CENT 310 EXAM 2 WRITTEN Flashcards

1
Q

Describe the functionality of an IDS

A

An IDS is responsible for detecting unauthorized access or attacks against a system or a network. It can verify, itemize, and characterize threats from outside and inside the network.

2
Q

Describe the three modes of detection for an IDS

A

Signature based: Analyzes traffic for patterns associated with known attacks stored in a database.
Anomaly based: Analyzes traffic and compares it to normal or baseline traffic for deviations that might indicate an attack.
Rule/Heuristic based: Analyzes traffic by using pre-configured rules and an inference engine to determine when the characteristics of an attack exist.

3
Q

What is the Security Onion

A

Security Onion can act as an IDS (Intrusion Detection System) and NSM (Network Security Monitoring) platform. It is an open-source Linux application suite that provides IDS and IPS functionality, security monitoring, and log analysis.

It contains Snort, Suricata, Sguil, Squert, Snorby, Bro, Network Miner, Xplico and others.

4
Q

What are the hardware requirements for the Security Onion

A

64-bit CPU, 4 cores, 8 GB RAM; it needs processing power and storage.

5
Q

What is the purpose of an NSM utility (describe the functionality of the 4 major utility types found in SO)

A

Network Security Monitoring:

- Collects and displays alerts of suspicious activity
- Analyzes alerts of suspicious activity
- Collects packets for analysis
- Allows for an overview of network activity and supports decision-making
- IDS/IPS: Snort
- HIDS session analysis: OSSEC
- Session analysis: Bro
- Visibility into logs: ELSA, Sguil
6
Q

Describe sources of Event Logs

A

The source is the name of the software that logs the event, often the name of the application or, if the application is large, the name of a subcomponent of it. Sources include:
Network devices/appliances
End devices
Internet of Things (IoT) devices

7
Q

What are the Cisco alert logging categories

A

0 Emergency: System is unusable
1 Alert: Action must be taken immediately
2 Critical: Critical conditions
3 Error: Error conditions
4 Warning: Warning conditions
5 Notice: Normal but significant condition
6 Informational: Informational messages
7 Debug: Debug-level messages
8
Q

What can be used to centralize logs from network devices

A

A central logging server or a centralized log management application.
RADIUS / TACACS+ is the protocol, but syslog is what is used.

9
Q

What can be used to centralize logs from windows devices

A

An event log subscription, with a source and a collector. On the source computer, add the collector as an event log reader; enable Windows Remote Management on the source; then subscribe to the source from the collector server in event management.

10
Q

Describe the 3 major logs available in a Windows environment

A

1) Application: The Application log records events related to Windows system components, such as drivers and built-in interface elements.
2) System: The System log records events related to programs installed on the system.
3) Security: Records events related to security, such as logon attempts and resource access.

11
Q

What are the three events seen in Windows logs

A

1) Application: The Application log records events related to Windows system components, such as drivers and built-in interface elements.
2) System: The System log records events related to programs installed on the system.
3) Security: Records events related to security, such as logon attempts and resource access.

12
Q

What are the three events seen in Windows logs

A

Security Log

13
Q

Describe how rsyslog is configured and deployed on a Linux computer

A

1) Install rsyslog on the Linux computer if it is not installed by default.
2) Configure the rsyslog Linux computer to accept remote log messages over TCP and UDP in rsyslog.conf (uncomment the relevant areas).
3) Configure the rsyslog Linux computer to send rsyslog events to another server over UDP (uncomment the relevant areas).
4) Test with logger messages.

14
Q

What are the three default chains in IPtables

A

1) INPUT chain – Incoming to firewall. For packets coming to the local server.
2) OUTPUT chain – Outgoing from firewall. For packets generated locally and going out of the local server.
3) FORWARD chain – Packet for another NIC on the local server. For packets routed through the local server.

15
Q

What are the three possible actions that can be taken on packets with iptables

A

1) -A, --append: Append one or more rules to the end of the selected chain.
2) -C, --check: Check whether a rule matching the specification exists in the selected chain.
3) -D, --delete: Delete one or more rules from the selected chain.

Accept, Drop, Reject

16
Q

Where are rsyslog events stored by default in Linux

A

/var/log/messages

17
Q

Describe the functionality of Splunk

A

Splunk captures, indexes, and correlates real-time machine-generated data in a searchable repository, from which it can generate graphs, reports, alerts, dashboards, and visualizations.

18
Q

Describe the functionality of ELSA

A

A log receiver, archiver, indexer, and web frontend for incoming syslog.

19
Q

Describe the functionality of Dumpit

A

Used to generate a physical memory dump (snapshot) of a Windows machine's RAM. Used in memory forensics and incident response.

20
Q

Describe the functionality of Volatility

A

Analyzes RAM from 32-bit and 64-bit systems: raw dumps, crash dumps, VMware dumps, VirtualBox dumps, and more. Used in memory forensics and incident response.

21
Q

Name four stakeholders involved in the IR process

A

HR: Develop job descriptions for those persons who will be hired for positions involved in IR.

Legal: Review NDAs to ensure they support the IR effort.

Marketing: Create newsletter and other education material to be used in employee response training.

Management: Communicate the importance of the IR plan to all parts of the organization. An important factor in the success of an IR plan is the verbal and financial support of upper management.

22
Q

Describe 6 common network signs of a security incident

A

Bandwidth consumption
Whenever bandwidth usage is abnormal, look for security issues that generate an unusual amount of traffic, such as DoS and DDoS attacks.

Can use free network bandwidth monitoring tools: BitMeter OS, Freemeter Bandwidth Monitor, BandwidthD.

Beaconing
Refers to traffic that leaves a network at regular intervals, attempting to call home. Firewalls, IDS, web proxies, and SIEM systems that create and maintain baselines of activity will help identify beacons.

Irregular peer-to-peer communication
Illegal file sharing could be occurring, and P2P communication can be the result of a botnet. Malicious code may be shared along with the file, and network DoS conditions can be created by large downloads.

Rogue device on the network
Wireless key loggers
Collect information and transmit it to the criminal (over Bluetooth or Wi-Fi).

Wi-Fi and Bluetooth hacking gear
Captures both Bluetooth and Wi-Fi transmissions.

Rogue access points
Designed to lure hosts into a connection for a peer-to-peer attack.

Rogue switches
Create a trunk link with a legitimate switch, providing access to all VLANs.

Mobile hacking gear
Allows a malicious individual to use software with a software-defined radio to trick cell-phone users into routing connections through a fake cell tower.

23
Q

Describe 10 common host signs of a security incident

A

Processor Consumption
A processor that is busy with very little or nothing running to generate the activity could be a sign that the processor is working on behalf of malicious software.

Sysinternals tools like Process Explorer enable you to see the top CPU offender in the notification area, and the graph that appears in Task Manager lets you identify what caused spikes in the past.

Memory Consumption
Increased memory consumption is an indicator of a compromised host. It is also an indication that additional programs have been loaded into RAM so they can be processed.

Drive Capacity Consumption
Available disk space on the host decreasing for no reason could mean that the host is storing information to be transmitted at a later time. Some malware also causes an increase in drive availability by deleting files.

Unauthorized Software
Whitelists: Specify only the applications that are allowed to run.
Blacklists: Specify which applications cannot be run.

Malicious Processes
Malicious programs use processes to access the CPU. You can sometimes locate processes that are using CPU or memory but do not show up in Task Manager. Use Process Explorer or another tool to get better results.

Unauthorized Changes
Missing files, modified files, new menu options, strange error messages, and odd system behavior are all indications of unauthorized changes.

Unauthorized Privileges
Can be the result of privilege escalation. Check all system accounts for changes to permissions and rights, ensure they are assigned correctly, and pay special attention to new accounts with admin privileges.

Data Exfiltration
The theft of data from a device. Any reports of missing or deleted data should be investigated.

DLP (data loss prevention) is software that attempts to prevent data leakage; it maintains an awareness of the actions that can and cannot be taken with respect to a document.

24
Q

Describe any three containment techniques.

A

Segmentation:
Limiting the scope of an incident by leveraging existing network segments as barriers to prevent the spread to other segments.

Isolation:
Implemented either by blocking all traffic to and from a device or devices, or by shutting down the device interface. Works well with a single compromised system; for multiple devices, segmentation is the better choice.

Removal:
Shutting down a device or devices, or removing them from the network, to stop the threat from spreading or reaching that device or network. It is not recommended until digital forensics has been completed.

25
Q

Describe three important things to consider when eradicating a threat

A

Sanitization
Removing all traces of the threat by overwriting the drive multiple times to ensure that the threat is removed.

Reconstruction/Reimage
Once a device has been sanitized, the system must be rebuilt. This can be done by reinstalling the OS, applying all system updates, reinstalling the anti-malware software, etc.

Secure Disposal
Clearing
Removing data from media so that it cannot be reconstructed using normal file recovery techniques and tools.

Purging
Makes the data unreadable even with advanced forensic techniques; the data should be unrecoverable.

Destruction
Destroying the media on which the data resides, e.g. degaussing and physical destruction.

26
Q

Describe three things you can do to validate that your system is back up and running secure after a security incident

A

Patching
Ensure that the OS and all applications are at the latest patch level and that updates are up to date.

Permission
All permissions should undergo a review to ensure that they are in the appropriate state.

Scanning
The vulnerability scanner should be updated so it can recognize the latest vulnerabilities and threats.

27
Q

Given any of the following compliance laws, determine its application: SOX, HIPAA, GLBA, CFAA

A

SOX (Sarbanes Oxley Act)
Controls the accounting methods and financial reporting for organizations and stipulates penalties and jail time for executive officers.

HIPAA (Health Insurance Portability and Accountability Act)
Affects all healthcare facilities, health insurance companies, and healthcare clearinghouses.

Provides standards and procedures for storing, using, and transmitting medical information and healthcare data.

GLBA (Gramm-Leach-Bliley Act)
Affects all financial institutions, including banks, loan companies, insurance companies, investment companies, and credit card providers.

Provides guidelines for securing all financial information and prohibits sharing financial information with third parties.

CFAA (Computer Fraud and Abuse Act)
Affects any entity that might engage in hacking. It covers knowingly accessing a computer without authorization; intentionally accessing a computer to obtain financial records or US government information; and transmitting fraudulent commerce communications with the intent to extort.

28
Q

Describe the usage of the following frameworks: NIST SP 800-53, NIST cybersecurity framework, ISO 27000, COBIT, ITIL

A

NIST SP 800-53
Divides the controls into three classes:
Technical: Uses technical controls like firewalls and ACLs to identify and prevent threats.

Operational: Policies, procedures, and work practices that help prevent threats or reduce their likelihood.

Management: Controls like security policies, separation of duties, termination, supervision, etc.

NIST Cybersecurity Framework
Presents 5 cybersecurity functions (Identify, Protect, Detect, Respond, and Recover), each of which is further divided into subfunctions.

ISO 27000 (International Organization for Standardization)
The ISO/IEC 27000 family helps organizations keep information assets secure. It helps an organization manage the security of assets such as financial information, intellectual property, and employee details.

COBIT (Control Objectives for Information & Related Technology)
A framework developed by ISACA to help businesses develop, organize, and implement strategies around information management and governance.

Subdivides into 4 domains:
Plan & Organize (PO)
Acquire & Implement (AI)
Deliver & Support (DS)
Monitor & Evaluate (ME)

ITIL (Information Technology Infrastructure Library)
Describes how IT delivers and supports business services; it is a well-known set of IT best practices designed to assist businesses in aligning their IT services with customer and business needs.

Has 5 core publications:
ITIL Service Strategy
ITIL Service Design
ITIL Service Transition
ITIL Service Operation
ITIL Continual Service Improvement

29
Q

What are the five functions in the NIST cybersecurity framework (important; be able to apply to a scenario)

A
Identify
Protect
Detect
Respond
Recover
30
Q

Describe any three high level policy categories

A

Acceptable Use Policy (AUP): Used to inform users of the actions that are allowed and those that are not allowed.

Data Ownership Policy: Closely related to the data classification policy, and often the two policies are combined. Covers how the owner of each piece of data or each data set is identified.

Data Retention Policy: Outlines how various data types must be retained and may rely on the data classifications described in the data classification policy.

Account Management Policy: Helps guide the management of identities and accounts.

Data Classification Policy: Defines how data is classified based on its value to the organization and its sensitivity to disclosure.

31
Q

Describe five out of the seven categories of controls

A

Compensative: A substitute for a primary access control; mainly acts to mitigate risk.

Corrective: Reduce the effect of an attack or other undesirable event.

Detective: Detect an attack while it is occurring to alert appropriate personnel.

Deterrent: Deter or discourage an attacker.

Directive: Specify acceptable practice within an organization.

Preventive: Prevent an attack from occurring.

Recovery: Recovers a system or device after an attack has occurred.

32
Q

Describe 4 types of context based authentication

A

Time: Allowing certain people to gain access to certain resources during certain times.

Location: Whether you can access the network from home, wireless hotspots, hotel rooms, and all sorts of other locations that are less than secure.

Frequency: Based on the frequency with which requests are made. Can indicate whether it is an automated process or malware, rather than an individual, that is making multiple requests.

Behavioral: Tracks the behavior of an individual over time and uses the information to detect when an entity is performing actions that, while within the rights of the entity, differ from its normal activity.

33
Q

Name any three security issues related to personnel

A

Dormant accounts remaining active.
Easily guessed passwords.
Poor credential management by those with privileged accounts.
The use of shared accounts.

34
Q

When looking at the lifecycle of accounts what is often overlooked?

A

Deletion of user accounts when personnel are terminated.

35
Q

Name 3 security issues related to endpoints

A

Social Engineering Threats
Malicious Software
Rogue Endpoints
Rogue Access Points

36
Q

Name 3 advantages of Kerberos

A

User passwords do not need to be sent over the network.
Both the client and server authenticate each other.
The tickets passed between the server and client are timestamped and include lifetime information.

37
Q

Name 3 disadvantages of Kerberos

A

Session keys on the client machines can be compromised.
The KDC must be scalable to ensure that performance of the system does not degrade.
Kerberos traffic needs to be encrypted to protect the information over the network.

38
Q

Name any 3 security issues related to RADIUS

A

The RADIUS shared secret can be weak due to poor configuration and limited size.
Poor Request Authenticator values can be used to decrypt encrypted attributes.
Sensitive attributes are encrypted using the RADIUS hiding mechanism.

39
Q

Name any 3 security issues related to TACACS

A

Due to a lack of padding, the lengths of variable-size data fields can often be determined from the packet sizes.
Session IDs may be too small to be unique if randomly chosen.
Lack of integrity checking allows an attacker with access to the wire to flip most of the bits in the packet without the change being detected.

40
Q

What is a federation

A

A portable identity that can be used across businesses and domains.

41
Q

What is SAML

A

Security Assertion Markup Language is a security attestation model built on XML and SOAP-based services that allows for the exchange of authentication and authorization data between systems and supports federated identity management.

42
Q

Name any 3 exploits against identity and authentication

A
Impersonation
Man-in-the-Middle
Session Hijack
Cross-Site Scripting
Privilege Escalation
Rootkit
43
Q

Describe 3 data analytic methods

A

Trend Analysis: Analysis that focuses on the long-term direction of an increase or decrease in a particular type of traffic or behavior in a network.

Historical Analysis: Analysis carried out with the goal of discovering the history of a value over time.

Data Aggregation and Correlation: The process of gathering a large amount of data and filtering and summarizing it based on some common variable in the information, then locating variables in the information that seem to be related.

44
Q

Describe 3 methods of defense in depth

A

Security Appliances: Hardware devices designed to provide some function that supports securing the network or detecting vulnerabilities and attacks. Ex: IPS, IDS, firewalls, SIEM systems, hardware encryption devices.

Security Suites: A collection of security utilities combined into a single tool. Ex: Gateway protection, mail server protection, file server protection, client protection, centralized management.

Outsourcing: Third parties are contractually obliged to perform adequate security activities; the company should confirm this prior to the launch of any products or services that result from third-party engagement.

45
Q

Describe 4 uses of cryptography

A

Authentication: Being able to determine the sender's identity and validity.

Confidentiality: Altering the original data in such a way as to ensure that data cannot be read except by the valid recipient.

Integrity: Allowing valid recipients to verify that data has not been altered.

Authorization: Providing the key to a valid user after that user proves their identity through authentication.

46
Q

Describe 4 types of transport encryption

A

SSL/TLS: Used when data needs to be encrypted while it is being transmitted over a medium from one system to another.

HTTP/HTTPS/SHTTP: HTTP is used on the web to transmit website data between a web server and a web client. HTTPS is the implementation of HTTP running over the SSL/TLS protocol. SHTTP encrypts only a single communication, not an entire session.

SSH: Used to remotely log in to another computer using a secure tunnel.

IPsec: A suite of protocols that establishes a secure channel between two devices.