Chapter 1 - Mastering Security Basics Flashcards
Availability
Indicates that data and services are available when needed
Redundancy
Adds duplication to critical systems and provides fault tolerance: if a critical component fails, the redundant component takes over so the service continues without interruption.
-Disk redundancies (RAID)
-Server redundancies (virtualization can help)
-Network redundancies (NIC teaming)
-Power redundancies (UPS)
Scalability and elasticity
Both contribute to high availability
Scalability refers to the ability of a system to handle increasing workload or demand by adding resources such as processing power, memory, or storage capacity. It measures how well a system can accommodate growth without sacrificing performance or efficiency.
Elasticity refers to the ability of a system to automatically or dynamically adapt to changing workload or demand by provisioning or releasing resources as needed. It involves scaling resources up or down based on demand in a flexible and automated manner, and is most often described in regard to cloud computing.
Scalability focuses on the ability of a system to handle growth by adding resources in a proactive manner, whereas elasticity focuses on the dynamic and automated adjustment of resources in response to changing demand.
Resiliency
The ability for systems to heal themselves or recover from faults with minimal downtime.
-Performing and testing full backups
-Backup power sources (UPS, generators)
-NIC teaming
-Redundant disk subsystems
Managerial controls
Managerial controls are primarily administrative in function, typically documented in an organization’s security policy and focus on managing risk.
Two common managerial controls are:
-Risk assessments
-Vulnerability assessments
Operational controls
Help ensure that the day-to-day operations of an organization comply with the security policy. People implement and execute them.
Operational controls include:
- Awareness and training
-Configuration management.
Baselines to ensure that systems start in a secure, hardened state.
-Media protection.
Physical media like USB flash drives, external and internal drives, and backup tapes
-Physical and environmental protection
Includes physical controls such as cameras, door locks, and environmental controls such as heating and ventilation systems.
Types of Security Controls
Security controls are categorized as managerial (documented in written policies), operational (performed in day to day operations), or technical (implemented with technology).
Technical Controls
Technical controls use technology such as hardware, software and firmware to reduce vulnerabilities.
Some examples include:
-Encryption
-Antivirus software
-IDS and IPS
-Firewalls
-Least privilege principle
Physical controls and environmental controls
Include motion detectors and fire suppression systems.
Preventative controls
The primary goal of preventative controls is to prevent security incidents. Examples include:
-Hardening
-Training
-Security guards
-Change management (help prevent outages from configuration changes)
-Account disablement policy
-IPS
Detective controls
Attempt to detect when vulnerabilities have been exploited, resulting in a security incident. Detective controls discover the event after it has occurred. Examples include:
-Log monitoring
-SIEM systems (detect trends and raise alerts in real time)
-Security audit
-Video surveillance
-IDS
Corrective and recovery controls
Attempt to reverse the impact of an incident or problem after it has occurred.
-Backups and system recovery
-Incident handling process
Physical controls
Any controls you can physically touch:
-Bollards and barricades
-Access control vestibules
-Lighting
-Signs, fences, sensors and more
A single control can belong to multiple control types, e.g. locks are physical, deterrent and preventative.
Deterrent controls
Attempt to discourage a threat: to discourage potential attackers from attacking and employees from violating the security policy.
Deterrent and preventative often overlap
-Security guard
-Cable locks
-Physical locks
Compensating controls
Alternative controls used instead of a primary control when that control cannot be applied yet, such as requiring employees to use smart cards when authenticating on a system, but allowing new employees to access the network using a TOTP while their smart card is being issued.
Response controls
Commonly referred to as incident response controls, are controls designed to prepare for security incidents and respond to them once they occur; usually started by creating security policies then training personnel on how to respond to incidents.
Ping
Basic command to test connectivity to remote systems; it can also verify that a system resolves hostnames to IP addresses, confirm the local NIC is working, and help assess organizational security (for example, whether hosts answer probes they should not).
*Checks connectivity by sending Internet Control Message Protocol (ICMP) echo request packets (type 8); a reachable system answers with ICMP echo reply packets (type 0), which is how you know it is operational.
-Pinging a hostname rather than an IP address exercises name resolution first: a "could not find host" error points at DNS, whereas a resolved address with no reply points at connectivity or filtering.
-Can be filtered out by firewalls: admins often block inbound echo requests (or ICMP entirely) to reduce reconnaissance and ICMP-based DoS, so a failed ping does not prove a host is down. You can use ping to check whether your IPS or firewall actually blocks ICMP as intended.
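The packets this card describes, built and checked offline. This is an added example, not part of the original flashcards: it constructs an ICMP echo request (type 8, code 0) with the RFC 1071 checksum, a reply of the kind a live host returns, and the identifier/sequence/payload match that ping performs before counting a reply. Putting these on the wire needs a raw socket (root or CAP_NET_RAW on Linux) and the kernel adds the IP header, so nothing here touches the network; the identifier and payload values are arbitrary. A firewall rule that drops "ICMP type 8" drops exactly the request bytes produced below.

```python
import struct

ICMP_ECHO_REQUEST = 8   # type 8, code 0: what ping sends
ICMP_ECHO_REPLY = 0     # type 0, code 0: what a live host answers with
HEADER = "!BBHHH"       # type, code, checksum, identifier, sequence (network byte order)


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented.
    Computed with the checksum field zeroed when building a packet; computed over
    a packet that already carries its checksum, it yields 0 if the packet is intact."""
    if len(data) % 2:
        data += b"\x00"                       # pad an odd-length packet
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(identifier: int, sequence: int, payload: bytes = b"abcdefgh") -> bytes:
    """Echo request as ping builds it; identifier and payload here are arbitrary values."""
    unchecked = struct.pack(HEADER, ICMP_ECHO_REQUEST, 0, 0, identifier, sequence) + payload
    csum = icmp_checksum(unchecked)
    return struct.pack(HEADER, ICMP_ECHO_REQUEST, 0, csum, identifier, sequence) + payload


def parse_icmp(packet: bytes) -> dict:
    """Decode the 8-byte ICMP header and verify the checksum over the whole packet."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, _, identifier, sequence = struct.unpack(HEADER, packet[:8])
    return {"type": icmp_type, "code": code, "id": identifier, "seq": sequence,
            "payload": packet[8:], "checksum_ok": icmp_checksum(packet) == 0}


def make_echo_reply(request: bytes) -> bytes:
    """Constructed reply of the kind a remote stack returns: type 0, same id, seq and payload."""
    req = parse_icmp(request)
    unchecked = struct.pack(HEADER, ICMP_ECHO_REPLY, 0, 0, req["id"], req["seq"]) + req["payload"]
    csum = icmp_checksum(unchecked)
    return struct.pack(HEADER, ICMP_ECHO_REPLY, 0, csum, req["id"], req["seq"]) + req["payload"]


def is_reply_to(request: bytes, reply: bytes) -> bool:
    """The match ping performs before counting a reply: intact checksum, reply type, and
    identifier, sequence and payload equal to what was sent, so stray replies are ignored."""
    req, rep = parse_icmp(request), parse_icmp(reply)
    return (rep["checksum_ok"] and req["type"] == ICMP_ECHO_REQUEST
            and rep["type"] == ICMP_ECHO_REPLY and rep["code"] == 0
            and req["id"] == rep["id"] and req["seq"] == rep["seq"]
            and req["payload"] == rep["payload"])


if __name__ == "__main__":
    request = build_echo_request(identifier=0x1234, sequence=1)
    print(request.hex())                      # the bytes an ICMP-blocking firewall drops
    print(is_reply_to(request, make_echo_reply(request)))
```

Flip any byte of the reply and `parse_icmp` reports the checksum as bad; a reply carrying a different sequence number is rejected by `is_reply_to`, which is why ping reports "timed out" for a lost probe even while other replies are arriving.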
Hping
Similar to ping but can send probes using TCP and UDP as well as ICMP, which helps identify whether a host is up behind a firewall that blocks ICMP; it is only available on Linux-like systems.
ipconfig and ifconfig
ipconfig on Windows
-Shows the TCP/IP configuration for a Windows system: the computer's IP address, subnet mask and default gateway, and with the /all switch also the MAC address and the addresses of the DNS servers.
-Shows the configuration info for all NICs on a system, including wired and wireless NICs. Often used by technicians for troubleshooting.
ifconfig on Linux (“interface configuration”), has more capabilities than ipconfig
EXAMPLES:
- ipconfig: provides basic info on each NIC, such as the IP address, subnet mask and default gateway
-ipconfig /all and ifconfig -a
Show a comprehensive listing of TCP/IP configuration info for each NIC, including the MAC address; ipconfig /all also lists the assigned DNS servers and the DHCP server if the system is a DHCP client. (ifconfig -a shows only interface-level settings; on Linux the DNS servers are in /etc/resolv.conf or shown by resolvectl status.)
On Linux, viewing an interface needs no privilege, but changing its settings (the promisc and allmulti commands below) requires root or sudo:
-ifconfig eth0
Shows the configuration of the first Ethernet interface (NIC) on a Linux system. If the system has multiple NICs you can use eth1, eth2 and so on, and wlan0 to view the first wireless interface (many current distros use predictable names such as enp0s3 instead).
-sudo ifconfig eth0 promisc
Enables promiscuous mode on the first Ethernet interface, which makes the NIC pass every frame it receives up to the operating system. Normally a NIC is in non-promiscuous mode and discards frames not addressed to its own MAC address (apart from broadcast and subscribed multicast frames). Disable it with sudo ifconfig eth0 -promisc.
-sudo ifconfig eth0 allmulti
Enables all-multicast mode on the NIC, so it processes every multicast frame it receives rather than only those for groups it has joined.
*You would want to see all traffic on a segment when running a protocol analyzer such as Wireshark or tcpdump (these tools normally enable promiscuous mode themselves). On a switched network, promiscuous mode still only shows frames the switch forwards to that port, so a mirror (SPAN) port or a tap is needed to see other hosts' traffic.
ip instead of ifconfig
Many Linux distros have deprecated the ifconfig command (part of net-tools) and recommend using the ip command from iproute2 instead, which displays and configures network interfaces with a different syntax. It covers the same ground, including promiscuous mode (sudo ip link set eth0 promisc on, and off to disable it).
sample commands:
-ip link show
Shows the interface along with some details on them
-ip link set eth0 up
Enables a network interface
-ip -s link
Shows statistics on network interfaces
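Promiscuous mode is what a sniffer turns on, so checking for it is a cheap detective control on a host. The following Python is an added example covering both the ifconfig and ip cards above; it is not from the original page. It parses the flag list that ip link show prints (the sample output is constructed, with eth0 switched to promiscuous mode and wlan0 to all-multicast; MACs are invented) and also decodes the hex value in /sys/class/net/<interface>/flags, where the Linux kernel sets IFF_PROMISC (0x100) and IFF_ALLMULTI (0x200).

```python
import re

IFF_PROMISC = 0x100    # from linux/if.h
IFF_ALLMULTI = 0x200

# Constructed `ip link show` output: eth0 has been put into promiscuous mode
# (e.g. by `sudo ip link set eth0 promisc on` or `sudo ifconfig eth0 promisc`),
# wlan0 has been put into all-multicast mode. The MAC addresses are invented.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc mq state DORMANT mode DORMANT group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
"""

# "2: eth0: <FLAGS> ..." ; the optional "@if5" suffix appears on veth interfaces
LINK_RE = re.compile(r"^\d+:\s+(?P<name>[^:@\s]+)(?:@\S+)?:\s+<(?P<flags>[^>]*)>")


def parse_ip_link(text):
    """Return {interface_name: set_of_flag_names} from `ip link show` output."""
    ifaces = {}
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if m:
            ifaces[m["name"]] = {f for f in m["flags"].split(",") if f}
    return ifaces


def interfaces_with_flag(text, flag):
    """Sorted names of interfaces whose flag list contains `flag` (e.g. "PROMISC")."""
    return sorted(name for name, flags in parse_ip_link(text).items() if flag in flags)


def decode_sysfs_flags(hex_value):
    """Decode the hex in /sys/class/net/<if>/flags into the two sniffer-relevant names.
    Other bits (UP, BROADCAST, MULTICAST, ...) are ignored."""
    value = int(hex_value, 16)
    names = []
    if value & IFF_PROMISC:
        names.append("PROMISC")
    if value & IFF_ALLMULTI:
        names.append("ALLMULTI")
    return names


if __name__ == "__main__":
    for name in interfaces_with_flag(SAMPLE_IP_LINK, "PROMISC"):
        print(f"{name}: promiscuous mode is on, expect a protocol analyzer or sniffer")
```

On a live system feed it the real output (`subprocess.run(["ip", "link", "show"], capture_output=True, text=True).stdout`) or read the sysfs file for each interface; either needs no privilege, which is the point of using it as a periodic check.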
Netstat
Allows you to view statistics for the TCP/IP protocols on a system and to list active TCP/IP network connections (netstat -a includes listening ports, -n keeps addresses numeric instead of resolving names).
Many attacks establish connections from an infected computer out to a remote computer (malware beacons, reverse shells); netstat lets you identify such connections if you suspect a compromise.
Netstat displays the state of each connection, such as ESTABLISHED for an active connection, LISTEN for a port waiting for connections, or TIME_WAIT for a connection that has just closed.
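To put the "infected computer connects out to a remote computer" point into practice, this added Python (not from the original page) parses netstat -an style output, both the Linux layout with Recv-Q/Send-Q columns and the Windows layout without them, and lists ESTABLISHED connections whose remote side lies outside loopback, link-local and RFC 1918 space. Those are the connections to explain first. The sample output is constructed; 203.0.113.7 and 198.51.100.23 are documentation-range addresses standing in for Internet hosts.

```python
import ipaddress
import re
from collections import Counter

# Constructed `netstat -an` output in the Linux layout. The two remote hosts outside
# 10.0.0.0/8 are documentation addresses used here in place of Internet hosts.
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:49812          203.0.113.7:443         ESTABLISHED
tcp        0      0 10.0.0.5:51022          198.51.100.23:8443      ESTABLISHED
tcp        0      0 10.0.0.5:35120          10.0.0.9:445            ESTABLISHED
tcp        0      0 127.0.0.1:3306          127.0.0.1:56001         ESTABLISHED
tcp        0      0 10.0.0.5:49900          203.0.113.7:443         TIME_WAIT
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""

# Matches a socket row in both layouts: the Recv-Q/Send-Q pair is optional, and the
# state column is absent for UDP rows.
ROW_RE = re.compile(
    r"^\s*(?P<proto>tcp6?|udp6?)\s+(?:\d+\s+\d+\s+)?"
    r"(?P<local>\S+)\s+(?P<remote>\S+)\s*(?P<state>[A-Za-z_]*)\s*$",
    re.IGNORECASE)

# Address space a remote endpoint may sit in without leaving the local networks.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",    # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                      # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10")]                  # IPv6 equivalents


def split_endpoint(endpoint):
    """'10.0.0.5:49812' -> ('10.0.0.5', '49812'); also handles ':::22' and '[::1]:22'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def is_internal(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:            # "*" or an unresolved name
        return False
    return any(addr in net for net in INTERNAL_NETS)


def parse_netstat(text):
    """One dict per socket row: proto, (local_host, port), (remote_host, port), state."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue              # banner, column headers, blank lines
        rows.append({"proto": m["proto"].lower(),
                     "local": split_endpoint(m["local"]),
                     "remote": split_endpoint(m["remote"]),
                     "state": m["state"].upper()})
    return rows


def established(text):
    return [r for r in parse_netstat(text) if r["state"] == "ESTABLISHED"]


def external_established(text):
    """Remote endpoints ('host:port') of ESTABLISHED connections that leave the local networks."""
    return [f"{r['remote'][0]}:{r['remote'][1]}"
            for r in established(text) if not is_internal(r["remote"][0])]


def remote_counts(text):
    """How many non-listening sockets reference each remote host; repeated contacts
    to one host in quick succession are what a beaconing implant looks like."""
    return Counter(r["remote"][0] for r in parse_netstat(text)
                   if r["state"] not in ("", "LISTEN"))


if __name__ == "__main__":
    for endpoint in external_established(NETSTAT_SAMPLE):
        print("outbound connection to explain:", endpoint)
```

The same functions accept a Windows listing because the regex treats the queue columns as optional; what the check cannot tell you is which process owns the socket, so follow up with netstat -b (Windows, elevated) or ss -tnp (Linux) once a remote endpoint looks wrong.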
tracert and traceroute
The tracert command lists all the routers between two systems, each router referred to as a hop, together with the round-trip time (RTT) to each hop. tracert is the Windows command.
Linux systems use traceroute.
Used by network admins to identify faulty or slow routers on the path between two systems.
pathping
Windows command that combines the functions of the ping and tracert commands to locate potential problems between two systems: it traces the route, then pings each hop for a period and reports packet loss per hop and per segment between hops.
Arp
Command-line tool related to the Address Resolution Protocol; the arp command and the ARP protocol are not the same thing.
-ARP resolves IP addresses to MAC addresses and stores the result in the ARP cache.
*The arp command is used to view and manipulate the ARP cache (arp -a lists it on both Windows and Linux).
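ARP carries no authentication, so a host that answers ARP requests with its own MAC can take over another host's IP, most usefully the default gateway's. In the cache this shows up as one MAC listed for several IPs, or as the gateway's MAC changing between two readings. This added Python (not the page's own code) parses arp -a output in both the Linux "? (ip) at mac" layout and the Windows table layout and reports both indicators; it goes one step beyond the card, from viewing the cache to checking it. The listings are constructed and the MACs invented. A shared MAC is sometimes legitimate (a router answering for several addresses, HA virtual MACs), so treat a hit as something to investigate rather than proof.

```python
import ipaddress
import re

# Constructed `arp -a` listings. ARP_BEFORE is a clean cache; in ARP_AFTER the entry for
# the gateway 10.0.0.1 now carries the MAC that belongs to 10.0.0.66. ARP_WINDOWS is the
# same poisoned state as Windows prints it. All MAC addresses are invented.
ARP_BEFORE = """\
? (10.0.0.1) at 52:54:00:aa:bb:01 [ether] on eth0
? (10.0.0.9) at 52:54:00:aa:bb:09 [ether] on eth0
? (10.0.0.66) at 00:0c:29:de:ad:01 [ether] on eth0
"""
ARP_AFTER = """\
? (10.0.0.1) at 00:0c:29:de:ad:01 [ether] on eth0
? (10.0.0.9) at 52:54:00:aa:bb:09 [ether] on eth0
? (10.0.0.66) at 00:0c:29:de:ad:01 [ether] on eth0
"""
ARP_WINDOWS = """\
Interface: 10.0.0.5 --- 0x4
  Internet Address      Physical Address      Type
  10.0.0.1              00-0c-29-de-ad-01     dynamic
  10.0.0.66             00-0c-29-de-ad-01     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""

# An IPv4 address followed, somewhere on the same line, by a MAC in either ':' or '-' form.
ENTRY_RE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}).*?"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})")


def parse_arp(text):
    """Map IP -> normalised MAC (lower-case, colon separated). Multicast and broadcast
    entries are skipped because they legitimately share MACs."""
    cache = {}
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if not m:
            continue                           # headers, "Interface:" lines
        try:
            addr = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue
        mac = m["mac"].lower().replace("-", ":")
        if addr.is_multicast or mac == "ff:ff:ff:ff:ff:ff":
            continue
        cache[str(addr)] = mac
    return cache


def shared_macs(text):
    """MACs that answer for more than one IP: {mac: [ips]} (the spoofing signature)."""
    by_mac = {}
    for ip, mac in parse_arp(text).items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips, key=ipaddress.ip_address)
            for mac, ips in by_mac.items() if len(ips) > 1}


def changed_macs(before, after):
    """IPs whose MAC differs between two readings of the cache: {ip: (old_mac, new_mac)}.
    A change on the gateway's entry is the classic sign of ARP poisoning."""
    old, new = parse_arp(before), parse_arp(after)
    return {ip: (old[ip], new[ip]) for ip in old if ip in new and old[ip] != new[ip]}


if __name__ == "__main__":
    for mac, ips in shared_macs(ARP_AFTER).items():
        print(f"{mac} claims {', '.join(ips)}")
    for ip, (old, new) in changed_macs(ARP_BEFORE, ARP_AFTER).items():
        print(f"{ip} moved from {old} to {new}")
```

The before/after comparison is the more reliable of the two checks: take a reading when the network is known-good (or pin the gateway with a static entry, arp -s on both platforms) and compare against it later, rather than relying on a single snapshot.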