D7: Security Operations Flashcards

Question

Investigation Types

Answer 1

Operational Criminal Civil eDiscovery

Answer 2

Slack space on a disk should be inspected for hidden data and should be included in Disk Image

Answer 3

Legislative: writing laws (statutory laws) Executive: enforces laws (administrative laws) Judicial: Interpret laws (common laws from court decisions)

Answer 4

Individuals that violate government law Punishment mostly imprisonment

Answer 5

Wrongs against individual or organization that result in a damage or loss. Punishment can include financial penalties Tort Law (I'll Sue You!) Jury will decide liability

Answer 6

How the industries, organizations and officers have to act. Wrongs can be penalized with imprisonment or financial penalties

Answer 7

Federal Law that provides a common framework for the conduct of computer-related business transactions. UCITA contains provisions that address software licensing The terms of UCITA give legal backing to the previously questionable practivies of shrink--wrap licensing by giving them status as legally binding contracts

Answer 8

Federal Law that provides a common framework for the conduct of computer-related business transactions. UCITA contains provisions that address software licensing The terms of UCITA give legal backing to the previously questionable practices of shrink--wrap licensing by giving them status as legally binding contracts

Answer 9

- Unauthorized intrusion - Unauthorized alteration or destruction - Malicious Code

Answer 10

relevant, sufficient, reliable, does not have to be tangible

Answer 11

the legal action of luring an intruder, like in a honeypot

Answer 12

the illegal act of inducing a crime, the individual had no intent of committing the crime at first

Answer 13

provides judges and courts procedures on the prevention, detection and reporting

Answer 14

Automating much of the routine work of log review Provides real-time analysis of events occurring on systems throughout an organization but don't necessarily scan outgoing traffic.

Answer 15

Occurs when an attacker is able to bypass or thwart security mechanisms and gain access to an organization's resources.

Answer 16

A specific form of monitoring that monitors recorded information and real-time events to detect abnormal activity indicating a potential incident or intrusion.

Answer 17

Automates the inspection of logs and real-time system events to detect intrusion attempts and system failures. An effective method of detecting many DoS and DDoS attacks Can recognize external attacks e.g. from the internet or attacks that spread internally like a malicious worm. Detections will trigger alarms and alerts, and sometimes will modify the environment to stop an attack IDS is part of defense-in-depth security plan - it will work with, and complement other security mechs like firewalls, but it does not replace them.

Answer 18

Intrusion prevention system includes all capabilities of an IDS, but can also take additional steps to stop or prevent intrusions - admins can disable the features of an IPS, and it becomes an IDS

Answer 19

Data loss prevention systems attempt to detect and block data exfiltration attempts. The systems have the capability of scanning data looking for keywords and data patterns. Can look for sensitive information stored on hard drives

Answer 20

Scans all outgoing data looking for spec ific data. Admin would place it on the edge of the negative to scan all data leaving the organization If a user sends out a file containing restricted data, the DLP system will detect and prevent it from leaving the organization The DLP system will send an alert such as an email to an administrator

Answer 21

Can scan files stored on a system as well as files sent to external devices such as printers An organization endpoint-based DLP can prevent users from copying sensitive data to USNB flash drives or sending sensitive data to a printer

Answer 22

Data at rest (storage) Data in transit (the network) Data being processed (must be decrypted) / in use / end point

Answer 23

Component whose state is recorded Version: recorded state of the CI

Answer 24

Collection of component CI's that make another CI

Answer 25

Assembling a version of a CI using component CI's

Answer 26

Set of versions of component CI's used to build a CI software library CI software library

Answer 27

Controlled area only accessible for approved users

Answer 28

System should restart in secure mode Startup should occur in maintenance mode that permits access only by privileged users from privileged terminals

Answer 29

Continues to function despite failure

Answer 30

Program execution is terminated and system protected from compromise when hardware or software failure DOORS usually

Answer 31

The most conservative from a security perspective

Answer 32

Human to see why it failed??

Answer 33

Reboot, selected, non-critical processing is terminated when failure occurs

Answer 34

Switches to hot backup

Answer 35

FAIL SAFE: doors UNLOCK | FAIL SECURE: doors LOCK

Answer 36

Protects data between users and a security component Channel established with strict standards to allow necessary communication to occur without exporing the TCB to security vulnerabilities A trusted path also protects system users (sometimes known as subjects) from compromise as a result of a TCB intechange ONLY WAY TO CROSS SECURITY BOUNDARY RIGHT WAY

Answer 37

Events: anything that happens; can be documented verified and analyzed. Incidents: event(s) that adversely impact the ability of an organization to do business. A suspected attack Intrusion: evidence attacker attempted or gained access to

Answer 38

Official: Detection, Response, Mitigation, Reporting, Recovery, Remediation, Lessons Learned Unofficial: Response Capability: policy, procedures, a team Incident Response and Handling: triage, investigation, containment and analysis tracking Recovery: Recovery or repair Debriefing / Feedback: External Communications Mitigation: limit the effect or scope of an incident

Answer 39

COME BACK TO AFTER READING

Answer 40

Host Based IDS Monitors activity on a single computer, including process calls and information recorded in firewall logs. It can often examine events in more detail than NIDS can, and it can pinpoint specific files compromised in an attack. It can also track processes employed by the attacker A benefit of HIDS over NIDS is that HIDS can detect anomalies on the host system that NIDS cannot detect

Answer 41

Network-IDS Monitors and evaluates network activity to detect attacks or event anomalies It cannot monitor the content of encrypted traffic but can monitor other packet details A single NIDS can monitor a large network by using remote sensors to collect data at key network locations that send data to a central management console.

Answer 42

All files, archive bit and modify bit are cleared Pro: only previous day needed for full restore Con: Time consuming

Answer 43

Only modifies files and archive bit is cleared Pro: Least time and space Con: must first restore full and then all incremental backups > makes it less reliable because it depends on more components

Answer 44

Only modifies files, and does not clear archive bit Pro: Full and only last diff needed, intermediate time between full and diff

Answer 45

Applies raid 1 mirroring concepts to servers On error servers can do a failover > aka server fault tolerance

Answer 46

Group of independent servers which are managed as a single system All servers are online and take part in processing service requests Individual computing devices on a cluster vs. a grid system --- cluster devices all share the same OS and application software but grid devices can have different OSs while working on same problem

Answer 47

COME BACK TO AFTER READING

Answer 48

Robotic mechanisms to transfer tapes between storage and drive mechanisms

Answer 49

AKA Reciprocal agreement Arrangement with another similar corporation to take over the processes Pro: cheap Con: must be exactly the same, is there enough capability, only for short term and what if disaster affects both corporations? Not enforceable

Answer 50

Third party, subscription servers provide alternate backups and processing facilities Most common of implementations

Answer 51

Mirrored Site, potential zero down time

Answer 52

Fully configured computer facility All applications are installed, up-to-date and mirror of the production system Extremely urgent critical transaction processing Pro: 24/7 availability and exclusive use are assured - short and long term Con: extra admin overhead, costly, security controls needs to be installed at the remote facility too Exclusive to one company hours to be up??

Answer 53

Cross between hot and cold site The computer facility is available but the applications may not be installed or need to be configured. External connections and other data elements that take long time to order are present Workstations have to be delivered and data has be restored Pro: Less costly, more choice of location, less admin resources required Con: it will take some time start production processing Nonexclusive and 12 hours to be up

Answer 54

Least ready but most commonly used Has no hardware installed, only power and HVAC Pro: Cost, ease of location choice, non-exclusive Con: very lengthy time of restoration, false sense of security but better than nothing

Answer 55

Contract to fully backup processing services Pro: quick response and availability, testing is possible Con: expense and it is more of a short time option

Answer 56

Processing is spread over several computer centers Can be managed by the same corporation (in house) or with another organization (reciprocal agreement) Pro: costs, multiple sites will chare resources and support Con: a major disaster could affect both sites, multiple configurations have to be administered

Answer 57

Mobile homes or HVAC trucks Could be considered a cold site

Answer 58

Supply of hardware replacements Stock of hardware either onsite or with a vendor May be acceptable for warm site but not for hot site

Answer 59

A very cold site

Answer 60

RAID 0: Striped - one large disk out of several; improved performance but no fault tolerance RAID 1: Mirrored - drives, fault tolerance from disk errors and single disk failure, expensive; redundancy only, not speed RAID 2: not used commercially; Hammering Code Parity/error RAID 3: Striped on byte level - extra parity drive; improved performance and fault tolerance, but parity drive is a single point of failure and write intensive. 3 or more drives RAID 4: same as RAID3, but striped on block level; 3 or more drives RAID 5: Striped on block level, parity distributed over all drives; requires all drives but one to be present to operate hot-swappable. Interleave parity, recovery control; 3 or more drives RAID 6: Dual Parity, parity distributed over all drives - requires all drives but two to be present to operate hot-swappable RAID 7: is the same as RAID 5 but all drives act as one single virtual disk

Answer 61

Tape: sequential, slow read, fast write 200GB an hour, historically cheaper than disk (now changing), robotic libraries Disk: fast read/write, less robust than tape Optical Drive: CD/DVD. Inexpensive Solid State: USB drive, security issues, protected by AES MTTF - mean time to failure MTTR - mean time to repair MTBF - mean time between failures (useful life) = MTTF + MTTR JBOD - most basic type of storage

Answer 62

Transfer of backup data to an offsite storage location via communication lines

Answer 63

Parallel processing of transactions to an alternative site via communication lines

Answer 64

Live processing of remote journaling and creating duplicates of the database sets to multiple servers

Answer 65

Use again after initial use

Answer 66

Remaining data after erasure; format magnetic media 7 times (orange book)

Answer 67

Overwriting media to be reused

Answer 68

Degaussing or overwriting to be removed

Answer 69

Complete destruction, preferably by burning

Answer 70

Restore normal business operations Statement of actions that have to be taken before, during and after a disruptive event that causes a significant loss of information Goal: provide organized way for decision making, reduce confusion and deal with crisis Planning and development must occur before the disaster BIA has already been completed prior - now it is time to protect

Answer 71

Any event, natural or manmade, that can disrupt normal IT operations The disaster is not over until all operations have been returned to their normal location and function It will be officially over when the data has been verified at the primary site, as accurate

Answer 72

Mandated to implement recover after the declaration of the disaster

Answer 73

Goes back to the primary site to normal processing environmental conditions Clean, repair, salvage Can declare when primary site is available again

Answer 74

Has all procedures on how the company will return processing from the alternate site

Answer 75

Interfacing with other groups: everyone outside the corporation Employee Relations - responsibility towards employees and families Fraud and Crime: like vandalism, looting and people grabbing the opportunity Financial reimbursement?? / Media Relations - find someone to run it

Answer 76

- activation and recover procedures - plan management - HR involvement - costs - required documentation - internal / external communications - detailed plans by teams **get communications up first, then most critical business functions

Answer 77

review plan contents

Answer 78

Members of the disaster recovery team gather in a large conference room and role-play a disaster scenario

Answer 79

More comprehensive and may impact one or more non-critical business units of the organization, all support personnel meet in a practice room

Answer 80

Involve relocating personnel to the alternate site and commencing operations there. Critical systems are run at an alternate site, main site open also

Answer 81

Involve relocating personnel to the alternate site and shutting down operations at the primary site

Answer 82

Plan for emergency response, backup operations and post disaster recovery maintained by an activity as a part of its security program that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation

Answer 83

Business Continuity - enduring the business can continue in an emergency, 1st business organization analysis Focus on Business Processes 1. Scope and Plan Initiation - consider amount of work required, resources required, management practice 2. BIA - helps understand impact of disruptive processes 3. Business Continuity Plan development - Use BIA to develop BCP (strategy development phase bridges the gap between the business impact assessment and continuity planning phases of BCP development) 4. Plan approval and implementation - management approval - create awareness **Update plan as needed, at least once a year testing

Answer 84

Recover as quickly as possible - Heavy IT focus - Allows the execution of the BCP - Needs planning - Needs testing CRITICAL, URGENT, IMPORTANT

Answer 85

- Defining the continuity strategy - Computing: strategy to preserve the elements of hardware/software/communication lines/applications/data - Facilities: use of main buildings or any remote facilities - People: operators, management, technical support persons - Supplies and equipment: paper, forms, HVAC - Documenting the continuity strategy

Answer 86

Senior Staff: ultimate responsibility, responsible for die care, due diligence Various business units: identify and prioritize time critical systems Information Systems Security Administrator There should be representatives from all departments who will execute the plan

Answer 87

Multiplexer allows multiple camera screens shown over one cable on a monitor - via coax cables (hence closed) - attacks: replayed (video images) - fixed mounting vs. PTZ Pan Tilt Zoom accunicator system (detects movements on screen and alerts guards) - Recording (for later review) = detective control - CCTV enables you to compare the audit trails and access logs with visual recording

Answer 88

Glare Protection: against blinding by lights Continuous Lightning: evenly distributed lightning Controlled Lightning: no bleeding over no blinding Standby lightning - timers Responsive Areas Illumination: IDS detects activities and turns on lightening NIST: for critical areas the area should be illuminated 8 feet in height with 2 foot candle power

Answer 89

Local Alarm: audible alarm for at least 4000 feet Central Stations: less than 10mins travel time for e.g. a private security firm Proprietary systems: owned and operated by the customer. System provides many of the features in-house Auxiliary Station Systems: on alarm ring out to local fire or police Line supervision check: if no tampering is done with the alarm wires Power Supplies: alarm systems need separate circuitry and backup power

Answer 90

Physical Parameter Detection - Electromechanical - detect a break or change in circuit magnets pulled loose, wire doors, pressure pads - Photoelectric - light beams interrupted (as in a store entrance) - Passive infrared - detects changes in temperature - Acoustical detection - microphones, vibrations sensors Motion Detection - Wave Pattern Motion Detectors - detects motions - Proximity/Capacitance detector - magnetic fields detects presence around an object

Answer 91

Warded Lock - hanging lock with a key Tumbler lock - cylinder slot Combination lock - 3 digits with wheels Cipher lock - electrical Device lock - bolt down hardware Preset - ordinary door lock Programmable - combination or electrical lock Raking - circumvent a pin tumbler lock

Answer 92

Should Include: - Date and time stamps - successful or unsuccessful attempt - where the access was granted - who attempted the access - who modified access privileges at supervisor level

Answer 93

Photo ID Card: Dumb cards. digitally coded cards - swipe cards - smart cards Wireless proximity cards - user activated - system sensing - passive device, no battery, uses power of the field - field powered device: active electronics, transmitter but gets power from the surrounding field from the reader - transponders: both card and receiver holds power, transmitter and electronics

Answer 94

Ensures that the security is not breached when a system crash or failure occurs Only required for B3 or A1 level systems

Answer 95

Backup critical information thus enabling data recovery

Answer 96

1. Reboot system in single user mode or recovery console so no user access is enabled 2. Recover all file systems that were active during failure 3. Restoring missing or damaged files 4. Recovering the required security characteristic, such as file security labels 5. Checking security-critical files such as system password file

Answer 97

Manual: system administrator intervention is required to return the system to a secure state Automatic: recovery to a secure state is automatic when resolving a single failure (though system administrators are needed to resolve additional failures) Automatic without Undue Loss: higher level of recovery defining prevention against the undue loss of protected objects Function: system can restore functional processes automatically

Answer 98

System Reboot: system shuts itself down in a controlled manner after detecting inconsistent data structures or runs out of resources Emergency restart: When a system restarts after a failure happens in an uncontrolled manner. E.g. when a low privileged user tries to access restricted memory segments System Cold Start: when an unexpected kernel or media failure happens and the regular recovery procedure cannot recover the system in a more consistent state

Answer 99

Want to verify their skills as intruders

Answer 100

Refers to the amount of privileges granted to users, typically when first provisioning an account. User entitlement audit can detect when employees have excessive privileges

Answer 101

Privilege creep, accumulate privileges

Answer 102

Software component that manages the virtual components. The hypervisor adds an additional attack surface, so it's important to ensure it is deployed in a secure state and kept up-to-date with patches, controls access to physical resources

Answer 103

most preferred in a legal investigation is a bound notebook, pages attached to a binding

Answer 104

Allows officials to seize evidence before its destroyed (police team fall in)

Answer 105

A country or location that has no laws or poorly enforced laws

Answer 106

Collection, analysis and preservation of data Forensics uses bit-level copy of the disk

Answer 107

Unused network space that may detect unauthorized activity

Answer 108

false vulnerability in a system that may attract an attacker

Answer 109

- openness - collection limitation - purpose specification - use limitation - data quality - individual participation - security safeguards - accountability

Answer 110

Inserting bogus information to hope to mislead an attacker

Answer 111

Management approval When a question is asked about processes, there must always be management's approval as First Step

Answer 112

Customer view taken into account

Answer 113

6 basic SQL commands Select, Update, Delete, Insert, Grant, Revoke

Answer 114

Placeholders for literal values in SQL query being sent to database on a server

Answer 115

looking over someone's shoulder to see how someone gets access

Answer 116

- Walls from floor to ceiling - Floor: concrete slab, 150lbs square feet - No windows - Air-Conditioning should have own Emergency Power Off (EPO) Electronic Access Control (EAC): proximity readers, programmable logs or biometric systems

Answer 117

Natural Access Control: guidance of people by doors, fences, bollards, lightening. Security zones are defined. Natural Surveillance: cameras and guards Territorial Reinforcements: walls, fences, flags Target Hardening: focus on logs, cameras, guards Facility Site: core of the building (e.g. with 6 stores, it's on the 3rd floor)

Answer 118

Combination of hacker and activist, often combining political motivations with the thrill of hacking.

Answer 119

Attacks launched only for the fun of it. Pride, bragging rights, etc.

Answer 120

Attackers who lack the ability to devise their own attacks will often download programs that do their work for them. The main motivation behind these attacks is the "high" of successfully breaking into a system. Service Interruption may be the goal. An attacker may destroy data, the main motivation is to compromise a system and perhaps use it to launch an attack against another victim. Common to do website defacements.

Answer 121

Focus on illegally obtaining an organization's confidential information. The use of the information gathered during the attack usually causes more damage than the attack itself

Answer 122

Carried out to unlawfully obtain money or services

Answer 123

Purpose is to disrupt normal life and instill fear

Answer 124

Designed to extract secret information

Answer 125

Attacks that are carried out to damage an organization or person. The damage could be in the loss of information or information processing capabilities or harm to the organization or person's reputation.

Answer 126

A criminal act of destruction or disruption committed against an employee is knowledgeable enough about the assets of an organization, has sufficient access to manipulate critical aspects of the environment, and has become disgruntled.

Answer 127

The malicious act of gathering proprietary, secret, private, sensitive, or confidential information about an organization Attackers often commit espionage with the intent of disclosing or selling information to a competitor or other interested organization (i.e. foreign). Attackers can be dissatisfied employees, and in some cases, employees who are being blackmailed from someone outside of the organization. Countermeasures against espionage are to strictly control access, to all nonpublic data, thoroughly screen new employee candidates, and efficiently track all employee activities.

Answer 128

Unauthorized modification of information, violations are not limited to intentional attacks. Human error, oversight, or ineptitude accounts for many instances.

Answer 129

Theft of sensitive information