Day 2 - Defense-in-Depth and Attacks

Question 1

2 - Defense-in-Depth and Attacks

Answer 1

• defense in depth
• access control and password management
• security policies
• critical controls
• malicious code and exploit mitigations
• advanced persistent threats

Question 2

objectives of defense-in-depth

Answer 2

• risk = threat x vulnerabilities
• CIA triad
• strategies for defense-in-depth
• core security strategies

Question 3

what is defense in depth (DiD)?

Answer 3

• any layer of protection may fail
• multiple levels of protection must be deployed
• measures must be across a wide range of controls

Question 4

prevention is ideal, but detection is ?

Answer 4

a must

however, detection without response has minimal value

Question 5

security deals with?

Answer 5

managing risk to your critical assets

Question 6

risk is?

Answer 6

the probability of a threat crossing or touching a vulnerability

risk = threats x vulnerabilities

Question 7

Key Focus of Risk

Answer 7

CIA triad

Question 8

C - confidentiality

Answer 8

vs. Disclosure

Only shared among authorized persons or organizations

Question 9

I - Integrity

Answer 9

vs. Alteration

Authentic and complete. Sufficiently accurate. Trustworthy and reliable.

Question 10

A - Availability

Answer 10

vs. Destruction

Accessible when needed by those who need it

Question 11

Prioritizing CIA

Answer 11

all are important, which one is important in your organization?

Confidentiality: pharmaceuticals and govt
Integrity: Financial institutions
Availability: e-commerce

Question 12

Approaches to DiD

Answer 12

deploy measures to reduce, accept, or transfer risk

4 basic approaches:

1) uniform protection
2) protected enclaves
3) information centric
4) threat vector analysis

Question 13

uniform protection -DiD

Answer 13

• most common DiD approach
• firewall, VPN, intrusion detection, antivirus, patching
• all parts of the organization receive equal protection
• treats all systems the same

Question 14

protected enclaves DiD

Answer 14

• work groups that require additional protection are segmented from the rest of the organization
• restrict access to critical segments
• internal firewalls
• VLANs and ACLs

Question 15

information-centric DiD

Answer 15

• identify critical assets and provide layered protection
• data is accessed by apps
• apps reside on hosts
• hosts operate on networks

Question 16

vector-oriented DiD

Answer 16

threat requires vector to cross vulnerability
stop the capability of the threat to use the vector
- usb thumb drives: disable USB
- attachments in e-mails: block or scan attachments
- spoofed e-mails: check address at e-mail server

Question 17

fixing the problem - main strategy to fix infected system??

Answer 17

rebuild from scratch

Question 18

module 8:

Answer 18

Access Control and Password Management

Question 19

Access Control

Answer 19

• Data Classification
• Managing access
• Separation of duties

Question 20

Password management

Answer 20

• password management technologies

- how password assessment works

Question 21

IAAA

Answer 21

Identity
Authentication
Authorization
Accounting

Question 22

Controlling Access

Answer 22

• Least privilege
• Need to know
• Separation of duties
• Rotation of duties

Question 23

6 common types of access control

Answer 23

1- Discretionary Access Control (DAC)
2- Mandatory Access Control (MAC)
3- Role-based (RBAC)
4- Ruleset-based (RSBAC)
5- List-based 
6- Token-based

Question 24

John the Ripper crack modes

Answer 24

1- Wordlist
2- Single crack - usernames and gecos to guess pwds. should be used first becuz fast
3- incremental - brute force
4- external - custom

Question 25

Module 9

Answer 25

Security Policy

Question 26

Security Policies

Answer 26

• need for policies
• policy framework
• enforcement

Question 27

issue-specific policy examples

Answer 27

• NDA

- copyright

Question 28

Policy table of contents

Answer 28

• purpose
• related documents or references
• cancellation or expiration
• background
• scope
• policy statement
• responsibility
• action

Question 29

policies must be?

Answer 29

clear, concise, understood by everyone in the organization and enforced

Question 30

Module 10

Answer 30

Critical Security Controls

Question 31

Three control priority families?

Answer 31

• System (Controls 1-10)
• Network (Controls 11-15)
• Application (Controls 16-20)

Question 32

Key rules when the controls were chosen

Answer 32

• each control mapped to actual known attack
• if known attack doesn’t exist, can’t be a control
• offense must inform defense

Question 33

Critical Security Controls

Answer 33

1- inventory of authorized/unauthorized devices
2- inventory of authorized/unauthorized software
3- secure configurations for HW/SW
4- continuous vulnerability assessment and remediation
5- controlled use of administrative privileges
6- maintenance, monitoring, and analysis of audit logs
7- email and web browser protections
8- malware defenses
9- limitation and control of network ports
10- data recovery capability
11- secure configurations for network devices
12- boundary defense
13- data protection
14- controlled access based on the need to know
15- wireless access control
16- account monitoring and control
17- security skills assessment and appropriate training to fill gaps
18- application software security
19- incident response and management
20- pen tests and red team exercises

Question 34

Module 11: Malicious Code and Exploit Mitigation

Answer 34

• Mitnick-Shimomoura
• Defensive strategies
• Common types of attacks

Question 35

Input attacks

Answer 35

applications receive client data in many forms:
- treat all user supplied input as potential attack points

examples:

• OS command injection
• buffer overflows
• SQL injection

Question 36

Module 12: APT

Answer 36

• what are APTs and why are they so hard to manage?
• defending against APT
• how can cyber remediation be approached?
• offensive operations