Domain 7 - Security Operations Flashcards

1
Q

User and entity behavior analytics (UEBA)

A
  • entity behavior is collected and input to a threat model, model establishes baseline of normal based on historical data, enables analysis to uncover anomalies
2
Q

Threat intel feeds

A
  • feed of known-malicious entities ingested by security tools, also serves as an educational tool for tracking threat landscape changes, a single feed may aggregate many sources including OSINT, entity = IP, website, actor, hashes
3
Q

Role of AI and ML (SecOps)

A
  • automates analysis (automated investigation features), quickly analyzes millions of events and identifies many different types of threats, profiles are built on users/ assets/ networks/ devices allowing AI to detect and respond to deviations from established norms, factors in anti-malware, SIEM, IDS/IPS, IDaaS
4
Q

Collusion

A
  • agreement among multiple persons to perform unauthorized action
5
Q

Separation of duties

A
  • ensures that no single person controls all elements of a critical function
6
Q

Job rotation

A
  • employees are rotated into different jobs or tasks, helps flush out fraud
7
Q

Monitoring privileged operations

A
  • monitor all assignment of privileges and all use of privileged operations, can detect many attacks because attackers commonly use special privileges
8
Q

Information lifecycle

A
  • Creation (file creation by a user or system logs) > classification (to ensure it's handled properly) > storage (protect data with adequate controls based on classification) > usage (any time data is in use or in transit) > archive (sometimes needed to comply with laws or regulations) > destruction (destroyed in a way that leaves it unreadable)
9
Q

Service level agreements

A

- performance expectations like max downtimes/ availability numbers, can include penalties, usually applies to vendors

10
Q

Secure provisioning

A
  • ensures that resources are deployed in a secure manner and maintained securely throughout their lifecycle, ie PC deployed from a secure image
11
Q

Virtual assets

A
  • VMs, VDIs, SDN, SAN; hypervisors are the primary component that manages virtual assets but also provide attackers with an additional target, KEEP IT PATCHED!!
12
Q

Configuration management

A

ensures that systems are configured in a similar manner, configs are KNOWN and DOCUMENTED

13
Q

Baselining

A
  • ensures systems are deployed with a common baseline ie imaging, policy based config (GPOs), can then be TAILORED as needed
14
Q

Change management

A
  • helps reduce outages/ weakened security from unauthorized changes, makes sure all changes are documented/ discussed/ authorized; changes are tested, approved and documented
15
Q

Versioning

A
  • uses labeling/ numbering to track changes in software, helpful in change management process
16
Q

Patch management

A
  • ensures systems are kept up to date with current security patches; evaluate/ test/ approve/ deploy patches; system audits verify the deployment of approved patches to systems; a vuln scanner can identify missing patches
17
Q

Vuln scanners

A
  • detect vulns, weaknesses, absence of patches, weak passwords ie tenable, qualys
18
Q

Vuln assessments

A
  • includes reviews and audits to detect vulns in addition to a scan
19
Q

Detection (IR)

A
  • monitoring tools, IPS, firewalls, notifying management
20
Q

Response (IR)

A
  • triage (is it really an incident?), decision to declare, LIMIT DAMAGE
21
Q

Mitigation (IR)

A
  • first containment effort or step, create team, CONTAINMENT IS HERE
22
Q

Reporting (IR)

A
  • to relevant stakeholders (customers, vendors, law enforcement), MANAGEMENT DECISION
23
Q

Recovery (IR)

A
  • returning to normal ops, MANAGEMENT DECISION
24
Q

Remediation (IR)

A
  • root cause is addressed, ROOT CAUSE ANALYSIS
25
Lessons learned (IR)
- prevent recurrence, improve IR process
26
Denial of Service attacks (DoS)
- prevents a system from responding to legitimate requests for service, ties up resources
27
SYN flood attack
- disrupts TCP 3 way handshake
28
Smurf attack
- uses an amplification network (systems under the control of the bad actor) to send many response packets to the victim
29
Botnet
- collection of compromised computing devices (often called bots or zombies)
30
Bot herder
- attacker who remotely controls a botnet via a C2 server, often uses it to launch attacks or send phishing emails
31
Honeypot
- has pseudo flaws and fake data to lure/ distract intruders, can't entrap someone into committing an actual crime, as long as attackers are in the honeypot they are not in the live network and admins can observe them, some IDS can transfer attackers to a padded cell after detection (hardened honeypot)
32
Anti-malware software
- up-to-date definitions, installed on each system/ boundary device/ email server/ etc, now also includes behavioral analysis
33
Policies (blocking malicious code)
- enforce basic sec principles ie least privilege, no local admin, etc
34
Education (blocking malicious code)
- teaching users about risks and methods attackers use to spread viruses
35
Penetration tests
- discover vulns then mimic an attack to identify what can be exploited, never without the consent and knowledge of management, can result in damage so should be done on isolated systems whenever possible, schedule at a time of minimal activity
36
Black box pentesting
- no knowledge of environment
37
White box pentesting
- full knowledge of environment, open book test
38
Gray box pentesting
- partial knowledge of environment
39
IDS
- can respond passively by logging and notifying OR actively by changing the environment, reactive
  - HIDS: monitors activity on a single system only, attackers can discover and disable it
  - NIDS: monitors activity on a network, not as visible to attackers
40
IPS
- placed inline with traffic, can block malicious traffic before it reaches the target, proactive
41
Espionage
- external threat, competitor tries to steal info
42
Sabotage
- insider threat, insiders can become disgruntled and malicious, ie mass deletion/ server shutdowns, data theft
43
Zero-day exploits
- attack that uses a vulnerability that is unknown to anyone but the attacker or to a limited number of people, basic security practices can often prevent these from being fully utilized
44
Common log files
- security logs, system logs, application logs, firewall logs, proxy logs; protected by storing them centrally and restricting access so they can't be modified, read only!
45
Monitoring
- form of auditing, focuses on active review of log file data, used to hold subjects accountable and to monitor system performance, automated by IDS/ SIEM
46
Audit trails
- used to reconstruct events and prove culpability, DETECTIVE security control, essential evidence in the prosecution of criminals
47
Sampling
- extracting elements from a large body of data to construct a meaningful representation of the whole data set
48
Statistical sampling
- uses precise mathematical functions to extract meaningful info from a large volume of data
49
Clipping
- non-statistical sampling, records only events that exceed a threshold
50
Accountability
- maintained for individual users (aka subjects) through AUDITING, logs record user activities and users can be held accountable for logged actions, promotes good user behavior because people know they're being watched
51
Security audits/ reviews
- help ensure that management programs are effective and being followed, commonly associated with account management to prevent violations of least privilege and need to know, can be used to oversee many programs and processes ie patch/ vuln/ change/ config management
52
Auditing
- examination of the environment to ensure compliance, DETECTIVE control, frequency is based on risk (the degree of risk affects how often an audit is performed), secure environments rely heavily on audits
53
Due care
- act with common sense, prudent management, responsible
54
Controlling access to audit reports
- contain sensitive info (purpose/ scope and any results discovered), only people with sufficient privilege should have access, senior security admins should have full details, senior management only needs a high-level summary to meet their requirement for due care
55
Access review
- ensures object access and account management practices support the security policy
56
User entitlement audit
- ensures that least privilege is followed, focused on privileged accounts
57
Access control audit
- can track logon success and failure for any account, includes resource (object) access and actions performed on resources ie mass file exfiltration, an IDS can monitor these logs to easily identify attacks and notify admins
58
Computer crime
- military and intelligence attacks, business attacks, financial attacks, terrorist attacks, grudge attacks, thrill attacks
59
Electronic discovery
- eDiscovery: information identification and governance, preservation and collection, processing, review and analysis, production and presentation (in case of a lawsuit you will need to present the data)
60
Possession (evidence gathering)
- must have possession of equipment/ data to analyze and use it as evidence
61
Modification (evidence gathering)
- must acquire evidence w/o modifying it or allowing anyone else to modify it
62
Chain of evidence
- aka chain of custody, documents all who handle evidence
63
Voluntary surrender
- ask the person who owns the evidence to voluntarily surrender it for the investigation
64
Subpoena
- compels a subject to surrender evidence
65
Search warrant
- used when you need to confiscate evidence without giving the subject the opportunity to alter it
66
Data retention
- ensures critical logs are retained for a reasonable period of time based on security policy/ regulatory requirements, can be maintained in place or in archives
67
Best evidence
- original
68
Secondary evidence
- copy
69
Direct evidence
- proves or disproves an act based on the 5 senses, ie something seen or heard first-hand
70
Conclusive evidence
- cannot be disproven, overrides all other types
71
Circumstantial evidence
- inferred from other info, often comes up in financial crimes
72
Corroborative evidence
- supporting evidence that cannot stand on its own
73
Opinions (evidence)
- expert and non-expert
74
Hearsay (evidence)
- not based on first-hand knowledge
75
Evidence admissibility
- must be relevant to the case, must be material to the case, must be competent (legally collected), must comply with traditional notions of reliability, ie the court is satisfied with the handling and type of evidence
76
Real evidence
- consists of ACTUAL objects that can be brought into a courtroom
77
Documentary evidence
- consists of written documents that provide insight into the facts
78
Testimonial evidence
- consists of verbal or written statements made by witnesses
79
Evidence collection
- start as soon as the incident is discovered, collect as much evidence as possible, can be used in legal action or in identifying the attacker, determine the extent of damage
80
Natural disasters
- earthquakes, floods, tornadoes, etc., can be location specific ie hurricanes near the coast
81
Man made disasters
- explosions, electrical fires, terrorist acts, power outages, other utility failures
82
Hot site
- "proactive" site, replication of production environment, keep servers and a live backup site up and running, allows for IMMEDIATE cutover in case of disaster, is a MUST for mission critical sites, HIGH COST LOW EFFORT
83
Warm site
- "preventative" site, has pre-installed hardware and pre-configured bandwidth, if disaster strikes just load software and data to restore business systems, MEDIUM COST MEDIUM EFFORT
84
Cold site
- just data center space, power, network connectivity. Ready when you need it. If disaster strikes, engineering and logistical support teams can help move hardware into the data center to get you up and running, LOW COST HIGH EFFORT
85
Service Bureau
- company that leases computer time, owns large server farms and often fields of workstations, may be onsite or remote
86
Mobile site
- non-mainstream alternative to traditional recovery sites, consists of self-contained trailers or other easily relocated units
87
Recovery point objective (RPO)
- age of files that have to be recovered from backup storage for normal ops to resume if a system or network goes down
88
Recovery time objective (RTO)
- duration of time and service level within which a business process must be restored after a disaster in order to avoid unacceptable consequences associated with a break in continuity
89
Mutual Assistance Agreements (MAAs)
- entities agree to provide assistance to each other before, during and after an emergency, inexpensive alternative to disaster recovery sites, often happens between government agencies, CONS: both orgs may be shut down by the same disaster, raises confidentiality concerns, difficult to enforce if one side lets the other down
90
Business continuity planning
- STEPS: project scope and planning > business impact assessment > continuity planning > approval and implementation. GOAL: efficient response to enhance a company's ability to recover promptly from a disruptive event
91
BCP (business continuity plan)
- organizational plan for HOW TO continue business
92
COOP (Continuity of operations plan)
- plan for continuing to do business until IT infrastructure is restored
93
DRP (Disaster recovery plan)
- plan for recovering from an IT disaster and having the IT infrastructure back in operation
94
BRP (business resumption plan)
- plan to move from the disaster recovery site back to business environment/ back to normal operations
95
MTBF (mean time between failures)
- estimate of how long a piece of IT infrastructure will continue to work before it fails
96
MTTR (mean time to repair)
- how long it takes to get a piece of hardware/ software repaired and back online
97
MTD (max tolerable downtime)
- time we can be without an unavailable asset BEFORE we must declare a disaster and initiate the DRP
98
Goals of DR and BCP
- minimize the effects of a disaster, improve the responsiveness of employees in different situations, ease confusion by providing written procedures and participation in drills, help make logical decisions during a crisis/ extreme stress
99
Read through test
- distribute copies of DRP for members of the disaster recovery team to review
100
Structured walk-through test (tabletop exercise)
- members of the disaster recovery team gather in a large conference room and role-play a disaster scenario, the scenario is known only to the moderator
101
Simulation test
- similar to a structured walk-through, except response measures are then tested on NON-CRITICAL FUNCTIONS
102
Parallel test
- relocate personnel to the alternate recovery site and implement site activation procedures, employees perform their DRP responsibilities
103
Full interruption test
- shutting down operations at the primary site and using the backup/ recovery site
104
Recovery team
- gets critical business functions running at the alternate site
105
Salvage team
- returns primary site to normal processing conditions
106
Electronic vaulting
- transfers database backups to a remote site as part of a bulk transfer
107
Remote journaling
- transmits journal/ transaction logs to the off-site facility (not the actual files)
108
Remote mirroring
- a live database server is maintained at the backup site, most advanced database backup solution (and the most expensive backup strategy)
109
Non-disaster (disruption category)
- disruption in service from a malfunction or user error
110
Disaster (disruption category)
- whole facility unusable for a day or longer
111
Catastrophe (disruption category)
- major disruption that destroys the facility altogether, requires both short- and long-term solutions
112
Uniform Computer Information Transactions Act (UCITA)
- common framework for the conduct of computer-related business transactions. A federal law, eg use of software licensing