Flashcards in Operation Security Deck (20):
What are the operations security triples?
threats, vulnerabilities, and assets
is the process of capturing a point-in-time understanding of the current system security configuration.
The term vulnerability management
is used rather than just vulnerability scanning to emphasize the need for management of the vulnerability information, not only its collection.
rather than vulnerability, refers to the existence of exploit code for a vulnerability that has yet to be patched.
The term for a vulnerability being known before the existence of a patch is zero-day vulnerability.
is a process of identifying and documenting hardware components, software, and the associated settings.
Involves development of a security-oriented baseline configuration.
It involves tasks such as disabling unnecessary services; removing unnecessary programs; enabling security capabilities such as firewalls, antivirus, and IDS; and configuring security and audit logs.
Configuration Management process
o The change is requested.
o The change is approved.
o The change is documented in the change log.
o The change is tested and presented.
o The change is implemented.
The purpose of the change control process is to understand, communicate, and document any changes, with the primary goal of being able to understand, control, and avoid any direct or indirect negative impact that the changes might impose.
The general flow of the change management process includes:
• Identifying a change
• Proposing a change
• Assessing the risk associated with the change
• Testing the change
• Scheduling the change
• Notifying impacted parties of the change
• Implementing the change
• Reporting results of the change implementation
provide the ability to automatically terminate the processes in response to a failure.
An example would be an automated locking system that defaults to unlock in case of power failure.
refers to the ability of a system to maintain and preserve its security. It implies that a system should be able to protect itself and its information assets if critical processes are terminated or if the system becomes unusable.
An example would be an automated locking system that defaults to lock in case of power failure.
active-active HA cluster
A load-balancing configuration in which all nodes actively process data in advance of a failure.
Hot standby: a configuration in which the backup systems only begin processing when a failure is detected.
o Consists of dedicated block level storage on a dedicated network.
o Made of numerous storage devices such as tape libraries, optical drives and disk arrays.
o They utilize protocols like iSCSI to appear to operating systems as locally attached devices.
o Can provide warm or hot spares.
o Provide additional drive capacity.
o Commonly used in data centers and can span long distances.
o Used to serve and store files.
o Commonly used as FTP servers.
NIST Special Publication 800-61 outlines the incident response life cycle - steps 1 & 2
1) Preparation: training, tools, policies, HW/SW
2) Detection and analysis (identification): analyze events to determine whether an incident is actually occurring or has occurred.
6) Lessons learned: final report and feedback. It is important to remember that the final step feeds back into the first step.
NIST Special Publication 800-61 outlines the incident response life cycle - Step 3 containment
3) Containment: keep further damage from occurring as a result of the incident while the threat is still present; perform a binary (bit-by-bit) forensic backup; capture volatile data.
NIST Special Publication 800-61 outlines the incident response life cycle - step 4 Eradication
4) Eradication (Remediation and review):
1. Removing any malicious software from a compromised system.
2. Understanding the root cause of the incident.
3. Restoring the system to a good state in which it is not vulnerable to further impact. The restore involves either rebuilding the system from scratch or restoring from a known good backup.
4. Strengthening the defenses of the system.
NIST Special Publication 800-61 outlines the incident response life cycle - step 5 Recovery
5) Recovery: involves cautiously restoring the system or systems to operational status.
It ensures that the system is validated, properly restored to operational status, and monitored for potential further compromise.