Operations

Question 1

Administrative Personnel Controls examples

Answer 1

Administrative Personnel Controls
•	Compartmentalization
•	Separation of Duties
•	Collusion
•	Rotation of duties
•	Mandatory Leave 
•	Non-disclosure agreement (NDA)- 
•	Background checks

Question 2

Least Privilege

Answer 2

• Least Privilege- (aka minimum necessary access) subject has no more access than is strictly required to perform duties

Question 3

Need to Know

Answer 3

Need to Know- deals with sensitive data; leverage Mandatory Access Control; access is based on security clearance of subject and data classification of object.

Question 4

Compartmentalization

Answer 4

Compartmentalization- a method for enforcing Need to Know

Question 5

Rotation of duties

Answer 5

Rotation of duties- one person does not perform critical functions without interruption; helps mitigate fraud (cost is always a consideration and can trump some controls)

Question 6

Compartmentalization

Answer 6

Compartmentalization- a method for enforcing Need to Know

Question 7

3 types of controls

Answer 7

Administrative, Technical, Physical

Question 8

Data remanence

Answer 8

Data remanence- data that persists beyond non-invasive means to delete it

Question 9

Wiping

Answer 9

Wiping (aka overwriting)- writes new data over each bit or block; disk damage may prevent successful overwriting

Question 10

Shredding

Answer 10

Shredding- physical destruction; most secure; incineration or pulverization

Question 11

Configuration Management

Answer 11

Configuration Management
• Defined by ISC2 as “a process of identifying and documenting hardware components, software and the associated settings.”

Question 12

Baselining

Answer 12

Baselining- capturing a point in time of the current system security config
o Necessitates monitoring config over time

Question 13

Vulnerability scanning

Answer 13

Vulnerability scanning- discovers poor configs and missing patches

Question 14

Vulnerability management

Answer 14

Vulnerability management- prioritization and remediation of vulnerabilities; prioritization based on risk to org and ease of remediation

Question 15

Full Backup

Answer 15

Full Backup- replica of all data; coupled with incremental or differential

Question 16

Incremental Backup

Answer 16

Incremental Backup- backup files changed since last incremental backup. Odds of failed restoration due to tape integrity increase with each incremental backup.

Question 17

Differential Backup

Answer 17

Differential Backup- backup files changes since the last full backup (does not change the archive bit)

Question 18

Copy Backup

Answer 18

Copy Backup- Same as full backup, but Archive Bit is not reset; Use before upgrades, or system maintenance

Question 19

Mirroring

Answer 19

Mirroring- full data redundancy

Question 20

Striping

Answer 20

Striping- increases read/write performance by spreading data across multiple disks

Question 21

Parity

Answer 21

Parity- data redundancy without the same costs of mirroring. One or more disk drives contain parity information that allows them to rebuild data if a drive failure occurs.

Question 22

RAID 0

Answer 22

RAID 0- Striped Set; increases performance, not data redundancy

Question 23

RAID 1

Answer 23

RAID 1- Mirrored Set; duplicate data on added disk; write performance decreased; read performance increased

Question 24

RAID 5

Answer 24

RAID 5- striped set with distributed parity (block level); one of the most popular; distributes parity across disks

Question 25

RAID 1 + 0

Answer 25

RAID 1 + 0 (aka RAID 10)- striped set of mirrors

Question 26

Clustering

Answer 26

Clustering is a fault tolerant server technology that is similar to redundant servers, except each server takes part in processing services that are requested.

Question 27

Traffic Analysis

Answer 27

Traffic Analysis (aka Side Channel Analysis)- Watching traffic and its patterns to try and determine if something special is taking place

Question 28

Traffic Padding

Answer 28

Traffic Padding- Generating spurious data in traffic to make traffic analysis more difficult

Question 29

Protocol Analyzers

Answer 29

Protocol Analyzers (Sniffers)- run on switches in promiscuous mode using port span

Question 30

Types of IDS

Answer 30

``` IDS (Intrusion Detection System)- Pattern Matching: • Rule-Based Intrusion Detection • Signature-Based Intrusion Detection—MOST COMMON • Knowledge-Based Intrusion Detection ``` Profile Comparison: • Statistical-Based Intrusion Detection • Anomaly-Based Intrusion Detection • Behavior-Based Intrusion Detection

Question 31

Signature-Based Intrusion Detection

Answer 31

Signature-Based Intrusion Detection o IDS has a database of signatures which are patterns of previously identified attacks o Cannot identify new attacks o Database needs continual updates

Question 32

Behavior-Based Intrusion Detection

Answer 32

Behavior-Based Intrusion Detection o Compares audit files, logs, and network behavior, and develops and maintains profiles of normal behavior o Better defense against new attacks o Creates many false positives

Question 33

NIST Computer Security Incident Handling Guide has 4 steps in incident lifecycle

Answer 33

NIST Computer Security Incident Handling Guide has 4 steps in incident lifecycle: 1. Preparation- training, defining policies & procedures, tools 2. Detection and Analysis (aka identification)- determine if events are an incident 3. Containment- keep further damage from occurring o Eradication- understanding cause so that the sys can be cleaned; root cause analysis; timeline developed to know when latest backup/image is good o Recovery- system restoration; monitor closely after returning to production 4. Post-incident activity (aka lessons learned, remediation, post mortem, reporting)- most likely to be neglected; feeds back to preparation.

Question 34

Threat vectors (and examples)

Answer 34

Threat vectors- mediums that allow a threat agent to potentially exploit a vulnerability. e.g.: o Network- attack against ports open through network and firewalls; most commonly defended against o Web applications- attack against web app, associated server, and content o Email attachment- malicious files that exploit client-side app vulnerabilities o Phone lines- oldest and often overlooked o Browser- hosts a malicious website or leverages a compromised trusted site o Pivot attack- leverages and internal client (already compromised) to attack internal servers o Insider threat- employee or contractor

Question 35

Security Assessment

Answer 35

Security Assessment- a physical, administrative, and logical holistic approach to assessing effectiveness of security controls.

Question 36

Penetration Testing

Answer 36

Penetration Testing- Ethical hacking to validate discovered weaknesses; Red Teams (Attack)/Blue Teams (Defend)

Question 37

NIST SP 800-42

Answer 37

NIST SP 800-42 Guideline on Security Testing

Question 38

Blind test

Answer 38

Blind test: The assessors have only publicly available knowledge. The network team knows that testing is taking place

Question 39

Double Blind test

Answer 39

Double Blind test: The assessors have only publicly available knowledge, but in this instance the network teams do NOT know the test is taking place. This will allow evaluation of incident response.

Question 40

Targeted test

Answer 40

Targeted test: External consultants work with internal staff to focus on specific systems or applications

Question 41

Test Attack Phases

Answer 41

Test Attack Phases: 1. Planning 2. Reconnaissance- WhoIs Database, Company Website, Job Search Engines, Social Networking 3. Footprinting- Mapping the network (Nmap); ICMP ping sweeps; DNS zone transfers 4. Fingerprinting- Identifying host information; Port scanning 5. Vulnerability assessment- Identifying weaknesses in system configurations; discovering unpatched software 6. The “attack”- Penetration; Privilege escalation; Root kits; Cover tracks with Trojaned Programs and Log Scrubbers 7. Reporting

Question 42

Vulnerability Testing

Answer 42

Vulnerability Testing- Aka vulnerability scanning; Scans sys or network for list of predefined vulnerabilities