Real Exam 2 Written Flashcards

1
Q

Describe the functionality of an IDS.

A

An IDS (intrusion detection system) detects unauthorized access to, or attacks against, systems and networks. It can identify, itemize, and characterize threats originating both outside and inside the network. Detection only: by itself an IDS alerts, it does not block (that is the IPS role).

2
Q

Describe the three modes of detection for an IDS

A

Signature based - Analyzes traffic for patterns (signatures) associated with known attacks stored in a database. Precise, but blind to anything without a signature.

Anomaly based - Analyzes traffic and compares it to normal or baseline traffic, looking for deviations that might indicate an attack. Catches novel attacks, but produces false positives when the baseline drifts.

Rule/Heuristic based - Analyzes traffic using pre-configured rules and an inference engine to determine when the characteristics of an attack exist.

3
Q

What is the Security Onion

A

An open-source Linux distribution that bundles a suite of tools providing IDS and IPS functionality, network security monitoring, and log management/analysis.

4
Q

What are the hardware requirements for the Security Onion

A

64-bit CPU with 4 cores, 8 GB RAM, 40-60 GB of disk capacity

5
Q

What is the purpose of NSM? Describe the functionality of the four major utility types found in Security Onion.

A

Network security monitoring (NSM):
Collects and displays suspicious network activity
Analyzes alerts of suspicious activity
Collects packets (full packet capture) for analysis
Gives an overview of network activity

Four major utility types in Security Onion:
IDS/IPS: Snort
Host-based IDS (HIDS): OSSEC
Network/session analysis: Bro (now Zeek)
Alert and log visibility (analyst consoles): Sguil, ELSA
6
Q

Describe sources of Event Logs

A

Network devices/appliances (routers, switches, firewalls, IDS/IPS)
End devices (servers and workstations: OS, application, and security logs)
IoT devices

7
Q

What are the Cisco alert logging categories

A
0 emergency: System unusable
1 alert: Immediate action needed
2 critical: Critical conditions
3 error: Error conditions
4 warning: Warning conditions
5 notice: Normal, but significant condition
6 informational: Informational messages only
7 debug: Debugging messages
(Lower number = more severe; these are the standard syslog severity levels, so `logging trap warnings` sends levels 0-4.)
8
Q

What can be used to centralize logs from network devices

A

A central logging server running a centralized log management application that speaks syslog (e.g. rsyslog, syslog-ng, or a SIEM collector), with each network device configured to send its messages to it.

9
Q

What can be used to centralize logs from windows devices

A

Windows Event Forwarding: an event log subscription between a source computer and a collector. On the source, enable Windows Remote Management (WinRM) and add the collector's computer account to the local Event Log Readers group; on the collector, enable the Windows Event Collector service and create the subscription that pulls the events.

10
Q

Describe the 3 major logs available in a Windows environment

A

SYSTEM: Operating System events
SECURITY: Security events
APPLICATION: Application Events

11
Q

What are the three event levels (types) seen in Windows logs?

A

Information: Describes the successful operation of a task, such as an application, driver, or service. E.g. a network drive loads successfully.
Warning: Not necessarily significant, but may indicate a possible future problem. E.g. disk space is running low.
Error: Indicates a significant problem such as loss of data or loss of functionality. E.g. a service fails to load during startup.

12
Q

Audited events appear in which Windows Log?

A

Security Event Log

13
Q

Describe how RSYSLOG is configured and deployed on a LINUX computer

A

Install rsyslog on both hosts (the rsyslog package)
Configure the rsyslog server to accept remote log messages (load the imudp and/or imtcp input module and listen on port 514)
Configure the rsyslog client to forward events to the server, over UDP (@server:514) or TCP (@@server:514)
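The three cards above (Cisco severity levels, centralizing logs, and rsyslog forwarding over UDP) describe the same syslog mechanics. The following is an added example, not part of the flashcards or of any rsyslog code: it builds and parses BSD-style syslog lines, shows how the <PRI> field packs facility and severity (facility * 8 + severity), applies the same severity filter an rsyslog selector such as `*.warning @collector` would, and sends a line over UDP the way rsyslog's omudp action does. The hostnames, addresses, and message texts are constructed samples in the style of Cisco IOS output.

```python
import socket
from datetime import datetime

# Severity levels 0-7 (RFC 5424 and Cisco logging levels); 0 is the most severe.
SEVERITY = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
            4: "warning", 5: "notice", 6: "informational", 7: "debug"}
# A subset of facility codes: 4 = auth, 16-23 = local0-local7 (commonly used by network gear).
FACILITY = {0: "kern", 1: "user", 3: "daemon", 4: "auth", 16: "local0", 23: "local7"}


def encode_pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity; it is sent as <PRI> at the start of every message."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def decode_pri(pri: int) -> tuple[str, str]:
    return FACILITY.get(pri // 8, f"facility{pri // 8}"), SEVERITY[pri % 8]


def build_message(facility: int, severity: int, host: str, tag: str, msg: str,
                  when: datetime = datetime(2024, 1, 15, 10, 30, 0)) -> bytes:
    """Build a BSD-style (RFC 3164) line: <PRI>Mmm dd hh:mm:ss host tag: msg.
    The fixed default timestamp keeps the constructed samples reproducible."""
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"   # RFC 3164 space-pads the day
    return f"<{encode_pri(facility, severity)}>{ts} {host} {tag}: {msg}".encode()


def parse_message(raw: bytes) -> dict:
    text = raw.decode(errors="replace")
    if not text.startswith("<") or ">" not in text[:5]:
        raise ValueError("missing <PRI>")
    end = text.index(">")
    pri = int(text[1:end])
    rest = text[end + 1:]
    host, body = rest[16:].split(" ", 1)           # 15-char timestamp + one space
    tag, _, msg = body.partition(": ")
    facility, severity = decode_pri(pri)
    return {"pri": pri, "facility": facility, "severity": severity,
            "timestamp": rest[:15], "host": host, "tag": tag, "message": msg}


def should_forward(event: dict, max_severity: int = 4) -> bool:
    """Keep warning (4) and anything more severe, i.e. what the rsyslog selector
    '*.warning' matches; informational and debug chatter stays local."""
    return event["pri"] % 8 <= max_severity


def send_udp(raw: bytes, collector: str, port: int = 514) -> int:
    """Fire-and-forget delivery like rsyslog's '@collector' (omudp) action: no
    acknowledgement and no encryption, so use it only on a trusted management network."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(raw, (collector, port))


# Constructed sample events in the style of Cisco IOS syslog output (not real captures).
SAMPLES = [
    build_message(23, 3, "edge-rtr1", "%LINK-3-UPDOWN", "Interface GigabitEthernet0/1, changed state to down"),
    build_message(23, 6, "edge-rtr1", "%SYS-6-LOGOUT", "User admin has exited tty session 1"),
    build_message(4, 4, "edge-rtr1", "%SEC_LOGIN-4-LOGIN_FAILED", "Login failed [user: admin] [Source: 203.0.113.9]"),
]


def triage(raws=SAMPLES) -> list[dict]:
    """Parse every line and return only those worth sending to the central server."""
    return [ev for ev in map(parse_message, raws) if should_forward(ev)]


if __name__ == "__main__":
    for ev in triage():
        print(f"{ev['severity']:<8} {ev['facility']:<7} {ev['host']} {ev['tag']}: {ev['message']}")
```

Because UDP syslog has no delivery guarantee and no integrity protection, a collector that must be trusted for incident response should receive over TCP (rsyslog `@@host`) or TLS, and the sending device's clock should be NTP-synchronized so the timestamps correlate across sources.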

14
Q

What are the three default chains in IPtables?

A

INPUT chain - Packets arriving at the firewall host that are destined for a local process on that host
OUTPUT chain - Packets generated by a local process on the firewall host and leaving it
FORWARD chain - Packets routed through the host from one interface to another (neither originating from nor destined to a local process); only relevant when IP forwarding is enabled

15
Q

What are the three possible actions which can be taken to packets with IPtables?

A

ACCEPT, DROP, and REJECT. DROP discards the packet silently; REJECT discards it and sends an error back to the sender (an ICMP port-unreachable, or a TCP RST with `--reject-with tcp-reset`). Rules are evaluated top to bottom and the first match wins; the chain's default policy applies if nothing matches.
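To make the two iptables cards concrete, the following is an added example (not from the flashcards and not iptables code): a small simulator of the filter table's three built-in chains with first-match rule evaluation, default policies, and the observable difference between DROP and REJECT, plus a rendering of the equivalent `iptables` commands. The addresses, the local-address set, and the policy it installs are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

LOCAL_ADDRS = {"192.0.2.10"}   # constructed: addresses that belong to this host


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    locally_generated: bool = False  # True for packets created by a local process


@dataclass
class Rule:
    target: str                    # ACCEPT, DROP or REJECT
    proto: Optional[str] = None
    src: Optional[str] = None      # CIDR such as "203.0.113.0/24"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.src and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        return True

    def as_command(self, chain: str) -> str:
        """Render the rule as the equivalent iptables invocation."""
        parts = [f"iptables -A {chain}"]
        if self.proto:
            parts.append(f"-p {self.proto}")
        if self.src:
            parts.append(f"-s {self.src}")
        if self.dport is not None:
            parts.append(f"--dport {self.dport}")
        parts.append(f"-j {self.target}")
        return " ".join(parts)


@dataclass
class Chain:
    policy: str = "ACCEPT"         # applied when no rule matches (iptables -P)
    rules: list = field(default_factory=list)

    def verdict(self, p: Packet) -> str:
        for r in self.rules:       # first matching rule wins; later rules are never consulted
            if r.matches(p):
                return r.target
        return self.policy


def select_chain(p: Packet) -> str:
    """Every packet traverses exactly one of the filter table's built-in chains."""
    if p.locally_generated:
        return "OUTPUT"
    return "INPUT" if p.dst in LOCAL_ADDRS else "FORWARD"


def filter_packet(chains: dict, p: Packet) -> tuple[str, str, Optional[str]]:
    """Return (chain, verdict, what the sender sees). DROP is silent; REJECT answers with a
    TCP RST or an ICMP port-unreachable, which is friendlier to legitimate clients but
    confirms to a scanner that a host is there."""
    chain = select_chain(p)
    verdict = chains[chain].verdict(p)
    response = None
    if verdict == "REJECT":
        response = "tcp-reset" if p.proto == "tcp" else "icmp-port-unreachable"
    return chain, verdict, response


def build_firewall() -> dict:
    """Default-deny inbound and forwarded traffic, SSH only from the admin subnet,
    fast-fail REJECT for the internal user range, silent DROP for everyone else."""
    inbound = Chain(policy="DROP", rules=[
        Rule("ACCEPT", proto="tcp", src="203.0.113.0/24", dport=22),
        Rule("REJECT", proto="tcp", src="10.0.0.0/8"),
    ])
    return {"INPUT": inbound, "OUTPUT": Chain(policy="ACCEPT"), "FORWARD": Chain(policy="DROP")}


def render(chains: dict) -> list[str]:
    """The iptables commands that would install this policy on a real host."""
    lines = [f"iptables -P {name} {c.policy}" for name, c in chains.items()]
    for name, c in chains.items():
        lines += [r.as_command(name) for r in c.rules]
    return lines


if __name__ == "__main__":
    print("\n".join(render(build_firewall())))
```

The simulator is stateless; on a real host with a default-DROP INPUT policy you also need a connection-tracking rule such as `iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`, or replies to the host's own outbound connections are dropped.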

16
Q

Where are RSYSLOG events stored by default in linux?

A

/var/log/messages on Red Hat-family systems (/var/log/syslog on Debian/Ubuntu), as directed by the rules in /etc/rsyslog.conf and /etc/rsyslog.d/

17
Q

Describe the functionality of Splunk

A

Splunk captures, indexes, and correlates real-time machine data in a searchable repository

18
Q

Describe the functionality of ELSA

A

Log receiver, archiver, and indexer with a web front end for incoming syslog data. The web interface lets an analyst search across several types of logs.

19
Q

Describe the functionality of Dumpit

A

Generates a raw physical memory (RAM) dump of a Windows system into a single file, capturing volatile evidence (running processes, network connections, loaded drivers) for later analysis.

20
Q

Describe the functionality of Volatility

A

Analyzes memory images from 32- and 64-bit systems, whether acquired as a raw dump or as a crash dump, to extract processes, network connections, loaded modules, and other volatile artifacts.

21
Q

Name four stakeholders involved in the IR process

A

HR, Legal, Marketing, and Management

22
Q

Describe 6 common network signs of a security incident

A

Bandwidth consumption: Abnormal, non-legitimate traffic volume

Beaconing: Traffic leaving the network at regular intervals from an internal host attempting to phone home to a command-and-control server

Irregular peer-to-peer communication: Abnormal communication between peers; could indicate something like illegal file sharing or lateral movement

Rogue devices: E.g. wireless keyloggers that collect information and transmit it to the criminal

Unusual traffic spikes: Something like a sudden increase in bandwidth usage or network traffic

Unknown scan sweeps: A scan taking place without a known penetration test or routine vulnerability scan to explain it
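Beaconing is the one sign in this list that is easy to miss by eye and easy to catch statistically, so the following is an added example (not from the flashcards): it groups constructed flow records by source/destination pair, computes the inter-arrival gaps, and flags pairs whose gaps are nearly constant (low coefficient of variation), which is what a timer-driven implant looks like. The flow records and the addresses are constructed, and the thresholds are assumptions to be tuned per network.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (epoch seconds, src, dst, bytes), not real captures.
# 10.0.0.5 contacts 203.0.113.44 roughly every 300 s with a few seconds of jitter,
# the pattern of an implant phoning home; 10.0.0.7 is ordinary bursty browsing.
FLOWS = [
    (0, "10.0.0.5", "203.0.113.44", 412), (302, "10.0.0.5", "203.0.113.44", 410),
    (598, "10.0.0.5", "203.0.113.44", 415), (905, "10.0.0.5", "203.0.113.44", 411),
    (1199, "10.0.0.5", "203.0.113.44", 412), (1502, "10.0.0.5", "203.0.113.44", 409),
    (1798, "10.0.0.5", "203.0.113.44", 413), (2101, "10.0.0.5", "203.0.113.44", 412),
    (10, "10.0.0.7", "198.51.100.80", 1500), (25, "10.0.0.7", "198.51.100.80", 83000),
    (400, "10.0.0.7", "198.51.100.80", 2200), (412, "10.0.0.7", "198.51.100.80", 600),
    (413, "10.0.0.7", "198.51.100.80", 910), (1500, "10.0.0.7", "198.51.100.80", 40200),
    (2200, "10.0.0.7", "198.51.100.80", 1800), (2210, "10.0.0.7", "198.51.100.80", 3100),
]


def intervals_by_pair(flows):
    """Group flows by (src, dst) and return the inter-arrival gaps for each pair."""
    times = defaultdict(list)
    for t, src, dst, _ in flows:
        times[(src, dst)].append(t)
    out = {}
    for pair, ts in times.items():
        ts.sort()
        out[pair] = [b - a for a, b in zip(ts, ts[1:])]
    return out


def beacon_score(intervals):
    """Coefficient of variation (stdev / mean) of the gaps. Human traffic is bursty
    (CV well above 1); a timer-driven beacon is metronomic (CV near 0)."""
    if len(intervals) < 3:
        return None
    m = mean(intervals)
    return pstdev(intervals) / m if m > 0 else None


def find_beacons(flows=FLOWS, min_connections=6, max_cv=0.2):
    hits = []
    for (src, dst), gaps in intervals_by_pair(flows).items():
        if len(gaps) + 1 < min_connections:   # too few samples to call it periodic
            continue
        cv = beacon_score(gaps)
        if cv is not None and cv <= max_cv:
            hits.append({"src": src, "dst": dst, "period_s": round(mean(gaps)), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for h in find_beacons():
        print(f"beacon candidate {h['src']} -> {h['dst']} every ~{h['period_s']} s (CV {h['cv']})")
```

Malware that adds large random jitter, or that beacons through a CDN shared with legitimate traffic, pushes the CV above a strict threshold; in practice this check is combined with near-constant payload sizes, long-lived pairs with no matching DNS resolution, and destination reputation rather than used alone. Legitimate software updaters and NTP clients also beacon, so expect an allow-list.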

23
Q

Describe 10 common host signs of a security incident

A
Abnormal processor (CPU) consumption
Abnormal memory consumption
Unexplained loss of hard drive capacity
Unauthorized software
Malicious processes
Unauthorized privileges (privilege escalation)
Data exfiltration
Unauthorized changes (to files, configuration, or accounts)
24
Q

Describe any three containment techniques

A

Segmentation: Limits the scope of an incident by dividing the network into segments by using “barriers” to prevent the spread into other networks

Isolation: Blocking traffic to and from the device or by shutting down interfaces

Removal: Shutdown the device, but not advisable because you can erase volatile evidence

25
Q

Describe three important things to consider when eradicating a threat

A

Sanitization: remove all traces of threat by overwriting the drive multiple times

Reconstruction/Reimage: Rebuilding the system after sanitization

Secure Disposal: Dispose a compromised device rather than sanitize

Clearing: Remove data so that it can't be recovered or reconstructed by ordinary means

Purging: Makes data unreadable

Destruction: Destroying the physical media that contains the data

26
Q

Describe three things you can do to validate that your system is back up and running securely after a security incident

A

Patching: Check/install updates (OS, application, anti-virus, firmware)

Permissions: Review all permissions to ensure they’re all set correctly

Scanning: Use a vulnerability scanner to scan affected devices from an incident

27
Q

Given any of the following compliance laws, determine the application: SOX, HIPAA, GLBA, CFAA.

A

SOX: Controls accounting methods and financial reporting

HIPAA-Standards/procedures for storing, using, transmitting medical info and healthcare data

GLBA: Provides guidelines for securing customers' financial information and prohibits sharing financial information with third parties

CFAA: affects entities that might engage in hacking of “protected” computers

28
Q

Describe the usage of the following frameworks: NIST SP 800-53, NIST Cybersecurity Framework, ISO 27000, COBIT, ITIL

A

NIST SP 800-53: Security and privacy control catalog developed by NIST (part of the US Department of Commerce). Divides controls into technical, operational, and management classes.

NIST Cybersecurity Framework: IT security framework organized around five functions: Identify, Protect, Detect, Respond, and Recover.

ISO 27000: Family of security program development standards describing how to build and maintain an Information Security Management System (ISMS).

COBIT: IT governance framework that uses process methods to subdivide IT into four domains: Plan/Organize, Acquire/Implement, Deliver/Support, Monitor/Evaluate.

ITIL: Information Technology Infrastructure Library, developed by the UK Office of Government Commerce (OGC). An IT service management framework, primarily concerned with service delivery and service level agreements (SLAs).

29
Q

What are the five functions in the NIST cybersecurity framework (important!) (be able to apply to a scenario)

A

Identify, Protect, Detect, Respond, and Recover

30
Q

Describe any three high level policy categories

A

Acceptable Use Policy: Informs users of the actions that are allowed and those that are not allowed

Password Policy: Up to organization to decide

Data Ownership Policy: Covers how the owner of data is identified

31
Q

Describe five out of the seven categories of controls

A

Compensating (compensative): Substitutes for a primary control that cannot be implemented and mitigates the same risk

Corrective: Reduce the effect of an attack

Detective: Detect an attack and alert appropriate personnel

Deterrent: To deter or discourage an attacker

Directive: Specify acceptable practice within an organization

32
Q

Describe 4 types of context based authentication

A

Time: Permitting or denying access to a company’s resources based on the time of day

Location: The geolocation of the person trying to access the resource, used to identify and authenticate based on where the request originated

Frequency: Based on the frequency of the requests, multiple requests may be somebody initiating a password-cracking attack

Behavior: Tracking the behavior of an individual and locating any discrepancy that arises when they fail to match the behavioral trend
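The four context checks on this card are easiest to understand as a policy that runs before the primary credential is even verified. The following is an added example (not from the flashcards): a small evaluator that applies a time window, a location allow-list, a sliding-window frequency limit, and a behavioural "impossible travel" check against the user's last accepted request, then runs a constructed set of login attempts through it. The policy values, user names, and countries are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Policy:
    hours: tuple = (7, 19)                        # access permitted 07:00-18:59 (policy time zone)
    allowed_countries: frozenset = frozenset({"US", "CA"})
    max_attempts: int = 5                         # per user within `window`
    window: timedelta = timedelta(minutes=10)
    travel_limit: timedelta = timedelta(hours=2)  # a country change faster than this is suspicious


class ContextEvaluator:
    """Evaluates time, location, frequency and behaviour for each authentication request."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.attempts = defaultdict(deque)   # user -> timestamps of recent attempts (sliding window)
        self.last_seen = {}                  # user -> (time, country) of the last accepted request

    def evaluate(self, user: str, when: datetime, country: str):
        p, reasons = self.policy, []
        # Time: deny outside the permitted window.
        if not (p.hours[0] <= when.hour < p.hours[1]):
            reasons.append("outside permitted hours")
        # Location: the request's geolocation must be on the allow-list.
        if country not in p.allowed_countries:
            reasons.append(f"location {country} not allowed")
        # Frequency: too many attempts in the window looks like password guessing.
        q = self.attempts[user]
        q.append(when)
        while q and when - q[0] > p.window:
            q.popleft()
        if len(q) > p.max_attempts:
            reasons.append(f"{len(q)} attempts within {p.window}")
        # Behaviour: compare with the user's established pattern (impossible travel).
        prev = self.last_seen.get(user)
        if prev and prev[1] != country and when - prev[0] < p.travel_limit:
            reasons.append(f"seen in {prev[1]} {when - prev[0]} ago, now {country}")
        ok = not reasons
        if ok:
            self.last_seen[user] = (when, country)
        return ok, reasons


def run_scenario():
    """Constructed login attempts against the default policy; returns (user, ok, reasons) rows."""
    ev = ContextEvaluator(Policy())
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    attempts = [("alice", t0, "US"),
                ("alice", t0 + timedelta(minutes=30), "CA"),      # allowed country, impossible travel
                ("bob", t0.replace(hour=3), "US"),                # 03:00, outside hours
                ("carol", t0, "RU")]                              # location not allowed
    attempts += [("mallory", t0 + timedelta(seconds=i), "US") for i in range(6)]  # 6 tries in 6 s
    rows = []
    for user, when, country in attempts:
        ok, reasons = ev.evaluate(user, when, country)
        rows.append((user, ok, reasons))
    return rows


if __name__ == "__main__":
    for user, ok, reasons in run_scenario():
        print(f"{user:<8} {'ALLOW' if ok else 'DENY':<6} {'; '.join(reasons)}")
```

Two practical caveats: geolocation of an IP address is an estimate (VPNs and mobile carriers move users between countries without travel), so the location and behaviour checks usually trigger step-up authentication rather than a hard deny; and the per-user attempt counter must be keyed on the username as submitted, not only on the source address, or a distributed guessing attack is never counted.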

33
Q

Name any three security issues related to personnel

A

Dormant accounts remaining active leading to a disgruntled employee using that account to compromise company resources.

Easily guessed passwords, whereas complex passwords are more difficult to crack

Poor credential management; example: the local and domain administrator have the same username and password

34
Q

When looking at the lifecycle of accounts which is often overlooked?

A

The removal/disablement of accounts

35
Q

Name 3 security issues related to endpoints

A

Malicious software
People/End Users
Rogue Endpoints

36
Q

Name 3 advantages of Kerberos

A

User passwords do not need to be sent over the network

Both the client and server authenticate each other

The tickets passed between the server and client are time-stamped and include lifetime information

37
Q

Name 3 disadvantages of Kerberos

A

KDC redundancy is required if providing fault tolerance is a requirement. The KDC is a single point of failure.

The KDC must be scalable to ensure that performance of the system does not degrade.

Session keys on the client machines can be compromised.

38
Q

Name any 3 security issues related to RADIUS

A

The RADIUS shared secret can be weak because of poor configuration or because a default configuration was left in place

RADIUS Access-Request messages sent by RADIUS client are not authenticated

Only a few sensitive attributes (notably User-Password) are obfuscated, using the weak MD5-based RADIUS "hiding" mechanism keyed by the shared secret; the rest of the packet travels in cleartext
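The three RADIUS issues on this card compound each other, and the following added example (not from the flashcards, not code from any RADIUS implementation) shows how: it implements the User-Password hiding from RFC 2865 section 5.2 (MD5 of the shared secret and the Request Authenticator, XORed with the padded password, chained per 16-byte block), the server-side inverse, and an offline dictionary attack that recovers a weak shared secret from a single captured Access-Request for an account whose password the attacker already knows. The wordlist and the "hunter2" password are constructed; "testing123" is the shared secret in FreeRADIUS's default clients.conf.

```python
import hashlib
import os


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: pad to a 16-byte multiple, then
    c1 = p1 XOR MD5(secret + RequestAuthenticator), c_n = p_n XOR MD5(secret + c_{n-1})."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1-128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out, prev = out + c, c
    return out


def unhide_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse operation performed by the RADIUS server."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def recover_secret(authenticator: bytes, hidden: bytes, known_password: bytes, candidates):
    """Offline dictionary attack. The attacker captured one Access-Request (the Request
    Authenticator and the User-Password attribute are both visible on the wire) for an
    account whose password they know, e.g. their own, and tries candidate secrets until the
    hiding reproduces the captured bytes. Nothing in the protocol stops this: the request is
    not authenticated and the construction is plain MD5, so every guess is one hash."""
    for cand in candidates:
        if hide_password(cand, authenticator, known_password) == hidden:
            return cand
    return None


# Constructed wordlist; "testing123" is the shared secret shipped in FreeRADIUS's
# default clients.conf, the kind of default that ends up in production.
WORDLIST = [b"radius", b"secret", b"password", b"cisco", b"testing123", b"changeme"]


def demo():
    authenticator = os.urandom(16)                   # the NAS picks this at random per request
    captured = hide_password(b"testing123", authenticator, b"hunter2")
    return recover_secret(authenticator, captured, b"hunter2", WORDLIST)


if __name__ == "__main__":
    print("recovered shared secret:", demo())
```

Once the secret is known, every other User-Password on that NAS-to-server path can be decrypted from a capture, and Access-Accept responses can be forged. Mitigations are a long random per-client secret, enabling Message-Authenticator on requests, and carrying RADIUS over TLS (RadSec) or an IPsec tunnel rather than bare UDP.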

39
Q

Name any 3 security issues related to TACACS

A

If TACACS+ applications are compromised on a server, then the server’s account database can be accessed by the attacker

TACACS+ is vulnerable to replay attacks: although it runs over TCP, the protocol itself provides no protection against an attacker replaying captured packets

Lack of integrity checking allows an attacker with access to the wire to flip most of the bits in a packet avoiding detection

40
Q

What is a federation?

A

A federation is a group of organizations that agree to enforce a common set of policies and standards. Those policies and standards define how to provision and manage user identities, authentication, and authorization across the member organizations.

41
Q

What is SAML?

A

SAML(Security Assertion Markup Language) is a security model built on XML and SOAP-based services that allows for the exchange of authentication and authorization data between systems and supports federated identity management.

42
Q

Name any 3 exploits against identity and authentication


A

Impersonation
Man-in-the-middle
Session-Hijacking

43
Q

Describe 3 data analytic methods

A

Data Aggregation and Correlation
Aggregation is collecting a large amount of data and filtering/summarizing it based on common variables while correlation is the process of locating said variables in the related information

Trend Analysis
Analyzes and tracks the trends on anomalies based on the established security baseline

Historical Analysis
Analysis that is carried out towards a goal to determine the history of a value over a period of time
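All three methods on this card are best seen on one data set. The following is an added example (not from the flashcards): it parses constructed sshd authentication lines, then applies aggregation (failure counts and distinct usernames per source), correlation (a successful login from a source that had just produced a burst of failures), and trend analysis (failures per minute against an assumed baseline). The log lines, hostnames, addresses, and the baseline value are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sshd auth.log lines (not real data): a password-guessing host that
# eventually succeeds, a legitimate key-based login, and a low-volume guesser.
LOG_LINES = """\
Jan 15 10:30:01 bastion sshd[2201]: Failed password for root from 203.0.113.9 port 51234 ssh2
Jan 15 10:30:09 bastion sshd[2203]: Failed password for invalid user admin from 203.0.113.9 port 51240 ssh2
Jan 15 10:30:17 bastion sshd[2205]: Failed password for invalid user oracle from 203.0.113.9 port 51251 ssh2
Jan 15 10:30:26 bastion sshd[2208]: Failed password for root from 203.0.113.9 port 51263 ssh2
Jan 15 10:30:38 bastion sshd[2210]: Failed password for deploy from 203.0.113.9 port 51270 ssh2
Jan 15 10:30:44 bastion sshd[2212]: Accepted password for deploy from 203.0.113.9 port 51280 ssh2
Jan 15 10:31:00 bastion sshd[2215]: Accepted publickey for alice from 10.0.0.8 port 50002 ssh2
Jan 15 10:32:10 bastion sshd[2220]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2
Jan 15 10:32:41 bastion sshd[2222]: Failed password for invalid user admin from 198.51.100.7 port 40011 ssh2
Jan 15 10:33:02 bastion sshd[2223]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
""".splitlines()

LOG_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (Accepted|Failed) \w+ for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+")


def parse(lines=LOG_LINES, year=2024):
    """Normalise raw lines into events; lines that do not match (the pam line here) are
    skipped. Syslog timestamps carry no year, so one is supplied."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, host, outcome, user, src = m.groups()
        events.append({"time": datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"),
                       "host": host, "outcome": outcome, "user": user, "src": src})
    return events


def aggregate(events):
    """Aggregation: collapse many lines into a per-source summary."""
    fails, users = Counter(), defaultdict(set)
    for e in events:
        if e["outcome"] == "Failed":
            fails[e["src"]] += 1
            users[e["src"]].add(e["user"])
    return {src: {"failures": n, "distinct_users": len(users[src])} for src, n in fails.items()}


def correlate(events, min_failures=3, window=timedelta(minutes=5)):
    """Correlation: a success from a source that produced a burst of failures just before it.
    Neither event alone is alarming; together they indicate a probably guessed credential."""
    findings = []
    for e in events:
        if e["outcome"] != "Accepted":
            continue
        prior = [f for f in events if f["outcome"] == "Failed" and f["src"] == e["src"]
                 and e["time"] - window <= f["time"] < e["time"]]
        if len(prior) >= min_failures:
            findings.append({"src": e["src"], "user": e["user"], "time": e["time"],
                             "failures_before": len(prior)})
    return findings


def trend(events, baseline_per_minute=1.0, factor=3):
    """Trend analysis: failures per minute compared with an established baseline;
    returns the minutes whose failure count exceeds baseline * factor."""
    per_minute = Counter(e["time"].replace(second=0) for e in events if e["outcome"] == "Failed")
    return sorted(m for m, n in per_minute.items() if n > baseline_per_minute * factor)


if __name__ == "__main__":
    ev = parse()
    print("per-source:", aggregate(ev))
    print("correlated:", correlate(ev))
    print("spikes:", trend(ev))
```

In a SIEM the same three steps are a group-by, a join on source address within a time window, and a comparison against a learned baseline; the point of the baseline is that 5 failures per minute is noise on a public bastion and an incident on an internal jump host.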

44
Q

Describe 3 methods of defense in depth

A

Security Appliances: Hardware devices that are designed to provide some function that supports the securing of the network or detecting vulnerabilities and attacks. Ex: IPS, IDS, Firewalls, SIEM systems, Hardware encryption devices.

Security Suites: Collection of security utilities combined into a single tool. Ex: Gateway protection, Mail server protection, File server protection, Client protection, Centralized management.

Outsourcing: Third parties that are contractually obliged to perform adequate security activities; the company should confirm those activities before launching any product or service that results from the third-party engagement.

45
Q

Describe 4 uses of cryptography

A

Authentication: Provide authentication by being able to determine the sender’s identity and validity: Digital Signatures

Confidentiality: Ensure the data cannot be read by normal means, by encrypting it with a symmetric key or a public/private key pair

Integrity: The use of hash functions to allow valid recipients to verify that data has not been altered.

Authorization: Provides authorization by providing a key to a valid user after that user proves his identity through authentication such as Kerberos and TGT.

46
Q

Describe 4 types of transport encryption

A

SSL/TLS: Allows the exchange of private information between two parties. SSL provides encryption, server and client authentication, and message integrity. TLS is its more extensible successor and provides privacy and data integrity between two communicating applications (all SSL versions are now deprecated).

HTTP/HTTPS/S-HTTP: HTTP transmits website data between a web server and a web client in cleartext. HTTPS is HTTP carried over an SSL/TLS session, so the entire session is encrypted; S-HTTP (Secure HTTP) encrypts only a single message, not the whole session, and is essentially unused today.

SSH: Secure Shell is an application and protocol used to log in to another computer remotely through a secure tunnel. Once the connection is established and the session key has been exchanged, all communication between the two ends is encrypted over the channel.

IPsec: Suite of protocols (AH, ESP, and IKE for key exchange) that establishes a secure channel between two devices at the network layer, so any application traffic between them is protected.