Security Operations

Question 1

Planning

Answer 1

security should be consider prior to development

Question 2

Provisioning

Answer 2

prep for deployment and instantiating user, system, or service
Security baseline and configuration management key principles

Question 3

Baseline configuration

Answer 3

need well-vetted hardened baseline configuration

Question 4

Building baseline configuration

Answer 4

don’t start from scratch
Determine reasonable starting point
establish consistent configuration across the majority of the systems
Reduce time to recover a deployed system

Question 5

Infrastructure as a Service (IAAS)
Platform as a Service (PAAS)
Software as a Service (SAAS)

Answer 5

Root access
Web Service
Gmail

Question 6

Cloud Server (Provisioning)

Answer 6

Vuln - weakness present in preconfigured image

Question 7

Types of Firewall

Answer 7

Packet Filter
Stateful
Proxy
Next Generation Firewalls (NGFW)

Question 8

Packet filtering firewall

Answer 8

examines each packet independently
No idea where packet came from
fast, not secure.
ACL on some devices

Question 9

Firewall: Stateful

Answer 9

Slower

Lookup table

Question 10

Proxy Firewall

Answer 10

2 TCP connection for each request, client & server

In between, inspect, process packets at all seven layers

Question 11

Firewall: Circuit Level

Answer 11

Operates at session layer
does not use application level proxy software
SOCKS - replaces network connection with socks call

Question 12

Firewall: Application Level

Answer 12

Proxy server software/Layer 7

Act as in between, moves packet from one network to another

Question 13

Firewall: Next Generation Firewall (NGFW)

Answer 13

packet inspection beyond ports/protocols

Question 14

Bastion Host

Answer 14

Host that is outside the firewall

Question 15

Firewall: Host-Based

Answer 15

e.g Windows Firewall/McAfee, etc…

Question 16

Intrusion Prevention Systems (IPS)

Answer 16

False positive on IPS cause outages
IDS - passive
IPS - active - think pen test so that why it will stop can cause outage

Question 17

Malware Detonating Devices (MDD)

Sandboxin

Answer 17

Isolate and try to see what would happen

Basically isolated denotation

Question 18

Sandboxing Capabilities

Answer 18

Malware checks to see if it is connected to internet before it detonates

Question 19

IDS

Answer 19

Sniff traffics/sniffer with rules
Passive - sent alert (Does not stop attack)
Active - stop attack (sending resets)

Question 20

IDS
True Positive
True Negative
False Positive
False Negative

Answer 20

True Positive - real attack
True Negative - normal traffic
False Positive - sets off alert and normal traffic
False Negative - does not set off alert and it is attack traffic

Question 21

Signature Matching

Answer 21

Detect pattern/detects on existing patterns

Will not detect on new patterns, polymorphic malware, or encrypted traffic

Question 22

Protocol Behavior

Answer 22

detects protocol, syn, syn-ack, ack

False positives on complex/non-standard protocols

Question 23

Honeypot

Answer 23

designed to be hacked into/public facing

Question 24

Security Information and Event Management (SIEM)

Answer 24

Devices to view logs for events that are triggered

Question 25

Audit Logs

Answer 25

Process: must be reviewed

Question 26

Audit Trails

Answer 26

Individual conducting Transactions Date Time Location(workstation)

Question 27

Preparing Incidents

Answer 27

Critical decisions must be made before it happens: pursue legal actions what actions are authorized to be taken Understand root cause or reimage/revert Allowed to attack attackers to persist gain intelligence templates needs to be built for data gathering

Question 28

Security Incidents: External Attacker

Answer 28

attacking back is a bad idea | IP is a pivot point so might not be the actual attacker IP

Question 29

Security Incidents: External Attacker Logs

Answer 29

Attackers will erase their tracks | Look for all systems that might have been connected to all offending IP addresses

Question 30

Security Incidents: Incident Handling

Answer 30

``` Preparation Detection (Identification) Response (Containment) Mitigation (Eradication) Reporting Recovery Remediation Lessons learned ```

Question 31

Security Incidents: Detection

Answer 31

Do not jump to conclusion Notify the correct people use help desk to track trouble tickets and problem Need primary handler

Question 32

SMART Guidelines

Answer 32

``` Specific Measurable Achievable Realistic Timely ```

Question 33

Security Incidents: Response

Answer 33

Incident handler should not make things worse Secure the area Make a forensic backup Pull system off the network

Question 34

Security Incidents: Mitigation

Answer 34

``` Fix system before putting it back online Determine cause & symptoms Improve defense Perform vuln analysis Analogy (Car accident): Response - EMT stability patient Mitigation - Doctor heal patient ```

Question 35

Security Incidents: Reporting

Answer 35

Occurs through all phases Need technical & Non-technical reporting Common mistake: focus on technical report only Reporting less formal during incident and more formal as it approaches being handled and recovered

Question 36

Security Incidents: Recovery

Answer 36

Do not restore compromised code validate system monitor: make sure the attacker does not come back in

Question 37

Security Incidents: Remediation

Answer 37

Occurs in phases Short term - change pw of affected users/patching affect systems Long term - reconfig systems to use dual factor auth improve org patching process

Question 38

Security Incidents: Lesson Learned

Answer 38

conduct lessons-learned meeting send recommendations to management (ask for money, resources, etc..) Conduct follow up meeting

Question 39

Forensic Investigation

Answer 39

Thorough and detailed analysis greater expectation that legal system could be involved presumes a violation might have been committed

Question 40

Incident Response

Answer 40

immediate limiting of averting operation impact

Question 41

Types of evidence

Answer 41

Direct - first hand witness Circumstantial - testimony from first hand witness of circumstances related to the legal matter Expert - opinion/interpretation from expert

Question 42

Hearsay

Answer 42

second hard, rather than direct Business records - 2nd hand Disk/memory are not treated as hearsay

Question 43

Chain of custody

Answer 43

integrity & authenticity Document time, location, & manner of collection specify individual responsible for control of evidence Employ tamper resistance/evidence storage Attestation Ensure chain of evidence control can be reviewed

Question 44

EDiscovery

Answer 44

All data gets handed over, NO EXCEPTION

Question 45

RAID 0

Answer 45

double of in size (stripe) - write on disk A, then disk B and so on and so on No redundancy

Question 46

RAID 1

Answer 46

Mirroring

Question 47

RAID 2

Answer 47

Needs 39 disk (32 disk for data, 7 for error recovery)

Question 48

RAID 3/4

Answer 48

RAID 3- byte level RAID 4- block level dedicated parity drive

Question 49

RAID 5

Answer 49

Block level Striping of data across disk Parity information striped across disk

Question 50

RAID 6

Answer 50

Like RAID 5, block level | Double the parity

Question 51

Electronic vaulting

Answer 51

batch processing | send data to remote server

Question 52

Remoting Journaling

Answer 52

transmitting data in real time to backup storage | think of SQL trans log

Question 53

Database Shadowing

Answer 53

same as remote journaling | storing duplicate data on multiple remote storage devices

Question 54

Disk duplexing

Answer 54

disk controller is duplicated

Question 55

Backup Concept: Full Backup

Answer 55

Full backup

Question 56

Backup Concept: Incremental Backup

Answer 56

backup files that have been created/modified since last backup Set archive bit to 0 Changes from the previous day need a lot of tape to restore

Question 57

Backup Concept: Differential Backup

Answer 57

backup files that have been created/modified since last backup does not set archive bit to 0 Only need last full backup and the differential tape Backup only changes from Sunday to the previous day, not day to day comparison

Question 58

Business Continuity Plan (BCP)

Answer 58

business remain viable even in the face of disaster | NIST SP800-34 REV1

Question 59

Continuity of Operations (COOP)

Answer 59

Subset of BCP | recover critical functions rapidly

Question 60

Disaster Recovery Plan (DRP)

Answer 60

detailed steps to restore critical information and systems | BRP long term, DRP short term

Question 61

Recovery Time Objective (RTO)

Answer 61

measure of when the system will be back online

Question 62

Work Recovery Time (WRT)

Answer 62

length of time after hardware/software restored to when normal operations are able to resume

Question 63

Maximum Tolerable Downtime

Answer 63

MTD = Recovery Time Objective (RTO) x Work Recovery Time (WRT)

Question 64

Recovery Point Objective

Answer 64

amount of data that be lost for a critical function

Question 65

Site Recovery Strategies

Answer 65

Self-Service - handle disruption within current facilities Reciprocal Agreement - agreement with another entity to help one another during disruption Alternate Sites: Hot, warm, cold, hybrid, mobile

Question 66

Alternate Sites

Answer 66

Hot - fully equipped and staffed Warm - pre-equip but not ready to go Cold - empty facility Hybrid - combination of hot/cold/warm - Hot/Cold - Immediate failover/long-term disaster use cold site Mobile- think of office on wheels Multiple processing site - mirror location, different locations - think mirror

Question 67

Read-Through, checklist, consistency testing

Answer 67

reviewing plan to ensure all areas are covered

Question 68

Structural Walk through

Answer 68

step through plans looking for errors or false assumptions

Question 69

Simulation/Tabletop

Answer 69

test with mock up scenarios

Question 70

Parallel

Answer 70

recover to alternate site while main site is running

Question 71

Full Interruption

Answer 71

full fail over to alternate site

Question 72

Training (BCP)

Answer 72

how to operate alternate site how to start emergency power how to perform a restorative backup

Question 73

Physical security & safety

Answer 73

``` Safety #1 In event of disaster Personnel safety Authorized access Equipment protection Information protection Availability ```