Cyber Ch 7

¡Supera tus tareas y exámenes ahora con Quizwiz!

Types of logs

-Event logs -Access logs -Security logs -Audit logs

Testing activites

-Reconnaissance: involves reviewing the system to learn as much as possible about the organization, its systems and networks -Network mapping: uses tools to determine the layout and services running on the organizations systems and networks -Vulnerability testing: finding all the weaknesses in a system and determining which places may be attack points -Penetration testing: try to exploit a weakness in the system and prove that an attacker could successfully penetrate it -Mitigation activities: any actions intended to reduce or address vulnerabilities found in either penetration tests or vulnerability tests.

Methods of detecting anomalies

-Statistical-based methods: develop baselines of normal traffic and network activity -Traffic-based methods: signal an alert when they identify any unacceptable deviation from expected behavior based on traffic -Protocol patterns: look for deviations from protocols

Two most common risks to security systems

-attackers who come in from outside, with unauthorized access, malicious code, Trojans, and malware -sensitive information leaking from inside the organization to unauthorized people who can damage your organization

Security Monitoring Tools

-baselines -alarms, alerts, and trends -closed-circuit TV -systems that spot irregular behavior

Potential impact of testing activities

-be aware of the potential for harm -be aware of the time of day and day of the week

Audit Report Parts

-findings -recommendations -timeline for implementation -level of risk -management response -follow up

Audit Data Collection Methods

-questionnaires -interviews -observation -checklists -reviewing documentation -reviewing configurations -reviewing policy -performing security testing

Monitoring issues

-spatial distribution: attacks are difficult to catch with logs if they come from a variety of attackers across a wide area -switched networks: it can be harder to capture traffic on networks that are very segmented through the use of switches and virtual LANs -encryption: encrypting data makes logging more difficult

Auditor planning and execution phases

-survey the site(s) -review documentation -review risk analysis output -review server and application logs -review incident logs -review results of penetration tests

Black-box testing

A method of security testing that isn't based directly on knowledge of a program's architecture.

Hardening

A process of changing hardware and software configurations to make computers and devices as secure as possible

Prudent

A reasonable list of things is permitted; all other prohibited. This permission level is suitable for most businesses

Operating system fingerprinting

A reconnaissance technique that enables an attacker to use port mapping to learn which operating system and version is running on a computer

COBIT (Control Objectives for Information and related Technology)

A set of best practices for IT management. Gives managers, auditors and IT users a set of generally accepted measures, indicators, processes and best practices

ITIL (Information Technology Infrastructure Library)

A set of concepts and policies for managing IT infrastructure, development, and operations.

Stateful matching

A technique of matching network traffic with rules or signatures based on the appearance of the traffic and its relationship to other packets.

Zone transfer

A unique query of a DNS server that asks it for the contents of its zone.

Clipping level

A value used in security monitoring that tells the security operations personnel to ignore activity that falls below a stated value

Application logging

All applications that access or modify sensitive data should have logs that record who used or changed the data and when

Covert act

An act carried out in secrecy.

Overt act

An act carried out in the open or easily viewed by others

Anomaly-based IDS

An intrusion detection system that compares current activity with stored profiles of normal (expected) activity.

Pattern (or signature) based IDS

An intrusion detection system that uses pattern matching and stateful matching to compare current traffic with activity patterns (signatures) of known network intruders

ISO 27002

An update to the ISO 17799 standard ISO 17799: An international security standard that documents a comprehensive set of controls that represent information systems best practices

Real-time monitoring

Analysis of activity as it is happening.

Permissive

Anything not specifically prohibited is ok. This permission level is suitable for most public Internet sites, some schools and libraries, and many training centers

Audit checks whether controls are:

Appropriate - Is the level of security control suitable for the risk it addresses? Installed correctly - Is the security control in the right place and working well? Addressing their purpose - Is the security control effective in addressing the risk it was designed to address?

Secure

Ensure that new, and existing, controls work together to protect the intended level of security

Promiscuous

Everything is allowed. This permission level is used by many home users but makes it easier for attackers to succeed

Host IDS

Excellent for noticing activity in a computer as the activity is happening

NIST Cybersecurity Framework (CSF)

Focuses on critical infrastructure components but is applicable to many general systems. The road map provides a structured method to securing systems that can help auditors align business drivers and security requirements

Improve

Include proposals to improve the security program and controls in the audit results. This step applies to the recommended changes as accepted by management

False negative

Incorrectly identifying abnormal activity as normal.

False positive

Incorrectly identifying normal activity as abnormal.

SOC 1

Internal controls over financial reporting Users and auditors

Security Controls

Monitor, Audit, Improve, Secure

Intrusion detection system (IDS)

Network security appliances typically installed with the LAN-to-WAN domain at the internet ingress/egress point to monitor and block unwanted IP traffic

Permission Levels

Promiscuous, Permissive, Prudent, Paranoid

Monitor

Review and measure all controls to capture actions and changes on the system

Audit

Review the logs and overall environment to provide independent analysis of how well the security policy and controls work

SOC 2

Security (confidentiality, integrity, availability) and privacy controls Management, regulators, stakeholders

SOC 3

Security (confidentiality, integrity, availability) and privacy controls Public

White-box testing

Security testing that is based on knowledge of the application's design and source code.

Gray-box testing

Security testing that is based on limited knowledge of an application's design.

Security Information and Event Management (SIEM) system

Software and devices that assist in collecting, storing, and analyzing the contents of log files

System integrity monitoring

Systems such as Tripwire enable you to watch computer systems for unauthorized changes and report them to administrators in near real time

Hardened configuration

The state of a computer or device in which you have turned off or disabled unnecessary services and protected the ones that are still running.

System logging

This type of logging provides records of who accessed the system and what actions they performed on the system

Data loss prevention (DLP)

Use business rules to classify sensitive information to prevent unauthorized end users from sharing it.

Network mapping

Using tools to determine the layout and services running on an organization's systems and networks.

Paranoid

Very few things are permitted; all others are prohibited and carefully monitored. This permission level is suitable for secure facilities

COSO (Committee of Sponsoring Organizations)

Volunteer run organization that gives guidance to executive management and governance entities on critical aspects of organizational governance, business ethics, internal control, enterprise risk management, risk management, fraud and financial reporting


Conjuntos de estudio relacionados

Science 805 lifepac test study guide

View Set

SmartBook Ch 16.3 - 16.5 Special Senses

View Set

Critical Care of Patients With Acute Coronary Syndromes (1)

View Set

chapter 15- personal finical planning

View Set

Chapter 23: Integumentary Problems

View Set

Chapter 8- Articulations Quiz Q's

View Set

Mod 3 Week 10 Quiz Review (Bible)

View Set