Info Security Chapter 7
The most common activities: -Reconnaissance -Network mapping -Vulnerability testing -Pen testing -Mitigation testing
A Testing Road Map - pg. 256; Security testing might take several paths - pg. 257
Benchmark
A ______ is a standard used to measure how effective your system is as it relates to industry expectations.
Security Information and Event Management (SIEM)
A common platform for capturing and analyzing log entries is ____________.
False
A hardened configuration is a system that has had unnecessary services enabled.
Addressing their purpose
An audit examines whether security controls are appropriate, installed correctly, and ____________.
Common methods of detecting anomalies include: -Statistical-based methods -Traffic-based methods -Protocol patterns
Analysis Methods - pg. 250
An intrusion detection system that compares current activity with stored profiles of normal (expected) activity.
Anomaly-based IDS pg. 250
-Audits are large in scope -High-level security policy audit -You must also audit all of your organization's firewalls, routers, gateways, wireless access points, and other network devices to ensure they function as intended and that their configurations comply with your security policy.
Areas of Security Audits - pg. 234
Check to see if all personnel are following policies, procedures, and standards: -Password standard -Password procedure -Password policies. You should develop a separate access control policy that says: "Authorized users should be able to do only that which they are authorized to do. Unauthorized users should be prohibited from doing anything."
Areas of Security Audits - pg. 240
There are many ways to collect data, including: -Questionnaires -Interviews -Observation -Checklists -Reviewing documentation -Reviewing configuration -Reviewing policy -Performing security testing (vulnerability testing and pen testing)
Audit Data-Collection Methods - pg. 240
-Audit a computer system -Manual tests -Automated tests
Audit a computer system - pg. 230
See benchmark. -ISO 27002 -NIST SP 800 -ITIL -ISACA audit guidelines: -COBIT -COSO
Auditing Benchmarks - pg. 238
The standard by which your computer or device is compared to determine if it's securely configured.
Benchmark pg. 238
A method of security testing that isn't based directly on knowledge of a program's architecture.
Black-box testing pg. 262
A value used in security monitoring that tells controls to ignore activity that falls below a stated value.
Clipping level pg. 245
A NIDS outside the network gives some idea of the types of attacks faced by the firewall. The internal NIDS detects the types of attacks that may get by the firewall.
Control Checks: Intrusion Detection - pg. 252 Using NIDS to monitor outside attacks
When auditing an identity-management system, you should focus on these key areas: -Approval process -Authentication mechanisms -Password policy and enforcement -Monitoring -Remote access systems
Control checks and Identity Management - pg. 241
The potential impact of testing: -Be aware of the potential harm -Be aware of the time of day and the day of the week
Covert Vs. Overt Testers - pg. 261
An act carried out in secrecy.
Covert act pg. 261, 243
SAS 70 was issued in 1993: Type I audit, Type II audit. SAS 70 was retired in June 2011. Since 2011, SSAE 16 is the predominant auditing standard.
Customer Confidence - pg. 235
An auditor must identify the personnel, both from his or her own team and from the organization being audited, who will participate in the audit.
Defining Your Audit Plan - pg. 237
Planning and execution phases: -Survey the site -Review documentation -Review risk analysis output -Review host logs -Review incident logs -Review results of penetration test
Defining the Scope of the Plan - pg. 237
-Acceptable -Unacceptable
Determine what is acceptable - pg. 233
Identify vulnerabilities and rank them according to how critical they are to your system. Next, document a point-in-time (snapshot) test for comparison to other time periods.
Establishing Testing Goals - pg. 257
Incorrectly identifying abnormal activity as normal.
False Negative pg. 245
Incorrectly identifying normal activity as abnormal.
False Positive pg. 245
Most audit reports contain at least three broad sections: -Findings -Recommendations -Timeline for implementation -Level of risk -Management response -Follow-up
Generation of Audit Report- pg. 242
Security testing that is based on limited knowledge of an application's design.
Gray-box testing pg. 262
HIDS systems generally have the following qualities:
HIDS - pg. 251
The state of a computer or device in which you have turned off or disabled unnecessary services and protected the ones that are still running.
Hardening configuration pg. 253
Some servers, or hosts, must be open to the Internet. A simple solution is to isolate the hosts connected to the Internet from the rest of your network. Host isolation isolates one or more host computers from your internal networks and creates a demilitarized zone (DMZ).
Host Isolation - pg. 252 Host isolation and the DMZ.
DMZ
Host isolation is the isolation of internal networks and the establishment of a(n)
Controls that monitor activity include intrusion detection systems (IDSs), intrusion prevention systems (IPSs), and firewalls. (NIDS) (HIDS)
How to Verify Security Controls - pg. 248 (IDS)
Signature-based
In _____ methods, the IDS compares current traffic with activity patterns consistent with those of a known network intrusion via pattern matching and stateful matching.
The router detects and filters out some traffic, and the firewall detects and stops unwanted traffic.
Layered Defense: Network Access Control
Log files can help provide evidence of normal and abnormal system activity. You should store log files in a central location to protect them and keep them handy for thorough analysis. If a log file fills up, you're faced with three bad choices: -Stop logging -Overwrite the oldest entries -Stop processing
Log Management - pg. 246 Keeping Log Files
Type I: false positives (false alarms). Type II: false negatives (failure to catch suspicious behavior). Clipping levels.
Logging Anomalies - pg. 245
Any activities designed to reduce the severity of a vulnerability or remove it altogether.
Mitigation activities pg. 256
An IPS goes a step beyond an IDS by actively blocking malicious traffic. An IDS alerts you to potential unauthorized activity; an IPS blocks it. Before you can use your IPS or IDS, you create a baseline.
Monitoring - pg. 255
Although there are many risks associated with information security, two of the major risks are as follows:
Monitoring and Testing Security Systems - pg. 255
Monitoring issues that scare off some organizations from aggressive monitoring/logging: -Spatial distribution -Switched networks -Encryption -Data Link Layer encryption (wireless WEP and WPA) -Network Layer encryption (IPSec and some other tunneling protocols) -Application Layer encryption (SSL, SSH, and others)
Monitoring/Logging Issues pg. 245
Using tools to determine the layout and services running on an organization's systems and networks.
Network mapping pg. 260 pg. 256
A software program that allows an attacker to send logon packets to an IP host device.
Operating system fingerprinting pg. 260
An act carried out in the open.
Overt act pg. 261, 243
An intrusion detection system that uses pattern matching and stateful matching to compare current traffic with activity patterns (signatures) of known network intruders.
Pattern-(signature) based IDS pg. 250
A testing method that tries to exploit a weakness in the system to prove that an attacker could successfully penetrate it.
Penetration testing pg. 256
The most common permission levels are as follows: -Promiscuous -Permissive -Prudent -Paranoid
Permission Levels - pg. 233-234
Auditor tasks include exit interviews, data analysis, generation of the audit report, and a presentation of findings to management.
Post-Audit Activities - pg. 242 Exit Interview Data Analysis
all of the above
Post-audit activities include which of the following? a) presenting findings to management b) data analysis c) exit interviews d) review of the auditor's findings
Depending on your organization's structure and size, the findings presentation could be a formal meeting or it could be simply delivering the report to a single person.
Presentation of Findings - pg. 243
An audit checks whether controls are: -Appropriate -Installed correctly -Addressing their purpose. Audit report: -Recommends improvements or changes to the organization's processes, infrastructure, or other controls -Necessary because of potential liability, negligence, and mandatory regulation compliance -Can expose problems and provide assurance of compliance -Can find that an organization lacks sufficiently trained and skilled staff. Laws and regulations: -SOX -HIPAA -PCI DSS -PIPEDA -New regulations make management personally responsible for fraud or mismanagement of corporate assets
Purpose of Audits - pg. 234-235
Analysis of activity as it is happening.
Real-time monitoring pg. 244
The process of gathering information.
Reconnaissance pg. 256, 257
Social engineering, Whois service, zone transfer
Reconnaissance Methods - pg. 257; WHOIS search results - pg. 258
When you review your system, you should check the following: -Are security policies sound and appropriate for the business or activity? -Are there controls supporting your policies? -Is there effective implementation and upkeep of controls?
Security Auditing and Analysis - pg. 231
The security review cycle includes the following activities: -Monitor -Audit -Improve -Secure
Security Controls Address Risk - pg. 232
Software and devices that assist in collecting, sorting, and analyzing the contents of log files.
Security Information and Event Management (SIEM) system pg. 247
-Overt acts -Covert acts. Techniques for monitoring: -Baselines -Alarms -Closed-circuit TV -Systems that spot irregular behavior
Security Monitoring - pg. 243 -244
Real-time monitoring: -Host IDS -System integrity monitoring. Non-real-time monitoring: -Application logging -System logging. Partial list of activities that you need to log: -Host-based activity -Network and network devices
Security Monitoring for Computer Systems - pg. 244
Before you start the testing process, consider these points: -Choose the right tools -Tools make mistakes -Protect your system -Tests should be as real as possible
Security Testing Tips and Techniques - pg. 262
True
Some of the tools and techniques used in security monitoring include baselines, alarms, closed-circuit TV, and honeypots.
A technique of matching network traffic with rules or signatures based on the appearance of the traffic and its relationship to other packets.
Stateful matching pg. 250
SOC 1 SOC 2 SOC 3
Table 7-1 Service Organization Control (SOC) reports - pg. 236
see above
Table 7-1 Security review cycle - pg. 232
-Antivirus software -System access policies -Intrusion detection and event monitoring -Systems hardening controls -Cryptographic controls -Contingency planning -Hardware and software maintenance -Physical security -Access control -Change control process for configuration management -Media Protection
Table 7-2 Areas that you should include in an audit plan. - pg. 241
The audit domains: 1. Remote Access 2. WAN 3. LAN-to-WAN 4. Workstation and Users 5. LAN 6. Intranet Services 7. System and Major Applications
Table 7-2 Audit scope and the seven domains of the IT infrastructure. - pg. 238
Volatility (rate of change). Common test-schedule trigger points are:
Testing - pg. 255
Black box, white box, gray box
Testing Methods - pg. 262
Reconnaissance
The review of the system to learn as much as possible about the organization, its systems, and network is known as ______.
You should record all suspicious activity, errors, unauthorized access attempts, and access to sensitive information. See SIEM.
Types of Log Information to Capture - pg. 247
Can come from firewall, router, switch, NIDS device, web host. System components: -Antivirus -Web service logs -Host IDS logs -Low-level OS logs
Types of log information - pg. 247 Figure 7-3
A process of finding the weaknesses in a system and determining which places may be attack points.
Vulnerability testing pg. 256
True
When you use a control that costs more than the risk involved, you're making a poor management decision.
all of the above
Which of the following is an example of a level of permissiveness? a) prudent b) permissive c) promiscuous d) paranoid
Security testing that is based on knowledge of the application's design and source code.
White-box testing pg. 262
A unique query of a DNS server that asks it for the contents of its zone.
Zone transfer pg. 258
Non-real-time monitoring
_____ is used when it's not as critical to detect and respond to incidents immediately.