ISM 4323
What are the common locations of log files on Unix-based systems? What is the syslog service? What are syslog selectors? What are the parts of a syslog selector?
Most logs live under /var/log, e.g. /var/log/messages (general system log), /var/log/secure or /var/log/auth.log (authentication), /var/log/maillog, and the binary /var/log/wtmp. syslog is the standard UNIX logging service: programs hand messages to the syslog daemon, which routes them (to a file, a remote host, a console) according to rules in syslog.conf. A selector is the left-hand part of a syslog.conf rule; it chooses which messages the rule's action applies to. A selector has two parts, facility.priority: the facility is the source of the message (auth, authpriv, kern, mail, cron, daemon, local0-7, * for all) and the priority (severity) is one of debug, info, notice, warning, err, crit, alert, emerg. A selector matches the named priority and every more severe one, so kern.crit also catches kern.alert and kern.emerg; "none" excludes a facility.
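An added example, not from the course notes: a small Python model of how syslog selectors route messages, so the "a priority matches itself and everything more severe" rule can be tried against a constructed syslog.conf fragment. The config lines and the host name loghost.example.com are constructed; the left-to-right handling of a later mail.none overriding an earlier *.info follows rsyslog's behaviour.

```python
"""Model of syslog.conf selector matching (added example, not course material).
A rule is SELECTOR[;SELECTOR...] ACTION; a selector is FACILITY.PRIORITY."""

# Priorities from least to most severe
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
LEVEL = {name: i for i, name in enumerate(PRIORITIES)}


def parse_rule(line):
    """One syslog.conf line -> ([(facility, priority), ...], action), or None for
    blank/comment lines. Several selectors may be joined with ';'."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    selector_part, action = line.split(None, 1)   # whitespace separates selector and action
    selectors = []
    for sel in selector_part.split(";"):
        facility, priority = sel.split(".", 1)
        selectors.append((facility, priority))
    return selectors, action.strip()


def selector_matches(selectors, facility, priority):
    """True if a rule's selector list applies to a (facility, priority) message.
    Components are evaluated left to right, so 'mail.none' after '*.info'
    removes mail messages that the wildcard had just included."""
    matched = False
    for sel_fac, sel_pri in selectors:
        if sel_fac != "*" and sel_fac != facility:
            continue
        if sel_pri == "none":
            matched = False                                  # explicit exclusion
        elif sel_pri == "*" or LEVEL[priority] >= LEVEL[sel_pri]:
            matched = True                                   # this priority and anything more severe
    return matched


def route(config, facility, priority):
    """All actions (files, hosts, '*' for all users) a message would be sent to."""
    actions = []
    for line in config.splitlines():
        parsed = parse_rule(line)
        if parsed and selector_matches(parsed[0], facility, priority):
            actions.append(parsed[1])
    return actions


# Constructed fragment modelled on a traditional Linux default
SAMPLE_CONF = """
# info and above from everything, except mail and private auth data
*.info;mail.none;authpriv.none   /var/log/messages
authpriv.*                       /var/log/secure
mail.*                           -/var/log/maillog
*.emerg                          *
kern.crit                        @loghost.example.com
"""

if __name__ == "__main__":
    for fac, pri in [("authpriv", "info"), ("kern", "debug"), ("kern", "alert"), ("mail", "err")]:
        print(f"{fac}.{pri:<7} -> {route(SAMPLE_CONF, fac, pri)}")
```

Note that kern.debug reaches nothing (below info) while kern.alert goes both to the local messages file and to the remote loghost, which is the property a security engineer relies on: the selector is a threshold, not an exact match.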
What is a credential? What are the 3 categories of credentials?
Credentials are the piece (or pieces) of information used to verify a user's claimed identity. The three categories are something you know (a password or PIN), something you have (a hardware token, smart card or phone) and something you are (a biometric such as a fingerprint). Combining credentials from two different categories is multi-factor authentication.
Chapter-9 What are firewalls? Write an example firewall rule and describe what the rule does.
A firewall is a form of protection that allows one network to connect to another while maintaining some amount of protection. Firewalls restrict entry to and exit from a network to carefully specified points, limit incoming traffic to specific applications, and block outgoing traffic from suspected compromised hosts. Example rule (iptables syntax): iptables -A INPUT -p tcp -s 10.0.0.0/8 --dport 22 -j ACCEPT. This appends to the INPUT chain a rule that accepts inbound TCP packets destined for port 22 (SSH) only when the source address is in 10.0.0.0/8, the internal network; SSH attempts from anywhere else fall through to the later rules and, under a default-deny policy (iptables -P INPUT DROP), are dropped.
What is an information security policy? What is a standard? How are standards different from policies? How are the two similar?
An information security policy is a high-level statement of management's intent: what the organization wants to protect and what behaviour it requires, without saying how. A standard is a lower-level prescription of the specific ways the company will enforce a given policy (required configurations, technologies, procedures). Standards differ from policies in that they focus on how to get where the policy says the organization should go. The two are similar in that they depend on each other: the policy states the "what", the standard states the "how to do it", and a standard with no policy behind it has no authority.
Briefly describe the Morris Worm and the Gang of 414's and their impact on information security
The Morris Worm (1988) was a 99-line program that its author said was designed to gauge the size of the Internet. A bug in its propagation logic caused it to reinfect hosts repeatedly, crashing roughly 10% of the entire Internet, and it led to the first felony conviction under the Computer Fraud and Abuse Act of 1986. The 414s (1983) were six teenagers from Milwaukee who broke into high-profile computer systems for the thrill of it. Their case brought the term "hacker" into popular use and was one of the events that led to the Computer Fraud and Abuse Act of 1986.
What are viruses and worms? What is the primary difference between them?
A computer virus is a type of malware that propagates by inserting a copy of itself into and becoming part of another program. Computer worms are similar to viruses in that they replicate functional copies of themselves and can cause the same type of damage. In contrast to viruses, which require the spreading of an infected host file, worms are standalone software and do not require a host program or human help to propagate
What is asset criticality? What are the different classes of criticality commonly used to characterize assets?
A measure of the importance of an asset to the immediate survival of an organization. Essential, required and deferrable.
Chapter-14 What is risk? What is risk management? What is IT risk management and how is it related to an organization's overall risk management?
A risk is a measure of the potential damage caused by a specific threat, usually expressed as the likelihood of the threat materializing combined with its impact. Risk management is the process of identifying, assessing and responding to risks so that their impact stays within what the organization is willing to accept. IT risk management is managing the risks that arise from the organization's use of information systems; it is one input to the organization's overall (enterprise) risk management, which also covers financial, legal and operational risks. The four components of IT risk management in the NIST 800-39 framework are: risk framing (the context and assumptions for risk decisions); risk assessment; risk response (once risks are assessed); and ongoing risk monitoring (based on experience gained from the response activities).
Describe secret key cryptography, public key cryptography, digital signatures, and hash functions.
A secret key (symmetric) algorithm is a cryptographic algorithm that uses the same key to encrypt and decrypt data, so the key must be shared between the parties in advance. Public key cryptography is any cryptographic system that uses pairs of keys: public keys, which may be disseminated widely, and private keys, which are known only to the owner. A digital signature is a mathematical scheme for demonstrating the authenticity and integrity of digital messages or documents: the signer applies the private key to a hash of the message, and anyone with the public key can verify it. A hash function accepts a variable-size message M as input and produces a fixed-size hash code H(M), called the message digest, as output; it is one-way and collision-resistant, which is why signatures are computed over H(M) rather than M.
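An added example, not from the course notes: the four primitives side by side using only the Python standard library. The RSA numbers (p=61, q=53) are textbook toy values chosen so the arithmetic is visible; they are not secure, and real code must use a vetted library with 2048-bit or larger keys and proper padding. The message and the shared key are constructed.

```python
"""Hash, secret-key (HMAC), public-key pair and digital signature in one place
(added example, not course material; toy RSA parameters, NOT secure)."""
import hashlib
import hmac


# --- Hash function: variable-size input -> fixed-size, one-way digest ---------
def digest(data: bytes) -> str:
    """SHA-256 of the input as 64 hex characters, whatever the input length."""
    return hashlib.sha256(data).hexdigest()


# --- Secret-key construction: the SAME key creates and checks the tag ---------
def mac(key: bytes, msg: bytes) -> str:
    """HMAC-SHA256 tag; anyone holding `key` can both produce and verify it,
    so it gives integrity and authenticity but not non-repudiation."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def mac_verify(key: bytes, msg: bytes, tag: str) -> bool:
    return hmac.compare_digest(mac(key, msg), tag)   # constant-time comparison


# --- Public-key pair and digital signature (textbook RSA, toy size) -----------
P, Q = 61, 53                 # toy primes (assumption: real keys use ~1024-bit primes)
N = P * Q                     # 3233: public modulus
PHI = (P - 1) * (Q - 1)       # 3120
E = 17                        # public exponent, coprime with PHI
D = pow(E, -1, PHI)           # 2753: private exponent, E*D == 1 (mod PHI)


def _hash_mod_n(msg: bytes) -> int:
    """Sign the hash, not the message. Reduced mod N only because N is tiny here."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(msg: bytes) -> int:
    """Signer applies the PRIVATE key: s = H(m)^D mod N."""
    return pow(_hash_mod_n(msg), D, N)


def verify(msg: bytes, sig: int) -> bool:
    """Anyone with the PUBLIC key (E, N) checks s^E mod N == H(m)."""
    return pow(sig, E, N) == _hash_mod_n(msg)


if __name__ == "__main__":
    m = b"transfer 100 to alice"                 # constructed message
    s = sign(m)
    print("digest:", digest(m))
    print("signature:", s, "valid:", verify(m, s))
    print("forged signature valid:", verify(m, (s + 1) % N))    # only D can produce a valid s
    k = b"shared-secret"                          # constructed symmetric key
    print("mac ok:", mac_verify(k, m, mac(k, m)), "wrong key ok:", mac_verify(b"other", m, mac(k, m)))
```

The contrast to notice: mac_verify needs the same secret the sender used, so a receiver could have forged the tag; verify needs only (E, N), so a valid signature proves possession of D, which is what gives a signature its non-repudiation property.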
Chapter-10 What is shell scripting and what is it used for? What is the important difference between scripting languages and other computer languages?
A shell script is a program designed to be run by the UNIX shell (the command interpreter). Shell scripting is used to automate common administrator tasks, to audit the security of a system and to implement many controls; scripts run throughout a UNIX system, for example starting network services at boot and configuring the user's shell environment at login. The important difference from compiled languages is that a script does not have to be converted into a binary before it runs: an interpreter reads and executes the source directly at run time, which makes scripts quick to write and change but slower to execute.
Briefly describe the terms Access Control and User Management and their role in information security
Access control is the act of limiting access to information system resources to authorized users, programs, processes or other systems. Weak access controls can compromise the confidentiality of a system, allowing outsiders to gain access to private information or resources. User management refers to defining the rights of organizational members to information in the organization. Poor user management compromises the integrity of a system, giving users access to material that they should not have the privilege of accessing.
What is asset characterization? What is asset sensitivity? What are the different classes of sensitivity commonly used to characterize assets?
Asset characterization is classifying assets by how critical and how sensitive they are, so that protection resources can be directed to the assets that matter most. Asset sensitivity describes how much damage a breach of confidentiality or a violation of integrity of an asset would cause to the organization. The commonly used classes are restricted and unrestricted.
What is block encryption? What is cipher-block chaining?
Block encryption is the process of converting a fixed-size block of plaintext (for example 128 bits for AES) into a ciphertext block of the same size under a key; a longer message is split into blocks, which offers a good combination of performance and security. Cipher-block chaining (CBC) is a mode of operation that links the blocks together: each plaintext block is XORed with the previous ciphertext block before it is encrypted, and the first block is XORed with a random initialization vector (IV). As a result, identical plaintext blocks produce different ciphertext blocks and each ciphertext block depends on all the plaintext that came before it, unlike the simpler electronic codebook (ECB) mode, where repeated blocks are visible in the ciphertext.
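An added example, not from the course notes: CBC mode implemented over a toy 8-byte block function so the chaining is visible. The "block cipher" here (XOR with the key, then rotate) stands in for E_k and is not secure; the key, IV and plaintext are constructed. ECB is included only for contrast.

```python
"""CBC vs ECB over a toy block cipher (added example, not course material)."""

BLOCK = 8   # block size in bytes (assumption for the toy cipher; AES uses 16)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_k(block): XOR with the key, then rotate the bytes left by one."""
    x = xor(block, key)
    return x[1:] + x[:1]


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of toy_block_encrypt: rotate right, then XOR with the key."""
    x = block[-1:] + block[:-1]
    return xor(x, key)


def pad(data: bytes) -> bytes:
    """PKCS#7: always add 1..BLOCK bytes, each equal to the pad length."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    return data[:-data[-1]]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Electronic codebook, for contrast: blocks are encrypted independently,
    so two identical plaintext blocks give two identical ciphertext blocks."""
    p = pad(plaintext)
    return b"".join(toy_block_encrypt(key, p[i:i + BLOCK]) for i in range(0, len(p), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """C_i = E_k(P_i XOR C_{i-1}) with C_0 = IV. Every ciphertext block depends
    on all earlier plaintext, and equal plaintext blocks no longer repeat."""
    prev, out = iv, []
    p = pad(plaintext)
    for i in range(0, len(p), BLOCK):
        c = toy_block_encrypt(key, xor(p[i:i + BLOCK], prev))
        out.append(c)
        prev = c
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """P_i = D_k(C_i) XOR C_{i-1}. Consequence: flipping a bit in C_i garbles
    P_i completely and flips the same bit in P_{i+1}; CBC is malleable, which is
    why CBC ciphertext must also be authenticated (MAC)."""
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(xor(toy_block_decrypt(key, c), prev))
        prev = c
    return unpad(b"".join(out))


if __name__ == "__main__":
    key, iv = bytes(range(8)), b"\x01" * 8        # constructed; a real IV is random per message
    pt = b"ATTACKATATTACKAT"                       # two identical 8-byte blocks
    e, c = ecb_encrypt(key, pt), cbc_encrypt(key, iv, pt)
    print("ECB blocks equal:", e[:8] == e[8:16])    # True: the repetition leaks
    print("CBC blocks equal:", c[:8] == c[8:16])    # False
    print("roundtrip ok:", cbc_decrypt(key, iv, c) == pt)
```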
Chapter-6 What is a threat? Describe a threat model.
Capabilities, intentions, and attack methods of adversaries to exploit or cause harm to assets. The interactions between relevant agents, actions, and assets constitute the threat model.
Chapter-13 What is compliance? List at least 2 of the laws with implications for information security professionals. What is the difference between compliance and security?
Compliance is following the specifications put forth by policies, regulations or legal requirements. My employer has to comply with the HIPAA, GLBA and SOX federal laws. Compliance requirements are prescribed controls that are standard for every organization within a field; security, on the other hand, is finely tuned to a specific organization, what it does to protect its data and how it responds to threats. An organization can be compliant and still insecure, and vice versa.
What is incident response policy? What is a disaster? What is disaster recovery? What is business impact analysis?
An incident response policy describes the standard methods the organization uses for handling information security incidents. A disaster is a calamitous event that causes great destruction, whether natural or man-made. Disaster recovery is the process adopted by the IT organization to bring systems back up and running after such an event. Business impact analysis is the identification of the services and products that are critical to the organization, and of how long it can tolerate losing each of them.
What are environment variables? What are built-in variables? How are they different from environment variables? What should the value of $? be if the last command that was executed completed successfully?
Environment variables (such as PATH, HOME and USER) are set automatically when you log in or start a new terminal window and are inherited by every process the shell starts. Built-in (shell) variables are maintained by the shell itself and provide a wide array of small functions, from reporting the type of hardware the server is running on to returning the status of the last command issued; unlike environment variables they are not exported to child processes. If the last command completed successfully, $? is 0; any non-zero value indicates an error.
Deny all rule - all actions that are not explicitly allowed remain forbidden (the default-deny final rule of a firewall rule set).
What are deep packet inspection firewalls? What additional capabilities do they offer, compared to packet-filtering firewalls?
Deep packet inspection (DPI) firewalls examine the data carried by a packet, in addition to the protocol headers (addresses, ports, flags) that a packet filter looks at, to decide how to handle the packet. This lets the firewall compare payloads against a database of known malicious content and enforce rules on application-level behaviour, at the cost of more processing per packet and no visibility into encrypted payloads.
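An added example, not from the course notes, serving both the firewall question (chapter 9) and the DPI question above: a first-match packet filter with a default-deny policy, the way iptables or pf walk a rule list, plus one deep-packet-inspection rule that looks inside the payload. The rule set, the packets and the addresses (RFC 5737 documentation ranges) are constructed, and the field names are our own rather than a real firewall's.

```python
"""First-match packet filter with default deny and one DPI rule
(added example, not course material)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                                # "ACCEPT" or "DROP"
    proto: str = "any"                         # "tcp", "udp", "icmp" or "any"
    src: str = "0.0.0.0/0"                     # source network (CIDR)
    dst: str = "0.0.0.0/0"                     # destination network (CIDR)
    dport: Optional[int] = None                # destination port; None = any
    payload_contains: Optional[bytes] = None   # DPI: substring that must appear in the data
    comment: str = ""

    def matches(self, pkt: dict) -> bool:
        """Header fields are all a packet filter sees; payload_contains needs DPI."""
        if self.proto != "any" and self.proto != pkt["proto"]:
            return False
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        if self.payload_contains is not None and self.payload_contains not in pkt.get("payload", b""):
            return False
        return True


def filter_packet(rules, pkt, policy="DROP"):
    """The first matching rule decides. If none matches, the chain policy applies:
    default deny means everything not explicitly allowed is forbidden.
    Returns (action, index of the deciding rule, or None when the policy decided)."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return policy, None


def to_iptables(rule: Rule, chain: str = "INPUT") -> str:
    """Render a rule as the equivalent iptables command (DPI via the string match)."""
    parts = ["iptables", "-A", chain]
    if rule.proto != "any":
        parts += ["-p", rule.proto]
    if rule.src != "0.0.0.0/0":
        parts += ["-s", rule.src]
    if rule.dst != "0.0.0.0/0":
        parts += ["-d", rule.dst]
    if rule.dport is not None:
        parts += ["--dport", str(rule.dport)]
    if rule.payload_contains is not None:
        parts += ["-m", "string", "--algo", "bm", "--string", repr(rule.payload_contains.decode())]
    parts += ["-j", rule.action]
    return " ".join(parts)


# Constructed rule set; order matters because evaluation stops at the first match
RULES = [
    Rule("DROP", src="10.0.0.23/32", comment="suspected compromised host: block all its traffic"),
    Rule("DROP", proto="tcp", dport=80, payload_contains=b"../", comment="DPI: path traversal attempt"),
    Rule("ACCEPT", proto="tcp", src="10.0.0.0/8", dport=22, comment="SSH only from the internal network"),
    Rule("ACCEPT", proto="tcp", dport=80, comment="public HTTP"),
    Rule("ACCEPT", proto="tcp", dport=443, comment="public HTTPS"),
]

if __name__ == "__main__":
    for r in RULES:
        print(to_iptables(r), " #", r.comment)
    print("iptables -P INPUT DROP  # default deny")
    samples = [
        {"proto": "tcp", "src": "10.1.2.3", "dst": "192.0.2.10", "dport": 22},
        {"proto": "tcp", "src": "203.0.113.5", "dst": "192.0.2.10", "dport": 22},
        {"proto": "tcp", "src": "203.0.113.5", "dst": "192.0.2.10", "dport": 80,
         "payload": b"GET /../../etc/passwd HTTP/1.1"},
        {"proto": "udp", "src": "203.0.113.5", "dst": "192.0.2.10", "dport": 53},
    ]
    for pkt in samples:
        print(pkt["proto"], pkt["src"], "->", pkt.get("dport"), filter_packet(RULES, pkt))
```

Two things the walk-through shows: the external SSH attempt and the DNS packet are dropped by the policy, not by any rule, which is what "everything not explicitly allowed is forbidden" means in practice; and the traversal request to port 80 is dropped by rule 1 even though rule 3 would have accepted it on headers alone, which is exactly the extra capability DPI adds.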
What are IDS/ IPS? Briefly describe signature-based IDSs, anomaly-based IDSs, and protocol-state-based IDSs.
An IDS (intrusion detection system) monitors network traffic or host activity, detects suspicious events and raises alerts, but does not itself take action. An IPS (intrusion prevention system) sits inline and can take action, such as dropping packets or resetting connections, based on a set of user-defined rules. A signature-based IDS detects attacks by looking for specific known patterns, such as byte sequences in network traffic or known malicious instruction sequences used by malware; it is precise but only finds what is already in its signature database. An anomaly-based IDS uses the concept of a baseline of normal network behaviour, which is learned, specified by the network administrators, or both; any behaviour that falls outside the accepted model raises an event, so it can catch new attacks but also produces false positives when legitimate behaviour changes. A protocol-state-based IDS (also called stateful protocol analysis) understands the legitimate states and transitions of a protocol and monitors the dynamic state of each session; it typically consists of a system or agent that sits in front of a server, analyzing the communication between a connected device and the system it is protecting and flagging sequences that the protocol does not allow.
Chapter-8 What is Identity Management? Briefly describe the phases of the Identity Management model.
Identity management is the process of identifying individuals and collating all the data necessary to grant or revoke their privileges to resources. Its phases are: identity discovery, which locates new and updated identities throughout the organization (HR records, directories, application accounts); identity reconciliation, which compares the located identities against the authoritative record of all individuals in the organization and resolves duplicates and orphans; and identity enrichment, which collects information about each individual's relationships to the organization (role, department, manager) so that access decisions can be based on them.
What is information security? What is CIA-triad in information security context?
Information security is the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction in order to provide confidentiality, integrity and availability (the CIA triad). Confidentiality is preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information. Integrity is guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. Availability is ensuring timely and reliable access to and use of information.
Chapter-12 What is log analysis? What is the goal of log analysis?
Log analysis is the examination of the records (logs) that operating systems, services and applications write about their own activity and status, in order to turn that raw data into answers. The goal depends on the application: detecting intrusions or misuse, diagnosing failures, reconstructing what happened during an incident (forensics), and demonstrating compliance are the common ones.
Provide a brief overview of the NIST 800-39 risk management framework. Draw a figure showing the components of the framework, and the relationships of these components to each other.
NIST Special Publication 800-39, "Managing Information Security Risk", is NIST's recommended framework for managing information security risk. It was developed with input from the civil, defense and intelligence communities and provides the information security risk framework for the federal government. Its four components are risk framing, risk assessment, risk response and risk monitoring; framing establishes the context for the other three, assessment feeds response, and monitoring feeds back into both framing and assessment so the cycle repeats.
What is reactive monitoring? What is proactive testing? Provide some common reactive monitoring methods and some common proactive testing methods?
Reactive monitoring is the act of detecting and analyzing failures or attacks after they have occurred. Common methods are availability and health monitoring with tools such as Nagios, and log management tools that collect and analyze system logs so that administrators can retroactively trace and resolve an issue. Proactive testing is the act of testing a system for specific issues before they are exploited or cause failures. Common methods include vulnerability scanners, which search for a broad range of known weaknesses and misconfigurations, and hiring a professional security firm to perform a penetration test.
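An added example, not from the course notes, for the log analysis and reactive monitoring questions and for the signature-based versus anomaly-based IDS distinction: two detectors run over constructed sshd log lines in the standard syslog format. The signature detector matches known-bad patterns; the threshold detector flags a source that fails too often inside a time window, which is the simplest form of baseline-based detection. Host names and IP addresses are constructed (documentation ranges).

```python
"""Signature and threshold detection over sshd log lines
(added example, not course material; log lines are constructed)."""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """\
Jan 28 19:07:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Jan 28 19:07:03 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 51023 ssh2
Jan 28 19:07:04 web1 sshd[2104]: Failed password for root from 203.0.113.9 port 51024 ssh2
Jan 28 19:07:06 web1 sshd[2106]: Failed password for root from 203.0.113.9 port 51025 ssh2
Jan 28 19:07:09 web1 sshd[2108]: Accepted publickey for deploy from 10.0.0.5 port 40022 ssh2
Jan 28 19:07:10 web1 sshd[2110]: Failed password for root from 203.0.113.9 port 51026 ssh2
Jan 28 19:10:30 web1 sshd[2150]: Failed password for alice from 10.0.0.7 port 40100 ssh2
Jan 28 19:25:00 web1 sshd[2180]: Failed password for root from 203.0.113.9 port 51099 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")
ACCEPTED_RE = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port")


def parse_line(line):
    """One syslog line -> event dict, or None if it is not an sshd line.
    The syslog timestamp has no year; fine for deltas that do not cross a year boundary."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": m["ts"], "host": m["host"], "when": datetime.strptime(m["ts"], "%b %d %H:%M:%S")}
    f = FAILED_RE.search(m["msg"])
    if f:
        ev.update(kind="failed", user=f["user"], ip=f["ip"], invalid_user=bool(f["invalid"]))
        return ev
    a = ACCEPTED_RE.search(m["msg"])
    if a:
        ev.update(kind="accepted", user=a["user"], ip=a["ip"], method=a["method"])
        return ev
    ev.update(kind="other", user=None, ip=None)
    return ev


# Signature detection: each entry is a known-bad pattern with a name
SIGNATURES = {
    "invalid-user-probe": lambda ev: ev["kind"] == "failed" and ev["invalid_user"],
    "root-password-login": lambda ev: ev["kind"] == "accepted" and ev["user"] == "root" and ev["method"] == "password",
}


def signature_scan(log_text):
    """Every line that matches a signature -> (signature name, ip, user, timestamp)."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        for name, pred in SIGNATURES.items():
            if pred(ev):
                hits.append((name, ev["ip"], ev["user"], ev["ts"]))
    return hits


def threshold_scan(log_text, threshold=5, window_seconds=300):
    """Sliding-window anomaly rule: alert when one source reaches `threshold`
    failed logins within `window_seconds`. Alerts once, when the count is first
    reached; the numbers are the baseline you would tune per environment."""
    recent = defaultdict(deque)
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev["kind"] != "failed":
            continue
        q = recent[ev["ip"]]
        q.append(ev["when"])
        while (ev["when"] - q[0]).total_seconds() > window_seconds:
            q.popleft()                                    # drop failures outside the window
        if len(q) == threshold:
            alerts.append((ev["ip"], ev["ts"], threshold))
    return alerts


def failures_by_ip(log_text):
    counts = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["kind"] == "failed":
            counts[ev["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print("signature hits:", signature_scan(SAMPLE_LOG))
    print("threshold alerts:", threshold_scan(SAMPLE_LOG))
    print("failures by source:", failures_by_ip(SAMPLE_LOG))
```

Note what each detector misses: the signature scanner never flags the burst of root failures because "Failed password for root" is normal-looking on its own, and the threshold scanner stays quiet about alice's single typo and about the stray failure at 19:25, which falls outside the window. In a real deployment the two run together, with the counts fed by a log management tool rather than a string constant.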
Name at least one advantage and disadvantage to using:
Shared tokens: advantage - seamless collaboration; disadvantage - difficult to integrate external applications.
CAS: advantage - credentials are verified centrally by the CAS server; disadvantage - authentication takes longer.
Shibboleth: advantage - enables university employees to access information on other campuses; disadvantage - usually only worthwhile at large scale.
OpenID: advantage - an excellent solution for businesses and their employees; disadvantage - requires extensive planning and forethought.
Briefly describe the following in context of Information Security:
Single point of failure - a part of a network or system whose failure will stop the entire system from working.
Active Directory - a collection of technologies that provide centralized user management and access control across all computers that are "members" of the domain.
Domain Controller - a server that implements the Active Directory rules within a domain.
Group Policies - an infrastructure that allows you to implement specific configurations for users and computers.
Provide a brief overview of the OCTAVE methodology developed by the SEI. How is it related to the NIST 800-39 and ISO 27000 standards?
The OCTAVE Method was developed with large organizations in mind (300 employees or more). These organizations generally maintain their own IT infrastructure and have the capability to manage their own information security operation. OCTAVE uses a three-phased approach to examine organizational and technology issues, assembling a comprehensive picture of the organization's information security needs. OCTAVE stands for Operationally Critical Threat, Asset, Vulnerability Evaluation. The methodology corresponds to the risk assessment phase of the NIST 800-39 framework.
What is the first line of every BASH script? What happens when the script file does not have execute permissions for the user attempting to run the script?
The first line of every bash script is the "shebang" line #!/bin/bash, which tells the kernel which interpreter to run the file with. If the script file does not have execute permission for the user, running it as ./script.sh fails with 'Permission denied'; the user can either add the permission with chmod +x script.sh or bypass it by passing the file to the interpreter explicitly with bash script.sh.
What are Threat Agents? What are the different types of threat agents?
The individual, organization, or group that originates a particular threat action. External, internal, and partners
Chapter-4 Briefly describe the Information Security Model and define the components.
The information security model has four components. The first is assets: information or resources that need to be protected. Next are vulnerabilities: weaknesses in an information system that can compromise the system. A threat is an intention or attack method that would exploit a vulnerability to cause harm to an asset. Lastly, controls are safeguards that minimize the impact of threats by removing vulnerabilities or protecting assets.
How do HIPAA (the Health Insurance Portability and Accountability Act) and Sarbanes-Oxley act relate to information security?
HIPAA contains provisions that make organizations responsible for maintaining the confidentiality of patient records in the healthcare industry. Section 302 of Sarbanes-Oxley requires the CEO and CFO of a firm to sign a declaration of personal knowledge of all the information in its annual filings. Section 404 of the Act has had a major impact on the information security profession because it requires that the certification in Section 302 be based on formal internal controls, and the IT systems that produce the financial data are part of those controls.
What is the policy cycle? Why does policy development proceed through a cycle?
The policy cycle
Chapter-7 What is encryption? What is confusion-diffusion paradigm of cryptography?
The process of converting information or data into a code, especially to prevent unauthorized access. Confusion is making the relationship between the plaintext and ciphertext as complex as possible. Diffusion is spreading the impact of a change in 1 bit of the plaintext to all bits in the ciphertext.
Chapter-3 What is the top of a filesystem hierarchy called? How is it represented in UNIX systems? What is a path? Give the difference between a relative and absolute path?
The top is referred to as the file system root, and is represented as a single slash. The location of a file or directory in the hierarchy is referred to as its path. Absolute gives the exact route to the file, where as relative gives the location of the file in relation to the current directory.
What is the IT asset lifecycle? What are the stages in the life cycle?
The useful life of an IT asset. The stages include: planning, acquisition, deployment, management, and retirement.
What are the goals of incident analysis? What is containment? What is eradication?
The goals of incident analysis are to confirm that an incident has occurred and to determine what happened, which systems and data are affected, how the attacker got in and what the impact is, so that containment and recovery can be planned. Containment is the act of preventing the harm from spreading further (for example isolating the affected hosts). Eradication is the removal of the causes of the adverse event, such as the malware or the vulnerability that was exploited.
Chapter-11 What is an information security incident? What are the basic steps involved in handling an incident?
Violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. Preparation, Detection & analysis, Containment, eradication & recovery, and Post-incident analysis
What is the wtmp file? What is the utmp file? How can the information in these files be useful?
The wtmp file (/var/log/wtmp) stores the historical record of logins and logouts on the system, read with the last command. The utmp file holds the current status of the system: who is logged in right now, from where, and since when, read with who or w. The information is useful for spotting logins from unknown hosts, at unusual times, or by accounts that should not be logging in interactively, and for reconstructing who was on a system during an incident.
Given the following ls -l output, what do you know about the ownership and access permissions for the accounting folder? How can you use the chmod command to give write permissions to all members of "accounting_grp" to the "accounting" folder? drwxr-xr--. 2 root accounting_grp 4096 Jan 28 19:07 accounting/
The folder is a directory (d) owned by the user root and the group accounting_grp. root can read, write and execute (enter) it (rwx). Members of accounting_grp can read and enter it but not write to it, so they can open files but cannot create or delete them (r-x). Everyone else can only read the listing of names; without execute permission they cannot enter the directory or open the files in it (r--). To give all members of accounting_grp write permission: chmod g+w accounting, or numerically chmod 774 accounting, which yields drwxrwxr--.
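An added example, not from the course notes: decoding an ls -l mode string into permission bits and applying a symbolic chmod to it, so the answer above can be checked (and the same check run on any other ls output). It is pure computation and touches nothing on disk; the supported chmod syntax is the subset with u/g/o/a, + - =, and r/w/x.

```python
"""Parse ls -l mode strings and apply symbolic chmod specs
(added example, not course material)."""
import re
import stat


def parse_mode(mode_str: str):
    """'drwxr-xr--' (a trailing '.' or '+' marker is ignored) -> (type char, mode int)."""
    ftype, perms = mode_str[0], mode_str[1:10]
    mode = 0
    for i, ch in enumerate(perms):
        bit = 1 << (8 - i)                      # i=0 -> 0o400 (user r) ... i=8 -> 0o001 (other x)
        if ch in "rwx":
            mode |= bit
        elif ch in "sS" and i == 2:             # setuid is shown in the user x slot
            mode |= stat.S_ISUID | (bit if ch == "s" else 0)
        elif ch in "sS" and i == 5:             # setgid in the group x slot
            mode |= stat.S_ISGID | (bit if ch == "s" else 0)
        elif ch in "tT" and i == 8:             # sticky bit in the other x slot
            mode |= stat.S_ISVTX | (bit if ch == "t" else 0)
        elif ch != "-":
            raise ValueError(f"unexpected character {ch!r} at position {i}")
    return ftype, mode


def to_mode_string(ftype: str, mode: int) -> str:
    """Inverse of parse_mode, to show what the new permissions will look like."""
    chars = ["rwx"[i % 3] if mode & (1 << (8 - i)) else "-" for i in range(9)]
    for pos, flag, on, off in ((2, stat.S_ISUID, "s", "S"), (5, stat.S_ISGID, "s", "S"), (8, stat.S_ISVTX, "t", "T")):
        if mode & flag:
            chars[pos] = on if chars[pos] == "x" else off
    return ftype + "".join(chars)


WHO = {"u": 0o700, "g": 0o070, "o": 0o007}
PERM = {"r": 0o444, "w": 0o222, "x": 0o111}


def chmod_symbolic(mode: int, spec: str) -> int:
    """Apply a spec such as 'g+w', 'o-rx', 'a+x' or 'u=rw,g=r' to a mode value."""
    for clause in spec.split(","):
        m = re.fullmatch(r"([ugoa]*)([+\-=])([rwx]*)", clause)
        if not m:
            raise ValueError(f"unsupported clause {clause!r}")
        who, op, perms = m.groups()
        targets = "ugo" if (not who or "a" in who) else who
        who_mask = 0
        for w in targets:
            who_mask |= WHO[w]
        perm_mask = 0
        for p in perms:
            perm_mask |= PERM[p]
        perm_mask &= who_mask
        if op == "+":
            mode |= perm_mask
        elif op == "-":
            mode &= ~perm_mask
        else:                                    # '=' replaces the rwx bits of the targets only
            mode = (mode & ~who_mask) | perm_mask
    return mode


def describe(mode_str: str) -> dict:
    """Who can do what, as the exam question asks."""
    ftype, mode = parse_mode(mode_str)
    out = {"type": "directory" if ftype == "d" else "file"}
    for who, shift in (("user", 6), ("group", 3), ("other", 0)):
        bits = (mode >> shift) & 0o7
        out[who] = [name for name, b in (("read", 4), ("write", 2), ("execute", 1)) if bits & b]
    return out


if __name__ == "__main__":
    listing = "drwxr-xr--."                       # from the ls -l line in the question
    ftype, mode = parse_mode(listing)
    print(describe(listing), oct(mode))
    new = chmod_symbolic(mode, "g+w")             # chmod g+w accounting
    print("after g+w:", to_mode_string(ftype, new), oct(new))
```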
Briefly define the following:
brute-force attack - an attacker systematically tries many candidate passwords or keys (every combination, or a dictionary of likely ones) until one works; the defences are rate limiting, account lockout, long secrets and slow password hashing. 0-day vulnerability - an undisclosed software vulnerability, for which no patch exists yet, that attackers can exploit to adversely affect programs, data, other computers or a network. cross-site scripting attack (XSS) - a website accepts user-supplied content and echoes it into pages without escaping it, so an attacker can inject script that runs in other users' browsers. threat shifting - the response of attackers to controls: they change some characteristic of their intent, targeting or methods in order to avoid or overcome the safeguards and countermeasures put in place.
Describe the following vulnerabilities:
lack of input validation - a situation where user input is used by the software without confirming that it has the expected form, length and range. If input is not properly validated, users can make the software do things it should not, including gaining access to information they are not supposed to see. buffer overflow - a program writes more data into a fixed-size storage area (buffer) than it can hold, overwriting adjacent memory; an attacker who controls the overflowing data can corrupt variables or hijack control flow. unrestricted upload - files are accepted by software without verifying that they follow strict specifications. E-commerce sites like Amazon encourage users to attach photos of the product to their reviews; if the uploaded content is not verified to actually be an image (by its bytes, not just its .jpg extension or claimed content type), an attacker can upload an executable or a server-side script instead of a photo. missing authorization - a program lets a user reach privileged functions or data without checking that the user's credentials and role actually permit it. These vulnerabilities are the biggest concern for the financial industry.
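An added example, not from the course notes: the unrestricted-upload and lack-of-input-validation weaknesses beside a hardened check. The allowed types, the size limit and the sample byte strings are constructed for the illustration; the upload directory name is an assumption.

```python
"""Vulnerable vs hardened file upload handling (added example, not course material)."""
import os
import re

UPLOAD_DIR = "uploads"                 # assumed location
MAX_BYTES = 5 * 1024 * 1024            # assumed policy limit
# File signatures (magic bytes) that must begin the content for each allowed extension
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})")   # exactly one dot: no 'shell.php.jpg'


def vulnerable_destination(filename: str) -> str:
    """Unrestricted upload: the client-supplied name is used as-is and no check is
    made on the content, so '../../etc/cron.d/x' escapes the upload directory
    and a PHP script is stored just like a photo."""
    return os.path.join(UPLOAD_DIR, filename)


def escapes_upload_dir(path: str) -> bool:
    """True if a path, once normalized, does not stay inside UPLOAD_DIR."""
    normalized = os.path.normpath(path)
    return normalized != UPLOAD_DIR and not normalized.startswith(UPLOAD_DIR + os.sep)


def validate_upload(filename: str, content: bytes):
    """Hardened check -> (accepted, detail). detail is the accepted type on success
    or the rejection reason. Every property comes from the server's own rules,
    never from what the client claims (Content-Type, extension, name)."""
    if len(content) > MAX_BYTES:
        return False, "too large"
    base = os.path.basename(filename.replace("\\", "/"))      # drop any directory part
    m = NAME_RE.fullmatch(base)
    if not m:
        return False, "bad filename"
    ext = m.group(1).lower()
    if ext not in MAGIC:
        return False, "extension not allowed"
    if not any(content.startswith(sig) for sig in MAGIC[ext]):
        return False, "content does not match extension"
    return True, ext


def safe_destination(filename: str, content: bytes, token: str) -> str:
    """Store under a server-chosen name (token would come from secrets.token_hex in
    real code) so the original name never reaches the filesystem."""
    ok, detail = validate_upload(filename, content)
    if not ok:
        raise ValueError(detail)
    return os.path.join(UPLOAD_DIR, f"{token}.{detail}")


# Constructed sample contents
PNG_OK = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
JPG_OK = b"\xff\xd8\xff\xe0" + b"\x00" * 16
PHP_SHELL = b"<?php system($_GET['c']); ?>"

if __name__ == "__main__":
    for name, content in [("photo.jpg", JPG_OK), ("shell.php", PHP_SHELL), ("shell.php.jpg", JPG_OK),
                          ("photo.jpg", PHP_SHELL), ("../../etc/cron.d/evil.png", PNG_OK)]:
        print(f"{name:<28} vulnerable -> {vulnerable_destination(name)!r:40} hardened -> {validate_upload(name, content)}")
```

The order of the checks is deliberate: size first (cheap, and it bounds the later work), then the name, then the extension allow-list, and only then the content, because the magic-byte test is the only one the attacker cannot satisfy by renaming a file.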
What are the following UNIX commands used for?
pwd (print working directory) - shows the directory you are currently in. cd - changes the current directory of the shell. ls - lists the files in a directory (ls -l adds owner, group, permissions and size). rm - deletes a file from the filesystem; rm -r removes a whole directory tree, and there is no undo.