IT security final


What is shell scripting and what is it used for? What is the important difference between scripting languages and other computer languages?

A shell script is an application constructed from multiple command line applications to accomplish complex tasks; this is done through a "shell" such as BASH. It is used for automating processes throughout a Unix system, from starting network services at boot up to configuring the user's shell environment during login. The most important difference between scripting languages and other computer languages is that scripts do not have to be compiled into a binary file to be run. The script is interpreted and converted into the necessary binary code at run-time.

What are the following UNIX commands used for? pwd, cd, ls, rm

pwd: "print working directory," returns the absolute path of the directory you are currently in. cd: change directory, allowing users to switch to another directory. ls: list the contents of the current directory. rm: delete a file.

What is the wtmp file? What is the utmp file? How can the information in these files be useful?

wtmp is a binary file that stores historical login and logout information. The utmp file indicates who is logged in to the system at the present time. The information in these files is useful when investigating a breach of the system.

Describe the following vulnerabilities: lack of input validation, buffer-overflow, unrestricted upload, and missing authorization.

Lack of input validation: user input is not verified for appropriateness. When unverified user input is used as part of SQL queries to databases, an attacker can exploit that input. Buffer-overflow: a program puts more data into a storage location than it can hold. Unrestricted upload: files are accepted by software without verifying that the file follows strict specifications. Missing authorization: a software program allows users access to privileged parts of the program without verifying the credentials of the users.

What is log analysis? What is the goal of log analysis?

Log analysis examines the status information that logs record for software developers, system administrators and security administrators. Logs can help software developers ensure an application is behaving as expected. For system administrators, logs support performance analysis of a running application (memory and disk space). Security administrators use logs during the analysis phase of an incident.

Briefly describe the terms Access Control and User Management and their role in information security

Access control is the act of limiting access to information system resources (including those available in a business application) only to authorized users, programs, processes, or other systems. A key component of access control is user management. User management refers to defining the rights of organizational members to information in the organization. Together, they ensure unauthorized users do not have access or rights to view and modify confidential information/systems.

What is incident response policy? What is a disaster? What is disaster recovery? What is business impact analysis?

An incident response policy describes the standard methods used by the organization for handling information security incidents (it provides understanding to management when an incident occurs). A disaster is a calamitous event that causes great destruction. Disaster recovery is the process adopted by the IT organization in order to bring systems back up and running. A business impact analysis is the identification of services and products that are critical to the organization.

What is asset characterization? What is asset sensitivity? What are the different classes of sensitivity commonly used to characterize assets?

Asset characterization is identifying the sensitivity and criticality of assets. Asset sensitivity is how much damage a breach of confidentiality or integrity would cause to the organization. The two classes of sensitivity are restricted and unrestricted. Restricted means disclosure or alteration would have adverse consequences for the organization (e.g. student grades). Unrestricted means a leak or modification would not have adverse consequences for the organization (e.g. student directory).

What is asset criticality? What are the different classes of criticality commonly used to characterize assets?

Asset criticality is the measure of the importance of an asset to the immediate survival of the organization. The classes of criticality used to characterize assets are essential, required, and deferrable assets. Essential: loss of availability would have severe immediate repercussions for the organization (e.g. DNS server). Required: the organization would be able to continue for a time without the asset. Deferrable: loss of availability is tolerable, and would not cause major issues for the organization in the near term (e.g. Microsoft Office suite).

What is a threat? Describe a threat model.

Threats are capabilities, intentions, and attack methods of adversaries to exploit or cause harm to assets. The threat model is the interactions between relevant agents, actions, and assets. Threats arise from motivated people (agents) taking specific actions to exploit assets.

What is block encryption? What is cipher-block chaining?

Block encryption: the process of converting a plaintext block into an encrypted block; it uses substitution and permutation. Cipher-block chaining: a way of combining encrypted blocks; it uses information from the previous ciphertext block while encrypting the current block.

What is encryption? What is confusion-diffusion paradigm of cryptography?

Encryption is the cryptographic transformation of data to produce ciphertext. The confusion-diffusion paradigm (Claude Shannon) combines confusion with diffusion. Confusion is making the relationship between plaintext and ciphertext as complex as possible. Diffusion is spreading the impact of a change in one bit of the plaintext to all bits in the ciphertext.

What is information security? What is CIA-triad in information security context?

Information security is the protection of information and systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability. The goals of security are availability, confidentiality and integrity (CIA). Confidentiality: preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; the individual right to privacy (which extends to personal information). Integrity: guarding against improper information modification/destruction, including ensuring information non-repudiation and authenticity; it makes information actionable and is a concern of regulators (Sarbanes-Oxley). Availability: ensuring timely and reliable access to and use of information; it is important to end users, and has revenue implications in e-commerce.

What are viruses and worms? What is the primary difference between them?

Viruses and worms are computer programs that adversely affect computers and propagate through the network without the user's consent. Viruses, however, use other programs (e.g. the user's email client) to spread (they need an active host), while worms can propagate all by themselves.

What are firewalls? Write an example firewall rule and describe what the rule does.

A firewall is a form of protection that allows one network to connect to another network while maintaining some amount of protection. Example (two rules): "pass in log quick from any to any port = 22" and "pass out log quick from any port = 22 to any". This pair of rules allows all incoming and outgoing connections to the ssh service (port 22) and also specifies that all ssh transactions be logged.

What is an information security policy? What is a standard? How are standards different from policies? How are the two similar?

A policy specifies the general direction (high-level course of action) for the organization to follow (it is not concerned with how to get there), while standards focus on how to get where the policy desires to go. Standards are directly related to and backed up by a policy. Standards are defined sets of rules, and are adopted and accepted by several organizations (industry standards are considered the norm). Policies are harder to modify than standards, and standards make policies more meaningful.

What is an information security incident? What are the basic steps involved in handling an incident?

A security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. The steps to handling an incident are: (1) preparation, (2) detection and analysis, (3) containment, eradication, recovery, (4) post-incident analysis.

What are the common locations of log files on Unix-based systems? What is the syslog service? What are syslog selectors? What are the parts of a syslog selector?

The common location of log files on Unix-based systems is /var/log. The syslog service is a way for network devices to send event messages to a logging server (syslog server). It is used to handle messages for programs that are "syslog-aware", allowing any programmer to use the facility to store log information in a location specified in the configuration file. A syslog selector specifies the types of messages and priorities to which a specific line in the configuration file applies. It is composed of two parts: (1) the facility describes the part of the system generating the message; (2) the priority classifies the message by criticality. Priorities are additive, meaning that when a selector specifies a priority, messages with that priority and all higher priorities will be logged.

What is compliance? List at least 2 of the laws with implications for information security professionals. What is the difference between compliance and security?

Compliance is meeting the specifications put forth by policies or legal requirements, while policies help organizations meet legal requirements. Compliance does not always address the reason for a requirement, while security is being free from danger. It is possible to be secure without being compliant; budget and infrastructure may prevent compliance. California's Breach Notification Law requires a company to notify individuals of a data breach involving PII. HIPAA protects personal health information.

What is a credential? What are the 3 categories of credentials?

Credentials are the piece (or pieces) of information used to verify the user's identity. Categories are something you know (passwords), something you have (tokens), something you are (biometrics).

What are environment variables? What are built-in variables? How are they different from environment variables? What should the value of $? be if the last command that was executed completed successfully?

Environment variables hold default values and user preferences for the current terminal session. Built-in variables are variables with useful values, from reporting on the type of hardware the server is running on to reporting the status of the last command issued. Built-in variables are defined by BASH, while environment variables are created automatically when the user logs in or starts a new terminal window. The value of $? if the last command that was executed completed successfully would be 0.

What is the first line of every BASH script? What happens when the script file does not have execute permissions for the user attempting to run the script?

The first line of every BASH script is #! /bin/bash. If the script does not have execute permissions for the user attempting to run the script, the user will not be able to execute the script.

Given the following ls -l output, what do you know about the ownership and access permissions for the accounting folder? How can you use the chmod command to give write permissions to all members of "accounting_grp" to the "accounting" folder? drwxr-xr--. 2 root accounting_grp 4096 Jan 28 19:07 accounting/

For the accounting folder, group ownership belongs to accounting_grp, and user ownership belongs to root. Access permissions are as follows: root has permission to read, write and execute; members of accounting_grp have permission to read and execute; and all other users (the world) have permission to read. The chmod command to give write permissions to all members of "accounting_grp": chmod 774 accounting

How do HIPAA (the Health Insurance Portability and Accountability Act) and Sarbanes-Oxley act relate to information security?

HIPAA was a push for electronic health records to reduce costs. Therefore, the healthcare industry is responsible for ensuring the confidentiality of patient information (it must be protected). Sarbanes-Oxley relates to information security in terms of integrity (accuracy of information) and ensures the correctness of financial reporting from executives. Section 404 impacts information security because financial statements are produced by IT systems, and it requires that the certification of Section 302 is based on formal internal controls.

What is Identity Management? Briefly describe the phases of the Identity Management model.

Identity management is identifying users and collecting all necessary data to grant or revoke privileges for those users to resources. Phase 1: identity discovery, which is locating all new and updated identities throughout the organization. Phase 2: identity reconciliation is the process of comparing each discovered identity to a master record of all individuals in the organization. This step includes the person registry (a hub connecting identifiers into a master identity). Main functions: identity matching, merging, and creation. Phase 3: identity enrichment, collecting data about each individual's relationship to the organization.

What are IDS/ IPS? Briefly describe signature-based IDSs, anomaly-based IDSs, and protocol-state-based IDSs.

Intrusion detection systems (IDS) are hardware devices or software applications that monitor IT systems for malicious activity or violations of usage policies established by the system administrator. Intrusion prevention systems (IPS) build on IDS and attempt to stop potential intrusions. Signature-based IDSs: a signature is a sequence of bytes that is known to be part of malicious software. Signature-based detection methods compare observed events to a database of signatures to identify possible incidents. Anomaly-based IDSs: detect deviations between observed events and defined activity patterns based on users, hosts, network connections, or applications. Protocol-state-based IDSs: compare observed events against defined protocol activity for each protocol state to identify deviations. Stateful protocol analysis specifies how particular protocols should and should not be used. Deviations from expected protocol behavior can be detected and flagged, as can unexpected sequences of commands.

Briefly describe the Morris Worm and the Gang of 414's and their impact on information security

Morris Worm: a 99-line program used to count the size of the internet, which caused 10% of the internet to crash. CERT (Computer Emergency Response Team) was established at Carnegie Mellon as a result. It was an availability issue. Gang of 414's: six teenagers from Milwaukee, WI, broke into 60 high-profile computer systems and introduced the term "hacker." This led to US Congress hearings on computer security and the Computer Fraud and Abuse Act, 1986. Loss of privacy was the primary concern (confidentiality).

Provide a brief overview of the OCTAVE methodology developed by the SEI. How is it related to the NIST 800-39 and ISO 27000 standards?

OCTAVE stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation. It corresponds to the risk assessment phase of the NIST 800-39 framework. OCTAVE is related to the other standards because these plans identify assets and threats to assets, identify vulnerabilities that can create risk in the organization, and develop ways to protect against and mitigate risk. All of these strategies work to help with risk management.

What are deep packet inspection firewalls? What additional capabilities do they offer, compared to packet-filtering firewalls?

Packet-filtering firewalls examine the protocol header fields of packets flowing through the firewall to determine whether to allow the packets to enter the network. Deep packet inspection firewalls examine the data carried by a packet, in addition to the protocol headers, to decide how to handle the packet. The data carried by the packet can then be compared against a database of known malicious payloads.

What is the policy cycle? Why does policy development proceed through a cycle?

Policies, like the incident response cycle, work in cycles because of incidents or revisions needed in organizations. A policy is written for employees or customers, or to satisfy state/federal regulation. Policies work to protect the CIA of assets. The stages of the policy cycle are: writing the policy, impact assessment and promulgation (review by stakeholders), and review (periodic re-evaluation).

What is reactive monitoring? What is proactive testing? Provide some common reactive monitoring methods and some common proactive testing methods?

Reactive monitoring is the act of detecting and analyzing failures after they have occurred. Proactive testing is the act of testing a system for specific issues before they occur. Common reactive monitoring methods: log management tools collect and analyze the system logs from all of the servers across a network and correlate events between servers. Monitoring tools such as these assist system administrators in detecting unusual patterns or events, which may indicate a security compromise and, once a compromise is detected, how many systems are potentially affected. Common proactive testing methods: use vulnerability scanners to assess systems and look for potential vulnerabilities. These vulnerabilities can then be prioritized and resolved.

Provide a brief overview of the NIST 800-39 risk management framework. Draw a figure showing the components of the framework, and the relationships of these components to each other.

NIST 800-39 is a set of recommendations for managing information security risks (developed by the federal government) and is very general. It is useful for commercial and non-profit organizations; high-security environments and HIPAA organizations use more stringent procedures. Risk frame: describes the environment in which risk-based decisions are made (clarifies to members the criteria used, and identifies the risks to be managed by leaders). Risk assessment: identifies and aggregates the risks facing the organization (threats, vulnerabilities, and the harm if threats exploit vulnerabilities). Risk response (once risks are assessed): addresses how the organization responds to the risks determined from risk assessments. Ongoing risk monitoring (based on experiences gained from risk response activities): evaluates the effectiveness of the organization's risk responses.

What is risk? What is risk management? What is IT risk management and how is it related to an organization's overall risk management?

Risk: a quantitative measure of the potential damage caused by a specific threat; it requires top management attention. Risk management: managing the financial impacts of unusual events. IT risk management: IT risk is the risk associated with the use of information systems in an organization, and is one of many risks. It can be integrated with the design and business process, and senior leadership should be involved.

Describe secret key cryptography, public key cryptography, digital signatures, and hash functions.

Secret key cryptography refers to encryption methods that use one key for both encryption and decryption; it secures data storage and transmission. Public key cryptography refers to encryption methods that use two keys, one for encryption and another for decryption; it is used for secure key exchange, authentication, and digital signatures. Digital signatures: a cryptographic transformation of data that allows a recipient of the data to prove the source (non-repudiation) and integrity of the data. Hash functions refer to cryptographic methods that use no keys; they are used for password protection and data integrity checks.

Name at least one advantage and disadvantage to using: shared tokens, CAS, Shibboleth, Open ID

Shared tokens: very secure and easy to implement, but you need multiple devices. Advantage: once a user is logged on there is no need to re-authenticate until the cookie is cleared. Disadvantage: if someone were to gain access to the user's browser and data, it would be easy to gain access to their accounts. CAS: helps you integrate with the webpage, unlike Kerberos. Advantage: the ticket-based system is more secure for users. Disadvantage: a ticket can only be used with the URL it was requested for and is only valid for a short period of time. Shibboleth: Advantage: a lot of information is available about its implementation and troubleshooting. Disadvantage: each resource being served must be approved and registered before being integrated into the system. OpenID: Advantage: allows many users to be a part of the system without requiring each identity provider to register with a central authority. Disadvantage: the amount of security offered by each site operating with OpenID differs.

What is the IT asset lifecycle? What are the stages in the life cycle?

Since assets have long lives they can be forgotten and compromised, so security analysts must plan for this and be aware of the life cycle (which shows the high-level stages of an asset). Stages include: planning (request for information), acquisition (invitation to negotiate, request for proposal, invitation to bid), deployment, management, and retirement.

Briefly describe the following in the context of Information Security: Single point of failure, active directory, domain controller, group policies

Single point of failure: a part of a system whose failure will stop the entire system from working. Active Directory: a collection of technologies that provide centralized user management and access control across all computers that are "members" of the domain. Domain controller: the server that implements the Active Directory rules within a domain. Group policies: an infrastructure that allows you to implement specific configurations for users and computers.

What is the top of a filesystem hierarchy called? How is it represented in UNIX systems? What is a path? Give the difference between a relative and absolute path?

The filesystem root is the top of the hierarchy and is represented by a single slash. The location of the file or directory in the hierarchy is the path. An absolute path is the exact location of the file that is being referenced, including each directory above the current one up to the filesystem root. Relative paths give the location of the file in relation to the current directory.

What are the goals of incident analysis? What is containment? What is eradication?

The goal of incident analysis is to discover all adverse events that compose the incident in order to properly and effectively manage the next phase of the cycle, which is containment and eradication. Containment is the act of preventing the expansion of harm (e.g. disconnecting affected computers from the network). Eradication is the removal of the cause of the adverse event.

Briefly describe the Information Security Model and define the components.

The information security model includes the core components of information security and the relationships between the components, excluding everything else. Assets: a resource or information that is to be protected (e.g. customer PII). Vulnerabilities: weaknesses in a system that can be exploited (e.g. hard drive crashes). Threat: capabilities, intentions and attack methods of adversaries to exploit or cause harm to assets (e.g. guessing passwords). Controls: safeguards used to minimize the impact of threats (e.g. strong passwords).

What are Threat Agents? What are the different types of threat agents?

Threat agents are individuals, organizations, or groups that originate particular threat actions. The different types of threat agents are: external, internal, and partners. External: agents outside of the organization with no direct links (e.g. Anonymous). Internal: people linked to the organization (employees). Partners: third parties sharing a business relationship with the organization (contractors).

Briefly define the following: brute-force attack, zero day vulnerability, cross-site scripting attack, threat shifting.

Brute-force attack: a hacker tries to access an account by trying to "guess" the correct password; poor choice of passwords causes this attack to be successful. Zero-day vulnerability: a threat developed by a threat agent before a solution to eliminate the vulnerability was found and made public. Cross-site scripting attack (XSS): occurs when a website allows a malicious user to enter information with malicious content, usually JavaScript code that is executed when other users visit the site. Threat shifting: the response of hackers to controls, in which they change some characteristics of their intent/targeting in order to avoid/overcome those safeguards/countermeasures.
