Chapter 6 - Security Operations and Administration, Chapter 7 - Auditing, Testing and Monitoring

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

Prudent

A reasonable list of things is permitted; all others are prohibited. This permission level is suitable for most businesses.

Blanket purchase agreement

A streamlined method of meeting recurring needs for supplies or services

Protocol patterns

Another way to identify attacks without a signature is to look for deviations from protocols.

Mitigation activities

Any actions intended to reduce or address vulnerabilities found in either penetration tests or vulnerability tests.

Permissive

Anything not specifically prohibited is OK. This permission level is suitable for most public Internet sites, some schools and libraries, and many training centers.

Techniques for security monitoring

Baselines Alarms, alerts, and trends Closed-circuit TV

Secure

Ensure that new, and existing, controls work together to protect the intended level of security.

Promiscuous

Everything is allowed. This permission level is used by many home users but makes it easier for attackers to succeed.

Post audit activities

Exit interview Data analysis Generation of audit report

Generation of audit report

Findings Recommendations Timeline for implementation Level of risk Management response Follow-up

Goal of penetration testing

Identify threats Bypass controls Exploit vulnerabilities

Goals of vulnerability testing

Identify vulnerability (passively) Document lack of security control or misconfiguration Examine vulnerabilities related to credentialed and noncredentialed users

Improve

Include proposals to improve the security program and controls in the audit results. This step applies to the recommended changes as accepted by management.

Steps in system life cycle

Project initiation and planning System design specification Build (develop) and document Acceptance testing Implementation (transition to production) Operations and maintenance Disposal

How to collect audit data

Questionnaires Interviews Observation Checklists Reviewing documentation Reviewing configurations Reviewing policy Performing security testing

Monitor

Review and measure all controls to capture actions and changes on the system.

Audit

Review the logs and overall environment to provide independent analysis of how well the security policy and controls work.

Auditor throughout planning and execution phases

Survey the site(s) Review documentation Review risk analysis output Review server and application logs Review incident logs Review results of penetration tests

Certifier

The individual or team that is responsible for performing the security test and evaluation (ST+E) for the system.

Organizational compliance

The organization must comply with its own policies, audits, culture, and standards.

Regulatory compliance

The organization must comply with laws and government regulations.

System Owner

The person responsible for the daily operations of the system and ensuring that the system continues to operate in compliance with the conditions set out by the AO

configuration management

The process of managing all changes to computer and device configurations

Authorizing official

The senior manager who must review the certification report and make the decision to approve the system for implementation.

Statistical-based methods

These develop baselines of normal traffic and network activity. The device creates an alert when it identifies a deviation.

Network and network devices

These include access, traffic type and patterns, malware, and performance.

Traffic-based methods

These signal an alert when they identify any unacceptable deviation from expected behavior based on traffic.

Reconnaissance

This activity involves reviewing the system to learn as much as possible about the organization, its systems, and its networks.

change control committee

This committee oversees all proposed changes to systems and networks.

Host-based activity

This includes changes to systems, access requests, performance, and startups and shutdowns.

Network mapping

This phase uses tools to determine the layout and services running on the organization's systems and networks.

Paranoid

Very few things are permitted; all others are prohibited and carefully monitored. This permission level is suitable for secure facilities.

False positives

alerts that seem malicious yet are not real security events.

Memorandum of understanding

an agreement between two or more parties that expresses areas of common interest that result in shared actions.

Interconnection security agreement

an agreement that documents the technical requirements of interconnected assets.

SOC 2 and SOC 3 reports

both address primarily security-related controls. The security-related controls in these reports are critical to the success of today's technology service provider organizations.

functional policy

declares an organization's management direction for security in such specific functional areas as email, remote access, and Internet surfing.

Baselines

define basic configurations for specific types of computers or devices.

False negatives

failure of the alarm system to detect a serious event.

Security Information and Event Management

helps organizations manage the explosive growth of their log files. It provides a common platform to capture and analyze entries.

Stateful matching

improves on simple pattern matching. It looks for specific sequences appearing across several packets in a traffic stream rather than just in individual packets.

Controls that monitor activity

intrusion detection systems (IDSs), intrusion prevention systems (IPSs), and firewalls.

Remediation

involves fixing something that is broken or defective. With computer systems, remediation refers to fixing security vulnerabilities.

Penetration testing

is a focused attack to exploit a discovered vulnerability.

classifying data

is the duty of the person who owns the data or of someone the owner assigns.

Configuration Control

is the management of the baseline settings for a system device. The baseline settings meet security requirements. They require that you implement them carefully and only with prior approval.

Host isolation

isolates one or more host computers from your internal networks and creates a demilitarized zone

Non-real-time monitoring

keeps historical records of activity

Compliance Liaison

makes sure all personnel are aware of—and comply with—the organization's policies.

proactive change management

management initiates the change to achieve a desired goal.

reactive change management

management responds to changes in the business environment.

Job rotation

minimizes risk by rotating employees among various systems or duties.

SOC 1 report

primarily focuses on internal controls over financial reporting (ICFR). This type of report is often used to prepare financial statements for the user organization and to implement proper controls to ensure the confidentiality, integrity, and availability of the data generated by the financial reporting requirements.

Real-time monitoring

provides information on what is happening as it happens

Event logs

records of actions that your operating system or application software create. An event log records which user or system accessed data or a resource and when.

Anomaly-based IDSs

sometimes called profile-based systems, compare current activity with stored profiles of normal (expected) activity.

Change Control

the management of changes to the configuration.

Benchmark

the standard to which your system is compared to determine whether it is securely configured.

Hardening

to change hardware and software configurations to make computers and devices as secure as possible.

Vulnerability testing

tries to find a system's weaknesses.

Pattern- or signature-based IDSs

using what's known as rule-based detection, rely on pattern matching and stateful matching to compare current traffic with activity patterns (signatures) of known network attacks.

Security Administration

within an organization refers to the group of individuals responsible for planning, designing, implementing, and monitoring an organization's security plan.


Ensembles d'études connexes

CFOR101 Chps 9, 10, 14 Final Exam

View Set

LESSON 2. VOICES AND MOODS OF VERB

View Set

promulgated contracts final exam qs

View Set