Cyber War Gaming Midterm Two Review

SIEM (Security Information and Event Management) is

A security system that attempts to look at security events throughout the organization.

OpenVAS is what type of tool?

A security tool for conducting port scanning, OS identification, and vulnerability assessments.

Splunk is known for its ease of ____ and ____, yet simplistic, search and data mainipulation abilities.

configuration and powerful

One of hte primary purposes of pfSense is to act as a ___.

firewall

Firewall are based on _____.

firewall rules

Transfer Risk

have a third party or other entity deal with the risk.

Splunk is used on ______ and ____ to network and security devices such as _____ and _____.

host systems and applications; firewalls and antivirus filters

exploit (risk response)

A risk response to an opportunity by seizing the opportunity to ensure that it will happen and that the impact will be realized.

Splunk

(the product) captures, indexes, and correlates real-time data in a searchable repository from which it can generate graphs, reports, alerts, dashboards, and visualizations.

Five ways to manage risk:

1. Accept Risk 2. Avoid Risk 3. Transfer Risk 4. Mitigate Risk 5. Exploit Risk

Vulnerability Assesment and Risk procedure:

1. Do a port scan. 2. Look at what you get and develop a plan. 3. Use OpenVAS.

What are the pfSense firewall rules?

1. Firewall rules on interface and Group tabs process traffic in the Inbound direction. 2. Rules are processed from the top down, stopping at the first match. 3. Where no users-configured firewall rules match, traffic is denied. 4. Rules on the LAN interface allowing the LAN subnet to any destination come by default. 5. Only what is explicitly allowed via firewall rules will be passed.

Splunk 3 main components.

1. Forwarders/Data Input. 2. Indexers. 3. Search Heads.

Steps to use OpenVAS for KaliLinux:

1. Login in on the web interface, we're redirected to the Greenbone Security Assistant dashboard. 2. IP address is 127.0.0.1 3. Click Scans>>Tasks>>either Task Wizard and enter ipaddresses with subnet masks

When is Transfer Risk used?

1. More common in projects where there are several parties involved. 2. Transfer the impact and management of the risk to someone else. 3. Normally transerence arrangements are written up into project contracts.

Accept Risk steps:

1. Risk is identified. 2. No Acction taken. 3. Accept that it might hapepn and decide to deal with it if it does(Reacitve).

Firewall Rule Processing Order:

1. Rules in pfSense are processed in a specific order. 2. Understanding this order is important when crafting more complicated set of rules and when troubleshooting. 3. Rules can be much more complicated, especially when floating rules are involved and out direction rules are used.

Accept the Risk is a good strategy for:

1. Very small risks. 2. Risks that won't have much of an impact on your project. 3. Easily dealt with. 4. Take a lot of time/resources to build a risk management strategy.

What is Mitigation?

1. limits the impact of a risk. 2. Problems are smaller and easier to fix. 3. Mitigate against impact such as Create an incident response team. 4. Mitigate aganist likelihood of happening such as Penetration Test your system(s) on a regular basis.

For OpenVAS, what must connect to the server to perform the tests?

A client computer("nix or Windows)

accept (risk response)

A risk response to a threat where a conscious and deliberate decision is taken to retain the threat, having discerned that it is more economical to do so than to attempt a risk response action. The threat should continue to be monitored to ensure that it remains tolerable.

Accept the Risk

Accept the likelihood and impact of the risk(reactive)

Risk Management

All efforts designed to preserve assets and earning power associated with a business.

When do you Avoid Risk?

Good strategy for when a risk has a potentially large impact on your project.

Floating Rule Example4:

Apply filtering in a "last match wins" way rather than "first match wins" (quick)

Floating Rule Example3:

Apply rules to multiple interfaces.

Floating Rule Example5:

Apply traffic shaping to match traffic but not affect it's pass/block action(Like load balancing-if you have a cluster)

Floating Rules

Are advanced Firewall Rules which can apply in any direction and to any or multiple interfaces.

Splunk main component 2 Indexers:

Are what receives, stores, and categorizes the data for later use in searching .

Exploit Risk Example:

Example: Company product so successful the eCommerce site becomes overwhelmed; Positive risk-sometimes that would have a benefit to the project and the company if it happened; Priority is maximize the chance that the risk happens.

Avoid the Risk

Change plans completely to avoid the risk.

By default, firewall rule schedule do what.

Clear the states of existing connectins when the expiration time is reached. That behavior may be changed to not clear states for existing connections.

Splunk ____ and ____ log data generated throughout the organization's technology infrastructure.

Collects and aggregates

OpenVAS is what type of scanner?

Commercial Vulnerability Scanner

What is an example of avoiding the risk?

Example: New software roll out is scheduled in January; Putting team through training course in January to learn new time management process--not a good idea; change the project plan and schedule training for February.

Example of a Transfer risk:

Example: A third party contracted to manage company web site. They would be responsible for managing security and thus risk of that site.

Floating Rule Example1:

Filter traffic from the firewall itself.

Floating Rule Example2:

Filter traffig in the outbound direction(all other tabs are Inbound processing only)

____ control what traffic is allowed to enter an interface on the firewall.

Firewall rules.

pfSense is based on what operating system?

FreeBSD

What does Splunk improve?

Improves visibility and security within a large network.

OpenVAS is furnished with what?

It is furnished with a Greenbone Security Assistant program guide for ease of use

What is OpenVAS intended to be in regards to its scanning capabilities?

It is intended to be an all-in-one vulnerability scanner with a variety of built-in test.

What do you need to do before a firewal rule schedule can be applied?

It must be created under Firewall>Schedules. Then when creating a rule, pick up the defined schedule from the list.

Which risk management is easiest to understand?

Mitigate the Risk:

Which risk management technique is easiest to implement?

Mitigate the risk

Which is the most common risk management technique:

Mitigate the risk.

Do many firewalls need Floating Rules?

No.

A Splunk user does what?

Only see own knowledge objects and those shared to them.

Which of the following interfaces enables you to scan several IP addresses at once or type in an IP address to create a simple scan of any machine?

OpenVAS

The __________ report includes a report overview and the details for each host.

OpenVas

How can Firewall Rules be scheduled?

Scheduled so tht they are only active at certine times of day or specific days or days of the week.

By default, firewall schedule rules do what of existing connectins when the expiration time is reached.

Schedules clear the states. the behavior may be changed to not clear states for existing connections.

SIEM

Security Information and Event Management

SIEM is a

Security Information and Event Management. A security system that attempts to look at security events throughout the organization.

SIEM (Security Information and Event Management)

Software that can be configured to evaluate data logs from IDS, IPS, firewalls, and proxy servers in order to detect significant events that require the attention of IT staff according to predefined rules.

SIEM (Security Information and Event Management) is a

Software that collects and analyzes security alerts, logs and other real time and historical data from security devices on the network

OpenVAS is the scanning engine, but which of the following is the Web interface that allows users to quickly scan and analyze their network?

The Greenbone Security Assistant

Splunk main component 3. Search Heads:

The Splunk search head is hwere the user performs searches and generates reports onthe date within Splunk.

Risk

The chance of loss from an event that cannot be entirely controlled

Floating Rules make complex filtering scenarios easier at what cost?

The cost of being a little harder to follow logically in the GUI.

Which risk management technique is less used?

Transfer Risk

What can pfSense do?

Uses include: 1. LAN/WAN Router. 2. Intenet Cafes. 3. Wireless Hotspot(Captivate Portal). 4. VPN Router. 5. Firewall. 6. DHCP/DNS Server. 7. Wireless Access Point. 8. Transparent Squid Proxy Server.

How will the Firewall Schedules Rules act when the scheduled time is not active?

Will act as though they do not exist.

May the behavior be changed to not clear states for existing connectins in firewall rule schedule?

Yes.

Splunk main component 1 Forwarders/Data Input:

are installed or available on server/hosts provide the data to be used in the SIEM. Any log data from any type of machine can be taken in by Splunk.

Splunk can ___ and ___ incidents and events, as well as analyzes them.

identify and categorize

pfSense

is an open source firewall/router computer software distribution based on FreeBSD.

Floating Rules are ___ before rules on other interfaces.

parsed

IIf a packet matches a Floating Rule and the Quick option is active on that rule, what will pfSense do?

pfSense will not attempt to filter the packet against any rule on any other group or interface lab.

OpenVAS initially perform a _______ of an IP address to find open services.

port scan

Splunk provides ____ analysis of security alerts generated by applications and network hardware.

real-time

Mitigate the Risk

reduce probability or impact

Splunk uses ____________ to categorize the type of data being indexed.

sourcetypes

A ____ entry allows through subsequent packets that are part of that connection.

state table

PfSense requires no knowledge of what?

the underlying FreeBSD system(free open source unix system)

How can pfSense be configured and upgraded?

through a web-based interface.

OpenVAS list of scanning capabilities include:

unauthenticated testing; authenticated testing; various high level(SMTP, FTP, SSH, HTTP) and low level(TCP, UDP, IP) Internet and Industrial protocols; performance tuning for large-scale scans; powerful internal programming language to implement any type of vulnerability test

In OpenVAS once listening servicces are discovered, they are then tested for known ____ and ____ using _____.

vulnerabilities; mis-configuration; a large database( more than 5300 NVT checks)