Block 3-Thomson Hall : CYBER SYS OPS
Fault Isolation Tools
Multi-meter
Cable Toner
Time Domain Reflectometer (TDR)
1a3 What is commonly used to measure the voltage of batteries or electrical outlets?
Multimeter
2ab18 The AFNOSC, Network Control Centers (NCCs), and ________ are authorized to terminate network services and isolate an offending network/system.
Network Operations Security Center (NOSC)
Contingency Planning
Normally applies to information systems and provides the steps needed to recover the operation of all or part of designated information systems at an existing or new location in an emergency.
Continuity Planning
Normally applies to the mission/business itself. It is concerned with the ability to continue critical functions and processes during and after an emergency event.
3a13 This command queries domain name service data from a DNS server.
Nslookup
2ab1 Refers to a location away from the computer center where paper copies and backup media are kept.
Offsite Storage
1a11 First step toward appropriate accounting management is to measure the usage of all of the important network _______
Resources
5a4 Provides the ability of automating many management activities.
Scripting
1a14 _____ management subsystems work by partitioning network resources into authorized and unauthorized areas.
Security
1a1 Records security events as valid/invalid logon
Security Log
2ab11 What capabilities of the storage facility, together with employee confidentiality, must meet the data's sensitivity?
Security capabilities
Coordinate With Security Policies and System Security Controls
Server contingency solutions should be coordinated with security policies and system security controls. Thus, in choosing the appropriate technical contingency solution, similar security controls and security-related activities from the operational environment are implemented.
1. Develop The Contingency Planning Policy Statement
A formal policy provides the authority and guidance necessary to develop an effective Contingency Plan.
REMOTE ACCESS TYPES
Administrative Access
End-User Access
Limited (General) Access
Step 1: Define the Problem
All too often, inexperienced troubleshooters concentrate on the symptoms rather than the real problem. Use the symptoms to identify and pin-point the real problem.
-Separate the problem's symptom(s) from associated causes.
-Identify the possible kinds of problems resulting from the list of symptom(s).
-Use the symptoms to determine the root cause of the problem.
Failure Audit
An audited security access attempt that fails
Success Audit
An audited security access attempt that succeeds
Information in Event Type
An event that describes the successful operation of an application, driver, or service
Warning
An event that might not be significant, but might indicate a future problem
1a6 Records events logged by programs
Application Log
4a13 Characteristic or property of the entity that will be stored. Forms the columns of a table/entity.
Attribute
2ab2 This fleet of sensors is the primary detection tool deployed across the AFEN.
Automated Security Incident Measurement (ASIM)
3a3 Operational cyber organizations use this for creating and maintaining trouble tickets.
BMC Remedy
2ab12 Term meaning to save important data/files to a predetermined location at intervals to restore when necessary.
Backup
Store Backup Media and Software Offsite
Backup media and software should be stored offsite in a secure, environmentally controlled facility. The storage facility should be located far enough away from the original site reducing the likelihood both sites would be affected by the same event.
3a6 Refers to the telecommunications signaling methods used for high-speed internet access.
Broadband
REMOTE COMMUNICATIONS METHODS
Broadband
Wireless
Dial-up
The Performance tab includes:
CPU Usage, CPU Usage History, PF Usage, Page File Usage History, Totals, Commit Charge (K), Physical Memory (K), Kernel Memory (K).
5a5 PowerShell scripting language lets you use a specialized type of command called _____.
Cmdlet
5a2 The Windows ______ ______ is a program allowing the user to communicate directly with the operating system through a command line environment.
Command Shell
3a12 Used as a means to help enforce the organization's security policy, as well as an indication and warning system.
Common Intrusion Detection Director System (CIDDS)
Controlling Security Events Audited
Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy
5a1 ______ in PowerShell are similar to loops except they are only processed one time.
Conditional Statement
1a4 ______ management subsystem may provide the ability to initialize, reconfigure, operate, and shut down managed devices.
Configuration Management
3a11 Synchronous communications capability includes web conferencing and instant messaging. A virtual conference room.
Defense Collaboration Services (DCS)
3a4 This agency provides the antivirus solution for the AF network.
Defense Information System Agency (DISA)
2ab7 This backup does not uncheck the archive flag for files it has backed up. It copies all files modified since the last backup.
Differential Data Backup
Step 2: Gather Facts
Diving headfirst into a problem without any facts often results in wasted time and effort.
-Ask the affected users questions.
-Use any commands or tools that help to show the configuration setup.
-Look at any system logs that apply to the problem.
-Analyze the data from these tools and commands.
4a15 There are four broad classes of users: ______, Database Designer, Database Administrators, and Application Programmers.
End-User
3a14 Remote users who will be using network services or accessing, downloading, or uploading data.
End-User Access
4a5 Refers to an object we may wish to store information about. It's also known as table.
Entity
4a6 Used to visually represent the relationship of all entities in a database.
Entity Relationship (ER) Diagram
Event Types:
Error
Warning
Information
Success Audit
Failure Audit
3a5 The nation's premier system for the command and control of joint and coalition forces.
Global Command and Control System (GCCS)
2ab14 Office spaces appropriately sized to support system requirements and fully configured. Only missing data and personnel.
Hot Sites
The ISCP differs from a Disaster Recovery Plan (DRP) primarily in
ISCP procedures are developed for recovery of the system regardless of site or location.
Data Changes Constantly
If it is deleted, corrupted, or lost and there is no backup, it cannot be reloaded.
ELECTRIC POWER
If possible, it is best the data center be on a different electrical grid separate from the rest of the building.
5a3 Scripting out an action that needs to take place more than one time.
Loop
Document System Configurations and Vendors
Maintaining detailed records of system configurations enhances system recovery capabilities. Additionally, vendors supplying essential hardware, software, and other components should be identified in the Contingency Plan.
There are currently two AV and anti-spyware solutions available for DoD use:
McAfee Virus Scan and Symantec Endpoint Protection.
3. Identify Preventive Controls
Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life cycle costs.
2ab13 There must be a _______ between your organization and the storage facility's organization.
Memorandum of Agreement (MOA)
1a5 The Resource Monitor provides real time collection of CPU, Disk, Network, and _____ resources.
Memory
3a2 Tool permitting members to share electronic files for collaboration with their team.
Microsoft Share Point
Business Continuity Plan (BCP)
focuses on sustaining an organization's mission/business processes during and after a disruption. It may be used for long-term recovery, in conjunction with the COOP to allow additional functions to come online as resources or time permit.
We are going to look at four of the more common methods:
full data backup, daily backup, incremental backup, and differential backup.
Binary data is
generated by the program that is the source of the event record and is displayed in hexadecimal format.
Integrity
guards against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
Air Combat Command (ACC)
has converted all their bases to a Storage Area Network (SAN)/RAID/network storage backup system.
The Air Force Information Network (AFIN)
has recently been identified as a weapon system due to its capabilities and our reliance on it for all air, space, and cyberspace operations.
Cable Toner
has two parts: the tone generator and probe. The toner uses alligator clips to connect to non-terminated cables and modular connectors for a direct connection to telephone RJ11 and internet wiring RJ45.
Filtering the events occurring on your network can
help you pinpoint the source of problems.
The Users tab is displayed only
if the computer you are working on has Fast User Switching enabled, and is a member of a workgroup or is a standalone computer.
Incidents
include network/system events such as intrusions, scans, probes, and malicious logic events. Reporting accurate incident information as close to near-real-time as possible is crucial to effective countermeasure response.
Task Manager provides
information about programs and processes running on your computer. It also displays the most commonly used performance measures for processes.
The Processes tab shows
information concerning the processes running on the computer.
An adversary's motivation may include
intelligence gathering, theft of intellectual property, denial of service, embarrassment, or just anticipated pride in having exploited a notable target.
Malicious insiders
intentionally eavesdrop, steal or damage information, use information in a fraudulent manner, or deny access to other authorized users.
CiscoWorks
is a LAN Management Solution (LMS) simplifying the administration, configuration, monitoring, and troubleshooting of Cisco-based networks. It provides network managers a centralized system for sharing device information across all LAN management applications, improving manageability, and increasing system-wide awareness of network changes.
An archive bit
is a file attribute checked (set to "on") or unchecked (set to "off") to indicate whether the file must be archived. When a file is created or changed, the operating system automatically sets the file's archive bit to "on."
WINDOWS POWERSHELL
is a framework created by Microsoft containing a Command Line Shell (similar to MS-DOS) and an associated scripting language.
GCCS Common Operational Picture (COP)
is a key toolset for Commanders in planning, conducting, monitoring, executing, and coordinating operations. Finally, it is used to execute operational directives with the Joint Task Force and individual units.
Baseline Performance
is a process of gathering statistics over time to determine normal network traffic/activity. These statistics are then used in the troubleshooting process to identify abnormal traffic/activity.
The Windows Command Shell
is a program allowing the user to communicate directly with the operating system through a Command Line type environment.
A Database Management System (DBMS)
is a set of programs and utilities executed on a computer to create, process, and administer a database. The DBMS is a sophisticated tool used to construct a database and operate on data stored within it. The DBMS term will be expounded a little later in this unit.
Network Monitor
is a software implementation of a protocol analyzer. This software lets a workstation capture and monitor network traffic going to and from the machine on which it is being executed. It can capture traffic between nodes, decode and analyze it, and provide packet-type statistics and error counts used to determine baseline performance statistics.
THEATER BATTLE MANAGEMENT CORE SYSTEM (TBMCS)
is a special AF program with Joint interest. TBMCS serves as the focal point for Joint Air Warfare Command and Control. It integrates systems used for planning, tasking, intelligence gathering and execution into a single, common interface.
DELIBERATE AND CRISIS ACTION PLANNING EXECUTION SEGMENT (DCAPES)
is a special set of processes supporting the AF planning and execution community in deliberate planning, crisis planning, and crisis execution. It enables timely, employment-driven, collaborative planning for AF participation in the Joint Operation Planning Execution System (JOPES) process.
A database system
is a systematic way to access data stored within a database.
Theater Battle Management Core System Unit Level (TBMCS-UL)
is a weapon system providing real-time command and control capability including a survival and recovery center, wing flight scheduling, resource management applications, and interfaces with maintenance, aircrew qualifications and AOC systems.
Disaster Recovery Plan (DRP)
is an information system-focused plan designed to restore operability of the target system, application, or computer facility infrastructure at an alternate site after an emergency.
JOINT OPERATION PLANNING EXECUTION SYSTEM (JOPES)
is another special system on the AFIN and specifically used for the development, maintenance, and management of Time Phased Force Deployment Data (TPFDD), functional plans, and Operation Orders (OPORD) in joint operations.
The Set Affinity command
is available only on multiprocessor computers. Using __ __ __ __ limits the execution of the program or process to the selected processors and may decrease overall system performance.
Policy on backups
is established during the certification and accreditation phase when the system was implemented.
TBMCS-UL Ops
is in the middle and bottom of the TBMCS Structure. It provides Wing Level decision support tools, resource management, an aircraft scheduling application, ATO parser, secure messaging, document libraries, Wing reporting tools, a situation room, and it is the last stop for the execution of the ATO and Order of Battle.
Theater Battle Management Core System Unit Level Intel (TBMCS-UL Intel)
is in the middle of the TBMCS Logical Structure. It feeds TBMCS with intelligence for Joint Headquarters and AOCs to make better and more precise decisions.
The Event Log service
is initiated automatically when the computer is started. All users can view Application and System logs.
As an AF network administrator, creating and/or knowing the steps in your organization's disaster/contingency/crisis management plan
is key to keeping your organization's mission going without interruption.
Nonpaged
is memory remaining resident in physical memory and will not be copied out to the paging file.
Paged
is memory that can be copied to the paging file thereby freeing the physical memory. The physical memory can then be used by the operating system.
A good contingency plan
is only as good as the network administrator following the plan and safeguarding the network's data and assets.
Resilience
is the ability to quickly adapt and recover from any known or unknown changes to the environment. Resiliency is not a process, but rather an end-state for organizations.
The Global Command and Control System (GCCS)
is the nation's premier system for the command and control of joint and coalition forces. It also identifies the resources of our adversaries. It is what the military uses to see the battlefield (i.e. operational picture).
The Full Backup
is the starting point for all other backups. It contains all files and folders, regardless of whether the data is new or was unmodified. Each time you execute it, the entire data set is copied. After backing up the files, a Full Backup unchecks (turns "off") the file's archive bit (flag).
The goal of a resilient organization
is to continue mission essential functions at all times during any type of disruption.
The overall purpose of the various incident and vulnerability reporting processes
is to improve the overall security posture of the AF Enterprise Network (AFEN), AF information systems, and stand-alone computing devices.
WINDOWS EVENT VIEWER
lets you monitor system events. It maintains logs about computer program, security, and system events. It provides the capability to view and manage the event logs, gather information about hardware and software problems, and monitor security events.
Time Domain Reflectometer (TDR)
looks for breaks or other imperfections in a cable by sending out pulses of electricity or light at regular intervals and measuring the time for the signal to return, which indicates where a cable break is located.
Interim measures
may include the relocation of IT systems and operations to an alternate site, the recovery of IT functions using alternate equipment, or the performance of IT functions using manual methods.
Daily Backups
merely back up all selected files and folders changed during the course of a day (24-hour period). They do not look for, nor do they clear, the archive bit. They look at a file's date to see if it was created or changed during that day. If so, it is included in the backup.
The Users tab is unavailable
on computers that are members of a network domain.
Mirrored Sites
A site equipped and configured exactly like the primary site. This serves as a redundant environment. These sites are owned by the organization and are mirrors of the original production environment. This is one of the most expensive backup facility options.
Offsite storage
refers to a location away from the computer center where paper copies and backup media are kept. Commercial data storage facilities are specially designed to archive media and protect data from threatening elements.
The organization using the cold site is
responsible for providing and installing necessary equipment as well as telecommunications capabilities.
Non-malicious attacks typically
result from carelessness, lack of knowledge, or intentional circumvention of security for such reasons as "getting the job done".
The Event Properties dialog box
shows a text description of the selected event and any available binary data.
The choice of media is based on the three things:
size, cost, and speed.
There are two main components of GCCS providing unique capabilities to commanders:
the Common Operational Picture (COP) and Integrated Imagery and Intelligence (I3).
A checklist format is
useful for documenting the sequential recovery procedures and for troubleshooting problems if the system cannot be recovered properly.
The Users tab displays
users who can access this computer, and session status and names.
GCCS Integrated Imagery and Intelligence (I3)
uses horizontally integrated intelligence services to enhance operational situational awareness as well as command decision-making enabling deliberate and time-critical target planning. It also optimizes full interoperability across the tactical, theater, and national communities.
Alternatives should be considered
when developing the recovery strategy based on cost, allowable outage time, security and integration with larger, organization-level contingency plans.
On the Networking Tab
you can view:
-the quality and availability of the network connections
-a quick reference for determining the amount of network bandwidth being consumed
-an easy comparison of the traffic for each connection
-a chart displaying a composite index of all networks, representing all network traffic
INFORMATION PROTECTION TOOLS
• Boundary protection
• Viral detection
• Configuration inspection
• Network mapping
• Remote patching
• Vulnerability testing
The Resource Monitor provides a real time collection of resources used for the following:
• CPU
• Disk
• Network
• Memory
3a7 Graphically displays response times, availability, and performance of the network devices.
SolarWinds
2ab17 This type of UPS stays inactive until the power grid fails.
Standby UPS
TROUBLESHOOTING STEPS
Step 1: Define the Problem
Step 2: Gather Facts
Step 3: Consider All Possible Causes
Step 4: Create a Plan of Action
Step 5: Implement the Plan of Action
Step 6: Observe the Results of Each Action
Step 7: Repeat the Process
3a10 The AF's primary combined software/server tool for handling the task of mass-produced software patches.
System Center Configuration Manager (SCCM)
1a15 Records events logged by the system components.
System Log
Standardize Hardware, Software, and Peripherals
System recovery may be expedited if hardware, software, and peripherals are standardized throughout the organization or site. Standard configurations should be documented in the Contingency Plan.
Theater Battle Management Core System Force Level (TBMCS-FL)
TBMCS-FL is at the top of the TBMCS Logical Structure and includes "big picture" elements such as bases, areas of responsibility (AOR), and the total mission.
TBMCS-UL is split into two sub-systems:
TBMCS-Unit Level Intel and TBMCS-Unit Level Operations.
Logs archived in text or comma-delimited format have
TXT and CSV file name extensions, respectively.
6. Ensure Plan Testing, Training, and Exercises
Testing validates recovery capabilities, whereas training prepares recovery personnel for plan activation. Exercising the plan identifies planning gaps; combined, the activities improve plan effectiveness and overall organization preparedness.
2. Conduct the Business Impact Analysis (BIA)
The BIA helps identify and prioritize information systems and components critical to supporting the organization's mission/business processes.
4. Create Contingency Strategies
Thorough recovery strategies ensure the system can be recovered quickly and effectively following a disruption.
Combat Information Transport System (CITS)
To support IA, it includes:
• Internet Security Scanner
• Enterprise Security Manager
• Intruder Alert
• Sniffer Pro
• Bluecoat Web Proxy
NETWORK RESOURCE MEASUREMENT TOOLS
Tools utilized to analyze and measure the use of network resources can be either hardware or software based. Two such tools are the Protocol Analyzer and Network Monitor.
3a8 This command is a diagnostic tool for displaying the path and measuring transit delays of packets across an IP network.
Traceroute
Step 5: Implement the Plan of Action
Troubleshoot one variable at a time. This ensures a definite cause is isolated if the action fixes the problem. Gather expertise and assistance from other individuals, experts, and agencies when necessary.
1a7 Allows you to monitor system events
Windows Event Viewer
Recovery Strategies provide
a means to restore local IT operations quickly and effectively following a service disruption. These strategies should address disruption impacts and allowable outage times identified in the Contingency Plan.
Close-in attack consists of
individuals attaining close physical proximity to networks, systems, or facilities for the purpose of modifying, gathering, or denying access to information.
Recovery procedures should be written in
a straightforward, step-by-step style. To prevent difficulty or confusion in an emergency, no procedural steps should be assumed or omitted.
One factor to consider when deciding the appropriate size of the storage media is
all media must be stored at the same classification level (i.e. Unclassified, Secret, etc.) as the system it is backing up.
Archiving data
allows us to safeguard that data by implementing layers of physical security and by way of redundancy.
Software utilities
are functional in nature and are system software used to perform basic functions in direct support of a standalone computer or network. Utilities focus on how the system works. They are designed to help analyze, configure, optimize, or maintain one or more systems on the network.
Vulnerabilities
are generally defined as a weakness in an information system, cryptographic system, or components that could be exploited.
Hot Sites
are office spaces appropriately sized to support system requirements and fully configured. They are ready to operate within a few hours. The only missing resources from a hot site are the data (which will be retrieved from a backup site) and the people to process the data.
Warm Sites
are partially equipped office spaces containing some or all of the system hardware, software, telecommunications, and power sources. They are maintained in an operational status, ready to receive the relocated system.
UNSCHEDULED SERVICE INTERRUPTIONS (USI)
are those unscheduled network, equipment, or application outages or degradations caused by such things as environmental problems (e.g., fire, flood, loss of power, loss of air conditioning), equipment malfunctions, system crashes, etc.
Active attacks include
attempts to circumvent or break protection features, introduce malicious code, or steal or modify information. These attacks may be mounted against a network backbone, exploit information in transit, electronically penetrate an enclave, or attack an authorized remote user during an attempt to connect to an enclave.
Searches
can be useful when viewing large logs. For example, you can search for all Warning Events related to a specific application, or search for all Error Events from all sources.
TASK MANAGER
can be very useful for a first quick analysis of a problem, such as when users report that their connection response to the server is slow.
Multi-meter
combines the functions of an ammeter, a voltmeter, and an ohmmeter into a single instrument. It is commonly used to measure the voltage of batteries or electrical outlets. In a networking environment, its primary use is for cable continuity testing.
Event Logs consist of
a header, a description of the event (based on the event type), and optional data.
Blue Force Tracker (BFT)
consists of vehicle mounted transponders (land and air) giving commanders constant awareness of where their troops and valuable assets are on the battlefield.
A Differential Backup
copies only selected files and folders changed since the last Full Backup as indicated by the archive flag. The copied files and folders are then marked for subsequent backups regardless of whether or not that file was subsequently changed.
The Networking tab
displays a graphical representation of network performance. It provides a simple, qualitative indicator showing the status of the network(s) running on the computer. The tab is displayed only if a network card is present.
Logs saved in text or comma-delimited format
do not retain the binary data. When you archive a log file, the entire log is saved regardless of filtering options.
To implement Defense-in-Depth and
effectively resist attacks on information and information systems (IS), we must be able to characterize our adversaries, their potential motivations, as well as their attack capabilities.
Defense Collaboration Services (DCS)
enables synchronous communication among NIPRNet and SIPRNet users.
Availability
ensures timely and reliable access to and use of information.
Effective planning, execution, and testing are
essential to mitigate the risk of system and service unavailability.
Cyber Incident Response Plan
establishes procedures to address cyber-attacks against an organization's information system(s).
Fault management is perhaps the most widely implemented of the ISO network management elements because
faults can cause downtime or unacceptable network degradation.
5a8 Cmdlets not only produce objects as output; they also accept objects as input via the _____.
Pipeline
5a7 Windows _____ is a framework created by Microsoft containing a Command Line Shell and an associated scripting language.
PowerShell
4a7 The specific attribute or set of attributes having been selected as the unique identifier for the entity.
Primary key
1a9 Shows information concerning the processes running on the computer
Processes Tab
Task Manager Tabs
-Applications Tab
-Processes Tab
-Performance Tab
-Networking Tab
-Users Tab
Types of Alternate Sites
-Cold Sites
-Warm Sites
-Hot Sites
-Mirrored Sites
-Mobile Hot Site
-Multiple Processing Centers
Network management systems incorporating performance management functions may:
-Gather statistical information to establish a baseline of normal behavior
-Maintain and examine error logs of systems and state histories
-Determine system performance under natural and artificial conditions
-Alter system modes of operation to conduct performance management activities
-Sample critical performance parameters
-Produce trend analysis reports and graphs
-Sort and file network traffic data based on source and destination IP addresses
Network management systems incorporating accounting management functions may:
-Inform users of costs incurred or resources consumed.
-Enable accounting limits to be set and schedules to be associated with the use of resources.
-Enable costs to be combined where multiple resources are used to achieve a given communication objective.
-Collect customer traffic statistics.
-Display and print real-time analysis of interface related data and reports.
Information Assurance (IA) Systems Suite
-Network Defense Tools
-IA Systems Capability
-Combat Information Transport System (CITS)
FAULT MANAGEMENT TYPES
-Passive Fault Management
-Active Fault Management
To address server vulnerabilities, the following practices should be considered:
-Store Backup Media and Software Offsite
-Standardize Hardware, Software, and Peripherals
-Document System Configurations and Vendors
-Coordinate With Security Policies and System Security Controls
-AF Communication - Special Note
Event Log Types:
-System Log
-Application Log
-Security Log
The Performance tab displays
-information about your computer's performance, such as CPU and various kinds of memory usage.
-a dynamic overview of your computer's performance.
Security management subsystems can
-partition network resources into authorized and unauthorized areas
-identify sensitive network resources
-determine mappings between sensitive network resources and users
-monitor access points to sensitive network resources
-log inappropriate access to sensitive network resources
Active attacks countermeasure
1-Defend the enclave boundaries
2-Defend the computing environment
Passive attacks countermeasure
1-Encryption and traffic flow security
2-Security enabled applications
Insider attacks countermeasure
1-Physical and personnel security
2-Authenticated access, controls and audits
Close-In attacks countermeasure
1-Physical and personnel security
2-Technical surveillance countermeasures
Distribution attacks countermeasure
1-Trusted software development and distribution
2-Run time integrity controls
These seven progressive steps are designed to be integrated into each stage of the system development life cycle.
1. Develop The Contingency Planning Policy Statement
2. Conduct the Business Impact Analysis (BIA)
3. Identify Preventive Controls
4. Create Contingency Strategies
5. Develop an Information System Contingency Plan
6. Ensure Plan Testing, Training, and Exercises
7. Ensure Plan Maintenance
AF Communication - Special Note
A key criterion in any contingency or crisis, whether small or large, is communications. You must communicate with the upper echelon of network controllers as well as managers for notification purposes, instructional guidance, and technical assistance. As an administrator, the task of coordinating a fix to a network outage/disruption falls upon you.
Error
A significant problem, such as loss of data or loss of functionality
Step 4: Create a Plan of Action
A well thought out plan based on a clear definition of the problem and a thorough consideration of the causes usually guarantees a successful end.
--Consider designing your plan in a step-by-step format.
--Consider ways to prove that one element or another is the cause of the problem.
--A plan must be designed so that, when completed, it has proven or disproven some fact about the problem.
--That fact is either the definite element causing the problem or a new clue bringing the troubleshooter closer to the true cause.
2ab5 Events identified by an ASIM sensor are analyzed by crew members at the NOSC/AFNOSC.
ASIM-Identified Incidents
1a13 Goal is to measure select network utilization parameters.
Accounting Management
1a12 This attack includes attempts to circumvent or break protection features, introduce malicious code, or steal/modify information.
Active Attack
Step 3: Consider All Possible Causes
Considering the possible causes requires general knowledge about the operating system, hardware, and software. Moreover, it allows you to concentrate on the things particularly relevant to the problem. --Consider ALL possible causes and test them against the gathered facts. --Rank-order the possible causes according to likelihood. --Be prepared to eliminate each cause in light of the facts gathered in the following steps. --Sort software or hardware configuration problems to better pinpoint where to look.
2ab4 _____ refers to interim measures to recover IT services following an emergency or system disruption.
Contingency Planning
CONTINGENCY PLANS
Continuity Planning Contingency Planning Cyber Incident Response Planning
2ab10 Focuses on restoring an organization's mission essential functions at an alternate site.
Continuity of Operations Plan (COOP)
2ab16 The choice of media is based on three things: size, ________, and speed.
Cost
2ab3 Priority systems included in any Contingency Plan are Email, Domain Controllers, Web Servers and _______.
DHCP server
2ab6 Backup merely backs up all selected files and folders changed during the course of the day.
Daily Data Backup
4a10 Defined as a collection of related data that represents some aspect of the real world.
Database
4a12 Primary individuals responsible for the technical implementation and maintenance of the database.
Database Administrator (DBA)
4a11 Set of programs and utilities executed on a computer to create, process, and administer a database.
Database management system (DBMS)
4a14 Contains records with no structured relationship. It stores data in plaintext with only basic formatting. Tables in Word/Excel.
Flat File
4a2 Those attributes within an entity that exist as the Primary Key from another entity.
Foreign Key
5a9 A PowerShell ____ is a named block of code.
Function
OFFSITE STORAGE CRITERIA
Geographic Area Accessibility Security Environment Cost
Step 7: Repeat the Process
If the plan did not fix the problem then repeat the problem-solving process. --Start with a new action plan based on the next most likely cause from the list of possibilities. --If all possibilities from the list are exhausted, more facts must be gathered so that another list of possible causes can be developed. --Continue the process until a solution is found. --Do not get discouraged. At the very least, troubleshooters should be able to learn something from each failure they encounter in trying to solve the problem. --Remember we learn best by our mistakes.
Programs Seldom Change
If they are lost, deleted, or corrupted, just reload the software and any updates to the program.
2ab15 Include network/system events such as intrusions, scans, probes, and malicious logic events.
Incident
In today's highly networked environment, ________ _______ utilize the practical strategy of Defense in Depth.
Information Assurance (IA)
4a9 Simply a row of data in the entity.
Instance
4a3 Data in the database interacts and corresponds with other data.
Integrated
4a4 Data ______ allows for the creation of database objects, the creation and manipulation of data within those objects, and it is required to allow database interaction.
Interface
The Installation Warning Systems (IWS)
It is a command-wide, network-centric, emergency alert and management solution offering reliable, early, pervasive warning and accountability during critical situations and emergencies. Examples of IWS messages include: • Force protection condition changes • Extreme weather information • General safety concerns
Information System Contingency Plan (ISCP)
It provides key information needed for system recovery including: • Roles and responsibilities • Inventory information • Assessment procedures • Detailed recovery procedures • System testing
1a2 Memory used by the operating system and device drivers
Kernel Memory (K)
Step 6: Observe the Results of Each Action
One of the greatest downfalls of people troubleshooting a problem is their failure to observe and document the results of their individual efforts accurately and thoroughly. --Turn on system logging features to record results or log the results manually. --Use the information gathered to fine-tune the action plan until the proper solution is established. --Determine whether the problem has been resolved and identify which action fixed it. --Determine WHY that action was the fix. --Accurately and thoroughly document actions taken and the fix-action for future reference.
Two types of UPSs are available: online or standby.
Online UPS systems use AC line voltage to charge a bank of batteries. When in use, the UPS has an inverter changing the DC output from the batteries into the required AC form. It regulates that voltage as it powers computer devices. Standby UPS devices stay inactive until the power grid fails. The system has sensors to detect a power failure and the load is switched to the battery pack. The switch to the battery pack causes a small delay in providing electricity and it may be enough to knock sensitive equipment off-line (i.e. requiring a restart).
1a8 The process of collecting alarms is known as which type of fault management?
Passive Fault Management
4a16 Data in the database that remains unchanged until acted upon.
Persistent
Data Characteristics
Persistent Integrated Shared
1a10 Can transmit, capture, decode packets, and provide statistics based upon real-time network traffic
Protocol Analyzer
SYSTEM RESTORE
Recovering Databases for Failed Systems Recovering From Programmer or User Error Ensuring Data Integrity Restore
4a8 _____ database consists of numerous tables containing rows and columns of data.
Relational
3a9 Allows users to remotely control an organization's computer to access network resources.
Remote Desktop Control
REMOTE ACCESS METHODS
Remote Desktop Control Remote Node
5. Develop an Information System Contingency Plan
The Contingency Plan should contain detailed guidance and procedures for restoring a damaged system unique to the system's security impact level and recovery requirements.
IA Systems Capability
The IA systems must provide the following capabilities against unauthorized intrusions, abuse, denial of service, or misuse of network resources: • Monitor • Deter • Detect • Isolate • Contain • Control • Report • Recover
Network Defense Tools
The IA systems provide an evolving suite of network defense tools delivering: • Boundary Protection • Intrusion/Misuse Detection • Internal Control • Access Preservation • Authentication • Encryption • Backup • Recovery
7. Ensure Plan Maintenance
The plan should be a living document that is updated regularly to remain current with system enhancements and organizational changes.
PRIORITY SYSTEMS
The priority systems included in any Contingency Plan are: • E-mail servers • DHCP servers • Domain Controllers • File servers containing mission critical information • Web servers • Specialized systems necessary in a war zone environment
3a1 Primary system for planning, managing, and executing the air battle.
Theater Battle Management Core System (TBMCS)
Multiple Processing Centers
They are able to move all data processing from one facility to another in a matter of seconds when an interruption is detected. This technology can be implemented within the organization or from one facility to a third-party facility.
Mobile Hot Site
This type of site is a large truck or a trailer turned into a data processing or systems facility, allowing for immediate processing. The trailer can be brought to the company's parking lot or another location.
Cyber Incident Response Planning
Type of plan normally focuses on detection, response, and recovery to a computer security incident or event.
Electrical power protection can be done in three ways:
UPSs, power line conditioners, and backup sources.
2ab9 Should be appropriately sized to provide short-term backup power to all system components.
Uninterruptible Power Supply (UPS)
4a1 When a database requires every entry placed in it to have a unique value for the particular table.
Unique
5a6 Are used to store pieces of information so they can be used later.
Variable
2ab8 Generally defined as a weakness in an information system, cryptographic system, or components that can be exploited.
Vulnerabilities
Occupant Emergency Plan (OEP)
outlines first-response procedures for occupants of a facility in the event of a threat or incident to the health and safety of personnel, the environment, or property. Such events include fire, bomb threat, chemical release, domestic violence in the workplace, or a medical emergency. It's developed at the facility level, specific to the geographic location and structural design of the building.
Protocol Analyzer
performs a number of functions during analysis of network traffic. It can transmit, capture, decode packets, and provide statistics based upon real-time network traffic. This is probably the most popular analytical tool for network technicians because it covers the whole gamut of testing needs.
Confidentiality
preserves authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
An Incremental Backup
processes only new files or files changed since the last Full or Incremental Backup. It saves only those files whose archive bit is checked. After backing up these marked files, it unchecks the archive bit for every file saved.
Federal Information Processing Standard (FIPS) 199
provides guidelines on determining information and information system impact to organizational operations and assets, individuals, other organizations and the nation through a formula that examines three security objectives: confidentiality, integrity, and availability.
Application Log
records events logged by programs. For example, a database program might record a file error in the Application log.
System Log
records events logged by the system components. For example, the failure of a driver or other system component to load during startup is recorded in the System log.
Security Log
records security events such as valid and invalid logon attempts as well as events related to resource use (such as creating, opening, or deleting files or other objects). It helps track changes to the security system and identifies any possible breaches to security.
Configuration management subsystems may provide
the ability to initialize, reconfigure, operate, and shut down managed devices. --Discover, determine, map and record network components, applications and configurations (hardware and software). --Collect information concerning the current configuration of a system. --Receive notifications of significant changes in the configuration of a system. --Change the system's hardware and software configuration.
Effective contingency planning begins with
the development of an organization contingency planning policy and developing a business impact analysis (BIA) to each information system.
The primary detection tool is
the fleet of Automated Security Incident Measurement (ASIM) sensors deployed across the AFEN.
Distribution attacks focus on
the malicious modification of hardware or software at the factory or during distribution. These attacks can introduce malicious code into a product, such as a back door, to gain unauthorized access to information or a system function later.
The Applications tab shows
the status of the programs running on your computer. On this tab, you can end, switch to, or start a program.
Active Fault Management
the system actively sends a ping request to determine if a device is responding. If the ping request is not answered, then the active monitoring service sets off an alarm.
Passive Fault Management
the system only knows there is a fault if the device being monitored is intelligent enough to generate an error and report it to the fault management tool.
Vulnerabilities can be minimized or eliminated
through technical, management, or operational solutions as part of the organization's risk management effort.
The goal of security management is
to control access to network resources so the network cannot be sabotaged and sensitive information cannot be accessed by those without appropriate authorization. It is provided by the Information Assurance (IA) systems suite of tools.
An effective countermeasure is
to deploy multiple defense mechanisms between the adversary and his target. Each mechanism must be tested to ensure it is effective at presenting a unique obstacle to the adversary.
The goal of fault management is
to detect, log, notify users of, and (to the extent possible) automatically fix network problems to keep the network running effectively.
The goal of all data backup jobs is
to ensure lost data, no matter how it got lost, can be recovered quickly, efficiently and as completely as possible.
The main goal of the TBMCS Program Management Directive was
to identify the command and control systems already in place, then migrate them towards commonality and interoperability.
The goal of accounting management is
to measure select network utilization parameters so individual or group usage on the network can be regulated appropriately. Such regulation minimizes network problems and maximizes the fairness of network access across all users.
The first step toward appropriate accounting management is
to measure the usage of all of the important network resources. Analysis of the results provides insight into current usage patterns, and quotas can be set at this point. Of course, some correction may be required to reach optimal access practices.
The goal of performance management is
to measure various aspects of network performance so internetwork performance can be maintained at an acceptable level.
The goal of configuration management is
to monitor network and system configuration information so the affected hardware and software can be managed and tracked.
Passive attacks include
traffic analysis, monitoring of unprotected communications, decrypting weakly encrypted traffic, and capture of authentication information (e.g., passwords).
Cold Site
typically consists of a facility with adequate space and infrastructure (electric power, telecommunications connections, and environmental controls) to support the IT system.
COMPUTER SECURITY INCIDENT CATEGORIES
• Compromise of Integrity A macro-virus infects an application or a serious system vulnerability is discovered. • Denial of Service An attacker disables a system or a worm saturates network bandwidth. • Misuse An intruder (or insider) makes unauthorized use of an account. • Damage Data destruction by a virus. • Intrusions An intruder penetrates system security. • Alterations Data is changed to affect system performance.
Event Viewer shows information about a single event including:
• Date • Time • Source • Event Type • Category • Event Id • User Account • Computer Name
In general, three types of alternate sites are available:
• Dedicated site owned or operated by the organization • Reciprocal agreement or memorandum of agreement with an internal or external entity • Commercially leased facility
Performance management involves three main steps:
• First - performance data is gathered over time on variables of interest to network administrators. • Second - the data is analyzed to determine normal (baseline) levels. • Finally - appropriate performance thresholds are determined for each important variable so exceeding these thresholds indicates a network problem worthy of attention.
Warm and Cold Site Advantages
• Less expensive • Available for longer timeframes because of the reduced costs • Practical for proprietary hardware or software use
CiscoWorks Primary functions include:
• Monitoring and troubleshooting • Configuration management • Compliance and auditing • Comprehensive reporting
Warm and Cold Site Disadvantages
• Not immediately available • Operational testing not usually available • Resources for operations not immediately available
Procedures should be assigned to the appropriate recovery team and typically address the following actions:
• Obtaining authorization to access damaged facilities and/or geographic area • Notifying internal and external business partners associated with the system • Obtaining necessary office supplies and work space • Obtaining and installing necessary hardware components • Obtaining and loading backup media • Restoring critical operating system and application software • Restoring system data • Testing system functionality including security controls • Connecting system to network or other external systems • Operating alternate equipment successfully
To better identify what kind of attack has occurred, the National Security Agency (NSA) Information Assurance Technical Framework (IATF) has distinguished five classes of attacks:
• Passive • Active • Close-In • Inside • Distribution
Standard AV Features:
• Protect assets from SPAM and MALWARE (e.g. viruses, Trojan horses, worms, bots, and rootkits) by filtering e-mail. • Identify unsafe websites during searches. • Protects against identity theft by securing, storing, and managing login credentials and personal information. • Prevents hackers from eavesdropping and stealing information while you type (i.e. keylogging). • Automatically finds and fixes PC problems while preventing excessive bandwidth usage.
Network management systems incorporating fault management functions may:
• Provide automated trouble ticketing • Maintain error logs or databases • Accept and act upon error detection notification • Trace and identify faults • Perform diagnostic testing • Correct faults • Poll managed devices for status • Provide automated recovery and backup of managed devices
Hot Site Advantages
• Ready within hours for operation • Highly available • Usually used for short-term solutions, but available for longer stays • Annual testing available
DoD regulations require written Contingency Plans, which generally include one or more approaches to restore disrupted IT services:
• Restoring IT operations at an alternate location • Recovering IT operations using alternate equipment • Performing some or all of the affected business processes using non-IT (i.e. manual) means (typically acceptable for only short-term disruptions) • Storing data backup devices and media at an offsite storage facility
When using an offsite storage facility for backup storage there are two things required:
• There must be a Memorandum of Agreement (MOA) between your organization and the storage facility's organization. This MOA should, at a minimum, include facility access times, the amount of allotted space, and how long that space will be used. • The storage facility must be at the same or higher classification level as the data to be stored.
INCIDENT CATEGORIES
• Unauthorized probing • Browsing • Disruption or denial of service • Altered or destroyed input, processing, storage, or output of information • Changes to system hardware, firmware, or software characteristics with or without the user's knowledge, instruction or intent (e.g., malicious logic)
In order for Contingency Planning to be successful, network administrators must ensure the following:
• Understand the IT Contingency Planning Process and its place within the overall Continuity of Operations plan for the organization. • Develop or re-examine their contingency policy and planning process as well as apply elements of the planning cycle. These elements include preliminary planning, operations impact analysis, alternate site selection, and recovery strategies. • Develop or re-examine IT contingency planning policies and plans with emphasis on maintenance, training, and exercising the Contingency Plan.
Hot Site Disadvantages
• Very expensive • Limited on hardware and software choices