Cyber-Sec Chapter 15 Quiz Review (Full Version)

5. Differentiate between a security event and a security incident.

A security event is any occurrence during which private company data or records may have been exposed. If a security event was proven to have resulted in a data or privacy breach, that event is deemed a security incident. For example, a delay in patching a security weakness in vital company software would be an event. It would only be deemed an incident after the security monitoring team confirms a resulting data breach by hackers who capitalized on the weakness. Stallings, William. Effective Cybersecurity . Pearson Education. Kindle Edition.

4. What are some of the common patch management techniques used in organizations?

4. Three types of patch management techniques are commonly used: *Agent-based scanning*—Requires an agent to be running on each host to be patched, with one or more servers managing the patching process and coordinating with the agents. Each agent is responsible for determining what vulnerable software is installed on the host, communicating with the patch management servers, determining what new patches are available for the host, installing those patches, and executing any state changes needed to make the patches take effect. *Agent-less scanning*—Uses one or more servers that perform network scanning of each host to be patched and determine what patches each host needs. Generally, agentless scanning requires that servers have administrative privileges on each host so that they can return more accurate scanning results and so they have the ability to install patches and implement state changes on the hosts. *Passive network monitoring*—Monitors local network traffic to identify applications (and, in some cases, operating systems) that are in need of patching. Unlike the other techniques, this technique identifies vulnerabilities on hosts that don't permit direct administrator access to the operating system, such as some Internet of Things (IoT) devices and other appliances. Stallings, William. Effective Cybersecurity . Pearson Education. Kindle Edition.

6. For security event logging, what events should be captured in operating system logs, network device logs, and web server logs?

6. You should log the following events: *Operating system logs*—This includes successful user logon/logoff; failed user logon; user account change or deletion; service failure; password changes; service started or stopped; and object access denied. *Network device logs*—These logs comprise traffic allowed through firewall, traffic blocked by firewalls, bytes transferred, protocol usage, detected attack activity, user account changes, and administrator access. *Web servers*—This is about excessive access attempts to nonexistent files, code (SQL, HTML) seen as part of the URL, attempted access to extensions not implement on the server, web service stopped/started/failed messages, failed user authentication; invalid request, and internal server errors. Stallings, William. Effective Cybersecurity . Pearson Education. Kindle Edition.

8. How can you categorize threat sources?

8. You can categorize threat sources in following manner: *Adversarial*—This type of threat comes from individuals, groups, organizations, or states that seek to exploit the organization's dependence on cyber resources. *Accidental*—This type of threat is spawned by erroneous actions taken by individuals in the course of executing their everyday responsibilities. *Structural*—This type of threat originates from failures of equipment, environmental controls, or software due to aging, resource depletion, or other circumstances that exceed expected operating parameters. *Environmental*—This type of threat arises from natural disasters and failures of critical infrastructures on which the organization depends but that are outside the control of the organization. Stallings, William. Effective Cybersecurity . Pearson Education. Kindle Edition.

1. Explain the term technical vulnerability. What are five key steps involved in vulnerability management?

A technical vulnerability is a hardware, software, or firmware weakness or design deficiency that leaves an information system open to assault, harm, or unauthorized exploitation, either externally or internally, thereby resulting in unacceptable risk of information compromise, information alteration, or service denial. Five key steps are involved in vulnerability management: *Plan vulnerability management*—This first step in managing technical vulnerabilities involves many things, such as integration with asset inventory, establishment of clear authority to review vulnerabilities, proper risk and process integration, and integration of vulnerabilities with the application/system life cycle. Discover known vulnerabilities—This involves monitoring sources of information about known vulnerabilities to hardware, software, and network equipment. *Scan for vulnerabilities*—Apart from regular monitoring, enterprises should regularly scan software, systems, and networks for vulnerabilities and proactively address those that are found. *Log and report*—After the vulnerability scan, the results should be logged to verify the activity of the regular vulnerability scanning tools. *Remediate vulnerabilities*—The enterprise should deploy automated patch management tools and software update tools for operating system and software/applications on all systems for which such tools are available and safe. As a good practice, patches should be applied to all systems. Stallings, William. Effective Cybersecurity . Pearson Education. Kindle Edition.

10. What are the steps to prevent delivery of malicious payload in a cyber attack kill chain?

A variety of technical tools can be used to prevent delivery, such as the following: *Antivirus* software (AVS)—AVS is a program that monitors a computer or network to identify all major types of malware and prevent or contain malware incidents. Continuously running AVS can identify, trap, and destroy incoming known viruses. If a virus is detected, the AVS can be configured to trigger a scan of the rest of the IT infrastructure for indicators of compromise associated with this outbreak. *Firewall*—A firewall can block delivery attempts from known or suspected hostile sources. *Web application firewall (WAF)*—A WAF is a firewall that monitors, filters, or blocks data packets as they travel to and from a web application. Intrusion prevention system *(IPS)*—An IPS is a system that can detect an intrusive activity and can also attempt to stop the activity, ideally before it reaches its targets. This is similar to an intrusion detection system but is proactive in attempting to block the intrusion Stallings, William. Effective Cybersecurity . Pearson Education. Kindle Edition. Stallings, William. Effective Cybersecurity . Pearson Education. Kindle Edition.

9. Briefly describe an APT attack and list the steps in a typical APT attack.

An advanced persistent threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there, undetected, for a long period of time. The intention of an APT attack is to steal data rather than to cause damage to the network or organization. APT attacks target organizations in sectors with high-value information, such as national defense, manufacturing, and the financial industry. *A typical APT attack has the following pattern*: *Conduct* background research to find potential targets *Execute* the initial attack on the chosen target(s) *Establish* a foothold in the target environment Enable persistent command and control over compromised computers in the target environment *Conduct enterprise reconnaissance* to find the servers or storage facilities holding the targeted information Move laterally to new systems to explore their contents and understand to what new parts of the enterprise can be accessed from the new systems *Escalate privileges* from local user to local administrator to higher levels of privilege in the environment Gather and encrypt data of interest *Exfiltrate data* from victim systems Maintain persistent presence Stallings, William. Effective Cybersecurity . Pearson Education. Kindle Edition.

3. Describe two difficulties, or challenges, that result from the use of vulnerability scans

An enterprise needs to address two challenges involved in scanning: *Disruptions caused by scanning*—The scanning process can impact performance. IT operations staff need to be in the loop. They should be made aware of the importance and relevance of scans. Also, timing needs to be resolved to ensure that scanning does not conflict with regular maintenance schedules. *Huge amounts of data and numerous false positives*—Technical vulnerability management practices can produce very large data sets. It is important to realize that even though a tool indicates that a vulnerability is present, frequently follow-up evaluations are needed validate these findings. Stallings, William. Effective Cybersecurity . Pearson Education. Kindle Edition.

2. What are key sources for discovering vulnerabilities?

Key sources that are used to discover vulnerabilities are as follows: *National Vulnerability Database (NVDB)* is a comprehensive list of known technical vulnerabilities in systems, hardware, and software. *Computer emergency response team (CERT) or computer emergency readiness team*—Such a team is a cooperative venture that collects information about system vulnerabilities and disseminates it to systems managers. Hackers also routinely read CERT reports. Thus, it is important for system administrators to quickly verify and apply software patches to discovered vulnerabilities. One of the most useful of these teams is the U.S. Computer Emergency Readiness Team, which is a partnership between the Department of Homeland Security and the public and private sectors, intended to coordinate responses to security threats from the Internet. Another excellent resource is the CERT Coordination Center, which grew from the computer emergency response team formed by the Defense Advanced Research Projects Agency. Packet Storm—Packet Storm provides around-the-clock information and tools to help mitigate both personal data and fiscal loss on a global scale. *SecurityFocus*—This site maintains two important resources: BugTraq and the SecurityFocus Vulnerability Database. BugTraq is a high-volume, full-disclosure mailing list for detailed discussion and announcement of computer security vulnerabilities. The SecurityFocus Vulnerability Database provides security professionals with up-to-date information on vulnerabilities for all platforms and services. *Internet Storm Center (ISC)*—The ISC (maintained by the SANS Institute) provides a free analysis and warning service to thousands of Internet users and organizations and is actively working with Internet service providers to fight back against the most malicious attackers. Stallings, William. Effective Cybersecurity . Pearson Education. Kindle Edition.

13. What are some key capabilities of a typical SIEM?

Summary: Data aggregation, Data normalization, Correlation, Alerting, Reporting, Forensics, Dashboard Key capabilities of a typical SIEM are as follows: Data aggregation—The aggregator serves as a consolidating resource before data is sent to be correlated or retained. Data normalization—This is the process of resolving different representations of the same types of data into a similar format in a common database. Correlation—Event correlation is the function of linking multiple security events or alerts, typically within a given time window and across multiple systems, to identify anomalous activity that would not be evident from any singular event. Alerting—After data that trigger certain responses, such as alerts or potential security problems, are gathered or identified, SIEM tools can activate certain protocols to alert users, such as notifications sent to the dashboard, an automated email, or a text message. Reporting/compliance—Protocols in a SIEM can be established to automatically collect data necessary for compliance with company, organizational, and government policies. Both custom reporting and report templates (generally for common regulations such as Payment Card Industry Data Security Standards [PCI DSS] and the U.S. Sarbanes-Oxley Act) are typically part of a SIEM solution. Forensics—This is the ability to search log and alert data for indicators of malicious or otherwise anomalous activities is the forensic function of the SIEM. Forensics, which is supported by the event correlation and normalization processes, requires highly customizable and detailed query capabilities and drill-down access to raw log files and archival data. Retention—This refers to storing data for long periods so that decisions can be made based on more complete data sets. Dashboards—This refers to the primary interface to analyze and visualize data in an attempt to recognize patterns or target activity or data that does not fit into a normal pattern Stallings, William. Effective Cybersecurity . Pearson Education. Kindle Edition.

14. According to ISO 27035, how are security incidents classified?

Summary: Emergency, Critical, Warning, Information 14. ISO 27035 classifies security incidents in the following way: Emergency—Severe impact. These are incidents that: Act on especially important information systems and Result in especially serious business loss or Lead to especially important social impact Critical—Medium impact. These are incidents that: Act on especially important information systems or important information systems and Result in serious business loss or Lead to important social impact Warning—Low impact. These are incidents that: Act on especially important information systems or ordinary information systems and Result in considerable business loss or Lead to considerable social impact Information—No impact. These are incidents that: Act on ordinary information systems and Result in minor business loss or no business loss or Lead to minor social impact or no social impact Stallings, William. Effective Cybersecurity . Pearson Education. Kindle Edition.

15. Explain typical phases in the digital forensics process. Stallings, William. Effective Cybersecurity . Pearson Education. Kindle Edition.

Summary: Preparation, Identification, Collection, Preservation, Analysis, Reporting Typical phases in a digital forensics process are as follows: *Preparation*—This refers to the planning and policy-making activities related to forensic investigation. SP 800-86 recommends the following considerations: Organizations should ensure that their policies contain clear statements addressing all major forensic considerations, such as contacting law enforcement, performing monitoring, and conducting regular reviews of forensic policies and procedures. Organizations should create and maintain procedures and guidelines for performing forensic tasks, based on the organization's policies and all applicable laws and regulations. Organizations should ensure that their policies and procedures support the reasonable and appropriate use of forensic tools. Organizations should ensure that their IT professionals are prepared to participate in forensic activities. Identification—This phase is initiated when there is a request for a forensic analysis. This phase involves understanding the purpose of the request and the scope of the investigation, such as type of case, subjects involved, and system involved. The identification phase determines determines where the data of interest are stored and what data can be recovered and retrieved. Collection—When the location or locations of data are identified, the forensic process ensures that the data are collected in a manner that preserves the integrity of the evidence. Preservation—Several actions comprise the preservation of data process, including the following: Creating a log that documents when, from where, how, and by whom data were collected Storing the data in a secure fashion to prevent tampering or contamination Logging each access to the data made for forensic analysis Analysis—Examples of analysis tasks include: Checking for changes to the system such as new programs, files, services, and users Looking at running processes and open ports for anomalous behavior Checking for Trojan horse programs and toolkits Checking for other malware Looking for illegal content Looking for indicators of compromise Determining the who, when, where, what, and how details of a security incident Reporting—This phase involves publishing a report resulting from a forensic investigation. SP 800-86 lists the following factors that affect reporting for any type of investigation. Alternative explanations: The available information may not provide a definitive explanation of the cause and nature of an incident. The analyst should present the best possible conclusions and highlight alternative explanations. Audience consideration: An incident requiring law enforcement involvement requires highly detailed reports of all information gathered and can also require copies of all evidentiary data obtained. A system administrator might want to see network traffic and related statistics in great detail. Senior management might simply want a high-level overview of what happened, such as a simplified visual representation of how the attack occurred and what should be done to prevent similar incidents. Actionable information: Reporting also includes identifying actionable information gained from data that allows an analyst to collect new sources of information.information. For example, a list of contacts may be developed from the data that can lead to additional information about an incident or a crime. Also, information that is obtained might help prevent future events, such as learning about a backdoor on a system that is to be used for future attacks, a crime that is being planned, a worm scheduled to start spreading at a certain time, or a vulnerability that could be exploited. Stallings, William. Effective Cybersecurity . Pearson Education. Kindle Edition.

12. According to ISO 27035-1, what are the objectives for security incident management?

Summary: detection, assessment, response, lessons learned 12. ISO 27035-1 lists the following objectives for security incident management: Information security events are detected and dealt with efficiently. This involves deciding when they should be classified as information security incidents. Identified information security incidents are assessed and responded to in the most appropriate and efficient manner. The adverse effects of information security incidents on the organization and its operations are minimized by appropriate controls as part of incident response. A link with relevant elements from crisis management and business continuity management through an escalation process is established. Information security vulnerabilities are assessed and dealt with appropriately to prevent or reduce incidents. Lessons are learned quickly from information security incidents, vulnerabilities, and their management. This feedback mechanism is intended to increase the chances of preventing future information security incidents from occurring, improve the implementation and use of information security controls, and improve the overall information security incident management plan. Stallings, William. Effective Cybersecurity . Pearson Education. Kindle Edition.

11. For protecting against cyberattack exploits, list and briefly describe three countermeasures

You can counteract exploits by adopting following methods: *Host-based intrusion detection system (HIDS)*—When the exploit is inside the enterprise network and attacking hosts, a HIDS can detect and alert on such an attempt. *Regular patching*—Patching discovered vulnerabilities can contain the damage. *Data restoration from backups*—After an exploit is discovered and removed, it may be necessary to restore a valid copy of data from a backup. Stallings, William. Effective Cybersecurity . Pearson Education. Kindle Edition.

7. What kind of analysis can you do on cleaned SEM data?

You can do the following analysis on cleaned SEM data: *Pattern matching*—You can look for data patterns within the fields of stored event records. A collection of events with a given pattern may signal a security incident. *Scan detection*—Attacks often begins with scans of IT resources by the attacker, such as port scans, vulnerability scans, or other types of pings. If a substantial number of scans are found from a single source or a small number of sources, this may signal a security incident. *Threshold detection*—You can detect threshold crossing. For example, if the number of occurrences of a type of event exceeds a given threshold in a certain time period, that can constitute an incident. *Event correlation*—Correlation consists of using multiple events from a number of sources to infer that an attack or suspicious activity has occurred. For example, if a particular type of attack proceeds in multiple stages, the separate events that record those multiple activities need to be correlated in order to see the attack. Another aspect of correlation is to correlate particular events with known system vulnerabilities, which results in a high-priority incident. Stallings, William. Effective Cybersecurity . Pearson Education. Kindle Edition.