Surety Obstacle 3


Incident Categories

Unauthorized probing; browsing; disruption or DOS; altered or destroyed input, processing, storage, or output of information; changes to system hardware, firmware, or software characteristics with or without the user's knowledge, instruction, or intent (e.g., malicious logic).

In addition to previous reporting actions,

the AFNOSC, NOSCs, and NCCs are authorized to terminate network services and isolate an offending network or system until an incident is resolved. Purpose = improve the overall security posture of the AF Information Network (AFIN) and stand-alone computing devices through quick positive control and reporting of network as well as IS incidents.

Web Services

a) A service offered by one electronic device to another electronic device, communicating data via the Web. b) A server running on a computer device, listening for requests on a particular port over a network, communicating various types of web documents, and creating web application services, which serve to solve specific domain problems on the Web.

Infrastructure as a Service (IaaS)

Targeted primarily at Information Technology managers. Vendor provides clients pay-as-you-go access to storage, networking, servers, and other computing resources in the cloud. Organizations use their own platforms and applications within a service provider's infrastructure.

Application Log

The Application log records events logged by programs; e.g., a database program might record a file error in the Application log.

Event Viewer

The Event Viewer enables administrators to monitor events that occur on a system. The Event Log service starts automatically when a computer is started. All users can view Application and System logs.

Security Log

The Security log records security events, such as valid and invalid logon attempts, and events related to resource use, such as creating, opening, or deleting files/objects. Only administrators can view the Security log for a system. By default, security logging is turned off, but administrators can use Group Policy to enable this type of logging.

System Log

The System log records events logged by system components; e.g., the failure of a driver or other system component to load during startup is recorded in the System log.

JavaScript

Client scripting language that is used for creating web pages. Standalone language originally developed by Netscape (and not associated with Java).

Malicious Logic Incidents

End users accessing the AFIN are required to report unusual network, IS, and stand-alone computing device events suspected to stem from some form of malicious logic. Prepare malicious logic reports (MLR) for each malicious logic incident. Unless otherwise directed by the AFNOSC, do not up-channel report any malicious logic event detected and eradicated by approved anti-virus software.

Event Descriptions

Error - A significant problem, such as loss of data or loss of functionality. Warning - An event that might not be significant, but might indicate a future problem. Information - An event that describes the successful operation of an application, driver, or service. Success Audit - An audited security access attempt that succeeds. Failure Audit - A security access attempt that fails.

VMs have the following components in common:

Host Server, Hypervisor, Guest OS

The NOS will execute two types of Production Deployments:

Mandatory and Available

Classes of Attacks:

National Security Agency (NSA) Information Assurance Technical Framework (IATF) has distinguished five classes of attacks: Passive, Active, Close-In, Inside, Distribution

UNIX

OS developed to operate on a wide range of computer systems...one of the first to be written in a high-level programming language "C". Portability, flexibility and power make it a leading OS for workstations.

Java

One of the most popular programming languages. Used to develop website content, games, applications, and software.

Server Virtualization Main Types:

Operating-system-level Virtualization, Hardware Emulation, Para-virtualization

Password Construction:

The amount of characters a password should have, the use of capitalization/numbers/special characters, not basing the password on a dictionary word, personal information, and not making the password a slight modification of an existing password.

Flat Files

Database consisting of only one large table. Contains records with no structured relationships. Store data in plain text with only basic formatting (comma separated fields). Tables found in Microsoft Word and Excel are examples of flat files.

Vulnerability Management program should contain the following stages:

A process to determine the criticality of all assets, the owners of these assets, and how often scanning is taking place on these assets. The discovery and inventorying of all assets on your network. The discovery of any vulnerabilities on the assets discovered. Reporting and remediation of discovered vulnerabilities.

Service

A software functionality or a set of software functionalities with a purpose that different clients can reuse for different purposes, together with the policies that should control its usage.

Adversaries:

Adversaries are any person, group, or force that opposes or attacks.

Viewing Events

After selecting a log in the Event Viewer, an administrator can search, filter, sort, and view details about events.

Motivations:

An adversary's motivation may include intelligence gathering, theft of intellectual property, denial of service, embarrassment, or just anticipated pride in having exploited a notable target.

Vulnerabilities are generally defined as a weakness in an information system, cryptographic system, or components that could be exploited.

Anyone detecting a new vulnerability must report it through the chain of command. Timely, accurate vulnerability reports are crucial to the success of mitigating the threats posed by identified vulnerabilities. A TCNO may be generated as a direct result of vulnerability reports

API

Application programs make use of the OS by making requests for services.

Close-In:

Attaining close physical proximity to networks, systems, or facilities for the purpose of modifying, gathering, or denying access to information. Close physical proximity is achieved through surreptitious entry, open access, or both.

Active:

Attempts to circumvent or break protection features, introduce malicious code, or steal or modify information.

VMs have

Basic Input/Output System (BIOS), hard disks, memory, Central Processing Units (CPUs), Operating Systems (OSs), and applications.

Insider:

Can be malicious or non-malicious. Malicious insiders intentionally eavesdrop, steal or damage information, use information in a fraudulent manner, or deny access to other authorized users. Non-malicious attacks typically result from carelessness, lack of knowledge, or intentional circumvention of security for such reasons as "getting the job done".

CSS

Cascading Style Sheets, Used for describing the presentation of a document written in a markup language such as HTML.

Port

Communication endpoint. At the software level, within an OS, a port is a logical construct that identifies a specific process or a type of network service. Ports are identified for each protocol and address combination by 16-bit unsigned numbers, commonly known as port numbers. A port number will range from 0 to 65535. The most common protocols that use port numbers are TCP and the User Datagram Protocol (UDP).

Python

Considered one of the easiest languages to use and work with. Creates a framework for just about any type of website you might need.

Relational Database

Consists of numerous tables containing rows and columns of data. These tables "relate" to one another through shared data values.

Consider classifying when an incident/vulnerability's impact may cause:

Damage, serious damage, or grave damage to national security. Failure of the entire AFIN or a significant portion of it. Failure of one or more MAJCOM networks, or failure of an entire base network. Failure of a C2 functional system. Significant adverse operational impact to a critical mission due to an incident (e.g., exploited vulnerability, CMI, DOS attack).

Distribution:

Distribution attacks focus on the malicious modification of hardware or software at the factory or during distribution.

Filter Events

Event Viewer lists all events recorded in the selected log. However, logs can be filtered using specified criteria: by event level, such as information, warning, error, critical, and verbose; by log type, such as the system or security log; by source of the event, such as a particular service or software component; by task category of the event, such as a security change; by key words of the event, such as a security change; by user associated with an event; by computer associated with an event; by date range; and by time-of-day range.

Event Logs

Event logs consist of a header, a description of the event (based on the event type), and other optional data. Each line shows information about a single event, including date, time, source, event type, Event ID, user account, and computer name. Administrators can use Event Viewer to view and manage the System, Application, and Security event logs.

XML

Extensible Markup Language, Software and hardware independent tool used to transport and store data.

Database Categories

Flat Files and Relational.

HTML

Hypertext Markup Language, Standard markup language for documents designed to be displayed in a web browser.

Hypervisor

Hypervisor or Virtual Machine Monitor (VMM) is the link managing the communications between the host server and the virtualized environment.

Reuse restrictions:

Identifies the policy on reusing a password, such as how many different passwords must be used before you can reuse one you used previously.

Consequences:

Implementing consequences associated with violation or noncompliance with the org policies.

Guest OS

Installed on virtual computer architecture and allows for end-user interaction that is indistinguishable from a standard physical computer. A single virtual environment can consist of more than one guest OS assuming the physical machine has sufficient hardware capacity and memory to host multiple VMs.

Unclassified Report Guidance

Mark unclassified reports as CUI and protect the report from public distribution under the FOIA. Mark reports as CUI when: An incident DOES NOT result in a compromise or significant adverse impact to national security (AF, MAJCOM, or Wing operational missions or networks). A report identifies an incident on a specific unclassified network, information systems, or stand-alone computing device.

NoSQL (Non-Relational)

Mechanism for storage and retrieval of data that is modeled in means other than the tabular relations used in relational databases.

Duration:

Minimum and maximum number of days a password can be used before it can be changed or must be changed.

Server Virtualization

Partitioning of a physical server into smaller virtual servers. Accomplished using software like VMware (the current industry leader), Citrix XenServer, or Microsoft Hyper-V.

The main client virtualization architectures are:

Presentation virtualization, Virtual desktop infrastructure, Intelligent desktop virtualization, Application virtualization, Application streaming, User profile virtualization

Incident/Event reporting

Purpose = improve the overall security posture of the AFIN, AF ISs, and stand-alone computing devices through quick positive control/reporting of network and IS incidents.

Benefits of cloud computing

Reduced IT costs, Scalability, Business Continuity, Collaboration Efficiency, Flexibility of Work Practices, Access to Automatic Updates

Scripting

Scripting in Windows can make tasks, such as performing a backup of the network's Remedy Ticket database, as easy as launching one script...PowerShell, Command Shell.

Searching for Events

Searches can be useful when viewing large.

View Details about Events

Shows a text description of the selected event and any available binary data. If a log is archived in log file format, it can be reopened in the Event Viewer. Such logs can be reopened in most word-processing or spreadsheet applications. Logs saved in text or comma-delimited format do not retain the binary data. When a log file is archived, the entire log is saved, regardless of filtering options.

Cloud Computing Service Models

Software as a Service (SaaS) Platform as a Service (PaaS) Infrastructure as a Service (IaaS)

Platform as a Service (PaaS)

Targeted primarily at Information Technology developers, as well as software designers/developers. Provider supplies underlying infrastructure. A service provider offers access to a cloud-based environment in which users can build and deliver applications. Users are able to use a suite of pre-built tools to develop, customize, and test their own applications.

Host Server

The computer on which the virtualized environment resides. It is the hardware providing computing resources such as processing power, memory, disk and the network Input/Output (I/O).

Server and Client

The two main types of virtualization

It is the responsibility of NOS personnel to execute vulnerability remediation to reduce Air Force Information Network (AFIN) risk through the implementation of approved countermeasures.

These countermeasures, when tasked by approved orders, include, but are not limited to: Configuration changes to systems and system registries. Installation of software patches. Removal of non-approved software. Searching for and removing malicious files. Upgrades of applications. Reinstallation of OSs. Correction of system configuration against approved configuration guidelines if the system deviates from those guidelines.

Software as a Service (SaaS)

This type is targeted primarily at the end user. Users do not install applications on their local devices. The service provider delivers software and applications through the Internet. Users subscribe to the software and access it via the web or a vendor Application Programming Interface.

Protection of Passwords:

This will include where and how you store your passwords: not where others can find and see them, not saving passwords to allow automated logins, not sharing passwords with other users, etc.

Passive:

Traffic analysis, monitoring of unprotected communications, decrypting weakly encrypted traffic, and capture of authentication information.

Network operating system (NOS)

a computer operating system (OS) that is designed primarily to support workstations, personal computers, and in some instances, older terminals that are connected on a local area network (LAN).

Users can interact directly with the OS through

a Command Line Interface (CLI) or a Graphical User Interface (GUI).

Endpoint security or endpoint protection is

an approach to the protection of computer networks that are remotely bridged to client devices. The connection of laptops, tablets, mobile phones, and other wireless devices to corporate networks creates attack paths for security threats. Endpoint security aims to keep these endpoints safe from malicious attacks and the hackers who would use them.

Protocols

define the standards for communication between nodes on the network

PowerShell

enables administrators to perform administrative/management tasks on both local and remote machines running either Windows or Linux operating systems. Applications can allow implementation of certain operations normally only accessible through their GUI. This provides the capability of automating many management activities with scripting.

Biometrics

generally the most secure authentication method, if properly implemented. Information about a person's body is stored in a database,

End users/AF network professionals must report all identified incidents and vulnerabilities:

including NOSC, FSA, WM, ISSOs, ISSMs

Virtualization software separates a physical computing device

into one or more "virtual" devices, each of which can be used and managed to perform computing tasks.

Four Factors of Authentication

knowledge (something you know), possession (something you have), biometric (something you are), and location (where you are).

Data

meaningful information within a database

Cloud computing

on-demand availability of computer system resources...data storage and computer power, without direct active management of the hardware by the user. May be limited to a single organization (enterprise clouds). May be available to many organizations (public cloud).

Secure Socket Layer (SSL)

provides security to the data that is transferred between the web browser your users are operating and the server it is connecting to for its requested information. SSL encrypts the link between a web server and the browser in order to ensure that all data passed between the two of them remains private and free from attack. Transport Layer Security (TLS) is an updated, more secure version of SSL.

Database

The purpose of a database is to collect meaningful information.

Session Management

refers to the process of securely handling multiple requests to a web-based application or service from a single user or entity. Typically, a session is started when a user authenticates their identity using a password or other authentication protocol (such as our own Common Access Cards).

Schema

The schema of a database is its structure described in a formal language supported by the Database Management System (DBMS). Refers to the organization of data as a blueprint of how the database is constructed (divided into database tables in the case of relational databases). A set of formulas (sentences) called integrity constraints is imposed on a database. These integrity constraints ensure compatibility between parts of the schema.

Database Management System (DBMS)

set of programs and utilities executed on a computer to create, process, and administer a database.

Virtualization

simply separates hardware from the software

OS

software that acts as an interface between hardware and a user.

Sort Events

sorts events by date and time from the newest to the oldest

The CFP, NOSCs, and AFNOSC record

suspicious and unauthorized network and information systems access and activity. Suspicious activity = detection of network scanning, multiple connection attempts to a network device from an unknown entity, etc. Intrusion activity = unauthorized individuals gaining full (root) or limited (user) access to a network device or IS, and unusual or excessive network activity.

BIOS

tells the computer where to look for the OS on the hard drive and starts the load process.

Primary detection tool is

the fleet of Automated Security Incident Measurement (ASIM) sensors deployed across the AFIN. Review of critical audit logs by network professionals (e.g., firewall logs). Virus detection and prevention software.

Transmission Control Protocol (TCP) and the Internet Protocol (IP),

the most popular protocol suite because of its low cost, open nature, ability to communicate between dissimilar platforms, and the fact that it is routable.

Authentication

the process of attempting to verify or bind the identity of a user, system, or process.

Purpose of Patch Management

to ensure that all of the components of your network are up to date with the latest content and security patches.

ASIM sensors are utilized

to monitor the various enclaves that make up the AFIN. Events are analyzed by crew members at the NOSCs and the AFNOSC. Incident Reports (IR) are created for confirmed incidents.

Client virtualization

virtualization technology used to separate a desktop computer environment from the physical device used to access it.

Base level Comm Focal Point (CFP) personnel

will remediate assets owned and operated by the host base personnel.
