D7 Security Operations


Common Vulnerability and Exposures (CVE) database

- Patch management and vulnerability management tools commonly use the CVE dictionary as a standard when scanning for specific vulnerabilities.
- The CVE database makes it easier for companies that create patch management and vulnerability management tools.
- Those companies don't have to expend any resources to manage the naming and definition of vulnerabilities but can instead focus on methods used to check systems for the vulnerabilities.

occupant emergency plans (OEPs)

- People should always be your top priority.
- Only after personnel are safe can you consider addressing business continuity.
- OEPs are used to guide and assist with sustaining personnel safety in the wake of a disaster.
- An OEP provides guidance on how to minimize threats to life, prevent injury, manage duress, handle travel, provide for safety monitoring, and protect property from damage in the event of a destructive physical event.
- It does not address IT issues or business continuity, just personnel and general property.

Quality of Service (QoS)

- Policies that control how much bandwidth a protocol, PC, user, VLAN, or IP address may use.
- QoS controls protect the integrity of data networks under load.
- Many different factors contribute to the quality of the end-user experience, and QoS attempts to manage all of those factors to create an experience that meets business requirements.

Service Bureaus

- Groups that provide data processing, data mining, outsourcing, online analytical processing (OLAP), and other services to support the interchange of lists and database information within the direct marketing industry.
- Can put the entire direct marketing program together for you (data processing, data mining, online analytics, database management, etc.).

Remote Journaling

- Real-time, automatic and transparent backup of data.
- A database backup type which records at the transaction level.
- Transmits the journal or transaction log offsite to a backup location.
- Data transfers still occur in a bulk transfer mode, but they occur on a more frequent basis, usually once every hour and sometimes more frequently.
- Remote journaling setups transfer copies of the database transaction logs containing the transactions that occurred since the previous bulk transfer.

Handling Data

- Refers to transporting data, and the key is to provide the same level of protection for the data during transport as it has when it is stored.
- The level of protection is dependent on the value of the data.
- For example, sensitive data stored on a server in a datacenter has several security controls to protect it. A backup of this data requires protection when taking it to an offsite location for storage.
- Encrypting data before sending it provides this protection.

important audits within the context of access control

- Secure IT environments rely heavily on auditing as a detective security control to discover and correct vulnerabilities.
- Two important audits within the context of access control are:
  1. access review audits
  2. user entitlement audits

Storing Data

- Storage locations require protection against losses.
- Data is primarily stored on disk drives, and personnel periodically back up valuable data.
- Backups of sensitive information are stored in one location onsite, and a copy is stored at another location offsite.
- Physical security methods protect these backups against theft.
- Environmental controls protect the data against loss due to corruption.

NIST Special Publication 800-47

"Security Guide for Interconnecting Information Technology Systems," includes detailed information on MOUs and ISAs.

Warm Sites (Disaster recovery):

- A "preventative" warm site allows a business to pre-install hardware and pre-configure their bandwidth needs.
- In the event of a disaster, the business can then load their software and restore their business systems.
- Warm sites occupy the middle ground between hot and cold sites for disaster recovery specialists.
- They always contain the equipment and data circuits necessary to rapidly establish operations.
- As with hot sites, this equipment is usually preconfigured and ready to run appropriate applications to support an organization's operations.
- Unlike hot sites, however, warm sites do not typically contain copies of the client's data.
- The main requirement in bringing a warm site to full operational status is the transportation of appropriate backup media to the site and restoration of critical data on the standby servers.
- Activation of a warm site typically takes at least 12 hours from the time a disaster is declared.

Change Logs

- A change log is used to document changes that occur during a project. These changes and their impact on the project in terms of time, cost, and risk are communicated to the appropriate stakeholders.
- Change logs record change requests, approvals, and actual changes to a system as part of a change management process.

civil investigation

- A civil action occurs when two parties settle a disagreement in court.
- Civil investigations involve internal employees or outside consultants working on behalf of a legal firm.
- They follow the *preponderance of evidence* standard, which is weaker than the criminal-law standard.
- Meeting this standard simply requires that the evidence demonstrate that the outcome of the case is more likely than not.
- They do not involve law enforcement.

Virtual Machines (VMs)

- A collection of files on a physical computer that define the virtual machine's configuration and the contents of its virtual disk drives; creates an environment separate from the physical computer in which different OSs can run, application software can be tested, and so forth.
- VMs run as guest operating systems on physical servers. The physical servers include extra processing power, memory, and disk storage to handle the VM requirements.

violation analysis

- A form of auditing that uses clipping levels.
- An older form of auditing in which the environment is monitored for error occurrences. The baseline for errors is expected and known, and this level of expected, known errors defines the clipping level.
- Any errors that exceed the clipping level threshold trigger a violation, and details about such events are recorded into a violation record for later analysis.

hot site

- A fully configured alternate network that can be online quickly after a disaster.
- A disaster recovery option that relies on access to a completely operational alternative data center that is not only prewired but also contains all necessary hardware and software.
- A separate and fully equipped facility where the company can move immediately after a disaster and resume business.
- A backup facility is maintained in constant working order, with a full complement of servers, workstations, and communications links ready to assume primary operations responsibilities.
- The servers and workstations are all preconfigured and loaded with appropriate operating system and application software.
- The data on the primary site servers is periodically or continuously replicated to corresponding servers at the hot site, ensuring that the hot site has up-to-date data.
- Switchover times for most hot sites are often measured in seconds or minutes, and complete cutovers seldom take more than an hour or two.

Patch

- A general software security update intended to cover vulnerabilities that have been discovered.
- A blanket term for any type of code written to correct a bug or vulnerability or improve the performance of existing software. The software can be either OS or application.
- Also called updates, quick fixes, and hot fixes.

Change management

- A methodology for making modifications to a system and keeping track of those changes.
- A set of techniques that aid in evolution, composition, and policy management of the design and implementation of a system.
- The process of making sure changes are made smoothly and efficiently and do not negatively affect systems reliability, security, confidentiality, integrity, and availability.
- Unauthorized changes directly affect the A in the CIA Triad: availability.

RAID 1 (mirroring)

- A mirrored volume stores data to two duplicate disks simultaneously.
- Two drives are used in unison, and all data is written to both drives, giving you a mirror or extra copy of the data in case one drive fails.
- File blocks are duplicated between physical drives.
- High disk space utilization.
- High redundancy.
- Minimum of 2 drives.

examples of privileged operations to monitor

- Accessing audit logs
- Changing system time
- Configuring interfaces
- Managing user accounts
- Controlling system reboots
- Controlling communication paths
- Backing up and restoring the system
- Running script/task automation tools
- Configuring security mechanism controls
- Using operating system control commands
- Using database recovery tools and log files

evidence rules to documentary evidence

1. best evidence rule
2. parol evidence rule

types of tests for DRP

1. checklist tests
2. structured walk-throughs
3. simulation tests
4. parallel tests
5. full-interruption tests

Auditing (two meanings)

1. Auditing refers to the use of audit logs and monitoring tools to track activity. For example, audit logs can record when any user accesses a file and document exactly what the user did with the file and when.
2. Auditing also refers to an inspection or evaluation. Specifically, an audit is an inspection or evaluation of a specific process or result to determine whether an organization is following specific rules or guidelines.

What is the height of fences that make it too hard to climb easily and deter most intruders, except determined ones?

6 to 7 feet

failover cluster

A server cluster configuration used for fault tolerance so that if one server fails, the other takes over its functions immediately, with no or little downtime.

advantages and disadvantages of hot site

Advantages:
- The level of disaster recovery protection provided by this type of site is unsurpassed.

Disadvantages:
- The cost is extremely high.
- Maintaining a hot site essentially doubles an organization's budget for hardware, software, and services and requires the use of additional employees to maintain the site.

Incident

An event that has a negative outcome affecting the confidentiality, integrity, or availability of an organization's data

can an intrusion detection system detect man-in-the-middle or hijack attacks?

An intrusion detection system cannot usually detect man-in-the-middle or hijack attacks, but it can detect abnormal activities occurring over communication links and raise alerts on suspicious activity.

Cloud Computing

- A system in which all computer programs and data are stored on a central server owned by a company (e.g. Google) and accessed virtually.
- The use of web services to perform functions that were traditionally performed with software on an individual computer, e.g. Flickr, Google Docs, etc.
- The practice of using a network of remote servers hosted on the Internet to store, manage, and process data, rather than a local server or a personal computer.
- Highly available and easily scalable.

Software Escrow Arrangement

A tool used to protect a company against the failure of a software developer to provide adequate support for its products or against the possibility that the developer will go out of business and no technical support will be available for the product.

Non-transitive Trust

- A trusts B but doesn't allow that trust to extend.
- Exists between two security domains, which could be within the same organization or between different organizations.
- It allows subjects in one domain to access objects in the other domain.
- Enforces the principle of least privilege and grants the trust to a single domain at a time.

application-based IDS

- IDS software component that monitors a specific application on a host.
- This is a specialized IDS that analyzes transaction log files for a single application. This type of IDS is usually provided as part of the application or can be purchased as an add-on.
- A specific type of network-based IDS.
- It monitors specific application traffic between two or more servers.
- For example, it can monitor traffic between a web server and a database server looking for suspicious activity.

Recovery vs. Restoration

- In the disaster recovery context, recovery involves bringing business operations and processes back to a working state. Restoration involves bringing a business facility and environment back to a workable state.
- A disaster recovery team may be assigned to implement and maintain operations at the recovery site, and a salvage team is assigned to restore the primary site to operational capacity. Make these allocations according to the needs of your organization and the types of disasters you face.

Monitoring and Accountability

- Monitoring is a necessary function to ensure that subjects (such as users and employees) can be held accountable for their actions and activities.
- Users claim an identity (such as with a username) and prove their identity (by authenticating), and audit trails record their activity while they are logged in.
- Monitoring and reviewing the audit trail logs provides accountability for these users.

Ethical hacking

- Planned attempts to penetrate the security defenses of a system in order to identify vulnerabilities.
- Broadly covers the use of any/all hacking techniques for "good" use.

Change Management

- The process of making sure changes are made smoothly and efficiently and do not negatively affect systems reliability, security, confidentiality, integrity, and availability.
- Protects against outages from unauthorized changes.

Jailbreaking

- The process of making unauthorized modifications to operating systems and bypassing the DRM restrictions on Apple iPhones and iPads in order to run unapproved apps.
- Jailbreaking removes restrictions on iOS devices and permits root-level access to the underlying operating system.
- It is similar to rooting a device running the Android operating system.

War Dialing

Programming a computer to dial thousands of phone lines searching for dial-up modem lines. Hackers hack into the PC attached to the modem and access the network to which it is connected.

1st Code of Ethics Canon

Protect society, the common good, necessary public trust and confidence, and the infrastructure.

3rd Code of Ethics Canon

Provide diligent and competent service to principals

What is the ideal placement of lights for the use of lighting?

Standards seem to indicate that light poles should be placed the same distance apart as the diameter of the illuminated area created by illumination elements. Thus, if a lighted area is 40 feet in diameter, poles should be 40 feet apart.

NIST SP 800-61 Computer Incident Definition

The Computer Security Incident Handling Guide defines a computer security incident as a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.

Patch Management

- The practice of monitoring for, evaluating, testing, and installing software patches and updates.
- The process of applying code supplied by a vendor to fix a problem in that vendor's software.
- A patch management program ensures that systems are kept up-to-date with current patches.
- Steps:
  1. Evaluate patches
  2. Test patches
  3. Approve the patches
  4. Deploy the patches
  5. Verify that patches are deployed

Types of Evidence

Three types of evidence can be used in a court of law:
1. real evidence
2. documentary evidence
3. testimonial evidence

A company storing data on a secure server wants to ensure it is legally able to dismiss and prosecute staff who intentionally access the server via Telnet and illegally tamper with customer data. Which of the following administrative controls should be implemented to BEST achieve this?

Warning Banners

When troubleshooting a failed backup, a technician runs the backup using the same tape but on a different tape drive in the same tape library. The backup fails again. Which of the following should be the FIRST item the technician should examine as a failure?

Tape media

Detection and Identification of Incident

- The incident identification process has two main goals: detecting security incidents and notifying appropriate personnel.
- To successfully detect and identify incidents, a security team must monitor any relevant events that occur and notice when they meet the organization's defined threshold for a security incident. The key to identifying incidents is to detect abnormal or suspicious activity that may constitute evidence of an incident.

what are the countermeasures against malicious war dialing?

Countermeasures include imposing strong remote access security (including strong authentication), using callback security, ensuring that no unauthorized modems are present within the organization, restricting what protocols can be used, and using call logging.

public cloud model

- Includes assets available for any consumers to rent/lease and is hosted by an external CSP.
- SLAs can ensure the CSP provides acceptable services.
- The vendor builds a single platform that is shared among many different customers.

Admissible evidence

Evidence that can be legally and properly introduced in a civil or criminal trial.
- Requirements:
  1. The evidence must be relevant to determining a fact.
  2. The fact that the evidence seeks to determine must be material (that is, related) to the case.
  3. The evidence must be competent, meaning it must have been obtained legally. Evidence that results from an illegal search would be inadmissible because it is not competent.

permissions

permissions allow access to objects such as files.

Shimming

preset locks or key-based locks are subject to picking, which is often categorized under a class of lock mechanism attacks called shimming.

Denial-of-service (DoS) attacks

- Prevent legitimate users from accessing a system, because a hacker is instructing zombies to make repeated requests to the system in order to overwhelm it.
- Other forms of DoS attack focus on the exploitation of a known fault or vulnerability in an operating system, service, or application. Exploiting the fault often results in a system crash or 100 percent CPU utilization.

Criminal Investigations

process of discovering, collecting, preparing, identifying and presenting evidence to determine what happened and who is responsible

Privacy

protecting personal information from disclosure to any unauthorized individual or entity.

cloud models

Cloud models serve various environments, including private clouds, community clouds, public clouds, and hybrid clouds.

vulnerability scan and pen testing

- A penetration test will commonly include a vulnerability scan or vulnerability assessment to detect weaknesses.
- However, the pen test goes a step further and attempts to exploit the weaknesses.
- For example, a vulnerability scanner may discover that a website with a backend database is not using input validation techniques and is susceptible to a SQL injection attack. The pen test may then use a SQL injection attack to access the entire database.
- Similarly, a vulnerability assessment may discover that employees aren't educated about social-engineering attacks, and a penetration test may use social-engineering methods to gain access to a secure area or obtain sensitive information from employees.

Mantrap (Double Door System)

- A physical enclosure for verifying identity before entry to a facility.
- A double set of doors that is often protected by a guard or some other physical layout that prevents piggybacking and can trap individuals at the discretion of security personnel.
- Its purpose is to immobilize a subject until their identity and authentication are verified.
- If a subject is authorized for entry, the inner door opens, allowing entry into the facility or onto the premises.
- If a subject is not authorized, both doors remain closed and locked until an escort (typically a guard or a police officer) arrives to escort the subject off the property or arrest the subject for trespassing (this is called a delay feature).
- Often a mantrap includes a scale to prevent piggybacking or tailgating.

disaster recovery plan (DRP)

- A plan to restore an organization's IT capability in the event that its data center is destroyed.
- A written document that details the process for restoring IT resources following an event that causes a significant disruption in service.
- A set of human, physical, technical and procedural resources to recover, within a defined time and cost, an activity interrupted by an emergency or disaster.

Intrusion detection

- A process of monitoring the events occurring on a computer or a network, and analyzing them to detect possible incidents, which are violations or imminent threats of violation of computer security policies and standard security practices.
- A specific form of monitoring that monitors recorded information and real-time events to detect abnormal activity indicating a potential incident or intrusion.

Single Point of Failure (SPOF)

- A single weakness that is capable of bringing an entire system down.
- If a computer has data on a single disk, failure of the disk can cause the computer to fail, so the disk is a single point of failure. If a database-dependent website includes multiple web servers all served by a single database server, the database server is a single point of failure.

security incident

- A specific instance of a risk event occurring, whether or not it causes damage.
- Security incidents cannot be eliminated, but they can be minimised and prevented.
- An attempted or successful unauthorized access, use, disclosure or destruction of PHI within a system.
- An incident that is the result of an attack, or the result of malicious or intentional actions on the part of users.
- RFC 2350, "Expectations for Computer Security Incident Response," defines both a security incident and a computer security incident as "any adverse event which compromises some aspect of computer or network security."
- National Institute of Standards and Technology (NIST) Special Publication (SP) 800-61, "Computer Security Incident Handling Guide," defines a computer security incident as "a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices."

RAID 0 (striping)

- A stripe set breaks data into units and stores the units across a series of disks by reading and writing to all disks simultaneously.
- File blocks are split between physical drives.
- High performance.
- No redundancy.
- Minimum of 2 drives.
- Improves the disk subsystem performance.
- Does NOT provide fault tolerance.

Parol Evidence Rule

- A substantive rule of contracts under which a court will not receive into evidence the parties' prior negotiations, prior agreements, or contemporaneous oral agreements if that evidence contradicts or varies the terms of the parties' written contract.
- When an agreement between parties is put into written form, the written document is assumed to contain all the terms of the agreement, and no verbal agreements may modify the written agreement.

Warning Banners

- A technical control that makes use of a pop-up message that is displayed on a computer or website that displays legal status. For example, the banner may state that all activity is monitored for actions that violate company policy.
- Informs users and intruders about basic security policy guidelines.
- Mentions that online activities are audited and monitored, and often provides reminders of restricted activities.
- Wording in banners is important from a legal standpoint because these banners can legally bind users to a permissible set of actions, behaviors, and processes.

Smurf Attack

- A threat to networked hosts in which the host is flooded with broadcast ping messages.
- A type of denial-of-service attack.
- It floods the victim with Internet Control Message Protocol (ICMP) echo packets instead of with TCP SYN packets.
- It is a spoofed broadcast ping request using the IP address of the victim as the source IP address.
- Ping uses ICMP to check connectivity with remote systems. Normally, ping sends an echo request to a single system, and the system responds with an echo reply. However, in a smurf attack, the attacker sends the echo request out as a broadcast to all systems on the network and spoofs the source IP address. All these systems respond with echo replies to the spoofed IP address, flooding the victim with traffic.
- Smurf attacks take advantage of an amplifying network (also called a smurf amplifier) by sending a directed broadcast through a router. All systems on the amplifying network then attack the victim.
- How smurf attacks are reduced:
  - RFC 2644, released in 1999, changed the standard default for routers so that they do not forward directed broadcast traffic. When administrators correctly configure routers in compliance with RFC 2644, a network cannot be an amplifying network. This limits smurf attacks to a single network.
  - Disable ICMP on firewalls, routers, and even many servers to prevent any type of attacks using ICMP.

anti-malware systems (antivirus software)

- A utility that searches for and removes any malware on a computer.
- Software that prevents attacks by a wide range of destructive, malicious, or intrusive programs.
- Software whose purpose is to remove harmful software from your system.
- Firewalls with content-filtering capabilities (or specialized content-filter appliances) are commonly used at the boundary between the Internet and the internal network to filter out any type of malicious code.

business impact assessment (BIA)

- An analysis of an information system's requirements, functions, and interdependencies used to characterize system contingency requirements and priorities in the event of a significant disruption.
- Identifies vulnerabilities, develops strategies to minimize risk, and ultimately produces a BIA report that describes the potential risks that an organization faces and identifies critical business units and functions.
- A BIA also identifies costs related to failures that include loss of cash flow, equipment replacement, salaries paid to clear work backlogs, profit losses, opportunity costs from the inability to attract new business, and so forth.
- Such failures are assessed in terms of potential impacts on finances, personnel, safety, legal compliance, contract fulfillment, and quality assurance, preferably in monetary terms to make impacts comparable and to set budgetary expectations. With all this BIA information in hand, you should use the resulting documentation as the basis for this prioritization task.

Drive-by download attack

- An attack on an innocent victim machine where content is downloaded without the user's knowledge.
- Malware included in a requested file or downloaded by a user.
- Attackers modify the code on a web page, and when the user visits, the code downloads and installs malware on the user's system without the user's knowledge or consent.
- Attackers host their own malicious websites and use phishing or redirection methods to get users to the malicious website.
- These attacks use vulnerabilities in unpatched systems, so keeping a system up-to-date protects against them.

SYN flood attack

- An attack that takes advantage of the procedures for initiating a TCP/IP session.
- A common DoS attack.
- Disrupts the standard three-way handshake used by TCP to initiate communication sessions.
- The attackers send multiple SYN packets but never complete the connection with an ACK.
- Example: a single attacker has sent three SYN packets and the server has responded to each. For each of these requests, the server has reserved system resources to wait for the ACK. Servers often wait for the ACK for as long as three minutes before aborting the attempted session, though administrators can adjust this time.

zero-day exploit

- An exploit that takes advantage of a software vulnerability that hasn't yet become public and is known only to the hacker who discovered it.
- Dangerous because the vulnerability is exploited before the software developer has the opportunity to provide a solution for it.
- A vulnerability that is exploited before the software creator/vendor is even aware of its existence.
- The term can be used in the following contexts:
  - Attacker first discovers a vulnerability
  - Vendor learns of the vulnerability
  - Vendor releases a patch

Event

- Any occurrence that takes place during a certain period of time.
- Anything that happens or is regarded as happening.

Clipping Levels

- Clipping is a form of nonstatistical sampling.
- It selects only events that exceed a clipping level, which is a predefined threshold for the event.
- The system ignores events until they reach this threshold.
- For example, failed logon attempts are common in any system, as users can easily enter the wrong password once or twice. Instead of raising an alarm for every single failed logon attempt, a clipping level can be set to raise an alarm only if it detects five failed logon attempts within a 30-minute period. Many account lockout controls use a similar clipping level. They don't lock the account after a single failed logon. Instead, they count the failed logons and lock the account only when the predefined threshold is reached.

Regulatory Investigations

- Conducted by government agents when it is believed that an individual or corporation has violated administrative law.
- Agents conduct these investigations with a standard of proof commensurate with the venue where they expect to try their case.

RAID 10 (RAID 1 + 0 or a stripe of mirrors)

- Data is distributed as a stripe of mirrors, requiring a minimum of four (4) disks to be implemented.
- Configured as two or more mirrors (RAID-1) arranged in a striped (RAID-0) configuration.
- Good performance with fault tolerance (no parity blocks).
- A combination of RAID 1 and RAID 0 that requires at least four disks to work as an array of drives and provides the best redundancy and performance.
- The opposite of RAID 0+1, which is two mirrored RAID 0 configurations.
- Provides both speed and redundancy.

Employee Sabotage

- Destruction of hardware, software, or data, or planting a time bomb or logic bomb on a computer.
- A criminal act of destruction or disruption committed against an organization by an employee.
- Occurs most often when an employee suspects they will be terminated without just cause, or if an employee retains access after being terminated.
- Safeguards against employee sabotage are intensive auditing, monitoring for abnormal or unauthorized activity, keeping lines of communication open between employees and managers, and properly compensating and recognizing employees for their contributions.

BCP and DRP

- Disaster recovery planning (DRP) steps in where BCP leaves off.
- When a disaster strikes and a business continuity plan fails to prevent interruption of business activities, the disaster recovery plan kicks in and guides the actions of emergency-response personnel until the end goal is reached: to see the business restored to full operating capacity in its primary operations facilities.

documents worth considering for DRP

- Executive summary providing a high-level overview of the plan
- Department-specific plans
- Technical guides for IT personnel responsible for implementing and maintaining critical backup systems
- Checklists for individuals on the disaster recovery team
- Full copies of the plan for critical disaster recovery team members

RAID 5 - Striping with Parity

- File blocks are striped along with a parity block. - This requires at least three disks. - Efficient use of disk space as files aren't duplicated, but space is still used for parity. - High redundancy - Data is available after drive failure but parity calculation may affect performance. - If any single disk fails, the RAID array will continue to operate, though it will be slower.

System Logs

- Files that store a variety of information about system events, including device changes, device drivers, and system changes. - record system events such as when a system starts/stops/reboots, or when services start/stop

turnstile

- a mechanical gate consisting of revolving horizontal arms fixed to a vertical post, allowing only one person at a time to pass through. - is a form of gate that prevents more than one person at a time from gaining entry and often restricts movement in one direction. - It is used to gain entry but not to exit, or vice versa. - It is basically the fencing equivalent of a secured revolving door.

next-generation firewall

- Firewall technology that filters based on packet contents as opposed to simple address and port information. - Functions as a unified threat management (UTM) device and combines several filtering capabilities. - Includes traditional firewall functions such as packet filtering and stateful inspection. - Performs packet inspection, allowing it to identify and block malicious traffic. - Can filter malware using definition files and/or whitelists and blacklists. - Includes intrusion detection and/or intrusion prevention capabilities.

benefits of NIDSs over HIDSs

- HIDSs are more costly to manage than NIDSs because they require administrative attention on each system, whereas NIDSs usually support centralized administration. - An HIDS cannot detect network attacks on other systems. - HIDSs consume a significant amount of system resources, degrading the host system's performance. Although it's often possible to restrict the system resources used by the HIDS, this can result in it missing an active attack. - HIDSs are easier for an intruder to discover and disable, and their logs are maintained on the monitored system, making the logs susceptible to modification during a successful attack.

botnets or zombie networks

- Hordes of surreptitiously infiltrated computers, linked and controlled remotely, also known as zombie networks. - a set of computers that are penetrated by malicious software known as malware that allows an external agent to control their actions. - like robots and will do whatever attackers instruct them to do.

Configuration Documentation

- Identifies the current configuration of systems. - Identifies who is responsible for the system and the purpose of the system. - Lists all changes applied to the baseline.

Transitive Trust

- If Organization A trusts Organization B and Organization B trusts Organization C, then Organization A trusts Organization C. - A trust relationship between two or more domains in a tree, in which each domain has access to objects in the others. - extends the trust relationship between the two security domains to all of their subdomains.

options to activate the hot site

- If enough bandwidth is available, operators could move operations to the hot site at a moment's notice. - If it's not the case, disaster recovery managers have three options to activate the hot site: 1. If there is sufficient time before the primary site must be shut down, they can force replication between the two sites right before the transition of operational control. 2. If replication is impossible, managers may carry backup tapes of the transaction logs from the primary site to the hot site and manually reapply any transactions that took place since the last replication. 3. If there are no available backups and it isn't possible to force replication, the disaster recovery team may simply accept the loss of some portion of the data.

Mutual assistance agreements (MAAs) or reciprocal agreements

- In theory, they provide an excellent alternate processing option. - Under an MAA, two organizations pledge to assist each other in the event of a disaster by sharing computing facilities or other technological resources. - They appear to be extremely cost effective at first glance—it's not necessary for either organization to maintain expensive alternate processing sites. - rarely implemented in real-world practice

Watermarking

- Intellectual property management technique for identifying content after distribution. - The process of adding an author name or logo into an image to identify its owner and prevent intellectual property theft.

Land Attacks

- Involve sending a packet to the router with the same IP address in the source and destination address fields and with the same port number in the source port and destination port fields. - the attacker sends spoofed SYN packets to a victim using the victim's IP address as both the source and destination IP address. This tricks the system into constantly replying to itself and can cause it to freeze, crash, or reboot. - discovered in 1997, and it has resurfaced several times attacking different ports. Keeping a system up-to-date and filtering traffic to detect traffic with identical source and destination addresses helps to protect against LAND attacks.

Gate

- A controlled exit and entry point in a fence. - The deterrent level of a gate must be equivalent to the deterrent level of the fence to sustain the effectiveness of the fence as a whole. - Hinges and locking/closing mechanisms should be hardened against tampering, destruction, or removal. - When a gate is closed, it should not offer any additional access vulnerabilities. - Keep the number of gates to a minimum. They can be staffed by guards. - When they're not protected by guards, use of dogs or CCTV is recommended.

Logging and Monitoring

- Logging records events into various logs, and monitoring reviews these events. - Combined, logging and monitoring allow an organization to track, record, and review activity, providing overall accountability. - This helps an organization detect undesirable events that can negatively affect the confidentiality, integrity, and availability (CIA) of systems. - Also useful in reconstructing activity after an event has occurred to identify what happened and sometimes to prosecute responsible personnel.

Security Logs

- Logs that are considered the primary source of log data. - Record access to resources like files, folders, printers, etc. - Record info about when a user accessed, modified, or deleted a file.

Database Recovery

- Mechanism for restoring a database quickly and accurately after loss or damage. - three main techniques used to create offsite copies of database content: 1. electronic vaulting, 2. remote journaling, and 3. remote mirroring.

using RARP or DNS lookup on NIDS

- NIDS can discover the source of an attack by performing Reverse Address Resolution Protocol (RARP) or reverse Domain Name System (DNS) lookups. - However, because attackers often spoof IP addresses or launch attacks by zombies via a botnet, additional investigation is required to determine the actual source. This can be a laborious process and is beyond the scope of the IDS. - However, it is possible to discover the source of spoofed IPs with some investigation.

Full-Interruption Test

- One in which regular operations are stopped and processing is moved to the alternate site. - involve actually shutting down operations at the primary site and shifting them to the recovery site. - are extremely difficult to arrange, and you often encounter resistance from management.

Electronic Vaulting

- Service whereby data changes are automatically transmitted over the Internet on a continuous basis to an off-site server maintained by a third party. - Periodic, automatic and transparent backup of data in bulk to a remote site. - The remote location may be a dedicated alternative recovery site (such as a hot site) or simply an offsite location managed within the company or by a contractor for the purpose of maintaining backup data. - there may be a significant delay between the time you declare a disaster and the time your database is ready for operation with current data.

Mobile Sites

- Sites that are self-contained, transportable shells custom-fitted with the specific telecommunications and IT equipment necessary to meet system requirements. - DRP backup site option that is a "data center on wheels": towable trailers that contain racks of computer equipment, as well as HVAC, fire suppression, and physical security. - Nonmainstream alternatives to traditional recovery sites. - Usually consist of self-contained trailers or other easily relocated units. - Include all the environmental control systems needed to maintain a safe computing environment. - Larger organizations sometimes use these on a "fly-away" basis. - Usually configured as cold or warm sites.

Application Logs

- Store actions performed by the application on the system. Often track items such as attempts to access the application, errors generated from the application, etc. - record info about specific applications - application developers can choose what to record

Configuration Management review

- Systems can be audited periodically to ensure that the original configurations are not modified. - use scripting tools to check specific configurations of systems and identify when a change has occurred. - logging can be enabled for many configuration settings to record configuration changes. - can check the logs for any changes and verify that they are authorized.

Honeypots

- Tempting, bogus targets meant to lure hackers - false targets for computer criminals to attack - computers baited with fake data and purposely left vulnerable to study how intruders operate to prepare stronger defenses - look and act like legitimate systems, but they do not host data of any real value for an attacker. Administrators often configure honeypots with vulnerabilities to tempt intruders into attacking them. - may be unpatched or have security vulnerabilities that administrators purposely leave open. - Goal: to grab the attention of intruders and keep the intruders away from the legitimate network that is hosting valuable resources. Legitimate users wouldn't access the honeypot, so any access to a honeypot is most likely an unauthorized intruder.

minimum security requirements for audit data by FIPS 200

- The Minimum Security Requirements for Federal Information and Information Systems (FIPS 200) specifies the following as the minimum security requirements for audit data: 1. Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity. 2. Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.

Mean time to failure (MTTF)

- The average amount of time expected until the first failure of a piece of equipment. - represented in the number of times it can be reused or the number of years you can expect to keep it. - For example, some tapes include specifications saying they can be reused as many as 250 times or last up to 30 years under ideal conditions. However, many variables affect the lifetime of media and can reduce these estimates.

fail secure or fail open system?

- The choice depends on whether security or availability is more important after a failure. - Systems can be designed so that they fail in a fail-secure state or a fail-open state. - A fail-secure system defaults to a secure state in the event of a failure, blocking all access. - A fail-open system fails in an open state, granting all access. - For example, firewalls provide a significant amount of security by controlling access in and out of a network. They are configured with an implicit deny philosophy and only allow traffic that is explicitly allowed based on a rule. - Firewalls are normally fail secure, supporting the implicit deny philosophy: if a firewall fails, all traffic is blocked. Although this eliminates availability of communication through the firewall, it is secure. - If availability of traffic were more important than security, the firewall could be configured to fail into a fail-open state, allowing all traffic through. This wouldn't be secure, but the network would not lose availability of traffic.

network load-balancing cluster

- The load balancer can be hardware or software based, and it balances the client load across the servers (three web servers in the textbook example). - It makes it easy to add additional web servers to handle increased load while also balancing the load among all the servers. - If any of the servers fail, the load balancer can sense the failure and stop sending traffic to that server. - Although network load balancing is primarily used to increase the scalability of a system so that it can handle more traffic, it also provides a measure of fault tolerance.

Vulnerability Management

- The practice of finding and mitigating software vulnerabilities in computers and networks. - The cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. - common elements: routine vulnerability scans and periodic vulnerability assessments.

digital watermarking

- The process of embedding information into a digital signal in a way that makes it difficult to remove. - information embedded into digital audio and video signals that can be used to track when and where the content is delivered. - a secretly embedded marker in a digital file. - For example, some movie studios digitally mark copies of movies sent to different distributors. Each copy has a different mark and the studios track which distributor received which copy. If any of the distributors release pirated copies of the movie, the studio can identify which distributor did so.

Code of Ethics Preamble

- The safety and welfare of society and the common good, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior. - Therefore, strict adherence to this Code is a condition of certification.

Ping Flood Attack

- Floods the victim with ping requests. - Very effective when launched by zombies within a botnet as a DDoS attack. - How to stop: block ICMP traffic. Active intrusion detection systems can detect a ping flood and modify the environment to block ICMP traffic during the attack.

Security Information and Event Management (SIEM), Security Event Management (SEM), and Security Information Management (SIM)

- These tools provide real-time analysis of events occurring on systems throughout an organization. - They include agents installed on remote systems that monitor for specific events known as alarm triggers. When the trigger occurs, the agents report the event back to the central monitoring software. - For example, a SIEM can monitor a group of email servers. Each time one of the email servers logs an event, a SIEM agent examines the event to determine if it is an item of interest. If it is, the SIEM agent forwards the event to a central SIEM server, and depending on the event, it can raise an alarm for an administrator. - For example, if the send queue of an email server starts backing up, a SIEM application can detect the issue and alert administrators before the problem becomes serious.

Fences

- They are perimeter-defining devices. - They are used to clearly differentiate between areas that are under a specific level of security protection and those that aren't. - A fence can include a wide range of components, materials, and construction methods. - It can consist of stripes painted on the ground, chain link fences, barbed wire, concrete walls, and even invisible perimeters using laser, motion, or heat detectors. - Various types of fences are effective against different types of intruders: --- Fences 3 to 4 feet high deter casual trespassers. --- Fences 6 to 7 feet high are too hard to climb easily and deter most intruders, except determined ones. --- Fences 8 or more feet high with three strands of barbed wire deter even determined intruders.

automated recovery without undue loss

- This is similar to automated recovery in that a system can restore itself against at least one type of failure. - it includes mechanisms to ensure that specific objects are protected to prevent their loss. - A method of automated recovery that protects against undue loss would include steps to restore data or other objects. - It may include additional protection mechanisms to restore corrupted files, rebuild data from transaction logs, and verify the integrity of key system and security components.

User Entitlement Audits

- User entitlement refers to the privileges granted to users. - Users need rights and permissions (privileges) to perform their job, but they only need a limited number of privileges. - User entitlement reviews can discover when users have excessive privileges, which violate security policies related to user entitlement.

how to block SYN flood attack?

- Using SYN cookies is one method of blocking this attack. These small records consume very few system resources. When the system receives an ACK, it checks the SYN cookie and establishes a session. Firewalls often include mechanisms to check for SYN attacks, as do intrusion detection and intrusion prevention systems. - Another method is to reduce the amount of time a server will wait for an ACK (three minutes by default). By reducing the time, half-open sessions are flushed from the system's memory more quickly.

Sandboxing

- Using a virtual machine to run a suspicious program to determine if it is malware. - A form of software virtualization that lets programs and processes run in their own isolated virtual environment - An isolated test environment that simulates the production environment but will not affect production components/data. - provides a security boundary for applications and prevents the application from interacting with other applications. - used by Anti-malware applications to test unknown applications.

Mandatory Vacations

- When an organization requires that an employee take a certain amount of days of vacation consecutively. - provides a form of peer review and helps detect fraud and collusion. - ensures that another employee takes over an individual's job responsibilities for at least a week. - If an employee is involved in fraud, the person taking over the responsibilities is likely to discover it. - similar to the benefits of job rotation. - can act as both a deterrent and a detection mechanism, just as job rotation policies can. - Even though someone else will take over a person's responsibilities for just a week or two, this is often enough to detect irregularities.

Whitelisting and Blacklisting

- Whitelisting: allows only acceptable software to run. Blacklisting: allows everything to run unless it is on the blacklist. - An effective preventive measure blocking users from running unauthorized applications. They can also help prevent malware infections. Whitelisting identifies a list of applications authorized to run on a system, and blacklisting identifies a list of applications that are not authorized to run on a system.

Darknet

- A computer network with restricted access that is used chiefly for illegal peer-to-peer file sharing. - In a monitoring context, a portion of allocated IP addresses within a network that are not used. - It includes one device configured to capture all the traffic into the darknet. - Since the IP addresses are not used, the darknet does not have any other hosts and it should not have any traffic at all. - However, if an attacker is probing a network, or malware is attempting to spread, the host in the darknet will detect and capture the activity. - The benefit is that there are few false positives. Legitimate traffic should not be in the darknet, so unless there is a misconfiguration on the network, traffic in the darknet is not legitimate. - Also, an overlay network that can be accessed only with specific software, configurations, or authorization.

malicious code (malware)

- a computer program that attempts to bypass appropriate authorization safeguards and/or perform unauthorized functions. - includes a variety of threats such as viruses, worms, Trojan horses, and bots. - any script or program that performs an unwanted, unauthorized, or unknown activity on a computer system.

log analysis

- a detailed and systematic form of monitoring in which the logged information is analyzed for trends and patterns as well as abnormal, unauthorized, illegal, and policy-violating activities. - Log analysis isn't necessarily in response to an incident but instead a periodic task, which can detect potential issues. - the process of examining logs to identify evidence of possible attacks.

motion detector or motion sensor

- a device that senses movement or sound in a specific area. - example: infrared, heat, wave pattern, capacitance, photoelectric, and passive audio.

Firewall logs

- a log containing records of all inbound and outbound network traffic that passes through the network firewall. - can record events about any traffic that reaches a firewall - commonly log source/destination IP, source/destination ports, but not the packet contents

Audit Trails

- a passive form of detective security control - Record of all changes and actions performed with a system, for security purposes. - records created when information about events and occurrences is stored in one or more databases or log files. - provide a record of system activity and can reconstruct activity leading up to and during security events. - Security professionals extract information about an incident from an audit trail to prove or disprove culpability, and much more. - allow security professionals to examine and trace events in forward or reverse order. This flexibility helps when tracking down problems, performance issues, attacks, intrusions, security breaches, coding errors, and other potential policy violations.

Penetration Testing

- A preventive measure. - Intrusive and can affect the availability of a system. - Professional hacking to access data and computing power without being granted access; professional pen-testers are hired to identify and repair vulnerabilities and only work once given written permission to obtain ungranted access. - A test by an outsider to actually exploit any weaknesses in systems that are vulnerable. - A live test of the effectiveness of security defenses through mimicking the actions of real-life attackers. - May include vulnerability scans, port scans, packet sniffing, DoS attacks, and social-engineering techniques.

Scanning attacks

- Reconnaissance attacks that usually precede another, more serious attack. - They're comparable to a burglar casing a neighborhood for targets, looking for homes with unlocked doors or where nobody is home. - Attackers will gather as much information about your system as possible before launching a directed attack. - Look for any unusual activity on any port or from any single address. For example, a high volume of Secure Shell (SSH) packets on port 22 may point to a systematic scan of your network. - Automate evidence collection: set up your firewall to log rejected traffic and archive your log files. The logs may become large, but storage is cheap, and you should consider it a cost of doing business.

interim report

- a short account that will later be followed by a full report. - a written or verbal report given to the organization about any observed security weaknesses or policy/procedure mismatches that demand immediate attention. Auditors issue interim reports whenever a problem or issue is too important to wait until the final audit report.

Intrusion Detection System (IDS)

- a system that creates logs of all network traffic that was permitted to pass the firewall and then analyzes those logs for signs of attempted or successful intrusions. - a computer program that senses when another computer is attempting to scan or access a computer or network. - automates the inspection of logs and real-time system events to detect intrusion attempts and system failures. - to detect DoS and DDoS attacks. - recognize attacks that come from external connections, such as an attack from the Internet, and attacks that spread internally such as a malicious worm. Once they detect a suspicious event, they respond by sending alerts or raising alarms. In some cases, they can modify the environment to stop an attack. - A primary goal of an IDS is to provide a means for a timely and accurate response to intrusions.

distributed reflective denial-of-service (DRDoS) attack

- a variant of a DoS. - uses a reflected approach to an attack. - it doesn't attack the victim directly, but instead manipulates traffic or a network service so that the attacks are reflected back to the victim from other sources. - example: Domain Name System (DNS) poisoning attacks and smurf attacks

Fault Tolerance (FT)

- ability of a system to suffer a fault but continue to operate. - achieved by adding redundant components such as additional disks within a redundant array of inexpensive disks (RAID) array, or additional servers within a failover clustered configuration.

Function Recovery

- able to automatically recover specific functions - ensures system is able to successfully complete the recovery for the functions, or that the system will be able to roll back the changes to return to a secure state.

privileged entities

- accounts that have been granted elevated privileges. - access to special, higher-order capabilities inaccessible to normal users. If misused, these elevated rights and permissions can result in significant harm to the confidentiality, integrity, or availability of an organization's assets. Because of this, it's important to monitor privileged entities and their access. - usually restricted to admin and system operators.

Special privilege operations

- Activities that require special access or elevated rights and permissions to perform many administrative and sensitive job tasks. - Examples: creating new user accounts, adding new routes to a router table, altering the configuration of a firewall, and accessing system log and audit files. - Monitoring ensures that users granted these privileges do not abuse them.

advantages and disadvantages of cold site

- Advantage: its relatively low cost; there is no computing base to maintain and no monthly telecommunications bill when the site is idle. - Drawbacks: 1. Lag between the time the decision is made to activate the site and the time when that site is ready to support business operations. 2. Servers and workstations must be brought in and configured. 3. Data must be restored from backup tapes. 4. Communications links must be activated or established. 5. The time to activate a cold site is often measured in weeks, making timely recovery close to impossible and often yielding a false sense of security. 6. It's also worth observing that the substantial time, effort, and expense required to activate and transfer operations to a cold site make this approach the most difficult to test.

Third-generation firewalls

- also called stateful inspection firewalls and dynamic packet filtering firewalls - filter traffic based on its state within a stream of traffic. - monitor network connections between internal and external systems using state tables.

service level agreement (SLA)

- formal contract between customers and their service providers that defines the specific responsibilities of the service provider and the level of service expected by the customer - A negotiated agreement between the customer and the vendor. The SLA may specify the levels of availability, serviceability, performance, operation, or other commitment requirements.

behavior-based detection

- Also called statistical intrusion detection, anomaly detection, and heuristics-based detection. - The process of comparing definitions of what activity is considered normal against observed events to identify significant deviations. This approach is used on some intrusion detection systems. - A method of detection used by intrusion detection systems (IDSs) and intrusion prevention systems (IPSs). The IDS/IPS attempts to document normal behavior in the form of a baseline. It then monitors the activity and constantly compares it to the baseline. If the current activity differs significantly from the baseline, the IDS/IPS will issue an alert on the activity. - Anomaly analysis adds to an IDS's capabilities by allowing it to recognize and react to sudden increases in traffic volume or activity, multiple failed login attempts, logons or program activity outside normal working hours, or sudden increases in error or failure messages. All of these could indicate an attack that a knowledge-based detection system may not recognize. - It can be labeled an expert system or a pseudo-artificial intelligence system because it can learn and make assumptions about events.

Man-in-the-Middle Attack

- an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. - A form of eavesdropping where the attacker makes an independent connection between two victims and steals information to use fraudulently. - types: 1. copying or sniffing the traffic between two parties, which is basically a sniffer attack. 2. involves attackers positioning themselves in the line of communication where they act as a store and forward or proxy mechanism.

incident

- any event that has a negative effect on the CIA of an organization's assets. - ITILv3 defines an incident as "an unplanned interruption to an IT Service or a reduction in the quality of an IT Service." - Notice that these definitions encompass events as diverse as direct attacks, natural occurrences such as a hurricane or earthquake, and even accidents, such as someone accidentally cutting cables for a live network.

Second-generation firewalls

- Application-level firewalls or proxy servers, that is, dedicated systems that are separate from the filtering router and that provide intermediate services for requestors. - Add additional filtering capabilities. - For example, an application-level gateway firewall filters traffic based on specific application requirements, and a circuit-level gateway firewall filters traffic based on the communications circuit.

Pseudo flaws

- False vulnerabilities or apparent loopholes intentionally implanted in a system in an attempt to tempt an attacker. - Often used on honeypot systems to emulate well-known operating system vulnerabilities. - While the attacker is exploring the system, monitoring and alerting mechanisms trigger and alert administrators to the threat.

TCP reset attack

- Attackers spoof the source IP in a RST packet and disconnect active sessions. The two systems then need to reestablish the session and re-create the data, consuming many more resources than a standard SYN flood. - Disrupts TCP communication because the reset bit ends a connection. - Sets the reset flag in a TCP header to 1, telling the respective computer to kill the TCP session immediately. - It manipulates the TCP session. - How it works: sessions are normally terminated with either the FIN (finish) or the RST (reset) packet. Attackers can spoof the source IP address in a RST packet and disconnect active sessions. The two systems then need to reestablish the session. - This is primarily a threat for systems that need persistent sessions to maintain data with other systems. - When the session is reestablished, they need to re-create the data, so it's much more than just sending three packets back and forth to establish the session.

Grudge attacks

- attacks carried out to damage an org or person - damage could be loss of info, harm to the org, person's reputation, or information processing capabilities - motivation is usually a feeling of resentment - attacker could be current or former employee

segregation of duties control matrix example

- a basic segregation of duties control matrix compares different roles and tasks within an organization. The areas marked with an X indicate potential conflicts to avoid. - For example, consider an application programmer and a security administrator. The programmer can make unauthorized modifications to an application, but auditing or reviews by a security administrator would detect the unauthorized modifications. However, if a single person had the duties (and the privileges) of both jobs, this person could modify the application and then cover up the modifications to prevent detection.

Auxiliary alarm systems

- can be added to either local or centralized alarm systems. - When the security perimeter is breached, emergency services are notified to respond to the incident and arrive at the location. - This could include fire, police, and medical services.

Endpoint-based DLP

- can scan files stored on a system as well as files sent to external devices, such as printers. - For example, an organization's endpoint-based DLP can prevent users from copying sensitive data to USB flash drives or sending sensitive data to a printer. Administrators would configure the DLP to scan the files for the appropriate keywords, and if it detects files with these keywords, it will block the copy or print job. - It is possible to configure an endpoint-based DLP system to regularly scan files (such as on a file server) for files containing specific keywords or patterns, or even for unauthorized file types, such as MP3 files.

Financial attacks

- carried out to unlawfully obtain money or services. - could be to steal credit card numbers, increase the balance in a bank account, or place 'free' long-distance telephone calls. You have probably heard of individuals breaking into telephone company computers and placing free calls. This type of financial attack is called phone phreaking. - Shoplifting and burglary are both examples of financial attacks.

active response

- changes the environment to block the activity in addition to logging and sending a notification. - examples: collecting additional information about the intrusion, modifying the network environment, taking action against the intrusion.

Split knowledge

- combines the concepts of separation of duties and two-person control into a single solution. - The basic idea is that the information or privilege required to perform an operation is divided among two or more users. - ensures that no single person has sufficient privileges to compromise the security of the environment.

lighting

- commonly used form of perimeter security control. - primary purpose: to discourage casual intruders, trespassers, prowlers, or would-be thieves who would rather perform their misdeeds in the dark. - not a strong deterrent. - should not be used as the primary or sole protection mechanism except in areas with a low threat level. - should not illuminate the positions of guards, dogs, patrol posts, or other similar security elements. - should never cause glare or reflective distraction to guards, dogs, and monitoring equipment, which could otherwise aid attackers during break-in attempts. - a de facto standard is that lighting used for perimeter protection should illuminate critical areas with 2 candle feet of power. - placement of the lights: Standards seem to indicate that light poles should be placed the same distance apart as the diameter of the illuminated area created by the illumination elements. Thus, if a lighted area is 40 feet in diameter, poles should be 40 feet apart.

Destroying Data

- data should be destroyed when no longer needed - deleting files will not be sufficient, so more thorough methods are needed. - When deleting sensitive data, many organizations require personnel to destroy the disk to ensure data is not accessible.

Cloud Computing Security Requirements Guide

- defines specific requirements for U.S. government agencies to follow when evaluating the use of cloud computing assets. - identifies computing requirements for assets labeled Secret and below using six separate information impact levels.

Software as a Service (SaaS)

- delivers applications over the cloud using a pay-per-use revenue model. - Software that is owned, delivered, and managed remotely and provided over the Internet to contracted customers on a pay-for-use basis or as a subscription based on use metrics. - A form of cloud computing where a firm subscribes to third-party software and receives a service that is delivered online. - provides fully functional applications typically accessible via a web browser. - For example, Google's Gmail is a SaaS application. - The CSP is responsible for all maintenance of the SaaS services. - Consumers do not manage or control any of the cloud-based assets.

Vulnerability Assessment

- determines the impact (both quantitative and qualitative) of the loss of a critical business function. - A systematic and methodical evaluation of the exposure of assets to attackers, forces of nature, or any other entity that is a potential harm. - A vulnerability assessment will often include results from vulnerability scans, but the assessment will do more. - For example, an annual vulnerability assessment may analyze all of the vulnerability scan reports from the past year to determine if the organization is addressing vulnerabilities. If the same vulnerability is repeated on every vulnerability scan report, a logical question to ask is, "Why hasn't this been mitigated?" There may be a valid reason and management chose to accept the risk, or it may be that the vulnerability scans are being performed but action is never taken to mitigate the discovered vulnerabilities. - Vulnerability assessments are often done as part of a risk analysis or risk assessment to identify the vulnerabilities at a point in time. Additionally, vulnerability assessments can look at other areas to determine risks. For example, a vulnerability assessment can look at how sensitive information is marked, handled, stored, and destroyed throughout its lifetime to address potential vulnerabilities.

drawbacks to MAAs

- difficult to enforce - Cooperating organizations should be located in relatively close proximity to each other to facilitate transportation of employees between sites. However, proximity means that both organizations may be vulnerable to the same threats. - confidentiality and legal concerns

change management review

- ensures that changes are implemented in accordance with the organization's change management policy. - includes a review of outages to determine the cause. - Outages that result from unauthorized changes are a clear indication that the change management program needs improvement.

Separation of Duties and Responsibilities

- ensures that no single person has total control over a critical function or system. - necessary to ensure that no single person can compromise the system or its security. - Instead, two or more people must conspire or collude against the organization, which increases the risk for these people. - creates a checks-and-balances system where two or more users verify each other's actions and must work in concert to accomplish necessary work tasks. - This makes it more difficult for individuals to engage in malicious, fraudulent, or unauthorized activities and broadens the scope of detection and reporting.

Patch management review

- ensures that patches are evaluated as soon as possible once they are available. - ensures that the organization follows established procedures to evaluate, test, approve, deploy, and verify the patches. - Vulnerability scan reports can be valuable in any patch management review or audit.

Marking (or labeling) data

- ensures that personnel can easily recognize the data's value. - Personnel should mark the data as soon as possible after creating it. - As an example, a backup of Top Secret data should be marked Top Secret. If a system processes sensitive data, the system should be marked with the appropriate label. - In addition to marking systems externally, organizations often configure wallpaper and screen savers to clearly show the level of data processed on the system. - For example, a system processing Secret data would have wallpaper and screen savers clearly indicating that the system processes Secret data.

Vulnerability Management review

- ensures that vulnerability scans and assessments are performed regularly in compliance with established guidelines. - For example, an organization may have a policy document stating that vulnerability scans are performed at least weekly, and the review verifies that this is done. - review will verify that the vulnerabilities discovered in the scans have been addressed and mitigated.

intrusion

- entrance by force or without permission or welcome. - occurs when an attacker is able to bypass or thwart security mechanisms and gain access to an organization's resources.

Testimonial Evidence

- evidence consisting of the testimony of a witness, either verbal testimony in court or written testimony in a recorded deposition. - Witnesses must take an oath agreeing to tell the truth, and they must have personal knowledge on which their testimony is based. - what is said in court by a competent witness. - also called direct evidence or prima facie evidence

Traffic Analysis and Trend Analysis

- forms of monitoring that examine the flow of packets rather than actual packet contents. - also called network flow monitoring. - It can infer a lot of information, such as primary and backup communication routes, the location of primary servers, sources of encrypted traffic, the amount of traffic supported by the network, typical direction of traffic flow, frequency of communications, and much more. - These techniques can sometimes reveal questionable traffic patterns, such as when an employee's account sends a massive amount of email to others. This might indicate the employee's system is part of a botnet controlled by an attacker at a remote location. - might detect if an unscrupulous insider forwards internal information to unauthorized parties via email. - These types of events often leave detectable signatures.

Badges, identification cards, and security IDs

- forms of physical identification and/or electronic access control devices.

Full-knowledge Team

- has full access to all aspects of the target environment. - They know what patches and upgrades are installed, and the exact configuration of all relevant devices. - If the target is an application, they would have access to the source code. - performs white-box testing (or crystal-box or clear-box testing). - more efficient and cost-effective in locating vulnerabilities because less time is needed for discovery.

Business attacks

- illegally obtaining an organization's confidential information. - goal is solely to extract confidential information. - the use of this information causes more damage than the attack itself. - a policy must be developed that will handle such an intrusion should it occur.

Parallel tests

- involve relocating personnel to the alternate recovery site and implementing site activation procedures. - The employees relocated to the site perform their disaster recovery responsibilities just as they would for an actual disaster. - The only difference is that operations at the main facility are not interrupted. That site retains full responsibility for conducting the day-to-day business of the organization.

Network-based IDS (NIDS)

- it attaches the system to a point in the network where it can monitor and report on all network traffic. - Monitors network traffic for particular network segments or devices and analyzes network, transport, and application protocols to identify suspicious activity. - A NIDS device is a network appliance dedicated to the purpose of acting as an IDS sensor. - monitors and evaluates network activity to detect attacks or event anomalies. It cannot monitor the content of encrypted traffic but can monitor other packet details. - A single NIDS can monitor a large network by using remote sensors to collect data at key network locations that send data to a central management console. These sensors can monitor traffic at routers, firewalls, network switches that support port mirroring, and other types of network taps.

badge

- it can be as simple as a name tag indicating whether you are a valid employee or a visitor. - Or it can be as complex as a smartcard or token device that employs multifactor authentication to verify and prove your identity and provide authentication and authorization to access a facility, specific rooms, or secured workstations. - They often include pictures, magnetic strips with encoded data, and personal details to help a security guard verify identity. - identification using a badge: it is swiped in a device, and then the badge owner must provide one or more authentication factors, such as a password, passphrase, or biological trait (if a biometric device is used). - authentication using a badge: the owner provides an ID, username, and so on, and then swipes the badge to authenticate.

drawback of knowledge based detection

- it is effective only against known attack methods. New attacks, or slightly modified versions of known attacks, often go unrecognized by the IDS.

benefit of honeypot/honeynets

- keeps the attacker away from a production environment. - gives administrators an opportunity to observe an attacker's activity without compromising the live environment. - sometimes it is designed to delay an intruder long enough for the automated IDS to detect the intrusion and gather as much information about the intruder as possible. - The longer the attacker spends with the honeypot, the more time an administrator has to investigate the attack and potentially identify the intruder. - considered to be an effective countermeasure against zero-day exploits.

zero-knowledge team

- knows nothing about the target site except for publicly available information, such as domain name and company address. - It's as if they are looking at the target as a black box and have no idea what is within the box until they start probing. - attack resembles a real external attack because all information about the environment must be obtained from scratch.

Military and intelligence attacks

- launched primarily to obtain secret and restricted information from law enforcement or military and technological research sources. - disclosure of such information could compromise investigations, disrupt military planning, and threaten national security. - carried out by professionals who are very good at covering their tracks

MITRE

- looks like an acronym, but it isn't - MITRE is not a part of MIT. - MITRE receives funding from the U.S. government to maintain the CVE (Common Vulnerability and Exposures) database.

Hardware-based RAID

- more efficient and reliable. - While a hardware RAID is more expensive, the benefits outweigh the costs when used to increase availability of a critical component. - include spare drives that can be logically added to the array. - For example, a hardware-based RAID-5 could include five disks, with three disks in a RAID-5 array and two spare disks. If one disk fails, the hardware senses the failure and logically swaps out the faulty drive with a good spare.

Remote Mirroring

- most advanced database backup solution - a live database server is maintained at the backup site - the remote server receives copies of database modifications at the same time they are applied to the production server at the primary site - ready to take over instantly - very expensive. - popular database backup strategy for organizations seeking to implement a hot site.

Notification Alarms

- often silent from the intruder/attacker perspective but record data about the incident and notify administrators, security guards, and law enforcement. - A recording of an incident can take the form of log files and/or CCTV tapes. - The purpose is to bring authorized security personnel to the location of the intrusion or attack in hopes of catching the person(s) committing the unwanted or unauthorized acts.

Sampling or Data Extraction

- process of extracting specific elements from a large collection of data to construct a meaningful representation or summary of the whole. - a form of data reduction that allows someone to glean valuable information by looking at only a small sample of data in an audit trail. - Statistical sampling uses precise mathematical functions to extract meaningful information from a very large volume of data. - This is similar to the science used by pollsters to learn the opinions of large populations without interviewing everyone in the population. - There is always a risk that sampled data is not an accurate representation of the whole body of data, and statistical sampling can identify the margin of error.

Logging

- process of recording information about events to a log file or database. - Logging captures events, changes, messages, and other data that describe activities that occurred on a system. - Logs will commonly record details such as what happened, when it happened, where it happened, who did it, and sometimes how it happened. - When you need to find information about an incident that occurred in the recent past, logs are a good place to start.

Monitoring

- process of reviewing information logs looking for something specific. - Personnel can manually review logs, or use tools to automate the process. - necessary to detect malicious actions by subjects as well as attempted intrusions and system failures. - It can help reconstruct events, provide evidence for prosecution, and create reports for analysis.

community cloud deployment model

- provides cloud-based assets to two or more organizations. - Maintenance responsibilities are shared based on who is hosting the assets and the service models.

Terrorist attacks

- purpose is to disrupt normal life and instill fear, whereas the purpose of a military attack is to extract secret information. - usually preceded by intelligence gathering. - potential targets are systems that regulate power plants, control telecommunications, or manage power distribution.

Entitlement In the context of least privilege

- refers to the amount of privileges granted to users, typically when first provisioning an account. - when administrators create user accounts, they ensure the accounts are provisioned with the appropriate amount of resources, and this includes privileges. - User provisioning processes should follow the principle of least privilege.

Aggregation In the context of least privilege

- refers to the amount of privileges that users collect over time. - For example, if a user moves from one department to another while working for an organization, this user can end up with privileges from each department. - To avoid access aggregation problems such as this, administrators should revoke privileges when users move to a different department and no longer need the previously assigned privileges.

Software-based systems RAID

- require the operating system to manage the disks in the array and can reduce overall system performance. - relatively inexpensive since they don't require any additional hardware other than the additional disk(s).

Sarbanes-Oxley Act of 2002 (SOX)

- requires a segregation of duties policy - commonly used to ensure that security duties are separate from other duties within an organization - i.e., auditing personnel are not responsible for security - applies to all public companies that have registered equity or debt securities with the Securities and Exchange Commission (SEC).

non-statistical sampling or discretionary sampling

- sampling at the auditor's discretion. - doesn't offer an accurate representation of the whole body of data and will ignore events that don't reach the clipping level threshold. - However, it is effective when used to focus on specific events. - less expensive and easier to implement than statistical sampling.

Network-based DLP

- scans all outgoing data looking for specific data. - Administrators would place it on the edge of the network to scan all data leaving the organization. - If a user sends out a file containing restricted data, the DLP system will detect it and prevent it from leaving the organization. - The DLP system will send an alert, such as an email to an administrator.

need of DRP

- should be set up so that it can almost run on autopilot. - to reduce decision-making activities during a disaster as much as possible. - Essential personnel should be well trained in their duties and responsibilities in the wake of a disaster and also know the steps they need to take to get the organization up and running as soon as possible.

RAID 4

- similar to RAID 3, but data is not striped on the parity disk - good read throughput and reasonable write throughput - Block-level striping with dedicated parity. Not often used, replaced with RAID 5.

proprietary system

- similar to a central station system, but the host organization has its own onsite security staff waiting to respond to security breaches.

Two-person control (or Two-man rule)

- similar to segregation of duties. - It requires the approval of two individuals for critical tasks. - For example, safety deposit boxes in banks often require two keys. A bank employee controls one key and the customer holds the second key. Both keys are required to open the box, and bank employees allow a customer access to the box only after verifying the customer's identification. - Using two-person controls within an organization ensures peer review and reduces the likelihood of collusion and fraud.

Fraggle attacks

- similar to smurf attacks - type of DoS attack - uses UDP packets over UDP ports 7 and 19. - will broadcast a UDP packet using the spoofed IP address of the victim. All systems on the network will then send traffic to the victim, just as with a smurf attack.

Read-through test

- simplest type of DRP test - copies of the DRP are distributed to members of the disaster recovery team (DRT) for review. - 3 goals: 1) ensures key personnel are aware of their responsibilities and have their knowledge refreshed 2) provides a chance for obsolete info to be updated 3) helps update personnel lists

Job rotation (or rotation of duties)

- simply that employees are rotated through jobs, or at least some of the job responsibilities are rotated to different employees. - provides peer review, reduces fraud, and enables cross-training. - Cross-training helps make an environment less dependent on any single individual. - can act as both a deterrent and a detection mechanism. - If employees know that someone else will be taking over their job responsibilities at some point in the future, they are less likely to take part in fraudulent activities. If they choose to do so anyway, individuals taking over the job responsibilities later are likely to discover the fraud.

Vulnerability Scans

- software tools used to test systems and networks for known security issues. - used by attackers to detect weaknesses in systems and networks, such as missing patches or weak passwords, and to launch attacks that exploit them. - used by administrators to detect vulnerabilities on their network and mitigate them before an attacker discovers them. - include a database of known security issues, and they check systems against this database.

Differential Backups

- store all files that have been modified since the time of the most recent full backup. - Only files that have the archive bit turned on, enabled, or set to 1 are duplicated. - However, unlike full and incremental backups, the differential backup process does not change the archive bit.

Incremental Backups

- store only those files that have been modified since the time of the most recent full or incremental backup. - Only files that have the archive bit turned on, enabled, or set to 1 are duplicated. - Once an incremental backup is complete, the archive bit on all duplicated files is reset, turned off, or set to 0.

Partial knowledge Team

- has some knowledge of the target and performs gray-box testing, but is not provided access to all the information. - may be given information on the network design and configuration details so that they can focus on attacks and vulnerabilities for specific targets.

Steganography

- the art and science of hiding information by embedding messages within other, seemingly harmless messages. - A technology that makes it possible to embed hidden information in documents, pictures, and music files. - possible to detect steganography attempts using hashing

Infrastructure as a Service (IaaS)

- the cloud hosting of a bare server computer or data storage. - delivers hardware networking capabilities, including the use of servers, networking, and storage, over the cloud using a pay-per-use revenue model. - provide basic computing resources to consumers. - includes servers, storage, and in some cases, networking resources. - Consumers install operating systems and applications and perform all required maintenance on the operating systems and applications. - CSP maintains the cloud-based infrastructure, ensuring that consumers have access to leased systems. - The distinction between IaaS and PaaS models isn't always clear when evaluating public services. However, when leasing cloud-based services, the label the CSP uses isn't as important as clearly understanding who is responsible for performing different maintenance and security actions.

Rotation Cycle

- the frequency of backups and retention length of protected data. - By overseeing these characteristics, you can be assured that valuable data will be retained on serviceable backup media.

Natural Disasters

- these can cause a lot of damage or kill a lot of people, for example, floods or earthquakes. - a natural event such as a flood, earthquake, or hurricane that causes great damage or loss of life.

difference between incremental and differential backups

- time needed to restore data in the event of an emergency. - If you use a combination of full and differential backups, you will need to restore only two backups: the most recent full backup and the most recent differential backup. On the other hand, if your strategy combines full backups with incremental backups, you will need to restore the most recent full backup as well as all incremental backups performed since that full backup. The trade-off is the time required to create the backups: differential backups don't take as long to restore, but they take longer to create than incremental ones.

Access Review Audits

- ensure that object access and account management practices support the security policy. - These audits verify that users do not have excessive privileges and that accounts are managed appropriately. - ensure that secure processes and procedures are in place, that personnel are following them, and that these processes and procedures are working as expected. - For example, access to highly valuable data should be restricted to only the users who need it. An access review audit will verify that data has been classified and that data classifications are clear to the users.

baseline images

- used to create baselines - improve the security of systems by ensuring that desired security settings are always configured correctly. - reduce the amount of time required to deploy and maintain systems, thus reducing the overall maintenance costs. - Deployment of a prebuilt image can require only a few minutes of a technician's time. - when a user's system becomes corrupt, technicians can redeploy an image in minutes, instead of taking hours to troubleshoot the system or trying to rebuild it from scratch. - 3 steps: 1) admin installs the OS and applications, configures system security, and tests 2) admin captures a system image 3) image is deployed to systems as needed.

Duress systems

- useful when personnel are working alone. - For example, a single guard might be guarding a building after hours. If a group of people break into the building, the guard probably can't stop them on his own. However, a guard can raise an alarm with a duress system. - A simple duress system is just a button that sends a distress call. A monitoring entity receives the distress call and responds based on established procedures.

Central Station System

- usually silent locally, but offsite monitoring agents are notified so they can respond to the security breach. - Most residential security systems are of this type. - a proprietary system is similar, but the host organization has its own onsite security staff waiting to respond to security breaches. - Most central station systems are well-known or national security companies, such as Brinks and ADT.

Platform as a Service (PaaS)

- vendors provide hosted computers, an operating system, and possibly a DBMS. - supports the deployment of entire systems including hardware, networking, and applications using a pay-per-use revenue model. - A cloud service in which consumers can install and run their own specialized applications on the cloud computing network. - provide consumers with a computing platform, including hardware, an operating system, and applications. - consumers install the applications from a list of choices provided by the CSP. - Consumers manage their applications and possibly some configuration settings on the host. - CSP is responsible for maintenance of the host and the underlying cloud infrastructure.

disadvantages of HIDSs

- Must have a process on every system you want to watch. - High cost of ownership and maintenance. - Uses local system resources. - Very focused view and cannot relate to activity around it. - If logging only locally, could be compromised or disabled.

Hybrid cloud model

- a combination of two or more clouds. - Similar to a community cloud model, maintenance responsibilities are shared based on who is hosting assets and the service models in use.

real evidence

- also known as object evidence. - consists of things that may actually be brought into a court of law. - In common criminal proceedings, this may include items such as a murder weapon, clothing, or other physical objects. - In a computer crime case, real evidence might include seized computer equipment, such as a keyboard with fingerprints on it or a hard drive from a hacker's computer system. - Depending on the circumstances, real evidence may also be conclusive evidence, such as DNA, that is incontrovertible.

Ten Commandments of Computer Ethics

1) Thou shalt not use a computer to harm other people. 2) Thou shalt not interfere with other people's computer work. 3) Thou shalt not snoop around in other people's computer files. 4) Thou shalt not use a computer to steal. 5) Thou shalt not use a computer to bear false witness. 6) Thou shalt not copy or use proprietary software for which you have not paid. 7) Thou shalt not use other people's computer resources without authorization or proper compensation. 8) Thou shalt not appropriate other people's intellectual output. 9) Thou shalt think about the social consequences of the program you are writing or the system you are designing. 10) Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.

basic preventive measures

1) keep systems and applications up-to-date 2) remove/disable unneeded services and protocols 3) use IDS/IPS 4) use up-to-date anti-malware 5) use firewalls

4 types of trusted recovery?

1) manual recovery 2) automated recovery 3) automated recovery without undue loss 4) function recovery

incident response life cycle by SP 800-61

1) preparation, 2) detection and analysis, 3) containment, eradication, and recovery, 4) post-incident recovery.

creating and deploying baseline images in an overall three-step process

1. An administrator starts by installing the OS and all desired applications on a computer (labeled as the baseline system in the figure). The administrator then configures the system with relevant security and other settings to meet the needs of the organization. Next, personnel perform extensive testing to ensure the system operates as expected before proceeding to the next step. 2. Next, the administrator captures an image of the system using imaging software and stores it on a server (labeled as an Image Server) in the figure. It's often possible to store images on external hard drives, USB drives, or DVDs. 3. Personnel then deploy the image to systems as needed. These systems often require additional configuration to finalize them, such as giving them unique names. However, the overall configuration of these systems is the same as the baseline system.

Factors contributing to QoS

1. Bandwidth: The network capacity available to carry communications. 2. Latency: The time it takes a packet to travel from source to destination. 3. Jitter: The variation in latency between different packets. 4. Packet Loss: Some packets may be lost between source and destination, requiring retransmission. 5. Interference: Electrical noise, faulty equipment, and other factors may corrupt the contents of packets. In addition to controlling these factors, QoS systems often prioritize certain traffic types that have low tolerance for interference and/or have high business requirements. - For example, a QoS device might be programmed to prioritize video conference traffic from the executive conference room over video streaming from an intern's computer.

cloud computing disadvantages

1. Cloud computing is dependent on Internet access. 2. Document editors are quite basic, so they don't have the range of features available in commercial software (think Microsoft Word vs. a Google Doc). 3. Not good at memory-heavy applications such as video editing, which have to be done on a desktop computer. 4. outages (due to too many "clients"), 5. security (service provider has access to business data), 6. switching cloud services is difficult, 7. someone else owns your hardware, and 8. subject to downtime

goals of a penetration test

1. Determine how well a system can tolerate an attack 2. Identify employees' ability to detect and respond to attacks in real time 3. Identify additional controls that can be implemented to reduce risk

Backup Tape Formats

1. Digital Data Storage (DDS)/Digital Audio Tape (DAT) 2. Digital Linear Tape (DLT) and Super DLT 3. Linear Tape Open (LTO)

steps within an effective patch management program

1. Evaluate patches - check applicability 2. Test patches - test patches on an isolated system to determine if the patch causes any unwanted side effects 3. Approve the patches 4. Deploy the patches 5. Verify that patches are deployed

Response and Reporting of Incidents

1. Isolation and Containment: In the isolation and containment phase of incident response, it is critical that you leave the system in a running state. Do not power down the system. Turning off the computer destroys the contents of volatile memory and may destroy evidence. 2. Gathering Evidence 3. Analysis and Reporting

types of Computer crimes

1. Military and intelligence attacks 2. Business attacks 3. Financial attacks 4. Terrorist attacks 5. Grudge attacks 6. Thrill attacks

management controls to check using security audits

1. Patch management 2. Vulnerability Management 3. Configuration Management 4. Change Management

Implement and Manage Physical Security

1. Perimeter (e.g., Access Control and Monitoring) 1.1. Fences, Gates, Turnstiles, and Mantraps 1.2. Lighting 1.3. Security Guards and Dogs 2. Internal Security (e.g., Escort Requirements/Visitor Control, Keys, and Locks) 2.1. Keys and Combination Locks 2.2. Badges, identification cards, and security IDs 2.3. Motion Detectors 2.4. Intrusion Alarms 2.5. Secondary Verification Mechanisms like CCTV 3. Environment and Life Safety 4. Privacy Responsibilities and Legal Requirements 5. Regulatory Requirements

tasks within a change management process

1. Request the change 2. Review the change 3. Approve/reject the change 4. Schedule and implement the change 5. Document the change.

Recovery and Remediation Incident

1. Restoration: The goal of the restoration process is to remediate any damage that may have occurred to the organization and limit the damage incurred by similar incidents in the future. 2. Lessons Learned

Types of Incidents

1. Scanning 2. Compromises 3. Malicious code 4. Denial of service

Types of logs

1. Security Logs 2. System Logs 3. Application Logs 4. Firewall logs 5. Proxy Logs 6. Change Logs

enticement versus entrapment in honeypots usage

1. Enticement: - An organization can legally use a honeypot as an enticement device if the intruder discovers it through no outward efforts of the honeypot owner. - Placing a system on the Internet with open security vulnerabilities and active services with known exploits is enticement. - Enticed attackers make their own decisions to perform illegal or unauthorized actions. 2. Entrapment (which is illegal): - occurs when the honeypot owner actively solicits visitors to access the site and then charges them with unauthorized intrusion. - In other words, it is entrapment when you trick or encourage someone into performing an illegal or unauthorized action. - Laws vary in different countries, so it's important to understand local laws related to enticement and entrapment.

methods of IDS

1. knowledge-based detection: uses signatures similar to the signature definitions used by anti-malware software. 2. behavior-based detection: doesn't use signatures but instead compares activity against a baseline of normal performance to detect abnormal behavior. - Many IDSs use a combination of both methods.

4th Code of Ethics Canon

Advance and protect the profession

Which two elements of the recovery process are addressed to implement a trusted solution?

1st - failure preparation. This includes system resilience and fault-tolerant methods in addition to a reliable backup solution. 2nd - system recovery. The system should be forced to reboot into a single-user, non-privileged state. This means that the system should reboot so that a normal user account can be used to log in and that the system does not grant unauthorized access to users. System recovery also includes the restoration of all affected files and services actively in use on the system at the time of the failure or crash. Any missing or damaged files are restored, any changes to classification labels are corrected, and settings on all security-critical files are then verified.

What is the height of fences to deter casual trespassers?

3 to 4 feet

What height of fence with three strands of barbed wire deters even determined intruders?

8 or more feet high

Cold Sites (Disaster recovery):

A "recovery" cold site is essentially data center space, with power, and network connectivity that is available when needed. In the event of a disaster, teams can move and install a business's hardware at the cold site in order to get the systems back up and running. - are standby facilities large enough to handle the processing load of an organization and equipped with appropriate electrical and environmental support systems. - may be large warehouses, empty office buildings, or other similar structures. - no computing facilities (hardware or software) preinstalled and also has no active broadband communications links. - have at least a few copper telephone lines, and some sites may have standby links that can be activated with minimal notification. - least expensive option and perhaps the most practical

RAID (redundant array of disks)

A RAID array includes two or more disks, and most RAID configurations will continue to operate even after one of the disks fails.

Protecting Hard Drives

A common way that fault tolerance and system resilience is added for computers is with a redundant array of disks (RAID) array. - A RAID array includes two or more disks, and most RAID configurations will continue to operate even after one of the disks fails.

Padded cell system

A protected honeypot that cannot be easily compromised. - similar to a honeypot, but it performs intrusion isolation using a different approach. - When an IDS detects an intruder, that intruder is automatically transferred to a padded cell. - The padded cell has the look and feel of an actual network, but the attacker is unable to perform any malicious activities or access any confidential data from within the padded cell. - The padded cell is a simulated environment that offers fake data to retain an intruder's interest, similar to a honeypot. - However, the IDS transfers the intruder into a padded cell without informing the intruder that the change has occurred. In contrast, the attacker chooses to attack the honeypot. - Administrators monitor padded cells closely and use them to trace attacks and gather evidence for possible prosecution of attackers.

passive response

A response option in intrusion detection in which the system simply reports and records the problem detected, relying on the user to take subsequent action. - A nonactive response, such as logging. Passive response is the most common type of response to many intrusions. In general, passive responses are the easiest to develop and implement.

Signature-based detection

A type of intrusion detection that compares traffic against preconfigured attack patterns known as signatures. - Also known as knowledge-based detection or misuse detection. - A method of virus detection used to detect known viruses. Viruses have specific characteristics that can be used to identify them uniquely. The signature can be a unique characteristic such as a specific byte pattern within the virus. - Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) can also use signatures to detect known attack methods.

Vulnerability Assessment and Vulnerability Scan

A vulnerability assessment will often include results from vulnerability scans, but the assessment will do more. - For example, an annual vulnerability assessment may analyze all of the vulnerability scan reports from the past year to determine if the organization is addressing vulnerabilities. If the same vulnerability is repeated on every vulnerability scan report, a logical question to ask is, Why hasn't this been mitigated? There may be a valid reason and management chose to accept the risk, or it may be that the vulnerability scans are being performed but action is never taken to mitigate the discovered vulnerabilities. - Vulnerability assessments are often done as part of a risk analysis or risk assessment to identify the vulnerabilities at a point in time. Additionally, vulnerability assessments can look at other areas to determine risks. For example, a vulnerability assessment can look at how sensitive information is marked, handled, stored, and destroyed throughout its lifetime to address potential vulnerabilities.

Heat Based Motion Detector

monitors for significant or meaningful changes in the heat levels and patterns in a monitored area.

access rights vs permissions

Access rights are synonymous with permissions, but rights can also refer to the ability to take action on a system, such as the right to change the system time.

cloud computing advantages

Accessibility, cost saving, flexibility, reliability, portability, capacity on demand, backup/recovery, scalability, availability

2nd Code of Ethics Canon

Act honorably, honestly, justly, responsibly, and legally

Infrared motion detectors

monitors for significant or meaningful changes in the infrared lighting pattern of a monitored area.

Memorandum of Understanding (MOU)

Agreement between two parties establishing a set of principles that govern their relationship on a particular matter. - document the intention of two entities to work together toward a common goal. Although an MOU is similar to an SLA, it is less formal and doesn't include any monetary penalties if one of the parties doesn't meet its responsibilities. - used by countries to govern their sharing of assets in international asset-forfeiture cases or to set out their respective duties in anti-money laundering initiatives. - Financial Intelligence Units (FIUs), with the task of receiving and analyzing suspicious transaction reports on an ongoing basis and maintaining close links with police and customs authorities, share information among themselves informally in the context of investigations, usually on the basis of an MOU. - The Egmont Group of FIUs has established a model for such MOUs. Unlike the Mutual Legal Assistance Treaty (see below), this gateway is ordinarily used not for obtaining evidence, but for obtaining intelligence that might lead to evidence.

Local alarm systems

Alarm systems that broadcast an audible (up to 120 decibel [dB]) signal that can be easily heard up to 400 feet away. Additionally, they must be protected from tampering and disablement, usually by security guards. In order for a local alarm to be effective, there must be a security team or guards positioned nearby who can respond when the alarm is triggered.

Can NIDS detect the initiation of an attack or ongoing attacks?

An NIDS is usually able to detect the initiation of an attack or ongoing attacks, but it can't always provide information about the success of an attack. - It won't know if an attack affected specific systems, user accounts, files, or applications. - For example, an NIDS may discover that a buffer overflow exploit was sent through the network, but it won't necessarily know whether the exploit successfully infiltrated a system. - However, after administrators receive the alert they can check the relevant systems. - Investigators can use the NIDS logs as part of an audit trail to learn what happened.

Interconnection Security Agreement (ISA)

An agreement between two organizations that own and operate connected IT systems to document the technical requirements of the interconnection. - An agreement between parties to establish procedures for mutual cooperation and coordination between them with respect to security requirements associated with their joint project. - An agreement between parties intended to minimize security risks for data transmitted across a network. - provides information on how the two parties establish, maintain, and disconnect the connection. - identify the minimum encryption methods used to secure the data.

Principle of Least Privilege

An approach where computer users are classified and the rights assigned are the minimum rights required to do their job. - A security discipline that requires that a particular user, system, or application be given no more privilege than necessary to perform its function or job. - relies on the assumption that all users have a well-defined job description that personnel understand. Without a specific job description, it is not possible to know what privileges users need.

Thrill attacks

An attack launched by crackers with few true skills. The main motivation behind thrill attacks is the "high" of getting into a system. - launched solely for the fun of it - attackers often lack the ability to devise their own attacks and often download programs to do the work ("script kiddies") - hacktivism falls into this category

Distributed Denial of Service (DDoS)

An attack that uses multiple zombie computers (even hundreds or thousands) in a botnet to flood a device with requests. - An attack where a firm's computer systems are flooded with thousands of seemingly legitimate requests, the sheer volume of which will slow or shut down the site's use. DDoS attacks are often performed via botnets.

RFC 2350

name - Expectations for Computer Security Incident Response

Documentary Evidence

Anything written or printed which is offered to prove or disprove facts pertaining to a case in court. - Written contracts, sales slips, letters, or affidavits (sworn statements). - evidence consisting of such documents as written contracts, business records, correspondence, wills, and deeds. - includes any written items brought into court to prove a fact at hand. This type of evidence must also be authenticated. - For example, if an attorney wants to introduce a computer log as evidence, they must bring a witness (for example, the system administrator) into court to testify that the log was collected as a routine business practice and is indeed the actual log that the system collected.

full backup

Backup that copies all data from a system. - store a complete copy of the data contained on the protected device. - duplicate every file on the system regardless of the setting of the archive bit. - Once a full backup is complete, the archive bit on every file is reset, turned off, or set to 0.

Baselining

Baselines can be created with checklists that require someone to make sure a system is deployed a certain way or with a specific configuration.

Aaron knows the threats to confidential data firsthand, working as a security officer for a very prominent and highly visible computing enterprise. His chief responsibility is to keep sensitive information from exposure to various elements and entities. Bethany is one of his more troublesome employees because she's constantly taking her notebook computer off site without properly securing its contents. Even a casual smash-and-grab theft attempt could put thousands of client contacts and their confidential business dealings at risk of being leaked and possibly sold to malicious parties. Aaron knows the potential dangers, but Bethany just doesn't seem to care. This poses the question: How might you better inform, train, or advise Bethany so that Aaron does not have to relieve her of her position should her notebook be stolen?

Bethany must come to understand and appreciate the importance of keeping sensitive information secure. It may be necessary to emphasize the potential loss and exposure that comes with losing such data to wrongdoers, competitors, or other unauthorized third parties. It may suffice to point out to Bethany that the employee handbook clearly states that employees whose behavior leads to the unauthorized disclosure or loss of information assets are subject to loss of pay or termination. If such behavior recurs after a warning, Bethany should be rebuked and reassigned to a position where she can't expose sensitive or proprietary information—that is, if she's not fired on the spot.

RAID 2

Bit-level striping with dedicated Hamming-code parity. OBSOLETE.

Software-Defined Networks (SDNs)

Decouple the control plane from the data plane (or forwarding plane). - The control plane uses protocols to decide where to send traffic, and the data plane includes rules that decide whether traffic will be forwarded. - SDN controller handles traffic-routing using simpler network devices that accept instructions from the controller. This eliminates some of the complexity related to traditional networking protocols.

Host-based IDS (HIDS)

Designed to run as software on a host computer system. - A system that looks for computer intrusions by monitoring activity on one or more individual PCs or servers. - monitors activity on a single computer, including process calls and information recorded in system, application, security, and host-based firewall logs. - It can often examine events in more detail than an NIDS can, and it can pinpoint specific files compromised in an attack. - track processes employed by the attacker.

intrusion detection and prevention systems (IDPSs)

Devices that are a combination of intrusion detection systems and intrusion prevention systems.

Segregation of Duties

Different individuals should be responsible for related activities. - example: The responsibility for record-keeping for an asset should be separate from the physical custody of that asset. - to ensure that individuals do not have excessive system access that may result in a conflict of interest. - When duties are properly segregated, no single employee will have the ability to commit fraud or make a mistake and have the ability to cover it up. - similar to separation of duties in that duties are separated, and also similar to a principle of least privilege in that privileges are limited. - relevant for any company that must abide by the Sarbanes-Oxley Act of 2002 (SOX) because SOX specifically requires it. However, it is also possible to apply segregation of duties policies in any IT environment.

types of backup

Full, Incremental, Differential

Computer Incident Response Team (CIRT)

Group of individuals usually consisting of Security Analysts organized to develop, recommend, and coordinate immediate mitigation actions for containment, eradication, and recovery resulting from computer security incidents. Also called a Computer Security Incident Response Team (CSIRT) or a CIRC (Computer Incident Response Center, Computer Incident Response Capability, or Cyber Incident Response Team)

NIST SP 800-144

Guidelines on Security and Privacy in Public Cloud Computing - provides in-depth details on security issues related to cloud-based computing.

benefit of HIDSs over NIDS

HIDSs can detect anomalies on the host system that NIDSs cannot detect. - For example, an HIDS can detect infections where an intruder has infiltrated a system and is controlling it remotely. - this sounds similar to what anti-malware software will do on a computer. It is. Many HIDSs include antimalware capabilities.

Why should an organisation keep logs only as long as they are required?

Keeping unnecessary logs can cause excessive labor costs if the organization experiences legal issues. - For example, if regulations require an organization to keep logs for one year but the organization has 10 years of logs, a court order can force personnel to retrieve relevant data from these 10 years of logs. - In contrast, if the organization keeps only one year of logs, personnel need only search a year's worth of logs, which will take significantly less time and effort.

preset locks

Key-based locks, the old-school ones

MOU vs SLA

An MOU documents the intention of two entities to work together toward a common goal. - Although an MOU is similar to an SLA, it is less formal and doesn't include any monetary penalties if one of the parties doesn't meet its responsibilities.

MTTF vs MTBF

MTTF is different from mean time between failures (MTBF). - MTTF is normally calculated for items that will not be repaired when they fail, such as a tape. - MTBF refers to the amount of time expected to elapse between failures of an item that personnel will repair, such as a computer server.

Structured Walk-Through Test

Representatives from each department come together and review/discuss DRP scenarios to ensure accuracy and to make changes if needed. - also called table-top exercise. - members of the disaster recovery team gather in a large conference room and role-play a disaster scenario. Usually, the exact scenario is known only to the test moderator, who presents the details to the team at the meeting. The team members then refer to their copies of the disaster recovery plan and discuss the appropriate responses to that particular type of disaster.

rights

Rights refer to the ability to take actions.

Virtual Storage Area Networks (VSANs)

SAN: a dedicated high-speed network that hosts multiple storage devices - used with servers that need high-speed access to data. SANs have historically been expensive due to their complex hardware requirements. - VSANs bypass these complexities with virtualization.

Teardrop Attack

Sends overlapping fragmented UDP packets to the target. - Exploits the reassembly of fragmented IP packets via the fragment offset field, which indicates the starting position, or offset, of the data contained in a fragmented packet relative to the data of the original unfragmented packet. - A type of DoS that sends mangled IP fragments with overlapping and oversized payloads to the target machine. - In it, an attacker fragments traffic in such a way that a system is unable to put data packets back together. Large packets are normally divided into smaller fragments when they're sent over a network, and the receiving system then puts the packet fragments back together into their original state. However, a teardrop attack mangles these packets in such a way that the system cannot put them back together. - Although current systems aren't susceptible to teardrop attacks, this does emphasize the importance of keeping systems up-to-date. Additionally, intrusion detection systems can check for malformed packets.

Remote Journaling vs electronic vaulting

Similarities: - data is transferred in bulk mode. - transaction logs transferred to the remote site are not applied to a live database server but are maintained in a backup device. When a disaster is declared, technicians retrieve the appropriate transaction logs and apply them to the production database. - entire database backup files are transferred. Differences: - transfer copies of the database transaction logs containing the transactions that occurred since the previous bulk transfer. - data transfers are more frequent in remote journaling

Hypervisor

Software that creates and manages virtual machines on a server or on a local computer. - Also called virtual machine manager (VMM). - primary software component in virtualization - manages the VMs, virtual data storage, and virtual network components. - As an additional layer of software on the physical server, it represents an additional attack surface. - If an attacker is able to compromise a physical host, the attacker can potentially access all of the virtual systems hosted on the physical server. - Administrators often take extra care to ensure virtual hosts are hardened. - each VM still needs to be updated individually. Updating the host system doesn't update the VMs.

Data Loss Prevention (DLP)

Software which works like antivirus programs in reverse, blocking outgoing messages (e-mail, instant messages, etc.) that contain key words or phrases associated with intellectual property or other sensitive data the organization wants to protect. - attempt to detect and block data exfiltration attempts. - can scan data looking for keywords and data patterns. - For example, imagine an organization uses data classifications of Confidential, Proprietary, Private, and Sensitive. - A DLP system can scan files for these words and detect them. - Pattern-matching DLP systems look for specific patterns. For example, US Social Security numbers have a pattern of nnn-nn-nnnn (three numbers, a dash, two numbers, a dash, and four numbers). The DLP can look for this pattern and detect it. - Types: network-based and endpoint-based.

ITIL (Information Technology Infrastructure Library)

The Information Technology Infrastructure Library (ITIL) is a set of concepts and practices for Information Technology Services Management (ITSM), Information Technology (IT) development and IT operations. - ITIL gives detailed descriptions of a number of important IT practices and provides comprehensive checklists, tasks and procedures that any IT organization can tailor to its needs. - The ITIL Core includes five publications addressing the overall life cycle of systems. - ITIL as a whole identifies best practices that an organization can adopt to increase overall availability, and the Service Transition publication addresses configuration management and change management processes. - Even though many of the concepts come from ITIL, organizations don't need to adopt ITIL to implement change and configuration management.

NIST SP 800-145

"The NIST Definition of Cloud Computing" provides standard definitions for many cloud-based services. This includes definitions for service models (SaaS, PaaS, and IaaS) and definitions for deployment models (public, private, community, and hybrid).

Remote wipe

The ability to completely erase a mobile device if it is lost or stolen. - security measure that automatically deletes sensitive data from a portable device when unauthorized accesses are attempted. - doesn't provide guaranteed protection. Knowledgeable thieves who want data from a business smartphone often remove the subscriber identity module (SIM) card immediately. Additionally, they have used shielded rooms similar to Faraday cages when putting the SIM back into the phone to get the data. These techniques block the remote wipe signal. If a confirmation message is not received indicating that the remote wipe has succeeded, it's very possible that the data has been compromised.

Security Impact Analysis

The analysis conducted by an organizational official to determine the extent to which changes to the information system have affected the security state of the system.

distinction between IaaS and PaaS models

The distinction between IaaS and PaaS models isn't always clear when evaluating public services. However, when leasing cloud-based services, the label the CSP uses isn't as important as clearly understanding who is responsible for performing different maintenance and security actions.

Incident Response

The initial response to a computer-related event that seeks to verify an incident, triage the incident, and gather necessary evidence while minimizing data and evidence loss. - The response of an organization to a disaster or other significant event that may significantly impact the organization, its people, or its ability to function productively. - The team should consist of management, IT, legal, human resources, public relations, security, etc. - Incident response is an ongoing activity, and the results of the lessons learned stage are used to improve detection methods or help prevent a repeated incident. - It does NOT include a counterattack against the attacker.

Consider Kim, who forwarded a seemingly harmless interoffice joke through email to Larry's account. Larry opened the document, which actually contained active code segments that performed harmful actions on his system. Larry then reported a host of "performance issues" and "stability problems" with his workstation, which he'd never complained about before. In this scenario, Kim and Larry don't recognize the harm caused by their apparently innocuous activities. After all, sharing anecdotes and jokes through company email is a common way to bond and socialize. What's the harm in that, right? The real question is how can you educate Kim, Larry, and all your other users to be more discreet and discerning in handling shared documents and executables?

The key is a combination of education, policy, and tools. - Education should inform Kim that forwarding non-work materials on the company network is counter to policy and good behavior. Likewise, Larry should learn that opening attachments unrelated to specific work tasks can lead to all kinds of problems (including those he fell prey to here). - Policies should clearly identify acceptable use of IT resources and the dangers of circulating unauthorized materials. - Tools such as anti-malware software should be employed to prevent and detect any type of malware within the environment.

Incident Response Process

The phases of incident response, including 1. Detection and identification 2. Response and reporting 3. Recovery and remediation

Media Management

The process of collecting, storing, organizing, copying, and moving source media files. - refers to the steps taken to protect media and data stored on media. In this context, media is anything that can hold data. - It includes tapes, optical media such as CDs and DVDs, portable USB or FireWire drives, external SATA (eSATA) drives, internal hard drives, solid-state drives, and USB flash drives

Configuration management

The process of ensuring that only authorized changes are made to a system. - A process that ensures that the descriptions of a project's products are correct and complete. - ensures that systems are configured similarly.

keystroke monitoring

The process used to view or record both the keystrokes entered by a computer user and the computer's response during an interactive session. Keystroke monitoring is usually considered a special case of audit trails. - commonly done via technical means such as a hardware device or a software program known as a keylogger. - compared to wiretapping

best evidence rule

The requirement that the original copy of a written agreement be submitted into evidence. - Copies or descriptions of original evidence (known as secondary evidence ) will not be accepted as evidence unless certain exceptions to the rule apply.

Ping of Death Attack

Type of attack in which a large ICMP packet is sent to overflow the remote host's buffer. This usually causes the remote host to reboot or hang. - A crafted ICMP packet larger than the maximum 65,535 bytes; causes the recipient system to crash or freeze. - attacks the victim with an oversized ping packet - pings are usually 32 or 64 bytes; this uses >64 KB pings - can cause buffer overflows or system crashes - rarely used today due to up-to-date patches

Automated Recovery

Type of Common Criteria trusted recovery where the system is able to perform trusted recovery activities by itself against at least one type of failure. - For example, a hardware RAID provides automated recovery against the failure of a hard drive but not against the failure of the entire server. - Some types of failures will require manual recovery.

Manual Recovery

an administrator is required to manually perform the actions necessary to implement a secured/trusted recovery after a failure or system crash - *the system does not fail in a secure state if it fails*

cloud deployment model

affects the breakdown of responsibilities for cloud-based assets. The four cloud models available are public, private, hybrid, and community.

Intrusion Alarms

a separate mechanism that triggers a deterrent, a repellent, and/or a notification. - Whenever a motion detector registers a significant or meaningful change in the environment, it triggers an alarm.

System Resilience

ability of a system to maintain an acceptable level of service during an adverse event - sometimes refers to the ability of a system to return to a previous state after an adverse event. - the adverse event could be a hardware fault managed by fault-tolerant components, or it could be an attack managed by other controls such as effective intrusion detection and prevention systems. - example: if a primary server in a failover cluster fails, fault tolerance ensures that the system fails over to another server. - the cluster can fail back to the original server after the original server is repaired.

Root Cause Analysis (RCA)

determines the underlying cause of adverse events; used after an incident to uncover the primary cause. - process to identify the underlying factors that contribute to variation in outcomes in a sentinel event

standard for lighting used for perimeter protection?

a de facto standard is that lighting used for perimeter protection should illuminate critical areas with 2 foot-candles of power.

simulation test

a method of testing a BCP or DRP in which a business interruption is simulated, and the response team responds as if the situation were real. - similar to a structured walk-through. - DRP team members are presented with a scenario and asked to develop an appropriate response. Some of these response measures are then tested. This may involve the interruption of noncritical business activities and the use of some operational personnel.

Firewalls

a part of a computer system or network that is designed to block unauthorized access while permitting outward communication.

System Compromise

any unauthorized access to the system or information the system stores

Privileges

are the combination of both rights and permissions.

separation of privilege (least privilege)

assures that no individuals or objects (such as programs that make requests of databases) have excessive functions on a system. - builds on the principle of least privilege and applies it to applications and processes. - requires the use of granular rights and permissions. - Administrators assign different rights and permissions for each type of privileged operation. They grant specific processes only the privileges necessary to perform certain functions, instead of granting them unrestricted access to the system. - can also apply to both user and service accounts. - supports a segregation of privilege policy.

how to violate Principle of Least Privilege

by adding all users to the local Administrators group or granting root access to a computer. This gives the users full control over the computer. - if a user logs on with full administrative privileges and inadvertently installs malware, the malware can assume full administrative privileges of the user's account. In contrast, if the user logs on with a regular user account, malware can only assume the limited privileges of the regular account.

legal requirements or Regulatory Requirements

can apply to licensed use of software, hiring restrictions, handling of sensitive materials, and compliance with safety regulations. - are considered a baseline or foundation on which the remainder of the security infrastructure is built.

Proxy Logs

can record details such as what sites users visit, how much time they spend there, and what time prohibited sites are visited - proxy servers can control what websites users can visit - proxy servers can also improve internet access performance

RAID 3 (disk striping with a parity disk)

combines three or more disks with the data distributed across the disks; uses one dedicated disk to store parity information; if a disk fails, the data remaining on the other disks, along with the parity information, allows the data to be recovered.

collusion

conspiracy. - example: Movie theaters use separation of duties to prevent fraud. One person sells tickets. Another person collects the tickets and doesn't allow entry to anyone who doesn't have a ticket. If the same person collects the money and grants entry, this person can allow people in without a ticket or pocket the collected money without issuing a ticket. Of course, it is possible for the ticket seller and the ticket collector to get together and concoct a plan to steal from the movie theater. This is collusion because it is an agreement between two or more persons to perform some unauthorized activity. However, collusion takes more effort and increases the risk to each of them. Policies such as this reduce fraud by requiring collusion to perform the unauthorized activity.

Intrusion Prevention System (IPS) vs Intrusion Detection System (IDS)

differences: 1. The IPS is placed in line with the traffic, i.e. all traffic must pass through the IPS, and the IPS can choose what traffic to forward and what traffic to block after analyzing it. This allows the IPS to prevent an attack from reaching a target. - An active IDS that is not placed in line can check the activity only after it has reached the target. The active IDS can take steps to block an attack after it starts but cannot prevent it. 2. An IPS can use knowledge-based detection and/or behavior-based detection, just as any other IDS. Additionally, it can log activity and provide notification to administrators just as an IDS would.

Chain of Evidence (Chain of Custody)

documentation of what has happened to evidence from the time it was discovered until it is needed in court, including every person who has had custody of the evidence and why

Patch and Vulnerability Management

ensure systems are up-to-date and protected against known vulnerabilities.

resource protection

ensures the protection of media and other valuable assets throughout the lifetime of the resource.

man-made disasters

events or factors that may include: - Bioterrorism attack - Chemical emergency - Radiation poisoning - Genocide - Pandemics and epidemics - Radiation - Terrorism - Fires - Bombings/Explosions - Power outage - Hardware/Software failures - Strikes/Picketing - Theft/Vandalism

Operational Investigations

examine issues related to the organization's computing infrastructure and have the primary goal of resolving operational issues. - For example, an IT team noticing performance issues on their web servers may conduct an operational investigation designed to determine the cause of the performance problems. - these may quickly transition to another type of investigation.

Basic Firewall

filters traffic based on IP addresses, ports, and some protocols using protocol numbers. - Firewalls include rules within an ACL to allow specific traffic and end with an implicit deny rule. - The implicit deny rule blocks all traffic not allowed by a previous rule. - For example, a firewall can allow HTTP and HTTPS traffic by allowing traffic using TCP ports 80 and 443, respectively.

electronic access control (EAC) lock

it incorporates three elements: 1. an electromagnet to keep the door closed, 2. a credential reader to authenticate subjects and to disable the electromagnet, and 3. a sensor to reengage the electromagnet when the door is closed.

drawback of behavior-based IDS

it often raises a high number of false alarms, also called false alerts or false positives. Patterns of user and system activity can vary widely during normal operations, making it difficult to accurately define the boundaries of normal and abnormal activity.

Which two terms describe unlocking Android and iOS mobile devices to allow users full access to the file system and full access to the kernel module? - jailbreaking - sandboxing - rooting - patching - remote wipe

jailbreaking/rooting

passive audio motion detector

listens for abnormal sounds in the monitored area

Types of Alarms based on their location

local, centralized or proprietary, or auxiliary.

Deterrent Alarms

may engage locks, shut doors, etc. - the goal is to make further intrusion more difficult

Egress Monitoring

monitoring outgoing traffic to prevent data exfiltration (unauthorized transfer of data outside an organization.) - common methods used to prevent data exfiltration are using data loss prevention techniques, looking for steganography attempts, and using watermarking to detect unauthorized data going out

Need-to-Know Access

requirement to grant users access only to data or resources they need to perform assigned work tasks. The primary purpose is to keep secret information secret. If you want to keep a secret, the best way is to tell no one.

Versioning

saving previous or incremental versions of programs or files. - refers to version control used in software configuration management. - A labeling or numbering system differentiates between different software sets and configurations across multiple machines or at different points in time on a single machine.

capacitance motion detector

senses changes in the electrical or magnetic field surrounding a monitored object.

photoelectric motion detector

senses changes in visible light levels for the monitored area. - they are usually deployed in internal rooms that have no windows and are kept dark.

Private Cloud

serves only one customer or organization and can be located on the customer's premises or off the customer's premises. - a cloud that is owned and operated by an organization for its own benefit. - includes cloud-based assets for a single organization. - Organizations can create and host private clouds using their own resources. If so, the organization is responsible for all maintenance. -However, an organization can also rent resources from a third party and split maintenance requirements based on the service model (SaaS, PaaS, or IaaS).

Espionage

the act of spying, especially a government spy obtaining secrets of another government. - malicious act of gathering proprietary, secret, private, sensitive, or confidential information about an organization. - Attackers often commit espionage with the intent of disclosing or selling the information to a competitor or other interested organization (such as a foreign government). - Countermeasures: to strictly control access to all nonpublic data, thoroughly screen new employee candidates, and efficiently track all employee activities.

Mean Time Between Failures (MTBF)

the average length of time between failures of a product or component. - amount of time expected to elapse between failures of an item that personnel will repair, such as a computer server.

bot herder

the person who creates a botnet by installing software on PCs that responds to the bot herder's electronic instructions. - a criminal who controls all the computers in the botnet via one or more command and control servers. - enters commands on the server and the zombies periodically check in with the command and control server to receive instructions. - use computers within a botnet to launch a wide range of attacks, send spam and phishing emails, or rent the botnets out to other criminals. - protection against a computer's joining a botnet is to ensure anti-malware software is running and the definitions are up-to-date.

wave pattern motion detector

transmits a consistent low ultrasonic or high microwave frequency signal into a monitored area and monitors for significant or meaningful changes or disturbances in the reflected pattern.

Software-defined everything (SDx)

trend of replacing hardware with software using virtualization. - Some of the virtual assets within SDx include the following: 1. Virtual Machines (VMs) 2. Software-Defined Networks (SDNs) 3. Virtual Storage Area Networks (VSANs)

Intrusion Prevention System (IPS)

type of IDS that also takes action against intrusion attempts. - software or hardware that monitors patterns in the traffic flow to identify and automatically block attacks. - A technology that monitors activity like an IDS but will automatically take proactive preventative action if it detects unacceptable activity. - If desired, administrators can disable these extra features of an IPS, essentially causing it to function as an IDS.

Repellent Alarms

usually sound an audio siren/bell and turn on lights - used to discourage intruders or attackers from continuing their malicious or trespassing activities and force them off the premises.

Electronic Discovery Reference Model

was developed to assist in the e-discovery process. - A suggested model for the procedures in electronic discovery. - describes a standard process for conducting eDiscovery with nine steps: 1. Information Governance: ensures that information is well organized for future eDiscovery efforts. 2. Identification: locates the information that may be responsive to a discovery request when the organization believes that litigation is likely. 3. Preservation: ensures that potentially discoverable information is protected against alteration or deletion. 4. Collection: gathers the responsive information centrally for use in the eDiscovery process. 5. Processing: screens the collected information to perform a "rough cut" of irrelevant information, reducing the amount of information requiring detailed screening. 6. Review: examines the remaining information to determine what information is responsive to the request and removes any information protected by attorney-client privilege. 7. Analysis: performs deeper inspection of the content and context of the remaining information. 8. Production: places the information into a format that may be shared with others. 9. Presentation: displays the information to witnesses, the court, and other parties. - Conducting eDiscovery is a complex process and requires careful coordination between information technology professionals and legal counsel.

fail secure system

will default to a secure state in the event of a failure, blocking all access

fail open system

will fail in an open state, granting all access
