Chapters 4, 8, 11
Chapter 4
Business Drivers of Information Security
threat analysis
involves identifying and documenting threats to critical resources, which means considering the types of disasters that are possible and what kind of damage they can cause
acceptable use policy (AUP)
employees must abide by all organizational policies and procedures, in particular the organization's AUP.
Risk Management’s importance to the organization
Identifying, assessing, prioritizing, and addressing risks is a core business necessity to ensure any organization's longevity
Risk = Threat × Vulnerability
An exploited vulnerability results in an
Impact
Risk methodology
a description of how you will manage risk
Risk Register
A list of identified risks
Business impact analysis
an analysis of an organization’s functions and activities that classifies them as critical or noncritical
identifies the impact to the business if one or more IT functions fail
Identifies the priority of different critical systems
Recovery point objective (RPO)
The target state of recovered data that allows an organization to continue normal processing; the maximum amount of data loss that is acceptable
Recovery time objective (RTO)
the maximum allowable time in which to recover the function
Business recovery requirements
identify any other business functions that must already be in place for the specified recovery function to occur and help in determining the recovery sequence
Technical recovery requirements
Define the technical prerequisites that are needed to support each critical business function
Business continuity plan (BCP)
a written plan for a structured response to any events that result in an interruption to critical business activities or functions
What are the Order of Priorities?
Safety and well-being of people
Continuity of critical business functions and operations
Continuity of components within the seven domains of an IT infrastructure
What are some elements of a BCP?
Statement defining the policy, standards, procedures, and guidelines for deployment
Project team members with defined roles, responsibilities, and accountabilities
Disaster Recovery Plan
Directs the actions necessary to recover resources after a disaster
Extends and supports the BCP by identifying events that could cause damage to resources that are necessary to support critical business functions
Hot site
has environmental utilities, hardware, software, and data like the original data center
Warm Site
Has environmental utilities and basic computer hardware
Cold Site
Has basic environmental Utilities but no infrastructure components
Mobile Site
Trailer with necessary environmental utilities that can operate as warm or cold site
Security Gap
difference between the security controls in place and controls you need to address vulnerabilities
Gap Analysis
Comparison of the security controls in place and the controls you need to address all identified threats
FERPA
FFIEC
COPPA
GLBA
Security Reform Act
USA Patriot Act of 2001
FISMA
SOX
HIPAA
SB 1386
GDPR
PCI DSS
CCPA
Examples of Authentication Controls
Passwords and PINs
Smart Cards and tokens
Biometric devices
Digital Certificates
Challenge-response handshakes
Kerberos authentication
One-time passwords
Examples of Authorization Controls
Authentication server rules and permissions
Access Control lists
Intrusion detection and prevention
Physical access control
connection and access policy filters
Network traffic filters
Mobility
Allows remote workers and employees to be connected to the IT infrastructure in almost real time
Bring Your Own Device (BYOD)
Employees using their personally owned devices for business and personal use
BYOD Concerns
Data ownership
Support Ownership
Patch Management
Antivirus management
Forensics
Privacy
Acceptable use policy
Onboard camera/video
Endpoint and Device Security
Full Device Encryption
Remote Wiping
Lockout
Screen Locks
Global Positioning System (GPS)
Application control
Storage Segmentation
Chapter 8
Malicious Software and Attack Vectors
active content
refers to the components, primarily on websites, that provide functionality to interact with users
Cookies
information that a website puts on a user's computer.
Malicious software (malware)
any program that contains instructions that run on a computer system and perform operations that the user does not intend
Malicious code attacks all three information security properties
Confidentiality: malware can disclose your organization's private information
Integrity: Malware can modify database records, either immediately or over a period of time
Availability: Malware can erase or overwrite files or inflict considerable damage to storage media
System infectors
Target computer hardware and software startup functions
File infectors
attack and modify executable programs
Data infectors
attack document files containing embedded macro programming capabilities
Typical life cycle of a computer virus
The virus waits until the user transmits the infected object to another computer
The user transmits an infected object to another computer
The virus locates and infects suitable objects on the new computer
How does a macro virus work?
infected document attachment arrives in email message
macro virus
Global Macro Pool infected in application (normal.dot)
Infection spreads to other documents in the internal document folder
Rootkits
Malware that modifies or replaces one or more existing programs to hide the fact that the computer has been compromised
Ransomware
attempts to generate funds directly from a computer user
attacks a computer and limits the user's ability to access the computer's data
Spam
Consumes computing resources, bandwidth, and central processing unit time
Diverts IT Personnel from activities more critical to network security
Worms
self-contained programs designed to propagate from one host machine to another using the host’s own network communication protocols
Trojan horses
largest class of malware
Programs that masquerade as useful programs while hiding malicious intent
Rely on social engineering to spread and operate
Logic Bombs
Programs that execute a malicious function of some kind when they detect certain conditions
once in place, wait for a specified condition or time, which, when it occurs, causes the logic bomb to activate and carry out its task
Active Content Vulnerabilities
Refers to dynamic objects that do something when the user opens a webpage
Examples of technologies used to create active content: ActiveX, Cascading Style Sheets (CSS), React, Java, JavaScript, VBScript
Malicious Add-On (Browser)
add-ons are companion programs that extend the web browser; can decrease security
contain some type of malware; once installed, perform malicious actions
Injection
Cross-site scripting (XSS)
SQL injection
Lightweight Directory Access Protocol injection
Command Injection
Extensible Markup Language (XML) injection
Botnets
Robotically controlled networks
Attackers infect vulnerable machines with agents that perform various functions at the command of the bot-herder or controller
DoS Attacks
Overwhelm a server or network segment to the point that the server or network becomes unusable
Crash a server or network device or create so much network congestion that authorized users cannot access network resources
SYN flood attacks
attacker uses Internet Protocol (IP) spoofing to send a large number of packets requesting connections to the victim computer
Smurf attack
attackers forge Internet Control Message Protocol (ICMP) echo request packets to IP broadcast addresses from remote locations to generate DoS attacks
Spyware
Any unsolicited background process that installs itself on a user's computer and collects information about the user's browsing habits and website activities
Adware
Triggers nuisances such as popup ads and banners when the user visits certain websites
affects productivity and may combine with active background activities
Phishing
Tricks users into providing logon information on what appears to be a legitimate website but is actually a website set up by an attacker to obtain this information
Keystroke Loggers
Capture keystrokes or user entries and forward the information to the attacker
enable the attacker to capture logon information, banking information, and other sensitive data
Guidelines for Recognizing Hoaxes
Did a legitimate entity send the alert?
Is there a request to forward the alert to others?
Are there detailed explanations or technical terminology in the alert?
Does the alert follow the generic format of a chain letter?
Webpage Defacements
Someone gaining unauthorized access to a web server and altering the index page of a site on the server
the attacker replaces the original pages on the site with altered versions
Threats to business organizations
Attacks against confidentiality and privacy
attacks against data integrity
attacks against availability of services and resources
attacks against productivity and performance
attacks that create legal liability
attacks that damage reputation
What motivates attackers?
Money
Fame
Political beliefs or systems
Anger or revenge
Cyberwarfare or espionage
The purpose of an attack
Denial of availability
Data Modification
Data export (exfiltration)
Launch point
What are the 4 types of attacks?
unstructured attacks
structured attacks
direct attacks
Indirect attacks
What are the phases of an attack?
Reconnaissance and Probing
Gaining access
Maintaining Access
Covering Your Tracks
Reconnaissance and Probing
Attacker collects all information to conduct the attack
Domain Name System and ICMP tools within the Transmission Control
Access and Privilege Escalation
Establish the initial connection to a target host (typically a server platform)
Gain administrative rights to the system
Covering Traces of the Attack
Remove any traces of the attack
Remove files created and restore as many files to their pre-attack condition as possible
Attack Prevention Tools and Techniques
Defense in Depth
practice of layering security controls into zones to increase the overall protection level and provide more reaction time to respond to incidents
Goal of defense in depth
should be layers of security and detection, even on single systems.
attackers must break through or bypass each layer undetected
other layers can cover a flaw in one layer
Application Defenses
Operating system defenses
Network infrastructure defenses
Application Defenses
Implementing regular antivirus screening on all host systems
Ensuring that virus definition files are up to date
Requiring scanning of all removable media
Installing firewall and intrusion detection software on hosts
Deploying change-detection software and integrity-checking software and maintaining logs
Operating system defenses
Deploying change-detection and integrity-checking software and maintaining logs
Deploying or enabling change-detection and integrity-checking software on all servers
Ensuring that all operating systems are consistent and have been patched with the latest updates
Network Infrastructure Defenses
Creating chokepoints in the network
Using proxy services and bastion hosts to protect critical services
using content filtering at chokepoints to screen traffic
Ensuring that only trusted sources are used when installing and upgrading operating system code
Disabling any unnecessary network services and processes that may pose a security vulnerability
Incident Detection Tools and Techniques
Antivirus scanning software
Network monitors and analyzers
Content/context filtering and logging software
Honeypots and honeynets
Safe Recovery Techniques and Practices
Store OS and data file backup images on external media to ease recovering from potential malware infection
Chapter 11
Contingency Planning
Business continuity Plan
Contains the actions needed to keep critical business processes running after a disruption
Disaster recovery plan (DRP)
Details the steps to recover from a disruption and restore the infrastructure necessary for normal business operations
Disruption
a sudden unplanned event
Upsets an organization's ability to provide critical business functions and causes great damage or loss
Major disruptions include extreme weather, criminal activity, civil unrest/terrorist acts, operational and application failure disruptions, and pandemics
Emerging threats
new technology
changes in the culture of the organization or environment
Unauthorized use of technology
Changes in regulations and laws
Reliability of cloud or virtualization services
Cloud service provider (CSP) lock-in
Static Environment
Supervisory Control and Data Acquisition (SCADA)
Embedded systems
Mobile devices
Mainframes
Gaming consoles
IoT devices
Vehicle systems
Critical Business function
A business function that, if it fails, causes normal operations to cease
Business impact analysis (BIA)
An analysis of CBFs to determine what kinds of events could interrupt normal operation
Maximum tolerable downtime (MTD)
the most time a business can survive without a specific CBF
Recovery time objective (RTO)
the timeframe for restoring a CBF; must be shorter than or equal to the MTD
Recovery point objective (RPO)
the point to which data must be recovered
defines the amount of tolerable data loss
can come from different regulators
Emergency operations center (EOC)
the place where the recovery team will meet and work during a disruption
Maximum tolerable allowance
Set by business requirements; associated with the RTO
Conduct a BIA for what reasons?
Set the value of each business unit or resource as it relates to how the entire organization operates
Identify critical needs to develop a business recovery plan
Set the order of priority for restoring the organization's functions after a disruption