Chapter 17: Preventing & Responding To Incidents
Know incident response steps
- The Security Operations domain lists incident response steps as:
  - detection
  - response
  - mitigation
  - reporting
  - recovery
  - remediation
  - lessons learned
- After detecting & verifying an incident, the first response is to limit or contain the scope of the incident while protecting evidence.
- Based on governing laws, an organisation may need to report an incident to official authorities, and if PII is involved, individuals need to be informed.
- The remediation & lessons learned stages include root cause analysis to determine the cause and recommend solutions to prevent a recurrence.
Know basic preventive measures
- Basic preventive measures can prevent many incidents from occurring.
- These include:
  - keeping systems up-to-date
  - removing/disabling unneeded protocols & services
  - using intrusion detection & prevention systems
  - using anti-malware software with up-to-date signatures
  - enabling both host-based & network-based firewalls
Know what denial-of-service attacks are
- DoS attacks prevent a system from responding to legitimate requests for service.
- A common DoS attack is the SYN flood attack, which disrupts the TCP three-way handshake.
- Even though older attacks are not as common today because basic precautions block them, many newer attacks are variations on older methods.
- Smurf attacks employ an amplification network to send numerous response packets to a victim.
- Ping-of-death attacks send numerous oversized ping packets to the victim, causing it to freeze, crash or reboot.
Understand botnets, botnet controllers & bot herders
- Botnets represent significant threats due to the massive number of computers that can launch attacks, so it’s important to know what they are.
- A botnet is a collection of compromised computing devices (often called bots or zombies) organised in a network controlled by a criminal known as a bot herder.
- Bot herders use a command-and-control server to remotely control the zombies, and often use the botnet to launch attacks on other systems or to send spam or phishing emails.
- Bot herders also rent botnet access out to other criminals.
Understand zero-day exploits
- A zero-day exploit is an attack that uses a vulnerability that is either unknown to anyone but the attacker, or known only to a limited number of people.
- On the surface, it seems that you can’t protect against an unknown vulnerability, but basic security practices go a long way toward preventing 0-days.
- Removing or disabling unneeded protocols & services reduces the attack surface, enabling firewalls blocks many access points, and using IDS/IPS systems helps detect & block potential attacks.
- Additionally, using tools such as honeypots and padded cells helps protect live networks.
Understand man-in-the-middle attacks
- A man-in-the-middle attack occurs when a malicious user is able to gain a logical position between the two endpoints of a communications link.
- Although it takes a significant amount of sophistication on the part of an attacker to complete a MITM attack, the amount of data obtained from the attack can be significant.
Understand sabotage & espionage
- Malicious insiders can perform sabotage against an organisation if they become disgruntled for some reason.
- Espionage is when a competitor tries to steal information, and they may use an internal employee.
- Basic security principles, such as implementing the principle of least privilege and immediately disabling accounts for terminated employees, limit the damage from these attacks.
Understand intrusion detection & prevention
- IDSs and IPSs are important detective & preventive measures against attacks.
- Know the difference between knowledge-based detection (using a database similar to anti-malware signatures) and behaviour-based detection.
- Behaviour-based detection starts with a baseline to recognise normal behaviour, and compares activity with the baseline to detect abnormal activity.
- The baseline can be outdated if the network is modified, so it must be updated when the environment changes.
- An IDS can respond passively by logging and sending notifications, or actively by changing the environment. Some people refer to an active IDS as an IPS. However, it’s important to recognise that an IPS is placed in line with the traffic, and includes the ability to block malicious traffic before it reaches the target.
- Host-based IDSs (HIDSs) can monitor activity on a single system only.
- A network-based IDS (NIDS) can monitor activity on a network, and a NIDS isn’t as visible to attackers.
Understand honeypots, padded cells & pseudo flaws
- A honeypot is a system that often has pseudo flaws and fake data to lure intruders.
- Administrators can observe the activity of attackers while they are in the honeypot, and as long as attackers are in the honeypot, they are not in the live network.
- Some IDSs have the ability to transfer attackers into a padded cell after detection.
- Although a honeypot & padded cell are similar, note that a honeypot lures the attacker, but the attacker is transferred into the padded cell.
Understand methods to block malicious code
- Malicious code is thwarted with a combination of tools.
- The obvious tool is anti-malware software with up-to-date definitions installed on each system, at the boundary of the network, and on email servers.
- However, policies that enforce basic security principles, such as the principle of least privilege, prevent regular users from installing potentially malicious software.
- Additionally, educating users about the risks and the methods attackers commonly use to spread viruses helps users understand & avoid dangerous behaviours.
Understand penetration testing
- Pen tests start by discovering vulnerabilities and then mimic an attack to identify what vulnerabilities can be exploited.
- It’s important to remember that pen testing should not be done without express consent & knowledge of management.
- Additionally, since pen tests can result in damage, they should be done on isolated systems whenever possible.
- You should also recognise the difference between black-box (zero knowledge), white-box (full knowledge) & grey-box (partial knowledge) testing.
Know the types of log files
- Log data is recorded in databases and different types of log files.
- Common log files include:
  - security logs
  - system logs
  - application logs
  - firewall logs
  - proxy logs
  - change management logs
- Log files should be protected by centrally storing them and using permissions to restrict access, and archived logs should be set to read-only to prevent modifications.
Understand monitoring & uses of monitoring tools
- Monitoring is a form of auditing that focuses on active review of the log file data.
- Monitoring is used to hold subjects accountable for their actions and to detect abnormal or malicious activities.
- It is also used to monitor system performance.
- Monitoring tools such as IDSs or SIEMs automate monitoring and provide real-time analysis of events.
Understand audit trails
- Audit trails are the records created by recording information about events & occurrences into one or more databases or log files.
- They are used to reconstruct an event, to extract information about an incident, and to prove or disprove culpability.
- Using audit trails is a passive form of detective security control, and audit trails are essential evidence in the prosecution of criminals.
Understand sampling
- Sampling, or data extraction, is the process of extracting elements from a large body of data to construct a meaningful representation or summary of the whole.
- Statistical sampling uses precise mathematical functions to extract meaningful information from a large volume of data.
- Clipping is a form of non-statistical sampling that records only events that exceed a threshold.
Understand how to maintain accountability
- Accountability is maintained for individual subjects through the use of auditing.
- Logs record user activities and users can be held accountable for their logged actions.
- This directly promotes good user behaviour & compliance with the organisation’s security policy.
Understand the importance of security audits & reviews
- Security audits & reviews help ensure that management programs are effective and being followed. They are commonly associated with account management practices to prevent violations with least privilege or need-to-know principles.
- However, they can also be performed to oversee patch management, vulnerability management, change management & configuration management programs.
Understand auditing and the need for frequent security audits
- Auditing is a methodical examination or review of an environment to ensure compliance with regulations and to detect abnormalities, unauthorised occurrences, or outright crimes.
- Secure IT environments rely heavily on auditing.
- Overall, auditing serves as a primary type of detective control used within a secure environment.
- The frequency of an IT infrastructure security audit or security review is based on risk.
- An organisation determines whether sufficient risk exists to warrant the expense & interruption of a security audit.
- The degree of risk also affects how often an audit is performed. It is important to clearly define and adhere to the frequency of audit reviews.
Understand that auditing is an aspect of due care
- Security audits & effectiveness reviews are key elements in displaying due care.
- Senior management must enforce compliance with regular periodic security reviews, or they will likely be held accountable & liable for any asset losses that occur.
Understand the need to control access to audit reports
- Audit reports typically address common concepts such as the purpose of the audit, the scope of the audit, and the results discovered or revealed by the audit.
- They often include other details specific to the environment and can include sensitive information such as problems, standards, causes & recommendations.
- Audit reports that contain sensitive information should be assigned a classification label and handled appropriately.
- Only people with sufficient privilege should have access to them.
- An audit report can be prepared in various versions for different target audiences to include only the details needed by a specific audience. For example, senior security administrators might have a report with all the relevant details, whereas a report for executives would provide only high-level information.
Understand access review & user entitlement audits
- An access review audit ensures that object access & account management practices support the security policy.
- User entitlement audits ensure that the principle of least privilege is followed and often focus on privileged accounts.
Audit access controls
- Regular reviews and audits of access control processes help assess the effectiveness of access controls.
- For example, auditing can track logon successes & failures of any account.
- An IDS can monitor these logs and easily identify attacks and notify administrators.
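As an added example (not from the study guide), the following Python script applies a clipping level and a behaviour-based baseline comparison to constructed logon-failure log lines, tying together the sampling notes above (clipping) and this point about auditing logon failures; the log format, account names and thresholds are assumptions.

```python
"""Added example (not from the study guide): a small log monitor showing two of the
detection ideas in these notes on constructed security-log lines: a clipping level
(fixed threshold) and a behaviour-based check against a learned baseline."""
import re
from collections import Counter

# Constructed line format: "<timestamp> LOGON <OK|FAIL> user=<account> src=<host>"
LINE_RE = re.compile(r"^(\S+) LOGON (OK|FAIL) user=(\S+) src=(\S+)$")

# Constructed "quiet period" used to learn what normal failure counts look like.
BASELINE_LOG = """\
2024-03-01T08:00:00 LOGON FAIL user=alice src=ws01
2024-03-01T08:00:07 LOGON OK user=alice src=ws01
2024-03-01T08:01:00 LOGON FAIL user=bob src=ws02
2024-03-01T08:01:09 LOGON OK user=bob src=ws02
"""

# Constructed period under review: alice mistypes twice, an unknown source
# repeatedly fails against the admin account.
CURRENT_LOG = """\
2024-03-02T08:00:00 LOGON FAIL user=alice src=ws01
2024-03-02T08:00:03 LOGON FAIL user=alice src=ws01
2024-03-02T08:00:09 LOGON OK user=alice src=ws01
2024-03-02T08:02:00 LOGON FAIL user=admin src=203.0.113.7
2024-03-02T08:02:01 LOGON FAIL user=admin src=203.0.113.7
2024-03-02T08:02:02 LOGON FAIL user=admin src=203.0.113.7
2024-03-02T08:02:03 LOGON FAIL user=admin src=203.0.113.7
"""

def failed_logons(log_text):
    """Count failed logons per account; lines that do not match are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2) == "FAIL":
            counts[m.group(3)] += 1
    return counts

def clipping_alerts(log_text, clipping_level=3):
    """Clipping (non-statistical sampling): only accounts whose failure count
    exceeds the clipping level are recorded; everything below it is ignored."""
    return {a: n for a, n in failed_logons(log_text).items() if n > clipping_level}

def behaviour_alerts(log_text, baseline_text, factor=2):
    """Behaviour-based detection: flag accounts whose failures exceed `factor`
    times their baseline; an account absent from the baseline has a baseline of 0,
    so any failure is abnormal (relearn the baseline when the environment changes)."""
    baseline = failed_logons(baseline_text)
    return {a: (n, baseline[a]) for a, n in failed_logons(log_text).items()
            if n > baseline[a] * factor}
```

Note that alice's two failures stay below both the clipping level and twice her baseline, so only the admin account is reported by either method.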