Firewall | Filters network connections based on source, destination, and port |
Decompiler | Attempts to recover source code from binary code |
Antivirus | Scans a system for malicious software |
NAC | Determines what clients may access a wired or wireless network |
GPO | Deploys configuration settings to multiple Windows systems |
Hash | Creates a unique fingerprint of a file |
Honeypot | System intentionally created to appear vulnerable |
WAF | Protects against SQL injection attacks |
Requirements gathering | Assess missing controls from a recent breach |
Threat data collection | Download data via STIX |
Threat data analysis | Convert manually gathered threat data to STIX format |
Threat intelligence dissemination | Provide information about a threat to an IPS administrator |
Gathering feedback | Update requirements for your intelligence gathering program |
Route to a system | traceroute |
Open services via a network | Nmap |
IP traffic flow and volume | netflow |
Organizational contact information associated with domain registration | Whois |
Connections listed by protocol | netstat |
Zone transfer | Dig |
Packet capture | Wireshark |
Social media geotagging | Creepy |
The CVSS vector for the IKE vulnerability shown in Figure 5.23 is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. Breaking this down piece by piece gives us the following:
Based on this CVSS analysis, the first vulnerability in Figure 5.22 is more serious. They have identical CVSS vectors except for the integrity metric, which is higher for the SSL vulnerability.
Air gap | A physical separation between devices or networks to prevent access. |
Containerization | A technology that bundles together an application and the files, libraries, and other dependencies it needs to run, allowing the application to be deployed to multiple platforms or systems. |
VPC | A logically isolated segment of a cloud that provides you with control of your own environment. |
Cloud access security broker | Software or service that enforces security for cloud applications. |
Blacklisting | An access control mechanism that permits all things to pass through except those that are specifically blocked. |
Asset tagging | Labeling or otherwise identifying systems, devices, or other items. |
NAC | A system that validates systems and sometimes users before they connect to a network. |
Data loss prevention | A system that scans outbound traffic and prevents it from being transmitted if it contains specific content types. |
Part 1: You should identify two major problems: use of HTTP, rather than HTTPS, and the development team's creation of their own OAuth libraries.
Part 2: Answers may vary but should include detail similar to:
The implementation team should use open source or Facebook-provided libraries and code and should follow recommended best practices for implementation. Secure connections should be required for all authentication and authorization traffic.
A strong answer might also reference the OWASP Facebook development guide at www.owasp.org/index.php/Facebook.
Responses will vary but should take into account the fact that Example Corp. will now be relying on a third party and will need to know how to contact Facebook, what they will do if Facebook is compromised, and how individual account issues will be handled.
Responses will vary but should take into account use of a third-party authentication service and lack of control of accounts versus the utility of a third-party service provider.
Part 1: You should suggest solutions involving local authentication with appropriate monitoring, logging, and management to ensure that local accounts are secure.
Part 2: You should suggest a central identity and access management system to centrally manage credentials and rights, and administrative policies and controls that ensure that roles and rights are updated when users change positions or roles.
Part 3: Answers are left to your own analysis of your work.
TACACS+ | A Cisco-designed authentication protocol. |
Identity | The set of claims made about an account holder. |
ADFS | Microsoft's identity federation service. |
Privilege creep | This issue occurs when accounts gain more rights over time due to role changes. |
Directory service | LDAP is deployed in this role. |
OAuth 2.0 | An open standard for authorization used for websites and applications. |
SAML | An XML-based protocol used to exchange authentication and authorization data. |
RADIUS | A common AAA system for network devices. |
Privilege management | The practice of managing and controlling identities and rights. |
Multifactor authentication (MFA) | The combination of multiple means of proving an identity to authenticate. |
Single sign-on (SSO) | A technical system that allows access to many different systems or services with a single authentication event. |
Federation | The linking of an individual's identity across multiple identity management systems. |
Role-based | An access control scheme based on an individual's job duties or other position in an organization. |
Attribute-based | Access control based on elements like things that describe the user (role, title), what action is being attempted, or other similar data. |
Mandatory | An access control scheme where the operating system constrains the ability of the user or subject to take action. |
Manual review | Checking rights without an automated system. |
Subversion | A source control management tool |
Agile | An SDLC model that relies on sprints to accomplish tasks based on user stories |
Dynamic code analysis | A code analysis that is done using a running application |
Fuzzing | A code analysis done using a running application that relies on sending unexpected data to see if the application fails |
Fagan inspection | A formal code review process that relies on specified entry and exit criteria for each phase |
Over-the-shoulder | A code review process that requires one developer to explain their code to another developer |
Waterfall | The first SDLC model, replaced in many organizations but still used for very complex systems |
Backlog | An Agile term that describes the list of features needed to complete a project |
Heuristics | A technique used to find previously unknown malware by observing behaviors common to malicious software |
DMARC | An email authentication, policy, and reporting protocol |
Reverse engineering | The process of disassembling or decompiling a malware package to understand what it does |
Digital signature | A means of providing assurance that an email has not been modified and that it was sent by the correct sender that relies on a certificate and public key cryptography |
UEBA | A technology designed to monitor end user behavior to prevent targeted attacks and insider threats |
DKIM | An email authentication method designed to detect forged sender addresses |
SOAR | A technique used to find previously unknown malware by observing behaviors common to malicious software |
SPF | An email authentication technique that detects forged sender addresses |
The functional impact of this incident is high because the organization has lost the ability to sell products to customers. This fits the definition of the “organization is no longer able to provide some critical services to any users.”
The economic impact of this incident is high. The organization expects to lose $2 million per day. This fits the definition of the high category: “The organization expects to experience a financial impact of $500,000 or more.”
The recoverability effort of this incident is extended. The organization has exhausted all internal resources and is seeking a consultant to assist. This fits the extended category definition of “Time to recovery is unpredictable; additional resources and outside help are needed.”
The information impact of this incident is none. The attack described in this scenario is a denial-of-service attack, and there is no indication of the compromise of sensitive information. This fits the none category definition of “No information was exfiltrated, changed, deleted or otherwise compromised.”
Activity | Phase |
Conducting a lessons learned review session | Postincident Activity |
Receiving a report from a staff member about a malware infection | Detection and Analysis |
Upgrading the organization's firewall to block a new type of attack | Preparation |
Recovering normal operations after eradicating an incident | Containment, Eradication, and Recovery |
Identifying the attacker(s) and attacking system(s) | Containment, Eradication, and Recovery |
Interpreting log entries using a SIEM to identify a potential incident | Detection and Analysis |
Assembling the hardware and software required to conduct an incident investigation | Preparation |
Flows | A Linux command that displays processes, memory utilization, and other details about running programs |
Resmon | Traffic sent to a command and control system by a PC that is part of a botnet |
iPerf | A Windows tool that monitors memory, CPU, and disk usage |
PRTG | A protocol for collecting information like status and performance about devices on a network |
Beaconing | A set of packets passing from a source system to a destination in a given time interval |
SNMP | A network management and monitoring tool that provides central visibility into flows and SNMP data for an entire network |
top | A Windows tool that monitors a wide range of devices and services, including energy, USB, and disk usage |
Perfmon | A tool for testing the maximum available bandwidth for a network |
You can find a complete answer to the NIST Rhino hunt from Activity 13.2 at www.cfreds.nist.gov/dfrws/DFRWS2005-answers.pdf.
dd | A Linux tool used to create disk images |
md5sum | Used to determine whether a drive is forensically sound |
Volatility Framework | A memory forensics and analysis suite |
FTK | A full-featured forensic suite |
Eraser | A drive and file wiping utility sometimes used for anti-forensic purposes |
Write blocker | A device used to prevent forensic software from modifying a drive while accessing it |
WinDbg | A tool used to review Windows memory dumps |
Forensic drive duplicator | A device used to create a complete forensic image and validate it without a PC |
Wireshark | A GUI network traffic sniffer |
tcpdump | A command-line network packet sniffer |
Network segmentation
Network isolation
Network removal
Response activity | CompTIA category |
Patching | Validation |
Sanitization | Eradication |
Lessons learned | Postincident Activities |
Reimaging | Eradication |
Secure disposal | Eradication |
Isolation | Containment |
Scanning | Validation |
Removal | Containment |
Reconstruction | Eradication |
Permission verification | Validation |
User account review | Validation |
Segmentation | Containment |
Risk avoidance | Changing business activities to eliminate a risk |
Risk transference | Shifting the impact of a risk to another organization |
Risk mitigation | Implementing security controls that reduce the probability and/or magnitude of a risk |
Risk acceptance | Choosing to continue operations as normal despite the potential risk |
Policy | Provides high-level requirements for a cybersecurity program |
Standard | Offers detailed requirements for achieving security control objectives |
Guideline | Includes advice based on best practices for achieving security goals that are not mandatory |
Procedure | Outlines a step-by-step process for carrying out a cybersecurity activity |
The testing procedures for PCI DSS requirement 8.2.3 instruct auditors to inspect system configuration settings and verify that the user password/passphrase requirements are set to require a minimum length of at least seven characters and to require that passwords contain both alphabetic and numeric characters.