IPS Log Analysis and Security Risk Management

Questions and Answers

What can be determined from the security log information?

The alert was generated from an embedded script (correct)

The attacker’s IP address is 222.43.112.74 (correct)

The alert was generated from a malformed User Agent header

The attacker’s IP address is 64.235.145.35

ALE stands for Annual Loss Expectancy.

True

What type of attack is demonstrated in the search field input 'USER77' OR '1'='1?

SQL injection

The log information indicates a possible _______________ attack.

Cross-Site Scripting

Which of the following is a measure of the cost of recovering from a disaster?

RTO

CSRF is a type of injection attack.

False

Match the security concepts with their descriptions:

ALE = Annualized Loss Expectancy RTO = Recovery Time Objective SLE = Single Loss Expectancy CSRF = Cross-Site Request Forgery

What is the primary concern in Key Management?

Secure key storage and distribution

What type of vulnerability is MOST associated with a database being available for anyone to query without providing any authentication?

Open permissions

A whaling attack is a type of phishing attack targeted at high-level executives.

True

What is the primary purpose of an NGFW in risk management?

To mitigate risks by providing advanced security features such as intrusion prevention and antivirus protection

A ______________ attack is a type of phishing attack that targets users through SMS or text messages.

Smishing

What type of authentication method involves sending a code to a user's phone to verify their identity?

SMS

Which of the following risk management strategies involves transferring risk to a third party?

Transference

Match the following types of phishing attacks with their descriptions:

Whaling = Targets high-level executives Vishing = Targets users through phone calls Smishing = Targets users through SMS or text messages Phishing = Targets users through email or messaging

A security team should prioritize incident response over risk assessment.

False

Which of the following would be the BEST way to confirm the secure baseline of a deployed application instance?

Perform an integrity measurement

Split knowledge would have prevented the delay in financial transfer due to an employee's absence.

True

What is the best description of the log information showing sessions from a single IP address with a TTL equal to zero?

Someone is performing a vulnerability scan against the firewall and DMZ server.

The attack where an attacker sends more information than expected in a single API call, allowing the execution of arbitrary code, is known as a _________ attack.

Buffer Overflow

Match the following security controls with their primary purposes:

Least Privilege = Limit access to sensitive resources Job Rotation = Reduce dependence on individual employees Dual Control = Ensure accountability in sensitive transactions Split Knowledge = Prevent unauthorized access to sensitive information

What is the primary purpose of security logging in incident response?

To detect and respond to security incidents

Web application security is primarily concerned with protecting against network-based attacks.

False

What is the primary goal of risk assessment in security?

To identify and evaluate potential security threats to an organization.

Study Notes

IPS Log Analysis

• A security log from an IPS shows an alert for Cross-Site Scripting in JSON Data on 2018-06-01 13:07:29.
• The log includes a User Agent string indicating the use of curl/7.21.3.
• The detail section shows a token with an empty value and a key "key7" with a value "alert(2)".
• From this log, it can be determined that the attacker's IP address is 222.43.112.74 and the target IP address is 64.235.145.35.

Risk Management and Security

• ALE (Annualized Loss Expectancy) is a monetary loss if one event occurs.
• SLE (Single Loss Expectancy) is the expected monetary loss of a single event.
• RTO (Recovery Time Objective) is a measure of the time taken to recover from an outage or incident.

SQL Injection

• A user with restricted access submitted a search query "USER77' OR '1'='1" which returned all database records.
• This is an example of SQL injection.

Authentication

• TOTP (Time-Based One-Time Password) is a type of authentication mechanism.

Cloud Security

• An open database instance in a cloud service is vulnerable to unauthorized access due to improper permissions.

Phishing

• An email offering a cash bonus for completing an internal training course is an example of phishing.
• The email requires users to login with their Windows Domain credentials on an external server.

Risk Management Strategies

• The purchase and installation of an NGFW (Next-Generation Firewall) is an example of a mitigation strategy.

Secure Baseline

• Comparing a production application to a secure baseline instance is the best way to confirm its security.

Separation of Duties

• A delay in an important financial transfer due to the absence of a team member could have been prevented by implementing separation of duties.

Log Analysis

• A log showing multiple sessions from a single IP address with a TTL equal to zero is indicative of a vulnerability scan.

Buffer Overflow

• An attacker sending more information than expected in a single API call, allowing the execution of arbitrary code, is an example of a buffer overflow attack.

Description

Analyze IPS log for Cross-Site Scripting attack and understand risk management concepts like ALE (Annualized Loss Expectancy).