IPS Log Analysis and Security Risk Management
24 Questions

Questions and Answers

What can be determined from the security log information?

  • The alert was generated from an embedded script (correct)
  • The attacker’s IP address is 222.43.112.74 (correct)
  • The alert was generated from a malformed User Agent header
  • The attacker’s IP address is 64.235.145.35

ALE stands for Annual Loss Expectancy.

True (A)

What type of attack is demonstrated by the search field input "USER77' OR '1'='1"?

SQL injection

The log information indicates a possible _______________ attack.

Cross-Site Scripting

Which of the following is a measure of the cost of recovering from a disaster?

RTO (A), RTO (B)

CSRF is a type of injection attack.

False (B)

Match the security concepts with their descriptions:

  • ALE = Annualized Loss Expectancy
  • RTO = Recovery Time Objective
  • SLE = Single Loss Expectancy
  • CSRF = Cross-Site Request Forgery

What is the primary concern in Key Management?

Secure key storage and distribution

What type of vulnerability is MOST associated with a database being available for anyone to query without providing any authentication?

Open permissions (A)

A whaling attack is a type of phishing attack targeted at high-level executives.

True (A)

What is the primary purpose of an NGFW in risk management?

To mitigate risks by providing advanced security features such as intrusion prevention and antivirus protection

A ______________ attack is a type of phishing attack that targets users through SMS or text messages.

Smishing

What type of authentication method involves sending a code to a user's phone to verify their identity?

SMS (A)

Which of the following risk management strategies involves transferring risk to a third party?

Transference (C)

Match the following types of phishing attacks with their descriptions:

  • Whaling = Targets high-level executives
  • Vishing = Targets users through phone calls
  • Smishing = Targets users through SMS or text messages
  • Phishing = Targets users through email or messaging

A security team should prioritize incident response over risk assessment.

False (B)

Which of the following would be the BEST way to confirm the secure baseline of a deployed application instance?

Perform an integrity measurement (B)

Split knowledge would have prevented the delay in financial transfer due to an employee's absence.

True (A)

What is the best description of the log information showing sessions from a single IP address with a TTL equal to zero?

Someone is performing a vulnerability scan against the firewall and DMZ server.

The attack where an attacker sends more information than expected in a single API call, allowing the execution of arbitrary code, is known as a _________ attack.

Buffer Overflow

Match the following security controls with their primary purposes:

  • Least Privilege = Limit access to sensitive resources
  • Job Rotation = Reduce dependence on individual employees
  • Dual Control = Ensure accountability in sensitive transactions
  • Split Knowledge = Prevent unauthorized access to sensitive information

What is the primary purpose of security logging in incident response?

To detect and respond to security incidents (C)

Web application security is primarily concerned with protecting against network-based attacks.

False (B)

What is the primary goal of risk assessment in security?

To identify and evaluate potential security threats to an organization.

Flashcards

IPS Log Analysis

Reviewing security logs to detect suspicious activities or attacks.

Cross-Site Scripting (XSS)

A security vulnerability that allows attackers to inject scripts into trusted websites.

User Agent String

A line of text that identifies the browser and operating system to the web server.

TOTP (Time-Based One-Time Password)

An authentication method that generates a temporary password based on the current time.

Annualized Loss Expectancy (ALE)

The expected monetary loss for an event occurring in a year.

Single Loss Expectancy (SLE)

Expected monetary loss resulting from a single event or risk.

Recovery Time Objective (RTO)

The target time for restoring systems after a disruption.

SQL Injection

A code injection technique that exploits security vulnerabilities in the database layer of applications.

Vulnerability Scan

An assessment that identifies weaknesses in a system or network.

Buffer Overflow

A program error that occurs when data exceeds the allocated buffer, potentially allowing code execution.

Phishing

A fraud method to steal sensitive information using deceptive emails or websites.

Risk Management

The process of identifying, assessing, and prioritizing risks, followed by coordinated efforts to minimize them.

Next-Generation Firewall (NGFW)

Advanced firewall technology for deeper inspection of network traffic and threats.

Cloud Security

Measures to protect data, applications, and infrastructures involved in cloud computing.

Secure Baseline

A benchmark used to compare a system's security configuration and compliance.

Separation of Duties

An internal control mechanism that prevents fraud by dividing responsibilities among different people.

Log Analysis

The process of examining logs to uncover security incidents and anomalies.

Curl

A command-line tool to transfer data using various protocols, often used for testing APIs.

User Access Control

Policies that manage who has rights to access resources in a system.

Token

A piece of data used for authentication and maintaining a user session.

Improper Permissions

Misconfigurations that allow unauthorized access to systems or data.

Team Member Absence

A situation where a crucial team member is unavailable, leading to operational issues.

API Call

A request made by a client to a server for data or functionality.

Study Notes

IPS Log Analysis

  • A security log from an IPS shows an alert for Cross-Site Scripting in JSON Data on 2018-06-01 13:07:29.
  • The log includes a User Agent string indicating the use of curl/7.21.3.
  • The detail section shows a token with an empty value and a key "key7" with a value "alert(2)".
  • From this log, it can be determined that the attacker's IP address is 222.43.112.74 and the target IP address is 64.235.145.35.

Risk Management and Security

  • ALE (Annualized Loss Expectancy) is a monetary loss if one event occurs.
  • SLE (Single Loss Expectancy) is the expected monetary loss of a single event.
  • RTO (Recovery Time Objective) is a measure of the time taken to recover from an outage or incident.

SQL Injection

  • A user with restricted access submitted a search query "USER77' OR '1'='1" which returned all database records.
  • This is an example of SQL injection.

Authentication

  • TOTP (Time-Based One-Time Password) is a type of authentication mechanism.

Cloud Security

  • An open database instance in a cloud service is vulnerable to unauthorized access due to improper permissions.

Phishing

  • An email offering a cash bonus for completing an internal training course is an example of phishing.
  • The email requires users to log in with their Windows Domain credentials on an external server.

Risk Management Strategies

  • The purchase and installation of an NGFW (Next-Generation Firewall) is an example of a mitigation strategy.

Secure Baseline

  • Comparing a production application to a secure baseline instance is the best way to confirm its security.

Separation of Duties

  • A delay in an important financial transfer due to the absence of a team member could have been prevented by implementing separation of duties.

Log Analysis

  • A log showing multiple sessions from a single IP address with a TTL equal to zero is indicative of a vulnerability scan.

Buffer Overflow

  • An attacker sending more information than expected in a single API call, allowing the execution of arbitrary code, is an example of a buffer overflow attack.

Description

Analyze an IPS log for a Cross-Site Scripting attack and understand risk management concepts such as ALE (Annualized Loss Expectancy).
