Questions and Answers
What is the primary focus of week 8 in the curriculum?
In which week is the topic of Security Technology introduced?
Which topic is likely to be addressed in week 10?
What could be a potential outcome of effective incident response planning covered in week 8?
Which of the following aspects is NOT explicitly mentioned in the provided weeks?
Study Notes
Week 8 - Incident Response and Contingency Planning
- Incident response and contingency planning are plans for unexpected adverse events that disrupt technology and business operations.
- An organization's ability to recover from an adverse event depends on proper planning and execution of a contingency plan.
- Over 40% of businesses without a disaster plan go out of business after a major loss (Hartford Insurance).
- Contingency Planning (CP) is the overall planning for unexpected adverse events.
- CP aims to restore normal operations with minimal cost and disruption after an unexpected adverse event.
- CP consists of four major components:
- Business impact analysis (BIA)
- Incident response plan (IR plan)
- Disaster recovery plan (DR plan)
- Business continuity plan (BC plan)
Fundamentals of Contingency Planning (1 of 2)
- Contingency planning (CP) prepares organizations for, detects, reacts to, and recovers from events threatening information resources and assets.
Fundamentals of Contingency Planning (2 of 2)
- CP has four major components:
- Business impact analysis (BIA)
- Incident response plan (IR plan)
- Disaster recovery plan (DR plan)
- Business continuity plan (BC plan)
- Organizations can consolidate these components into a single plan or create separate plans.
Knowledge Check Activity 1
- Business loss analysis is not a major component of contingency planning.
- BIA is a broader assessment of impact to the organization and its relationships.
NIST CP Methodology
- The contingency planning management team (CPMT) follows these steps:
- Develop the CP policy statement
- Conduct business impact analysis (BIA)
- Identify preventive controls
- Create contingency strategies
- Develop a contingency plan
- Ensure plan testing, training, and exercises
- Ensure plan maintenance
Contingency Planning Hierarchies
- Contingency Planning is the main category.
- This is followed by Business Impact Analysis, which has components:
- Incident Response Planning
- Disaster Recovery Planning
- Business Resumption Planning
- Crisis Management Planning
- Business Continuity Planning
Business Impact Analysis (BIA) (1 of 2)
- BIA is the initial phase.
- It prioritizes threats and vulnerabilities, enhancing the list with recovery information.
- BIA considers: scope, plan, balance, objective, and follow-up.
Business Impact Analysis (BIA) (2 of 2)
- The CPMT conducts the BIA in three stages:
- Determining mission/business processes and recovery criticality.
- Identifying resource requirements.
- Identifying recovery priorities for system resources.
Incident Response (1 of 2)
- Incident response (IR) involves detecting, reacting to, and recovering from attacks, errors, outages, and small-scale disasters.
- It's crucial for quick and effective containment and resolution of incidents.
Incident Response (2 of 2)
- Adverse events or incident candidates are those events with the potential for loss.
- An incident occurs when an event becomes a real threat to information.
NIST Incident Response Life Cycle
- The NIST Incident Response Life Cycle (Figure 5-6) stages include preparation, identification and detection, containment and recovery, and post-incident activity.
NIST Cybersecurity Framework
- The framework (Figure 5-7) relates to incident response and includes the tactical and strategic recovery phases, with a guide for cybersecurity event recovery.
Incident Response Policy
- NIST SP 800-61 identifies key policy components like management commitment, policy scope, and severity ratings.
IR Planning (1 of 3)
- Creating an incident response plan (IRP) is usually the CISO's responsibility.
- IRP includes mission, strategies, senior management approval, and more.
IR Planning (2 of 3)
- For each incident scenario, the planning team develops three sets of incident-handling procedures: before, during, and after the incident.
IR Planning (3 of 3)
- The Computer Security Incident Response Team (CSIRT) executes the IR plan.
- The CSIRT is made up of technical and managerial InfoSec professionals.
IR Actions
- Incident response is organized into three phases:
- Detection: identifying the incident.
- Reaction: quickly responding and limiting impact.
- Recovery: restoring normal operations.
Data Protection in Preparation for Incidents
- Organizations protect information with traditional backups, electronic vaulting, remote journaling, and database shadowing. Recommended industry practices include 3-2-1 backup rule (3 copies on 2 media, 1 off-site), daily on-site, and weekly off-site backups.
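The 3-2-1 rule above is easy to state and easy to violate quietly, for example when a "second copy" is a snapshot on the same disk array or when every copy sits in the same building. This added example (not code from the original notes) checks a constructed backup inventory against the three conditions and reports which ones fail; the `BackupCopy` record and the sample inventory are assumptions made up for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BackupCopy:
    """One copy of a protected data set (constructed record, not from any real system)."""
    label: str
    media: str      # e.g. "disk", "tape", "object-storage"
    location: str   # e.g. "primary-dc", "offsite-vault"
    offsite: bool   # True when the copy is held away from the primary site

def check_3_2_1(copies):
    """Return (ok, findings) for the 3-2-1 rule: 3 copies, on 2 media types, 1 off-site."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies (need 3)")
    media = {c.media for c in copies}
    if len(media) < 2:
        findings.append(f"only {len(media)} media type(s) (need 2): {sorted(media)}")
    if not any(c.offsite for c in copies):
        findings.append("no off-site copy (need 1)")
    return (not findings, findings)

# Constructed inventory: production data, a local disk snapshot and a tape copy
# stored in the same building. Three copies on two media, but nothing off-site.
SAMPLE_INVENTORY = [
    BackupCopy("production", "disk", "primary-dc", offsite=False),
    BackupCopy("nightly-snapshot", "disk", "primary-dc", offsite=False),
    BackupCopy("weekly-tape", "tape", "primary-dc", offsite=False),
]

if __name__ == "__main__":
    ok, findings = check_3_2_1(SAMPLE_INVENTORY)
    print("3-2-1 satisfied" if ok else "3-2-1 violated: " + "; ".join(findings))
```

Running it against the sample inventory reports the single gap, the missing off-site copy; moving the weekly tape to an off-site vault (or adding a cloud copy) makes the check pass.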
Detecting Incidents
- Routine events are distinguished from actual incidents.
- Failure to accurately detect incidents can lead to wasted resources and increased damage from delayed responses to actual incidents.
Incident Indicators (1 of 2)
- Incident candidates are events flagged by monitoring tools or users.
- Possible indicators include unfamiliar files, unknown programs, unusual system crashes, and unusual consumption of resources.
Incident Indicators (2 of 2)
- Probable indicators include new accounts, activities at unexpected times, reported attacks, and notifications from an IDS. Definite indicators include use of dormant accounts, changes in logs, presence of hacker tools, and notification from peers or hackers.
Knowledge Check Activity 2
- Unusual system crashes are not definitive indicators of incidents, while use of dormant accounts, changes to logs, and hacker tools presence are definitive.
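The indicator lists above (possible, probable, definite) are what a detection rule set encodes. This added example (not from the original notes) runs three of those indicators over constructed authentication log lines: use of a dormant account is flagged as definite, while a newly created account and activity outside business hours are flagged as probable. The log format, the account directory, the 90-day dormancy window and the 07:00-19:00 business window are all assumptions chosen for the illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed syslog-like authentication lines (not from any real system).
SAMPLE_LOG = """\
2024-03-02T03:12:44 sshd login user=svc_legacy src=10.0.5.7 result=success
2024-03-02T09:05:10 sshd login user=alice src=10.0.1.20 result=success
2024-03-02T23:41:02 sshd login user=bob src=10.0.1.21 result=success
2024-03-02T10:30:00 sshd login user=tmp_ops src=10.0.9.9 result=success
2024-03-02T10:31:00 sshd login user=alice src=10.0.1.20 result=failure
"""

# Constructed account directory: creation date and last successful login per account.
ACCOUNTS = {
    "svc_legacy": {"created": "2021-06-01", "last_login": "2023-09-15"},
    "alice":      {"created": "2022-01-10", "last_login": "2024-03-01"},
    "bob":        {"created": "2022-05-20", "last_login": "2024-03-01"},
    "tmp_ops":    {"created": "2024-03-02", "last_login": None},
}

NOW = datetime(2024, 3, 2, 12, 0, 0)   # fixed clock so the run is deterministic
DORMANT_AFTER = timedelta(days=90)     # assumed dormancy threshold
BUSINESS_HOURS = range(7, 19)          # assumed 07:00-18:59 working window

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

def classify_line(line, accounts=ACCOUNTS, now=NOW):
    """Return (severity, indicator, user, timestamp) tuples for one successful login."""
    m = LINE_RE.match(line)
    if not m or m["result"] != "success":
        return []                       # failures and unparsable lines are not indicators here
    info = accounts.get(m["user"])
    if info is None:
        return []                       # unknown accounts are out of scope for these three rules
    ts = datetime.fromisoformat(m["ts"])
    hits = []
    last = info["last_login"]
    if last is not None and now - datetime.fromisoformat(last) > DORMANT_AFTER:
        hits.append(("definite", "use of dormant account"))
    if now - datetime.fromisoformat(info["created"]) <= timedelta(days=1):
        hits.append(("probable", "new account"))
    if ts.hour not in BUSINESS_HOURS:
        hits.append(("probable", "activity at unexpected time"))
    return [(sev, ind, m["user"], m["ts"]) for sev, ind in hits]

def scan(log_text):
    """Apply classify_line to every line of a log and collect the indicators."""
    return [hit for line in log_text.splitlines() if line.strip() for hit in classify_line(line)]

if __name__ == "__main__":
    for sev, ind, user, ts in scan(SAMPLE_LOG):
        print(f"{sev:8} {ind:28} user={user} at {ts}")
```

The dormant service account logging in at 03:12 produces both a definite and a probable hit, which is the kind of stacking an analyst would escalate first; the 23:41 login by a regular user is only a probable indicator and needs corroboration before it becomes an incident.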
Recovering from Incidents (1 of 2)
- Incident Recovery begins after containment and system control are regained.
- The appropriate human resources are informed during this process.
Recovering from Incidents (2 of 2)
- The CSIRT assesses the extent of damage to information assets and determines how to restore systems.
- Incident damage assessment identifies breaches of confidentiality, integrity, and availability.
Common Mistakes CSIRTs make
- CSIRTs commonly make the following mistakes:
- Failing to appoint a clear chain of command with a designated individual in charge
- Not establishing a central operations center
- Not "knowing their enemy"
- Lacking a comprehensive incident response plan with containment strategies
- Failing to record incident activities
- Not distinguishing incident containment from remediation
- Failing to secure and monitor networks and devices
- Lacking log management systems
- Lacking anti-virus and anti-malware protections
NIST Recommendations for Incident Handling (1 of 2)
- NIST recommends maintaining a knowledge base, recording information as soon as possible, safeguarding incident data, prioritizing incident handling, establishing incident response policies, developing containment strategies, and capturing volatile data.
NIST Recommendations for Incident Handling (2 of 2)
- NIST also recommends gathering evidence through full forensic backups, holding lessons-learned meetings after incidents, and continuously improving the process.
Digital Forensics (1 of 2)
- Digital forensics determines what happened and how an incident occurred, applying traditional forensics concepts and techniques.
- The focus is on preservation, identification, extraction, documentation, and interpretation of digital evidence, which can serve as evidence or support root-cause analysis.
Digital Forensics (2 of 2)
- Digital forensics are used for investigating digital malfeasance and performing root-cause analysis.
- Organizations may choose either a protect-and-forget (patch and proceed) or an apprehend-and-prosecute (pursue and prosecute) approach.
- Digital forensics methodology follows preservation, identification, collection, analysis, and documentation phases, leading to a final report that is submitted for appropriate action.
The Digital Forensics Process
- The digital forensic process includes archival, security incident identification, investigation authorizations, collecting evidence for investigation, analyzing evidence, and finally producing and submitting a disposition report.
Disaster Recovery (1 of 2)
- Disaster recovery planning (DRP) is a critical aspect of disaster preparedness.
- A disaster occurs when an incident cannot be contained or the damage is so severe that immediate recovery is impossible.
Disaster Recovery (2 of 2)
- The key role of a Disaster Recovery Plan is to define how to reestablish operations at a primary location.
- Disaster recovery response teams (DRRTs) are created and managed to implement the DR plan in a disaster.
Disaster Recovery Process
- NIST methodology applies to DRP by organizing the DR team, developing a DR policy, reviewing the BIA, identifying preventive controls, creating recovery strategies, developing a DR plan, testing and exercising the plan, and maintaining it.
Disaster Recovery Policy
- A DRP policy has specific elements such as purpose, scope, roles, resources, and training considerations.
Disaster Classifications
- Disaster classifications include natural and human-made disasters, categorized by rapid-onset or slow-onset events, such as fires, floods, earthquakes, and other events.
Planning to Recover
- Scenario development and impact analysis categorize the threat level.
- In planning, people are the most important asset and come first, followed by roles, responsibilities, actions, mitigation steps, and contingency strategies.
Knowledge Check Activity 3
- When generating a disaster scenario for planning, the most important asset to start with is people.
Business Continuity (1 of 2)
- Business Continuity (BC) strategies ensure that critical business functions continue during a disaster.
- BC planning is usually managed by the CEO or COO and is typically executed concurrently with DRP.
Business Continuity (2 of 2)
- BC planning maintains critical functions at an alternate site while DRP focuses on recovery at the primary site.
- BC policies should address purpose, scope, roles/responsibilities, resource requirements, training, exercise/testing, maintenance schedules, and special considerations.
Crisis Management (1 of 3)
- Crisis management (CM) focuses on the human impact of disasters.
- The priority is maintaining human safety and the organization's image.
Crisis Management (2 of 3)
- The Crisis Management Planning Team (CMPT) is responsible for managing crises from an enterprise perspective.
- Its roles include supporting personnel and their families, informing the public about the crisis, and keeping communication channels with key stakeholders open.
Crisis Management (3 of 3)
- CMPT establishes disaster base operations near disaster site.
- CMPT members include personnel from different departments to facilitate communication and cooperation.
- CMPT priorities include verifying personnel status, engaging the alert roster, and coordinating with emergency services.
Knowledge Check Activity 4
- The initial focus in a crisis management response should be on the safety of staff, visitors, and the public.
Testing Contingency Plans
- Contingency plans often need to be tested because they rarely work as originally written.
- Four strategies for testing include desk checks, structured walk-throughs, simulations, and full interruptions.
Final Thoughts on CP
- Frequent testing and iteration improve contingency plans through continuous process improvement (CPI).
Week 10 - Security and Personnel
- Security related issues arise when employees leave the organization.
- Important considerations include ensuring all information access is properly secured.
Introduction to Security and Personnel
- Key human resource issues include job positioning, staffing changes, assessing impact, integrating concepts into management practices, and addressing employee concerns during program creation/enhancement.
Positioning the Security Function
- The information technology (IT) department is the most common placement for the InfoSec function.
- Other organizational placements include physical security, administrative services, insurance, risk management, and legal departments.
- InfoSec duties should balance compliance monitoring with education, training, awareness, and customer service.
Staffing the Information Security Function
- Selecting personnel should consider both internal supply/demand and external market factors.
- Many professionals gain skills/experience and become credentialed in the security field.
Knowledge Check Activity 1
- There is a high demand for information security staff compared to the overall average.
Qualifications and Requirements (1 of 3)
- Security professionals are frequently those with a solid understanding of IT and general management principles, including budgetary needs.
Qualifications and Requirements (2 of 3)
- Security positions need individuals knowing IT and information security terminology, understanding various threats, and how business solutions can address them.
Qualifications and Requirements (3 of 3)
- Organizations seek candidates with an understanding of organizational structure, the fact that information security is often a management issue, the importance of communication and collaboration, the role of policy in security efforts, and broader IT technology concepts.
Positions in Information Security
- Positions such as Chief Information Security Officer (CISO), Information Security Manager, Information Security Analyst/Engineer, Information Security Administrator, and Information Security Consultant are typical of a well-rounded security position hierarchy.
Employment Policies and Practices
- Employment policies should document InfoSec responsibilities, include concepts of security in organizational policy, and address personnel concerns related to implementing/enhancing security concepts.
Job Descriptions
- Job descriptions should include all aspects of required security responsibilities.
- Job descriptions should be reviewed and updated regularly, should incorporate security concepts, and should avoid revealing access privileges to prospective employees.
Interviews
- InfoSec departments should educate HR on the certifications, experience, expertise and qualifications of security staff.
- Candidate behavior should be tested in safe environments, such as facility tours.
Employment Contracts
- Agreements should be established for employee behavior monitoring and access policies, including nondisclosure agreements and employee consent to such actions.
New Hire Orientation
- New hires should be informed about relevant information security policies, procedures, and access levels to help ensure they understand their rights and responsibilities.
On-the-Job Security Training
- Job orientation should entail security awareness training and seminars to minimize errors.
- This training should be aimed at all employees and particularly at security employees.
Evaluating Performance
- Security elements should be incorporated into employee performance evaluations.
- Security mistakes and violations should be documented to help reinforce the importance of security in the employee evaluations and overall operations.
Termination (1 of 3)
- When an employee leaves, organizations need to secure information access.
Termination (2 of 3)
- Employee belongings should be collected with attention to securing office spaces, data, files, and keys.
- Terminations due to cause, downsizing, layoffs, and quitting should all have strict procedures for handling data access and property.
Termination (3 of 3)
- Organizations must protect data by either inventorying data or destroying it.
- A potential breach of policy should prompt a thorough investigation and enforcement of company policies.
Knowledge Check Activity 4
- Tasks when an employee is leaving include disabling system access, returning removable media, securing hard drives, modifying/changing office locks and keycard access, and removing personal effects.
Personnel Control Strategies (1 of 2)
- Separation of duties limits an employee's ability to compromise multiple areas.
- Two-person control (dual control) involves multiple employees reviewing work.
Personnel Control Strategies (2 of 2)
- Job rotation and mandatory vacations enable audits of employee performance and work.
- "Need-to-know" and least privilege principles limit access based on specific needs for tasks.
Security Considerations for Temporary Employees
- Temporary employees are not necessarily governed by the same policies, access restrictions, and reporting requirements as full-time employees.
- Specific security practices need to be implemented to address potential vulnerabilities concerning the temporary workers.
Week 11 - Security Technology: Access Controls, Firewalls, and VPNs
- Security technology includes access controls that enforce policy where direct human control is minimal.
- Firewalls combine hardware and software to filter traffic and control how information flows between networks.
- VPNs secure remote access through encryption.
Introduction to Access Controls
- Technical controls are critical for enforcing policies when human control isn't direct and ensure that information is available while maintaining confidentiality and integrity.
- Access controls are essential security mechanisms for regulating interactions between subjects (users, systems, or processes) and objects (resources like files, databases, devices, or applications).
Access Control (1 of 2)
- Access control refers to selective methods for regulating system resource usage by specifying user permissions and constraints.
- Mandatory Access Controls (MACs) use mandatory data classification schemes to manage and rate collections of information.
Access Control (2 of 2)
- Discretionary Access Controls (DACs) give data owners control over access settings.
- Nondiscretionary Access Controls (such as lattice-based access control (LBAC)) are centralized and manage authorization matrices for specific areas of access.
Access Controls
- Identification is the act of an entity presenting a claimed identity (a label by which it is known to the system).
- Authentication verifies that the claimed identity is indeed correct.
- Authorization defines permitted actions.
- Accountability involves tracking and monitoring actions.
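The mandatory, discretionary and lattice-based models in the two "Access Control" sections above differ in who decides and how the decision is computed. This added example (not from the original notes) models both: a lattice label of sensitivity level plus compartments, where a subject may read an object only if its clearance dominates the object's label (mandatory, centrally assigned), and an owner-managed ACL where only the owner can grant permissions (discretionary). The level names, compartments, subjects and objects are constructed for the illustration.

```python
from dataclasses import dataclass, field

# Assumed ordered sensitivity levels for the lattice (constructed for this example).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

@dataclass(frozen=True)
class Label:
    """Lattice label: a sensitivity level plus a set of need-to-know compartments."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        # self >= other in the lattice: level at least as high AND all of other's compartments
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

def mac_can_read(subject_clearance, object_label):
    """Mandatory control ("no read up"): the clearance must dominate the object's label.
    Neither the subject nor the data owner can change this; it follows from the labels."""
    return subject_clearance.dominates(object_label)

@dataclass
class DacObject:
    """Discretionary control: the owner decides who gets which permissions."""
    owner: str
    acl: dict = field(default_factory=dict)   # user -> set of permissions

    def grant(self, granting_user, target_user, perm):
        if granting_user != self.owner:
            raise PermissionError(f"{granting_user} is not the owner and cannot grant access")
        self.acl.setdefault(target_user, set()).add(perm)

    def allows(self, user, perm):
        return user == self.owner or perm in self.acl.get(user, set())

# Constructed subjects (clearances) and objects (classification labels).
CLEARANCES = {
    "analyst": Label("confidential", frozenset({"ir"})),
    "intern":  Label("internal"),
    "ciso":    Label("secret", frozenset({"ir", "hr"})),
}
OBJECTS = {
    "ir-playbook":     Label("confidential", frozenset({"ir"})),
    "hr-terminations": Label("confidential", frozenset({"hr"})),
    "press-release":   Label("public"),
}

def mac_decision_table():
    """Every (subject, object) read decision under the mandatory model."""
    return {(s, o): mac_can_read(CLEARANCES[s], OBJECTS[o]) for s in CLEARANCES for o in OBJECTS}

if __name__ == "__main__":
    for (s, o), ok in mac_decision_table().items():
        print(f"MAC  {s:8} read {o:16} -> {'allow' if ok else 'deny'}")
    doc = DacObject(owner="alice")
    doc.grant("alice", "bob", "read")
    print("DAC  bob read  ->", doc.allows("bob", "read"))
    print("DAC  bob write ->", doc.allows("bob", "write"))
```

The analyst holds the same level as the HR file but lacks its compartment, so the lattice denies the read even though a level-only scheme would allow it; that is the need-to-know refinement the "Need-to-know" bullet in week 10 refers to. Under DAC, Bob can read Alice's document but cannot extend that access to anyone else, because only the owner may call `grant`.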
Biometrics
- Biometric systems use measurable human characteristics for authentication. Common examples include fingerprints, retina/iris scans, and DNA.
- Biometrics are assessed by false reject rate (FRR), false accept rate (FAR), and their crossover point (CER).
Knowledge Check Activity 1
- The effectiveness of biometric-based controls is evaluated by observing where the rate of false rejections and false acceptances intersect (CER).
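The FRR, FAR and CER in the "Biometrics" section and the knowledge check above are functions of the matcher's acceptance threshold, so the crossover has to be found by sweeping that threshold. This added example (not from the original notes) computes both error rates from constructed genuine and impostor match scores and locates the threshold where they cross. The score values and the "accept when score is at or above threshold" rule are assumptions made for the illustration.

```python
# Constructed matcher scores in [0, 1]; higher means "closer to the enrolled template".
# Genuine attempts are the enrolled user; impostor attempts are other people.
GENUINE_SCORES = [0.92, 0.88, 0.85, 0.81, 0.79, 0.76, 0.74, 0.70, 0.66, 0.60]
IMPOSTOR_SCORES = [0.20, 0.28, 0.35, 0.41, 0.48, 0.55, 0.62, 0.68, 0.72, 0.80]

def far_frr_at(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Accept when score >= threshold.
    FRR = fraction of genuine attempts rejected (false rejects).
    FAR = fraction of impostor attempts accepted (false accepts)."""
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return far, frr

def find_cer(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES, steps=100):
    """Sweep thresholds 0.00..1.00 and return (threshold, far, frr) at the point where
    |FAR - FRR| is smallest; that shared error value is the crossover error rate (CER)."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        far, frr = far_frr_at(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, far, frr)
    return best[1:]

if __name__ == "__main__":
    for t in (0.50, 0.69, 0.85):
        far, frr = far_frr_at(t)
        print(f"threshold {t:.2f}: FAR={far:.2f} FRR={frr:.2f}")
    t, far, frr = find_cer()
    print(f"CER ~ {far:.2f} at threshold {t:.2f}")
```

A low threshold (0.50) rejects no genuine users but admits half the impostors; a high one (0.85) admits no impostors but rejects most genuine users. The CER is the single number that lets two systems be compared, but an operator still picks the threshold by which error is costlier for the deployment, which is why a door to a server room is tuned toward low FAR and a consumer phone unlock toward low FRR.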
Firewall Technologies
- Firewalls combine hardware and software to filter information flowing between internal (trusted) and external (untrusted) networks.
- Common firewall types include packet-filtering firewalls, application layer proxies, and MAC layer firewalls.
Packet-Filtering Firewalls (1 of 2)
- Packet-filtering firewalls examine packet headers to filter data based on factors like IP addresses, port numbers, and the direction of the traffic (inbound or outbound).
Packet-Filtering Firewalls (2 of 2)
- The three subsets of packet-filtering firewalls are static, dynamic, and stateful.
- Static firewalls have pre-programmed rules.
- Dynamic firewalls adapt to changing conditions.
- Stateful firewalls track ongoing connections to prevent unauthorized access.
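The difference between a static packet filter and a stateful one is easiest to see on return traffic: a static rule set has no memory, so the only way to let replies back in is a broad inbound rule, which also admits unsolicited packets. This added example (not from the original notes) implements a first-match static filter and a stateful filter that records allowed outbound connections, then runs both over a constructed request, its reply and an unsolicited probe. The rule set, the addresses and the packet model are assumptions made for the illustration; a real firewall also tracks TCP flags, timeouts and sequence numbers.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter looks at (constructed, not a real capture)."""
    direction: str   # "in" or "out", relative to the trusted network
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    direction: str                # "in", "out" or "any"
    proto: str                    # "tcp", "udp" or "any"
    src: str                      # source CIDR
    dst: str                      # destination CIDR
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))

class StaticFilter:
    """Static packet filter: first matching rule wins; an implicit final rule denies."""
    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return "deny"

class StatefulFilter(StaticFilter):
    """Stateful inspection: same rules for new traffic, plus a connection table that
    admits inbound replies to connections an inside host was allowed to open."""
    def __init__(self, rules):
        super().__init__(rules)
        self.table = set()   # (proto, inside_ip, inside_port, outside_ip, outside_port)

    def decide(self, p: Packet) -> str:
        if p.direction == "in" and (p.proto, p.dst, p.dport, p.src, p.sport) in self.table:
            return "allow"                       # reply to a tracked connection
        action = super().decide(p)
        if action == "allow" and p.direction == "out":
            self.table.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return action

# Constructed policy: hosts in 10.0.0.0/8 may reach HTTPS anywhere and one external
# resolver; no inbound traffic is explicitly permitted.
RULES = [
    Rule("allow", "out", "tcp", "10.0.0.0/8", "0.0.0.0/0", 443),
    Rule("allow", "out", "udp", "10.0.0.0/8", "198.51.100.53/32", 53),
]
# The only way a static filter can admit replies: a broad inbound allow rule.
REPLY_RULE = Rule("allow", "in", "tcp", "0.0.0.0/0", "10.0.0.0/8")

def demo():
    """Decisions for request / reply / probe under three filter configurations."""
    request = Packet("out", "tcp", "10.0.1.5", 51000, "203.0.113.10", 443)   # inside opens HTTPS
    reply   = Packet("in",  "tcp", "203.0.113.10", 443, "10.0.1.5", 51000)   # legitimate response
    probe   = Packet("in",  "tcp", "203.0.113.10", 443, "10.0.1.5", 52000)   # unsolicited inbound
    filters = {
        "static":            StaticFilter(RULES),
        "static+reply_rule": StaticFilter(RULES + [REPLY_RULE]),
        "stateful":          StatefulFilter(RULES),
    }
    return {name: [f.decide(request), f.decide(reply), f.decide(probe)]
            for name, f in filters.items()}

if __name__ == "__main__":
    for name, decisions in demo().items():
        print(f"{name:18} request/reply/probe -> {decisions}")
```

The plain static filter breaks the user's HTTPS session (the reply is dropped); adding the reply rule fixes that but also lets the probe through; the stateful filter allows exactly the reply and nothing else, because its decision for inbound traffic depends on a connection it has already seen.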
Application Layer Proxy Firewall
- Application layer proxy firewalls combine firewall and application functions.
- They are typically placed outside the trusted network (for example, in the DMZ) and offer an added layer of security control.
MAC Layer Firewalls
- MAC layer firewalls operate at the media access control (MAC) layer and control access based on specific MAC addresses or protocols.
Knowledge Check Activity 2
- Stateful inspection firewalls monitor each network connection to track each packet exchange between internal and external network systems.
Hybrid Firewalls
- Hybrid firewalls integrate various firewall technologies, combining filtering, proxy, and gateway functions.
- They provide security improvement through combining different technologies' strengths.
Selecting the Right Firewall
- Critical factors when selecting a firewall include an appropriate level of protection at a reasonable cost, ease of configuration, capacity to adapt to network growth, and support that helps prevent security losses for the organization. Business requirements and organizational needs must also be considered.
Configuring and Managing Firewalls
- Organizations need configuration and ongoing management for firewalls in various situations.
- Configuring firewall policies is as much an art as a science; the aim is to resolve conflicts between security controls and business objectives.
Content Filters
- Content filters restrict network traffic based on rules about content, such as scripts, programs, or specific sites.
- Common uses of content filters include preventing access to inappropriate sites or blocking incoming spam.
Protecting Remote Connections
- Remote network connections need security solutions like leased lines or service agreements to meet organizational requirements.
- VPNs are an option to provide flexible network access over public connections.
Remote Access
- Unsecured dial-up connections pose a significant security risk because they are easy targets for attack and need stronger remote authentication.
- Security technologies like Kerberos, RADIUS, Diameter, and TACACS offer improvements in remote authentication.
SESAME
- SESAME is an access control system with features like authentication to a privilege attribute server, public key encryption, and access control. This system has improved manageability and auditing capabilities.
Virtual Private Networks (VPNs)
- VPNs create secure connections over public networks, extend internal networks to remote locations, and support various configurations.
Tunnel Mode VPNs
- Tunnel mode VPNs encrypt the entire original IP packet, header and data, and encapsulate it in a new packet to create a secure connection over a shared network.
Knowledge Check Activity 3
- Transport mode VPNs encrypt only the packet payload, creating a secure link between a user device and a VPN server without encrypting the packet header.
Description
This quiz focuses on the key topics addressed in week 8 of the curriculum, specifically about Security Technology and Incident Response Planning. Test your knowledge about what was covered during this week and the implications for effective security practices. Prepare to identify which concepts were not explicitly mentioned in the provided weeks.