Answer Description

The Health Insurance Portability and Accountability Act (HIPAA) is a regulatory act in the United States that sets requirements for companies that store sensitive health data. It applies to hospitals, insurance companies, etc. as well as any companies that store health related data in HR systems (one example could be if an employee in a warehouse cannot lift above a certain weight).

Wikipedia

The Health Insurance Portability and Accountability Act of 1996 (HIPAA or the Kennedy–Kassebaum Act) is a United States federal statute enacted by the 104th United States Congress and signed into law by President Bill Clinton on August 21, 1996. It modernized the flow of healthcare information, stipulates how personally identifiable information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and addressed some limitations on healthcare insurance coverage. It generally prohibits healthcare providers and healthcare businesses, called covered entities, from disclosing protected information to anyone other than a patient and the patient's authorized representatives without their consent. With limited exceptions, it does not restrict patients from receiving information about themselves. It does not prohibit patients from voluntarily sharing their health information however they choose, nor – if they disclose medical information to family members, friends, or other individuals not a part of a covered entity – legally require them to maintain confidentiality. The act consists of five titles. Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. Title III sets guidelines for pre-tax medical spending accounts, Title IV sets guidelines for group health plans, and Title V governs company-owned life insurance policies.

Answer Description

An anomaly-based Network Intrusion Detection System (NIDS) detects unusual network traffic after first being 'trained' on normal network traffic. Theses systems use data mining and artificial intelligence to classify traffic as normal or anomaly/potentially malicious.

Wikipedia

An anomaly-based intrusion detection system, is an intrusion detection system for detecting both network and computer intrusions and misuse by monitoring system activity and classifying it as either normal or anomalous. The classification is based on heuristics or rules, rather than patterns or signatures, and attempts to detect any type of misuse that falls out of normal system operation. This is as opposed to signature-based systems, which can only detect attacks for which a signature has previously been created.In order to positively identify attack traffic, the system must be taught to recognize normal system activity. The two phases of a majority of anomaly detection systems consist of the training phase (where a profile of normal behaviors is built) and testing phase (where current traffic is compared with the profile created in the training phase). Anomalies are detected in several ways, most often with artificial intelligence type techniques. Systems using artificial neural networks have been used to great effect. Another method is to define what normal usage of the system comprises using a strict mathematical model, and flag any deviation from this as an attack. This is known as strict anomaly detection. Other techniques used to detect anomalies include data mining methods, grammar based methods, and Artificial Immune System.Network-based anomalous intrusion detection systems often provide a second line of defense to detect anomalous traffic at the physical and network layers after it has passed through a firewall or other security appliance on the border of a network. Host-based anomalous intrusion detection

Answer Description

Using a Hash or Hashing data converts information using a one way function. This means it cannot be converted back into it's original format. This is ideal for storing things like passwords so even if the list of hashed passwords is lost they cannot be easily "decrypted."

Wikipedia

A cryptographic hash function (CHF) is a mathematical algorithm that maps data of an arbitrary size (often called the "message") to a bit array of a fixed size (the "hash value", "hash", or "message digest"). It is a one-way function, that is, a function for which it is practically infeasible to invert or reverse the computation. Ideally, the only way to find a message that produces a given hash is to attempt a brute-force search of possible inputs to see if they produce a match, or use a rainbow table of matched hashes. Cryptographic hash functions are a basic tool of modern cryptography. A cryptographic hash function must be deterministic, meaning that the same message always results in the same hash. Ideally it should also have the following properties: it is quick to compute the hash value for any given message it is infeasible to generate a message that yields a given hash value (i.e. to reverse the process that generated the given hash value) it is infeasible to find two different messages with the same hash value a small change to a message should change the hash value so extensively that a new hash value appears uncorrelated with the old hash value (avalanche effect) Cryptographic hash functions have many information-security applications, notably in digital signatures, message authentication codes (MACs), and other forms of authentication. They can also be used as ordinary hash functions, to index data in hash tables, for fingerprinting, to detect duplicate data or uniquely identify files, and as checksums to detect accidental

Answer Description

The attack described is called a Replay or Playback attack. The attacker is able to eavesdrop on network data (through some other method) and is resending the collected network data to gain access to confidential data or to hijack a users session. Aside from ensuring network data is not intercepted, the easiest way to defend against a replay attack is to use encrypted connections (e.g. HTTPS for a website).

Wikipedia

A replay attack (also known as a repeat attack or playback attack) is a form of network attack in which valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and re-transmits it, possibly as part of a spoofing attack by IP packet substitution. This is one of the lower-tier versions of a man-in-the-middle attack. Replay attacks are usually passive in nature. Another way of describing such an attack is: "an attack on a security protocol using a replay of messages from a different context into the intended (or original and expected) context, thereby fooling the honest participant(s) into thinking they have successfully completed the protocol run."

Answer Description

A wildcard domain applies to the domain and any subdomains. For example a certificate for *.google.com could be used on mail.google.com, photos.google.com, etc. This way it is not necessary to create and manage individual certificates for all of these sub domains.

Wikipedia

In computer networking, a wildcard certificate is a public key certificate which can be used with multiple sub-domains of a domain. The principal use is for securing web sites with HTTPS, but there are also applications in many other fields. Compared with conventional certificates, a wildcard certificate can be cheaper and more convenient than a certificate for each sub-domain. Multi-domain wildcard certificates further simplify the complexity and reduce costs by securing multiple domains and their sub-domains.

Answer Description

A generator is the best option here because it can operate for as long as there is fuel and can power entire buildings at once. It is also the most expensive solution. An Uninterruptible Power Supply (UPS) will provide temporary power (a few minutes to a few hours) to electronic devices in the event of a power outage, so while helpful it is not enough to meet the 24 hour requirement.

Answer Description

Defense-in-depth is a concept that covers security from many different angles. The idea is to apply security measures wherever possible including physical controls like fences, technical controls like firewalls and administrative concepts like policies and user training. Defense-in-depth is a concept meant to ensure all possible security measures are taken into account.

Wikipedia

Defense In Depth is a concept used in Information security in which multiple layers of security controls (defense) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited that can cover aspects of personnel, procedural, technical and physical security for the duration of the system's life cycle.

Answer Description

The term Trusted Operating System (TOS) refers to an operating system that has been certified to have a certain level of security. The requirement of this certification are defined in the Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria or CC). Many organizations (especially governments) may only use operating systems certified as Trusted OS's.

Wikipedia

Trusted Operating System (TOS) generally refers to an operating system that provides sufficient support for multilevel security and evidence of correctness to meet a particular set of government requirements. The most common set of criteria for trusted operating system design is the Common Criteria combined with the Security Functional Requirements (SFRs) for Labeled Security Protection Profile (LSPP) and mandatory access control (MAC). The Common Criteria is the result of a multi-year effort by the governments of the U.S., Canada, United Kingdom, France, Germany, the Netherlands and other countries to develop a harmonized security criteria for IT products.

Answer Description

This is a Structured Query Language (SQL) injection. SQL is a standard language for relational database management. It's common for an application to take data from a user, create a SQL script and pass this to the underlying database. When an application has a SQL injection vulnerability the application is not validating user input to check for SQL. This allows a malicious user to send SQL commands through the application and into the database for execution.

Wikipedia

SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database. SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. In a 2012 study, it was observed that the average web application received four attack campaigns per month, and retailers received twice as many attacks as other industries.

Answer Description

3DES or Triple DES applies the DES algorithm three times. DES uses 16 rounds so we can conclude that 3 DES performs 48 (3 * 16 = 48)

Wikipedia

In cryptography, Triple DES (3DES or TDES), officially the Triple Data Encryption Algorithm (TDEA or Triple DEA), is a symmetric-key block cipher, which applies the DES cipher algorithm three times to each data block. The Data Encryption Standard's (DES) 56-bit key is no longer considered adequate in the face of modern cryptanalytic techniques and supercomputing power. A CVE released in 2016, CVE-2016-2183 disclosed a major security vulnerability in DES and 3DES encryption algorithms. This CVE, combined with the inadequate key size of DES and 3DES, NIST has deprecated DES and 3DES for new applications in 2017, and for all applications by 2023. It has been replaced with the more secure, more robust AES. While the government and industry standards abbreviate the algorithm's name as TDES (Triple DES) and TDEA (Triple Data Encryption Algorithm), RFC 1851 referred to it as 3DES from the time it first promulgated the idea, and this namesake has since come into wide use by most vendors, users, and cryptographers.

Answer Description

Elliptic Curve Diffie-Hellman (ECDH) is a key exchange protocol used in Public Key Infrastructure (PKI). It allows for establishing shared secrets between two parties.

Wikipedia

Answer Description

WiFi Protected Access 2 (WPA2) is the strongest encryption currently available for wireless networks. WPA and Wired Equivalent Privacy (WEP) are both options available on the market but are less secure and have known vulnerabilities. WIFI-S is not a real protocol.

Wikipedia

Wi-Fi Protected Access (WPA), Wi-Fi Protected Access II (WPA2), and Wi-Fi Protected Access 3 (WPA3) are the three security and security certification programs developed by the Wi-Fi Alliance to secure wireless computer networks The Alliance defined these in response to serious weaknesses researchers had found in the previous system, Wired Equivalent Privacy (WEP)WPA (sometimes referred to TKIP standard) became available in 2003 The Wi-Fi Alliance intended it as an intermediate measure in anticipation of the availability of the more secure and complex WPA2, which became available in 2004 and is a common shorthand for the full IEEE 80211i (or IEEE 802

Answer Description

A Self Encrypting Drive (SED) is a type of hard drive that automatically encrypted all data saved to the disk. It is a hardware based encryption meaning that a circuit built in the disk drive controller handles the encrypted/decryption itself. All contents of the drive are encrypted including the operating system and any user files or documents.

Answer Description

As you are scanning the live/production system a non-intrusive scan is best. Non-intrusive means security issues will be identified but not exploited as to not negatively impact the system. The issue with this is some vulnerabilities cannot be found without trying an exploit (e.g. a SQL injection to delete data can't be tested without actually deleting data). Due to this the scenario described in the question is not ideal and it's possible vulnerabilities that exist will not be found.

Answer Description

Most likely this was a Distributed Denial of Service (DDOS) attack using bots to create large amounts of malicious web requests. With enough requests the web server's capacity will be exhausted and no one will be able to access the website.

Wikipedia

In computing, a denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to a network. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.In a distributed denial-of-service attack (DDoS attack), the incoming traffic flooding the victim originates from many different sources. More sophisticated strategies are required to mitigate against this type of attack, as simply attempting to block a single source is insufficient.Criminal perpetrators of DoS attacks often target sites or services hosted on high-profile web servers such as banks or credit card payment gateways. Revenge, blackmail and activism can motivate these attacks.

Answer Description

This type of WiFi network is called Guest WiFi. Guest WiFi's are intended for external users like subcontractors or 3rd party partners. It could also be permitted for employees personnel devices. In some cases the Guest WiFi may also allow restricted access to internal resources, but this needs to be properly secured to ensure access is limited as much as possible.

Answer Description

A SYN Flood sends a large number of SYN requests (the first step in creating a new TCP connection). After this the attacker ignores the ACK which is sent back from the server and simply sends another SYN. The goal is to overload the server with huge number of open TCP connections. By doing so the server will not be able to respond to valid traffic from normal users - thus resulting in a Denial of Service (DOS).

Wikipedia

A SYN flood is a form of denial-of-service attack in which an attacker rapidly initiates a connection to a server without finalizing the connection. The server has to spend resources waiting for half-opened connections, which can consume enough resources to make the system unresponsive to legitimate traffic.The packet that the attacker sends is the SYN packet, a part of TCP's three-way handshake used to establish a connection.

Answer Description

This type of system is called a honeypot or honeynet. A honeypot is a system created specifically to attract hackers and act as a decoy system. Most likely it will have some obvious vulnerability like a misconfigured proxy or firewall to attract attackers. You can think of it as the digital equivalent of a string operation. By creating an easy target you can avoid attacks on the productive network and also learn what types of vulnerabilities and attack types exist in the honeypot/net to better protect the productive network.

Wikipedia

In computer terminology, a honeypot is a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems. Generally, a honeypot consists of data (for example, in a network site) that appears to be a legitimate part of the site and contain information or resources of value to attackers. It is actually isolated, monitored, and capable of blocking or analyzing the attackers. This is similar to police sting operations, colloquially known as "baiting" a suspect.

Answer Description

syslog is a vendor neutral standard for message logging. It includes a standard format for logs as well as a network protocol for sending log data to another device. Common uses of syslog are on Unix and Linux operating systems and network devices like routers, switches and firewalls.

Wikipedia

In computing, syslog is a standard for message logging. It allows separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them. Each message is labeled with a facility code, indicating the type of system generating the message, and is assigned a severity level. Computer system designers may use syslog for system management and security auditing as well as general informational, analysis, and debugging messages. A wide variety of devices, such as printers, routers, and message receivers across many platforms use the syslog standard. This permits the consolidation of logging data from different types of systems in a central repository. Implementations of syslog exist for many operating systems. When operating over a network, syslog uses a client-server architecture where a syslog server listens for and logs messages coming from clients.

Answer Description

The malware found is a Keylogger. It records the input typed by the user and in this case recorded user account credentials (username and password). Situations like this are common when companies allow Bring Your Own Device (BYOD) as network administrators have very limited control over devices not owned by the company.

Wikipedia

Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (logging) the keys struck on a keyboard, typically covertly, so that a person using the keyboard is unaware that their actions are being monitored. Data can then be retrieved by the person operating the logging program. A keystroke recorder or keylogger can be either software or hardware. While the programs themselves are legal, with many designed to allow employers to oversee the use of their computers, keyloggers are most often used for stealing passwords and other confidential information.Keylogging can also be used to study keystroke dynamics or human-computer interaction. Numerous keylogging methods exist, ranging from hardware and software-based approaches to acoustic cryptanalysis.