Answer Description

Answer Description

This type of warning is a deterrent. Deterrents is anything intended to warn a (potential) malicious user that they should not access a system, area or conduct a certain action. Examples are warning messages, signs, posted notices, etc.

Answer Description

Security Information and Event Management (SIEM) systems are used to centralize logging and alerting from various types of network devices. Common functionalities include data aggregation, alerting, forensic analysis and data retention/compliance. They are most commonly found in mid-size to larger networks where there are too many devices to monitor separately.

Wikipedia

Security information and event management (SIEM) is a field within the field of computer security, where software products and services combine security information management (SIM) and security event management (SEM). They provide real-time analysis of security alerts generated by applications and network hardware. Vendors sell SIEM as software, as appliances, or as managed services; these products are also used to log security data and generate reports for compliance purposes. The term and the initialism SIEM was coined by Mark Nicolett and Amrit Williams of Gartner in 2005.

Answer Description

WiFi Protected Access 2 (WPA2) is the strongest encryption currently available for wireless networks. WPA and Wired Equivalent Privacy (WEP) are both options available on the market but are less secure and have known vulnerabilities. WIFI-S is not a real protocol.

Wikipedia

Wi-Fi Protected Access (WPA), Wi-Fi Protected Access II (WPA2), and Wi-Fi Protected Access 3 (WPA3) are the three security and security certification programs developed by the Wi-Fi Alliance to secure wireless computer networks The Alliance defined these in response to serious weaknesses researchers had found in the previous system, Wired Equivalent Privacy (WEP)WPA (sometimes referred to TKIP standard) became available in 2003 The Wi-Fi Alliance intended it as an intermediate measure in anticipation of the availability of the more secure and complex WPA2, which became available in 2004 and is a common shorthand for the full IEEE 80211i (or IEEE 802

Answer Description

Network Address Translation (NAT) allows many devices to share an IP when accessing another network. Most commonly it is used to allow internal devices to share public IP addresses when accessing the internet. Benefits of NAT include minimizing the number of public IP addresses required (they cost money and for IPv4 there is a limited number available) as well as masking the origin of the request which provides security benefits. Generally NAT is used on a router or firewall.

Wikipedia

Network address translation (NAT) is a method of mapping an IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device. The technique was originally used to bypass the need to assign a new address to every host when a network was moved, or when the upstream Internet service provider was replaced, but could not route the network's address space. It has become a popular and essential tool in conserving global address space in the face of IPv4 address exhaustion. One Internet-routable IP address of a NAT gateway can be used for an entire private network.As network address translation modifies the IP address information in packets, NAT implementations may vary in their specific behavior in various addressing cases and their effect on network traffic. The specifics of NAT behavior are not commonly documented by vendors of equipment containing NAT implementations.

Answer Description

tcpdump is a packet analyzer or packet sniffer available on many Linux operating systems. It can be used to record all packets being sent to/from a server and reviewed in real time or saved to a file for later review/analysis.

Wikipedia

tcpdump is a data-network packet analyzer computer program that runs under a command line interface. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. Distributed under the BSD license, tcpdump is free software. Tcpdump works on most Unix-like operating systems: Linux, Solaris, FreeBSD, DragonFly BSD, NetBSD, OpenBSD, OpenWrt, macOS, HP-UX 11i, and AIX. In those systems, tcpdump uses the libpcap library to capture packets. The port of tcpdump for Windows is called WinDump; it uses WinPcap, the Windows version of libpcap.

Answer Description

Layer 2 addresses (also called physical address) are MAC addresses. Using MAC filtering you can disallow any devices that are not explicitly granted access. While this can help increase security, it is not fool proof and advanced attackers can easily spoof the MAC address to gain access. MAC filtering alone is not sufficient to protect a network.

Wikipedia

In computer networking, MAC address filtering is a security access control method whereby the MAC address assigned to each network interface controller is used to determine access to the network. MAC addresses are uniquely assigned to each card, so using MAC filtering on a network permits and denies network access to specific devices through the use of blacklists and whitelists. While the restriction of network access through the use of lists is straightforward, an individual person is not identified by a MAC address, rather a device only, so an authorized person will need to have a whitelist entry for each device that they would like to access the network. While giving a network some additional protection, MAC filtering can be circumvented by using a packet analyzer to find a valid MAC and then using MAC spoofing to access the network using that address. MAC address filtering can be considered as security through obscurity because the effectiveness is based on "the secrecy of the implementation or its components".

Answer Description

A full-scale test is exactly what it sounds like, a full test of disaster recovery. This type of test simulates a real-life disaster scenario as closely as possible and will require extensive resources and manpower.

Wikipedia

Disaster recovery is the process of maintaining or reestablishing vital infrastructure and systems following a natural or human-induced disaster, such as a storm or battle. It employs policies, tools, and procedures. Disaster recovery focuses on the information technology (IT) or technology systems supporting critical business functions as opposed to business continuity. This involves keeping all essential aspects of a business functioning despite significant disruptive events; it can therefore be considered a subset of business continuity. Disaster recovery assumes that the primary site is not immediately recoverable and restores data and services to a secondary site.

Answer Description

A generator is the best option here because it can operate for as long as there is fuel and can power entire buildings at once. It is also the most expensive solution. An Uninterruptible Power Supply (UPS) will provide temporary power (a few minutes to a few hours) to electronic devices in the event of a power outage, so while helpful it is not enough to meet the 24 hour requirement.

Answer Description

When a user or system wants to make a request to another system without revealing it's identity a proxy can be used. Proxies act as intermediaries to transmit data between systems. The most common use case is to route web requests from internal users and devices through a reverse proxy so that external web servers cannot tell which internal user or device made the original request.

Wikipedia

In computer networking, a proxy server is a server application that acts as an intermediary between a client requesting a resource and the server providing that resource.Instead of connecting directly to a server that can fulfill a request for a resource, such as a file or web page, the client directs the request to the proxy server, which evaluates the request and performs the required network transactions. This serves as a method to simplify or control the complexity of the request, or provide additional benefits such as load balancing, privacy, or security. Proxies were devised to add structure and encapsulation to distributed systems. A proxy server thus functions on behalf of the client when requesting service, potentially masking the true origin of the request to the resource server.

Answer Description

Wired Equivalent Privacy (WEP) was a commonly used security protocol for encrypted wireless networks. It has been deprecated and is outdated with known vulnerabilities. WEP should not be used, instead a newer and more robust option like WPA2 should be implemented.

Wikipedia

Wired Equivalent Privacy (WEP) was a security algorithm for 802.11 wireless networks. Introduced as part of the original IEEE 802.11 standard ratified in 1997, its intention was to provide data confidentiality comparable to that of a traditional wired network. WEP, recognizable by its key of 10 or 26 hexadecimal digits (40 or 104 bits), was at one time widely used, and was often the first security choice presented to users by router configuration tools.In 2003, the Wi-Fi Alliance announced that WEP had been superseded by Wi-Fi Protected Access (WPA). In 2004, with the ratification of the full 802.11i standard (i.e. WPA2), the IEEE declared that both WEP-40 and WEP-104 have been deprecated.WEP was the only encryption protocol available to 802.11a and 802.11b devices built before the WPA standard, which was available for 802.11g devices. However, some 802.11b devices were later provided with firmware or software updates to enable WPA, and newer devices had it built in.

Answer Description

Mean time to recovery (MTTR) is the estimated amount of time between a failure and recovery of a device. Mean time between failures (MTBF) is the average amount of time between failures of a device (generally provided by the manufacturer). Mean time to failure (MTTF) is the length of time a device lasts in operation. MRTR is something we made up.

Wikipedia

Mean time to recovery (MTTR) is the average time that a device will take to recover from any failure. Examples of such devices range from self-resetting fuses (where the MTTR would be very short, probably seconds), to whole systems which have to be repaired or replaced. The MTTR would usually be part of a maintenance contract, where the user would pay more for a system MTTR of which was 24 hours, than for one of, say, 7 days. This does not mean the supplier is guaranteeing to have the system up and running again within 24 hours (or 7 days) of being notified of the failure. It does mean the average repair time will tend towards 24 hours (or 7 days). A more useful maintenance contract measure is the maximum time to recovery which can be easily measured and the supplier held accountably. Note that some suppliers will interpret MTTR to mean 'mean time to respond' and others will take it to mean 'mean time to replace/repair/recover/resolve'. The former indicates that the supplier will acknowledge a problem and initiate mitigation within a certain timeframe. Some systems may have an MTTR of zero, which means that they have redundant components which can take over the instant the primary one fails, see RAID for example. However, the failed device involved in this redundant configuration still needs to be returned to service and hence the device itself has a non-zero MTTR even if the system as a whole (through redundancy) has an MTTR of zero.

Answer Description

Network diagnostic tools like ping and tracert use the Internet Control Message Protocol (ICMP) to function. Using a firewall to block external systems from using this protocol to contact internal solutions will ensure ping cannot be used against the servers discussed in the question.

Wikipedia

The Internet Control Message Protocol (ICMP) is a supporting protocol in the Internet protocol suite. It is used by network devices, including routers, to send error messages and operational information indicating success or failure when communicating with another IP address, for example, an error is indicated when a requested service is not available or that a host or router could not be reached. ICMP differs from transport protocols such as TCP and UDP in that it is not typically used to exchange data between systems, nor is it regularly employed by end-user network applications (with the exception of some diagnostic tools like ping and traceroute). ICMP for IPv4 is defined in RFC 792. A separate ICMPv6, defined by RFC 4443, is used with IPv6.

Answer Description

A hash value, hashed value or just a hash is the result of a one-way cryptographic function. Hashes are used to verify the integrity of data (e.g. a file download) as well as to store sensitive data such like passwords.

Wikipedia

A cryptographic hash function (CHF) is a hash algorithm (a map of an arbitrary binary string to a binary string with fixed size of n {\displaystyle n} bits) that has special properties desirable for a cryptographic application:the probability of a particular n {\displaystyle n} -bit output result (hash value) for a random input string ("message") is 2 − n {\displaystyle 2^{-n}} (as for any good hash), so the hash value can be used as a representative of the message; finding an input string that matches a given

Answer Description

The steps of the incident response process are: Preparation, Identification, Containment, Eradication, Recovery, Lessons learned.

Answer Description

Exculpatory evidence is evidence in an investigation the proves the innocence of a suspected person or party. Inculpatory evidence is the opposite and proves guilt. Demonstrative evidence is evidence that helps explain facts, common examples are charts, graphs, videos, etc.

Wikipedia

Exculpatory evidence is evidence favorable to the defendant in a criminal trial that exonerates or tends to exonerate the defendant of guilt. It is the opposite of inculpatory evidence, which tends to present guilt. In many countries, including the United States, police and prosecutors are required to disclose to the defendant exculpatory evidence they possess before the defendant enters a plea (guilty or not guilty). In some countries such as Germany, the prosecutor has to actively search for both exculpatory and inculpatory circumstances and evidence before filing of action.Per the Brady v. Maryland decision, prosecutors in the United States have a duty to disclose exculpatory evidence even if not requested to do so. While the prosecution is not required to search for exculpatory evidence and must disclose only the evidence in its possession, custody, or control, the prosecution's duty is to disclose all information known to any member of its team, e.g., police, investigators, crime labs, et cetera. In Brady v. Maryland, the U.S. Supreme Court held that such a requirement follows from constitutional due process and is consistent with the prosecutor's duty to seek justice. The Brady doctrine is a pretrial discovery rule that was established by the United States Supreme Court in Brady v. Maryland (1963). The rule requires that the prosecution must turn over all exculpatory evidence to the defendant in a criminal case. Exculpatory evidence is evidence that might exonerate the defendant.

Answer Description

An anomaly-based Network Intrusion Detection System (NIDS) detects unusual network traffic after first being 'trained' on normal network traffic. Theses systems use data mining and artificial intelligence to classify traffic as normal or anomaly/potentially malicious.

Wikipedia

An anomaly-based intrusion detection system, is an intrusion detection system for detecting both network and computer intrusions and misuse by monitoring system activity and classifying it as either normal or anomalous. The classification is based on heuristics or rules, rather than patterns or signatures, and attempts to detect any type of misuse that falls out of normal system operation. This is as opposed to signature-based systems, which can only detect attacks for which a signature has previously been created.In order to positively identify attack traffic, the system must be taught to recognize normal system activity. The two phases of a majority of anomaly detection systems consist of the training phase (where a profile of normal behaviors is built) and testing phase (where current traffic is compared with the profile created in the training phase). Anomalies are detected in several ways, most often with artificial intelligence type techniques. Systems using artificial neural networks have been used to great effect. Another method is to define what normal usage of the system comprises using a strict mathematical model, and flag any deviation from this as an attack. This is known as strict anomaly detection. Other techniques used to detect anomalies include data mining methods, grammar based methods, and Artificial Immune System.Network-based anomalous intrusion detection systems often provide a second line of defense to detect anomalous traffic at the physical and network layers after it has passed through a firewall or other security appliance on the border of a network. Host-based anomalous intrusion detection

Answer Description

syslog is a vendor neutral standard for message logging. It includes a standard format for logs as well as a network protocol for sending log data to another device. Common uses of syslog are on Unix and Linux operating systems and network devices like routers, switches and firewalls.

Wikipedia

In computing, syslog is a standard for message logging. It allows separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them. Each message is labeled with a facility code, indicating the type of system generating the message, and is assigned a severity level. Computer system designers may use syslog for system management and security auditing as well as general informational, analysis, and debugging messages. A wide variety of devices, such as printers, routers, and message receivers across many platforms use the syslog standard. This permits the consolidation of logging data from different types of systems in a central repository. Implementations of syslog exist for many operating systems. When operating over a network, syslog uses a client-server architecture where a syslog server listens for and logs messages coming from clients.

Answer Description

An Acceptable Use Policy (AUP) will outline how users can use an IT system or group of IT systems. They are generally used by businesses and organisations to ensure users are aware of what actions are acceptable and what actions could warrant administrative actions. For example an acceptable use policy could state that pirating movies using company resources is not permitted.

Wikipedia

An acceptable use policy (AUP), acceptable usage policy or fair use policy is a set of rules applied by the owner, creator or administrator of a computer network website, or service that restricts the ways in which the network, website or system may be used and sets guidelines as to how it should be used. AUP documents are written for corporations, businesses, universities, schools, internet service providers (ISPs), and website owners, often to reduce the potential for legal action that may be taken by a user, and often with little prospect of enforcement. Acceptable use policies are an integral part of the framework of information security policies; it is often common practice to ask new members of an organization to sign an AUP before they are given access to its information systems. For this reason, an AUP must be concise and clear. While at the same time covering the most important points about what users are, and are not allowed to do with the IT systems of an organization, it should refer users to the more comprehensive security policy where relevant. It should also, and very notably define what sanctions will be applied if a user breaks the AUP. Compliance with this policy should as usual, be measured by regular audits. In some cases a fair usage policy applied to a service allowing nominally unlimited use for a fixed fee simply sets a cap on what may be used. This is intended to allow normal usage but, prevent what is considered

Answer Description

When a wireless network broadcasts it includes the network name, called a Service Set Identifier (SSID). Most commonly the SSID will be a user-friendly name to help people identify which network they want to connect to (e.g. Smith WiFi, Friendly's Guest, etc.). Disabling SSID broadcast will still allow the network to be visible to nearby devices but in order to connect to the network they will need to know the SSID (as well as a password/key if configured).

Wikipedia