Its About Company Quiz

The risk of unplanned seiver outages is reduced

Using documentation provided to them, the pen-test organization can quickly determine areas to focus on.

The results will show an in-depth view of the network and should help pin-point areas of internal weakness.

The results should reflect what attackers may be able to learn about the company.

Spiral model

Incremental model

Waterfall model

Agile model

Meet the two key VPs and request a signature on the original assessment.

Include specific case studies from other organizations in an updated report.

Schedule a meeting with key human resource application stakeholders.

Craft an RFP to begin finding a new human resource application.

Cloud-based ant ivirus solut ion, running as local admin. with push technology for definition updates.

Implementation of an offsite data center hosting all company data, as well as deployment of VOi for all client computing needs.

Host based heuristic IPS, segregated on a management VLAN, with direct control of the perimeter firewall ACLs.

Behavior based IPS with a communication lank to a cloud based vulnerabthty and threat feed

TOTP

PAP

CHAP

HOTP

ISA

BIA

MOU

SOA

BPA

Update the blog page to HTTPS

Filter metacharacters

Install HIDS on the server

Patch the web application

Perform client side input validation

Implement an Acceptable Use Policy which addresses malware downloads

Deploy a network access control system with a persistent agent.

Enforce mandatory security awareness training for all employees and contractors.

Block cloud-based storage software on the company network

The data may not be in a usable format.

The new storage array is not FCoE based.

The data may need a file system check.

The new storage array also only has a single controller.

Capture process ID data and submit to anti-virus vendor for review.

Reboot the Linux servers, check running processes, and install needed patches.

Remove a single Linux server from production and place in quarantine.

Notify upper management of a security breach.

Conduct a bit level image, including RAM, of one or more of the Linux servers.

Remote access to the ERP tool introduces additional security vulnerabilities and should not be allowed .

Allow VNC access to corporate desktops from personal computers for the users working from home.

Allow terminal services access from personal computers after the CFO provides a list of the users working from home.

Work with the executive management team to revise policies before allowing any remote access.

Require each Company XYZ employee to use an IPSec connection to the required systems

Require Company XYZ employees to establish an encrypted VDI session to the required systems

Require Company ABC employees to use two-factor authentication on the required systems

Require a site-to-site VPN for intercompany communications

Interview candidates, attend training, and hire a staffing company that specializes in technology jobs

Interview employees and managers to discover the industry h ct topics and trends

Attend meetings with staff, internal training, and become certified in software management

Attend conferences, webinars, and training to remain current with the industry and job requirements

Social media is an effective solution because it is easily adaptable to new situations.

Social media is an ineffective solution because the policy may not align with the business.

Social media is an effective solution because it implements SSL encryption.

Social media is an ineffective solution because it is not primarily intended for business applications.

LUN masking

Snapshots

VSAN

Dynamic disk pools

Multipath

Deduplication

Issue a RFQ for vendors to quote a complete vulnerability and risk management solution to the company.

Issue a policy that requires only the most stringent security standards be implemented throughout the company

Issue a policy specifying best practice security standards and a baseline to be implemented across the company.

Issue a RFI for vendors to determine which set of security standards i s best for the company

SSL certificate revocation

SSL certificate pinning

Mobile device root-kit detection

Extended Validation certificates

$6,000

$24,000

$30,000

$96,000

Meet the two key VPs and request a signature on the original assessment.

Include specific case studies from other organizations in an updated report.

Schedule a meeting with key human resource application stakeholders.

Craft an RFP to begin finding a new human resource application.

$2,000

$8,000

$12,000

$32,000

Web cameras

Email

Instant messaging

BYOD

Desktop sharing

Presence

Static and dynamic analysis is run as part of integration

Security standards and training is performed as part of the project

Daily stand-up meetings are held to ensure security requirements are understood

For each major iteration penetration testing is performed

Security requirements are story boarded and make it into the build

A security design is performed at the end of the requirements phase

Automated workflow

Procedure

Corporate standard

Guideline

Policy

What are the protections against MITM?

What accountability is built into the remote support application?

What encryption standards are used in tracking database?

What snapshot or "undo" features are present in the application?

What encryption standa1ds are used in remote desktop and file transfer functionality?

$0

$7,500

$10,000

$12,500

$15,000

Deploy a branch location Read-Only Domain Controller in the DMZ at the main campus with a two-way trust.

Deploy a corporate Read-Only Domain Controller to the branch location.

Deploy a corporate Domain Controller in the DMZ at the maim campus.

Deploy a branch location Read-Only Domain Controller to the branch office location with a one-way trust.

Deploy a corporate Domain Controller to the branch location.

Deploy a branch location Domain Controller to the branch location with a one-way trust.

After the senior engineer used a network analyzer to identify an active Fraggle attack, the company's ISP should be contacted and instructed to block the malicious packets packets.

After the senior engineer used the above IPS logs to detect the ongoing DDOS attack, an IPS filter should be enabled to block the attack and restore communication.

After the senior engineer used a mirror port to capture the ongoing amplification attack. a BGP sinkhole should be configured to drop traffic at the source networks

After the senior engineer used a packet capture to identify an active Smurf attack, an ACL should be placed on the company's external router to block incoming UDP port 19 traffic.

Insider threat

Network reconnaissance

Physical security

Industrial espionage

A man-in-the-middle attack is underway on the network

An ARP flood attack is targeting at the router.

The default gateway is being spoofed on the network.

A denial of service attack is targeting at the router.

A separate physical interface placed on a private VLAN should be configured for live host operations.

Database record encryption should be used when storing sensitive information on virtual servers.

Full disk encryption should be enabled across the enterprise to ensure the confidentiality of sensitive data.

Sensitive data should be stored on a backend SAN which uses an isolated fiber channel network.

Least privilege

Job rotation

Mandatory vacation

Separation of duties

Test password complexity of all login fields and input validation of form fields

Reverse engineering any thick client software that has been provided for the test

Undertaking network-based denial of service attacks in production environment

Attempting to perform blind SOL injection and reflected cross-site scripting attacks

Running a vulnerability scanning tool to assess network and host weaknesses

Establish a list of users that must work with each regulation

Establish a list of devices that must meet each regulation

Centralize management of all devices on the network

Compartmentalize the network

Establish a company framework

Apply technical controls to meet compliance with the regulation

RAS

Vulnerability scanner

HTTP intercept

HIDS

Port scanner

Protocol analyzer

WAF

Input validation

SIEM

Sandboxing

DAM

Background checks

Job rotation

Least privilege

Employee termination procedures

L2TP VPN over TLS for remote connectivity, SAML for federated authentication, firewalls between each lab segment

SSL VPN for remote connectivity directory services groups for each lab group, ACLs on routing equipment

IPSec VPN with mutual authentication for remote connectivity , RADIUS for authentication, ACLs on network equipment

Cloud service remote access tool for remote connectivity, OAuth for authentication, ACL on routing equipment

Penetration test, perform social engineering and run a vulnerability scanner

Perform dynamic code analysis, penetration test and run a vulnerability scanner

Conduct network analysis, dynamic code analysis, and static code analysis

Run a protocol analyzer perform static code analysis and vulnerability assessment

Purchase new hardware to keep the malware isolated.

Develop a policy to outline what will be required in the secure lab

Construct a series of VMs to host the malware environment.

Create a proposal and present it to management for approval.

The user's certificate private key must be installed on the VPN concentrator.

The CA's certificate private key must be installed on the VPN concentrator.

The user certificate private key must be signed by the CA.

The VPN concentrator's certificate private key must be signed by the CA and installed on the VPN concentrator.

The VPN concentrator's certificate private key must be installed on the VPN concentrator.

The CA's certificate public key must be installed on the VPN concentrator.

Generate a one-time key as part of the device registration process.

Require SSL between the mobile application and the web services gateway.

The jsession cookie should be stored securely after authentication.

Authentication assertion should be stored securely on the client.

Online password testing

Rainbow tables attack

Dictionary attack

Brute force attack

Add a permit statement to allow traffic from 192.168.5.0/24 to the VPN network

Add a permit statement to allow traffic to 192.168.5.1 from the VPN network

IPS is blocking traffic and needs to be reconfigured

Configure the traffic shaper to limit DMZ traffic

Increase bandwidth limit on the VPN network

Linux

Windows

Solaris

OSX

Manufacturing

Legal

Sales

Quality assurance

Human resources

Discuss the issue with the software product's user groups

Consult the company's legal department on practices and law

Contact senior finance management and provide background information

Seek industry outreach for software practices and law

Sign a MOU with a marketing firm to preserve the company reputation and use in-house resources for random testing.

Sign a SPA with a small software consulting firm and use the firm to perform Black box testing and address all findings.

Sign a NDA with a large security consulting firm and use the firm to perform Grey box testing and address all findings.

Use the most qualified and senior developers on the project to perform a variety of White box testing and code reviews.

Most of company XYZ's customers are willing to accept the risks of unauthorized disclosure and access to information by outside users.

The availability requirements in SLAs with each hosted customer would have to be re-written to account for the transfer of virtual machines between physical platforms for regular maintenance.

Company XYZ could be liable for disclosure of sensitive data from one hosted customer when accessed by a malicious user who has gained access to the virtual machine of another hosted customer.

Not all of company XYZs customers require the same level of security and the administrative complexity of maintaining multiple security postures on a single hypervisor negates hardware cost savings.

Ensure the SaaS provider supports dual factor authentication.

Ensure the SaaS provider supports encrypted password transmission and storage.

Ensure the SaaS provider supports secure hash file exchange.

Ensure the SaaS provider supports role-based access control.

Ensure the SaaS provider supports directory services federation.

The ISO is evaluating the business implications of a recent telephone system failure within the BIA.

The ISO is investigating the impact of a possible downtime of the messaging system within the RA.

The ISO is calculating the budget adjustment needed to ensure audio/video system redundancy within the RFQ.

The ISO is assessing the effect of a simulated downtime involving the telecommunication system within the AAR.

Implement data analytics to try and correlate the occurrence times.

Implement a honey pot to capture traffic during the next attack.

Configure the servers for high availability to handle the addition al bandwidth.

Log all traffic coming from the competitor's public IP addresses.

XML injection

Command injection

Cross-site scripting

SQL injection

Virtualize the system and migrate it to a cloud provider.

Segment the device on its own secure network.

Install an antivirus and HIDS on the system.

Hire developers to reduce vulnerabilities in the code

Both VMs were left unsecured and an attacker was able to exploit network vulnerabilities to access each and move the data.

A stolen two factor token was used to move data from one virtual guest to another host on the same network segment.

A hypervisor server was left un-patched and an attacker was able to use a resource exhaustion attack to gain unauthorized access.

An employee with administrative access t o the virtual guests was able to dump the guest memory onto a mapped disk.

An administrative control

Dual control

Separation of duties

Least privilege

Collusion

Spiral model

Incremental model

Waterfall model

Agile model

Risk: Shared hardware caused data leakage Mitigation: Strong encryption at rest

Risk: Offsite replication Mitigation: Multi-site backups

Risk: Data loss from de-duplication Mitigation: Dynamic host bus addressing

Risk: Combined data archiving Mitigation: Two-factor administrator authentication

In the middle of the project

At the end of the project

At the inception of the project

At the time they request

Begin a chain-of-custody on for the user's communication. Next. place a legal hold on the user's email account.

Perform an e-discover using the applicable search terms. Next, back up the user's email for a future investigation.

Place a legal hold on the user's email account Next, perform e-discovery searches to collect applicable emails.

Perform a back up of the user's email account. Next, export the applicable emails that match the search terms.

The devices are being modified and settings are being overridden in production.

The patch management system is causing the devices to be noncompliant after issuing the latest patches.

The desktop applications were configured with the default username and password.

40 percent of the devices use full disk encryption.

This information can be found in global routing tables, and is valuable because backup connections typically do not have perimeter protection as strong as the primary connection.

This information can be found by calling the regional Internet registry, and is valuable because backup connections typically do not require VPN access to the network.

This information can be found by accessing telecom billing records and is valuable because backup connections typically have much lower latency than primary connections.

This information can be found by querying the network's DNS servers, and is valuable because backup DNS servers typically allow recursive queries from Internet hosts.

Memorandum of Agreement

Interconnection Security Agreement

Non-Disclosure Agreement

Operating Level Agreement

1

2

3

4

Configure a firewall with deep packet inspection that restricts traffic to the systems

Configure a separate zone for the systems and restrict access to known ports

Configure the systems to ensure only necessary applications are able to run

Configure the host firewall to ensure only the necessary applications have listening ports

Deduplication

Data snapshots

LUN masking

Storage multipaths

Implement a URL filter to block the online forum

Implement NIDS on the desktop and DMZ networks

Security awareness compliance training for all employees

Implement DLP on the desktop, email gateway, and web proxies

Review of security policies and procedures

Remove all of the post data and change the request to /login aspx from POST to GET.

Attempt to brute force all usernames and passwords using a password cracker

Remove the txtPassword post data and change alreadyLoggedln from false to true

Remove the txtUsername and txtPassword post data and toggle submit from true to false

NIPS

HSM

HIPS

NIDS

WAF

Fingerprinting

Cross-site scripting

SQL injection

Privilege escalation

Implement an IPS to block the application on the network

Implement the remote application out to the rest of the servers

Implement SSL VPN with SAML standards for federation

Implement an ACL on the firewall with NAT for remote access

Encryption of each individual partition

Encryption of the SSD at the file level

FDE of each logical volume on the SSD

FDE of the entire SSD as a single disk

Allow the sales staff to shadow the developers and engineers to see how their sales impact the deliverables.

Allow the security engineering team to do application development so they understand why rt takes so long.

Allow the application developers to attend a sales conference so they understand how business is done.

Allow the sales staff to learn application programming and security engineering so they understand the whole lifecycle.

Install GSM tracking on each product for end-to-end delivery visibility.

Implement geo-fencing to track products.

Require drivers to geo-tag documentation at each delivery location.

Equip each truck with an RFID tag for location seMces.

Jailbroken mobile device

Reconnaissance tools

Network enumerator

HTTP interceptor

Vulnerability scanner

Password cracker

Remove contact details from the domain name registrar to prevent social engineering attacks.

Test external interfaces to see how they function when they process fragmented IP packets.

Enable a honeynet to capture and facilitate future analysis of malicious attack vectors.

Filter all internal ICMP message traffic. forcing attackers to use full -blown TCP port scans against external network interfaces

Implementing federated network access with the third party.

Using a HSM at the network perimeter to handle network device access.

Using a VPN concentrator which supports dual factor via hardware tokens.

Implementing 802.1x with EAP-TTLS across the infrastructure.

The devices use EUl-64 format

The routers implement NDP

The network implements 6to4 tunneling

The router IPv6 advertisement has been disabled

The administrator must disable IPv6 tunneling

The administrator must disable the mobile IPv6 router flag

The administrator must disable the IPv6 privacy extensions

The administrator must disable OHCPv6 option code 1

Require cloud storage on corporate servers and disable access upon termination

Whitelist access to only non-confidential information

Utilize an MDM solution with containerization

Require that devices not have local storage

Notify senior management, secure the scene, capture volatile storage, capture non-volatile storage, implement chain of custody, and analyze original media.

Take inventory, secure the scene, capture RAM, capture hard drive, implement chain of custody, document, and analyze the data.

Implement chain of custody, take inventory, secure the scene, capture volatile and non-volatile storage, and document the findings.

Secure the scene, take inventory, capture volatile storage, capture non-volatile storage, document, and implement chain of custody.

Source code vulnerability scanning

Time-based access control lists

ISP to ISP network jitter

File-size validation

End to end network encryption

BPA

BIA

MOU

OLA

Cloud-based antivirus solution, running as local admin, with push technology for definition updates.

Implementation of an offsite data center hosting all company data, as well as deployment of VDI for all client computing needs.

Host based heuristic IPS, segregated on a management VLAN, with direct control of the perimeter firewall ACLs.

Behavior based IPS with a communication link to a cloud based vulnerability and threat feed.

The web server iSCSI initiator was down.

The web server was not multipathed.

The SAN snapshots were not up-to-date.

The SAN replication to the backup site failed.

A public laaS

A public PaaS

A public SaaS

A private SaaS

A private laaS

A private PaaS

LDAP/S

SAML

NTLM

OAUTH

Kerberos

Geographical regulation issues, loss of intellectual property and interoperability agreement issues

Improper handling of client data, interoperability agreement issues and regulatory issues

Cultural differences, increased cost of doing business and divestiture issues

Improper handling of customer data, loss of intellectual property and reputation damage

Spending on SCADA protections should stay steady; application control spending should increase substantially and spending on PC boot loader controls should increase substantially.

Spending on SCADA security controls should stay steady; application control spending should decrease slightly and spending on PC boot loader protections should increase substantially.

Spending all controls should increase by 15% to start: spending on application controls should be suspended, and PC boot loader protection research should increase by 100%.

Spending on SCADA security controls should increase by 15%; application control spending should increase slightly, and spending on PC boot loader protections should remain steady

Agile and Waterfall approaches have the same effective level of security posture. They both need similar amounts of security effort at the same phases of development.

Agile development is fundamentally less secure than Waterfall due to the lack of formal up- front design and inability to perform security reviews.

Agile development is more secure than Waterfall as it is a more modern methodology which has the advantage of having been able to incorporate security best practices of recent years.

Agile development has different phases and timings compared to Waterfall. Security activities need to be adapted and performed within relevant Agile phases.

The corporate network is the only network that is audited by regulators and customers.

The aggregation of employees on a corporate network makes it a more valuable target for attackers.

Home networks are unknown to attackers and less likely to be targeted directly.

Employees are more likely to be using personal computers for general web browsing when they are at home.

SAN

NAS

Virtual SAN

Virtual storage

Removable media

Passwords written on scrap paper

Snapshots of data on the monitor

Documents on the printer

Volatile system memory

System hard drive

Deploy custom HIPS signatures to detect and block the attacks.

Validate and deploy the appropriate patch.

Run the application in terminal services to reduce the threat landscape.

Deploy custom NIPS signatures to detect and block the attacks.

Offload some data processing to a public cloud

Aligning their client intake with the resources available

Using a community cloud with adequate controls

Outsourcing the service to a third party cloud provider

Code review

Penetration testing

Grey box testing

Code signing

White box testing

The CFO is at fault because they are responsible for patching the systems and have already been given patch management and SOE hardening products.

The audit findings are invalid because remedial steps have already been applied to patch servers and the remediation takes time to complete.

The CISO has not selected the correct controls and the audit findings should be assigned to them instead of the CFO.

Security controls are generally never 100% effective and gaps should be explained to stakeholders and managed accordingly.

Use PAP for secondary authentication on each RADIUS seiver

Disable unused EAP methods on each RADIUS seiver

Enforce TLS connections between RADIUS servers

Use a shared secret for each pair of RADIUS seivers

GRC

IPS

CMDB

Syslog-ng

IDS

The tool could show that input validation was only enabled on the client side

The tool could enumerate backend SQL database table and column names

The tool could force HTTP methods such as DELETE that the server has denied

The tool could fuzz the application to determin: where memory leaks occur

Virtualize the web servers locally to add capacity during registration

Move the database servers to an elastic private cloud while keeping the web servers local.

Move the database servers and web servers to an elastic private cloud

Move the web servers to an elastic public cloud while keeping the database servers local.

Use OpenlD and allow a third party to authenticate users.

Use TLS with a shared client certificate for all users.

Use SAML with federated directory services.

Use Kerberos and browsers that support SAML.

Determining how to install HIPS across all server platforms to prevent future incidents

Preventing the ransomware from reinfecting the server upon restore

Validating the integrity of the deduplicated data

Restoring the data will be difficult without the application configuration

Perform penetration testing over the HR solution to identify technical vulnerabilities

Perform a security risk assessment with recommended solutions to close off high-rated risks

Secure code review of the HR solution to identify security gaps that could be exploited

Perform access control testing to ensure that privileges have been configured correctly

Determine if the information security standards have been complied with by the project

Ensure web services hosting the event use TCP cookies and deny_hosts.

Configure an intrusion prevention system that blocks IPs after detecting too many incomplete sessions.

Contract and configure scrubbing services with third-party DDoS mitigation providers.

Purchase additional bandwidth from the company's Internet service provider.

Survey threat feeds from services inside the same industry.

Purchase multiple threat feeds to ensure diversity and implement blocks for malicious traffic.

Conduct an internal audit against industry best practices to perform a qualitative analysis.

Deploy a UTM solution that receives frequent updates from a trusted industry vendor.

Block traffic from the ISP's networks destined for blacklisted IPs.

Prevent the ISP's customers from querying DNS servers other than those hosted by the ISP.

Scan the ISP's customer networks using an up-to-date vulnerability scanner.

Notify customers when services they run are involved in an attack.

Block traffic with an IP source not allocated to customers from exiting the ISP's network.

Commercially available software packages are typically well known and widely available. Information concerning vulnerabilities and viable attack patterns are never revealed by the developer to avoid lawsuits.

Commercially available software packages are often widely available. Information concerning vulnerabilities is often kept internal to the company that developed the software.

Commercially available software packages are not widespread and are only available in limited areas. Information concerning vulnerabilities is often ignored by business managers.

Commercially available software packages are well known and widely available Information concerning vulnerabilities and viable attack patterns are always shared within the IT community.

Business or technical justification for not implementing the requirements.

Risks associated with the inability to implement the requirements.

Industry best practices with respect to the technical implementation of the current controls.

All sections of the policy that may justify non-implementation of the requirements.

A revised DRP and COOP plan to the exception form.

Internal procedures that may justify a budget submission to implement the new requirement.

Current and planned controls to mitigate the risks.

Review settings in the SELinux configuration files

Reset root permissions on systemd files

Perform all administrative actions while logged in as root

Disable any firewall software before making changes

Develop an information classification scheme that will properly secure data on corporate systems.

Implement database views and constrained interfaces so remote users will be unable to access Pll from personal equipment.

Publish a policy that addresses the security requirements for working remotely with company equipment.

Work with mid-level managers to identify and document the proper procedures for telecommuting.

SAML

WAYF

LDAP

RADIUS

Shibboleth

PKI

Review the flow data against each server's baseline communications profile.

Configure the server logs to collect unusual activity including failed logins and restarted services.

Correlate data loss prevention logs for anomalous communications from the server.

Setup a packet capture on the firewall to collect all of the server communications.

The malware file's modify, access, change time properties.

The timeline analysis of the file system.

The time stamp of the malware in the swap file.

The date/time stamp of the malware detection in the antivirus logs.

Establish the security control baseline

Build the application according to software development security standards

Review the results of user acceptance testing

Consult with the stakeholders to determine which standards can be omitted

The companies should federate, with the parent becoming the SP, and the subsidiaries becoming an ldP

The companies should federate, with the parent becoming the ldP, and the subsidiaries becoming an SSP.

The companies should federate, with the parent becoming the ldP, and the subsidiaries becoming an SP

The companies should federate, with the parent becoming the ASP, and the subsidiaries becoming an ldP.

Passive banner grabbing

Password cracker

Http://www.company.org/documents_privateflndex.php? search=string#&topic=windows&tcp=packet %20capture&cookie=wokdjwalkj

443/tcp open http

Dig host.company.com

09:18:16.262743 IP (tos OxO, ttl 64, id 9870, offset 0, flags I none], proto TCP (6), length 40) 192.168.1.3.1051 > 10.46.3.7.80: Flags [none], cksum Ox1800 (correct), win 512, length 0

Nmap

Log 1

Log 2

Log 3

Log 4

Buffer overflow

ACL

XSS

SQL inject ion

Integer overflow

Click-jacking

Race condition

SQL injection

Use after free

Input validation

OLA

BPA

SLA

SOA

MOU

Isolate the system on a secure network to limit its contact with other systems

Implement an application layer firewall to protect the payroll system interface

Monitor the system's security log for unauthorized access to the payroll application

Perform reconciliation of all payroll transactions on a daily basis

-45 percent

5.5 percent

45 percent

82 percent

The three companies should agree on a single SSID and configure a hierarchical RADIUS system which implements trust delegation.

The three companies should implement federated authentication through Shibboleth connected to an LDAP backend and agree on a single SSID.

The three companies should implement a central portal-based single sign-on and agree to use the same CA when issuing client certificates.

All three companies should use the same wireless vendor to facilitate the use of a shared cloud based wireless controller.

The risk of unplanned server outages is reduced.

Using documentation provided to them. the pen-test organization can quickly determine areas to focus on.

The results will show an in-depth view of the network and should help pin-point areas of internal weakness.

The results should reflect what attackers may be able to learn about the company.

Key= NULL ; for (int i=O; i

Password= NULL ; for (int i=O; i

Password= password + sha(password+salt) + aes256(password+salt)

Key= aes128(sha256(password), password))

Back office database

Asset tracking

Geo-fencing

Barcode scanner

Subjective and based on an individual's experience.

Requires a high degree of upfront work to gather environment details.

Difficult to differentiate between high, medium, and low risks.

Allows for cost and benefit analysis.

Calculations can be extremely complex to manage.

Ensure hypervisor layer firewalling between all VM hosts regardless of security zone.

Maintain a separate virtual switch for each security zone and ensure VM hosts bind to only the correct virtual NIC(s).

Organize VM hosts into containers based on security zone and restrict access using an ACL.

Require multi-factor authentication when accessing the console at the physical VM host.

Synchronous copy of data

RAID configuration

Data de-duplication

Storage pool space allocation

Port scanning

LUN masking/mapping

Port mapping

Input validation

SQL injection

TOCTOU

Session hijacking

Targets use CHAP authentication

IPSec using AH with PKI certificates for authentication

Fiber channel should be used with AES

Initiators and targets use CHAP authentication

Fiber channel over Ethernet should be used

IPSec using AH with PSK authentication and 3DES

Targets have SCSI IDs for authentication

RDP server

Client-based VPN

IPSec

Jump box

SSL VPN

Add guests with more memory to increase capacity of the infrastructure.

A backup is running on the thin clients at 9am every morning.

Install more memory in the thin clients to handle the increased load while booting.

Booting all the lab desktops at the same time is creating excessive I/0.

Install 10-Gb uplinks between the hosts and the lab to increase network capacity.

Install faster SSD drives in the storage system used in the infrastructure.

The lab desktops are saturating the network while booting.

The lab desktops are using more memory than is available to the host systems.

Physical penetration test of the datacenter to ensure there are appropriate controls.

Penetration testing of the solution to ensure that the customer data is well protected.

Security clauses are implemented into the contract such as the right to audit.

Review of the organizations security policies, procedures and relevant hosting certifications.

Code review of the solution to ensure that there are no back doors located in the software.

Update company policies and procedures

Subscribe to security mailing lists

Lmplement security awareness training

Ensure that the organization vulnerability management plan is up-to-date

Create a separate SSID and require the use of dynamic encryption keys.

Create a separate SSID with a pre-shared key to support the legacy clients and rotate the key at random intervals

Create a separate SSID and pre-shared WPA2 key on a new network segment and only allow required communication paths.

Create a separate SSID and require the legacy clients to connect to the wireless network using certificate-based 802 1x

Level 1: Requirements 1 and 4, Level 2. Requirements 2, 3, and 5

Level 1: Requirements 1 and 4, Level 2. Requirements 2 and 3 under 1, Requirement 5 under

Level 1: Requirements 1 and 4, Level 2. Requirement 2under1, Requirement 5 under 4; Level 3: Requirement 3 under 2

Level 1: Requirements 1, 2, and 3; Level 2: Requirements 4 and 5

Implement hashing of data in transit

Session recording and capture

Disable cross session cut and paste

Monitor approved credit accounts

User access audit reviews

Source IP whitelisting

Establish a policy that only allows filesystem encryption and disallows the use of individual file encryption

Require each user to log passwords used for file encryption to a decentralized repository

Permit users to only encrypt individual files using their domain password and archive all old user passwords.

Allow encryption only by tools that use public keys from the existing escrowed corporate PKI

The age variable stored the large number and filled up disk space which stopped the application from continuing to function. Improper error handling prevented the application from recovering.

The age variable has had an integer overflow and was assigned a very small negative number which led to unpredictable application behavior. Improper error handling prevented the application from recovering.

Computers are able to store numbers well above "billions" in size. Therefore, the website issues are not related to the large number being input.

The application has crashed because a very large integer has lead to a "divide by zero". Improper error handling prevented the application from recovering.

Client side input validation

Stored procedure

Encrypting credit card details

Regular expression matching

Secure storage and transmission of API keys

Secure protocols for transmission of log files and search results

At least two years retention of log files in case of e-discovery requests

Multi-tenancy with RBAC support

Sanitizing filters to prevent upload of sensitive log file contents

Encryption of logical volumes on which the customers' log files reside

Perform unit testing of the binary code

Perform code review over a sampling of the front end source code

Perform black box penetration testing over the solution

Perform grey box penetration testing over the solution

Perform static code review over the front end source code

Deploying a radio frequency identification tagging asset management system

Designing a business resource monitoring system

Hiring a property custodian

Purchasing software asset management software

Facility management participation on a change control board

Rewriting the change board charter

Implementation of change management best practices

Check log files for logins from unauthorized IPs.

Check /proc/kmem for fragmented memory segments.

Check for unencrypted passwords in /etc/shadow.

Check timestamps for files modified around time of compromise.

Use lsof to determine files with future timestamps.

Use gpg to encrypt compromised data files.

Verify the MD5 checksum of system binaries.

Use vmstat to look for excessive disk I/0 .

Privacy could be compromised as patient records can be viewed in uncontrolled areas.

Device encryption has not been enabled and will result in a greater likelihood of data loss.

The guest WiFi may be exploited allowing non-authorized individuals access to confidential patient data

Malware may be on BYOD devices which can extract data via key logging and screen scrapes.

Remote wiping of devices should be enabled to ensure any lost device is rendered inoperable.

Deploy new perimeter firewalls at all stores with UTM functionality.

Change antivirus vendors at the store and the corporate office.

Move to a VDI solution that runs offsite from the same data center that hosts the new POS solution.

Deploy a proxy server with content filtering at the corporate office and route all traffic through it.

PING

NESSUS

NSLOOKUP

NMAP

Code review

Sandbox

Local proxy

Fuzzer

Port scanner

Establish a cloud-based authentication service that supports SAML.

Lmplement a new Diameter authentication server with read-only attestation.

Install a read-only Active Directory server in the corporate DMZ for federation.

Allow external connections to the existing corporate RADIUS server.

Missing input validation on some fields

Vulnerable to SQL injection

Sensitive details communicated in clear-text

Vulnerable to XSS

Vulnerable to malware file uploads

JSON/REST is not as secure as XML

Race condition

Click-jacking

Integer overflow

Use after free

SQL injection

The newly implemented security controls are in place to ensure that NFS encryption can only be controlled by the root user.

Removing the no_root_squash directive grants the root user remote NFS read/write access to important files owned by root on the NAS.

Users with root access on remote NFS client computers can always use the SU command to modify other user's files on the NAS.

Adding the nosuid directive disables regular users from accessing files owned by the root user over NFS even after using the SU command.

Investigate the network traffic and block UDP port 3544 at the firewall

Remove the system from the network and cisable IPv6 at the router

Locate and remove the unauthorized 6to4 relay from the network

Disable the switch port and block the 2001::/32 traffic at the firewall

HIPS

UTM

Antivirus

NIPS

DLP

Contact the local authorities so an investigation can be started as quickly as possible.

Shut down the production network interfaces on the server and change all of the DBMS account passwords.

Disable the front-end web server and notify the customer by email to determine how the customer would like to proceed.

Refer the issue to management for handling according to the incident response process.

Perform a penetration test for the current state of the company. Perform another penetration test after the de-merger. Identify the gaps between the two tests

Duplicate security-based assets should be sold off for commercial gain to ensure that the security posture of the company does not decline.

Explain that security consultants are not trained to offer advice on company acquisitions or demergers This needs to be handled by legal representatives well versed in corporate law.

Identify the current state from a security viewpoint Based on the demerger, assess what the security gaps will be from a physical, technical, DR and policy/awareness perspective.

Avoid

Accept

Mitigate

Transfer

SMB

NFS

FCoE

ISCSI

File system information, swap files, network processes, system processes and raw disk blocks.

Raw disk blocks, network processes, system processes, swap files and file system information.

System processes, network processes, file system information, swap files and raw disk blocks.

Raw disk blocks, swap files, network processes, system processes, and file system information.

SIM's PIN

Remote wiping

Chargeback system

MDM software

Presence software

Email profiles

Ldentity attestation

GPS tracking

$60,000

$100,000

$140.000

$200,000

Implement change control practices at the organization level.

Adjust the firewall ACL to prohibit development from directly accessing the production server farm.

Update the vulnerability management plan to address data discrepancy issues.

Change development methodology from strict waterfall to agile

One time pads

PKI

Quantum cryptography

Digital rights management

An authorized administrator has logged into the root account remotely.

The administrator should disable remote root logins.

Isolate the system immediately and begin forensic analysis on the host.

A remote attacker has compromised the root account using a buffer overflow in sshd.

A remote attacker has guessed the root password using a dictionary attack.

Use iptables to immediately DROP connections from the IP 198.51.100.23.

A remote attacker has compromised the private key of the root account.

Change the root password immediately to a password not found in a dictionary.

Single sign-on

Identity propagation

Remote attestation

Secure code review

Software-based root of trust

Continuous chain of trust

Chain of trust with a hardware root of trust

Software-based trust anchor with no root of trust

Use the pass the hash technique

Use rainbow tables to crack the passwords

Use the existing access to change the password

Use social engineering to obtain the actual password

Use fuzzing techniques to examine application inputs

Run nmap to attach to application memory

Use a packet analyzer to inspect the strings

Initiate a core dump of the application

Use an HTTP interceptor to capture the text strings

Insecure direct object references, CSRF, Smurf

Privilege escalation, Application DoS, Buffer overflow

SQL injection, Resource exhaustion, Privilege escalation

CSRF, Fault injection, Memory leaks

Install IDS/IPS systems on the network

Force all SIP communication to be encrypted

Create separate VLANs for voice and data traffic

Implement QoS parameters on the switches

Residual Risk calculation

A cost/benefit analysis

Quantitative Risk Analysis

Qualitative Risk Analysis

Access control lists

SELinux

IPtables firewall

HIPS

First quote

Second quote

Third quote

Accept the risk

VTPM

HSM

TPM

INE

/etc/passwd

/etc/shadow

/etc/security

/etc/password

/sbin/logon

/bin/bash

92 24 percent

98.06 percent

98 34 percent

99.72 percent

Research new technology vendors to look for potential products. Contribute to an RFP and then evaluate RFP responses lo ensure that the vendor product meets all mandatory requirements. Test the product and make a product recommendation.

Evaluate relevant RFC and ISO standards to choose an appropriate vendor product. Research industry surveys, interview existing customers of the product and then recommend that the product be purchased.

Consider outsourcing the product evaluation and ongoing management to an outsourced provider on the basis that each of the requirements are met and a lower total cost of ownership (TCO) is achieved.

Choose a popular NIPS product and then consider outsourcing the ongoing device management to a cloud provider. Give access to internal security employees so that they can inspect the application payload data.

Ensure that the NIPS platform can also deal with recent technological advancements, such as threats emerging from social media, BYOD and cloud storage prior to purchasing the product.

Use AES in Electronic Codebook mode

Use RC4 in Cipher Block Chaining mode

Use RC4 with Fixed IV generation

Use AES with cipher text padding

Use RC4 with a nonce generated IV

Use AES in Counter mode

Refuse LM and only accept NTLM-12

Accept only LM

Refuse NTLMv2 and accept LM

Accept only NTLM

-$30,000

$120,000

$150,000

$180,000

Provide free email software for personal devices.

Encrypt data in transit for remote access.

Require smart card authentication for all devices.

Implement NAC to limit insecure devices access.

Enable time of day restrictions for personal devices.

Identify the origination point for malicious activity on the unauthorized mail server.

Block port 25 on the firewall for all unauthorized mail servers.

Disable open relay functionality.

Shut down the SMTP service on the unauthorized mail server.

Enable STARffiS on the spam filter.

Availability

Authentication

Integrity

Confidentiality

Encryption

The X509 V3 certificate was issued by a non trusted public CA.

The client-server handshake could not negotiate strong ciphers.

The client-server handshake is configured with a wrong priority.

The client-server handshake is based on TLS authentication.

The X509 V3 certificate is expired.

The client-server implements client-server mutual authentication with different certificates.

Privilege escalation

Brute force attack

SQL injection

Cross-site scripting

Using input validation, ensure the following characters are sanitized:

Update crontab with: find /\( -perm -4000 \) type f print() I xargs -0 Is l | email.sh

Implement the following PHP directive: $clean_user_input = addslashes($user_input)

Set an account lockout policy

During asset disposal

While reviewing the risk assessment

While deploying new assets

Before asset repurposing

After the media has been disposed of

During the data classification process

When installing new printers

When media fails or is unusable

Memorandum of Understanding

Information System Security Agreement

Interconnection Security Agreement

Interoperability Agreement

Operating Level Agreement

Agile

Waterfall

Scrum

Spiral

They should logon to the system using the username concatenated with the 6-digit code and their original password.

They should logon to the system using the newly assigned global username: first.lastname#### where#### is the second factor code.

They should use the username format: LAN\first.lastname together with their original password and the next 6-digit code displayed when the token button is depressed.

They should use the username format: [email protected], together with a password and their 6-digit code.

Facilities management

Human resources

Research and development

Programming

Data center operations

Marketing

Information technology

Managed security service

Memorandum of understanding

Quality of service

Network service provider

Operating level agreement

The security administrator is concerned with nonprintable characters being used to gain administrative access, and the developer should strip all nonprintable characters.

The security administrator is concerned with XSS and the developer should normalize Unicode characters on the browser side.

The security administrator is concerned with SQL injection, and the developer should implement server side input validation.

The security administrator is concerned that someone may log on as the administrator, and the developer should ensure strong passwords are enforced.

NDA

RFI

RFP

RFQ

HIGH, MEDIUM, LOW

MEDIUM, MEDIUM, LOW

HIGH, HIGH. HIGH

MEDIUM, MEDIUM, MEDIUM

Retrieve source system image from backup and run file comparison analysis on the two images.

Parse all images to determine if extra data is hidden using steganography.

Calculate a new hash and compare it with the previously captured image hash.

Ask desktop support if any changes to the images were made.

Check key system files to see if date/time stamp is in the past six months.

The transport layer between the RADIUS servers should be secured

WPA Enterprise should be used to decrease the network overhead

The RADIUS servers should have local accounts for the visiting students

Students should be given certificates to use for authentication to the network

Lower the SLA to a more tolerable level and perform a risk assessment to see if the solution could be met by another solution. Reuse the firewall infrastructure on other projects.

Perform a cost benefit analysis and implement the solution as it stands as long as the risks are understood by the business owners around the availability issues. Decrease the current SLA expectations to match the new solution.

Engage internal auditors to perform a review of the project to determine why and how the project did not meet the security requirements. As part of the review ask them to review the control effectiveness.

Review to determine if control effectiveness is in line with the complexity of the solution. Determine if the requirements can be met with a simpler solution.

The company's IDS signatures were not updated.

The company's custom code was not patched.

The patch caused the system to revert to http.

The software patch was not cryptographically signed.

The wrong version of the patch was used.

Third-party plug-ins were not patched.

Compliance standards

User requirements

Data elements

Data storage

Acceptance testing

Information digest

System requirements

Replicate NAS changes to the tape backups at the other datacenter.

Ensure each seiver has two HBAs connected through two routes to the NAS.

Establish deduplication across diverse storage paths.

Establish a SAN that replicates between datacenters.

Aggressive patch management on the host and guest OSs.

Host based IDS sensors on all guest OSs.

Different antivirus solutions between the host and guest OSs.

Unique Network Interface Card (NIC) assignment per guest OS.

Revise the corporate policy to include possible termination as a result of violations

Increase the frequency and distribution of the USB violations report

Deploy PKI to add non-repudiation to login sessions so offenders cannot deny the offense

Lmplement group policy objects

$4,800

$24,000

$96,000

$120,000

Create a custom standard to define the data

Use well formed standard compliant XML and strict schemas

Only document the data format in the parsing application code.

Implement a de facto corporate standard for all analyzed data.

Annual Loss Expectancy (ALE) x Value of Asset

Potential Loss x Event Probability x Control Failure Probability

Impact x Threat x Vulnerability

Risk Likelihood x Annual Loss Expectancy (ALE)

Agile

SDL

Waterfall

Joint application development

Deploy inline network encryption devices

Install an SSL acceleration appliance

Require all core business applications to use encryption

Add an encryption module to the router and configure IPSec

Assess the reliability of the information source, likelihood of exploitability, and impact to hosted data. Attempt to exploit via the proof-of-concept code. Consider remediation options.

Hire an independent security consulting agency to perform a penetration test of the web servers. Advise management of any 'high' or 'critical' penetration test findings and put forward recommendations for mitigation.

Review vulnerability write-ups posted on the Internet. Respond to management with a recommendation to wait until the news has been independently verified by software vendors providing the web application software.

Notify all customers about the threat to their hosted data. Bring the web servers down into "maintenance mode" until the vulnerability can be reliably mitigated through a vendor patch.

A full-system backup should be implemented to a third-party provider with strong encryption for data in transit.

A DLP gateway should be installed at the company border.

Strong authentication should be implemented via external biometric devices.

Full-tunnel VPN should be required for all network communication.

Full-drive file hashing should be implemented with hashes stored on separate storage.

Split-tunnel VPN should be enforced when transferring sensitive data.

Guest users could present a risk to the integrity of the company's information

Authenticated users could sponsor guest access that was previously approved by management

Unauthenticated users could present a risk to the confidentiality of the company's information

Meeting owners could sponsor guest access if they have passed a background check

BGP route hijacking attacks

Bogan IP network traffic

IP spoofing attacks

Man-in-the-middle attacks

Amplified DDoS attacks

Group policy to limit web access

Restrict VPN access for all mobile users

Remove full-disk encryption

Remove administrative access to local users

Restrict/disable TELNET access to network resources

Perform vulnerability scanning on a daily basis

Restrict/disable USB access

The company should develop an in-house solution and keep the algorithm a secret.

The company should use the CEO's encryption scheme.

The company should use a mixture of both systems to meet minimum standards.

The company should use the method recommended by other respected information security organizations.

Install a HIPS on the SIP servers

Configure 802.1X on the network

Update the corporate firewall to block attacking addresses

Configure 802.11 e on the network

Configure 802.1 q on the network

Company A must install an SSL tunneling software on the financial system.

Company /\s security administrator should use an HTTPS capable browser to transfer the data.

Company A should use a dedicated MPLS circuit to transfer !he sensitive data to company B.

Company A and B must create a site-to-site IPSec VPN on their respective firewalls.

A dual firewall DMZ with remote logging where each firewall is managed by a separate administrator.

A single firewall DMZ where each firewall interface is managed by a separate administrator and logging to the cloud.

A SaaS based firewall which logs to the company's local storage via SSL, and is managed by the change control team.

A virtualized firewall, where each virtual instance is managed by a separate administrator and logging to the same hardware.

Provide a report of all the IP addresses that are connecting to the systems and their locations

Establish alerts at a certain threshold to notify the analyst of high activity

Provide a report showing the file transfer logs of the servers

Compare the current activity to the baseline of normal activity

Demonstration of IPS system

Review vendor selection process

Calculate the ALE for the event

Discussion of event timeline

Assigning of follow up items

Based on cost alone, having an outsourced solution appears cheaper.

Based on cost alone, having an outsourced solution appears to be more expensive.

Based on cost alone, both outsourced an in-sourced solutions appear to be the same.

Based on cost alone, having a purchased product solution appears cheaper.

Establish a risk matrix

Inherit the risk for six months

Provide a business justification to avoid the risk

Provide a business justification for a risk exception

Apply a hidden field that triggers a SIEM alert

Cross site scripting attack

Resource exhaustion attack

Input a blacklist of all known BOT malware IPs into the firewall

SQL injection

Lmplement an inline WAF and integrate into SIEM

Distributed denial of service

Lmplement firewall rules to block the attacking IP addresses

Remove local admin permissions from all users and change anti-virus to a cloud aware, push technology.

Implement an application whitelist at all levels of the organization.

Deploy a network based heuristic IDS, configure all layer 3 switches to feed data to the IDS for more effective monitoring.

Update router configuration to pass all network traffic through a new proxy server with advanced malware detection.

Independent verification and validation

Security test and evaluation

Risk assessment

Ongoing authorization

0

1

3

6

Enable multipath to increase availability

Enable deduplication on the storage pools

Lmplement snapshots to reduce virtual disk size

Lmplement replication to offsite datacenter

The external party providing the hosting and website development should be obligated under contract to provide a secure service which is regularly tested (vulnerability and penetration). SLAs should be in place for the resolution of newly identified vulnerabilities and a guaranteed uptime.

The use of external organizations to provide hosting and web development services is not recommended as the costs are typically higher than what can be achieved internally. In addition, compliance with privacy regulations becomes more complex and guaranteed uptimes are difficult to track and measure.

Outsourcing transfers all the risk to the third party. An SLA should be in place for the resolution of newly identified vulnerabilities and penetration I vulnerability testing should be conducted regularly.

Outsourcing transfers the risk to the third party, thereby minimizing the cost and any legal obligations. An MOU should be in place for the resolution of newly identified vulnerabilities and penetration / vulnerability testing should be conducted regularly.

A partition-based software encryption product with a low-level boot protection and authentication

A container-based encryption product that allows the end users to select which files to encrypt

A full-disk hardware-based encryption product with a low-level boot protection and authentication

A file-based encryption product using profiles to target areas on the file system to encrypt

The binary files used by the application have been modified by malware.

The application is unable to perform remote attestation due to blocked ports.

The restored image backup was encrypted with the wrong key.

The hash key summary of hardware and installed software no longer match.

During the Identification Phase

During the Lessons Learned phase

During the Containment Phase

During the Preparation Phase

Review switch and router configurations

Review the security policies and standards

Perform a network penetration test

Review the firewall rule set and IPS logs

Static code analysis

Memory dumping

Manual code review

Application sandboxing

Penetration testing

Black box testing

The company should mitigate the risk.

The company should transfer the risk.

The company should avoid the risk.

The company should accept the risk.

A review of the mitigations implemented from the most recent audit findings of the smaller company should be performed.

An ROI calculation should be performed to determine which company's application should be used.

A security assessment should be performed to establish the risks of integration or co-existence.

A regression test should be performed on the in-house software to determine security risks associated with the software.

Intermediate Root Certificate

Wildcard Certificate

EV x509 Certificate

Subject Alternative Names Certificate

Accept the risk in order to keep the system within the company's standard security configuration.

Explain the risks to the data owner and aid in the decision to accept the risk versus choosing a nonstandard solution.

Secure the data despite the need to use a security control or solution that is not within company standards.

Do not allow the connection to be made to avoid unnecessary risk and avoid deviating from the standard security configuration.

Asset management

IT governance

Change management

Transference of risk

Increase the frequency of antivirus downloads and install updates to all workstations.

Deploy a cloud-based content filter and enable the appropriate category to prevent further infections.

Deploy a WAF to inspect and block all web traffic which may contain malware and exploits.

Deploy a web based gateway antivirus server to intercept viruses before they enter the network.