Wednesday, August 12, 2015

ISM unit 5 question bank answers 127-131

QUESTION NUMBER 127-131

127. What are the control objectives of ISO 17799 standard?

ISO 17799 is an information security code of practice. It includes a number of sections, covering a wide range of security issues. Very broadly, the objectives of these sections are as follows:

1. Risk Assessment and Treatment
This section was an addition to the latest version, and deals with the fundamentals of security risk analysis.

2. System Policy
Objective: To provide management direction and support for information security

3. Organizing Information Security
Objectives:
a) To manage information security within the organization
b) Maintain the security of information and processing facilities with respect to external parties.

4. Asset Management
Objectives:
a) Achieve and maintain appropriate protection of organizational assets.
b) Ensure that information receives an appropriate level of protection.

5. Human Resources Security
Objectives:
a) Ensure that employees, contractors and third parties are suitable for the jobs they are considered for, understand their responsibilities, and to reduce the risk of abuse (theft, misuse, etc.).
b) Ensure that the above are aware of IS threats and their responsibilities, and able to support the organization's security policies
c) Ensure that the above exit the organization in an orderly and controlled manner.

6. Physical and Environmental Security
Objectives:
a) Prevent unauthorized physical access, interference and damage to the organization's information and premises.
b) Prevent loss, theft and damage of assets
c) Prevent interruption to the organization's activities.

7. Communications and Operations Management
Objectives:
a) Ensure the secure operation of information processing facilities
b) Maintain the appropriate level of information security and service delivery, aligned with 3rd party agreements
c) Minimize the risk of systems failures
d) Protect the integrity of information and software
e) Maintain the availability and integrity of information and processing facilities
f) Ensure the protection of information in networks and of the supporting infrastructure
g) Prevent unauthorized disclosure, modification, removal or destruction of assets.
h) Prevent unauthorized disruption of business activities.
i) Maintain the security of information and/or software exchanged internally and externally.
j) Ensure the security of e-commerce services
k) Detect unauthorized information processing activities

8. Access Control
Objectives:
a) Control access to information
b) Ensure authorized user access
c) Prevent unauthorized access to information systems
d) Prevent unauthorized user access and compromise of information and processing facilities
e) Prevent unauthorized access to networked services
f) Prevent unauthorized access to operating systems
g) Prevent unauthorized access to information within application systems
h) Ensure information security with respect to mobile computing and teleworking facilities

9. Information Systems Acquisition, Development and Maintenance
Objectives:
a) Ensure that security is an integral part of information systems
b) Prevent loss, errors or unauthorized modification/use of information within applications
c) Protect the confidentiality, integrity or authenticity of information via cryptography
d) Ensure the security of system files
e) Maintain the security of application system information and software
f) Reduce/manage risks resulting from exploitation of published vulnerabilities

10. Information Security Incident Management
Objectives:
a) Ensure that security information is communicated in a manner allowing corrective action to be taken in a timely fashion
b) Ensure a consistent and effective approach is applied to the management of IS issues

11. Business Continuity Management
Objectives:
a) Counteract interruptions to business activities and protect critical processes from the effects of major failures/disasters
b) Ensure timely resumption of the above

12. Compliance
Objectives:
a) Avoid the breach of any law, regulatory or contractual obligation and of any security requirement.
b) Ensure systems comply with internal security policies/standards
c) Maximize the effectiveness of and minimize associated interference from and to the systems audit process


128. What is the functionality of NMAP tool?

Nmap (Network Mapper) is a security scanner originally written by Gordon Lyon (also known by his pseudonym Fyodor Vaskovich) used to discover hosts and services on a computer network, thus creating a "map" of the network. To accomplish its goal, Nmap sends specially crafted packets to the target host and then analyzes the responses.

The software provides a number of features for probing computer networks, including host discovery and service and operating system detection. These features are extensible by scripts that provide more advanced service detection, vulnerability detection,[2] and other features. Nmap is also capable of adapting to network conditions including latency and congestion during a scan. Nmap is under development and refinement by its user community.

Nmap was originally a Linux-only utility, but it was ported to Microsoft Windows, Solaris, HP-UX, BSD variants (including Mac OS X), AmigaOS, and SGI IRIX.[4] Linux is the most popular platform, followed closely by Windows.

Given an IP address, nmap will identify the open "doors", or ports, that are reachable on that remote device. The real power of nmap lies in the large number of scanning techniques and options available. Each scan can be tuned to be as obvious or as quiet as desired, and some scan types can make the traffic appear to come from a different computer, or from several decoy hosts on the network.

Nmap is a very powerful utility that can be used to:

  • Detect live hosts on the network (host discovery)
  • Detect open ports on a host (port discovery or enumeration)
  • Detect the software and version behind each open port (service discovery)
  • Detect the operating system, hardware address, and software version
  • Detect vulnerabilities and security holes (Nmap scripts)

129. State the features of NMAP.

Nmap features include:

Host discovery – Identifying hosts on a network. For example, listing the hosts that respond to TCP and/or ICMP requests or have a particular port open.

Port scanning – Enumerating the open ports on target hosts.

Version detection – Interrogating network services on remote devices to determine application name and version number.

OS detection – Determining the operating system and hardware characteristics of network devices.

Scriptable interaction with the target – Using the Nmap Scripting Engine (NSE) and the Lua programming language.

Nmap can provide further information on targets, including reverse DNS names, device types, and MAC addresses.

Typical uses of Nmap:

• Auditing the security of a device or firewall by identifying the network connections which can be made to, or through it.
• Identifying open ports on a target host in preparation for auditing.
• Network inventory, network mapping, maintenance and asset management.
• Auditing the security of a network by identifying new servers.
• Generating traffic to hosts on a network.


130. What are the basic phases of the forensic process? Give a brief overview of it.

The most common goal of performing forensics is to gain a better understanding of an event of interest by finding and analyzing the facts related to that event.

Forensics may be needed in many different situations, such as evidence collection for legal proceedings and internal disciplinary actions, and handling of malware incidents and unusual operational problems. Regardless of the need, forensics should be performed using the four-phase process shown in the figure.


The exact details of these steps may vary based on the specific need for forensics; the organization’s policies, guidelines, and procedures should indicate any variations from the standard procedure.

During collection, data related to a specific event is identified, labeled, recorded, and collected, and its integrity is preserved.

In the second phase, examination, forensic tools and techniques appropriate to the types of data that were collected are executed to identify and extract the relevant information from the collected data while protecting its integrity. Examination may use a combination of automated tools and manual processes.

The next phase, analysis, involves analyzing the results of the examination to derive useful information that addresses the questions that were the impetus for performing the collection and examination.

The final phase involves reporting the results of the analysis, which may include describing the actions performed, determining what other actions need to be performed, and recommending improvements to policies, guidelines, procedures, tools, and other aspects of the forensic process.


Data Collection
The first step in the forensic process is to identify potential sources of data and acquire data from them. This means understanding the variety of data sources available and the actions that organizations can take to support the ongoing collection of data for forensic purposes; following the recommended steps for collecting data, including the additional actions necessary to support legal or internal disciplinary proceedings; and, in an incident response setting, weighing the value of collected data against the costs and impact to the organization of the collection process.

Examination
After data has been collected, the next phase is to examine the data, which involves assessing and extracting the relevant pieces of information from the collected data. This phase may also involve bypassing or mitigating OS or application features that obscure data and code, such as data compression, encryption, and access control mechanisms. An acquired hard drive may contain hundreds of thousands of data files; identifying the data files that contain information of interest, including information concealed through file compression and access control, can be a daunting task. In addition, data files of interest may contain extraneous information that should be filtered. For example, yesterday’s firewall log might hold millions of records, but only five of the records might be related to the event of interest.

Analysis
Once the relevant information has been extracted, the analyst should study and analyze the data to draw conclusions from it. The foundation of forensics is using a methodical approach to reach appropriate conclusions based on the available data or determine that no conclusion can yet be drawn. The analysis should include identifying people, places, items, and events, and determining how these elements are related so that a conclusion can be reached. Often, this effort will include correlating data among multiple sources. For instance, a network intrusion detection system (IDS) log may link an event to a host, the host audit logs may link the event to a specific user account, and the host IDS log may indicate what actions that user performed. Tools such as centralized logging and security event management software can facilitate this process by automatically gathering and correlating the data. Comparing system characteristics to known baselines can identify various types of changes made to the system.
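The three-source correlation described above (network IDS alert to host, host audit log to user account, host IDS log to actions) as an added worked example; this is not code from the original page, and the log lines, the key=value record format and the 30-second correlation window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real logs), one event per line, in a simple
# key=value form, from the three sources the passage names.
NIDS_LOG = [
    "ts=2015-08-12T10:14:03 src=10.0.0.5 dst=198.51.100.7 msg=connection_to_listed_address",
]
HOST_AUDIT_LOG = [
    "ts=2015-08-12T09:55:10 host=ws05 ip=10.0.0.5 event=logon user=asmith session=41",
    "ts=2015-08-12T10:13:58 host=ws05 ip=10.0.0.5 event=logon user=jdoe session=42",
    "ts=2015-08-12T10:20:00 host=ws05 ip=10.0.0.5 event=logoff user=asmith session=41",
]
HOST_IDS_LOG = [
    "ts=2015-08-12T10:14:01 host=ws05 session=42 action=exec target=/tmp/updater",
    "ts=2015-08-12T10:14:02 host=ws05 session=42 action=net_connect target=198.51.100.7:443",
    "ts=2015-08-12T10:30:00 host=ws05 session=41 action=exec target=/usr/bin/vi",
]


def parse(line):
    """key=value tokens -> dict (values contain no spaces in this constructed format)."""
    return dict(token.split("=", 1) for token in line.split())


def ts(rec):
    return datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")


def correlate(alert_line, audit_lines, hids_lines, window=timedelta(seconds=30)):
    """Tie one network IDS alert to host, user and actions; returns a sorted timeline."""
    alert = parse(alert_line)
    t0 = ts(alert)
    audit = [parse(line) for line in audit_lines]
    hids = [parse(line) for line in hids_lines]
    # 1. NIDS -> host: audit records show which host held the alert's source address.
    hosts = {r["host"] for r in audit if r.get("ip") == alert["src"]}
    # 2. host IDS -> actions: events on those hosts inside the time window.
    actions = [r for r in hids if r["host"] in hosts and abs(ts(r) - t0) <= window]
    # 3. host audit -> user: the logon that opened each action's session before the alert.
    session_user = {(r["host"], r["session"]): r["user"]
                    for r in audit if r.get("event") == "logon" and ts(r) <= t0}
    return [(r["ts"], r["host"], session_user.get((r["host"], r["session"]), "unknown"),
             r["action"], r["target"]) for r in sorted(actions, key=ts)]
```

With the default window the alert resolves to user jdoe's session and its two actions on ws05; widening the window pulls in the unrelated session 41 activity, which is the kind of alternative explanation the reporting phase must weigh.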

Reporting
The final phase is reporting, which is the process of preparing and presenting the information resulting from the analysis phase. Many factors affect reporting, including the following:
Alternative Explanations.
When the information regarding an event is incomplete, it may not be possible to arrive at a definitive explanation of what happened. When an event has two or more plausible explanations, each should be given due consideration in the reporting process. Analysts should use a methodical approach to attempt to prove or disprove each possible explanation that is proposed.

Audience Consideration.
Knowing the audience to which the data or information will be shown is important. An incident requiring law enforcement involvement requires highly detailed reports of all information gathered, and may also require copies of all evidentiary data obtained. A system administrator might want to see network traffic and related statistics in great detail. Senior management might simply want a high-level overview of what happened, such as a simplified visual representation of how the attack occurred, and what should be done to prevent similar incidents.

Actionable Information.
Reporting also includes identifying actionable information gained from data that may allow an analyst to collect new sources of information. For example, a list of contacts may be developed from the data that might lead to additional information about an incident or crime. Also, information might be obtained that could prevent future events, such as a backdoor on a system that could be used for future attacks, a crime that is being planned, a worm scheduled to start spreading at a certain time, or a vulnerability that could be exploited.


131. Write a short note on File Systems.

Before media can be used to store files, the media must usually be partitioned and formatted into logical volumes. Partitioning is the act of logically dividing a media into portions that function as physically separate units. A logical volume is a partition or a collection of partitions acting as a single entity that has been formatted with a filesystem. Some media types, such as floppy disks, can contain at most one partition (and consequently, one logical volume). The format of the logical volumes is determined by the selected filesystem.

A filesystem defines the way that files are named, stored, organized, and accessed on logical volumes. Many different filesystems exist, each providing unique features and data structures. However, all filesystems share some common traits. First, they use the concepts of directories and files to organize and store data. Directories are organizational structures that are used to group files together. In addition to files, directories may contain other directories called subdirectories. Second, filesystems use some data structure to point to the location of files on media. In addition, they store each data file written to media in one or more file allocation units. These are referred to as clusters by some filesystems (e.g., File Allocation Table [FAT], NT File System [NTFS]) and as blocks by other filesystems (e.g., UNIX and Linux). A file allocation unit is simply a group of sectors, which are the smallest units that can be accessed on media.

Some commonly used filesystems are as follows:

FAT12.
FAT12 is used only on floppy disks and FAT volumes smaller than 16 MB. FAT12 uses a 12-bit file allocation table entry to address an entry in the filesystem.

FAT16.
MS-DOS, Windows 95/98/NT/2000/XP, Windows Server 2003, and some UNIX OSs support FAT16 natively. FAT16 is also commonly used for multimedia devices such as digital cameras and audio players. FAT16 uses a 16-bit file allocation table entry to address an entry in the filesystem. FAT16 volumes are limited to a maximum size of 2 GB in MS-DOS and Windows 95/98. Windows NT and newer OSs increase the maximum volume size for FAT16 to 4 GB.

FAT32.
Windows 95 Original Equipment Manufacturer (OEM) Service Release 2 (OSR2), Windows 98/2000/XP, and Windows Server 2003 support FAT32 natively, as do some multimedia devices. FAT32 uses a 32-bit file allocation table entry to address an entry in the filesystem. The maximum FAT32 volume size is 2 terabytes (TB).

NTFS.
Windows NT/2000/XP and Windows Server 2003 support NTFS natively. NTFS is a recoverable filesystem, which means that it can automatically restore the consistency of the filesystem when errors occur. In addition, NTFS supports data compression and encryption, and allows user and group-level access permissions to be defined for data files and directories. The maximum NTFS volume size is 2 TB.

High-Performance File System (HPFS).
HPFS is supported natively by OS/2 and can be read by Windows NT 3.1, 3.5, and 3.51. HPFS builds on the directory organization of FAT by providing automatic sorting of directories. In addition, HPFS reduces the amount of lost disk space by utilizing smaller units of allocation. The maximum HPFS volume size is 64 GB.

Second Extended Filesystem (ext2fs).
ext2fs is supported natively by Linux. It supports standard UNIX file types and filesystem checks to ensure filesystem consistency. The maximum ext2fs volume size is 4 TB.

Third Extended Filesystem (ext3fs).
ext3fs is supported natively by Linux. It is based on the ext2fs filesystem and provides journaling capabilities that allow consistency checks of the filesystem to be performed quickly on large amounts of data. The maximum ext3fs volume size is 4 TB.

ReiserFS.
ReiserFS is supported by Linux and is the default filesystem for several common versions of Linux. It offers journaling capabilities and is significantly faster than the ext2fs and ext3fs filesystems. The maximum volume size is 16 TB.

Hierarchical File System (HFS).
HFS is supported natively by Mac OS. HFS is mainly used in older versions of Mac OS but is still supported in newer versions. The maximum HFS volume size under Mac OS 6 and 7 is 2 GB. The maximum HFS volume size in Mac OS 7.5 is 4 GB. Mac OS 7.5.2 and newer Mac OSs increase the maximum HFS volume size to 2 TB.

HFS Plus.
HFS Plus is supported natively by Mac OS 8.1 and later and is a journaling filesystem under Mac OS X. It is the successor to HFS and provides numerous enhancements, such as long filename support and Unicode filename support for international filenames. The maximum HFS Plus volume size is 2 TB.

UNIX File System (UFS).
UFS is supported natively by several types of UNIX OSs, including Solaris, FreeBSD, OpenBSD, and Mac OS X. However, most OSs have added proprietary features, so the details of UFS differ among implementations.

Compact Disk File System (CDFS).
As the name indicates, the CDFS filesystem is used for CDs.

International Organization for Standardization (ISO) 9660 and Joliet.
The ISO 9660 filesystem is commonly used on CD-ROMs. Another popular CD-ROM filesystem, Joliet, is a variant of ISO 9660. ISO 9660 supports filename lengths of up to 32 characters, whereas Joliet supports up to 64 characters. Joliet also supports Unicode characters within filenames.

Universal Disk Format (UDF).
UDF is the filesystem used for DVDs and is also used for some CDs.
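As an added worked example (not from the original page), the cluster-chain lookup described above for FAT12: each 12-bit table entry points to the next file allocation unit of a file, two entries are packed into three bytes, and each allocation unit maps to a run of sectors. The table contents and the floppy geometry (one reserved sector, two 9-sector FATs, 14 root-directory sectors, one sector per cluster) are constructed assumptions.

```python
# FAT12 packs two 12-bit entries into three bytes; entries 0 and 1 are reserved,
# so the first data cluster is cluster 2.
FAT12_EOC = 0xFF8   # any value >= 0xFF8 marks the end of a chain
FAT12_BAD = 0xFF7


def pack_fat12(entries):
    """Build a raw FAT12 table from a list of 12-bit entries (constructed test data)."""
    if len(entries) % 2:
        entries = entries + [0]
    raw = bytearray()
    for i in range(0, len(entries), 2):
        pair = (entries[i] & 0xFFF) | ((entries[i + 1] & 0xFFF) << 12)
        raw += pair.to_bytes(3, "little")
    return bytes(raw)


def fat12_entry(fat, n):
    """Read entry n: even entries use the low 12 bits, odd entries the high 12."""
    off = n * 3 // 2
    word = fat[off] | (fat[off + 1] << 8)
    return word >> 4 if n & 1 else word & 0x0FFF


def cluster_chain(fat, start):
    """Follow the chain from a file's first cluster; refuse loops and free/bad clusters."""
    chain, seen, n = [], set(), start
    while True:
        if n < 2 or n in seen:
            raise ValueError(f"invalid or looping chain at cluster {n}")
        chain.append(n)
        seen.add(n)
        nxt = fat12_entry(fat, n)
        if nxt >= FAT12_EOC:
            return chain
        if nxt == 0 or nxt == FAT12_BAD:
            raise ValueError(f"chain runs into a free/bad cluster after {n}")
        n = nxt


def chain_to_sectors(chain, first_data_sector, sectors_per_cluster):
    """Map clusters to absolute sectors: cluster c starts at first_data + (c-2)*spc."""
    sectors = []
    for c in chain:
        base = first_data_sector + (c - 2) * sectors_per_cluster
        sectors.extend(range(base, base + sectors_per_cluster))
    return sectors


# Constructed table: file A occupies clusters 2 -> 3 -> 5; file B is the single
# cluster 4; clusters 6 and 7 point at each other (a corrupted, looping chain).
SAMPLE_FAT = pack_fat12([0xFF8, 0xFFF, 0x003, 0x005, 0xFFF, 0xFFF, 0x007, 0x006])
# Assumed 1.44 MB floppy layout: 1 reserved + 2 x 9 FAT + 14 root sectors = data at 33.
FIRST_DATA_SECTOR, SECTORS_PER_CLUSTER = 33, 1
```

`chain_to_sectors(cluster_chain(SAMPLE_FAT, 2), FIRST_DATA_SECTOR, SECTORS_PER_CLUSTER)` yields sectors 33, 34 and 36, the non-contiguous run an examiner would have to read to recover file A; the looping chain at cluster 6 is rejected instead of being followed forever.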
