CYSE 445 Final Exam 2024 Graded A+
NIST Incident Response Life Cycle
PREPARATION
DETECTION AND ANALYSIS
CONTAINMENT, ERADICATION, and RECOVERY
POST-INCIDENT ACTIVITY
PREPARATION
involves establishing and training an incident response team, and acquiring the
necessary tools and resources. During preparation, the organization also attempts to
limit the number of incidents that will occur by selecting and implementing a set of
controls based on the results of risk assessments.
DETECTION AND ANALYSIS
Detection of security breaches is necessary to alert the organization whenever incidents
occur.
CONTAINMENT, ERADICATION, and RECOVERY
In keeping with the severity of the incident, the organization can mitigate the impact of
the incident by containing it and ultimately recovering from it. During this phase, activity
often cycles back to detection and analysis—for example, to see if additional hosts are
infected by malware while eradicating a malware incident.
POST-INCIDENT ACTIVITY
After the incident is adequately handled, the organization issues a report that details the
cause and cost of the incident and the steps the organization should take to prevent
future incidents.
Threat Modeling: four steps and four key questions
What is being protected? Model system
What can go wrong with security? Apply model of security threats to system model to
identify threats
What should be done about threats? Address threats
.Is this model complete and correct? Check model
Approaches to Identifying Threats
•Informal, unstructured consideration of security issues
•Brainstorming or unstructured discussions of security threats in response to system
architecture
•Structured discussions using STRIDE mnemonic (or variant)
•Structured discussions using attack libraries
STRIDE
•SPOOFING: pretending to be something or someone else
•TAMPERING: modifying something
•REPUDIATION: claiming you didn't do something
•INFORMATION DISCLOSURE: exposing information to people who are not authorized
to see it
•DENIAL OF SERVICE: attacks designed to present a system from providing service
, •ELEVATION OF PRIVILEGE: enabling a program, device, or user to technically do
things that they are not allowed to do
Secure Coding
reducing the number of vulnerabilities in software to a degree that can be mitigated by
operational controls (aspirational)
Secure Software Development: Testing
•(Automated) Static and Dynamic Code Analysis to identify security policy violations,
such as not validating user input
•(Manual) Peer code Reviews by developer other than the author
•Testing by security team (in addition to business functional testing)
•Web Application vulnerability scanning
•Interception proxy software that logs and examines communications between two
endpoints to check for (i) input validation, (ii)parameter validation, (iii) plaintext
credentials, and (iv) session tokens that aren't pseudo-random to prevent attacker
guessing
•"Fuzzing" that sends large amounts of malformed and unexpected data to a program to
trigger failures
•Stress testing by placing extreme demands well beyond planning thresholds to
determine degree of robustness (simulating Denial of Service attacks)
Top Ten Secure Coding Practices
1.Validate all inputs
2.Don't ignore compiler warnings
3.Architect for security
4.Avoid unnecessary complexity
5.Deny by default
6.Use least privilege
7.Don't share data you don't have to
8.Defend in depth
9.Strive for quality
10.Use specific secure coding standards (SEI has developed standards for C, C++,
Perl, Java, Android)
Ways to protect IoT devices:
Know the governance
Private networks must establish policies on usage, data retention, surveillance, and
communicate those to employees/users
Awareness of known and suspected vulnerabilities
Good practices on configuration, limitation of attack surfaces
Research and communication to ensure continuous reevaluation of risk
Penetration testing, analysis of traffic and potential mitigations
Code of Practice for Consumer IoT Security:
1.No default passwords
2.Implement a vulnerability disclosure policy
NIST Incident Response Life Cycle
PREPARATION
DETECTION AND ANALYSIS
CONTAINMENT, ERADICATION, and RECOVERY
POST-INCIDENT ACTIVITY
PREPARATION
involves establishing and training an incident response team, and acquiring the
necessary tools and resources. During preparation, the organization also attempts to
limit the number of incidents that will occur by selecting and implementing a set of
controls based on the results of risk assessments.
DETECTION AND ANALYSIS
Detection of security breaches is necessary to alert the organization whenever incidents
occur.
CONTAINMENT, ERADICATION, and RECOVERY
In keeping with the severity of the incident, the organization can mitigate the impact of
the incident by containing it and ultimately recovering from it. During this phase, activity
often cycles back to detection and analysis—for example, to see if additional hosts are
infected by malware while eradicating a malware incident.
POST-INCIDENT ACTIVITY
After the incident is adequately handled, the organization issues a report that details the
cause and cost of the incident and the steps the organization should take to prevent
future incidents.
Threat Modeling: four steps and four key questions
What is being protected? Model system
What can go wrong with security? Apply model of security threats to system model to
identify threats
What should be done about threats? Address threats
.Is this model complete and correct? Check model
Approaches to Identifying Threats
•Informal, unstructured consideration of security issues
•Brainstorming or unstructured discussions of security threats in response to system
architecture
•Structured discussions using STRIDE mnemonic (or variant)
•Structured discussions using attack libraries
STRIDE
•SPOOFING: pretending to be something or someone else
•TAMPERING: modifying something
•REPUDIATION: claiming you didn't do something
•INFORMATION DISCLOSURE: exposing information to people who are not authorized
to see it
•DENIAL OF SERVICE: attacks designed to present a system from providing service
, •ELEVATION OF PRIVILEGE: enabling a program, device, or user to technically do
things that they are not allowed to do
Secure Coding
reducing the number of vulnerabilities in software to a degree that can be mitigated by
operational controls (aspirational)
Secure Software Development: Testing
•(Automated) Static and Dynamic Code Analysis to identify security policy violations,
such as not validating user input
•(Manual) Peer code Reviews by developer other than the author
•Testing by security team (in addition to business functional testing)
•Web Application vulnerability scanning
•Interception proxy software that logs and examines communications between two
endpoints to check for (i) input validation, (ii)parameter validation, (iii) plaintext
credentials, and (iv) session tokens that aren't pseudo-random to prevent attacker
guessing
•"Fuzzing" that sends large amounts of malformed and unexpected data to a program to
trigger failures
•Stress testing by placing extreme demands well beyond planning thresholds to
determine degree of robustness (simulating Denial of Service attacks)
Top Ten Secure Coding Practices
1.Validate all inputs
2.Don't ignore compiler warnings
3.Architect for security
4.Avoid unnecessary complexity
5.Deny by default
6.Use least privilege
7.Don't share data you don't have to
8.Defend in depth
9.Strive for quality
10.Use specific secure coding standards (SEI has developed standards for C, C++,
Perl, Java, Android)
Ways to protect IoT devices:
Know the governance
Private networks must establish policies on usage, data retention, surveillance, and
communicate those to employees/users
Awareness of known and suspected vulnerabilities
Good practices on configuration, limitation of attack surfaces
Research and communication to ensure continuous reevaluation of risk
Penetration testing, analysis of traffic and potential mitigations
Code of Practice for Consumer IoT Security:
1.No default passwords
2.Implement a vulnerability disclosure policy
