Secure Baselines
Establishing, deploying, and maintaining hardened targets to ensure a secure starting point for systems
Establish Baselines
Creating a reference set of data against which operational data is compared.
Deploy Baselines
• We now have established detailed security baselines
- How do we put those baselines into action?
• Deploy the baselines
- Usually managed through a centrally administered console
• May require multiple deployment mechanisms
- Active Directory group policy, MDM, etc.
• Automation is the key
- Deploy to hundreds or thousands of devices
EDR
Endpoint detection and response. A software agent that collects system data and logs for analysis by a monitoring system to provide early detection of threats.
Embedded Systems
Special-purpose software designed and included inside physical products
Site Survey
In the context of wireless networking, an assessment of client requirements, facility characteristics, and coverage areas to determine an access point arrangement that will ensure reliable wireless connectivity within a given area.
MDM
Mobile Device Management. A group of applications and/or technologies used to manage mobile devices. MDM tools can monitor mobile devices and ensure they are in compliance with security policies.
COPE
Corporate-owned, personally enabled. A mobile device deployment model. The organization purchases and issues devices to employees. Compare with BYOD and CYOD.
PSK
Pre-Shared Key
GCMP
Galois/Counter Mode Protocol. Used in WPA3. Confidentiality with AES; integrity through a MIC using the Galois Message Authentication Code (GMAC).
SAE
(Simultaneous Authentication of Equals) Personal authentication mechanism for Wi-Fi networks introduced with WPA3 to address vulnerabilities in the WPA-PSK method.
802.1X
A port-based authentication protocol. Wireless can use 802.1X. For example, WPA2-Enterprise mode uses an 802.1X server (implemented as a RADIUS server) to add authentication.
RADIUS server
A server that offers centralized authentication services to a network's access server, VPN server, or wireless access point via the RADIUS protocol.
AAA Framework
Authentication, Authorization, and Accounting
EAP
Extensible Authentication Protocol. An authentication framework; 802.1X uses EAP to provide authentication.
SAST
Static Application Security Testing. Tests for code vulnerabilities by using a static analyzer.
Sandboxing
An isolated test environment that simulates the production environment but will not affect production components/data.
Acquisition
The purchasing process for obtaining goods and services
Assignment/accounting
In asset management, processes that ensure each physical and data asset has an identified owner and is appropriately tagged and classified within an inventory.
Monitoring/asset tracking
Inventory every asset; associate a support ticket with a device make and model. Enumeration: list all parts of an asset. Add an asset tag.
Media Sanitization
System disposal or decommissioning
- Completely remove data
Different use cases
- Clean a hard drive for future use
- Permanently delete a single file
A one-way trip
- Once it's gone, it's really gone
- No recovery with forensics tools
Reuse the storage media
- Ensure nothing is left behind
Physical destruction
- Shredder or pulverizer
- Drill or hammer
- Degaussing (using an electromagnet)
- Incineration
Vulnerability Scanning
A technique that identifies threats on the network without exploiting them, e.g. looking for open ports or services.
OSINT
Open Source Intelligence; gathered from publicly available sources
CTA
Cyber Threat Alliance, members upload information about threat intelligence and other members validate the data
Bug bounty
A monetary reward given for uncovering a software vulnerability.
CVSS
Common Vulnerability Scoring System; an open standard for scoring new vulnerabilities.
CVE
Common Vulnerabilities and Exposures (CVE). A dictionary of publicly known security vulnerabilities and exposures.
SIEM
Security Information and Event Management. A security system that attempts to look at security events throughout the organization.
SCAP
Security Content Automation Protocol. A standard for automated vulnerability management, measurement, and policy compliance evaluation tools.
Software Agent
Receives keystrokes, file contents, and network packets as sensory inputs and acts on the environment by displaying on the screen, writing files, and sending network packets in order to monitor a device.
DLP
Data loss prevention. A network-based DLP system can examine and analyze network traffic. It can detect whether confidential company data or any PII is included in email and reduce the risk of internal users emailing sensitive data outside the organization. Endpoint DLP systems can prevent users from copying or printing sensitive data.
SNMP
Simple Network Management Protocol. Used to collect system information from a remote computer
MIB
Management Information Base
A data set that defines the criteria that can be retrieved and set on a device using SNMP
SNMP Trap
An alert sent from the monitored system back to the monitoring station when a configured threshold is crossed; uses UDP port 162.
NetFlow
Gather traffic statistics from all traffic flows
- Shared communication between devices
• NetFlow
- Standard collection method
- Many products and options
• Probe and collector
- Probe watches network communication
- Summary records are sent to the collector
• Usually a separate reporting app
- Closely tied to the collector
SPAN
Switched Port Analyzer (Mirror Port) - access traffic moving through a SPAN-supporting network switch. Configuration is done by mirroring traffic from selected ports or VLANs to the SPAN port. Analyzes how much data is going through a switch
Vulnerability scanner
Generic term for a range of products that look for vulnerabilities in networks or systems. Usually minimally invasive like port scans or identifying systems
Network-Based Firewalls
• Filters traffic by port number
• Can encrypt and proxy traffic across the network
• Most firewalls can be layer 3 devices (routers) and often sit at the ingress/egress of the network, manage Network Address Translation, and perform dynamic routing
NGFW
Next-generation firewall. Advances in firewall technology: application awareness, user-based filtering, intrusion prevention, and cloud inspection. Also known as a layer 7 firewall.
Firewall Rules
• A logical path
- Usually top-to-bottom
• Can be very general or very specific
- Specific rules are usually at the top
• Implicit deny
- Most firewalls include a deny at the bottom
- Even if you didn't put one
• Access control lists (ACLs)
- Allow or disallow traffic
- Rules are grouped by categories such as source IP, destination IP, port number, time of day, application, protocol, etc.
Screened Subnet
A segment isolated from the rest of a private network by one or more firewalls that accepts connections from the Internet over designated ports. Keeps public data public while private data remains inaccessible
IPS Rules
Intrusion prevention system, usually integrated into an NGFW. Different ways to look at malicious traffic as it passes by: signature-based (look for a perfect match) and anomaly-based (build a baseline of "normal" activity). Rules determine what happens when unwanted traffic appears. Has thousands of rules or more, which can be customized by group.
Content Filtering
Control traffic based on data within the content: URL filtering, website category filtering
URL Scanning
Uniform Resource Locator scanning. Allow list / block list; can be managed by category; offers limited control; often integrated into an NGFW.
Agent Based Firewall
• Install client software on the user's device
- Usually managed from a central console
• Users can be located anywhere
- The local agent makes the filtering decisions
- Always-on, always filtering
• Updates must be distributed to all agents
- Cloud-based updates
- Update status shown at the console
Uses software installed on clients that authenticates the client to the NAC before scanning it and allowing network access.
Proxies
Sits between the users and the external network. Receives the user requests and sends the request on their behalf (the proxy). Proxy then analyzes what was received from the website and can allow or disallow content.
Useful for caching info, access control, URL filtering, and content scanning
Explicit Proxy
Requires the client software to be configured to use the proxy server.
Transparent Proxy
A proxy that does not require any configuration on the user's computer.
Forward Proxy
A computer or an application program that intercepts user requests from the internal secure network and then processes those requests on behalf of the users to the internet
Reputation
Filter URLs based on perceived risk. Credit score for a website. Sites are scanned and automatically assigned a reputation or can be manually assigned
DNS Filtering
Technique used to block access to certain websites by preventing the translation of specific domain names to their corresponding IP addresses. Therefore harmful sites are not resolved
Active Directory
The Windows directory service that enables administrators to create and manage users and groups, set network-wide user and computer policies, manage security, and organize network resources. Manages authentication using centralized access control.
Group Policy
A centralized configuration management feature available for Active Directory on Windows Server systems.
SELinux
Security-Enhanced Linux. A trusted operating system platform that prevents malicious or suspicious code from executing on both Linux and UNIX systems. It is one of the few operating systems that use the MAC model.
MAC
Mandatory Access Control. Access control model that uses sensitivity labels assigned to objects (files and folders) and users. SELinux (deployed in both Linux and UNIX platforms) is a trusted operating system platform using the MAC model
DAC
Discretionary Access Control. An access control model where all objects have owners and owners can modify permissions for the objects (files and folders). Microsoft's NTFS uses the DAC model
Unencrypted Network Data Protocols
FTP, SMTP, IMAP, Telnet
Mail Gateway
A system that monitors emails for unwanted content and prevents these messages from being delivered.
SPF
Sender Policy Framework. An email authentication method designed to detect forged sender addresses during delivery of the email. The sender configures a list of all servers authorized to send email for a specific domain; the receiving mail server performs a check to see whether incoming mail really did come from an authorized host.
SPF protocol
Sender configures a list of all servers authorized to send emails for a specific domain
DKIM
DomainKeys Identified Mail. Digitally sign your outgoing mail; validated by the mail server, not usually seen by the end user. Put your public key in the DKIM TXT record. Not a digital signature of the message itself but a digital signature for the transport process of an email.
DMARC
Domain-based Message Authentication, Reporting and Conformance. An extension of SPF and DKIM. The domain owner decides what receiving email servers should do with emails that fail SPF and DKIM validation. The policy is written into a DNS TXT record. Can accept all, reject all, or send to spam.
FIM
File Integrity Monitoring. Some files change all the time while other files never change. Monitor important operating system and application files and identify when changes occur. Windows uses SFC (System File Checker) and Linux uses Tripwire. Many host-based IPS solutions include FIM.
Host-Based IPS
A software package installed on a host or server. Monitors activity on the server and reports intrusions to the IPS management console.
DLP
Data loss prevention. A group of technologies used to prevent data loss. They can block the use of USB devices, monitor outgoing email to detect and block unauthorized data transfers, and monitor data stored in the cloud. Prevents data "leakage"
Cloud-based DLP
• Located between users and the Internet
• Watch every byte of network traffic
• No hardware, no software
• Block custom defined data strings
• Unique data for your organization
• Manage access to URLs - Prevent file transfers to cloud storage
• Block viruses and malware - Anything traversing the network
Edge of the Network
Where internal network meets the WAN. Managed primarily through firewall rules.
Access Control
Regulating who can view or use resources. Affects users inside and out, and access can be revoked or changed
Posture Assessment
A thorough examination of each aspect of the network to determine how it might be compromised
Persistent Agents
• Permanently installed onto a system
• Periodic updates may be required
Dissolvable Agents
• No installation is required
• Runs during the posture assessment
• Terminates when no longer required
Agentless NAC
Integrated with Active Directory.
Checks are made during login and logoff.
Can't be scheduled
EDR
(Endpoint detection and response) A software agent that collects system data and logs for analysis by a monitoring system to provide early detection of threats. Uses signatures, machine learning, and process monitoring to determine threats. Can automatically respond to the threat.
XDR
Extended Detection and Response. A system that delivers intelligent, automated, and integrated security across an organization's domain.
Prevents, detects, and responds to threats across identities, endpoints, applications, email, IoT, infrastructure, and cloud platforms.
Can be run across more than one system, combining endpoint, network, and cloud data to improve detection and simplify security events (unlike EDR, and much more inclusive than IDS).
IAM
Identity and Access Management. Granting and revoking access; manages authentication and authorization along with access control. The biggest part of this is provisioning and de-provisioning access.
SSO
Single sign-on. Authentication method where users can access multiple resources on a network using a single account. SSO can provide central authentication against a federated database for different operating systems.
LDAP
Lightweight Directory Access Protocol. A protocol used to communicate with directories over an IP network. It is a network's phone book. Uses X.500.
X.500 Distinguished Names
• attribute=value pairs
• Most specific attribute is listed first
• This may be similar to the way you already think
Hierarchical structure is a tree and the leaves are the services of an organization
SAML
Security Assertion Markup Language. An XML-based standard used to exchange authentication and authorization information between different parties. SAML provides SSO for web-based applications. (Does not work with mobile devices.)
OAuth
Open Authorization. An open standard used for authorization with Internet-based single sign-on solutions; supported by mobile devices. Provides authentication between applications (e.g. using Facebook to log into Instagram).
Federation
Allows network access without a centralized database. Not just to employees but also to partners, suppliers, and more. Provides SSO and more.
Think about using Google to sign into GeeksForGeeks. Authenticate and Authorize between two organizations
Interoperability
The capability of two or more computer systems to share data and resources, even though they are made by different manufacturers. Many different ways to communicate with an authentication server.
DAC
Discretionary Access Control. An access control model where all objects have owners and owners can modify permissions for the objects (files and folders). Used in most operating systems. Flexible access control as responsibility falls on each user
RBAC
Role-based access control. An access control model that uses roles to define access and it is often implemented with groups. A user account is placed into a role, inheriting the rights and permissions of the role
ABAC
Attribute-based access control. An access control model that grants access to resources based on attributes assigned to subjects and objects. Attributes could be resource information, IP address, time of day, desired action, etc. A complicated access control method.
Time-of-day Restrictions
Limitations imposed as to when a user can log on to a system.
Authentication Factors
Something you know -> Password or PIN
Something you have -> Smart Card or ID
Something you are -> Biometric Authentication
Somewhere you are -> Factor based on location or IP address
Just-in-time Permissions
Access control permissions that are immediately elevated to higher-level permissions to perform a specific function before dropping back to normal levels.
NIST SP800-61
National Institute of Standards and Technology
- NIST Special Publication 800-61
- Computer Security Incident Handling Guide
The incident response lifecycle:
- Preparation
- Detection and Analysis
- Containment, Eradication, and Recovery
- Post-incident Activity
Incident Response Lifecycle
Mnemonic: Pizza Delivery Apps Create Easy Routes Logistically
- Preparation
- Detection
- Analysis
- Containment
- Eradication and Recovery
- Post-Incident Activity
Tabletop Exercise
A discussion-based exercise where participants talk through an event while sitting at a table or in a conference room. It is often used to test business continuity plans.
threat hunting
Cybersecurity technique designed to detect the presence of threats that have not been discovered by normal security monitoring.
Digital Forensics
The discovery, collection, and analysis of evidence found on computers and networks.
ESI
Electronically Stored Information
Legal Hold
A process designed to preserve all relevant information when litigation is reasonably expected to occur.
Endpoint
Any physical device that connects to a network and exchanges data with it