Segmenting the network
• Physical, logical, or virtual segmentation
– Devices, VLANs, virtual networks
• Performance
– High-bandwidth applications
• Security
– Users should not talk directly to database servers
– Only the application protocols the core actually needs (for example, SQL and SSH) are allowed in
• Compliance
– Mandated segmentation (PCI compliance)
– Makes change control much easier
Access control lists (ACLs)
• Allow or disallow traffic
– Groupings of categories
– Source IP, Destination IP, port number, time of day,
application, etc.
• Restrict access to network devices
– Limit by IP address or other identifier
– Prevent regular user / non-admin access
• Be careful when configuring these
– You can accidentally lock yourself out
Access control lists
• List the permissions
– Bob can read files
– Fred can access the network
– James can access network 192.168.1.0/24 using tcp
ports 80, 443, and 8088
• Many operating systems use ACLs to provide access to files
– A trustee and the access rights allowed
– Application allow list / deny list
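The two ACL sections above describe a rule list that matches on source, destination, protocol, port and time of day, with first match winning and everything else denied, plus the warning that a bad rule can lock the administrator out. The following is an added example (not code from the page, its author, or any vendor) that implements exactly that evaluation order and adds a dry-run lockout check before a rule set is pushed. All addresses, rule names and the choice of 10.0.20.5 as "James's" workstation are constructed assumptions.

```python
"""Ordered network ACL with first-match semantics and an implicit deny.

Added example, not code from the page. Every address, rule and name below is
constructed for illustration; "James" is modelled as a single workstation.
"""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                                  # "permit" or "deny"
    src: object                                  # ipaddress network object
    dst: object
    proto: str = "any"                           # "tcp", "udp", "icmp" or "any"
    ports: FrozenSet[int] = frozenset()          # empty means any destination port
    window: Optional[Tuple[time, time]] = None   # inclusive time-of-day window
    name: str = ""

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: int, now: time) -> bool:
        if ip_address(src_ip) not in self.src or ip_address(dst_ip) not in self.dst:
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        if self.ports and dport not in self.ports:
            return False
        if self.window is not None:
            start, end = self.window
            if start <= end:
                return start <= now <= end
            return now >= start or now <= end    # window wraps past midnight
        return True


def evaluate(acl: List[Rule], src_ip: str, dst_ip: str, proto: str,
             dport: int, now: time = time(12, 0)) -> Tuple[str, str]:
    """First matching rule decides; if nothing matches the traffic is denied."""
    for rule in acl:
        if rule.matches(src_ip, dst_ip, proto, dport, now):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def locks_out_admin(acl: List[Rule], admin_ip: str, device_ip: str,
                    port: int = 22, now: time = time(12, 0)) -> bool:
    """Dry-run before pushing an ACL: would the admin lose SSH to the device?"""
    return evaluate(acl, admin_ip, device_ip, "tcp", port, now)[0] != "permit"


def net(cidr: str):
    return ip_network(cidr, strict=False)


# Constructed sample times used by the demo below.
BUSINESS_HOURS = time(9, 0)
AFTER_HOURS = time(23, 0)

# Constructed ACL. The last rule is the page's "James" rule: TCP 80/443/8088
# into 192.168.1.0/24, with James's workstation assumed to be 10.0.20.5.
ACL = [
    Rule("permit", net("10.0.50.10/32"), net("10.0.0.0/24"), "tcp", frozenset({22}),
         (time(8, 0), time(18, 0)), "admin-ssh-business-hours"),
    Rule("deny", net("0.0.0.0/0"), net("10.0.0.0/24"), name="block-mgmt-subnet"),
    Rule("permit", net("10.0.20.5/32"), net("192.168.1.0/24"), "tcp",
         frozenset({80, 443, 8088}), name="james-web"),
]

if __name__ == "__main__":
    print(evaluate(ACL, "10.0.20.5", "192.168.1.40", "tcp", 443))    # ('permit', 'james-web')
    print(evaluate(ACL, "10.0.20.5", "192.168.1.40", "tcp", 3306))   # ('deny', 'implicit-deny')
    # Outside the time window the admin rule no longer matches, the broad deny
    # does, and the administrator is locked out of the management subnet.
    print(locks_out_admin(ACL, "10.0.50.10", "10.0.0.1", now=AFTER_HOURS))  # True
```

The lockout check is the practical point: run it against the administrator's own address and the device's management address before committing the list, because a time-window or ordering mistake that denies port 22 is only discovered after the rule is live.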
Examples of allow and deny lists
• Decisions are made in the operating system
– Often built-in to the operating system management
• Application hash
– Only applications with this unique identifier
• Certificate
– Allow digitally signed apps from certain publishers
• Path
– Only run applications in these folders
• Network zone
– The apps can only run from this network zone
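The allow/deny list above names three of the usual matching criteria (application hash, signing certificate, and path). Below is an added example, not code from the page or from any operating system's application-control feature, that evaluates such rules with a default-deny outcome and shows the two path-rule pitfalls a practitioner has to handle: `..` traversal out of an approved folder and a sibling folder whose name merely begins with the approved one. The publisher check is a stand-in for real signature verification (a production control validates the signing certificate chain); here the signer name is assumed to be already-verified metadata. All binaries, paths and signer names are constructed.

```python
"""Application allow list: hash, publisher and path rules with default deny.

Added example, not code from the page. The publisher check stands in for
signature verification; the signer name is passed in as already-verified
metadata. All binaries, paths and signers are constructed.
"""
import hashlib
import posixpath
from typing import List, NamedTuple, Optional, Tuple


class AppRule(NamedTuple):
    kind: str      # "hash", "publisher" or "path"
    value: str     # sha256 hex digest, signer name, or directory prefix
    action: str    # "allow" or "deny"
    name: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def in_directory(path: str, directory: str) -> bool:
    """True if path is at or below directory after normalisation.

    Normalising first defeats '/opt/approved/../../tmp/x'; comparing against the
    prefix plus a trailing slash stops '/opt/approved-evil/x' matching '/opt/approved'.
    """
    p = posixpath.normpath(path)
    d = posixpath.normpath(directory)
    return p == d or p.startswith(d.rstrip("/") + "/")


def rule_matches(rule: AppRule, path: str, digest: str, publisher: Optional[str]) -> bool:
    if rule.kind == "hash":
        return rule.value == digest
    if rule.kind == "publisher":
        return publisher is not None and rule.value == publisher
    if rule.kind == "path":
        return in_directory(path, rule.value)
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def decide(rules: List[AppRule], path: str, content: bytes,
           publisher: Optional[str] = None) -> Tuple[str, str]:
    """Deny rules are evaluated before allow rules; no match at all means deny."""
    digest = sha256_hex(content)
    for wanted in ("deny", "allow"):
        for rule in rules:
            if rule.action == wanted and rule_matches(rule, path, digest, publisher):
                return rule.action, rule.name
    return "deny", "default-deny"


# Constructed binaries and policy.
BACKUP_TOOL = b"\x7fELF constructed backup tool"
OLD_VULN_BUILD = b"\x7fELF constructed vulnerable build of the same tool"

POLICY = [
    AppRule("hash", sha256_hex(OLD_VULN_BUILD), "deny", "block-vulnerable-build"),
    AppRule("hash", sha256_hex(BACKUP_TOOL), "allow", "backup-tool"),
    AppRule("publisher", "Example Corp Signing CA", "allow", "signed-by-vendor"),
    AppRule("path", "/opt/approved", "allow", "approved-directory"),
]

if __name__ == "__main__":
    print(decide(POLICY, "/tmp/backup", BACKUP_TOOL))                 # allowed by hash
    print(decide(POLICY, "/opt/approved/../../tmp/x", b"unknown"))     # traversal: default deny
    print(decide(POLICY, "/opt/approved-evil/x", b"unknown"))          # sibling folder: default deny
    print(decide(POLICY, "/opt/approved/bin/x", OLD_VULN_BUILD))       # deny rule beats path allow
```

Evaluating deny rules first is what lets an administrator block one known-bad build of a vendor's tool while the vendor's publisher certificate and install folder remain allowed.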
Patching
• Incredibly important
– System stability, security fixes
• Monthly updates
– Incremental (and important)
• Third-party updates
– Application developers, device drivers
• Auto-update
– Not always the best option
• Emergency out-of-band updates
– Zero-day and important security discoveries
Encryption
• Prevent access to application data files
– File system encryption
• Full disk encryption (FDE)
– Encrypt everything on the drive
– BitLocker, FileVault, etc.
• File level encryption
– Windows EFS
• Application data encryption
– Managed by the app
– Stored data is protected
Monitoring
• Aggregate information from devices
– Built-in sensors, separate devices
– Integrated into servers, switches, routers, firewalls, etc.
• Sensors
– Intrusion prevention systems, firewall logs,
authentication logs, web server access logs, database
transaction logs, email logs
• Collectors
– Proprietary consoles (IPS, firewall)
– SIEM consoles, syslog servers
– Many SIEMs include a correlation engine to compare
diverse sensor data
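The monitoring section describes sensors feeding a collector whose correlation engine compares data from different sources. The following is an added example, not code from the page or from any SIEM product, of the simplest useful correlation: authentication-log failures from one sensor counted in a sliding window, joined with firewall accept records from another sensor to show the connection really reached the host. The log lines are constructed in the general shape of Linux sshd syslog and iptables LOG output; the field names, the five-failures-in-five-minutes threshold and the alert names are assumptions, not any product's rule syntax.

```python
"""Correlating two sensors in a collector: SSH auth failures plus firewall accepts.

Added example, not code from the page. Log lines are constructed; the
threshold, window and alert names are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

SSH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) kernel: ACCEPT SRC=(?P<src>\S+) .*DPT=(?P<dport>\d+)"
)

THRESHOLD = 5                     # this many failures ...
WINDOW = timedelta(minutes=5)     # ... within this sliding window


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def correlate(lines: List[str]) -> List[Tuple[str, str, int]]:
    """Return (alert, source_ip, firewall_accepts_to_ssh) tuples in detection order."""
    events = []
    fw_accepts: Dict[str, int] = defaultdict(int)
    for line in lines:
        m = FW_RE.match(line)
        if m:
            if m["dport"] == "22":
                fw_accepts[m["src"]] += 1
            continue
        m = SSH_RE.match(line)
        if m:
            events.append((parse_ts(m["ts"]), m["src"], m["result"]))
    events.sort()                                  # collectors receive lines out of order

    failures: Dict[str, deque] = defaultdict(deque)
    alerted = set()
    alerts = []
    for ts, src, result in events:
        q = failures[src]
        while q and ts - q[0] > WINDOW:            # slide the window forward
            q.popleft()
        if result == "Failed":
            q.append(ts)
            if len(q) >= THRESHOLD and src not in alerted:
                alerted.add(src)
                alerts.append(("brute-force-attempt", src, fw_accepts[src]))
        elif len(q) >= THRESHOLD:                  # a success right after a burst of failures
            alerts.append(("brute-force-success", src, fw_accepts[src]))
            q.clear()
    return alerts


# Constructed sample input from two sensors, deliberately interleaved.
SAMPLE_LOGS = [
    "2024-03-04T10:01:02Z fw01 kernel: ACCEPT SRC=203.0.113.7 DST=10.0.1.5 PROTO=TCP DPT=22",
    "2024-03-04T10:01:05Z app01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "2024-03-04T10:01:09Z app01 sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2",
    "2024-03-04T10:01:14Z app01 sshd[1203]: Failed password for root from 203.0.113.7 port 51236 ssh2",
    "2024-03-04T10:01:20Z app01 sshd[1250]: Failed password for bob from 198.51.100.9 port 40000 ssh2",
    "2024-03-04T10:01:22Z app01 sshd[1204]: Failed password for root from 203.0.113.7 port 51237 ssh2",
    "2024-03-04T10:01:30Z fw01 kernel: ACCEPT SRC=203.0.113.7 DST=10.0.1.5 PROTO=TCP DPT=22",
    "2024-03-04T10:01:31Z app01 sshd[1205]: Failed password for deploy from 203.0.113.7 port 51238 ssh2",
    "2024-03-04T10:02:40Z app01 sshd[1206]: Accepted password for deploy from 203.0.113.7 port 51300 ssh2",
    "2024-03-04T10:02:41Z app01 sshd[1251]: Accepted password for bob from 198.51.100.9 port 40001 ssh2",
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

The user who mistyped a password once (198.51.100.9) produces no alert, while the source that failed five times and then succeeded raises both an attempt and a success alert, and the firewall count on each alert tells the analyst that the sessions were in fact accepted at the perimeter rather than dropped.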
Least privilege
• Rights and permissions should be set to the bare
minimum
– You only get exactly what’s needed to complete
your objective
• All user accounts must be limited
– Applications should run with minimal privileges
• Don’t allow users to run with administrative privileges
– Limits the scope of malicious behavior
Configuration enforcement
• Perform a posture assessment
– Each time a device connects
• Extensive check
– OS patch version
– EDR (Endpoint Detection and Response) version
– Status of firewall and EDR
– Certificate status
• Systems out of compliance are quarantined
– Private VLAN with limited access
– Recheck after making corrections
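The posture-assessment steps above (check patch level, EDR version, firewall and EDR status, certificate status; quarantine on failure; recheck after correction) are shown end to end in this added example, which is not code from the page or from any NAC product. The policy values, device-report fields and VLAN names are constructed assumptions; a real deployment gets the report from an agent or the 802.1X exchange rather than a dictionary.

```python
"""Posture assessment on connect, with quarantine and re-check.

Added example, not code from the page. Policy values, report fields and
VLAN names are constructed.
"""
from datetime import date, timedelta
from typing import Dict, List, Tuple

TODAY = date(2024, 3, 4)           # fixed so the example is deterministic

POLICY = {
    "min_os_build": "10.0.19045.4046",
    "min_edr_version": "7.12.0",
    "cert_min_days_left": 14,
}


def version_tuple(v: str) -> Tuple[int, ...]:
    """Compare versions numerically: as strings, "7.9.3" would sort above "7.12.0"."""
    return tuple(int(x) for x in v.split("."))


def assess(report: Dict, policy: Dict = POLICY, today: date = TODAY) -> Tuple[str, List[str]]:
    """Return (assigned VLAN, list of failed checks). Any failure means quarantine."""
    failures = []
    if version_tuple(report["os_build"]) < version_tuple(policy["min_os_build"]):
        failures.append("os-build-below-minimum")
    if version_tuple(report["edr_version"]) < version_tuple(policy["min_edr_version"]):
        failures.append("edr-version-below-minimum")
    if not report["firewall_enabled"]:
        failures.append("firewall-disabled")
    if not report["edr_running"]:
        failures.append("edr-not-running")
    days_left = (report["cert_expires"] - today).days
    if days_left < policy["cert_min_days_left"]:
        failures.append("device-cert-expiring")
    vlan = "user-vlan" if not failures else "quarantine-pvlan"
    return vlan, failures


def remediate_and_recheck(report: Dict, fixes: Dict) -> Tuple[str, List[str]]:
    """Apply corrections to a copy of the report and run the assessment again."""
    return assess({**report, **fixes})


# Constructed device reports.
GOOD_LAPTOP = {
    "os_build": "10.0.19045.4170", "edr_version": "7.12.4",
    "firewall_enabled": True, "edr_running": True,
    "cert_expires": TODAY + timedelta(days=200),
}
STALE_LAPTOP = {**GOOD_LAPTOP, "edr_version": "7.9.3", "firewall_enabled": False}
EXPIRING_CERT = {**GOOD_LAPTOP, "cert_expires": TODAY + timedelta(days=3)}

if __name__ == "__main__":
    print(assess(GOOD_LAPTOP))
    print(assess(STALE_LAPTOP))
    print(remediate_and_recheck(STALE_LAPTOP, {"edr_version": "7.12.4", "firewall_enabled": True}))
```

Returning the full list of failures rather than stopping at the first one matters operationally: the help desk fixes everything in one pass and the device leaves the quarantine VLAN on the first recheck instead of bouncing back for a second missed item.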
Decommissioning
• Should be a formal policy
– Don’t throw your data into the trash
– Someone will find this later
• Mostly associated with storage devices
– Hard drive
– SSD
– USB drives
• Many options for physical devices
– Recycle the device for use in another system
– Destroy the device
System hardening
• Many and varied
– Windows, Linux, iOS, Android, et al.
• Updates
– Operating system updates/service packs, security
patches
• User accounts
– Minimum password lengths and complexity
– Account limitations
• Network access and security
– Limit network access
• Monitor and secure
– Anti-virus, anti-malware
The endpoint
• The user's access
– Applications and data
• Stop the attackers
– Inbound attacks, outbound attacks
• Many different platforms
– Mobile, desktop
• Protection is multi-faceted
– Defense in depth
Endpoint detection and response (EDR)
• A different method of threat protection
– Scale to meet the increasing number of threats
• Detect a threat
– Signatures aren’t the only detection tool
– Behavioral analysis, machine learning,
process monitoring
– Lightweight agent on the endpoint
• Investigate the threat
– Root cause analysis
• Respond to the threat
– Isolate the system, quarantine the threat,
rollback to a previous config
– API driven, no user or technician
intervention required
Host-based firewall
• Software-based firewall
– Personal firewall, runs on every endpoint
• Allow or disallow incoming or outgoing
application traffic
– Control by application process
– View all data
• Identify and block unknown processes
– Stop malware before it can start
• Manage centrally
Finding intrusions
• Host-based Intrusion Prevention System (HIPS)
– Recognize and block known attacks
– Secure OS and application configs, validate incoming
service requests
– Often built into endpoint protection software
• HIPS identification
– Signatures, heuristics, behavioral
– Buffer overflows, registry updates, writing files to the
Windows folder
– Access to non-encrypted data
Open ports and services
• Every open port is a possible entry point
– Close everything except required ports
• Control access with a firewall
– NGFW would be ideal
• Unused or unknown services
– Installed with the OS or from other applications
• Applications with broad port ranges
– Open port 0 through 65,535
• Use Nmap or similar port scanner to verify
– Ongoing monitoring is important
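The section above says to close everything except required ports and to verify with Nmap on an ongoing basis. What makes the verification useful is comparing each scan against an approved baseline so that a newly exposed service stands out. This added example (not code from the page, and not part of Nmap itself) parses Nmap's grepable output format (`-oG`) and diffs it against a per-host baseline. The scan text, hosts, ports and baseline are constructed; the line layout follows the documented grepable format of `port/state/protocol/owner/service/rpc/version/` entries separated by `, `.

```python
"""Diff an Nmap grepable scan (-oG) against an approved-ports baseline.

Added example, not code from the page or from Nmap. SCAN is a constructed
excerpt in the grepable format; hosts, ports and the baseline are assumptions.
"""
import re
from typing import Dict, List, Set, Tuple

Port = Tuple[int, str]   # (port number, protocol)

HOST_RE = re.compile(r"^Host: (?P<ip>\S+) \((?P<name>[^)]*)\)\tPorts: (?P<ports>.*?)(?:\t|$)")


def parse_gnmap(text: str) -> Dict[str, Set[Port]]:
    """Map host IP -> set of (port, proto) that Nmap reported as open."""
    result: Dict[str, Set[Port]] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:                              # comment lines and "Status: Up" lines
            continue
        open_ports: Set[Port] = set()
        for entry in m["ports"].split(", "):
            fields = entry.split("/")          # port/state/proto/owner/service/rpc/version/
            if len(fields) >= 3 and fields[1] == "open":
                open_ports.add((int(fields[0]), fields[2]))
        result[m["ip"]] = open_ports
    return result


def diff_against_baseline(scan: Dict[str, Set[Port]],
                          baseline: Dict[str, Set[Port]]) -> Dict[str, Tuple[List[Port], List[Port]]]:
    """Return {host: (unexpected_open, expected_but_not_open)} for hosts that differ.

    A host missing from the baseline has every open port flagged: an unknown
    device answering on the segment is itself a finding.
    """
    findings = {}
    for host, open_ports in scan.items():
        expected = baseline.get(host, set())
        unexpected = sorted(open_ports - expected)
        missing = sorted(expected - open_ports)
        if unexpected or missing:
            findings[host] = (unexpected, missing)
    return findings


# Constructed -oG excerpt. Fields are tab-separated, as in real grepable output.
SCAN = (
    "# constructed grepable output for the example\n"
    "Host: 10.0.1.5 (app01.example.internal)\tPorts: 22/open/tcp//ssh//OpenSSH 9.2/, "
    "443/open/tcp//https///, 3306/open/tcp//mysql///\tIgnored State: closed (65532)\n"
    "Host: 10.0.1.6 (db01.example.internal)\tPorts: 22/open/tcp//ssh///, "
    "3306/open/tcp//mysql///, 9200/open/tcp//elasticsearch///\tIgnored State: closed (65532)\n"
    "Host: 10.0.1.7 ()\tStatus: Up\n"
    "Host: 10.0.1.7 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: filtered (65534)\n"
)

# Constructed baseline: the application server should expose only SSH and HTTPS,
# the database server only SSH and MySQL; 10.0.1.7 is not supposed to exist.
BASELINE: Dict[str, Set[Port]] = {
    "10.0.1.5": {(22, "tcp"), (443, "tcp")},
    "10.0.1.6": {(22, "tcp"), (3306, "tcp")},
}

if __name__ == "__main__":
    for host, (unexpected, missing) in diff_against_baseline(parse_gnmap(SCAN), BASELINE).items():
        print(host, "unexpected open:", unexpected, "expected but not open:", missing)
```

To produce real input, run a full-range scan such as `nmap -sT -p- -oG scan.gnmap 10.0.1.0/29` (use `-p0-` to include port 0, matching the 0 through 65,535 range mentioned above) and pass the file's contents to `parse_gnmap`. The finding on 10.0.1.5 is the segmentation point made earlier on this page: a database port reachable on an application server means users can talk directly to the database.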
Default password changes
• Every network device has a management interface
– Critical systems, other devices
• Many applications also have management or
maintenance interfaces
– These can contain sensitive data
• Change default settings
– Passwords
• Add additional security
– Require additional logon
– Add 3rd-party authentication
Removal of unnecessary software
• All software contains bugs
– Some of those bugs are security vulnerabilities
• Every application seems to have a completely different
patching process
– Can be challenging to manage ongoing updates
• Remove all unused software
– Reduce your risk
– An easy fix