2.4 Given a scenario, analyze and interpret output from security technologies. Flashcards
HIDS/HIPS
A host-based intrusion detection system or host-based intrusion prevention system displays notifications within the application (or sends them to a designated e-mail address). You review the notification events to identify any suspicious activity on the system. When looking at the output, review the date and time of the event, the source of the event (most HIDS/HIPS products review logs from many sources), and the account that caused the event to occur. Using this information, you can decide whether a configuration change is needed.
Antivirus
Antivirus software provides logs and notifications. Review these logs and notifications for information such as the result of a scheduled scan, which will report if malware was found and, if so, the name of the malware and the names of the files infected. You will also receive information on any corrective action taken, such as if an infected file was removed from the system or moved to a quarantine area.
File Integrity Check
File integrity checking tools let you know if a file has changed since its hash value was calculated. You may receive output from file integrity checks such as “hash mismatch” or “signature mismatch,” both of which mean the file has been altered. Output such as “hash match,” “hash valid,” or “signature verified” lets you know that the file has not changed.
Host-based Firewall
Host-based firewalls typically write to logs or display alerts if they drop traffic due to rules configured on the system. Look for output containing information such as “dropped packet src=24.35.45.3:63378 TCP dst=32.46.58.62:80 TCP.” Within this information, you should see the source and destination IP addresses (24.35.45.3 and 32.46.58.62), the port numbers used by the source and destination systems (:63378 and :80), and the protocol (TCP).
Application Whitelisting
Application whitelisting is configuring a system with a list of approved software that is allowed to run on the system. If someone tries to install or run an application not on the list, they will receive an error message stating that the application is not authorized. You can use AppLocker in Windows to create a list of applications that are authorized to run on the system.
Removable Media Control
Removable media control is controlling what media can be accessed on a system, such as DVD drives or removable media such as external USB drives. When users try to connect or access a drive that they are not allowed to use, they typically see a notification appear on the screen that states they are not authorized to access the drive. You can configure removable media control via Group Policies in Windows.
Advanced Malware Tools
Advanced malware tools notify you of malware that was detected and provide detailed information about the malware. They also report whether the malware was successfully removed or moved to a quarantine area.
Patch Management Tools
Patch management tools are designed to aid in the deployment of patches to systems on the network. With patch management tools, you should see output such as which patches are required by a system and status updates when you deploy a patch to a system. If for some reason a patch was not applied to one or more systems, you will be notified of that as well.
UTM
A unified threat management system is a device that combines a number of security functions such as a firewall, IDS/IPS, gateway antivirus and gateway anti-spam, content filtering, and data loss prevention, to name a few security technologies built in. UTM systems output an array of information, such as alerts to suspicious traffic, reports on the number of viruses and spam messages blocked, and summaries of the number of content filter violations.
DLP
Data loss prevention solutions prevent users from being able to send sensitive information outside the company. When a user tries to copy data to a USB drive, they may receive an error message from the DLP solution stating they do not have permissions, or if a user attempts to send an e-mail that contains sensitive information blocked by DLP, the user will typically receive an e-mail stating that the content was not sent due to a DLP violation.
Data Execution Prevention
Data execution prevention (DEP) is a feature that can be enabled that prevents application code from executing in areas of memory used to store data (known as data pages). With DEP, blocks of memory not used for executing a program are flagged as nonexecutable pages by the system so that malicious software does not run in that block of memory. You can verify that DEP is enabled on your system by going to a command prompt and typing
wmic OS Get DataExecutionPrevention_SupportPolicy
You will receive output of 0 (always off), 1 (always on), 2 (on for Windows binary files), or 3 (on for all programs and services).
Web Application Firewall
A web application firewall is designed to protect web servers from malicious traffic and only allow traffic to the web application to pass through the firewall. Traffic blocked by the firewall is written to a log file so that the systems administrator can review blocked traffic.