2.5 Segmentation and Access Control

Question 1

Segmenting the network

Answer 1

Physical, logical, or virtual segmentation
– Devices, VLANs, virtual networks
* Performance
– High-bandwidth applications
* Security
– Users should not talk directly to database servers
– The only applications in the core are SQL and SSH
* Compliance
– Mandated segmentation (PCI compliance)
– Makes change control much easier

Question 2

Access control lists (ACLs)

Answer 2

Allow or disallow traffic
– Groupings of categories
– Source IP, Destination IP, port number, time of day,
application, etc.
* Restrict access to network devices
– Limit by IP address or other identifier
– Prevent regular user / non-admin access
* Be careful when configuring these
– You can accidentally lock yourself out

Question 3

Access control lists

Answer 3

List the permissions
– Bob can read files
– Fred can access the network
– James can access network 192.168.1.0/24 using tcp
ports 80, 443, and 8088
* Many operating systems use ACLs to provide access to files
– A trustee and the access rights allowed
– Application allow list / deny list

Question 4

Examples of allow and deny lists

Answer 4

Decisions are made in the operating system
– Often built-in to the operating system management
* Application hash
– Only allows applications with this unique identifier
* Certificate
– Allow digitally signed apps from certain publishers
* Path
– Only run applications in these folders
* Network zone
– The apps can only run from this network zone

Question 5

Mitigation Techniques
Patching

Answer 5

Incredibly important
– System stability, security fixes
* Monthly updates
– Incremental (and important)
* Third-party updates
– Application developers, device drivers
* Auto-update
– Not always the best option
* Emergency out-of-band updates
– Zero-day and important security discoveries

Question 6

Encryption

Answer 6

Prevent access to application data files
– File system encryption
* Full disk encryption (FDE)
– Encrypt everything on the drive
– BitLocker, FileVault, etc.
* File level encryption
– Windows EFS
* Application data encryption
– Managed by the app
– Stored data is protected

Question 7

Monitoring

Answer 7

Aggregate information from devices
– Built-in sensors, separate devices
– Integrated into servers, switches, routers, firewalls, etc.
* Sensors
– Intrusion prevention systems, firewall logs,
authentication logs, web server access logs, database
transaction logs, email logs
* Collectors
– Proprietary consoles (IPS, firewall),
– SIEM consoles, syslog servers
– Many SIEMs include a correlation engine to compare
diverse sensor data

Question 8

Least privilege

Answer 8

Rights and permissions should be set to the bare
minimum
– You only get exactly what’s needed to complete
your objective
* All user accounts must be limited
– Applications should run with minimal privileges
* Don’t allow users to run with administrative privileges
– Limits the scope of malicious behavior

Question 9

Configuration enforcement

Answer 9

Perform a posture assessment
– Each time a device connects
* Extensive check
– OS patch version
– EDR (Endpoint Detection and Response) version
– Status of firewall and EDR
– Certificate status
* Systems out of compliance are quarantined
– Private VLAN with limited access
– Recheck after making corrections

Question 10

Decommissioning

Answer 10

Should be a formal policy
– Don’t throw your data into the trash
– Someone will find this later
* Mostly associated with storage devices
– Hard drive
– SSD
– USB drives
* Many options for physical devices
– Recycle the device for use in another system
– Destroy the device

Question 11

Hardening Techniques
System hardening

Answer 11

Many and varied
– Windows, Linux, iOS, Android, et al.
* Updates
– Operating system updates/service packs, security
patches
* User accounts
– Minimum password lengths and complexity
– Account limitations
* Network access and security
– Limit network access
* Monitor and secure
– Anti-virus, anti-malware

Question 12

Encryption

Answer 12

Prevent access to application data files
– File system encryption
– Windows Encrypting File System (EFS)
* Full disk encryption (FDE)
– Encrypt everything on the drive
– Windows BitLocker, Apple FileVault, etc.
* Encrypt all network communication
– Virtual Private Networking (VPN)
– Application encryption

Question 13

The endpoint

Answer 13

The user’s access - Applications and data
* Stop the attackers - Inbound attacks, outbound attacks
* Many different platforms - Mobile, desktop
* Protection is multi-faceted - Defense in depth

Question 14

Endpoint detection and response (EDR)

Answer 14

A different method of threat protection
– Scale to meet the increasing number of threats
* Detect a threat
– Signatures aren’t the only detection tool
– Behavioral analysis, machine learning,
process monitoring
– Lightweight agent on the endpoint
* Investigate the threat - Root cause analysis
* Respond to the threat
– Isolate the system, quarantine the threat,
rollback to a previous config
– API driven, no user or technician
intervention required

Question 15

Host-based firewall

Answer 15

Software-based firewall
– Personal firewall, runs on every endpoint
* Allow or disallow incoming or outgoing
application traffic
– Control by application process
– View all data
* Identify and block unknown processes
– Stop malware before it can start
* Manage centrally

Question 16

Finding intrusions

Answer 16

Host-based Intrusion
– Prevention System (HIPS) Recognize and block known
attacks
– Secure OS and application configs, validate incoming
service requests
– Often built into endpoint protection software
* HIPS identification
– Signatures, heuristics, behavioral
– Buffer overflows, registry updates, writing files to the
Windows folder
– Access to non-encrypted data

Question 17

Open ports and services

Answer 17

Every open port is a possible entry point
– Close everything except required ports
* Control access with a firewall
– NGFW would be ideal
* Unused or unknown services
– Installed with the OS or from other applications
* Applications with broad port ranges
– Open port 0 through 65,535
* Use Nmap or similar port scanner to verify
– Ongoing monitoring is important

Question 18

Default password changes

Answer 18

Every network device has a management interface
– Critical systems, other devices
* Many applications also have management or
maintenance interfaces
– These can contain sensitive data
* Change default settings
– Passwords
* Add additional security
– Require additional logon
– Add 3rd-party authentication

Question 19

Removal of unnecessary software

Answer 19

All software contains bugs
– Some of those bugs are security vulnerabilities
* Every application seems to have a completely different
patching process
– Can be challenging to manage ongoing updates
* Remove all unused software
– Reduce your risk
– An easy fix