2.5 Segmentation and Access Control Flashcards

1
Q

Segmenting the network

A

Physical, logical, or virtual segmentation
– Devices, VLANs, virtual networks
* Performance
– High-bandwidth applications
* Security
– Users should not talk directly to database servers
– The only applications in the core are SQL and SSH
* Compliance
– Mandated segmentation (PCI compliance)
– Makes change control much easier

2
Q

Access control lists (ACLs)

A

Allow or disallow traffic
– Groupings of categories
– Source IP, destination IP, port number, time of day, application, etc.
* Restrict access to network devices
– Limit by IP address or other identifier
– Prevent regular user / non-admin access
* Be careful when configuring these
– You can accidentally lock yourself out

3
Q

Access control lists

A

List the permissions
– Bob can read files
– Fred can access the network
– James can access network 192.168.1.0/24 using TCP ports 80, 443, and 8088
* Many operating systems use ACLs to provide access to files
– A trustee and the access rights allowed
– Application allow list / deny list

4
Q

Examples of allow and deny lists

A

Decisions are made in the operating system
– Often built into the operating system's management tools
* Application hash
– Only allows applications with this unique identifier
* Certificate
– Allow digitally signed apps from certain publishers
* Path
– Only run applications in these folders
* Network zone
– The apps can only run from this network zone

5
Q

Mitigation Techniques
Patching

A

Incredibly important
– System stability, security fixes
* Monthly updates
– Incremental (and important)
* Third-party updates
– Application developers, device drivers
* Auto-update
– Not always the best option
* Emergency out-of-band updates
– Zero-day and important security discoveries

6
Q

Encryption

A

Prevent access to application data files
– File system encryption
* Full disk encryption (FDE)
– Encrypt everything on the drive
– BitLocker, FileVault, etc.
* File level encryption
– Windows EFS
* Application data encryption
– Managed by the app
– Stored data is protected

7
Q

Monitoring

A

Aggregate information from devices
– Built-in sensors, separate devices
– Integrated into servers, switches, routers, firewalls, etc.
* Sensors
– Intrusion prevention systems, firewall logs, authentication logs, web server access logs, database transaction logs, email logs
* Collectors
– Proprietary consoles (IPS, firewall)
– SIEM consoles, syslog servers
– Many SIEMs include a correlation engine to compare diverse sensor data

8
Q

Least privilege

A

Rights and permissions should be set to the bare minimum
– You only get exactly what’s needed to complete your objective
* All user accounts must be limited
– Applications should run with minimal privileges
* Don’t allow users to run with administrative privileges
– Limits the scope of malicious behavior

9
Q

Configuration enforcement

A

Perform a posture assessment
– Each time a device connects
* Extensive check
– OS patch version
– EDR (Endpoint Detection and Response) version
– Status of firewall and EDR
– Certificate status
* Systems out of compliance are quarantined
– Private VLAN with limited access
– Recheck after making corrections

10
Q

Decommissioning

A

Should be a formal policy
– Don’t throw your data into the trash
– Someone will find this later
* Mostly associated with storage devices
– Hard drive
– SSD
– USB drives
* Many options for physical devices
– Recycle the device for use in another system
– Destroy the device

11
Q

Hardening Techniques
System hardening

A

Many and varied
– Windows, Linux, iOS, Android, et al.
* Updates
– Operating system updates/service packs, security patches
* User accounts
– Minimum password lengths and complexity
– Account limitations
* Network access and security
– Limit network access
* Monitor and secure
– Anti-virus, anti-malware

12
Q

Encryption

A

Prevent access to application data files
– File system encryption
– Windows Encrypting File System (EFS)
* Full disk encryption (FDE)
– Encrypt everything on the drive
– Windows BitLocker, Apple FileVault, etc.
* Encrypt all network communication
– Virtual Private Networking (VPN)
– Application encryption

13
Q

The endpoint

A

The user’s access - Applications and data
* Stop the attackers - Inbound attacks, outbound attacks
* Many different platforms - Mobile, desktop
* Protection is multi-faceted - Defense in depth

14
Q

Endpoint detection and response (EDR)

A

A different method of threat protection
– Scale to meet the increasing number of threats
* Detect a threat
– Signatures aren’t the only detection tool
– Behavioral analysis, machine learning, process monitoring
– Lightweight agent on the endpoint
* Investigate the threat - Root cause analysis
* Respond to the threat
– Isolate the system, quarantine the threat, roll back to a previous config
– API driven, no user or technician intervention required

15
Q

Host-based firewall

A

Software-based firewall
– Personal firewall, runs on every endpoint
* Allow or disallow incoming or outgoing application traffic
– Control by application process
– View all data
* Identify and block unknown processes
– Stop malware before it can start
* Manage centrally

16
Q

Finding intrusions

A

Host-based Intrusion Prevention System (HIPS)
– Recognize and block known attacks
– Secure OS and application configs, validate incoming service requests
– Often built into endpoint protection software
* HIPS identification
– Signatures, heuristics, behavioral
– Buffer overflows, registry updates, writing files to the Windows folder
– Access to non-encrypted data

17
Q

Open ports and services

A

Every open port is a possible entry point
– Close everything except required ports
* Control access with a firewall
– NGFW would be ideal
* Unused or unknown services
– Installed with the OS or from other applications
* Applications with broad port ranges
– Open port 0 through 65,535
* Use Nmap or similar port scanner to verify
– Ongoing monitoring is important

18
Q

Default password changes

A

Every network device has a management interface
– Critical systems, other devices
* Many applications also have management or maintenance interfaces
– These can contain sensitive data
* Change default settings
– Passwords
* Add additional security
– Require additional logon
– Add 3rd-party authentication

19
Q

Removal of unnecessary software

A

All software contains bugs
– Some of those bugs are security vulnerabilities
* Every application seems to have a completely different patching process
– Can be challenging to manage ongoing updates
* Remove all unused software
– Reduce your risk
– An easy fix