4.4 Flashcards
What is an endpoint?
The end user's device (desktop, laptop, phone) or any other host that runs applications on the network
What is an application approved list? What is an application deny list?
Application approved list (allow list)
- Nothing runs unless it has been explicitly approved (default deny)
Application deny list (block list)
- Anything on the bad list is blocked; everything else is allowed to run (default allow)
Give some examples of approved-list rules
Only allow applications that match a specific identifier:
- Certificate (the executable is signed by a trusted publisher)
- Path (the executable lives in an approved directory that normal users cannot write to)
- Network zone (the application may only run from an approved network)
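Worked example, added here and not part of the flashcards: a PowerShell function that evaluates one executable against an allow list built from the identifiers above (hash, certificate and path; the network-zone rule is not modelled), beside a deny-list check for contrast. The policy values, the function names and the placeholder hashes are constructed assumptions, not a real product's policy format.

```powershell
# Example added for this card (not from the flashcards). Policy values are
# constructed placeholders; replace them with your own.

$AllowPolicy = @{
    # SHA-256 hashes of individually approved binaries (placeholder value)
    Hashes  = @('0000000000000000000000000000000000000000000000000000000000000000')
    # Certificate rule: subject of a trusted code-signing certificate
    Signers = @('CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US')
    # Path rule: only directories that standard users cannot write to
    Paths   = @('C:\Windows\System32\*', 'C:\Program Files\*')
}

$DenyPolicy = @{
    # SHA-256 hashes of known-bad binaries (placeholder value)
    Hashes = @('1111111111111111111111111111111111111111111111111111111111111111')
}

function Test-AllowListed {
    param(
        [Parameter(Mandatory)][string]$Path,
        [hashtable]$Policy = $AllowPolicy
    )
    # Resolve-Path throws on a missing file, so an unreadable target fails closed.
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $hash = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash

    # 1. Hash rule: identifies the exact binary. Strongest match, but every
    #    patch of the application needs a new hash entry.
    if ($Policy.Hashes -contains $hash) {
        return [pscustomobject]@{ Path = $full; Decision = 'Allow'; Rule = 'Hash' }
    }

    # 2. Certificate rule: the signature must be Valid (chain intact, file not
    #    modified). A merely present or self-signed signature does not count.
    $sig = Get-AuthenticodeSignature -LiteralPath $full
    if ($sig.Status -eq 'Valid' -and $Policy.Signers -contains $sig.SignerCertificate.Subject) {
        return [pscustomobject]@{ Path = $full; Decision = 'Allow'; Rule = 'Certificate' }
    }

    # 3. Path rule: weakest identifier. Anyone who can write into an approved
    #    directory inherits the approval, so pair path rules with directory ACLs.
    foreach ($pattern in $Policy.Paths) {
        if ($full -like $pattern) {
            return [pscustomobject]@{ Path = $full; Decision = 'Allow'; Rule = 'Path' }
        }
    }

    # Allow-list semantics: no matching rule means the program is blocked.
    return [pscustomobject]@{ Path = $full; Decision = 'Deny'; Rule = 'Default' }
}

function Test-DenyListed {
    param(
        [Parameter(Mandatory)][string]$Path,
        [hashtable]$Policy = $DenyPolicy
    )
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $hash = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
    if ($Policy.Hashes -contains $hash) {
        return [pscustomobject]@{ Path = $full; Decision = 'Deny'; Rule = 'Hash' }
    }
    # Deny-list semantics: anything not on the bad list runs, including malware
    # nobody has hashed yet.
    return [pscustomobject]@{ Path = $full; Decision = 'Allow'; Rule = 'Default' }
}

# Usage: a signed OS binary is allowed by the certificate (or path) rule.
Test-AllowListed -Path "$env:SystemRoot\System32\notepad.exe"
```

Point the two functions at an unsigned executable in a user-writable folder (a download, for instance) to see the difference the card describes: Test-AllowListed returns Deny/Default because no rule matches, while Test-DenyListed returns Allow/Default unless that file's hash has already been added to the bad list.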
What are some configuration changes you would want to keep track of?
- Firewall rules
- Mobile Device Management (MDM) settings
- Data Loss Prevention (DLP) policies
- Content filter / URL filter rules
- Updating or revoking certificates
Why would you want to isolate a compromised device?
Prevent the spread of malicious software
Prevent remote access or Command & Control
Does network isolation mean moving the device to a non-remediation VLAN?
No. It means moving the device to a remediation VLAN, where it can reach only the remediation services it needs and cannot communicate with any other device
Process isolation includes:
Limiting which applications can execute
Preventing malicious activity while still allowing device management (the remediation tools must still be able to reach the host)
Is application containment disabling admin shares, remote management, and local account access?
No.
It is running each application in its own sandbox
Limiting the application's interaction with the host operating system and with other applications
How would you contain the spread of a multi-device security event, for example ransomware?
Disable administrative shares, remote management and local account access, and change the local administrator password
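Worked example, added here and not part of the flashcards: a PowerShell function that applies the four containment actions on this card to a single Windows host. The function name, the list of accounts kept enabled and the returned report format are assumptions; the registry values and cmdlets are the standard Windows ones.

```powershell
#Requires -RunAsAdministrator
# Example added for this card (not from the flashcards). Run it from the
# console or through your EDR's script channel: it removes the very
# remote-management paths you would otherwise use to reach the host.

function Invoke-RansomwareContainment {
    param(
        # Local accounts that stay enabled so an on-site responder can still log in (assumption)
        [string[]]$KeepEnabled = @('Administrator')
    )
    $report = [ordered]@{}

    # 1. Administrative shares: remove C$, ADMIN$ and similar (IPC$ cannot be removed)
    #    and stop the Server service from recreating them on its next start.
    $removed = @()
    Get-SmbShare | Where-Object { $_.Special -and $_.Name -ne 'IPC$' } | ForEach-Object {
        Remove-SmbShare -Name $_.Name -Force
        $removed += $_.Name
    }
    $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $lanman -Name AutoShareServer -Value 0 -Type DWord
    Set-ItemProperty -Path $lanman -Name AutoShareWks    -Value 0 -Type DWord
    $report.AdminSharesRemoved = $removed

    # 2. Remote management: stop and disable WinRM (PowerShell remoting) and deny RDP.
    Stop-Service -Name WinRM -Force -ErrorAction SilentlyContinue
    Set-Service  -Name WinRM -StartupType Disabled
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name fDenyTSConnections -Value 1 -Type DWord
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
    $report.RemoteManagementDisabled = @('WinRM', 'RDP')

    # 3. Local account access: disable every enabled local account not on the keep list.
    $toDisable = Get-LocalUser | Where-Object { $_.Enabled -and $KeepEnabled -notcontains $_.Name }
    foreach ($user in $toDisable) { Disable-LocalUser -InputObject $user }
    $report.LocalAccountsDisabled = @($toDisable | ForEach-Object Name)

    # 4. Local administrator password: rotate to a random value. The built-in
    #    administrator is located by its well-known RID (500) in case it was renamed.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newPassword = [Convert]::ToBase64String($bytes)
    $admin | Set-LocalUser -Password (ConvertTo-SecureString $newPassword -AsPlainText -Force)
    $report.AdminAccount = $admin.Name
    $report.NewAdminPassword = $newPassword   # hand to the IR lead or a vault; never log it

    [pscustomobject]$report
}

# Usage (destructive; confirm the host is in scope first):
# Invoke-RansomwareContainment -KeepEnabled 'Administrator', 'irresponder'
```

Two caveats a responder should keep in mind. First, steps 2 and 3 cut off the management channels the process-isolation card says you still need, so plan how the host will be reached afterwards (console, out-of-band management, or the EDR agent itself) before running this. Second, this only contains the one host; pair it with the network isolation and segmentation described on the surrounding cards so the other hosts in the event cannot talk to each other either.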
True or False: segmentation is separating the network so you can prevent unauthorized lateral movement and limit the scope of a breach
True
What is SOAR?
Security Orchestration, Automation and Response
SOAR runbooks
A linear checklist of steps to perform
A step-by-step approach to automating one task
SOAR playbooks
Conditional steps to follow; a broader process whose next step depends on what the previous one found
Examples: investigate a data breach, recover from ransomware