4.4 Flashcards
Reconfigure endpoint security solutions
Endpoint security solutions are controls that can mitigate risk at the endpoint. Endpoint solutions must recognize the threat and then trigger a specific action to mitigate the risk. Antivirus/antimalware solutions are the typical endpoint protection most users think of, as are elements such as firewalls and intrusion protection elements.
Application Approved List
The application approved list consists of a list of allowed applications. If an application is not on the allowed list, it is blocked. Both whitelisting and blacklisting have advantages and disadvantages. Using an application approved list is easier to employ from the aspect of identifying the applications that are allowed to run, and hash values can be used to ensure the executables are not corrupted.
Application Blocklist/Deny List
The process of detailing that an application or data is explicitly not allowed on the network or host. It can include software, executables, disallowed Web sites, and even specific types of data. Traditionally called blacklisting.
Quarantine
Quarantine network: An isolated network in which non-secure hosts that do not meet network standards are placed until they meet security standards and can be connected to the normal network.
Configuration Changes
Protecting a system from configuration changes is essential to keep the system in the specific configuration that the implementation intended. Alterations to configurations can add functionality, remove functionality, or even completely change system functionality by altering elements of a program to include outside code. Protecting a system from unauthorized configuration changes is important for security.
Firewall Rules
The set of firewall rules, also called the firewall ruleset, is a mirror of the policy constraints at a particular point in the network. Thus, the ruleset will vary from firewall to firewall, as it is the operational implementation of the desired traffic constraints at each point. Firewall rules state whether the firewall should allow particular traffic to pass through or block it.
MDM
MDM began as a marketing term for a collective set of commonly employed protection elements associated with mobile devices. When viewed as a comprehensive set of security options for mobile devices, every corporation should have and enforce an MDM policy. The policy should require the following:
- Device locking with a strong password
- Encryption of data on the device
- Device locking automatically after a certain period of inactivity
- The capability to remotely lock the device if it is lost or stolen
- The capability to wipe the device automatically after a certain number of failed login attempts
- The capability to remotely wipe the device if it is lost or stolen
DLP
Data loss prevention (DLP) refers to technology employed to detect and prevent transfers of data across an enterprise. Employed at key locations, DLP technology can scan packets for specific data patterns. This technology can be tuned to detect account numbers, secrets, specific markers, or files. When specific data elements are detected, the system can block the transfer. The primary challenge in employing DLP technologies is the placement of the sensors.
Content filter/URL Filter
Content filters/URL filters are used to limit the types of Web content that users can access. A common use is to block sites that are not work related, and to limit items such as Google searches and other methods of accessing content determined to be inappropriate. Like all other policy enforcement devices, content filters rely on a set of rules, and rule maintenance is an issue. One of the most common issues with content filters is blocking that is too broad.
Update or revoke Certificates
Errors in certificate management can cause certificates to be rejected. Failure to maintain valid certificates is another cause of failures. Many of these failures can go unnoticed, as was demonstrated in automated COVID-19 counts in the state of California. A certificate error with one of the state's laboratory vendors caused a significant undercounting of results, and the cause was an expired certificate.
Certificates remain valid for a specific duration of time. When a certificate is about to expire, it should be renewed if needed. However, sometimes certificates are revoked because the owner is no longer trusted, the encryption keys have been compromised, or there are changes or other errors with the certificate.
Isolation
Isolation is the use of networking protocols and the resulting connectivity to limit access to different parts of a network. This limit can be partial or it can be complete, as offered by an air gap, and this method of separation is used to enforce different trust boundaries. More details about the role of networks are presented in the section "Segmentation," which follows shortly.
Isolation can also be employed as part of an incident response strategy, where affected systems are isolated from the rest of the network. This is done to limit the risk caused by systems that are no longer functioning in a desired manner. In the case of a ransomware infection, this is a key mitigation element if it can be employed early in the incident.
Containment
Containment is the act of performing specific actions that limit the damage potential of an incident, keeping the damage limited, and preventing further damage. Containment can be done using a variety of mechanisms, including network segmentation, quarantining of unauthorized elements, or changing of system configurations.
Segmentation
Segmenting a network is useful for containment and also acts as a natural mitigation of damage from malware spreading into more important networks, such as a SCADA network.
Segmentation, as it applies to networking security, is a broad term. VLANs, firewalls, and even storage segmentation and containerization can be used for segmentation purposes.
SOAR
SOAR software integrates data from multiple sources (network appliances, intrusion detection systems, firewalls, and other security devices) into manageable solutions for security operations center personnel, turning both raw and processed data into actionable steps based on approved procedures.
SOAR systems are extremely valuable when it comes to incident mitigation of severe threats because they can automate data gathering and initiate threat response.
SOAR Runbooks
A runbook consists of a series of action-based conditional steps to perform specific actions associated with security automation. These actions might involve data harvesting and enrichment, threat containment, alerts and notifications, and other automatable elements of a security operations process. The primary purpose of a runbook is to accelerate the incident response process by automating a series of approved steps and processes. Runbooks typically are focused on the systems and services and how they are actively managed.