4.5 Given a scenario, modify enterprise capabilities to enhance security Flashcards
1
Q
Ports and Protocols - CRITICAL
A
-
Port Classifications (managed by IANA):
- Well-Known Ports (0-1023): Common protocols (e.g., HTTP).
- Registered Ports (1024-49151): Vendor-specific.
- Dynamic/Private Ports (49152-65535): Temporary outbound connections.
- Port 21: FTP (File Transfer Protocol) - TCP
- Port 22: SSH, SCP, SFTP - TCP
- Port 23: Telnet - TCP
- Port 25: SMTP - TCP
- Port 53: DNS - TCP/UDP
- Port 69: TFTP (Trivial File Transfer Protocol) - lightweight file transfer, used for sending config files or network booting of an operating system - UDP
- Port 80: HTTP - TCP
- Port 88: Kerberos - network authentication protocol - UDP
- Port 110: POP3 - TCP
- Port 119: NNTP (Network News Transfer Protocol) - accessing newsgroups - TCP
- Port 135: RPC (Remote Procedure Call) - communication between different system processes - TCP/UDP
- Ports 137-139: NetBIOS - used in Windows to share files, printers and names - TCP/UDP
- Port 143: IMAP - TCP
- Port 161: SNMP (Simple Network Management Protocol) - manages network devices - UDP
- Port 162: SNMP Trap - UDP
- Port 389: LDAP (Lightweight Directory Access Protocol) - directory services - TCP
- Port 443: HTTPS - TCP
- Port 445: SMB (Server Message Block) - file and printer sharing - TCP
- Ports 465, 587: SMTPS (SMTP Secure; see SMTP) - TCP
- Port 514: Syslog - sending log messages - UDP
- Port 636: LDAPS (LDAP Secure) - TCP
- Port 993: IMAPS (IMAP over SSL/TLS) - TCP
- Port 995: POP3S (POP3 over SSL/TLS) - TCP
- Port 1433: Microsoft SQL - TCP
- Ports 1645, 1646: RADIUS (Remote Authentication Dial-In User Service) - remote authentication, authorization and accounting - TCP
- Ports 1812, 1813: RADIUS (for UDP) - UDP
- Port 3389: RDP (Remote Desktop Protocol) - TCP
- Port 6514: Syslog TLS - TCP
2
Q
Network Access Control (NAC)
A
-
NAC: Ensures only secure devices access the network, scanning for threats before granting access. Inspects clients for health, such as having up-to-date antivirus software
- Applies to both internal and remote devices (e.g., VPN connections)
- Implemented as hardware or software
-
NAC Agent Types:
- Persistent Agent: Installed on corporate-owned devices
- Dissolvable
- Agentless
-
802.1X Standard:
- Port-based access control; foundation for modern NAC
-
Rule-Based Access Control (NAC Enhancements):
- Time-Based
- Location-Based
- Role-Based: Adjust access based on device role (adaptive NAC)
- Logical Rules: Use conditions to define complex admission policies
3
Q
Web and DNS Filtering
A
-
Types of Web Filtering:
- Agent-Based: Installed on devices; enforces policies for remote workers
- Centralized Proxy
- URL Scanning: Blocks known malicious URLs
- Content Categorization: Allows or blocks sites by category (e.g., social media)
- Block Rules: Custom rules to prevent access to risky websites
- Reputation-Based Filtering: Uses reputation scores to block sites hosting malware or phishing
- DNS Filtering: Prevents access by blocking domain name resolution to IP addresses
4
Q
Email Security
A
-
Key Email Security Techniques:
-
SPF (Sender Policy Framework):
- Verifies sender’s IP matches authorized IPs in DNS records
-
DKIM (DomainKeys Identified Mail):
- Adds digital signatures to verify email source and integrity
-
DMARC (Domain-based Message Authentication, Reporting, and Conformance):
- Sets policies for failed DKIM/SPF checks
- Works with DKIM, SPF, or both
-
Examples:
- Policy set to “p=none”: Monitors email but takes no action
- Policy set to “p=quarantine”: Suspicious emails go to the spam folder
- Policy set to “p=reject”: Blocks emails that fail authentication
-
Email Gateway:
- Email Gateway Configuration: on-premises, cloud, hybrid
-
Spam Filtering: Detects unwanted emails and moves them to the spam folder
- Techniques:
- Content analysis and Bayesian filtering
- DNS-based sinkhole lists and email filtering rules
5
Q
Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR)
A
-
How EDR Works:
- Data Collection: Gathers data from processes, registry changes, memory, and network traffic
- Data Consolidation: Sends data to a central security system
- Threat Detection: Uses signature-based and behavioral detection
- Alerts and Response: Creates alerts and initiates remediation actions
- Investigation Tools: Provides detailed timelines and forensic insights
- Remediation: Removes malware and restores systems to normal
-
Extended Detection and Response (XDR):
- Security strategy!
- Integrates across email, endpoints, cloud, servers, and networks
- Provides multi-layer threat detection for quicker response
-
File Integrity Monitoring (FIM) (part of both EDR and XDR):
- Compares files with a known baseline to detect unauthorized changes
-
EDR vs. XDR, IDS, and IPS:
- EDR: Focuses on endpoint monitoring
- XDR: Expands beyond endpoints to include networks, cloud, and email, providing a unified security platform
- IDS (Intrusion Detection System): Monitors network traffic but takes no action
- IPS (Intrusion Prevention System): Detects and blocks malicious traffic in real time
-
Key Differences:
- EDR: Endpoint-focused with detection and response tools
- XDR: Comprehensive solution for multi-layer threat correlation
- IDS/IPS: Focuses mainly on network traffic
6
Q
User Behavior Analytics (UBA)
A
-
UBA: Uses big data and machine learning to analyze user behavior for security threats
- Identifies patterns and anomalies in user activity to detect potential risks
-
UEBA: Extends UBA to monitor entities (e.g., routers, servers, endpoints) along with user accounts
- Detects anomalies across both users and systems
-
Key Aspects:
- Behavior Baselines: UBA establishes normal behavior baselines to identify deviations
- Machine Learning: Detects unusual behavior that may indicate a threat
- Data Sources: Processes data from network traffic, devices, and logs
- Alerts: Generates alerts for anomalies for investigation by security teams
-
Benefits of UBA/UEBA:
- Early Threat Detection
- Insider Threat Detection
- Improved Incident Response