7 - 1: Host Security Flashcards
Security baselines
Limit administrative access
GPO
Group Policy Object
Patch Management
Policy to ensure patches are applied in a timely manner, which is critical for security issues. Also analyze the outcomes of patching
System Hardening
Remove unnecessary software and OS components, lock down the host firewall, disable default credentials, verify system configuration settings
Viruses
Spread because of human activity
Worms
Spread by themselves
Trojan horses
Act as wanted/expected software while carrying malware
Spyware
Gathers information and user activity
Antivirus mechanisms
Signature detection and behavior/heuristic
Signature detection
Watches for known patterns of activity. Requires updating signature files.
Behavior/Heuristic detection
Models normal behavior, then alerts when behavior deviates from that model
EDR
Endpoint Detection and Response, goes deeper than regular antivirus software, real-time protection using endpoint agents and automated responses
Sandboxing
Isolates malicious content when it runs, sending it off for monitoring
Spam filtering
Blocks unwanted mail
Malware logging
Keep a centralized reporting location to review security incidents
Application control
Restricts the software that runs on endpoints, typically reported to SIEMs
Whitelisting
For tightly controlled environments; a list of the only software that may be used
Blacklisting
For looser environments; a list of prohibited applications
Host Software Baselining
A standard list of software expected on endpoints; deviations from it are reported to identify unwanted software
Firewalls
Restrict traffic and only allow devices that meet security policy to proceed
Default Deny Rule
Firewalls, by default, block any network connection not explicitly allowed
Firewall Types
Network firewalls and host firewalls. Network access requires BOTH to be configured
Network firewalls
Hardware devices that regulate connections between two networks
Host firewalls
Software components of an operating system that limit connections to a server
Next Generation Firewalls
Designed to use behavioral information to make decisions about network traffic in real time
Intrusion Detection Systems
Monitor for suspicious activity and alert sysadmins
Intrusion Prevention Systems
Intervene to block suspicious activity once it’s detected
File Integrity Monitoring
Watch for unexpected file changes and report on them using cryptographic hashing
FIM tuning
Some file changes are expected, so it’s important to tune detection capabilities so as not to over- or under-alert
Data loss prevention
Technology that searches systems and monitors networks for unsecured sensitive information, and provides the ability to block, remove, or encrypt it
DLP types
Host-based and network-based
Host-based
Detects sensitive information stored on endpoints
Network-based
Scans and monitors network transmissions for sensitive information
Pattern matching
A detection method analyzing patterns to indicate what data is being moved. Can also be based on a repository of key terms
Watermarking
Uses electronic tags to mark sensitive information
Linux command to apply database updates
yum