CH04 Security Applications and Devices Flashcards
What is IDS ?
IDS = Intrusion Detection System.
A device or software application that monitors a system or network and analyzes the data passing through it in order to identify an incident or attack.
An IDS can only alert on and log suspicious activity; it cannot stop it.
What are the 2 varieties of IDS ?
IDS = Intrusion Detection System.
It has two varieties:
HIDS - Host-based IDS
NIDS - Network-based IDS
What is HIDS ?
HIDS = Host-based IDS
It is software installed on a computer or server to protect it. It logs everything that seems suspicious.
HIDS logs are used to recreate the events after an attack has occurred.
What is NIDS ?
NIDS = Network-based IDS
Hardware installed on your network; all the traffic goes through the switch, which sends a copy of it to the Network Intrusion Detection System. If suspicious activity is found, it logs it and alerts on it.
What is Signature-based detection method?
The system looks for a specific string of bytes that triggers the alert.
What is Policy-based detection method?
Relies on a specific declaration of the security policy. For example, if a company has a policy that no one is allowed to use Telnet, any time the system sees somebody trying to connect on port 23 (the Telnet port), it flags it, logs it, and alerts on it.
What is Anomaly-based detection method ?
Analyzes current traffic patterns against an established baseline; any time it sees something outside the statistical norm, it triggers an alert.
What are:
True positive alert
False positive alert
True negative alert
False negative alert
▪ True positive - Malicious activity is identified as an attack
▪ False positive - Legitimate activity is identified as an attack
▪ True negative - Legitimate activity is identified as legitimate traffic
▪ False negative - Malicious activity is identified as legitimate traffic
What is IPS ?
IPS = Intrusion Prevention System
An IPS can stop malicious activity from being executed.
What is DLP ?
DLP = Data Loss Prevention
Monitors the data of a system to detect attempts to steal it.
What is Endpoint DLP system ?
DLP = Data Loss Prevention
Software-based client that monitors the data in use on a computer and can stop a file transfer or alert an admin of the occurrence
What is Network DLP System ?
DLP = Data Loss Prevention
Software or hardware-based solution that is installed on the perimeter of the network to detect data in transit
What is Storage DLP System ?
DLP = Data Loss Prevention
Software installed on servers in the datacenter to inspect the data at rest
What is Cloud DLP System ?
DLP = Data Loss Prevention
Cloud software as a service that protects data being stored in cloud services
What is BIOS ?
BIOS = Basic Input Output System
Firmware that provides the computer instructions for how to accept input and send output
What is UEFI ?
UEFI = Unified Extensible Firmware Interface
A more modern and robust version of BIOS.
What are the ways that we can secure BIOS ?
BIOS = Basic Input Output System
- Flash the BIOS – ensures that it has the most up-to-date software on that chip.
- Use a BIOS password – prevents anyone from logging into the BIOS and changing the boot order or other settings without this administrative password.
- Configure the BIOS boot order – only enable booting from the internal hard disk and then from the network card. This protects you from somebody inserting a bootable OS distribution on a CD and taking control of your computer.
- Disable external ports and devices that you do not use.
- Enable the secure boot option – when secure boot is enabled, your computer goes through additional checks as it boots up. When the BIOS is loaded, it loads the public key from the Trusted Platform Module (TPM) chip that is sitting inside your processor. It uses this key to verify the code of the operating system being loaded, ensuring that it has been digitally signed by the manufacturer and has not been modified since. This gives you a trusted boot device and a protected boot process, making your system much more secure.
What is NAS?
NAS = Network Attached Storage
▪ Storage devices that connect directly to your organization’s network
▪ NAS systems often implement RAID arrays to ensure high availability
How do you secure SAN ?
SAN = Storage Area Network
- Use Data encryption
- Use proper authentication
- Log NAS (Network Attached Storage) access
What is SAN?
SAN = Storage Area Network
Network designed specifically to perform block storage functions that may consist of NAS (Network Attached Storage) devices connected together
What is SED ?
SED = Self-Encrypting Drive
Storage device that performs whole disk encryption by using embedded hardware
What is the most commonly used encryption software?
FileVault (Mac)
BitLocker (Windows)
What is TPM ?
TPM = Trusted Platform Module
Chip residing on the motherboard that contains an encryption key
What is Advanced Encryption Standard ?
Symmetric key encryption that supports 128-bit and 256-bit keys
What is HSM ?
HSM = Hardware Security Module
A physical device that acts as a secure cryptoprocessor during the encryption process.
What is HIDS / HIPS ?
HIDS = Host Intrusion Detection Systems
HIPS = Host Intrusion Prevention Systems
A type of IDS (Intrusion Detection Systems) or IPS (Intrusion Prevention Systems) that monitors a computer system for unexpected behavior or drastic changes to the system’s state on an endpoint
What is EPP ?
EPP = Endpoint Protection Platform
A software agent and monitoring system that performs multiple security tasks such as anti-virus, HIDS/HIPS (Host Intrusion Detection Systems / Host Intrusion Prevention Systems), firewall, DLP (Data Loss Prevention), and file encryption
What is EDR ?
EDR = Endpoint Detection and Response
A software agent that collects system data and logs for analysis by a monitoring system to provide early detection of threats
EDR focuses more on behavioral and anomaly analysis. It logs the endpoint’s observables and indicators, combines them with analysis, and tries to figure out what is wrong.
EDR does not prevent initial execution; instead, it provides runtime and historical visibility into a compromise. Once a compromise has been detected, it can start responding to it, and it helps you as an incident responder to gather more information and facilitate remediation so the system can be returned to its original state.
What is UEBA ?
UEBA = User and Entity Behavior Analytics
A system that can provide automated identification of suspicious activity by user accounts and computer hosts
It is heavily dependent on advanced computing techniques like artificial intelligence (AI) and machine learning