Chapter 6 - Security App & Devices Flashcards

1
Q

What is IDS?

A

Intrusion Detection System is a device or a piece of software that’s installed on a system or a network, & it will analyze all of the data that passes through it.

2
Q

Intrusion Detection Systems come in two different varieties. What are they?

A
(1) HIDS (Host-based IDS)
(2) NIDS (Network-based IDS)

3
Q

What is HIDS & what does it do?

A

HIDS=

This usually takes the form of a piece of software that’s installed on your computer or on a server, & it will protect that host.

(The host-based Intrusion Detection System will sit there and log everything that it thinks is suspicious.)

4
Q

What is NIDS & what does it do?

A

NIDS=

This is a piece of hardware that’s installed on your network. All the traffic goes through a switch, & the switch sends a copy of that traffic down to the Network Intrusion Detection System. If the traffic is suspicious, the NIDS will log it & alert on it.

5
Q

How do we know what HIDS & NIDS will alert on?

A

They’re going to use detection methods. There are 3:

(1) Signature-based detection
(2) Policy-based detection
(3) Anomaly-based detection

6
Q

What does the Signature-based detection method do?

A

Signature-based detection is where the system is looking for a specific string of bytes that’ll trigger the alert. This works like any other signature-based product.

The system continually searches, over & over, for a known specific string, & any time it sees that combination of letters or bytes, it knows that it’s malicious. It’ll flag it & alert on it.

7
Q

What does the Policy-based detection method do?

A

This is going to rely on a specific declaration of the security policy. For example, if your company has a policy that no one is allowed to use Telnet, then any time this system sees somebody trying to connect on port 23, which is the port for Telnet, it’s going to flag it, log it, & alert on it.

8
Q

What does the Anomaly-based detection method do?

A

This is often referred to simply as anomaly-based detection or statistical-based detection. It analyzes all of the current traffic patterns against an established baseline, & any time it sees something that goes outside the statistical norm, it’s going to alert on it. So, if I’ve been watching your network for a while & I know what normal looks like, & everybody always works from nine in the morning until five in the afternoon, & now I start seeing somebody downloading large amounts of data around two o’clock in the morning, that’s outside our normal baseline & we would flag that and alert on it.

9
Q

What are the types of Alerts that HIDS & NIDS can give?

A

(1) True Positive= Malicious activity is identified as an attack (something bad happened & the system flagged it & alerted on it)
(2) False Positive= Legitimate activity is identified as an attack (the activity was normal, but the system thought it was malicious, so it flagged it & alerted on it)
(3) True Negative= Legitimate activity is identified as legitimate traffic (something good or normal happened & the system correctly didn’t flag it)
(4) False Negative= Malicious activity is identified as legitimate traffic (something bad happened but it was identified as legitimate activity; in other words, it wasn’t flagged and it wasn’t alerted on)

10
Q

What can & can’t an IDS do, & what can be done to improve that?

A

(1) An IDS can alert on malicious activity, but it won’t stop it.

* If you want it stopped, you need to invest in an IPS (Intrusion Prevention System).

11
Q

What is an IPS?

A

An IPS works very similarly to an IDS, except it has the ability to stop malicious activity from being executed.

12
Q

____ logs are used to recreate the events after an attack has occurred?

A

HIDS (host-based IDS)

13
Q

What are some Pop-up Blockers?

A
* Malicious attackers could purchase ads (pay per click) through various networks.
* Content Filters= blocking external files containing JavaScript, images, or web pages from loading in a browser.
* Ensure the browser & its extensions are updated regularly.

14
Q

What is DLP?

A

Data Loss Prevention (DLP) systems are either software or hardware solutions.

*In summary, these data loss prevention solutions are made to accurately stop data from leaving your network. They’re going to go through and look at data at rest, data in use, and data in transit, to ensure that it’s following the policies you’ve set up as a security administrator, so you can protect that asset of your company.

15
Q

What are the different DLPs?

A

(1) Endpoint DLP System= An endpoint system is usually a piece of software that’s installed on a workstation or a laptop, & it’s going to monitor the data that’s in use on that computer. If someone tries to do a file transfer, it’ll either stop that file transfer, or it’ll alert the admin of the occurrence, based on certain rules and policies. Very much like an IDS or an IPS would, but focused on data.
(2) Network DLP System= This is a software or hardware solution placed at the perimeter of your network. Its sole function in life is to check all of the data going into & out of your network, w/ a special focus on things going out of the network. It’s there to detect data in transit that shouldn’t be leaving the building.
(3) Storage DLP System= This is software that’s installed on a server in the data center & inspects the data while it’s at rest on the server. This is usually because they’ve encrypted it or watermarked it, & we want to make sure that nobody’s accessing the data at times that they shouldn’t be. For example, if someone starts downloading large amounts of data at two in the morning, that’s probably against your policy & the DLP could catch it.
(4) Cloud DLP System= These systems are usually offered as software-as-a-service, & it’s part of your cloud service and storage needs. They’re going to protect your data when it’s stored inside those cloud services. For example, my company uses Google Drive & we have data loss prevention as part of a cloud service, offered by Google.

16
Q

What is BIOS?

A

BIOS is a type of firmware, which is software on a chip.

BIOS stands for Basic Input Output System. It’s firmware that provides the computer’s instructions for how it’s going to accept input and send output.

So, anytime the motherboard is going to talk to a keyboard, a mouse, a network card, a hard drive, a video card, whatever it is, it has to have instructions on how to do that.

17
Q

What does BIOS do on your computer?

A

When your computer boots up, it loads the BIOS, & the BIOS tells it how it’s going to check the hard drive & figure out what the boot order is. Should it boot from the hard drive, the floppy disk, the CD, or the USB drive first? The BIOS controls that. Then, it’s going to load the machine. Once it does that, it loads the operating system, & then Windows is going to start taking over & handle a lot of the functions the BIOS was doing. The BIOS is very low level, so it only deals with very basic tasks. Once the operating system has loaded, it gives your computer a ton of additional capability.

18
Q

How do we secure BIOS?

A

(1) The first thing we want to do is what’s called flashing the BIOS. Flashing the BIOS is simply ensuring that it has the most up-to-date software on that chip. Because it’s firmware, you have to do a process called flashing the BIOS to upgrade the BIOS.
* This allows you to remove what’s currently on the chip & replace it with a newer, more updated version. Any time there’s a new update to the BIOS, the manufacturer releases it on their website. Generally, they’ll give you a process where you install it to a thumb drive, boot from that thumb drive, & then run a program to flash the BIOS.
(2) The next thing we want to do to help secure the BIOS is ensure that you’ve set a BIOS password.
* This’ll prevent anyone from being able to log into the BIOS & change the boot order or other settings w/o having this administrative password.
(3) Next, you want to configure your BIOS’s boot order.
* I’ve deselected the disk drive, the CD drive, and the USB drive. I only want to be able to boot from the internal hard disk & then from the network card. This helps protect me from somebody putting in a bootable Linux CD or something like that & taking control of my computer. If I control the boot order, I control what’s loaded.
(4) Disable any external ports and devices that you’re not going to need.
* For example, do you still use a parallel port? Most people don’t, so you should disable it. The same goes for a serial port. No one really uses them anymore; we use USB, so you can disable it.
(5) Enable secure boot. When you enable the secure boot option, your computer is going to go through additional processes as it boots up.
* When the BIOS or the UEFI is loaded, it’s going to load the public key from the trusted platform module chip, known as the TPM, that’s sitting inside your processor. It’s going to use this to verify the code of the operating system that’s being loaded & ensure that it’s been digitally signed by the manufacturer and that it hasn’t been modified since. This ensures that you have a trusted boot device & a protected boot process, & your system is going to be much more secure.

**************************************
Summary:
(1) Flash the BIOS
(2) Use a BIOS password
(3) Configure the BIOS boot order
(4) Disable the external ports and devices
(5) Enable the secure boot option

19
Q

You should always _____ files on removable media?

A

encrypt

20
Q

What are Removable Media Controls?

A

These controls are technical limitations placed on a system regarding the way USB storage devices & other media can be accessed.

*For example, this can be done using technical controls inside your group policies, by denying read access from USB drives or denying write access to a CD or DVD. In addition to these technical controls, you also need to consider which administrative controls, such as policies, you want to create to guide the technical controls that are going to be used inside your organization.

21
Q

When storing our data on our networks, we might use something called a NAS. What does that do?

A

Network Attached Storage (NAS)= These storage devices connect directly into your organization’s network. They often look like a big rack of hard drives w/ a network cable coming out of the back of them.

*Most of the time, NAS systems are going to implement some form of RAID array that gives you high availability. Because these devices act as file servers for your organization and need to be accessible at all times, this high availability is important.

22
Q

What is a SAN?

A

Oftentimes, we’ll take different NASs & we’ll connect them together into what’s known as a Storage Area Network or a SAN. A SAN is a network designed specifically to perform block storage functions & it may consist of many NAS devices connected together.

23
Q

What is Encryption?

A

Encryption is a process that scrambles data into unreadable information. It does this to ensure that nobody can read it except the person who holds the secret key.

24
Q

What are the two types of Encryption, & what are the details?

A

(1) Hardware-Based

(2) Software-Based= Self-Encrypting Drive (SED)

25
Q

What is a Self-Encrypting Drive (SED)?

A

It looks like an external hard drive, & it has embedded hardware that performs full disk or whole disk encryption. These are very fast; unfortunately, they’re also very expensive, so they’re not commonly used.

26
Q

Whole disk encryption is already embedded in our operating systems if we’re using Mac or Windows. What is this commonly used encryption software?

A

(1) FileVault (Mac)

(2) BitLocker (Windows)

27
Q

What is TPM?

A

Trusted Platform Module= As I said previously, encryption requires a key. When you’re using BitLocker specifically, you’re actually going to be using a hardware key that resides on your motherboard.

**This is what BitLocker is going to use to encrypt your drive. So, if you’re going to take that hard drive out and put it into another system, you have to decrypt that drive first; otherwise, you’re not going to be able to decrypt it on the other system, because it has a different TPM and a different secret key.

28
Q

Both BitLocker and FileVault use the same type of encryption. They use ______?

A

Advanced Encryption Standard, also known as AES= a symmetric key encryption that supports 128-bit & 256-bit keys & is considered unbreakable as of the time of this recording.

29
Q

Encryption adds security BUT ___________ ?

A

comes w/ lower performance for your system

*If I’m doing whole disk encryption, that means before I can even boot up the computer & read things from that drive, I have to decrypt it, & that takes time and processing. So instead, people rely on file-level encryption like EFS.

30
Q

What is EFS?

A

Encrypting File System (EFS)= For example, if I have a hard drive w/ a folder called finances in it, & I want to make sure nobody could read that particular folder but me, I could go in, right-click that folder, and enable EFS on it.

31
Q

Benefits of hardware-based encryption vs software-based encryption?

A

There is a way that we can speed up encryption: we can use hardware-based encryption. It’s much faster than software-based encryption because we have dedicated hardware to do the processing for us. One of the ways we do that is by using a hardware security module, or HSM.

32
Q

What is an HSM?

A

Hardware Security Module (HSM) is a physical device that acts as a secure cryptoprocessor during the encryption process or during digital signing, which is also an encryption process.

*Most organizations still rely on software-based encryption, because an HSM is expensive.

33
Q

What is Endpoint Analysis?

A

An endpoint is simply any device that we may use to connect to our network.

*For example, your desktop or your laptop at the office is considered an endpoint, and so is your smartphone or your tablet. As a cybersecurity analyst, you must be able to use tools to identify behavioral anomalies & then identify the techniques used by malware to achieve privilege escalation & persistence on your host.

34
Q

When is an Endpoint Analysis used?

A

Endpoint analysis is used when we’re conducting monitoring, logging, & analysis of our endpoints.

35
Q

What are the 5 Endpoint Security Capabilities that we use for analysis?

A

(1) Anti-virus (AV)= Antivirus is software that’s capable of detecting & removing virus infections and, in most cases, other types of malware, such as worms, Trojans, rootkits, adware, spyware, password crackers, network mappers, denial of service tools, and others. Often, you’ll hear this called antivirus or anti-malware. At this point in your career, you should be pretty familiar w/ what antivirus and anti-malware are.
(2) Host-based IDS/IPS (HIDS/HIPS)= This is a type of IDS or IPS that monitors a computer system for unexpected behavior and drastic changes to the system state on a given endpoint. Most of these are going to use signature-based detection using log or file monitoring systems to figure out if something bad is trying to happen to your endpoint. They may use file system integrity monitoring too, to see if your operating system files, drivers, or applications have been changed. All of these are things that a host-based intrusion detection or prevention system can help you with that a network-based intrusion detection or prevention system really can’t see.
(3) Endpoint Protection Platform (EPP)= This is a software agent and monitoring system that performs multiple security tasks. It can do antivirus, host intrusion detection or prevention, a firewall, data loss prevention (DLP), & file encryption, all in a single product. Essentially, it’s your Swiss army knife of security tools. There are a lot of EPPs on the market, and every year Gartner puts out a report called the Magic Quadrant that rates all the different systems to see which ones are the leaders, the challengers, the niche players, & the visionaries. In that report, the top three are Microsoft, CrowdStrike, and Symantec, & all three of them have great endpoint protection platforms that you can choose from.
(4) Endpoint Detection & Response (EDR)= Where EPP is mostly based on signature detection, EDR is focused more on behavioral and anomaly analysis. It starts logging the endpoint’s observables and indicators & combines that with analysis to try to figure out what’s wrong. So, this is a software agent that collects system data and logs for analysis, monitoring the system to provide early detection of threats. Because of that, the aim of EDR is not to prevent an initial execution, but instead to provide runtime and historical visibility into a compromise. Once a compromise has been detected, it can start responding to it, & it helps you as an incident responder gather more information and facilitate your remediation to get the system back to its original state.
(5) User & Entity Behavior Analytics (UEBA)= This is a system that can provide automated identification of suspicious activity by user accounts and computer hosts. This solution is less about endpoint data collection & more about the actual process of analyzing the data you’re getting. The idea is to have a baseline of known-good behavior, & then anything that goes outside that baseline is treated as potentially suspicious & looked into further. A lot of UEBA is focused on the analytics, & because of that, there’s a lot of data that has to be processed. So, UEBA solutions are heavily dependent on advanced computing techniques, such as artificial intelligence and machine learning.