Domain 4: Security Operations Flashcards
Security techniques
Objective 4.1
Secure baselines
• Baseline
- A documented and reviewed specification for system configuration. Serves as the basis for secure configurations by having only necessary software installed; all unnecessary software has been removed and unnecessary features disabled
• established baseline
- create a system configuration for the organization with only vital components included, security controls in place, unnecessary services and ports disabled, and only secure protocols utilized
• deploy baseline
- Using the baseline configuration to build the various system images from
• maintain baseline
- updating, patching and modifying the configuration as organizational needs require
Hardening endpoints
• servers and workstations
• adhering to baseline security configuration
- disabling unnecessary services and ports
- Closing unnecessary ports
- removing unused software
- use of secure protocols
- use of application allow list/block list
• patch management
• Regular backups
Hardening endpoints (continued)
• Anti-virus
- A program specifically designed to detect many forms of malware and prevent them from infecting computers
- The output of a specific antivirus program will vary. Whenever malicious software is detected, steps should be taken to investigate and mitigate as needed.
- anti-malware is a form of antivirus that focuses on polymorphic malware and malware that is delivered by zero-day exploits
• Endpoint Detection and Response (EDR)
- an integrated solution that continuously monitors and collects endpoint data, with rule-based automated response and analysis capability
Hardening endpoints (continued)
• Data Loss Prevention (DLP) solutions
- using a system or application to identify, monitor and protect confidential data within a centralized management framework
- DLP products can send alerts, block users from moving files and quarantine files away from users
Hardening endpoints (continued)
• full disk encryption (FDE) / self-encrypting drive (SED)
- Full disk encryption (FDE): the process of encrypting all the data on the hard drive used to boot a computer, including the computer's operating system, and permitting access to the data only after successful authentication with the full disk encryption product
- Self-encrypting drive (SED): a drive that uses built-in hardware to encrypt/decrypt data stored on the drive
• file integrity monitoring (FIM)
- software that generates, stores and compares message digests for files to detect changes made to the files
- If an unexpected change is detected in a file, the file and its changes should be inspected
- Especially crucial with installation media, as it is possible for a Trojan to be taken for a benign program. If the file integrity check fails, the installation is not what it seems.
Network devices
• use of encryption where possible on infrastructure devices, such as switches and routers
• use of encrypted protocols for network management, consoles, and administrative tasks
• being able to control what traffic can go where on a network is vital for both the performance and security of the network
Cloud infrastructure
• monitor access through use of a Cloud Access Security Broker (CASB)
• utilize secure protocols
• limit the number of unused VMs
Mobile device management
• Mobile device management (MDM)
- mobile devices may contain sensitive information, and that information needs protection in case of loss/theft
- mobile devices used for both personal and business purposes have additional management concerns
- Application management:
- Determining what applications and application installation sources will be allowed, often using an application whitelist
- Monitor application behaviors in a secure environment before adding to the whitelist. Even applications from an official App Store can turn out to be malicious.
- Content management:
- ensure mobile devices in the environment use company data securely
- Used to label files as being confidential or company-only information, preventing them from being transferred or shared against the DLP guidelines
Mobile device management (continued)
• Geofencing
- using a device's location to enable or disable software or hardware on the device. Can also be used to trigger events or alerts.
- May be used to ensure that sensitive data can only be accessed on site, or to disable video/picture-taking capabilities in a secure area
• Push notification services
- Notifications sent by applications on the device to the user, usually to notify/remind them of something application-specific
• Remote wipe
- Ability to remotely and securely remove all data from a mobile device
- can be used in the event a device is stolen or a source of data theft/leakage is found
Mobile device management (continued)
• Screen locks
- A password, PIN, pattern or biometric that needs to be entered before a mobile device can be unlocked
- In conjunction with data encryption, this can help secure sensitive data on mobile devices
- If no authentication method is used, anyone who picks up the device has access to the data
• Passwords and PINs
- Passwords and PINs rely on complexity to be effective. A short or non-complex PIN may be easily brute-forced
• Biometrics
- Typically include fingerprint or face scanning
- Generally more secure than a password- or PIN-based lock, though false positives can occur
Mobile device management (continued)
• Context-aware authentication
- using data such as the user's location, the time, and the type of data being accessed to decide whether the user trying to authenticate is actually that user
- Rules can be simple or complex to incorporate multiple data points to make a decision
• Containerization
- Running a separate virtual environment on a mobile device
- the container can have its own security policies, separate from the user's device itself
Mobile device management (continued)
• Storage segmentation
- Separating out segments of storage to be used for specific purposes by designating different areas of memory for each data type
- Provides similar functionality to containerization, but does not create a separate virtual environment
• Full device encryption (FDE)
- Everything on the device is encrypted, except for the master boot record, resulting in the need for authentication before accessing any data on the device
- ensures data will be protected if a device is lost/stolen
ICS / SCADA
• industrial control systems (ICS) are embedded systems
• Supervisory control and data acquisition (SCADA) systems interface with ICS devices
• typically part of a specialized network known as an Operational Technology (OT) network
- separate from the typical data network
- Access should be air-gapped or heavily monitored
Mobile device administration
• ownership concerns
• Legal concerns.
• Connectivity
- cellular
- Wi-Fi
- Bluetooth
• Deployment models
- Bring-your-own-device
- Corporate-owned, Personally-enabled (COPE)
- Choose-your-own-device (CYOD)
Bring-your-own-device
• policy where employees are allowed or encouraged to use their personal devices for business purposes. Poses the most security issues.
• things to consider:
- Privacy
- Data ownership
- Support
- Onboarding/offboarding
- legal concerns 
Choose-your-own-device
• policy where an organization offers a selection of devices for an employee to choose from
• very similar to COPE, with all the same issues involved
• Corporate-owned
- Policy where the organization buys and maintains control over a device that the organization chooses
- often referred to as corporate-owned, business-only (COBO), as devices are to be used only for business purposes
Application security
Input validation and sanitization
• the way applications handle input is important to prevent attacks such as SQL injection, directory traversal and cross-site scripting (XSS)
• fields that take a specific type of input can be more easily validated
• example: a phone number field should only accept numeric strings up to the length of a phone number and has no reason to accept letters or other special characters
Secure cookies
• a type of HTTP cookie that has the Secure attribute set, which limits the scope of the cookie to "secure" channels
• when a cookie has the Secure attribute, the user agent will include the cookie in an HTTP request only if the request is transmitted over HTTPS
Code analysis
• Static code analysis
- used to analyze code before it is packaged into the application
- static analysis does not actually execute the code itself
- static analysis can help find certain types of vulnerabilities, such as code injection flaws and failure to sanitize inputs
• Dynamic code analysis
- testing the code by simulating a real-world environment and attempting to provide it with all possible inputs to determine if there are any undesirable outcomes
- An application may perform in ways the developers did not predict
- to verify that input validation is working, pentesters may use a technique called fuzzing. Fuzzing is an automated process that repeatedly enters random input strings to see if some type of input abuse may be possible.
- fuzzing tools provide an application with random inputs to test the limits of input validation
Code signing
• ensures an application has not been modified and confirms the author of the application
• accomplished by hashing the file and signing this hash with the developer's private key (asymmetric encryption) to provide a certificate-based digital signature
• provides integrity and non-repudiation
Asset management
Objective 4.2