Endpoint Security Flashcards

1
Q

What are the three stages to desktop security?

A
  • People
  • Processes
  • Technology
2
Q

What are the risks associated with BYOD?

A

Some risks associated with BYOD include:
- Loss of company data, whether accidental or intentional.
- Data exploitation due to poorly configured devices.
- Outdated software, which can be exploited by attackers.
- Insufficient monitoring (such as lack of antivirus protection), increasing the risk of malware spreading.
- Unauthorised data transfer to third-party recipients.
- Use of devices in insecure environments, potentially exposing sensitive information.

3
Q

What are three examples of malware signatures?

A
  1. Byte streams: a distinctive sequence of bytes (a code fragment, a string, an unusual header) extracted from a known malware sample. The scanner searches each file for that sequence and flags any file containing it. Because only the sequence has to be present, a byte-stream signature still matches a lightly modified variant, but it is defeated by packing or encoding that hides the bytes, and a poorly chosen sequence produces false positives on benign files.
  2. Checksums: a short value (for example a CRC32) computed over a file's bytes and compared against a database of checksums of known malware. Checksums are cheap to compute, but any change to the file changes the value, and CRC-style checksums are not collision resistant, so they are only a weak identifier.
  3. Hashing: a cryptographic hash (such as SHA-256) of the whole file, or of a section of it, compared against known malicious hashes. A match identifies that exact file with high confidence, and hash lists are easy to share as indicators of compromise, but, like checksums, a hash signature fails as soon as a single byte of the file changes.

All three are static signatures of known samples: they match what a file contains, not what it does. Detecting previously unseen or modified malware needs heuristic or behavioural analysis, which is a separate technique from signature matching.
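The three signature types side by side, as an added example that is not part of the original flashcards. The "known sample" is a constructed byte string (a fake DOS header plus a distinctive string), not real malware; the detection names are invented. It shows what the text above claims: a one-byte change defeats the checksum and the hash but not the byte-stream signature, and XOR-encoding the body defeats all three.

```python
import hashlib
import zlib

# Constructed stand-in for a "known malicious" file. Not real malware: a fake
# DOS header, a distinctive string and a few opcode-like bytes, then padding.
KNOWN_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 28
    + b"evil-loader-v1" + b"\x90\x90\xcc"
    + b"\x00" * 16
)

# 1. Byte-stream signature: a distinctive sequence taken from the sample body.
#    Fires on any file that still contains this sequence, whatever else changed.
BYTE_STREAM_SIGS = {"Loader.Gen": b"evil-loader-v1\x90\x90\xcc"}

# 2. Checksum signature: CRC32 of the whole file. Cheap, but any single-byte
#    change alters it, and CRC32 is not collision resistant.
CHECKSUM_SIGS = {zlib.crc32(KNOWN_SAMPLE) & 0xFFFFFFFF: "Loader.A"}

# 3. Hash signature: SHA-256 of the whole file. Collision resistant, so a match
#    identifies this exact file, but just as brittle against modification.
HASH_SIGS = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Loader.A"}


def scan(data: bytes) -> dict:
    """Return {signature_type: detection_name} for every signature that fires."""
    hits = {}
    for name, pattern in BYTE_STREAM_SIGS.items():
        if pattern in data:
            hits["byte_stream"] = name
    crc = zlib.crc32(data) & 0xFFFFFFFF
    if crc in CHECKSUM_SIGS:
        hits["checksum"] = CHECKSUM_SIGS[crc]
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGS:
        hits["hash"] = HASH_SIGS[digest]
    return hits


def modified_variant(data: bytes) -> bytes:
    """Flip one padding byte, as a trivial rebuild of the sample would."""
    return data[:-1] + b"\x01"


def xor_variant(data: bytes, key: int = 0x5A) -> bytes:
    """XOR-encode everything after the header so the sequence is no longer in clear."""
    return data[:4] + bytes(b ^ key for b in data[4:])


if __name__ == "__main__":
    print("exact copy:      ", scan(KNOWN_SAMPLE))
    print("one byte changed:", scan(modified_variant(KNOWN_SAMPLE)))
    print("xor-encoded:     ", scan(xor_variant(KNOWN_SAMPLE)))
```

The exact copy trips all three signatures; the one-byte variant trips only the byte-stream signature; the XOR-encoded variant trips none, which is the gap that heuristic and behavioural detection exist to close.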

4
Q

What are the different levels in a group policy hierarchy?

A

In a Windows environment, Group Policy is applied at four levels, usually remembered by the order LSDOU:

  1. Local Group Policy: the most basic level, stored on the computer itself and applied whether or not the machine is domain-joined. Every Windows machine has its own Local Group Policy settings. Any setting that is also configured at a higher level in the hierarchy overrides the local value.
  2. Site-level Group Policy: applies to all computers and users in an Active Directory site, a set of well-connected subnets that usually corresponds to a physical location. Site-linked policies are the least commonly used, but they are useful for settings that must be consistent across one location regardless of domain or OU.
  3. Domain-level Group Policy: applies to all users and computers in the domain. Widely used for security baselines, software deployment and other settings that must be consistent across the whole organisation. Domain-linked policies override conflicting site and local settings.
  4. Organisational Unit (OU)-level Group Policy: the most granular level. OUs are containers within a domain, typically representing departments, teams or functions, and they can be nested. Policies linked to an OU affect only the users and computers in that OU and its child OUs. OU-linked policies are processed last, from parent OU to child OU, so they override domain, site and local settings.

When several Group Policy Objects (GPOs) apply, they are processed in the following order, and where two configure the same setting, the one processed later wins:

  1. Local
  2. Site
  3. Domain
  4. Organisational Unit (parent OUs first, then the target OU; within one container, the link order decides)

This hierarchy lets more specific policies (OU level) override broader ones (domain or site level), giving fine-grained control over policy application. Two link options change the default order and are the first thing to check when a setting is not what the hierarchy predicts: a GPO link marked Enforced wins over conflicting settings from lower levels (and where several GPOs are enforced, the one linked highest wins), and a domain or OU marked Block Inheritance stops non-enforced GPOs linked above it from applying at all. Enforced links cannot be blocked. On a client, gpresult /r (or the Resultant Set of Policy snap-in) lists which GPOs actually applied and in what order.
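A small model of the precedence rules above, as an added example that is not part of the original flashcards and not Microsoft code: it replays LSDOU processing for a constructed hierarchy (domain corp.example, OU=Finance, and the GPO names and settings are invented) and shows how an Enforced domain link and Block Inheritance on the OU change the result. It assumes that Block Inheritance affects only GPOs linked at parent containers, so the Local GPO still processes, and it orders each container's links lowest-precedence first. It is a model for reasoning, not a substitute for running gpresult on the machine.

```python
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict
    enforced: bool = False            # "Enforced" (formerly "No Override") on the link


@dataclass
class Container:
    level: str                        # "local", "site", "domain" or "ou"
    name: str
    gpos: list = field(default_factory=list)   # lowest link-order precedence first
    block_inheritance: bool = False


def resolve(chain):
    """Resultant settings for containers ordered Local, Site, Domain, parent OU,
    ..., target OU (LSDOU). Returns (effective_settings, winning_gpo_per_setting)."""
    # Innermost container that blocks inheritance: non-enforced GPOs linked to
    # containers above it are skipped. Local policy is not linked to a parent
    # container, so it is not blocked (assumption stated in the lead-in).
    block_at = -1
    for i, c in enumerate(chain):
        if c.block_inheritance:
            block_at = i
    effective, winner = {}, {}

    # Pass 1: non-enforced GPOs in LSDOU order; the last writer wins.
    for i, c in enumerate(chain):
        blocked = i < block_at and c.level != "local"
        for g in c.gpos:
            if g.enforced or blocked:
                continue
            for k, v in g.settings.items():
                effective[k], winner[k] = v, f"{c.name}/{g.name}"

    # Pass 2: enforced GPOs, innermost container first and outermost last, so an
    # enforced domain GPO beats an enforced OU GPO and both beat pass 1.
    for c in reversed(chain):
        for g in c.gpos:
            if g.enforced:
                for k, v in g.settings.items():
                    effective[k], winner[k] = v, f"{c.name}/{g.name}"
    return effective, winner


def build_chain(block_inheritance_on_ou: bool):
    """Constructed hierarchy for a workstation in OU=Finance (all names invented)."""
    return [
        Container("local", "LocalGPO", [GPO("Local", {"ScreenSaverTimeout": 900})]),
        Container("site", "HQ-Site", []),
        Container("domain", "corp.example", [
            GPO("Baseline", {"ScreenSaverTimeout": 600, "AuditLogonEvents": "success,failure"}),
            GPO("Corp-Security", {"UAC": "always"}, enforced=True),
        ]),
        Container("ou", "OU=Finance", [
            GPO("Finance-Desktop", {"ScreenSaverTimeout": 300, "UAC": "prompt"}),
        ], block_inheritance=block_inheritance_on_ou),
    ]


if __name__ == "__main__":
    for block in (False, True):
        eff, win = resolve(build_chain(block))
        print(f"Block Inheritance on OU=Finance: {block}")
        for k in sorted(eff):
            print(f"  {k:20} = {eff[k]!s:18} (from {win[k]})")
```

Without Block Inheritance the OU wins ScreenSaverTimeout (300) but loses UAC to the enforced domain GPO; with Block Inheritance the non-enforced domain Baseline disappears entirely (no AuditLogonEvents) while the enforced Corp-Security still applies.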

5
Q

What attacks can a HIDS (host intrusion detection system) identify?

A
  • Modified system configuration files
  • Applications installed without authorisation
  • Brute-force attempts to log in
  • Alterations to critical or system services
  • Unauthorised or suspicious processes
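One of the listed detections, brute-force login attempts, as an added example that is not part of the original flashcards and not the logic of any particular HIDS product. The sshd lines are constructed (hostname, PIDs and addresses invented), not a real capture. A source that fails at least `threshold` logins inside a sliding window is flagged, and a later successful login from the same source is recorded on the alert, since that is the case an analyst must look at first.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd lines in syslog format (not a real capture).
SAMPLE_AUTH_LOG = """\
Mar 13 10:01:02 host1 sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 13 10:01:05 host1 sshd[2002]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar 13 10:01:09 host1 sshd[2003]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 13 10:01:12 host1 sshd[2004]: Failed password for invalid user test from 203.0.113.7 port 51025 ssh2
Mar 13 10:01:16 host1 sshd[2005]: Failed password for bob from 203.0.113.7 port 51026 ssh2
Mar 13 10:01:19 host1 sshd[2006]: Failed password for bob from 203.0.113.7 port 51027 ssh2
Mar 13 10:01:25 host1 sshd[2007]: Accepted password for bob from 203.0.113.7 port 51028 ssh2
Mar 13 10:02:40 host1 sshd[2011]: Failed password for alice from 198.51.100.9 port 50011 ssh2
Mar 13 10:02:48 host1 sshd[2012]: Accepted password for alice from 198.51.100.9 port 50012 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag sources with >= threshold failed logins inside a sliding window and
    note whether a successful login from the same source followed the burst."""
    recent = defaultdict(deque)       # src -> (timestamp, user) of failures in the window
    alerts = {}                       # src -> alert dict
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                  # other sshd chatter is ignored
        # syslog timestamps carry no year; the default 1900 is fine for window maths
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        src, user = m["src"], m["user"]
        if m["result"] == "Failed":
            q = recent[src]
            q.append((ts, user))
            while (ts - q[0][0]).total_seconds() > window_seconds:
                q.popleft()           # drop failures that fell out of the window
            if len(q) >= threshold:
                a = alerts.setdefault(src, {"source": src, "failures": 0,
                                            "users": set(), "followed_by_success": False})
                a["failures"] = max(a["failures"], len(q))   # peak failures in one window
                a["users"].update(u for _, u in q)
        elif src in alerts:
            alerts[src]["followed_by_success"] = True        # success after the burst
    return [dict(a, users=sorted(a["users"])) for a in alerts.values()]


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

On the sample, 203.0.113.7 is flagged (six failures across four accounts in under a minute, then an accepted login as bob), while 198.51.100.9's single failure followed by success is the ordinary mistyped-password case and stays silent.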
6
Q

What topics are usually covered in security awareness training? (PEOPLE)

A
  • password management
  • software that sends or stores data without encryption
  • social engineering
  • viruses
  • spam
  • untrusted software and websites
  • unattended desktops (not using screen locks)
  • outdated antivirus
7
Q

What are the various methods of providing security education?

A
  • running security seminars and roadshows
  • promotional material such as posters
  • publishing security notices as desktop information
  • taking time to explain (in a friendly manner) when staff have unwittingly committed a security breach.
8
Q

What are the two types of audit records used to detect unauthorised intrusion on a host system?

A

Brooks et al. (2018) explain that two primary types of audit records are typically used to detect unauthorised intrusions on a system:

  • Native audit records: These are event logs generated by most modern multi-user operating systems. Since they are automatically produced by the operating system, they are always available; however, they may not capture the specific events needed or may not be in a readily usable format.
  • Detection-specific audit records: These records are created to capture specific information about targeted actions or events. The actions or events may involve operating system activities, application events, or security incidents.

Additionally, auditing systems comprise two key components:

  • Auditing rules (or policies): These define which types of events should be monitored and recorded in the system’s security log.
  • Audit entries: These are the individual log entries added to the security log whenever a specified event occurs.
9
Q

What information can the Linux auditing daemon (auditd) record?

A
  • Timestamps and event-specific details
  • Information exchanged with the system
  • Access attempts to the system
  • Changes to sensitive files and services
  • All authentication events
  • Modifications to configuration files (especially in the /etc directory)
  • Triggered events and the user who is responsible
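The last two bullets (changes under /etc, and which user triggered them) worked through on raw audit records, as an added example that is not part of the original flashcards and not code from the audit project. The audit.log excerpt is constructed, not a real capture: it is the shape of what a watch rule such as `-w /etc/ -p wa -k etc-watch` emits when a user who logged in as uid 1000 runs `sudo vi /etc/passwd`, followed by a failed SSH login; inode numbers, PIDs, the address and the uid-to-name map are all invented. The point it shows is that the auid field (login uid) survives sudo and su, so it, not uid, names the accountable person.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt (not a real capture); see the lead-in.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1710000000.123:4242): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd3c2a1c40 a2=241 a3=1b6 items=2 ppid=3100 pid=3105 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=7 comm="vi" exe="/usr/bin/vi" key="etc-watch"
type=CWD msg=audit(1710000000.123:4242): cwd="/root"
type=PATH msg=audit(1710000000.123:4242): item=0 name="/etc/" inode=1310721 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1710000000.123:4242): item=1 name="/etc/passwd" inode=1310722 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=USER_LOGIN msg=audit(1710000050.001:4250): pid=3200 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
"""

HEADER_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$")
FIELD_RE = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")
UNSET_AUID = 4294967295           # -1 as u32: no login session (daemons, pre-auth sshd)

# Constructed uid -> name map standing in for /etc/passwd lookups.
USERS = {0: "root", 1000: "alice"}


def parse_fields(body):
    """key=value tokens; values may be bare, "quoted" or 'quoted with nested k=v'."""
    fields = {}
    for k, v in FIELD_RE.findall(body):
        if v[0] in "'\"":
            v = v[1:-1]
        if k == "msg":
            fields.update(parse_fields(v))     # op=... acct=... res=... inside msg='...'
        else:
            fields[k] = v
    return fields


def parse_audit_log(text):
    """Group records by serial: one event = SYSCALL + CWD + PATH... records."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        rec = parse_fields(m["body"])
        rec["type"], rec["time"] = m["type"], float(m["ts"])
        events[int(m["serial"])].append(rec)
    return dict(events)


def summarize(events):
    """Answer: what happened, to which file, and which human is responsible."""
    out = []
    for serial, recs in sorted(events.items()):
        by_type = defaultdict(list)
        for r in recs:
            by_type[r["type"]].append(r)
        if by_type["SYSCALL"]:
            s = by_type["SYSCALL"][0]
            auid = int(s["auid"])
            out.append({
                "serial": serial, "time": s["time"], "key": s.get("key"),
                "syscall": s["syscall"], "success": s["success"] == "yes",
                "exe": s["exe"], "effective_uid": int(s["uid"]),
                # auid is set at login and survives su/sudo: the accountable user
                "responsible": USERS.get(auid, str(auid)) if auid != UNSET_AUID else None,
                "paths": [p["name"] for p in by_type["PATH"] if p.get("nametype") == "NORMAL"],
            })
        for r in by_type["USER_LOGIN"]:
            out.append({"serial": serial, "time": r["time"], "key": "USER_LOGIN",
                        "account": r["acct"], "source": r["addr"],
                        "success": r["res"] == "success"})
    return out


if __name__ == "__main__":
    for item in summarize(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(item)
```

Event 4242 summarises as alice (auid 1000) writing /etc/passwd with effective uid 0 through /usr/bin/vi under the etc-watch key; event 4250 is a failed login for root from 203.0.113.7 with no login uid, which is how pre-authentication sshd records look. On a real host, ausearch -k etc-watch and aureport -au produce these views from the same fields.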