Mitigation Techniques Flashcards
IPS signature management
• You determine what happens when unwanted traffic appears
• Block, allow, send an alert, etc.
• Thousands of rules, or more
- Rules can be customized by group
- Or as individual rules
- This can take time to find the right balance
- Balancing security against alert “noise” and false positives
Device hardening
- No system is secure with the default configurations
- You need some guidelines to keep everything safe
• Hardening guides are specific to the software or platform
• Get feedback from the manufacturer or an Internet interest group
• Other general-purpose guides are available online
The native VLAN
• This is different from the “default VLAN”
• The default VLAN is the VLAN assigned to an interface by default
- Each trunk has a native VLAN
- The native VLAN doesn’t add an 802.1Q header
- Non-trunked frames
- Native VLAN defaults to VLAN 1
- But some Cisco management protocols also use VLAN 1
• Change the native VLAN number (e.g., VLAN 999)
• Management protocols will continue to use VLAN 1 (even if it’s not formally configured on the trunk)
• Non-trunked traffic will use the native VLAN number (VLAN 999)
Privileged accounts
- Elevated access to one or more systems
- Administrator, Root
• Complete access to the system
• Often used to manage hardware, drivers, and software installation
- Needs to be highly secured
- Strong passwords, 2FA
- Scheduled password changes
• User accounts should have limited control
• Role separation with different access rights
• Makes it more difficult for a single compromised limited account to breach security
FIM (File Integrity Monitoring)
- Some files change all the time
- Some files should NEVER change
• Monitor important operating system and application files
• Identify when changes occur
- Windows - SFC (System File Checker)
- Linux - Tripwire
- Many host-based IPS options
Restricting access via ACLs
- Use device ACLs to limit access to important infrastructure devices
• Only admins should be able to log in
- Drop all other traffic
- Define the subnets for the technology teams
- This is a bit different from setting an application ACL
- You’re dropping traffic from non-authorized users
- Used mostly for access to management interfaces
Honeypots
- Attract the bad guys, and trap them there
- The bad guys are probably a machine (automated attacks)
- Makes for interesting recon on attacker behavior
- Honeypots / Honeynet (a network of honeypots)
- Many different options
- http://www.projecthoneypot.org/, honeyd
• Constant battle to discern the real from the fake
Penetration testing
- Pentest
- Simulate an attack
- Similar to vulnerability scanning
- Except we actually try to exploit the vulnerabilities
- Often a compliance mandate
- Regular penetration testing by a 3rd party
• National Institute of Standards and Technology: Technical Guide to Information Security Testing and Assessment