Mitigation Techniques

Question 1

IPS signature management

Answer 1

• You determine what happens when unwanted traffic
appears
• Block, allow, send an alert, etc.

• Thousands of rules - Or more

• Rules can be customized by group
  
  • Or as individual rules
• This can take time to find the right balance
  
  • Security / alert “noise” / false positives

Question 2

Device hardening

Answer 2

• No system is secure with the default configurations
• You need some guidelines to keep everything safe

• Hardening guides are specific to the software or
platform
• Get feedback from the manufacturer or Internet
interest group

• Other general-purpose guides are available online

Question 3

The native VLAN

Answer 3

• This is different than the “default VLAN”
• The default VLAN is the VLAN assigned to an
interface by default

• Each trunk has a native VLAN
  
  • The native VLAN doesn’t add an 802.1Q header
  • Non-trunked frames
• Native VLAN defaults to VLAN 1
  
  • But some Cisco management protocols use VLAN 1

• Change the native VLAN number (e.g., VLAN 999)
• Management protocols will continue to use VLAN 1
(even if it’s not formally configured on the trunk)
• Non-trunked traffic will use the native VLAN number
(VLAN 999)

Question 4

Privileged accounts

Answer 4

• Elevated access to one or more systems
  
  • Administrator, Root

• Complete access to the system
• Often used to manage hardware, drivers, and
software installation

• Needs to be highly secured
  
  • Strong passwords, 2FA
  • Scheduled password changes

• User accounts should have limited control
• Role separation with different access rights
• More difficult for a single limited account to breach
security

Question 5

FIM (File Integrity Monitoring)

Answer 5

• Some files change all the time
  
  • Some files should NEVER change

• Monitor important operating system &
application files
• Identify when changes occur

• Windows - SFC (System File Checker)
  
  • Linux - Tripwire
  • Many host-based IPS options

Question 6

Restricting access via ACLs

Answer 6

Use device ACLs to limit access to important
infrastructure devices
• Only admins should be able to login

• Drop all other traffic
  
  • Define the subnets for the technology teams
• This is a bit different than setting an application ACL
  
  • You’re dropping traffic for non-authorized users
  • Used mostly for access to management interfaces

Question 7

Honeypots

Answer 7

• Attract the bad guys - and trap them there
  
  • The bad guys are probably a machine
  • Makes for interesting recon
• Honeypots / Honeynet - a network of honeypots
  
  • Many different options
  • http://www.projecthoneypot.org/, honeyd

• Constant battle to discern the real from the fake

Question 8

Penetration testing

Answer 8

• Pentest
• Simulate an attack
• Similar to vulnerability scanning
• Except we actually try to exploit the vulnerabilities
• Often a compliance mandate
• Regular penetration testing by a 3rd-party

• National Institute of Standards and Technology
Technical Guide to Information Security Testing and
Assessment