Securing an Environment Flashcards
When we refer to an endpoint, what exactly are we talking about?
The devices we use day to day to do our jobs.
Desktop PCs, laptops, tablets, phones, etc.
Where is the ability to run or not to run an application typically decided?
This is typically built into the core functionality of the Operating System.
A security team can enable or disable different parameters to allow certain software to run.
When adding an application to an allow or deny list you would typically take a hash of the whole application and add this to the list.
You can also use certificates for this process, like applying a rule that anything digitally signed by Microsoft is trusted.
You can also set parameters that apps can only be executed from a certain file path or from a certain folder.
What is a content filter/URL filter?
This is limiting access to untrusted or malicious sites, as well as just unwanted sites (in a company).
There are large blocklists that are used to share suspicious site URLs.
What is isolation?
This is to administratively isolate a compromised/vulnerable device from everything else.
Used to prevent the spread of malicious software, or to prevent remote access or C2 (command and control).
This is also used if someone tries to connect to a network and they don’t have the correct security posture. They would be isolated to a remediation VLAN until they correct the issues with their security posture.
You can also isolate just a process on a computer without needing to isolate an entire device.
What is containment?
This can mean multiple things, but the word containment speaks for itself.
Application containment is when every application that runs on your system is running in its own sandbox. Every application has no knowledge of the other applications and also has limited access to the operating system. If you enabled this, ransomware would have no method of infecting everything; it would just infect that application.
This can also mean containing the spread of a multi-device security event like ransomware. This would look something like disabling administrative shares, disabling remote management, disabling local account access and changing the local administrator password.
What is segmentation?
To separate the network.
This is done to prevent unauthorized movement and limit the scope of a breach.
What is SOAR?
Security orchestration, automation and response
In SOAR you would be integrating multiple third-party tools and data sources and having them all work together with automation.
This automation is based around a “runbook” which is a linear checklist of steps to perform an action. These will be things that are automated in the SOAR solution.
These runbooks can be combined together to be parts of a playbook.
Playbooks are much more big-picture.
Like the playbook for recovering from ransomware.