Security Applications and Devices Flashcards
Software Firewalls
Personal Firewalls - software application that protects a single computer from unwanted Internet traffic; host-based firewalls; Windows Firewall; PF and IPFW (OS X); iptables (Linux)
Many anti-malware suites also contain software firewalls.
Intrusion Detection System
Device or software application that monitors a system or network and analyzes the data passing through it in order to identify an incident or attack.
Host-Based IDS (HIDS)
Network-Based IDS (NIDS)
Signature-Based - a specific string of bytes triggers an alert.
Policy-Based - relies on specific declaration of the security policy (no Telnet authorized).
Anomaly-Based - analyzes the current traffic against an established baseline and triggers an alert if outside the statistical average.
Types of Alerts
True Positive - malicious activity is identified as an attack.
False Positive - legitimate activity is identified as an attack.
True Negative - legitimate activity is identified as legitimate traffic.
False Negative - malicious activity is identified as legitimate traffic.
IDS can only alert and log suspicious activity.
IPS can also stop malicious activity from being executed.
HIDS logs are used to recreate the events after an attack has occurred.
Pop-Up Blockers
Most web browsers have the ability to block JavaScript-created pop-ups.
Users may enable pop-ups because they are required for a website to function.
Malicious attackers could purchase ads (pay per click) through various networks.
Content Filters - blocking of external files containing JavaScript, images, or web pages from loading in a browser.
Ensure your browser and its extensions are updated regularly.
Data Loss Prevention (DLP)
Monitors the data of a system while in use, in transit, or at rest to detect attempts to steal the data.
Software or hardware solutions.
Endpoint DLP system - software-based client that monitors the data in use on a computer and can stop a file transfer or alert an admin of the occurrence.
Network DLP System - software or hardware-based solution that is installed on the perimeter of the network to detect data in transit.
Storage DLP System - software installed on servers in the datacenter to inspect the data at rest.
Cloud DLP System - cloud software as a service that protects data being stored in cloud services.
Securing the Basic Input Output System (BIOS)
Firmware that provides the computer instructions for how to accept input and send output.
Unified Extensible Firmware Interface (UEFI)
BIOS and UEFI are used interchangeably in this lesson.
1. Flash the BIOS
2. Use a BIOS password
3. Configure the BIOS boot order
4. Disable the external ports and devices
5. Enable the secure boot option
Securing Storage Devices
Removable media comes in many different formats - you should always encrypt files on removable media.
Removable media controls - technical limitations placed on a system regarding the use of USB storage devices and other removable media; create administrative controls such as policies.
Network Attached Storage (NAS) - storage devices that connect directly to your organization’s network; NAS systems often implement RAID arrays to ensure high availability.
Storage Area Network (SAN) - network designed specifically to perform block storage functions that may consist of NAS devices.
1. Use data encryption
2. Use proper authentication
3. Log NAS access
Disk Encryption
Encryption scrambles data into unreadable information.
Self-Encrypting Drive (SED) - storage device that performs whole disk encryption by using embedded hardware.
Encryption software is most commonly used - FileVault; BitLocker.
Trusted Platform Module (TPM) - chip residing on the motherboard that contains an encryption key; if your motherboard doesn’t have TPM, you can use an external USB drive as a key.
Advanced Encryption Standard (AES) - symmetric key encryption that supports 128-bit and 256-bit keys.
Encryption adds security but has lower performance.
Hardware Security Module (HSM) - physical device that acts as a secure cryptoprocessor during the encryption process.
Endpoint Analysis
Anti-virus (AV) - software capable of detecting and removing virus infections and (in most cases) other types of malware, such as worms, Trojans, rootkits, adware, spyware, password crackers, network mappers, DoS tools, and others.
Host-Based IDS/IPS (HIDS/HIPS) - type of IDS or IPS that monitors a computer system for unexpected behavior or drastic changes to the system’s state on an endpoint.
Endpoint Protection Platform (EPP) - a software agent and monitoring system that performs multiple security tasks such as anti-virus, HIDS/HIPS, firewall, DLP, and file encryption.
Endpoint Detection and Response (EDR) - a software agent that collects system data and logs for analysis by a monitoring system to provide early detection of threats.
User and Entity Behavior Analytics (UEBA) - a system that can provide automated identification of suspicious activity by user accounts and computer hosts; UEBA solutions are heavily dependent on advanced computing techniques like artificial intelligence and machine learning; many companies are now marketing advanced threat protection (ATP), advanced endpoint protection (AEP), and NextGen AV (NGAV), which are hybrids of EPP, EDR, and UEBA.