Security Applications and Devices Flashcards
Software Firewalls
Software application that protects a single computer by filtering the network traffic entering and leaving it. Examples of these host-based firewalls are Windows Firewall (Windows), PF and the older IPFW (macOS / OS X), and iptables or nftables (Linux). Many anti-malware suites also include a software firewall.
Intrusion Detection System (IDS)
A device or software application that monitors a system or network and analyzes the data passing through it in order to identify an incident or attack. The two types are HIDS (host-based IDS) and NIDS (network-based IDS).
A NIDS can spot reconnaissance and attack traffic on the wire before a host is compromised, while a HIDS acts as a second layer of defense, detecting activity on the endpoint itself if the network layer is bypassed or the system is breached. An IDS detects and alerts; blocking the traffic is the job of an IPS.
HIDS
Host-based IDS looks at behaviors on a particular host (the endpoint level), including which applications are run, which files are accessed, and what is recorded in the kernel and system logs.
A HIDS analyzes log files for signs of malicious activity and lets you examine historical data to determine activity patterns. This is especially useful against experienced attackers, who vary their intrusion methods to be less predictable and therefore harder to trace from any single event.
NIDS
Network-based IDS examines the data flow between computers for unusual activity. Allows for a fast response as real-time data monitoring can trigger alerts.
Security Information and Event Management - SIEM
A class of security tooling that collects and correlates logs and alerts from many sources (NIDS, HIDS, firewalls, servers and applications) to provide real-time analysis of the security alerts generated by applications and network hardware.
Signature-based Detection Method
A specific string of bytes (or pattern) in traffic or a file matches a known attack signature and triggers an alert. Fast and precise for known attacks, but blind to anything without a signature.
Policy-based Detection Method
Relies on a specific declaration of the security policy (e.g. "No Telnet authorized"); any traffic that violates the stated rule triggers an alert.
Anomaly-based Detection Method
Analyzes current traffic against an established baseline and triggers an alert if activity falls outside the statistical norm (for example, a request far larger than anything seen during the learning period).
True Positive
Malicious activity is identified as an attack.
False Positive
Legitimate activity is identified as an attack.
True Negative
Legitimate activity is identified as legitimate traffic.
False Negative
Malicious activity is identified as legitimate traffic.
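The three detection methods above and the four alert outcomes are easiest to see side by side. The following added example (not part of the original flashcards) runs a signature rule, a policy rule ("No Telnet authorized") and a statistical anomaly check over a handful of constructed connection records, then scores the alerts against the known truth to count true/false positives and negatives. The records, signatures, port policy and baseline sizes are all made up for illustration.

```python
"""Signature-, policy- and anomaly-based detection run over constructed
connection events, then scored as true/false positives and negatives.

Added example, not from the original flashcards. The log records,
signatures, the "No Telnet authorized" rule and the baseline numbers
are all made up for illustration."""
import re
import statistics
from collections import Counter

# Constructed records: (src_ip, dst_port, bytes_sent, payload, truly_malicious)
SAMPLE_EVENTS = [
    ("10.0.0.5", 443, 1200, "GET /index.html", False),
    ("10.0.0.5", 443, 900, "GET /login", False),
    ("10.0.0.7", 23, 800, "USER admin", True),                              # Telnet: policy hit
    ("10.0.0.9", 80, 1500, "GET /?id=1' OR '1'='1", True),                    # SQLi: signature hit
    ("10.0.0.11", 443, 1100, "GET /docs?q=union select tutorial", False),    # benign, looks like SQLi
    ("10.0.0.13", 443, 250000, "POST /upload", True),                         # bulk exfil: anomaly hit
    ("10.0.0.5", 443, 1000, "GET /about", False),
    ("10.0.0.15", 443, 1150, "GET /?id=1 AND SLEEP(5)", True),                # blind SQLi: nothing fires
]

# Constructed "learning period" of known-good request sizes for the anomaly baseline
BASELINE_SIZES = [900, 1000, 1100, 1200, 1300, 950, 1050, 1150, 1250, 1400]

# Signature-based: known byte patterns of attacks
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
    "sqli-union": re.compile(r"\bUNION\s+SELECT\b", re.IGNORECASE),
}

# Policy-based: explicit declarations of what is not allowed
FORBIDDEN_PORTS = {23: "No Telnet authorized", 21: "No FTP authorized"}


def signature_detect(payload):
    return [f"signature:{name}" for name, rx in SIGNATURES.items() if rx.search(payload)]


def policy_detect(dst_port):
    rule = FORBIDDEN_PORTS.get(dst_port)
    return [f"policy:{rule}"] if rule else []


def build_baseline(sizes):
    """Mean and population std-dev of request size during a known-clean period."""
    return statistics.mean(sizes), statistics.pstdev(sizes)


def anomaly_detect(bytes_sent, baseline, z_threshold=3.0):
    """Alert when the size is more than z_threshold standard deviations from the mean."""
    mean, stdev = baseline
    if stdev == 0:
        return []
    z = (bytes_sent - mean) / stdev
    return [f"anomaly:bytes z={z:.1f}"] if abs(z) > z_threshold else []


def analyze(events, baseline=None):
    """Run all three methods over each event; returns [(event, [alerts...]), ...]."""
    baseline = baseline or build_baseline(BASELINE_SIZES)
    results = []
    for ev in events:
        _src, port, nbytes, payload, _truth = ev
        alerts = signature_detect(payload) + policy_detect(port) + anomaly_detect(nbytes, baseline)
        results.append((ev, alerts))
    return results


def score(results):
    """Confusion counts TP/FP/TN/FN, comparing whether anything alerted with the truth label."""
    counts = Counter({"TP": 0, "FP": 0, "TN": 0, "FN": 0})
    for (_src, _port, _nbytes, _payload, malicious), alerts in results:
        alerted = bool(alerts)
        if malicious and alerted:
            counts["TP"] += 1
        elif malicious:
            counts["FN"] += 1
        elif alerted:
            counts["FP"] += 1
        else:
            counts["TN"] += 1
    return dict(counts)


if __name__ == "__main__":
    res = analyze(SAMPLE_EVENTS)
    for (src, port, nbytes, payload, malicious), alerts in res:
        print(f"{src:<10} {port:<4} {nbytes:>7}  {'MALICIOUS' if malicious else 'benign':<9} {alerts}")
    print(score(res))
```

Two things worth noticing when you run it: the benign search for "union select tutorial" is the false positive (signature matching has no idea about intent), and the blind-SQLi request is the false negative (no signature, allowed port, normal size). The baseline is built from a separate clean period on purpose; including the 250 kB upload in the baseline would inflate the standard deviation enough that the same upload no longer looks anomalous.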
IDS vs. IPS
An Intrusion Detection System can only alert on and log suspicious activity, whereas an Intrusion Prevention System (IPS) sits inline and can also block malicious activity before it reaches its target.
Pop Up Blockers
Most web browsers can block pop-ups created by JavaScript (windows the page opens without a user click).
Sometimes pop-ups must be allowed for a legitimate website to function, so blockers normally support per-site exceptions.
Pop-up blockers do not stop everything: malicious actors can purchase ads through advertising networks (malvertising), so malicious content can arrive inside a page the user opened deliberately.
Data Loss Prevention - DLP
Monitors data while in use, in transit, or at rest to detect (and, where configured, block) attempts to copy it outside the organization.
DLP can be delivered as a software or a hardware solution.
Endpoint DLP System
Software-based client that monitors data in use on a computer and can block a file transfer or alert an admin when one occurs.
Network DLP System
Software or hardware-based solution installed at the perimeter of the network to inspect data in transit.
Storage DLP System
Software installed on servers in the datacenter to inspect the data at rest.
Cloud DLP System
Cloud software as a service (SaaS) that protects data stored in cloud services.
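Whatever form a DLP system takes, the core of it is content inspection: recognising sensitive data in the content being used, stored or transferred and then deciding what to do. The following added example (not from the original flashcards) does the kind of inspection an endpoint or network DLP would apply to an outgoing file: it finds card-number-shaped strings, validates them with the Luhn checksum so that random digit runs do not cause false positives, finds SSN-shaped strings, and returns an allow/alert/block decision. The sample documents, the 4111 1111 1111 1111 test number and the three-step policy are all constructed for the example.

```python
"""Content inspection of the kind an endpoint or network DLP system performs:
find card numbers (PANs) and SSN-shaped strings in data in use or in transit,
validate PAN candidates with the Luhn check to cut false positives, and decide
whether to allow, alert on, or block the transfer.

Added example, not from the original flashcards. The documents, the
4111 1111 1111 1111 test PAN and the allow/alert/block policy are constructed."""
import re

# 13-19 digits, optionally separated by single spaces or dashes
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_SHAPE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits):
    """Luhn checksum: true for a well-formed card number, false for a random digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits):
    """Never put the full value in an alert; keep only the last four digits."""
    return "*" * (len(digits) - 4) + digits[-4:]


def inspect_content(text):
    """Returns the findings plus the DLP action for this content."""
    findings = []
    rejected = 0
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("PAN", mask(digits)))
        else:
            rejected += 1          # looked like a card number but fails Luhn
    for m in SSN_SHAPE.finditer(text):
        findings.append(("SSN", mask(m.group(0).replace("-", ""))))

    kinds = {kind for kind, _ in findings}
    if "PAN" in kinds:
        action = "block"       # stop the transfer outright
    elif kinds:
        action = "alert"       # let it through but notify an admin
    else:
        action = "allow"
    return {"findings": findings, "rejected_candidates": rejected, "action": action}


# Constructed sample content
EXPORT_DOC = """Quarterly export for the finance team.
Customer 1: card 4111 1111 1111 1111 exp 12/27
Customer 2: card 1234-5678-9012-3456 (placeholder record)
Order ref 5555-1234, phone 555-123-4567
"""
HR_DOC = "New hire paperwork: SSN 123-45-6789, start date 2024-09-01."
CLEAN_DOC = "Agenda: budget review, call 555-123-4567, order 5555-1234."

if __name__ == "__main__":
    for name, doc in [("export", EXPORT_DOC), ("hr", HR_DOC), ("clean", CLEAN_DOC)]:
        print(name, inspect_content(doc))
```

The Luhn step is what separates a usable DLP rule from a noisy one: the 1234-5678-9012-3456 placeholder is rejected rather than reported, while phone numbers and order references never even reach the check because they are too short. A real product would add more detectors (keywords, document fingerprints, regulated-data dictionaries) and tie the action to who is sending what where, but the shape of the pipeline is the same.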
BIOS and UEFI
Firmware that initializes the hardware at power-on and provides the computer with its basic instructions for accepting input and sending output, before handing control to the boot loader.
BIOS - Basic Input/Output System
UEFI - Unified Extensible Firmware Interface
UEFI is the modern replacement for the legacy BIOS; in everyday use "BIOS" is often used to refer to either.
Securing the BIOS
- Flash the BIOS/UEFI to the latest vendor firmware version to pick up security fixes.
- Set a BIOS/UEFI password so settings cannot be changed without authorization.
- Configure the boot order, removing any unneeded boot devices (e.g. USB, optical, network/PXE).
- Disable unused external ports and devices.
- Enable the Secure Boot option (UEFI only) so that only signed boot loaders can run.
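Enabling Secure Boot in the setup menu is only half the job; the setting is worth verifying from the running OS, because a platform left in setup mode (no platform key enrolled) reports nothing as "enforcing" even though the option looks switched on. The following added example (not from the original flashcards) reads the UEFI SecureBoot and SetupMode variables the way Linux exposes them through efivarfs and reports the effective state. The byte strings in SAMPLE_STATES are constructed stand-ins for the variable contents; on a real host the files live under /sys/firmware/efi/efivars/ and reading them may require root.

```python
"""Verify that Secure Boot is really enforcing on a Linux host by reading the
UEFI SecureBoot and SetupMode variables through efivarfs.

Added example, not from the original flashcards. The byte strings in
SAMPLE_STATES are constructed; on a real machine the variables are read
from /sys/firmware/efi/efivars/, which may require root."""
import os
import struct

# EFI_GLOBAL_VARIABLE GUID from the UEFI spec; both variables live under it
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = "/sys/firmware/efi/efivars"


def parse_efivar(raw):
    """efivarfs file layout: 4-byte little-endian attribute mask, then the variable data."""
    if len(raw) < 4:
        raise ValueError("efivar payload too short")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def secure_boot_state(secureboot_raw, setupmode_raw):
    """'enforcing' only when SecureBoot == 1 and the platform is not in SetupMode.
    In SetupMode no platform key is enrolled, so signatures are not checked
    even if the firmware menu shows Secure Boot as switched on."""
    _, sb = parse_efivar(secureboot_raw)
    _, sm = parse_efivar(setupmode_raw)
    if sm[:1] == b"\x01":
        return "setup-mode"
    if sb[:1] == b"\x01":
        return "enforcing"
    return "disabled"


def read_host_state():
    """Read the live variables; returns None on legacy BIOS boot, non-Linux, or no permission."""
    paths = [os.path.join(EFIVARS, f"{name}-{EFI_GLOBAL_GUID}") for name in ("SecureBoot", "SetupMode")]
    try:
        with open(paths[0], "rb") as f1, open(paths[1], "rb") as f2:
            return secure_boot_state(f1.read(), f2.read())
    except OSError:
        return None


# Constructed samples: attribute mask 0x06 (boot-service + runtime access), then a one-byte value
ATTRS = b"\x06\x00\x00\x00"
SAMPLE_STATES = {
    "enforcing": (ATTRS + b"\x01", ATTRS + b"\x00"),   # SecureBoot=1, SetupMode=0
    "setup-mode": (ATTRS + b"\x00", ATTRS + b"\x01"),  # keys not enrolled, nothing enforced
    "disabled": (ATTRS + b"\x00", ATTRS + b"\x00"),
}

if __name__ == "__main__":
    for expected, (sb, sm) in SAMPLE_STATES.items():
        print(f"sample {expected:<10} -> {secure_boot_state(sb, sm)}")
    live = read_host_state()
    print("this host:", live if live else "no efivars (legacy BIOS boot, not Linux, or no permission)")
```

Run it as root on the machine you just configured; anything other than "enforcing" means the checklist item is not actually done, whatever the setup screen says.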
Securing Removable Media Storage
Encrypt files on removable media.
Use technical limitations on computer systems and their use of USB and other removable media (e.g. disable USB ports).
Create administrative controls such as policies (e.g. company policy prohibiting copy/export of data to removable storage devices).
Securing Network Attached Storage (NAS) and Storage Area Network (SAN)
Use data encryption.
Use proper authentication.
Log and review NAS/SAN access.
Disk Encryption
Encryption adds security but costs some performance.
Self-Encrypting Drive (SED) - Performs whole-disk encryption using hardware embedded in the drive itself.
Software encryption - The most commonly used type of disk encryption (e.g. BitLocker, FileVault, LUKS).
Trusted Platform Module (TPM) - Chip on the motherboard that securely stores and protects encryption keys and can tie their release to the measured boot state. If your motherboard doesn't have a TPM, BitLocker can instead use an external USB drive holding a startup key.
Hardware Security Module (HSM) - Physical, tamper-resistant device that acts as a secure crypto-processor, generating and storing keys and performing the cryptographic operations so the keys never leave it.