Security Operations: Examining Baselines Flashcards
What are the common methods for using security baselines?
A common method for using security baselines is:
Establish
Deploy
Maintain
How are baseline set?
Baselines are set by Regulations, standards and compliance
Industry Guidance
Vendor recommendations
Such as GPO’s
Cloud: MDM (Microsoft Device Management)
What are some categories we need to look at for hardening?
Mobile devices
Workstations
Servers
Routers, switches, and network-based firewalls
Cloud infrastructure
Specialized Systems
RTOS
IoT devices
What do all categories have in common in terms of hardening?
They all need to change defaults and minimize attack surfaces
Vendor specific Patches
Monitoring and maintenance
Zero trust model
What are some of the considerations we need to take in account for mobile devices?
Trusted operating system (OS) (not rooted or jailbroken).
Installing approved software from trusted locations.
Vendor security patches and firmware updates.
Secure OS configuration:
Authentication required.
Device-level encryption.
Session timeouts.
Application and data sandboxing.
What are some of the considerations we need to take in account for Work Stations?
The following is hardening information with respect to workstations:
Installing OS from approved sources.
Installing approved software from trusted locations.
Vendor security patches and firmware updates.
Secure OS configuration:
Authentication required.
Drive-level encryption.
Host-based firewall.
Anti-virus.
Application and data sandboxing.
What are some of the considerations we need to take in account for Servers?
The following is hardening information with respect to servers:
Installing OS from approved sources.
Installing approved software from trusted locations.
Vendor security patches and firmware updates.
Secure OS configuration
Authentication required
Drive-level encryption
Host-based firewall
Anti-virus
Application and data sandboxing
Domain environment
What are some of the considerations we need to take in account for Routers, switches, and network-based firewalls ?
Routers, switches, and network-based firewalls
The following is hardening information with respect to routers and switches, and also for network-based firewalls:
Change defaults
Virtual local area network (VLAN) creation: no default VLAN.
Secure communications: not just encrypted, but securely encrypted:
Secure shell 2.0 (SSHv2)
Transport layer security (TLS) 1.3
Disable Internet Control Message Protocol (ICMP).
Disable legacy protocols:
FTP (unsecured)
Telnet
Limit or disable discovery protocols
Loop meditation:
STP.
Poison Reverse and Split Horizon.
What are some of the considerations we need to take in account for Cloud Infrastructure?
Cloud infrastructure
The following is hardening information with respect to cloud infrastructures:
Identity management
Access control (include conditional access and policy-driven access control).
Data governance: classification, data loss prevention (DLP), policy.
Hardening all resources, including workstations, services, and network devices such as firewalls and web application firewalls (WAFs).
Data encryption: in rest, in transit.
Auditing and logging.
Disable legacy and unsecure protocols, such as TLS 1.0. /1.2
What are some of the considerations we need to take in account for Specialized systems SCADA?
Specialized systems
The following is hardening information with respect to specialized systems:
Industrial control systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems:
Documented system architecture, connection points, and controls.
Reoccuring authentication and logging of all connection and access points.
Disable or remove unnecessary connections and services.
Proprietary protocols: this intellectual property can have a veil of secrecy or undisclosed backdoors.
Identify, document, and control all administrative backdoors.
Implement an intrusion detection system (IDS) or intrusion prevention system (IPS).
Air gap systems.
Physical security.
What are some of the considerations we need to take in account for Embedded systems?
Embedded systems:
Often proprietary, patch management, specifically security patching, can be problematic or challenging.
Air gap.
Retire, decommission, replace.
What are some of the considerations we need to take in account for RTOS?
RTOS: Deals with predictability and anticipation to guarantee availability for processing – general OS do not do that.
Real-time OS (RTOS) respond under extremely time-sensitive conditions.
Partition of the system. -UEFI secure boot needed or TPM
Enable secure boot for Unified Extensible Firmware Interface (UEFI)-based systems.
Disable all unnecessary communications and services.
Secure all communications.
Implement firewall.
Principle of least privilege or, in this context, principle of least execution privileges for applications.
What are some of the considerations we need to take in account for IoT’s?
IoT devices:
“Single pane of glass” view that identifies all Internet of Things (IoT) devices across an organization.
Centralized administration
Change all defaults.
Implement security patches and firmware updates.
Authentication and reauthentication.
Access control.
Data logging.
Configuration management and configuration sprawl.
Non-repudiation and accountability
