Topic 10A Flashcards
Many security concepts apply to operating system security, including
access controls
authentication mechanisms
secure configurations
application security
secure coding
patch management
endpoint protection
user awareness training
monitoring.
least functionality
that a system should run only the protocols and services required by legitimate users and no more. This reduces the potential attack surface.
Example: Interfaces that are not required on a machine will be disabled rather than left unused
Unused services should be disabled
Workstation security
Due to the varied tasks and numerous applications associated with workstation use, they generally have a large attack surface.
Use hardening practices like removing unnecessary software, limiting administrative privileges, strictly managing application installations and updates, and many other changes.
regular training and awareness activities to educate users about threats
the need to secure peripheral devices like USB ports is unique to workstations
configuration baselines
On a Windows domain network, each domain-joined computer will receive policy settings from one or more group policy objects (GPOs). These policy settings are applied to the registry each time a computer boots.
Rights to modify the registry should only be issued to user and service accounts on a least privilege basis. A host-based intrusion detection system can be configured to alert on suspicious registry events.
Baseline deviation
means testing the actual configuration of hosts to ensure that their configuration settings match the baseline template. On Windows networks, the Microsoft Baseline Security Analyzer (MBSA) tool was popularly used to validate the security configuration.
Endpoint security solutions
Segmentation
Device isolation
Antivirus and Antimalware
Full disk encryption
Patch management
Full device encryption drawback
because the OS performs the cryptographic operations, performance is reduced. This issue is mitigated by self-encrypting drives (SED)
self-encrypting drives (SED)
the cryptographic operations are performed by the drive controller. The SED uses a symmetric data/media encryption key (DEK/MEK) for bulk encryption and stores the DEK securely by encrypting it with an asymmetric key pair called either the authentication key (AK) or Key Encryption Key (KEK).
enterprise patch management suite
Used to manage patches so incompatibilities with other applications do not become an issue.
Testing patches before deploying them into the production environment is crucial for maintaining the stability and security of software.
Patches can affect availability of critical systems
endpoint detection and response (EDR)
aims to provide real-time and historical visibility into the compromise, contain the malware within a single host, and facilitate remediation of the host to its original state.
focuses on protecting endpoint devices like computers, laptops, and mobile devices by collecting and analyzing data from endpoints to detect, investigate, and respond to advanced threats that may bypass traditional security measures.
detects and responds to advanced persistent threats and ransomware, and it provides valuable forensic insight after a breach
file integrity monitoring (FIM)
One of the core features of HIDS
When software is installed from a legitimate source (using signed code in the case of Windows or a secure repository in the case of Linux), the OS package manager checks the signature or fingerprint of each executable file and notifies the user if there is a problem
Protection service runs automatically and the System File Checker (SFC) tool can be used manually to verify OS system files.
user and entity behavior analytics (UEBA)
is a cybersecurity approach based on monitoring and analyzing the behavior of users within an organization to detect anomalies indicative of potential threats, such as insider threats, compromised accounts, or fraud
Once baseline profiles have been established, the UBA system continuously monitors and compares new behavior against the established baseline, alerting security personnel to unusual or suspicious activities.
When endpoint security is a concern, there are several classes of vector to consider for mitigation:
Social Engineering
Vulnerabilities
Lack of security controls
Configuration drift - attacks often exploit undocumented configuration changes (shadow IT software or an unauthorized system change, for instance). Implement mechanisms that reapply secure baseline configurations.
Weak configuration
Access control lists (ACLs)
used to enforce access control policies. An ACL is a list of rules or entries that specify which users or groups are allowed or denied access to specific resources or perform certain actions. In networks, ACLs are associated with routers, firewalls, or similar devices
Each access control entry (ACE) typically contains a user or group identifier and associated permissions controlling actions that are allowed or denied
An allow list (or approved list) denies execution unless the process is explicitly authorized.
A block list (or deny list) generally allows execution but explicitly prohibits listed processes.