What are endpoints?
Devices such as desktops, mobile devices, servers, etc. anything that is the literal end point of a network.
Boot Integrity
- What are the two firmware options?
- What are the two boot techniques and what do they do?
- UEFI and BIOS (Unified Extensible Firmware Interface and Basic Input/Output System)
- Secure boot ensures the system boots using only OEM trusted software, and Measured Boot processes measure each component and hashes everything involved in the boot process. The data is then stored in the TPM and can be compared against known good states.
Boot integrity begins with the hardware root of trust, which contains cryptographic keys that secure the boot process. This means the system inherently trusts the hardware root of trust.
- What is a common implementation of hardware root of trust? (frequently provides built-in encryption)
- What are its three major functions?
- TPM chip
- Remote attestation, binding which encrypts data, and sealing which sets requirements for the TPM chip before decryption.
HSMs are another related technology that are frequently used in high security environments.
Anti-malware methods
- Signature-based detection - uses signature detection (like a thumbprint) of common attacks.
- Heuristic, or behavior based detection - looks at the actions taken by malicious software and identifies them that way.
- AI and ML systems - leverage large amounts of data to find ways to identify malware.
- Sandboxing - sandbox is a protected environment for testing unknown (possibly malicious code) so it can be observed.
Anti-malware packages are a last line of defense against systems being infected or compromised.
What are Allow and Deny Lists?
Which provides more security?
Allow lists are a set list of software, apps, etc. that are allowed to exist/run on a system. anything not on the list will be removed or disabled.
Deny lists (block lists) are a set list of software, apps, etc. that are NOT allowed on the system and they will be removed or disabled.
Allow lists provide a greater level of security.
What is EDR?
Endpoint Detection and Response tools monitor devices to collect data and analyze events. Key features of EDR systems is the ability to search collected data to investigate or delete suspicious data.
EDR systems look for IoCs.
What is DLP?
Data Loss Prevention tools are used to protect organizational data from theft or inadvertent exposure.
DLPs classify and label data and can be set to notify admins under certain conditions. Some can encrypt data when it’s sent outside of internal network.
Like antimalware and EDR systems, DLPs can track questionable behavior.
Always implement data classification scheme before using DLP.
What is a HIPS? How is it different from a HIDS?
Host Intrusion Prevention Systems analyze traffic before services on the host process it. HIPS can take direct action against requests. Misidentifying traffic as malicious is a problem and can cause outages.
Host Intrusion Detection Systems do the same thing as a HIPS, but cannot block traffic. They can only report issues to admins.
What is a NGFW?
Next Generation Firewalls go beyond traditional firewall capabilities:
- Built in IPS/IDS functionality.
- Antimalware/antivirus (am/av)
- Geo IP/geolocation capabilities
- Proxying
- Webapp firewall capabilities
- sandboxing
- You are likely to deploy a NGFW to protect a network rather than as an advanced host firewall.
Service Hardening
Common Ports and services
- always reduce the number of open ports to only those required for necessary services. 22/TCP - SecureShell (SSH) 53/TCP and UDP - DNS 125-139/TCP and UDP 389/TCP and UDP - LDAP 443/TCP - HTTPS 3389/TCP and UDP
What is OS hardening?
Using system settings to reduce the attack surface of your operating system.
How can you harden the Windows Registry?
registry is the core of how Windows tracks what is happening, and is thus a target for attackers.
- configure permissions
- disallow remote registry access
- limit registry tools like regedit
What roles do standard naming conventions play?
- identify systems based on purpose, location, etc.
- make systems more anonymous (examplecorp123 is less meaningful than sqlserver123)
- make scripting and management easier
Why might an organization adopt standardized IP schema?
- ensure you are managing IP address space to avoid collisions
- Identify systems that shouldn’t be using a given address
Patch management
common practice is to delay the installation of a patch for a few days. That allows the patch to be installed around the world and hopefully any issues will surface so the company can decide whether to install the patch or not.
What is FDE?
Full Disk Encryption encrypts the disk and requires that the bootloader or hardware device provide a decryption key and software or hardware to decrypt the drive for use.
What is transparent encryption? (also called on the fly or realtime encryption)
Transparent encryption is usually invisible to the user, with the drive appearing unencrypted during use. This means that an attacker can simply gain access to the system while the drive is unlocked.
What is an SED and what is it used for?
Self Encrypting Drives implement encryption on their hardware and firmware. These systems require a key to boot.
Disk encryption downfalls
- if the key is lost, then the system with the data is fucked.
What is Sanitation?
Wiping the drive or destroying the media.
- degaussers work on tapes and magnetic media, but SSDs and other requires other options. Degaussed devices can be reused!
Solid state stuff requires destruction or overwrite, but overwrites can miss data on SSDs.
- Built in secure erase command can be used and is secure, but an even better option is full disk encryption.
Command-Line Tools: head
Shows you first part of a file, by default first 10 lines. Handy to quickly see whats in a file. can change the number of lines shown by using the -n flag.
Command-Line Tools: tail
displays last 10 lines of a file, used to view recent log entries. -n flag can still be used to change number of lines shown. As with head, tail can monitor multiple files at a time.
Command-Line Tools: cat
Cat, short for concatenate, is used to output files to standard output or append files to other files.
Command-Line Tools: grep
grep is a search command that allows you to search for patterns that match provided text or regular expressions.
- grep command has -A and -B options which when provided with a number as an input, will print that many lines before or after the matching pattern.
Command-Line Tools: chmod
chmod lets you set permissions on files and directories, either using a symbol or a numeric representation of the permissions you wish to set.
-
Chapter 1 & 2 Todays Security Professional & CyberSecurity Threat Landscape7
-
Chapter 3 Malicious Code27
-
Chapter 4 Social Engineering, Physical, and Password Attacks23
-
Chapter 5 Security Assessment and Testing26
-
Chapter 6 Secure Coding48
-
Chapter 7 Cryptography and the Public Key Infrastructure63
-
Chapter 8 Identity and Password Management45
-
Chapter 9 Resilience and Physical Security21
-
Chapter 10 Cloud and Virtualization Security38
-
Chapter 11 Endpoint Security48
-
PORT/PROTOCOL21
-
NETWORK TOOLS24
-
Chapter 12 Network Security124
-
Chapter 13 Wireless and Mobile Security54
-
Chapter 14 Incident Response18
-
Chapter 15-17 Forensics, Policies/Standards/Compliance, Risk Management46
