Security Technologies

Host Technologies - Firewalls

  • Firewalls
    • Windows: type 'wf.msc' at cmd.
    • Linux Uncomplicated Firewall: 'ufw' or 'iptables'.
  • Firewall Configuration
    • End users shouldn't be allowed to disable the firewall.
    • Monitor both incoming and outgoing network traffic.
  • Output depends on the FW applications and OS:
    • Windows Event Viewer
    • Linux logging: /var/log

Host Technologies - HIDS/HIPS

  • Sensors on each host relay to a centralized management console.
    • Compiles data to identify distributed trends.
  • May be included with Host Firewall or AV solution.
  • Consult Documentation.
  • Issues:
    • False positives - legit traffic labelled as an attack.
    • False negatives - attacks labelled as legit traffic.
    • Matching traffic identified as an attack with the actual network traffic.
  • NIST SP 800-94 - Guide to Intrusion Detection and Prevention Systems (IDPS)

Antivirus & Anti-Malware

  • Windows Defender
  • End-user pop-up warning.
  • Centralized management console warning.
  • Quarantine vs Removal.
  • Issues:
    • AV not updated or has outdated signatures.
    • False positives.
    • May be ignored or not seen.
    • Incorrect decision.
    • Malware may still be present.
  • Solutions:
    • Auto-update (need network connectivity).
    • Detach system from the network.
    • Use multiple AV products.
    • Manual removal - hunting malware with SysInternals
    • Reimage the system.

File Integrity Checker

  • Computers a cryptographic hash for all selected files and creates a database of the hashes.
  • Hashes are periodically recalculated and compared to the hashes in the database, to check for modification.
  • Output to a centralized server.
  • For alerts, determined what changed and why.
  • Example: Tripwire

Application Whitelisting

  • Organization approves software apps. All others are not allowed.
  • Example: Windows AppLocker
  • Based on conditions:
    • Publisher, for digitally signed files.
    • Path, which identifies an application by its location.
    • File hash, which uses a system-computed cryptographic hash.

Data Loss Prevention (DLP)

  • Prevent sensitive info from physically or logically leaving corporate systems.
  • Designed to detect and prevent unauthorized use and transmission of confidential info.
  • Should include corporate data stored in the cloud.
  • Network: Content-filtering (proxy).
  • System: Application white-listing.
  • Hardware: USB blocking.

Removable Media Control

  • Detects or prevents the use of removable media.
  • Local or network.
  • Set by corporate policy.
  • Exception handling.
  • Use only corporate owned / secured devices.
  • Scan removable media on each use.
  • Encryption.

Patch Management

  • Automate updates when possible.
  • Patching process:
    • Vendor notification.
    • Testing.
    • Staged deployment.
    • Reporting.
  • Alerting on failed patches.
  • Patching all apps / systems.

Patch Management Services

  • Microsoft System Center Configuration Manager (SCCM) formerly Systems Management Server (SMS)
  • Linux RPM (Red Hat Package Manager)

Data Execution Prevention (DEP)

  • Hardware or Software.
  • Prevents malware from executing in memory space that is reserved for operating system processes.
  • Both Advanced Micro Devices (AMD) and Intel platforms have DEP hardware capabilities.
  • Available on Windows 10.
Copy link
On this page
Host Technologies - Firewalls
Host Technologies - HIDS/HIPS
Antivirus & Anti-Malware
File Integrity Checker
Application Whitelisting
Data Loss Prevention (DLP)
Removable Media Control
Patch Management
Patch Management Services
Data Execution Prevention (DEP)