By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
Objective 3.2 Given a scenario, implement configuration changes to existing controls to improve security By now, you should remember that security controls are measures taken to protect a system and its data. Controls are applied to a system, to data, to the operating and physical environment, and the organization as a whole to reduce risk, ensure privacy, and increase protection for sensitive assets. In this module, we’re going to discuss several controls you need to know for the CYSA+ exam. We don’t just limit our discussion to configuring and implementing controls in this objective, however.
Cybersecurity is heavily concerned with implementing and managing controls in some form or another, whether they are technical controls such as encryption, managerial controls such as policy, or physical controls such as gates and guards. In this module, we will look at some more of the technical controls, including permissions, access control, firewalls and IPS, data loss prevention, endpoint security, network access control, malware rules, sandboxing, and port security. Before we get into these topics, however, we will also review some basic control concepts to refresh your memory and put you in the right frame of mind for addressing controls. KEY TERM: A control is a security measure or mechanism that is implemented to address a specific vulnerability and protect systems, data, and the organization. Review of Control Concepts In this section, we will briefly recap control concepts, including control categories, functions, and how controls are implemented with regard to risk. Control Categories and Functions Security controls typically fall under one or more of three categories: managerial or administrative controls, logical or technical controls, and physical or operational controls. Keep in mind that different texts may refer to these control categories and functions differently, but the meanings are still essentially the same. Also, remember that there are types of controls that are categorized by function: deterrent, preventative, detective, corrective, recovery, and compensating.
The below tables describe the three basic categories of controls and control functions, respectively. The Three Basic Control Categories Control Function Descriptions and Examples A few items to note about control functions: Most controls do not cleanly fit into one control function or even a control category. Most of them overlap in some way. For example, a CCTV can be a deterrent control and a detective control at the same time. It can deter users from committing a policy violation because they know they are being observed, and it can also detect malicious events or policy violations after the fact since it records video that can be reviewed later. Sometimes people get confused about the difference between deterrent and preventative controls. A deterrent control is, in fact, also a preventative control; however, the chief difference is that in order to be effective, a deterrent control must also be known about. A warning banner on the screen can deter a user from committing a malicious act, as can a CCTV camera because the user knows they are being monitored. This requires the user to make a choice between committing the act or not. A preventative control, on the other hand, does not have to be known to be effective. A firewall rule that prevents the user from going to a malicious website will work regardless of whether or not the user knows about it. Both examples are preventative in nature, but only one is also a deterrent control. One more item to note is the difference between recovery, corrective, and compensating controls. They all sound very similar; in fact, they can also overlap as well. A recovery control can be both a preventative control and a recovery control; consider a system backup, for example. It is a preventative control because it can help prevent data loss; however, in the event of an equipment failure, it can be used to restore lost data to a system, making it a recovery control as well. A corrective control is temporary in nature; it is used to immediately correct an unsafe or insecure condition, possibly after an attack or some other negative event. With a corrective control, you know that the security issue is only temporary, and the deficient or missing control it is used to correct will either be back online soon, or a more permanent solution will be implemented. Expanding one of the examples listed in Table 3.2-1, suppose a fence has been cut or temporarily damaged due to weather. You know the fence will be fixed within a week or so, but for the moment, you must put a guard near it to make sure that no one goes in or out of the hole in the fence. That makes it both corrective and temporary. This is different from a compensating control, which is more long-term in nature. A compensating control is used as an alternative control when the preferred or desired control is not available or is infeasible to implement due to technical, environmental, or resource constraints. A longer-term approach may be needed; in the example where a guard is temporarily placed near the hole in the fence until the fence can be repaired, suppose the organization doesn’t have the budget to fix it and knows that it will be quite a while before the fence is repaired. It’s also not cost-effective or practical to permanently make a guard stand near the hole, so the organization may close off or barricade that entire area to prevent anyone from even approaching the fence. It also may set up CCTVs on a long-term basis to ensure that no one goes in or out of the whole in the fence. Note that compensating controls could still be temporary, as are corrective controls, but they are usually more long-term, of indefinite duration, and often consist of more resilient solutions. Control Implementation and Risk As mentioned before, security is in delicate balance with functionality and resources. Often you want more security, but it will come at the expense of functionality, and you may not have the resources to have as much protection as you want. This is where risk management comes in. You must decide if the impact of a negative event is more costly than the controls it would take to prevent the incident or lessen its impact. Consider this scenario: if all the controls necessary to protect a server from being stolen or damaged cost $10,000, for example, and the server and its data have been valued at $5000, then obviously the cost of security outweighs the value of the resource. This is where the balancing act comes in. Controls must be implemented that are cost-effective; in other words, they must be of a cost that is less than the value of the resource they are trying to protect. When considering cost-effectiveness, you should look at the entire aggregate list of controls you must implement to protect an asset from a specific vulnerability or negative event. On the other hand, when considering the value of an asset, you should consider not only its replacement cost, but also the amount of revenue it generates for the organization, as well as intangible value, such as consumer confidence or business reputation. For example, the physical server may only cost $5000, and the data may be valued at $3000. However, if this server processes transactions that generate $5000 in revenue per week, you can quickly see that the value of this server is far more than its replacement cost. These are factors that must be considered when estimating the value of an asset. Then, you must determine if the cost for implementing controls to protect an asset is below, equal to, or exceeds the value of the asset. In addition to the initial purchase of the control, you also have to look at longer-term issues, such as support contracts, upgrade costs, labor hours, personnel, and other costs involved in implementing and maintaining the control on a long-term basis. In the end, you simply must weigh whether the control is worth it or not. If it is, you should consider implementing it; if not, you should consider other (possibly less expensive) compensating controls that can help mitigate or lower the risk an asset incurs to an acceptable level. These can be controls that reduce vulnerabilities, add additional protection, or even reduce the likelihood or impact of the negative event. Exam tip: Understand the balance that must be achieved in implementing controls; you must consider the cost of the control, the value of the asset it is protecting, and the risk the control mitigates. Permissions We’ve discussed the process of identification and authentication, and you already know that just because someone is authenticated to a network doesn’t necessarily mean they have the authorization to perform any actions on a network resource, such as a file, folder, or printer. This is where rights, privileges, and permissions come in. These are assigned to a user (or, preferably, a group of users) to grant them the ability to access resources and perform actions with them. Without going into the more subtle differences between rights, privileges, and permissions, you should know that permissions are generally given to grant access to and determine actions that can be performed with resources. These include both local (on the host) and networked resources. Permissions to resources are based on individual identity and business needs; an identified, authenticated user should have a valid business need (and sometimes clearance level) to access and interact with a resource. Permissions are routinely granted to users; however, it is a much better administrative practice to grant permissions to groups with similar requirements and then add users to the group. In addition to granting permissions to resources to groups, you can also impose other restrictions on members of the group as well, giving you even more flexibility to manage users. Most operating systems manage permissions a bit differently; there are differences in the way Windows permissions work and the way permissions in Linux and other UNIX-based operating systems work. In the two following sections, we will discuss the permission structure of each. Windows Permissions Permissions for the Windows operating system have traditionally consisted of two types: file system permissions, which control access to local files and folders on a Windows box, and share permissions, which control access to a Windows share over the network. These are not mutually exclusive; you can implement both at the same time, which can sometimes have unintended consequences. File system and share permissions can often conflict; a person who has the Full Control file system permission for a file yet is explicitly denied access through a share permission will find that they are denied access to the file if attempting to access it remotely. For a user interactively logging in to the local box, share permissions are not an issue, however.
The following are the Windows file system permissions: - Full control - Modify - Read and execute - List folder contents (folders only) - Read - Write - Special permissions Note that special permissions aren’t different from the permissions listed above it; they allow you to take additional actions such as change the creator/owner of a file or folder, view permissions, audit access to the file or folder, and view the effective permissions for the user, taking into consideration the groups they belong to.
Remember that Windows share permissions apply to folders, not files, and are only for users accessing the shared folder remotely across the network. Share permissions do not affect a user logged in interactively (locally) to the system.
The share permissions for Windows folders are as follows: - Full Control - Change - Read
Effective permissions are the actual permissions you have to a resource, after taking into account any individual permissions that have been assigned to you by the creator/owner of a file or folder, combined with any permissions you have as a member of a Windows group that may have permissions to that resource. Effective permissions also consider file system permissions versus share permissions you have been assigned. For example, if you are in a group that has been assigned only Read and Execute permissions, but the folder owner has assigned your user account with Full Control permission, you effectively have full control over the folder, including the ability to assign other users permissions. However, if you are assigned a deny for a permission, it takes precedence over other permissions. Denying you write access to a file for your individual user account means that you cannot write or change the file, even if you are in a Windows group that has been allowed write permission to the file. File and share permissions combined work in a similar manner. Permissions are accumulative except in the case of a deny permission for either type.
The figure below shows an example of Windows permissions for a file FIGURE: Example of Windows file system permissions
Figure shows share permissions for a Windows folder shared across the network. FIGURE: Example of Windows share permissions Linux Permissions Linux and other UNIX-like operating systems have a different permission structure than Windows. In some ways, it’s not as complicated, but in other ways can be equally difficult to determine. There are only three basic permissions for Linux: read, write, and execute. However, these permissions can be assigned in different combinations to three entities: User, Group, and Others. Linux can use either alphabetic designations for its permissions (such as r, w, and x for read, write, execute, respectively) or octal numerals. The octal numerals representing the read, write, and execute permissions are 4, 2, and 1, respectively. The different combinations, when assigned to the different entities, can represent the total effective permissions for a file or directory. Permissions are additive, using the octal numerical representations. For example, the user who has read and write permissions but no execute (symbolized by the “-” for the execute permission, in this case) has permissions that, when added together, equal the octal number 6 (since read is 4 and write is 2, so the combination of read/write is 4+2, which equals 6). Note that the dash symbol (-) means there is no permission assigned and represents a numerical 0. Table 3.2-3 shows how this works. Alphabetic Versus Octal Notation for Linux Permissions Using this representation, the most permissions any particular entity can get are read, write, and execute, which is represented by either rwx or the octal number 7. Permissions less than that are indicated by their respective alphabetic or numerical designators. In the example from the table, you may see permissions to this file listed as 764. You will frequently see these permissions listed together, such as 777, which means that all three entities have full read, write, and execute permissions, and 664 would mean that the user has read and write, groups that have been assigned permissions to the file or directory have read and write, and any others only have read permission.
The figure below illustrates an example of Linux permissions. Note that the “d” at the start of a permissions entry means that the entry is a directory versus a single file. FIGURE: Example of Linux permissions Note: macOS, while not specifically mentioned in our discussion of operating system permissions, is originally based on BSD UNIX, so it uses UNIX-style permissions as well.
Remember that permissions, regardless of the operating system in use, should follow the principle of least privilege; users should only get the permissions they need to perform their assigned functions, and no more. This is especially important to watch for in a complex network where users may be explicitly assigned permissions to their user accounts, but at the same time, they are members of groups that may also have different permissions assigned. In such an environment, it can be difficult to monitor effective permissions and ensure that users get only the cumulative permissions they need. Permission creep, where a user may get increasingly more (and excessive) permissions over time, can happen easily in complex environments. Exam tip: You will likely not be expected to know the specifics of Windows and Linux/UNIX permissions for the exam, but as a cybersecurity analyst, you should be familiar with these concepts. Access Control Lists Many security mechanisms use access control lists (ACLs). Access control lists essentially dictate rules for access to a particular resource or device. Access control lists can be found in different contexts. A resource, such as a folder, can have an access control list that lists users as well as their permissions to that resource. A network device can also have access control lists, which can dictate which ports, protocols, and services are allowed inbound to or outbound from the device, traversing the network. Regardless of the context, the concept is essentially the same. Access control lists permit or deny actions based on a ruleset. Normally, each entry in the list is considered a rule, which establishes the item that is allowed or denied, the action to be taken (allow or deny), and a specific set of conditions that rule must meet in order to be implemented. Normally, in most access control lists, rules are read by the system sequentially. Once a rule is matched by a particular piece of traffic, content, or another item, rule processing for that particular content stops. ACLs can be used to control network traffic, actions performed on a resource, applications that users can run or install, and even access to a website. Regardless of the way ACLs are implemented, they all work in a similar fashion, but how it is implemented depends on the resource, the technology used, and what the overall goal is in implementing the ACL.
One use for access control lists that you must be familiar with for the exam is the use of default deny and default allow lists. Previously widely known as whitelisting and blacklisting, this security paradigm involves creating lists of allowed actions, network traffic, or content and then implementing those lists into a set of rules that specifically either allows everything that is on the list or denies everything that is on the list. We are going to talk about each one of these next. Note: As with everything in technology, concepts and terms change from time to time, based on newer technologies, the environment we live and work in, and even social change. And so it goes for, the terms whitelist and blacklist, which have been deprecated and are decreasing in use within our professional security community.
However, be aware that because the exam objectives may not have caught up with social change at the time of this writing, you may still see whitelist and blacklist on the exam. Allow Lists An allow list is a list created that will be implemented into a ruleset that permits everything in the list to be used, transmitted, or accessed. Again, this can depend on context. For example, if you are centrally controlling applications a user is allowed to install or run (previously known as application whitelisting) on the system, then you would create a list of allowed applications and implement a security rule or mechanism that allows only those applications to run and no others. This process is preferred because then you have a known list of good applications that are allowed. Any application not on the list, is, by default, denied. This reduces the number of applications you must worry about controlling since only a small, finite number of applications are allowed to run and no others are allowed. In the context of a network traffic allow list, the ACL would indicate only the network traffic that is permitted to traverse inbound to or outbound from a network interface. Deny Lists A deny list is the exact opposite of an allow list; in this list, all actions or content are prohibited. In the case of applications, any applications on the list are explicitly denied from being installed or executed. In the case of network traffic, the listed ports, protocols, and services are denied inbound or outbound through the network interface. There are situations where a deny list would be preferred; however, if you only rely upon deny lists, then you are limiting the number of actions or applications denied to a very small list. That means that anything not explicitly included in the list would be implicitly allowed, which is likely far too permissive for most environments. Exam tip: Although it appears to be a counterintuitive explanation, an allow list explicitly allows only items in the list and denies everything else (effectively a default-deny condition, where you only allow by exception). A deny list explicitly denies only items in its list, implicitly allowing everything else, making it a default-allow condition where you only deny items by exception. You may have also heard the terms implicit and explicit allow or deny. These essentially mean that any items in a list are explicitly stated, and any items not in the list are implicit (understood to be not included, without stating it). This can cause a lot of confusion between terms, such as allow or deny lists, default deny or allow, and implicit or explicit allow or deny.
Explicit/Implicit and Default Deny/Allow Terms One point that’s worth mentioning is that you don’t always have two separate lists—an allow and deny list—for security mechanisms. Most ACLs, in fact, include entries (rules) for both allowed items and denied items; the difference is that there is an action located within the rule for the list that specifically states whether the item is allowed or denied. It also often has qualifiers that further define the rule. For instance, in a router ACL, you could have rules for both allowed and denied ports and protocols. One of the rules in the access control list might be that all traffic inbound on port 80 is allowed, but only for a specific IP address, and denied to all other addresses. This would send all inbound HTTP traffic to a web server, and not to any other devices on the network. You may also have heard of an explicit deny-all rule placed in access control lists, usually seen in network security devices such as firewalls or even routers. This is used as a catch-all just in case there is no rule written for a particular type of network traffic, application, or another context. Many cybersecurity analysts will place these in an ACL to prevent any unknown content from being allowed. However, use this type of rule with caution. In most ACLs, rules are processed sequentially until a match is made between the rule and the conditions it is processing. This means that if a particular type of network traffic is encountered, all rules will be examined in order until a rule is found matching the traffic and conditions that apply to it. If a rule is found that matches these conditions, the rule is processed, and no other rules are examined. In the case of a deny-all rule, all traffic would match. Therefore, as soon as this rule is processed, no traffic would be allowed to pass. This could have very undesirable consequences if the rule were placed before other valid rules since they would never get examined for processing. Therefore, if you use one of these rules, remember that it should be placed as the last entry in the list and should serve as a final arbiter for any traffic not matching an existing rule, where it will be denied.
Caution: Remember that deny-all types of rules should be the last rule in an ACL so that any allowed content will not be inadvertently blocked. Firewalls A firewall can be a dedicated network security device, or it can be integrated into other devices, such as routers, which may include firewall functions. In its most basic form, a firewall filters traffic. That means, based on its configuration through a series of rules, it receives traffic into an inbound interface, examines that traffic for particular criteria, and then makes a decision, based on its rules, whether the traffic should be allowed to exit another interface, usually going into another network or out to the Internet. There are network-based firewalls that are dedicated appliances; some are all-in-one types of security devices that include firewall, proxy, VPN, and even DLP solutions, and there are also host-based firewalls, which focus primarily on traffic entering or leaving a single host. In any case, no matter whether it is a powerful dedicated network appliance or a host-based firewall, its job is to filter network traffic. Firewalls can come in a variety of basic flavors. There are hardware firewalls, which are typically dedicated network appliances, as well as software firewalls, which are implemented as a software program on the host. Many people think of a firewall as something that is only a parameter device; however, firewalls can also be used internally to segment sensitive areas of an organization’s network away from the general population of users.
Firewalls also aren’t typically the only device at the border in any event; usually, there are several security devices, including firewalls, VPNs concentrators, proxy servers, and border routers, that are deployed in layers and are responsible for inspecting and taking action on certain types of traffic. There are also many firewalls that, in addition to network appliances, are part of enterprise-level applications such as e-mail servers that could be deployed as part of an organization’s e-mail services.
Firewalls operate their access control lists and rulesets just as described previously; there are entries that are written to handle a specific type of network traffic. The rule can specify what type of traffic and its characteristics, such as source and destination IP addresses, port, protocol, and service. There can be exceptions listed as part of the rule, and the rule will usually also dictate a default action, such as allow or deny. Firewall deployment and architecture are very important; obviously, firewalls are usually placed at the perimeter of a network, but they can also be layered in different security zones, such as a DMZ, providing protection for different sensitive areas of an organization’s internal network, or even an extranet set aside for business partners. The proper placement of firewalls can affect network security and performance, so careful network security design is important. Packet-Filtering Firewalls Basic firewalls are simple packet inspection devices; these packet-filtering firewalls use very simple criteria to allow network traffic to pass. These criteria include the protocol, port, source and destination IP addresses, and domain names. For example, a simple packet-filtering firewall could decide whether to allow or deny FTP traffic inbound to a particular destination IP address, which originates from a particular source address. Simple packet-filtering firewalls, however, aren’t sufficient to stop attacks. You may use the packet-filtering functions of a border router to inspect and block basic undesirable traffic, but higher-level functions that would prevent modern, sophisticated attacks, such as maintaining state information or deep packet inspection, can usually be handled only by a more complex firewall. Circuit-Level Gateways A circuit-level gateway is also a simpler, older firewall type. In addition to packet filtering capabilities, it filters based on the TCP handshake between two hosts. This can help eliminate handshake attacks such as a TCP SYN flood. Although very efficient for allowing or denying traffic based on packet filtering criteria and TCP handshake, it has very few other capabilities and is therefore not in wide use any longer. Even most modern border routers can perform circuit-level filtering, in addition to other basic firewall functions. Stateful Inspection Firewalls Many types of traffic (HTTP traffic, for example) are stateless. This means that there is no built-in method for the protocol to keep track of the state of communications between two hosts. From a performance perspective, this can increase the efficiency of communications between a client and a server, for example. From a security standpoint, however, it could present some issues in that there is no way to track a back-and-forth communications session effectively. This could enable unsolicited communications from an untrusted network, like the Internet, to an internal host, disguised as an established communications session that was initiated by the client. A stateful inspection firewall eliminates this issue by keeping track of different communication sessions and their states. It can track whether a connection originating from the Internet, for instance, was part of an already established communications session and then pass that response back onto the client. A stateful inspection firewall can also halt unsolicited communications that may be efforts to attack a system. It works by maintaining an internal table in memory that keeps track of communication sessions that pass through it, by the internal client source IP address, the destination address, and the ports and protocols in use during that communications session. The table contains information about all requests and responses during the session until the session is terminated. It uses this information to allow requests and responses to flow inbound through and outbound from its interfaces, in addition to the other basic criteria that packet filtering firewalls use. One disadvantage to using stateful inspection firewalls is that they introduce some delay into the communications process because of the requirement to store and maintain session information and verify that before allowing traffic to pass. Application-Level Gateways Application-level gateways, sometimes referred to as proxy firewalls, work at the application layer. They filter traffic based on application and content. In addition to having the same capabilities as a stateful inspection firewall, an application-level gateway is able to perform deep packet inspection on traffic, checking the actual content of the traffic to ensure that it is legitimate and contains no malware or other suspicious content. Web Application Firewalls (WAFs) A web application firewall (WAF) is a more recent development that serves a particular purpose; it is designed to stand in front of web applications and their platforms to prevent various web-based attacks, such as cross-site scripting, injection, overflow attacks, and so on. WAFs can also perform authentication services for web applications and can connect to various authentication services, such as Active Directory, and third-party identity providers. Next-Generation Firewalls There’s a bit of disagreement on what exactly constitutes a next-generation firewall. However, the consensus from the security community is that it includes all the basic functions that we previously described about other firewalls. It can do deep packet inspection, application-level inspection, content filtering, URL filtering, and stateful inspection, in addition to packet-filtering capabilities. Next-generation firewalls are also characterized by the fact that they are often integrated with intrusion detection and prevention systems, proxy servers, data loss prevention (DLP) solutions, network load balancers, and unified threat management systems (UTMSs). They use active threat intelligent monitoring capabilities and dynamically adjust their behavior based on that threat intelligence. Cloud-Based Firewalls Firewall services are now included in the service offerings from cloud-based providers. Many organizations, particularly smaller businesses, cannot afford the expense of network appliances or the personnel to maintain them. Firewall as a Service (FaaS) enables these organizations to minimize infrastructure and expense while at the same time providing resilient, robust, effective firewall solutions for both the cloud-based applications and their on-premises infrastructure. Cloud-based firewall services are especially effective for organizations that already have a significant presence with the cloud service provider and use service offerings such as Infrastructure as a Service (IaaS) and Platform as a Service (PaaS). Another advantage of a cloud-based firewall service is that it is easily scalable with the needs of the organization as it grows. Disadvantages of FaaS are the same disadvantages inherent to other cloud-based services: the organization is typically not in control of its own firewall and must rely on the cloud provider for rapid response for incidents and configuration changes. These concerns would need to be addressed in the agreement between the organization and the cloud service provider. Exam tip: You likely will not be expected to know the different types of firewalls; however, you should be familiar with the basic functions of a firewall, such as packet-level filtering, stateful inspection, and so on. Intrusion Prevention System (IPS) Rules We discussed intrusion detection and prevention systems in Objectives 1.3 and 3.1. In this objective, we will specifically talk about rulesets for intrusion detection and prevention systems. Since we’ve already discussed default allow and deny rules, you’ve already learned some of the core concepts of rulesets for network devices. Most network devices follow a standard convention for rules. Rules are elements of an access control list and can be found on firewalls, routers, and intrusion prevention/detection systems.
The basics of network security device rulesets are essentially the same: rules are read from top to bottom, sequentially. When traffic matches a rule, processing stops and then actions are taken based on the content of the rule. If traffic does not match a rule, it continues to be examined down the list. If there is no match for the traffic, the default configuration of allow or deny is invoked. Typically, there is a rule at the very bottom of the ruleset that specifies that anything else not explicitly allowed is specifically denied. This is called a deny-all rule and, as mentioned previously, should be placed at the very end of the rule processing for network security devices. In other words, if all else fails, and the traffic matches no other rule, then the device should invoke the deny-all rule.
Some rulesets can be very complex, as is the syntax of the rule. Intrusion detection system rules, particularly in the popular Snort IDS/IPS, require a little bit of knowledge to write and deploy. Simplistic rules are relatively easy to implement, but of course there are more complex rules that can be written.
Here is an example of a Snort rule syntax: Examining the syntax for the rule, we can see the rule designates an action, such as an alert, the protocol in use, the source IP address and port, direction (inbound or outbound, for example), the destination IP import, the rule description, the class type, and other optional parameters.
A complete Snort rule may look something like this: In this example, the rule is alerting the administrator if there is an ICMP (ping) scan from any source IP address and port to any destination IP address on the administrator’s internal network. This rule would tell you if you are being scanned via ICMP. The sid:1000003 value is the Snort rule ID; this can be assigned by the cybersecurity analyst for rules over 1,000,000 since all rule numbers below that are reserved by Snort. The classtype:icmp-event value is a predefined Snort event type. This is an extremely simple rule; Snort rules can be written to be very complex and handle all types of network traffic based on port, protocol, source and destination IP address, and other criteria. Exam tip: Understand the basics of intrusion detection systems as well as how rules are implemented. Data Loss Prevention (DLP) Data loss prevention (DLP) is the name given to a group of technologies and processes designed to prevent the exfiltration of sensitive data from an organization. DLP solutions are installed on hosts and network exit points, and they even can be used to prevent exfiltration of data through physical media devices such as USB memory sticks. DLP solutions can be installed as part of firewall solutions, proxy servers, and e-mail servers. For example, e-mails can be scanned to determine if they are being used to send predefined sensitive data outside of the organization. Any attempt to e-mail a Social Security number (SSN) or a credit card number, for instance, would be thwarted since DLP can identify and recognize patterns of data prohibited from leaving the confines of the organization’s network. Beyond simple pattern recognition, however, DLP works by labeling sensitive data with metadata that describes its sensitivity levels, as well as what can be done with the data. Data labeling enables specially configured network security devices and policies to flag sensitive data as it attempts to leave the network and prevent it from doing so. Of course, even before a DLP solution is implemented, the organization must determine its data sensitivity levels and designate data types appropriately in the policy. These written data sensitivity policies are then translated using DLP software integrated with network devices and host-based security. The software tags data with labels corresponding to the data sensitivity policy and can also be integrated with a variety of other line-of-business applications and databases. DLP is particularly essential in environments where there is a great deal of personal or medical information, such as hospitals. Endpoint Detection and Response (EDR) We have discussed many security controls and mechanisms focused on the network portion of the infrastructure. However, up until recently, one of the more neglected areas of security was the endpoint. Of course, we have antimalware solutions and host-based intrusion detection systems and host-based firewalls. These are all part of endpoint security. However, most of those solutions are designed to actively protect the host. They don’t do much more in terms of discovering important information, such as what exactly happened to the host, how it happened, what indicators of compromise were present, and so on. That’s why cybersecurity analysts began to look at more rigorous analysis of security information coming from the host. Now there is a growing trend in treating the endpoint with the same depth and fidelity of analysis that we treat the network.
Endpoint detection and response (EDR) is focused on enhanced monitoring and detection of activities that occur on the host. Like we do with networks, EDR brings in-depth data collection and aggregation facilities to the various endpoints. We can integrate all manner of data collected from the host into our network-based security information and event management (SIEM) system and look at more than just what type of traffic is coming into the host. Endpoint security is critical because that’s where most of our security issues happen, whether it is a malicious event, user complacency, or malware. Since we know that a lot of malicious activity starts on the host, the idea is to collect data that could be an indicator of compromise early on and combine this with network data so that we get a more complete picture of what is going on in the infrastructure.
The types of data we can collect and analyze include the following: - Operating system and application logs - Real-time memory usage - Real-time process activity - Registry settings - Detailed user interaction data - File and disk space data - Enhanced network traffic data
All this information we collect from an endpoint, whether it is a desktop, server, or mobile device, may indicate malicious activity such as the following: - Unusual network traffic activity - Changes to the registry and file system by potentially damaging applications - Excessive memory, CPU, network, and other resource usage - Application and operating system configuration information, often as it changes
Data is typically collected through an agent-based solution and sent to a central collection server, such as a SIEM. As you can see, EDR collects a massive amount of data that must be considered in terms of storage and processor capability since it can create an additional workload for those resources. Fully functional, robust EDR solutions are sold by vendors, but some of the major network analysis and monitoring systems also include EDR modules. Almost any strong network-based solution that purports to be a SIEM system has the capability to include EDR in its toolset. Exam tip: Be able to understand the function of endpoint detection and response as well as how it enables in-depth data collection and analysis from various hosts. Network Access Control (NAC) Network access control (NAC) is a network-based security solution that protects the infrastructure from untrusted hosts connecting to the network. Most often, these hosts are connecting via VPN or wireless connections, or even may plug into a switch port. When they connect, their security status is generally unknown, even if they are corporate machines and have connected before. They may have malware or other issues that can harm other hosts. They might also not conform to the organization’s baseline security configuration policy. NAC serves as a gateway when an unknown or untrusted host connects, and it ensures that the host is secure before it is allowed to connect. There are several aspects of network access control you should be familiar with. A NAC is usually implemented as a network device, or as part of a larger integrated security solution. Many VPN servers and wireless access points have built-in NAC solutions. The idea behind NAC is that when the host joins, it receives a very limited connection to the network, usually only to the NAC device. The NAC initiates a series of health checks on the client, determining if it has antimalware software, if its signatures are up to date, its patch level, and other security configuration checks. Based on the security policies configured the NAC, the host may be denied a connection into the network, or the NAC may initiate remediation on the host, such as updating its antimalware signatures or its patch levels or reconfiguring its security settings. Note that updates and reconfiguration are typically only possible with a managed device; if an unmanaged device connects to the network, it will likely be denied a connection. In addition to handling remotely connecting devices, NAC can also be integrated into the infrastructure as a system covering all connected devices, even the ones that are persistently connected to the network. There are integrated solutions that can provide NAC services to all hosts, including vulnerability scanning, patch management, and application deployment. These solutions can routinely scan all hosts on the network for security health and remediate issues whenever necessary. Most NAC solutions require an agent-based implementation, so all devices are centrally managed. NACs can be configured to handle many different types of hosts and can create different policies for different groups of hosts, such as servers, user workstations, and mobile devices. Additionally, a NAC can further define network access control rules using factors such as time of day, the role the machine or user has on the network, the host’s logical or physical location, and other specific rules that can be configured in the NAC policies. NAC solutions can be resource intensive; scanning and remediating can take up a lot of network resources, so it’s a good idea to have a strong, resilient network with plentiful bandwidth when implementing NAC. As with all network-based security solutions, any data collected by the NAC can be forwarded on to a centralized SIEM to be added to all other collected data for aggregation and analysis. This data can be used for historical or trend analysis regarding the health of client machines. Exam tip: Understand the purpose of a NAC and how it protects the network from untrusted or unknown hosts connecting to the infrastructure. Be able to distinguish it from other types of network security devices. Sinkholing Sinkholing is a technique used most often to redirect traffic that could potentially be malicious to a different IP address. For example, let’s say that one of your hosts is compromised and is trying to send data to a malicious command-and-control server on the Internet. Once you determine that this is the case, you could take the host offline or clean it of any malicious software. However, you could also leave the host up to determine the exact details of the malware that is causing it to send data to the remote server, without allowing it to do so. A simple way to do this would be to create an entry in your DNS server that redirects all traffic destined for the remote IP address to a local IP address or server, effectively keeping the traffic from going out on the Internet so that the host can’t respond to instructions from the command-and-control server. KEY TERM: Sinkholing is the process of diverting potentially harmful network traffic to a designated internal server or IP address, thus preventing it from exiting the network to a malicious entity. Malware Signatures Malware is a piece of software running on a machine with malicious intent. By malicious, we mean that it has the intent to disrupt the operation of the host and potentially compromise the confidentiality of data, making it available to unauthorized persons, changing the integrity of data or the operating system, and making the host unavailable for use by authorized personnel. Malware can do all these things. Malware is transmitted via network traffic, over e-mail, and through infected files on removable media. Antimalware products are designed first to detect any instances of malware on systems, but also to eradicate that malware. Most antimalware products are very good at this, particularly for the well-known types of malware.
It is the unknown types of malware that are of concern to us. These are the pieces of malware that may contain zero-day exploits, where there is no detection signature for them, and we don’t know anything about their characteristics or how to eliminate them.
Even without signatures, malware can be detected through behavior analysis. Some antimalware and host-based intrusion detection products can look at system behavior that is out of the ordinary and flag certain behaviors as suspect. This could be indicators such as excessive CPU or memory usage, high-bandwidth utilization, and so on. Users may also help detect potential malware through reporting inconsistencies in how the host operates, particularly if it is behaving out of the norm. In any case, malware detection is not an exact science; there is so much malware out on the Internet and on our systems that we still are unable to detect since malware authors are far more sophisticated than we may believe. They are constantly finding new and different ways every day to hide malware, change its signatures, and cause it to dynamically morph while running on a system. In the following section, we will discuss some of the particulars of creating malware signatures and how rules can be written for them. Development/Rule Writing Malware signatures are still the most used method for detecting malware. Most antimalware products are signature based, although most also perform some type of heuristic or behavioral analysis as well. Most malware signatures are written by the malware vendors, but cybersecurity analysts can also write their own custom signatures for their own environments. One such tool to write malware signatures is called YARA.
YARA is a popular open-source tool used to identify and classify malware. It can be used to perform rule-based detection of malicious files. YARA rules are made up of two parts: a string’s definition and a condition. The string’s definition defines patterns that will be used to search for in a potentially malicious file. The string consists of an identifier, a “$”, and the name. The condition portion defines the conditions of the rule, using Boolean expressions.
You can use an open source Python rule generation script created for YARA called yarGen, which can help create YARA rules by searching for strings found in malware files. Essentially, you call the Python script and specify the directory you would like to search in, and yarGen will search for potential strings that could be considered malicious. You can then add these rules to a database.
In addition to YARA, there is also an open-source project from Cisco’s Talos threat intelligence group called BASS, which can generate antimalware signatures if you have the potentially malicious samples. BASS is a framework for developing a database of pattern-based signatures. Sandboxing Sandboxing is used to protect a system from unknown or untrusted software that could have malicious properties. Although antimalware is very good at detecting known malicious software and, to a degree, conducting a behavioral-based analysis of untrusted software to determine if it presents a threat to the system, it is not perfect. Sandboxing is a technique that cybersecurity analysts use to load and execute an untrusted application in a safe environment, where it cannot harm the host. In earlier days, analysts had a special host (sometimes called a detonation chamber, copying the military term for a dedicated chamber to safely disarm or blow-up potential explosive devices) dedicated to running unknown and untrusted software to determine its safety. However, with the advent of micro virtualization, analysts can now execute untrusted software in a small, dedicated virtual machine host. This sandbox, as it is referred to, can isolate and execute the software in a secure environment to ensure that it does not interfere with or alter the underlying system in any malicious way. Sandboxes are also very useful for malware forensics so that the malware can be reverse-engineered and analyzed. KEY TERM: Sandboxing is the process of executing a potentially malicious application in a controlled, secure environment for analysis. Port Security The word port has a lot of different meanings in information technology and security. You can “port” software from one platform to another, you can plug into a USB “port,” and you can send information over a TCP “port.” You can also have network ports, and although the term port security is tied to that context, it’s more than that. Port security does not necessarily mean only securing a physical network port on the switch, for example, although it certainly can include that. Certainly, you can configure a switch to turn off certain unused physical network ports or enable them to be tied to only specific MAC addresses. This is more of a function of the switch itself than a formal port security standard. Port security can also involve placing different network ports in specific virtual local area networks (VLANs) so that when a host with a specified MAC address plugs in to the switch port, it automatically becomes part of a specific VLAN. Port security as a technology is a name given to various authentication and encryption technologies that can secure logical network connections, typically from remote users. The standard for port security that we often hear about is the IEEE 802.1X specification. 802.1X provides for port-based authentication, and although widely seen on wireless enterprise network implementations (for example, WPA/WPA2 Enterprise), it can also be used on wired networks as well. 802.1X can authenticate both users as well as devices to the network. Because it’s more of a port-based security authentication framework than a protocol itself, it uses a wide variety of authentication and encryption protocols, including the classic Extensible Authentication Protocol (EAP) and its many variants (EAP-TLS, EAP-TTLS, and so on). As mentioned, 802.1X is most often seen in situations where users and devices connect to the corporate network either through wireless means or remotely via VPNs or other remote access technologies such as RADIUS. Exam tip: Understand that port security is a collection of technologies that may include assigning specific hosts to a VLAN and dynamically disabling unused ports on the switch, and consisting of various authentication and encryption technologies. Understand the basic concepts of the IEEE 802.1X port security standard. REVIEW Objective 3.2: Given a scenario, implement configuration changes to existing controls to improve security In this module, we discussed the fact that security controls are not static and must require changes from time to time since risk constantly changes. Controls may be replaced, upgraded, or even eliminated in some cases. First, we reviewed some important control concepts, such as the control category and function. There are typically three categories of controls considered by cybersecurity analysts: managerial or administrative, logical or technical controls, and physical or operational controls. There are also different functions each control performs: deterrence, prevention, detection, correction, compensating, and recovery. Many of these controls are extremely similar in function; in fact, some controls overlap and cover various functions. We also looked at how controls are balanced with risk. The organization must look at the total cost of implementing a control versus the value of the asset it is protecting. Decisions and tradeoffs will have to be made about whether the resources are worth the expense of the control, based on the amount of risk that can be mitigated. We also talked about different controls, including permissions and access control lists. We discussed how permissions are best assigned to groups versus individual users, and we looked at the different types of Windows and Linux permissions. We discussed access control lists, specifically allow and deny lists. Allow lists are used to allow the items in the list via entries called rules. Items could include software applications, network traffic, and even actions performed by an individual, depending on the context in which the access control list is used. Deny lists are used to deny the items in the list, and similarly contain rules to that effect. We then discussed the various types of firewalls. We know that a firewall essentially is there to filter incoming and outgoing traffic through a network. There are different types of firewalls that perform progressively more complex functions. The simplest type of firewall is a packet-filtering firewall, which filters network traffic based on basic elements such as source and destination IP addresses, port, protocol, and service. We then looked at circuit-level gateways, which filter based on TCP handshake completion. More complex firewalls perform more in-depth filtering and analysis. Stateful inspection firewalls keep track of a connection session’s state to prevent rogue sessions from being created and used to communicate with hosts on the inside of the network. Application-level gateways do deep packet inspection at the application level, and web application firewalls help protect web application servers.
Next-generation firewalls typically are more robust and can perform all the functions that lesser firewalls can perform, but are also packaged as multiple function devices, such as proxies, intrusion detection systems, VPNs, and concentrators, and they are threat intelligence aware. Cloud-based firewalls are offered as a service by cloud-based providers. We also briefly discussed intrusion detection rules and gave you an example of how Snort rules work and are created. We revisited data loss prevention solutions and how they can be deployed on the host or on the network and serve to tag sensitive files with metadata so they can be identified and prevented from leaving the network. We also looked at endpoint detection and response, which puts more focus on data collection and analysis at the host level in addition to the network level. Network access control is used to prevent insecure hosts from connecting to the network; a NAC conducts security health checks on the connecting host to ensure that its malware signatures are up to date, as well as its patch level and security configuration. It can also take remedial actions to correct these items. Sinkholing is a technique used to divert potentially malicious traffic from the host into an area where it can do no harm. It is often used to prevent compromised internal hosts from contacting command-and-control servers on the Internet. We also discussed malware signature development; malware signatures are still the most popular way to detect malware, except when there are no known signatures or patterns for new malware. We talked about two open-source utilities for creating malware signature rules: YARA and BASS. We then discussed sandboxing, which allows us to execute potentially harmful software in a controlled environment to observe its effects. Sandboxing is also useful in malware forensics so that we can reverse engineer a piece of malware to see how it was created, what its effects are, and how we can develop a defense for it. Finally, we discussed port security, which, in addition to physically protecting network switch ports, also means placing specific clients and MAC addresses in predetermined VLANs. Most of port security, however, involves port-based authentication and encryption, which ensures that random hosts cannot connect to the network without proper authentication. The IEEE 802.1X standard is the de facto standard for port security. 802.1X has the capability to authenticate both users and devices to the network; it’s used widely in wireless enterprise implementations, but also used in wired implementations as well.
Join 4M+ learners. Unlock unlimited quizzes, wrong-answer tracking, flashcards + reminders, study guides, and 1-on-1 challenges.