Week 5: Defense in Depth
Our emphasis this week will be on concrete, practical details that enhance the security defenses of a system and its applications. At the end of the topic, you should be able to implement system and application hardening techniques and develop the operating system security policies required for those systems. At the end of the module, you should appreciate the importance of turning off unessential components within the system, configuring host-based firewalls, installing anti-malware protection, enabling disk encryption, and efficiently managing software patches and application policies.
Learning Objectives
- Adopt efficient hardening methods in the systems.
- Apply techniques for securing applications.
- Establish and enact policies that enhance the security of the operating system.
PRACTICE QUIZ: SYSTEM HARDENING
1. What is an attack vector?
- The classification of attack type
- The direction an attack is going in
- A mechanism by which an attacker can interact with your network or systems (CORRECT)
- The severity of the attack
Nice job! An attack vector is any means by which an attacker can interact with your systems or network in order to exploit them. The attack vector is the way that attackers access your system to carry out malicious activities.
2. Disabling unnecessary components serves which purposes? Check all that apply.
- Closing attack vectors (CORRECT)
- Making a system harder to use
- Reducing the attack surface (CORRECT)
- Increasing performance
Right on! Every unnecessary portion of a system represents a potential attack vector. All of these attack vectors contribute to the aggregate that makes up the attack surface. Therefore, disabling unnecessary components removes attack vectors, which in turn reduces the overall attack surface and enhances the security of the system.
3. What’s an attack surface?
- The target or victim of an attack
- The total scope of an attack
- The payload of the attack
- The combined sum of all attack vectors in a system or network (CORRECT)
Yep! The attack surface includes all possible actions and ways by which an attacker can contact and exploit weaknesses within a network and connected systems.
4. A good defense in depth strategy would involve deploying which firewalls?
- Network-based firewalls only
- Both host-based and network-based firewalls (CORRECT)
- No firewalls
- Host-based firewalls only
You got it! Defense-in-depth aggregates various overlapping layers of security in one structure to protect systems. Accordingly, it is recommended to apply host-based firewalls in addition to network-based firewalls in enhancing the level of protection.
5. Using a bastion host allows for which of the following? Select all that apply.
- Running a wide variety of software securely
- Applying more restrictive firewall rules (CORRECT)
- Having more detailed monitoring and logging (CORRECT)
- Enforcing stricter security measures (CORRECT)
Wohoo! Bastion hosts are purpose-built systems that provide controlled access to sensitive networks or systems. Their single purpose allows for the use of very strict authentication, tighter firewall rules, and monitored logging so as to further increase security.
6. What benefits does centralized logging provide? Check all that apply.
- It prevents database theft.
- It allows for easier logs analysis. (CORRECT)
- It blocks malware infections.
- It helps secure logs from tampering or destruction. (CORRECT)
Yes! Centralized logging has a few benefits, the main one being that the log server can be hardened against attacks focused on clearing logs to cover up an attacker's traces. It also makes the logs much simpler to analyze, since they are collected in one place rather than scattered across many systems. Searching and analyzing aggregated data is much easier than dealing with sets of disparate log systems.
7. What are some of the shortcomings of antivirus software today? Check all that apply.
- It can’t protect against unknown threats. (CORRECT)
- It only detects malware, but doesn’t protect against it.
- It’s very expensive.
- It only protects against viruses.
Awesome! Centralized logging is very important because it can let the log server be secured against attacks meant to obliterate logs to cover tracks. It simplifies log analysis as it aggregates logs from several sources into a single location for easier search and analysis instead of working with disparate systems of logs.
8. How is binary whitelisting a better option than antivirus software?
- It has less performance impact.
- It can block unknown or emerging threats. (CORRECT)
- It’s cheaper.
- It’s not better. It’s actually terrible.
That’s right! The principle of binary whitelisting is to increase security effectiveness by preventing any application from running by default and only allowing those that have received prior approval from a trusted source. In this way, even unknown threats (those not yet known to the user) are shut out, because untrusted or potentially malicious binaries will not be able to execute.
9. What does full-disk encryption protect against? Check all that apply.
- Tampering with system files (CORRECT)
- Malware infections
- IP spoofing attacks
- Data theft (CORRECT)
Excellent job! Once a disk is encrypted, its data becomes unreadable without the decryption key. If physical theft occurs, there is no way for an attacker to retrieve any data from the drive. Encryption also protects the system against physical attacks by preventing attackers from tampering with or replacing system files with malicious versions.
10. What’s the purpose of escrowing a disk encryption key?
- Performing data recovery (CORRECT)
- Protecting against unauthorized access
- Providing data integrity
- Preventing data theft
Yep! Key escrow is a mechanism in which a secure copy of a user's encryption key is stored in a safe place. For example, in instances where the primary passphrase has been forgotten or is otherwise unavailable, the escrowed key can be used to unlock the disk and regain access to the encrypted data.
PRACTICE QUIZ: APPLICATION HARDENING
1. Why is it important to keep software up-to-date?
- To ensure compatibility with other systems
- To address any security vulnerabilities discovered (CORRECT)
- To ensure access to the latest features
- It’s not important. It’s just annoying.
Nice work! That is why you keep your software updated: applying the vendor's updates is the only way to receive their patches for security holes. Once a vulnerability is found and patched by the vendor, the final step is yours, which is to apply the patch immediately to shield your systems against potential attacks. Updating regularly closes security holes; hence, your attack surface becomes smaller.
2. What are some types of software that you’d want to have an explicit application policy for? Check all that apply.
- Word processors
- Filesharing software (CORRECT)
- Video games (CORRECT)
- Software development kits
Great job! Games and filesharing software may have little legitimate use in a business environment, depending on the type of business. It is wise to set down clear guidelines on whether such programs are allowed on company systems, so as to minimize security risks and ensure the systems are used for their intended purposes.
QUIZ: DEFENSE IN DEPTH
1. What’s the key characteristic of a defense-in-depth strategy to IT security?
- Strong passwords
- Encryption
- Confidentiality
- Multiple overlapping layers of defense (CORRECT)
Right on! Defense in depth is a security strategy that provides multiple levels of protection through overlapping defenses at different points of the system. If one layer is compromised, another layer continues to provide protection, lowering the likelihood of a successful attack.
2. While antivirus software operates using a ______, binary whitelisting software uses a whitelist instead.
- Greylist
- Blacklist (CORRECT)
- Secure list
- Whitelist
You got it! Antivirus software relies on a blacklist to flag and quarantine programs that match the signatures of known malicious entities. Whitelisting, on the other hand, blocks by default every program not explicitly placed on an approved list. This proactive approach is therefore a better defense against unknown threats.
3. What is a class of vulnerabilities that are unknown before they are exploited?
- ACLs
- Attack Vectors
- Attack Surfaces
- 0-days (CORRECT)
Nice job! Zero-day vulnerabilities come out of the blue: they are holes or weaknesses in software or systems that nobody knew about before attacks exploiting them were carried out. Because there is no prior knowledge of the vulnerability, there is no patch for it until the vendor learns about it and issues a fix.
4. Which of these host-based firewall rules help to permit network access from a Virtual Private Network (VPN) subnet?
- Access Control Lists (ACLs) (CORRECT)
- Secure Shell (SSH)
- Group Policy Objects (GPOs)
- Active Directory
You got it! A typical host-based firewall configuration adds a few Access Control Lists (ACLs) that specify which network traffic is allowed or denied. For a VPN, the ACLs would be configured to allow access from the specific subnet belonging to the VPN, ensuring that only authorized users connected through the VPN can reach the protected system or resource on the network.
5. A network security analyst received an alert about a potential malware threat on a user’s computer. What can the analyst review to get detailed information about this compromise? Check all that apply.
- Security Information and Event Management (SIEM) system (CORRECT)
- Logs (CORRECT)
- Full disk encryption (FDE)
- Binary whitelisting software
Spot-On! A Security Information and Event Management (SIEM) system is essentially a centralized server that collects, consolidates, and presents logs from the various sources where events occur, providing a holistic view of activity across the network and its systems. This makes it possible for an analyst to monitor, correlate, and analyze logs effectively, enabling better detection of compromises or attacks. The events captured in logs give high visibility into traffic and activities that could reveal suspicious behavior and strengthen security monitoring as a whole.
6. What can provide resilience against data theft, and can prevent an attacker from stealing confidential information from a hard drive that was stolen?
- Full disk encryption (FDE) (CORRECT)
- OS upgrades
- Software patch management
- Key escrow
Nice job! Full disk encryption safeguards all of the data on a hard drive in case the drive is stolen. Whether the drive is stolen or lost, the encrypted data remains inaccessible to any unauthorized user, keeping confidential information confidential. Retrieving or exploiting the contents of an encrypted drive is impossible without the proper decryption key.
7. What is the purpose of installing updates on your computer? Check all that apply.
- Updating helps block all unwanted traffic.
- Updating adds new features. (CORRECT)
- Updating improves performance and stability. (CORRECT)
- Updating addresses security vulnerabilities. (CORRECT)
Updating also adds new features and improvements for increased functionality and a better user experience.
Updating brings enhancements to performance and stability, so the software runs more efficiently and reliably.
Updating resolves security issues, closing known vulnerabilities and thereby protecting systems against potential threats or attacks.
8. What does a host-based firewall protect against that a network-based one doesn’t? Check all that apply.
- Protection from MITM attacks
- Protection from XSS attacks
- Protection from compromised peers (CORRECT)
- Protection in untrusted networks (CORRECT)
Nice work! A host-based firewall is indispensable for systems that are carried around or operate in untrusted networks such as public Wi-Fi. Such systems must have their inbound and outbound traffic filtered so that the only connections allowed are those explicitly authorized. Moreover, host-based firewalls protect against compromised peers on the same network, blocking potentially malicious traffic coming from other devices on the same local network.
9. What does full-disk encryption protect against? Check all that apply.
- Data theft (CORRECT)
- Data tampering (CORRECT)
- Malware
- Eavesdropping
Wohoo! Encrypting an entire hard drive prevents unauthorized users from accessing the data if the device is lost or stolen. The encrypted files are unreadable and unalterable unless the correct decryption key is provided, which safeguards against malicious tampering. This creates an additional layer of protection, keeping sensitive data protected even when the physical device is compromised.
10. What is the purpose of application software policies? Check all that apply.
- They take log data and convert it into different formats.
- They define boundaries of what applications are permitted. (CORRECT)
- They serve to help educate users on how to use software more securely. (CORRECT)
- They use a database of signatures to identify malware.
Application policies set limits specifying which applications are permitted or disallowed, thus controlling the software environment and reducing the chances of installing unwanted or malicious applications.
They also play a vital role in educating users on secure software use and best practices, mitigating security threats that result from inappropriate use of applications.
11. Why is it risky if you wanted to make an exception to the application policy to allow file sharing software?
- The software could be infected with malware. (CORRECT)
- The software can normalize log data.
- The software can shrink attack vectors.
- The software could disable full disk encryption (FDE).
Nice job! Prohibiting high-risk software, including file-sharing applications and piracy-related software, is a well-grounded approach to lowering the chances of infection. Such software is often associated with security risks because users download files without knowing whether they are harmful, which can compromise the system's integrity and lead to attacks on the network. By prohibiting the installation and use of such applications, the organization is better positioned to protect its systems and data from these threats.
12. How are attack vectors and attack surfaces related?
- They’re not actually related.
- They’re the same thing.
- An attack surface is the sum of all attack vectors. (CORRECT)
- An attack vector is the sum of all attack surfaces.
Yep! Correct! The attack surface represents the aggregate of all possible attack vectors pertaining to a particular system or environment. It encompasses every entry point that an attacker might use to gain unauthorized access or exploit existing vulnerabilities in a system. In other words, the larger the attack surface, the more openings an attacker has for targeting weaknesses, which makes reducing it one of the most important concerns of security.
13. Having detailed logging serves which of the following purposes? Check all that apply.
- Event reconstruction (CORRECT)
- Data protection
- Vulnerability detection
- Auditing (CORRECT)
Of course! Logs enable event tracking and verification of the actions performed. When an incident occurs, detailed logs help to reconstruct the chain of events that led to it.
Exactly! Having logs allows us to review events and audit actions taken. If an incident occurs, detailed logs allow us to recreate the events that caused it.
14. Securely storing a recovery or backup encryption key is referred to as _______.
- Key encryption
- Key obfuscation
- Key escrow (CORRECT)
- Key backup
That’s right! Key escrow refers to the process of safely maintaining a backup or recovery encryption key for full disk encryption, allowing for authorized access to data in case the primary encryption key is lost or compromised.
15. A hacker gained access to a network through malicious email attachments. Which one of these is important when talking about methods that allow a hacker to gain this access?
- An attack surface
- A 0-day
- An attack vector (CORRECT)
- An ACL
Right on! An attack vector can be defined as an avenue or path by which an attacker attempts to gain unauthorized entry into a system and breach its security.
16. Which of these protects against the most common attacks on the internet via a database of signatures, but at the same time actually represents an additional attack surface that attackers can exploit to compromise systems?
- Antivirus software (CORRECT)
- Full disk encryption (FDE)
- Security Information and Event Management (SIEM) system
- Binary whitelisting software
Great work! Antivirus software is designed to protect systems, but it may itself serve as an additional attack surface: because it scans untrusted input, an attacker may find a way to exploit a vulnerability in the antivirus program to gain entry into the system.
17. A core authentication server is exposed to the internet and is connected to sensitive services. How can you restrict connections to secure the server from getting compromised by a hacker? Check all that apply.
- Access Control Lists (ACLs) (CORRECT)
- Secure firewall (CORRECT)
- Patch management
- Bastion hosts (CORRECT)
Yes, indeed! ACLs that deny connections from everywhere except specific bastion hosts can secure sensitive services while still providing convenient access for the organization.
Correctly configured firewalls govern connections and lock down the untrusted parts of the system.
Very true! Bastion hosts are hardened and run a minimal number of services compared to other internal hosts. Since they usually face the internet, hardening practices are applied to them with a higher level of intensity.
18. If a full disk encryption (FDE) password is forgotten, what can be incorporated to securely store the encryption key to unlock the disk?
- Application policies
- Key escrow (CORRECT)
- Application hardening
- Secure boot
Indeed! Key escrow is all about the secure storage of the encryption key for the potential future access by an authorized party. If, for instance, a user forgets the passphrase to unlock an encrypted disk, the stored key can be used to allow that individual back into the disk.
19. Which of these plays an important role in keeping attack traffic off your systems and helps to protect users? Check all that apply.
- Full disk encryption (FDE)
- Multiple Attack Vectors
- Antimalware measures (CORRECT)
- Antivirus software (CORRECT)
You’re right! There is a huge amount of attack traffic on the internet, which is why antimalware measures should be in place to block those attacks and protect your systems and users.
Certainly! Antivirus software constantly watches and analyzes different activities such as creating or modifying files for signature-matching behaviors that are recognized as those of potential malware threats and thus prevents them from infecting systems.
20. When looking at aggregated logs, you are seeing a large percentage of Windows hosts connecting to an Internet Protocol (IP) address outside the network in a foreign country. Why might this be worth investigating more closely?
- It can indicate a malware infection. (CORRECT)
- It can indicate what software is on the binary whitelist.
- It can indicate log normalization.
- It can indicate ACLs are not configured correctly.
Well done! When going through consolidated logs, it is essential to look for patterns and correlations in the traffic. For instance, if several hosts attempt to contact one particular external address, that is an indicator of a possible malware infection and should be thoroughly investigated.
21. What is the combined sum of all attack vectors in a corporate network?
- The Access Control List (ACL)
- The attack surface (CORRECT)
- The risk
- The antivirus software
Correct! The attack surface is the overall collection of possible entry points, or attack vectors, through which an attacker may penetrate a system or environment. The bigger the attack surface, the more chances there are for potential threats.
22. What does applying software patches protect against? Check all that apply.
- Data tampering
- Undiscovered vulnerabilities (CORRECT)
- Newly found vulnerabilities (CORRECT)
- MITM attacks
23. If a user’s machine gets infected with malware within a trusted network, what can help protect computers inside the trusted network from the compromised one?
- The Domain Controller
- A host-based firewall (CORRECT)
- A network-based firewall
- Active Directory
Correct! Host-based firewalls are an important way of protecting individual machines, especially when they operate in untrusted or hostile environments. They also protect against compromised machines inside a trusted network, preventing lateral movement and attacks from the inside.
24. A hacker exploited a bug in the software and triggered unintended behavior which led to the system being compromised by running vulnerable software. Which of these helps to fix these types of vulnerabilities?
- Log analysis
- Implicit deny
- Software patch management (CORRECT)
- Application policies
Correct! Vulnerabilities can be mitigated by patching the software, that is, by updating these systems. Such fixes address the bugs or security vulnerabilities that attackers can exploit, fortifying the systems and reducing the risk of compromise.