CompTIA Security+ SY0-401

Appropriate Type of Mitigation Tutorial

1 Analyzing a Scenario and Selecting the Appropriate Type of Mitigation

In the world of networking and protection, attackers are always waiting for an opportunity. We come up with an antivirus, and they respond with a stronger virus, and the contest for intellectual supremacy continues. To win, you need to know what your opponent is thinking, which is why it is vital to devise security measures that protect our systems and networks. Let's now look at the objectives covered in this lesson. After completing this lesson, you will be able to:
• Define the various logs that help monitor a system
• Describe methods to strengthen an Operating System's security
• Explain the components of network security
• Describe methods to maintain security posture
• Define the ways to report security issues
• Compare detection controls and prevention controls

2 Monitoring System Logs

In this topic, you will learn about the various logs that help monitor a system. System logs record the activities performed by the OS and its components, including information about device drivers, system changes, and system operations. System logging therefore covers which components are logged, how long logs are retained, and which people are authorized to read them. Sound logging practice records every attempt to access sensitive resources, copies logs to a centralized logging server, and protects them from unauthorized alteration or deletion. An attacker who gains administrative rights on a host can clear that host's local logs, so the centralized copy is the one that survives to tell the story. Now let's look at each log type that helps you monitor the system.

Event logs contain details related to performance, uptime, and hardware. Although the event log does not focus on security, it can still be used to reconstruct what happened when a security issue affects any of these areas.

Audit logs record user activity and are used to verify that users adhere to the defined compliance and security policies. These files are what make users accountable for their actions.

Security logs record activities related to the security of devices and operations: changes that affect the security settings or policies of any device, user access to sensitive resources, users executing restricted operations, and any action detected by security devices such as firewalls, IDS/IPS, routers, and switches. They play a vital role in configuring security within the organization.

Access logs record the success and failure of events related to users logging in or accessing a resource, including any resource that holds sensitive information, and are central to security monitoring. They should be copied to a centralized server and safeguarded from unauthorized access or modification.

Recurrent failures indicate that an intruder is attempting to gain access to the network. It is equally important to validate successful attempts, because an intruder might be using the account of a user who is on vacation. A successful login that follows a burst of failures from the same source, or one that happens while the account's owner is away, deserves a closer look.
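Here is an added example, not from the lesson, that applies the two access-log checks just described in Python: it counts repeated failures per source and account, and flags successful logins that either follow such a burst or belong to an account whose owner is on leave. The log lines, the simplified sshd-style line format, the leave roster, and the thresholds are all constructed assumptions for the example.

```python
"""Access-log review: repeated failures and successes that need validation.

Added example, not part of the original lesson. The log format, the sample
lines and the leave roster below are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log: timestamp, result, user, source address.
SAMPLE_LOG = """\
2024-03-04T09:00:01 FAILED user=alice src=203.0.113.7
2024-03-04T09:00:03 FAILED user=alice src=203.0.113.7
2024-03-04T09:00:05 FAILED user=alice src=203.0.113.7
2024-03-04T09:00:07 FAILED user=alice src=203.0.113.7
2024-03-04T09:00:09 FAILED user=alice src=203.0.113.7
2024-03-04T09:00:11 ACCEPTED user=alice src=203.0.113.7
2024-03-04T09:15:00 ACCEPTED user=bob src=10.0.0.12
2024-03-04T09:20:00 ACCEPTED user=carol src=10.0.0.13
"""

# Assumption: a leave roster exported from HR to the log server (hard-coded here).
ON_LEAVE = {"bob"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAILED|ACCEPTED) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(text):
    """Turn log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return (src, user) pairs with at least `threshold` failures inside a
    sliding time window of length `window`."""
    hits = set()
    failures = defaultdict(list)
    for e in events:
        if e["result"] != "FAILED":
            continue
        key = (e["src"], e["user"])
        times = failures[key]
        times.append(e["ts"])
        # Discard failures that fell out of the window.
        while times and e["ts"] - times[0] > window:
            times.pop(0)
        if len(times) >= threshold:
            hits.add(key)
    return hits


def find_suspicious_success(events, on_leave, bruteforce_hits):
    """Successful logins that deserve validation: the account owner is on
    leave, or the success follows a failure burst from the same source."""
    flagged = []
    for e in events:
        if e["result"] != "ACCEPTED":
            continue
        reasons = []
        if e["user"] in on_leave:
            reasons.append("account owner on leave")
        if (e["src"], e["user"]) in bruteforce_hits:
            reasons.append("success after failure burst")
        if reasons:
            flagged.append((e["user"], e["src"], reasons))
    return flagged


def analyse(text, on_leave=ON_LEAVE):
    """Run both checks over log text; returns (bruteforce_hits, flagged_logins)."""
    events = parse(text)
    bf = find_bruteforce(events)
    return bf, find_suspicious_success(events, on_leave, bf)


if __name__ == "__main__":
    bf, flagged = analyse(SAMPLE_LOG)
    for src, user in sorted(bf):
        print(f"ALARM repeated failures: src={src} user={user}")
    for user, src, reasons in flagged:
        print(f"REVIEW successful login: user={user} src={src} ({'; '.join(reasons)})")
```

On the sample data the script raises an alarm for the failure burst against alice, and lists two successful logins for review: alice's (it immediately follows the burst from the same source) and bob's (his account is on the leave roster). carol's login is not reported.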

3 Security of Operating Systems

In this topic, you will learn ways to strengthen the security of Operating Systems. Hardening an Operating System means implementing security compliance: a list of security policies applied on top of the baseline security measures. Hardening protects the system from intentional attacks as well as unintentional damage. It applies security countermeasures and allows the system to keep operating even if some of its software or hardware components fail. The key activities in an OS hardening procedure are:
• Deploying the latest OS version and regularly updating the versions of all device drivers.
• Verifying which remote-management or connectivity solutions are active, and that those which are needed are secured.
• Avoiding FTP, Telnet, and other clear-text or weak-authentication protocols.
• Disabling unnecessary services, protocols, and applications, and removing SNMP or configuring it securely (at a minimum, changing the default community strings).
• Synchronizing time zones and clocks across the network with an Internet time server, so that logs from different systems can be correlated.
• Configuring Event Viewer log settings to store audit events.
• Renaming default accounts, enforcing strong passwords on all accounts, and ensuring users change them periodically.
• Restricting access to administrative groups and accounts.
• Hiding the last-logged-on user's account name, enforcing account lockout, and configuring a legal warning message to be displayed at logon.
• Using secure sharing protocols or a VPN to share files.
• Running a security and vulnerability scanner against the system, and scanning for open ports.
• Disabling NetBIOS and Internet Control Message Protocol (ICMP) functionality on publicly accessible systems. Blocking all ICMP can break path MTU discovery, so on a system that must still serve remote clients, block the unneeded types such as echo and redirect rather than the whole protocol.
• Configuring audits and backups.

4 Aspects and Techniques for Port Security

Now, let's look at the security aspects of three major entities: the file system, workstations, and servers.

The security of the internal system relies on the chosen file system. Choose a file system that provides security features such as access control and auditing. NTFS is an example of a file system with these features, whereas FAT32 has no permissions or auditing at all.

Workstations are the computer systems that interact with the network, and are also referred to as client computers, terminals, or end-user computers. You need to ensure that access to workstations is secured and limited to authorized individuals. The lesson describes this as a two-step unlock using a password and a PIN; note that both are "something you know", so for true two-factor authentication one of them should be replaced by something the user has (a smart card or token) or is (a biometric).

Servers are the computer systems that manage networks and provide services for sharing resources within the network, so they need both physical and logical protection. Physically, servers must be placed in dedicated rooms that only selected authorized individuals may enter. Logically, not every user should be allowed to log on to the server and access its files.

It is said, "Prevention is better than cure." It is better to secure a system than to try to save it after the incident. A network has thousands of services and open ports, but do we need all of them? The exposed area of a system is directly proportional to the number of services running on it: the more services, the greater the attack surface exposed to untrusted networks and entities. Both open ports and communication with entities on an untrusted network are an invitation to attackers. Therefore, run only the services and protocols that are crucial to the required operation. If you are unable to decide which services are essential, follow these three basic steps.

First, plan or document the purpose of the system. Second, identify the services, applications, and protocols needed to support that purpose, and install them. Third, identify the services, applications, and protocols already present on the system, and remove those that are not needed. You can also run a trial-and-error test to identify essential and non-essential services. The lesson lists the commonly used essential services as file sharing, email, web, File Transfer Protocol (FTP), Telnet, SSH, remote access, Network News Transfer Protocol (NNTP), Domain Name Service (DNS), and Dynamic Host Configuration Protocol (DHCP). Where FTP or Telnet is genuinely needed, prefer the encrypted replacements (SFTP or FTPS, and SSH), as the hardening checklist above says. The most common non-essential services include NetBIOS, Unix RPC, Network File System (NFS), X services, R services, Trivial File Transfer Protocol (TFTP), NetMeeting, instant messaging, remote-control software, and Simple Network Management Protocol (SNMP).

A management interface is software that manages a hardware or software solution. It is most common on hardware devices, either a remote device or a device at the client's location that needs to be managed remotely: firewalls, wireless access points, IDS or IPS, routers, switches, proxies, and similar equipment. Users can access a management interface in two ways:
• By physical presence on the premises, and
• Through a VPN link or a dedicated management network.
Both are more secure than reaching the interface over the general wired or wireless network. The interface should use encrypted protocols rather than plain text, and the default password and account settings must be changed before the device is installed in a new production location. It is wrong to assume that physical protection is good enough for hardware devices; logical protection such as a secure password is equally important.

Most hardware devices ship with their own default administrative passwords, and this information is freely available on many websites. So it is important to replace the default with a new, unique password. In an IT network, any component or service that nobody uses should be removed completely, as it can only add to the risk. As a Security Administrator, you also need to eliminate the user accounts of employees who have left the organization, so you need a policy for employee account creation and deletion. Such policies are often part of the standards an organization implements.

In this topic, you will also learn a few aspects and techniques of port security as part of network security. When a system connects to a network, an attack can affect the network, and various factors are responsible for such attacks or breaches. Let's see some aspects that minimize port-related network security issues.

Port security refers, first, to physically protecting all ports, so that an unauthorized user cannot reach an active port on a physical adapter. The ports are then electronically monitored to prevent switching or spoofing attacks. In the logical realm, port security reduces the malicious or unwanted traffic that tries to reach critical services: if a port has no service assigned to it, it is closed, and it opens only when a service is bound to it. While this may seem enough for network security, it is insufficient on its own. Let's discuss some techniques, along with their limitations.

Media Access Control (MAC) limiting and filtering restricts which users or devices may communicate with a network resource to an approved list of MAC addresses. It is mostly implemented on wireless access points and switches, but can also be applied as part of connection control. Although this technique reduces exposure, it is not a comprehensive security solution: MAC addresses are very easy to spoof. Simple Linux tools such as macchanger, and Windows tools such as MAC Makeup, can spoof an address with a few keystrokes.

802.1x is a standard for port-based access control that allows only authenticated clients to communicate with network resources. It lets any device use the authentication services already present in the network infrastructure. The standard is usually associated with wireless access points, but its use is not limited to them. With 802.1x, you can integrate many other authentication solutions and techniques into the network: smart cards, biometrics, token devices, digital certificates, Remote Authentication Dial-In User Service (RADIUS), and Terminal Access Controller Access Control System (TACACS).

We discussed disabling unused ports and services. Like unused ports, you should block or disable any unused interface and any unused application service port. Disabling an unused interface makes the connection port electrically useless; blocking unused application service ports is a function of a hardware or software firewall, which drops packets sent to those ports.

Rogue machine detection finds unauthorized systems appearing on a secured network. Several techniques are available. One is a smart patch panel, which detects a new system when it is connected to a previously unused wall jack. Another is to monitor MAC addresses: a MAC address never seen before in network traffic indicates the presence of a rogue machine. MAC spoofing, however, lets a rogue machine replicate the address of an authorized system. To overcome this limitation, you can use a network-based Intrusion Detection System (IDS) or Intrusion Prevention System (IPS), which inspects what the traffic does rather than only which address claims to send it.
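Here is an added example, not from the lesson, that simulates in Python the port-security techniques just described: MAC limiting and MAC filtering on a switch port, rogue-machine detection by watching for never-seen MAC addresses, and the limitation the lesson points out, a rogue host that spoofs an approved address passes both checks. The port names, MAC addresses and the switch behaviour are constructed for the example and do not model any particular vendor's implementation.

```python
"""Port security simulation: MAC limiting, MAC filtering, rogue detection,
and the MAC-spoofing bypass.

Added example, not part of the original lesson. Ports, addresses and the
switch behaviour below are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass
class PortSecurity:
    """Port security on one switch port: an optional allow-list (MAC filtering)
    and a cap on how many source MACs the port may learn (MAC limiting)."""
    max_macs: int = 1
    allowed: set = field(default_factory=set)
    learned: set = field(default_factory=set)
    violations: list = field(default_factory=list)

    def ingress(self, port, src_mac):
        """Return True if the frame is forwarded, False if it is dropped."""
        src_mac = src_mac.lower()
        if self.allowed and src_mac not in self.allowed:
            self.violations.append((port, src_mac, "not in allow-list"))
            return False
        if src_mac not in self.learned:
            if len(self.learned) >= self.max_macs:
                self.violations.append((port, src_mac, "MAC limit exceeded"))
                return False
            self.learned.add(src_mac)
        return True


class RogueDetector:
    """The 'monitor MAC addresses' technique: report any source MAC that is
    not in the inventory of known systems."""

    def __init__(self, inventory):
        self.known = {m.lower() for m in inventory}
        self.rogues = []

    def observe(self, port, src_mac):
        src_mac = src_mac.lower()
        if src_mac not in self.known:
            self.rogues.append((port, src_mac))
            return True
        return False


def run_scenario():
    """Three frames on the same port: the approved workstation, a rogue laptop
    with its real MAC, and the same laptop after spoofing the approved MAC."""
    approved = "00:11:22:33:44:55"   # constructed: the inventoried workstation on Gi0/1
    attacker = "de:ad:be:ef:00:01"   # constructed: the rogue laptop's burned-in MAC

    port = PortSecurity(max_macs=1, allowed={approved})
    detector = RogueDetector(inventory=[approved])

    results = {}
    # 1. Legitimate workstation: forwarded, nothing to report.
    results["legit"] = port.ingress("Gi0/1", approved)
    # 2. Rogue laptop with its own MAC: dropped by the allow-list and flagged.
    results["rogue_real_mac"] = port.ingress("Gi0/1", attacker)
    results["rogue_detected"] = detector.observe("Gi0/1", attacker)
    # 3. Same laptop after a macchanger-style spoof to the approved MAC:
    #    the allow-list forwards it and the MAC monitor sees nothing new.
    results["rogue_spoofed"] = port.ingress("Gi0/1", approved)
    results["spoof_detected"] = detector.observe("Gi0/1", approved)
    results["violations"] = list(port.violations)
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The third frame is the point of the example: once the attacker copies the approved MAC, neither the allow-list nor the new-address monitor has anything to object to, which is why the lesson recommends 802.1x authentication and a network IDS/IPS rather than relying on MAC-based controls alone.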

5 Methods to Maintain Security Posture

In this topic, you will learn the methods to maintain the security posture. Security posture is the security status of an organization: the degree to which it can resist an attack. Depending on how the components of the security posture are planned and implemented, an organization has either a poor or a good posture. These components include in-depth policies and procedures, the facilities and their implementation in the IT infrastructure, and proper training of the workforce. Let's explore the three aspects of security posture: initial baseline configuration, continuous security monitoring, and remediation.

A security template is used to set up a baseline, or to make a system comply with a security policy. The template is a collection of security settings that, applied together, produce a specific configuration. You can design security templates for workstations and servers as per the organization's requirements, and apply them through the Windows Group Policy system. Once a template is ready, it is used either to configure an existing or new system, or to compare the current configuration against the desired one. The latter is called security template analysis, and it ends with a report showing the compliance gaps.

A security baseline made from a security template helps keep a system hardened. It is a standardized minimum security level with which all organizational systems must comply, and it establishes a firm security structure on which trust and assurance can be built. The organization's security policy defines the security baseline, which covers specific hardware components, service packs, OS versions, patches and upgrades, add-ons, configuration settings, and service settings. To harden a system, first remove all unnecessary components, including applications, services, protocols, and hardware such as device drivers. Next, update and patch the Operating System along with the installed services, applications, and protocols. Then configure all the installed applications securely. Finally, enforce restrictions on the distribution of information, its services, and its hosted resources.

Documentation is a vital aspect of setting a security baseline. Document every detail of the system, from the design phase to the tuning phase; insufficient documentation makes it hard to secure or lock down a server. Details of the Operating System, hardware configuration, services, applications, updates, and patches must be gathered before any security improvement is made. If that documentation is kept current, there is no need to re-survey the environment before each improvement, because the desired information is already recorded. Examine three key areas before creating a baseline: the Operating System, the network, and the applications.

Securing your systems and network is not enough on its own; you also need to monitor them constantly, and that monitoring must satisfy the following:
• Monitoring must be running and active. Always ensure that security monitoring is functioning. If it becomes unavailable or goes offline, all user activity should be stopped (the system fails closed) and a notification sent to the administrators.
• Monitoring should cover all user accounts, not just end users. This holds every user, administrators included, to their privileges and responsibilities. Anyone who attempts to bypass these rules should be caught and dealt with strictly.
• Monitoring should function constantly across the whole IT infrastructure, recording all user activity on every device, for every user, from logon until logoff. In short, no user activity should take place in the absence of security monitoring.
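Here is an added example, not from the lesson, of the security template analysis described above: a baseline template of expected settings is compared against a snapshot of each host's current configuration, and the result is a report of compliance gaps per host. The setting names, the baseline values, the two host snapshots and the NTP server name are constructed for the example; a real implementation on Windows would read the snapshot from Group Policy or the registry rather than from a hard-coded dictionary, but the comparison logic is the same.

```python
"""Security template analysis: compare host configuration to a baseline and
report compliance gaps.

Added example, not part of the original lesson. The template, the setting
names and the host snapshots are constructed for the example.
"""

# Baseline template. A plain value must match exactly; ("min", v) and
# ("max", v) express a lower or upper bound (versions, lengths, counts).
BASELINE = {
    "os.version":                    ("min", (10, 0, 19045)),
    "service.telnet":                "disabled",
    "service.ftp":                   "disabled",
    "service.snmp":                  "disabled",
    "account.guest":                 "disabled",
    "account.administrator_renamed": True,
    "logon.display_last_user":       False,
    "logon.legal_notice":            True,
    "lockout.enabled":               True,
    "password.min_length":           ("min", 12),
    "time.ntp_server":               "time.example.org",   # constructed name
}


def check(setting, expected, actual):
    """Return None if `actual` satisfies `expected`, else a reason string.
    A missing setting is itself a gap: an unknown state cannot be compliant."""
    if actual is None:
        return "not configured / unknown"
    if isinstance(expected, tuple):
        kind, bound = expected
        if kind == "min" and actual < bound:
            return f"below minimum {bound}: {actual}"
        if kind == "max" and actual > bound:
            return f"above maximum {bound}: {actual}"
        return None
    if actual != expected:
        return f"expected {expected!r}, found {actual!r}"
    return None


def analyse_host(baseline, snapshot):
    """Security template analysis for one host: {setting: reason} for each gap."""
    gaps = {}
    for setting, expected in baseline.items():
        reason = check(setting, expected, snapshot.get(setting))
        if reason:
            gaps[setting] = reason
    return gaps


# Constructed snapshots: one compliant workstation, one drifted web server.
HOSTS = {
    "ws-042": {
        "os.version": (10, 0, 19045),
        "service.telnet": "disabled", "service.ftp": "disabled",
        "service.snmp": "disabled", "account.guest": "disabled",
        "account.administrator_renamed": True,
        "logon.display_last_user": False, "logon.legal_notice": True,
        "lockout.enabled": True, "password.min_length": 14,
        "time.ntp_server": "time.example.org",
    },
    "srv-web-01": {
        "os.version": (10, 0, 17763),       # behind the baseline build
        "service.telnet": "enabled",        # clear-text admin protocol left on
        "service.ftp": "disabled",
        "service.snmp": "enabled",          # SNMP never removed
        "account.guest": "disabled",
        "account.administrator_renamed": False,
        "logon.display_last_user": True,
        "logon.legal_notice": True,
        "lockout.enabled": False,
        "password.min_length": 8,
        # time.ntp_server deliberately absent: never configured
    },
}


def report(baseline=BASELINE, hosts=HOSTS):
    """Compliance report: host name -> gaps (empty dict means compliant)."""
    return {host: analyse_host(baseline, snap) for host, snap in hosts.items()}


if __name__ == "__main__":
    for host, gaps in report().items():
        status = "compliant" if not gaps else f"{len(gaps)} gap(s)"
        print(f"{host}: {status}")
        for setting, reason in gaps.items():
            print(f"  - {setting}: {reason}")
```

The report is the output the lesson calls the compliance-gap report; each gap names the setting, the baseline requirement, and the value actually found, which is what an administrator needs to either re-apply the template or document an approved exception.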
Remediation is the third aspect of security posture, alongside detecting attempted violations and locking things down. It is the process of handling an attack, downtime, a malicious-code infection, a system compromise, and so on. For remediation to succeed, you need to plan it, document it, rehearse it, and revise the documentation regularly. Remediation should address the prevailing problems, restore systems, and repair damage as soon as possible. Handling problems well is as critical as detecting and preventing them.

6 Audit Reports - Alarms, Alerts, and Trends

In this topic, you will learn about audit reports. After auditing the computing environment, a report should be prepared. Audit reports should be crisp, clear, and factual. The format of a report generated from audit trails varies significantly from one organization to another, but the basic outline remains the same: the purpose, scope, and results of the audit. You can also prepare an audit report in different formats for different levels of the organization's hierarchy.

An audit report records environment details such as the date, time, and systems covered. It also records details of problems, events, and conditions, as well as the baselines, criteria, and standards applied, and the causes, impact, effects, and solutions found. The report includes the auditor's opinions or recommendations on the findings from the audit trails.

Access to an audit report should be granted only to people with sufficient privileges within the organization's hierarchy, and a report should contain only the details appropriate to the position of the staff who can access it. The frequency of audit reports depends on the level of risk involved and the value of the assets covered: the more valuable the assets, the higher the risk and the more frequent the reports. Once created, an audit report should be delivered to the members assigned in the security policy, and a signed acknowledgement obtained from them. If serious performance issues or security violations are reported, the report should be escalated to the authorized people at higher management levels for notification, review, and quick remedial action.

Three concepts describe the notifications, and the tendencies toward good or bad events, that an audit report covers. An alarm is an immediate notification of a critical event, so that the concerned authority can act at once; it is triggered by events such as system downtime, a security breach, or a server crash. An alert is a non-emergency notification that records the event details in a log; it may or may not notify an administrator, as the event usually does not require an instant response. Trends are tendencies that indicate conditions are getting worse or better. Tracking trends requires monitoring or analyzing recorded events, and is critical for both security and performance monitoring and reporting. Some trends hint at security breaches, system failure, or downtime, and should be detected as early as possible.

7 Detection Controls and Prevention Controls

In this topic, you will learn the differences between detection controls and prevention controls. A preventative control stops an unauthorized or unwanted activity from occurring, whereas a detective control recognizes an activity as it happens. Both types are essential components of any security infrastructure, and they represent the two beliefs of a strong security posture: lock things down, and watch for violations. Many security controls act as both preventative and detective.

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) illustrate the difference. An IDS is designed to detect security breaches, while an IPS is designed to stop violations from occurring. An IDS is passive: it detects issues but does not attempt to eliminate them. An IPS is active: it senses an unauthorized access attempt and also responds to stop it, interacting with and interfering with the activity of the unauthorized entity. Because an IPS sits inline, a false positive means legitimate traffic is dropped; that is the cost of prevention over detection, and it is why IPS rules need more careful tuning than IDS rules.

A camera and a guard show the same distinction in the physical world. A camera senses and records unauthorized activity, and mainly acts as a deterrent. A security guard physically patrols the property, covering places a camera cannot. Guards also act as a deterrent, but a guard can additionally be an active control that stops unauthorized activity, responding to different issues and acting according to changing conditions.

8 Summary

Let's summarize the topics covered in this lesson.
• It is essential to log all attempts to access sensitive resources, duplicate logs on centralized servers, and protect logs from unauthorized access.
• Operating System hardening involves disabling unnecessary features, using native security features, and using supplementary options such as firewalls, code scanners, antivirus software, and malicious-code scanners.
• Port security is an essential part of network security, and is provided by MAC filtering, 802.1x, rogue machine detection, and disabling unused service ports.
• Security posture has three aspects, namely initial configuration baseline, continuous security monitoring, and remediation.
• Audit reports should follow a proper format that covers the specific details of a system, and must be handed over only to authorized staff.
• A preventative control stops an unauthorized activity in an active manner, while a detection control only detects an unauthorized activity in a passive way.
With this, we conclude the lesson, 'Analyzing a Scenario and Selecting the Appropriate Type of Mitigation.' The next lesson is, 'Using Appropriate Tools and Techniques to Discover Security Threats and Vulnerabilities.'
