welcome to domain 2 of the Security Plus exam cram series 2024 Edition and here in domain 2 we'll focus on threats vulnerabilities and mitigations we'll begin with a look at threat actors and their motivations before we explore threat vectors and attack surfaces we'll examine the vulnerabilities that leave an organization open to Cyber attack before we dive in to indicators of malicious activity that may point to an attack in progress and we wrap up with a look at mitigation techniques you'll not only learn about these individual components but how they're related and how they impact an organization security posture these are all pieces on the board you must understand as you help an organization chart their course to a stronger security posture and I'll help you connect the dots as always we're going to go line by line through every skill measured in the official exam syllabus lots to get through let's dig in [Music] welcome back to the Security Plus exam cram series 2024 Edition in this installment covering every topic in the official exam syllabus for domain two of the Security Plus exam because it's so often requested you'll find a PDF copy of this presentation available in the video description intended for you to download and use in your exam preparation and the chapters within this course should appear automatically on the timeline but just in case you'll find a table of contents that's clickable in the video description so you can hop forward and back in the video as necessary as you prepare and as with the previous release of the Security Plus exam I recommend the official study guide from Cybex which includes 500 practice questions 100 flashcards and two practice exams as well as the companion practice test manual which brings another th000 practice questions and two practice exams and if you register for the online resources so you can leverage these questions in an electronic format I believe it's all the practice quizzing you're going to need to prepare yourself for exam day and I will leave you links in the video description to the least expensive copies on amazon.com and the focus of domain 2 is threats vulnerabilities and mitigations and as was the case with domain 1 in domain 2 we're going to go line by line through the official exam syllabus touching on every topic in there section 2.1 asks us to compare and contrast Common Thread actors and their motivations so we will look at the types of thread actors that are out there from the very sophisticated nation state to the very much unskilled attacker in a script Kitty we'll look at their attributes whether they're inside or outside inside the company and their relative funding levels and level of capability or sophistication and finally their motivations and I'm going to cover these in a way that will make it easy for you to map the actors to their attributes and their motivations as you prepare for the exam so if I were to just take a highlevel categorical perspective I could look at this from a mission versus money perspective around their motivations and incentives so if I look at money and Mission nonprofits those out there to improve Society governments will fall somewhere in the middle with economic and political motives business focused attackers that are purely driven by profit and at a high level I could throw some examples here criminal Enterprises are money driven governments tend to be somewhere in the middle and those who are focused on their mission on their principles don't really care about the money so the point is the motivations and incentives for different types of organizations will will vary and understanding an attacker motivation reveals probabilities and potential impacts so you can establish priorities so I want to begin with a walk through of the six type of threat actors called out in the syllabus we have the nation state which is a country's government that uses cyber attacks to disrupt or steal information from another country we have unskilled attackers who are someone with limited technical knowledge who may launch attacks just out of curiosity or malice you often hear unskilled attackers referred to as script kitties because they're often running malicious scripts that they know very little about we have the hacktivist an individual uses cyber attacks to promote a political or social cause they are mission driven we have The Insider threat an authorized internal user who intentionally or unintentionally misuses their access to harm a system or organization an important distinction there that it's not always intentional organized crime a criminal Syndicate that uses cyber attacks for financial gain such as stealing money or data and finally Shadow it these are employees leveraging unauthorized or unmanaged it resources within an organization which can create sec vulnerabilities Shadow it employees are not exactly an actor itself but it results in an exploitable risk we really saw the rise of Shadow it with the rise of cloud where employees could go out and with a credit card they could subscribe to a SAS service like cloud storage for example so they could more easily exchange files with parties outside the company or developers who might spin up an AWS subscription so they could quickly deploy VMS so they could get their development work done instead of waiting on it who might take days or weeks to deploy new VMS for them let's shift gears and talk through the motivations just to make sure you're familiar with each on the list so we have data exfiltration which is unauthorized removal of sensitive or proprietary information from a computer system Espionage which is conducted by organizations including nation states or corporations typically it's a corporate entity we're thinking about with the goal of stealing confidential information from another organization service disruption which is aimed at causing outages or disruptions to essential Services next we have blackmail attacks that threaten to expose sensitive information often embarrassing information unless the victim submits to a demand typically for money or other concessions financial gain where the motivation is to steal money or valuable through fraudulent activities political or philosophical attacks driven by ideological or political motivations so this motivation would clearly map back to the hacktivist who is driven by their ideological Mission ethical hacking which are authorized simulated attacks conducted by security researchers or ethical hackers to identify voner V abilities in a system and improve its overall posture authorized for the record means it would be included in a signed contract in writing then we have Revenge so motivated by a desire to retaliate against an individual or organization so retaliate meaning in response to some previous act by the other party generally driven by perceived wrongs often attempting to cause public embarrassment or operational disruption then we have disruption or chaos which is aimed at causing widespread disruption and hindering normal operations of a system or network may be driven by mere personal satisfaction or it could be furthering some other agenda so the disruption or chaos could be driven by a motive of Revenge or the political or philosophical and finally we have War the use of cyber attacks by military forces or civilian groups to disrupt enemy military operations and gain an advantage in an armed conflict War waged through cyber attacks is often called cyber warfare now that you've been introduced to thread actors and their motivations we're going to bring this information together along with their characteristics and capabilities and ultimately some examples all in a tabular format to make preparation for exam day an easy task so go going down the list here we have the nation state high level of skill motivations that include Espionage disruption and power motives we've seen Illustrated in spy movies for many years and on the news organized crime also typically high level of skill focused narrowly on financial gain fraud and extortion tend to be two of their primary motivations we have The Insider threat Now with an Insider threat the level of skill varies as does the intent so with an Insider threat the common malicious intents will be financial gain or a disgruntled employee who wants to do damage Espionage begins with an external source and usually the aim there is to steal sensitive information like trade secrets with the activist skill level can vary you know they're focused on their social or political causes a great example of a highly skilled activist organization would be the group that go simply by Anonymous the unskilled attacker is of course very low in the level of skill and they may be out for financial gain more often it's malice just trying to hurt or embarrass an adversary and often just sheer curiosity about the world of hacking and then finally Shadow it where the skill level varies but to the low end it could be a business person just buying cloud storage so they can more easily share files to the high end of skill being maybe a senior developer using their credit card to buy AWS time so they could accelerate their development activity now I want to go a step further and give you some examples and elaborate a bit but do remember The Insider threat and Shadow it these are the two that are inside the organization what these two have in common is they are generally employees they are insiders so to go one level deeper I could give you some examples so we start with the nation state that's really about stealing intellectual property State secrets we call them from a foreign competitor a lot of that is focused on the balance of power in the world we have the unskilled attacker who might do something as simple as launching a fishing campaign against random email addresses using a script they found on the internet or maybe that bought on the dark web as a kit the activist which is a port meau of hacker and activist so they might for example leak sensitive data from a big Corporation they believe is unethical for example leaking the secret pollution of an oil company or animal testing unknown to the public performed by a Cosmetics company and then we have The Insider threat who could be money focused selling customer data on the black market Market they could be focused on leaking or exfiltrating sensitive intellectual property that result in money or maybe even their next employment that's where we'll use a tool like a cloud access security broker to watch for Mass uploads Mass downloads potentially mass deletions then organized crime a ransomware attack on a major Hospital chain for example these organizations are very sophisticated and they know the RO I on these ransomware attacks they do the homework they do the math and they pick their targets we then have Shadow it this could be somebody in sales creating a cloud storage account outside of it control just so they can more conveniently share files it could be a developer spinning up an AWS or Azure subscription so they can get VMS to work on more quickly employees engaging in Shadow it are really just focused on increased productivity at least the perception of productivity and avoiding the red tape of procuring new resources so let's talk about the impact of skill and funding from another angle here so how to threat actor skill and funding level impact the threat to the organization so skill level highly skilled attackers can exploit complex vulnerabilities bypass security measures and remain undetected for extended periods of time they can Target specific systems or individuals within an organization making them very dangerous really low skilled attackers are going to be less likely to launch sophisticated attacks for that very reason they're going to rely on readily available tools or they're going to exploit well-known vulnerabilities whereas those High skill attackers may be coming at you with zero day threats or very clever exploits but even a low-skilled attacker can be dangerous if they target a vulnerable system or they trick employees into compromising security so social engineering fishing attacks are cheap and easy the ROI is good that's why fishing attacks are so common so if we think about it from a funding perspective your well-funded actors like nation states organized crime groups they can invest in advanced tools they can hire skilled attackers and develop custom malware this allows them to Target a wider range of organizations and to launch more complex attacks and larger scale attacks you're much more likely to see a distributed denial a service attack an effective distributed denial a service attack come from a highly skilled highly funded group or attacker your low funding parties are going to rely on free or readily available tools this will limit their capabilities but again it doesn't eliminate the threat they can still exploit basic vulnerabilities or launch social engineering attacks that don't require significant resources because that's the human element at play three things you can do to defend against any level of funding and skill good patch hygiene employee awareness training and defense in depth a layered defense we know patch hygiene patches known vulnerabilities that the lowf funded low-skilled attacker could come at employee awareness training teaching our employees about how to avoid falling prey to fishing emails teaching them about social engineering so they make good DEC decisions when they're asked to go around our processes and layered defenses so if those perimeter first layer Network defenses don't do the trick some other layer closer to our identities or devices and our data does stop that attack we'll be talking about threats vulnerabilities and mitigations throughout domain 2 so we'll definitely go deeper on all three so ranking them by their relative level of danger just the combined impact pretty well predictable High skill High funded are going to be most dangerous low skill low funded the least but the combination of high skill and high funding while it creates the most dangerous threats It's really because they have the resources and the skills to develop and launch sophisticated attacks that are difficult for us to defend against they can create some of those zero day attacks they can find new vulnerability ities that aren't well known which is why Aid driven machine learning driven protection out there that's based on malicious behaviors is so valuable we can't rely on anava signatures anymore but on the whole it comes down to doing the basics talking to one of my friends involved in incident response in breach scenarios she said attackers are lazy she said we're always dealing with recovery in organizations where they don't have the basics in place like multi Factor authentication they're not patching their systems they haven't configured the basic security controls around their cloud storage to reain in data leakage and oversharing and we'll definitely talk about those Basics and those best practices throughout this course that brings us to section 2.2 and here the syllabus asks us to explain common threat vectors and attack surfaces across a variety of services so we'll look at these two concepts in the context of message Based Services image file and voice removable devices software and systems networks open ports and default credentials and the supply chain which is really receiving heightened focus in 2023 and 2024 and wrap up with coverage of the human Vector social engineering covering a range of topics here from fishing to business email compromise Miss information and disinformation and a few areas you may not be familiar with like pretexting Watering Hole attacks and typosquatting but before we dive in I want to begin with the definition of a Threat Vector and an attack surface and how the two are related so we'll start with the Threat Vector which is a method or combination of methods that attackers use to gain unauthorized access to a computer system Network or data think of a Threat Vector as the pathway an attacker takes to exploit a vulnerability a few examples would be fishing emails malware and attachments unpatched software vulnerabilities or social engineering tactics and then we have the attack surface which is the sum total of all possible entry points that an attacker can exploit to gain access to a system it's really the broader landscape of weaknesses an organization or individual presents a larger attack surface means there are more Potential Threat vectors attackers can utilize so the attack surface really represents the our vulnerabilities unsecured devices weak passwords open service ports outdated software a Reliance on untrusted sources so let's bring these together in an analogy an example if you will so imagine a castle the Threat Vector would be a specific way to breach the castle like scaling a weak wall or or bribing a guard the attack surface would be the entire Castle itself including all its walls Gates and potential weaknesses like that guard we bribed so how are these related well the stronger the Castle's defenses the smaller the attack surface will be and the fewer effective ways the fewer threat vectors attackers will have to breach it we'll start with message-based services so email threat vectors here include fishing emails with malicious attachments or links spam containing malware and email spoofing for social engineering attacks your attack surfaces here include unprotected email accounts weak passwords lack of multiactor authentication poorly configured email filters your modern email Security will typically evaluate and execute URLs and attachments to make sure they're safe and they will typically rely on external threat intelligence to identify potentially malicious resources in near real time also in the message based category we have SMS or short message service so threat vectors here include SMS based fishing attacks called smishing attacks with malicious links and Sim swapping for account takeover Sim swapping where someone basically gets a new sim your sim and puts it into a different phone has been executed many times in the real world with technique as simple as walking into a mobile shop and a bad actor convincing a clerk that they are you attack surfaces here include unsecured mobile devices weak SMS verification processes and even just lack of user awareness about smishing threats and a bit of good news your mobile providers almost all offer free software to help reduce the smishing threat to basically identify these malicious text messages and to divert them from your inbox so to speak still in the message based category we have instant messages so malicious links or files shared with IM chats social engineering attacks impersonating your contacts all very common and we see these across a variety of instant messaging platforms including into the instant messaging channel on some of your social media providers your TX surfaces here are unencrypted IM platforms or lack of user access controls within your instant messaging applications it's nice to be able to configure privacy if you want so maybe only your deliberate contacts can see your contact information but that's not always easily configurable on these platforms moving on to image-based threats threat vectors here include steganography hiding malware within images fishing attacks using fake images to lure victims becoming increasingly common our attack surfaces here include downloading images from untrusted sources opening attachments without proper scanning you really see here the underlying threat is hum driven right and image-based generative AI is fueling a massive expansion of the fake image threat services like Dolly mid Journey just to name a couple but those two and many others have made generating very realistic and interesting fake images a very easy task next we have the filebase threat so malware hidden within files your documents or your executables and zero day vulnerabilities exploited through file attachments your attack surfaces here include downloading files from untrusted sources opening attachments without proper scanning outdated software with unpatched vulnerabilities all fixable with user awareness training good software hygiene make making sure we configure proper email scanning you definitely want to be familiar with the counter measures that protect against common threat vectors and we'll cover those throughout this series next we have the voice call so associated with the voice call is the Vishing attacks the Vishing attacks where attackers attempt to steal information over the phone by impersonating legitimate callers so here really a lack of awareness about vising threats weak user auth authentication processes over the phone and what really makes this dangerous is the proliferation of aib based voice deep fake attacks they make stop and verify a necessity we have seen a multi-million dollar corporate heist in the real world where a manager began transferring money for an acquisition ordered by a person on the other end of the phone he thought was his manager when in fact it was an AI based deep fake perpetrated by a bad Factor giving him their bank account and resulting in a multi-million dollar loss that has not been solved to this day and if that individual had the training in the presence of mind to stop and ask to call his boss back so he could verify by initiating the verification to a known good phone number that could have been avoided entirely this is a Threat Vector we're going to see grow significantly in the coming months and years I believe next we have the removable device this is where we see malware spread through infected USB drives or external hard drives or attack surfaces here include unrestricted use of personal USB drives on work computers and a lack of device scanning procedures so defense in depth can help certainly user awareness training to make sure employees don't bring personal USB drives to work but we can Implement policies to prevent the use of personal USB drives and if we don't we can still scan any device that's plugged into a system so again a layer defense defense in depth then we have vulnerable software so in the client-based category threat vectors include unpatched software with known vulnerabilities and outdated applications with security flaws the outdated operating systems and applications the lack of automated software update processes really good software hygiene is the fix here keep keep up with version upgrades and security patches easy peasy also in the category of vulnerable software we have agentless software so here the threat is exploiting vulnerabilities in the main software that doesn't require a separate agent for infection so while the attack surface is less less configurability limited patching options and increased Reliance on the vendor security are all risks agentless is attractive because there's nothing for us to deploy in the resource foot print is often less but it definitely comes with some potential downsides so you'll definitely want to discuss these concerns with the software vendor preferably before adoption next we have unsupported systems and applications so Legacy applications Legacy systems your primary Threat Vector here is attackers targeting known vulnerabilities in unsupported software where security patches are unavailable often times so using outdated and unsupported operating systems or applications due to lack of upgrade options are your primary attack surface here so even if the organization just can't deal with getting to a new version of the software what they can do is look at Network segmentation or isolation to reduce the threat to reduce the exposure and I've seen this in industrial and Manufacturing scenarios where you have systems that are decades old they haven't been supported for years but the business relies on them and that's what we do we segment and isolate those systems so they're not vulnerable to attack because their attack surfaces are not exposed on our networks to the extreme in manufacturing scenarios you'll see systems like this air gapped so there's no way to get to them next we have the unsecure networks category so let's start with wireless threat vectors here would include man-in-the-middle attacks on unencrypted Wi-Fi networks or EES dropping on network traffic so our attack surfaces here include connecting to public Wi-Fi networks without a VPN or using weak encryption protocols on wireless network so if we minimize our use of public Wi-Fi and keep access points updated and patched so we're using modern protocols and we don't leave our passwords at default we should be in good shape in the wired category your threat vectors here include physical access to a wired Network for un authorized access or malware spreading through a network your attack surfaces here include weak Network segmentation which enables lateral movement if a bad actor should get a foothold in your environment a lack of physical security measures for Network equipment so earlier in the series we talked about physical security and the fact that there is no security without physical security if I can get into that wiring closet where the network devices live there's no amount of logical security that's going to help but from a logical controls perspective Network segmentation or micro segmentation or key defenses if we put systems that need to communicate into the same segment whenever possible and prevent systems that don't need to communicate with those from entering that segment that's going to be an effective defense and to close out the unsecure networks category we have Bluetooth so your primary Threat Vector here is Bluetooth hijacking for data theft or malware infection and your potential threats here can range from annoyance attacks to full device takeover the attack surface here is unidentified or unsecured Bluetooth connections leaving bluetooth enabled on devices even when they're not in use which is a no no training your users to make sure that they only turn Bluetooth on when they need it for example if they're connecting a wireless headset next we have open service ports so your primary Threat Vector here are attackers exploiting known vulnerabilities and exposed Services running on specific ports so if you leave HTTP unencrypted HTTP running on Port 80 Bad actors will find that through a port scan if you leave RDP remote desktop protocol running and available to the internet for IT staff to connect for support purposes Bad actors will find that in a port scan these are precisely your attack surfaces unnecessary Services running on a system a failure to disable unused ports so even if you have to allow unencrypted HTTP to run on Port 80 you're going to have your external users your customers or whomever connecting to https on Port 443 so close down that Port 80 that's facing the internet and just inadequate network access control so for that remote support scenario you'd only want employees connecting to remote desktop protocol so make sure they have to connect to the corporate Network through VPN for example or incorporate just in time capabilities into your security where users can activate a port so it's available when they need it and close down when they're done we call that just in time or jit access you'll find several Cloud offerings out there that give you that sort of capability with the major cloud service providers next we have default credentials where your Threat Vector is Brute Force attack to guess default usernames and passwords for system access and if through a network probe that bad actor can get your device to respond maybe with a banner to tell them what kind of device it is they might not even need brute force your attack surfaces here leaving devices or applications with default credentials a lack of strong password policies generally next we have the supply chain and managed service providers vendors and suppliers are all cited on the exam and at a high level our primary Threat Vector here is compromise systems software or services within a supplier's network leading to attacks on their clients which of those is the culprit of course depends on the type of MSP vendor or supplier we're dealing with but our attack surface here our risk is a lack of vendor risk management or limited visibility into the vulnerabilities and security practices of our thirdparty providers if it's a cloud service provider like a Microsoft Azure or Amazon's AWS they will provide us on Demand with a sock 2 type 2 audit they'll provide ISO 271 audit we can look at their services to see that they are compliant in a measurable reliable way but even if you have you know good vendor risk management in place with some third parties like a third party consulting company you may only have their self attestation to go on when they say that they PR practice good security hygiene on their consultant's laptops for example but at the end of the day the risk here is direct or indirect exposure to all of a vendor's vulnerabilities and in the extreme we see a breach as we saw with solate with solar winds where the software itself was infected which meant that the threat the breach quietly made its way from the vendor into the customers on a mass scale so before we get into the social engineering category I want to talk through the principles of social engineering and there are six or seven depending on who you talk to so we'll look at the principles behind successful social engineering attacks so we have authority basically citing position responsibility or affiliation that grants the attacker the authority to make the request intimidation suggesting you may face negative outcomes if you don't facilitate access or initiate process consensus claiming that someone in a similar position or a has carried out the same task in the past scarcity limited opportunity diminishing availability that requires we get this done in a certain amount of time similar to urgency though scarcity is usually related to quantity next we have familiarity attempting to establish a personal connection often citing mutual acquaintances what we call social social proof familiarity is sometimes called liking then there's trust citing knowledge and experience assisting the target with an issue to establish a relationship and finally urgency time sensitivity that demands immediate action similar to scarcity but generally time-based you will often see urgency and scarcity used together in Social Engineering based attacks so all of these principles factor in to delivering a success uccessful social engineering attack which is an attempt by an attacker to convince someone to provide information like a password or to perform an action they wouldn't normally perform like clicking on a malicious link social Engineers may try to gain access to it infrastructure or even the physical facility but they're using those social engineering principles to get a user to abandon their normal thinking to go outside of company policy or process and to set the stage for our first social engineering concept want to touch on fishing which is commonly used to trick users into giving up their personal info like their passwords or to click a link so that's an email-based attack and we have spear fishing which targets A specific group of users so the fishing attempt may be a little more difficult to detect because it was crafted for a specific group whaling which targets typically highlevel Executives or really any high value Target then two we talked about earlier fishing which is voice fishing it's phone based and smishing which uses SMS or text messaging on mobile so fishing is the number one Cyber attack in the world today it's a common entry point for ransomware you want to be familiar with all of these variants here for the exam and also know that the best defense for social engineering on the whole and any of these fishing or variants is security awareness training basically user education okay so let's dive into the human vectors social engineering so we have fishing fishing smishing that we just talked about these are deceptive emails phone calls or SMS messages tricking users into revealing sensitive information or clicking malicious links attack surface is here lack of user awareness about social engineering tactics and user susceptibility to pressure or urgency tactics I like to deliver security awareness training quarterly and I teach users about those principles of social engineering I teach them how people are going to attempt to fool them you have two defenses here plain and simple two primary defenses show users less malicious content which means improve your security layers your email filtering make sure your users have software on their mobile devices that reduce the number of SMS messages that are malicious that are shown to them software that will block the spam phone calls which could be the precursor to a voice based deep fake you know capturing their voice so AI can then reproduce it and again the good news is there all of your major mobile providers have free or low cost software that will provide of these protections from smishing and Vishing you know the spam in text and voice and then the other way is to reduce the likelihood they will click or respond to those requests next we have misinformation and disinformation so the vector here spreading false or misleading information to manipulate public opinion or disrupt decisionmaking the attack surface here is human understanding Reliance on unverified sources of information or difficulty in Discerning truth from fiction online not all users are going to be equally savvy so user education and awareness training is a good defense here show your users where they can get reliable news online show them how to verify or debunk stories that appear Sensational or suspect then we have impersonation and business email compromise so here attackers in their creativity and leveraging social engineering principles are the primary threat vectors and your attack surface here is the user their vulnerability to emotional manipulation deceptive content as well as exploitation of their trust generative AI has made attacks in the area of email much more difficult to detect although on the flip side when you have an impersonation attack an impersonation attempt the email usually comes with a known employee name like the CEO but from an unfamiliar address and your email systems in the cloud like Microsoft Exchange online for example will increasingly give you some indication that even though it looks like it came from the CEO it came from an address that you don't normally say but in terms of the quality of these attacks generative AI has made it more difficult to detect because generative AI like a chat gbt will write good English emails for a haers that don't even speak English next we have pretexting and I want to give you a little background before we get into the threat vectors and attack surface there so pre in a pretexting attack an attacker tries to convince a victim to give up information of value or access to a system the distinguishing feature here is that the attacker develops a story or a pretext in order to fool the victim the pretext often leans on establishing Authority for the attacker as someone who should have access to the information the pretext often includes a character played by the scam artist and a plausible situation in which that character needs access to the information and to that end pretexting was called out on the syllabus in the human Vector social engineering category so it's deceptive communication where an attacker invents a scenario that pretext to gain a victim's trust and extract information or access the attack surface here is in many senses procedural so a lack of verification procedures for callers or requests or a user willingness to help without proper caution so those social engineering principles definitely factoring here but teaching users to pause and verify can reduce the risk so as part of that awareness training when a user gets an unusual request that's going around a process they should learn to pause and go verify if they have to call a third party within the company a man manager or someone to verify that it's okay they're doing what they're doing or if this is a request from a direct Superior and they simply need to verify it is who they believe it is they can hang up the phone and call them back but in either case when it comes to user awareness training today there's a lot of value in teaching users to pause and verify when they're going out of band outside of policy and procedure next we have the watering hole so the Threat Vector here uh when attacker compromise a legitimate website frequently visited by a Target group it's the watering hole and when victims visit the compromised site they become infected with malware or have their credentials stolen and again it's social engineering so the target is the user the attack surface here are users uh unfamiliarity with secure browsing practices visiting untrusted websites and while we can certainly Implement web filtering to reduce the likelihood users will visit malicious sites there's no security that's going to be perfect so the best defense there is going to be a combination of appropriate filtering web filtering email filtering to check those malicious URLs and well-trained users through security awareness training then we have brand impersonation this is where attackers create websites social media accounts or emails that closely resemble those of a legitimate brand to trick victims into revealing personal information or clicking malicious links this often comes down to a simple lack of attention to detail when interacting with online content not verifying the legitimacy of a website or a vendor and there are some protections for this you know certainly user awareness training first and foremost but in email systems most corporate environments today Implement a banner on every external email that comes in that tells the user in big red Tech this email came from an external Source review it carefully we don't have quite the same capability in a website though URL link validation is available in some of your better email scanning and and filtering systems last on the list is typo squatting but to give you just a bit of background here typo squatting is a form of cyber squatting sitting on sites under someone else's brand or copyright and targeting users who type an incorrect web address so basically minor misspellings and the like this is sometimes called URL hijack it may involve misspellings or the use of cerlic characters these attacks often employ a drive by download that can infect a device even if the user does not click anything just the act of visiting the site triggers the download so your threat vectors here attackers register domain names with slight misspellings of popular websites the misspell google.com or microsoft.com so when users mistype the address they're directed to a malicious website that might steal credentials or infect their device do a drive by download the attack surfaces here is user air and not being careful in Typing Web addresses but also not checking the URL carefully before entering login information or clicking on that URL in an email really just a habit that needs to be trained into users with recurring security awareness training and that brings us to section 2.3 where we'll be focusing on on vulnerabilities more specifically the syllabus asks us to explain various types of vulnerabilities we'll examine vulnerabilities across a number of categories including application operating system web-based vulnerabilities hardware virtualization Cloud specific a much bigger topic than that single line on the syllabus indicates supply chain cryptographic and misconfiguration mobile device and finally zero day vulnerabilities but before we dive into all this material there are four terms you must know before we begin these represent foundational knowledge that will help you to understand everything we're about to talk about so I'll cover those right now first we have vulnerability which is a weakness in a system application or infrastructure that can be exploited to gain unauthorized access or to cause damage it's the flaw or Gap in security that could be taken advantage of then we have a threat which is a potential event that could exploit a vulnerability and cause harm it's the possibility of something bad happening an exploit is a specific method or tool used to take advantage of a vulnerability it's like the recipe for hacking that leverages the system's weakness and finally the attack which is the actual attempt to exploit a vulnerability to achieve the malicious goal so let's look at how these relate to one another in the context of a potential security breach so a vulnerability exists in a system a bad actor identifies this threat and sees an opportunity the attacker then develops or uses an existing exploit to take advantage of the vulnerability and if successful this becomes a full-blown attack causing harm to the system or its data let they give you a simple analogy to to tie all these together that you may find helpful so imagine a house with a weak lock that's the vulnerability we have a burglar who is the threat who sees this and uses a crowbar the exploit to break in the attack so by understanding these terms and their relationship you should be able to better identify and address security risks in your own systems but for exam day it will help you understand what's being asked of you in those exam questions let's get into vulnerabilities beginning with buffer overflows which are attacks attackers use to exploit poorly written software a buffer overflow exists when a developer writes code that doesn't validate user input to ensure it doesn't allow input that is too large for its memory space so when this occurs or is exploited code or related data can overflow the memory buffer we prevent this with input validation and we can identify this with appropriate software testing maliciously inserting information into memory is known as memory injection and this is the primary goal of a buffer overflow Attack One version of the buffer overflow is the integer overflow which involves putting too much information into too small of a space that has been set aside for numbers it's a type of arithmetic overflow air when the result of an integer operation does not fit within the allocated memory space instead of an air handled in the program it usually causes the result to be unexpected and this often leads to buffer overflows and is generally ranked as one of the most dangerous software errors your err messages may include overflow or arithmetic overflow your countermeasures in this case are secure coding practices where we make sure we're validating the size of our data this is generally handled through appropriate typing of our variables so we could use larger variable types like long in Java or long integer in and C both of which accommodate 64 bits next we have race conditions which is a condition where the system's behavior is dependent on the sequence or timing of other uncontrollable events so the time of check is the moment a system verifies access permissions or other security controls and the time of use is the moment when the system accesses the resources or otherwise uses those granted permissions this creates a vulnerability to a time of check time of use exploit it's a timing vulnerability that occurs when the program checks access permissions too far in advance of a resource request and when use is attempted access is no longer there next we have malicious updates which is where an attacker attempts to deploy a fake patch that is designed to compromise the security of an application or an operating system software Publishers can protect against this threat with code signing and if systems only accept signed updates the threat is effectively mitigated when it comes to operating systems we have several potential os-based vulnerabilities default settings like default passwords or settings that are insecure out of the box or even unneeded apps or Services all of which become potential paths for attackers I will say many operating systems today aim for secure defaults I know that's true with mac and windows in particular but you still need to establish your intended starting point what we'd call your configuration Baseline which brings us to configurations or misconfigurations as configurations are often intentional but they may not be secure and that's where secure configuration baselines come in handy we establish a baseline configuration a starting point that we know covers our needs in production without unwanted apps and services and then we can use a vulnerability scanner to ensure that we don't have any holes in our configuration any security holes that is then we have privilege escalation vulnerabilities that allow attackers to gain higher privileges on a system than they should have allowing access to sensitive data or to install malware the fix here is we require authentication to elevate so that's user access control in Windows or sudu on Linux and Unix platforms zero day are a category of vulnerabilities that are unknown to the software or Hardware vendor and very dangerous because there is no patch available able to fix them defense in depth with AI and NextGen capabilities that we see in xdr extended detection and response intrusion detection and prevention systems as well as casby Cloud access security Brokers can offer layers of Defense to help identify potentially malicious behaviors and stop them before they become a full-blown attack bottom line an operating system has many features but the zero day can Target other apps systems data and infrastructure and in those many os features we have to remember the more features we enable the greater our attack surface that's why for operating systems on the whole we want to establish that secure Baseline that gives us the configuration with functionality that we need and nothing that we don't next up we have vulnerabilities compromised through web-based threats and these are exploited due to weakness in improper input handling the first vulnerability we're going to examine is used to compromise front-end web apps and their back-end databases amongst the most common we have the SQL injection attack which use uh unexpected input to a web application to gain unauthorized access to an underlying database SQL injections are not new and they can generally be prevented through good and secure coding practices your common counter measures include input validation first and foremost using stored procedures pre-compiled code rather than SQL queries SQL statements and to limit account Privileges and another in the web-based category you should know for the exam is a type of injection that uses malicious scripts called the cross site scripting attack it's a type of injection in which malicious scripts are injected into an otherwise benign and trusted website often through an input field it occurs when an attacker uses a web application to send malicious code to a different end user it occurs when web apps contain what's called reflected input as with SQL injection a good defense is input validation and filtering to catch malicious scripts and validating data length and data type now the cross-site scripting attack exploits clients I trust but the server plays a role as well let me explain through an analogy just a simple example so here's something you might find helpful let's take a Bakery accidentally mixing broken glass into a batch of cookies that's the server side vulnerability people buying those cookies from the bakery would trust that Bakery but if someone eats those cookies they're going to get hurt that's the client side execution the bakery the server in this case is responsible for ensuring safe ingredients validated user input validating those ingredients ensuring those cookies are safe before serving them to their customer just as the server should validate the input on that web page before serving it to the trusting client an oversimplification but I hope that helps in in digesting the cross site scripting attack and next we have the hardware category and Hardware vulnerabilities require attention in the design phase because some of your compensating controls are Hardware based firmware is a commonly attacked vulnerability and firmware attacks can occur through the update process or oneoff malicious downloads that impact the boot process good prevention here is a trusted platform module or TPM on the motherboard to facilitate a secure boot process and we'll dig into the TPM elsewhere in this series next we have end of life so aging equipment that has some usable lifespan left you should have a timeline of replacement in advance of production deployment because replacing that Hardware is going to require both budget and time and effort for the project to perform the replacement to migrate applications or data that reside on that Hardware over to the new hardware and then we have Legacy now the definition of legacy is a bit less clear and can take on several meanings but for the exam Legacy is used to describe Hardware software or devices that are unsupported next we have the virtualization category so server virtualization is the process of dividing a physical server into multiple unique and isolated virtual servers by means of a software application the hypervisor so virtual servers are commonly called VMS hypervisors would include things like VMware ESX or esxi or Microsoft's hyperv the related Concepts around this indicate server virtualization is the focus in this portion of the exam in this particular line item and that's because the vulnerability site it is VM Escape where an attacker gains access to a VM then attacks either the host machine that holds all the VMS the hypervisor or any of the other VMS proactive measures here would include ensuring patches for hypervisor and VMS are always up to date and guest privileges are low server level redundancy is a good idea and host-based intrusion detection and prevention are also effective the other vulnerability cited in this category is resource reuse which happens when Cloud providers take Hardware resources originally assigned to One customer and reuse them with another this creates a risk of data remnants due to incomplete eraser if the storage isn't securely erased there may be some recovery of data possible through forensic means So to avoid this you want to make sure that you encrypt your sensitive data so it cannot be recovered by the next customer through forensic techniques in a VM that's going to be very simple full disc encryption so that's going to be bit Locker on the Windows platform that's going to be DM Crypt on the Linux platform next up is the cloud category which takes on height and relevance here in 24 I actually have 11 examples of vulnerabilities I'm going to touch on in this category for you all coming from an authoritative list and a very credible source so the primary vulnerability in the cloud is that it is an internet based model organizations could be at risk if the csp's public facing infrastructure comes under attack number one any attack on your CSP or Cloud vendor may be unrelated to you as an organization threat actors may be targeting the CSP or another tenant of the CSP even and technically risk could even come from other tenants as well but in this scenario customers may be collateral damage of an attack on the CSP in some circumstances I want to take you through a list of cloud specific risks from the cloud security Alliance they detail the top Cloud specific security threats in their list entitled the CSA egregious 11 there's a word you don't hear every day egregious means shockingly bad in case you're not familiar I'll list the 11 here some perhaps you've seen before many I suspect you've never heard of and we'll dig into each of the 11 in detail one by one first we have data breaches which is the loss of sensitive data personally identifiable information protected Health info intellectual property sensitive data due to security breach and that's data loss now if we hear data leak that refers to unintentional loss or oversharing of data so keep data leak and data breach separate in your mind for exam day misconfiguration and inadequate change control so software can offer the most secure configuration options but if it's not properly set up then the resulting system is going to have security issues we remediate this risk we prevent impact through change in configuration management lack of cloud security architecture and strategy so as organizations migrate to the cloud some Overlook security or fail to consider their obligations in the shared responsibility model you need to know who is responsible for security at each layer in the cloud because sometimes it's you and sometimes the cloud service provider will provide a feature for you to configure to make that feature secure but you're responsible for configuration and that's often due to the fact that every customer's needs are different and you need to configure it to tailor the feature to your environment then there's insufficient identity credential access and Key Management the public Cloud offers benefits over Legacy on premises environments but it also brings additional complexities often in the form of new ways to configure familiar capabilities two great examples are identity and access management and secret and Key Management which are going to be very different in the cloud versus on premises on the whole identity and access management encryption key management all of it tend to be greater versus what we see on premises but new ways to implement these familiar features so there's going to be something of a learning curve next we have account hijacking is credential theft abuse and or elevation to carry out an attack fishing is going to be the most common approach here statistically speaking Insider threats of the vulnerability here are disgruntled employees employee mistakes and unintentional oversharing so notice the threat is both due to intentional damage and unintentional damage so job rotation and privileged access management will help us deal with the intentional and auditing and security training can help us to identify the unintentional and we have insecure interfaces and API so customers failing to secure access to systems gated by apis web consoles and other Cloud interfaces controls include multiactor authentication ro-based access control or key based API access to name a few a weak control plane so weaknesses in the elements of a cloud system that enable Cloud environment configuration and management is what we're talking about here the web console the C Elis and apis that are all available to facilitate management and automation you can mitigate these vulnerabilities by and large by following the csp's advice your big csps the Amazon microsofts Googles all provide reference architectures to ensure customers secure and isolate their Dev test and prod environments as well as their data they all provide a well architected framework a cloud adoption framework and more recently a zero trust adoption framework so for Insider threat I gave you some options for minimizing that threat but I want to show you some protections that are offered by csps in terms of tools or services in the cloud that allow us to proactively monitor for not only real Insider threats but the potential of Insider threat and again the exam is vendor agnostic so this is just an example for context the capabilities are going to vary by CSP I'm going to quickly browse to compliance. microsoft.com this is Microsoft's perview compliance portal where we can configure a variety of features that help us with data in particular and I'm going to scroll down in their Solutions menu here and you'll see they have one called Insider risk management and it comes complete with features beginning with guided configuration so you see here they gave me the top actions to help getting us up and running and then once we have the feature configured so it's monitoring for those user actions you see they have an alert portal here so we can see any potential alerts that have been flagged we can create cases so we can investigate and gather all the evidence one would imagine that's generally for intentional Insider risk so the disgruntled employee category we can configure policies here that will go out and scan daily user activity they're tracking users reports you can even see here a forensic evidence tab which is an investigative tool for viewing captured user activity and this Insider risk feature even has notice templates so we can standardize our communication and some adaptive protection which is going to involve some intelligent words like adaptive and intelligent usually tip us off that the feature involves Ai and machine learning or some other Advanced functionality continuing down the list we have metastructure and appla structure failures so vulnerabilities in the operational capabilities that csps make available like apis for accessing various cloud services the danger here is if the CSP has inadequately secured these interfaces any resulting Solutions built on top of those services will inherit these weaknesses we should address those terms meta structure and appla structure So Meta structure are the protocols and mechanisms that provide the interface between the cloud layers enabling management and configuration appla structure are applications deployed in the cloud and the underlying application Services used to build them an example would be in platform as a service features like message cues or functions that drive automation when triggered or messaging services of various sorts where the CSP is providing a great deal of functionality that we can leverage through simple deployment so who would be responsible in a situation like that well responsibility in this case would rely with the cloud service providers customers need to verify the CSP has implemented their own secure software development life cycle to ensure the service is adequately secure which means you may want to go to their portal and download a sock 2 type 2 audit and make sure that the service has been audited by a third party and it is adequately secure for your purposes as a customer and that's the takeaway I want you to focus on for the exam don't worry about memorizing meta structure and appla structure those terms aren't coming up on this exam next we have limited Cloud usage visibility this refers to when organizations experience a significant reduction in visibility over their information technology stack this is because in some models the CSP own owns the stack so whether or not this is truly a vulnerability comes down to understanding your responsibility in the shared responsibility model and if there is some bit of information that you need to know that the CSP isn't showing you in the built-in reporting and finally we have abuse and nefarious use of cloud services while the low cost and high scale of compute in the cloud is an advantage to Enterprises it's also an opportunity for attackers to execute disruptive attacks at scale because multiple customers share infrastructure it makes executing distributed denial of service and fishing attacks easier but more importantly it makes it less expensive for Bad actors to acquire highs scale compute for a low cost so they can disrupt organizations anywhere so csps have to implement mitigating security controls for these sorts of risks and the big three are all going to have some sort of built-in DDOS protection and potentially an optional premium tier of some sort you can buy to allow for enhanced configuration so just understanding these vulnerabilities and how the attack surface changes is half the battle now the question is how do we deal with these and there are several approaches to risk mitigation in Cloud environments many are just common sense it begins with selecting a qualified CSP making sure we have a CSP with the infrastructure and operations to support our needs and the security in place for the areas where they are responsible the next step is designing and architecting with security in mind security should be considered at every step starting with design we call that Dev SEC Ops the next risk mitigation tool is encryption and data should be encrypted both at rest and in transit storage and database encryption at rest TLS and VPN in transit and finally ongoing monitoring management to maintain security posture your major csps provide the ability to manage and monitor configuration security and to monitor changes to cloud services as well as to track usage and cloud service providers do offer some help here so again just for context I want to show you an example of how a cloud service provider gives you services and support for ongoing monitoring and maintenance of your security posture in the cloud as an example I'm going to show you Microsoft Defender for cloud which is a monitoring feature that allows us to monitor our Cloud security posture as well as some workload specific monitoring but for purposes of this discussion I'll just go to the Microsoft Defender for cloud portal and I'll come down here under Cloud security and click on security posture and what you'll see here is they even give us a score they gamify it so to speak and that gamification is important because it quantifies my current position so if I see that score go up or down I know if I am improve proving or regressing when I see the unhealthy resource count go up or down I know which direction my security posture is headed so let's look at the recommendations here and they're going to give me a list and in this particular tool for Defender for cloud they actually prioritize based on the impact and the ease of effort that is to say they're going to put the big wins and the quick wins up to the top of the list and I see some common sense recommendations here I should enable dis encryption on these VMS I should configure secure Communications on this server and here's another common sense one web application should only be accessible over https of course it should let's click on that recommendation and see what they give us under the hood and so here I see they describe the deviation from best practices and they even give me recommended actions and in this case they've gone a step further and they give me a quick fix and they mention that after we fix it it can take up to 30 minutes until this moves into the healthy category but if I click on fix here we notice we have just push button remediation so there's a lot of cloud security posture management support for us in this tool and similar tools on other Cloud platforms as well and they go beyond that in this particular tool we even see workload protections which would give us some features specific to P services for example like databases and web applications and they even have some Regulatory Compliance monitoring they can help us with but bottom line when it comes to ongoing monitoring and maintenance of your security posture it behooves these cloud service providers to ensure you are successful so you continue to be a subscriber so they give you tools to make that an easier task generally speaking let's move on to the supply chain category So Sophisticated attackers may attempt to indirectly interfere with an organ organization's business through their supply chain attackers might gain access to Hardware devices at the manufacturer or while in transit from the manufacturer to the end user to the company they may install back doors or other malware for device control they may also Target software providers inserting vulnerabilities into software before it's released attackers May compromise managed service providers to gain access to their Network and by association the customers they service so the vulnerabilities as you can imagine very widely based on the type of vendor in the supply chain we're working with so good prevention here is effective vendor management practices that uncover service provider security posture and practices to reduce risk to ensure that we are not inheriting vulnerabilities that impose an unacceptable level of risk on our business next up we have cryptographic vulnerabilities these are the weaknesses flaws in a cryptographic system that can be exploited to compromise system security this is another big topic we could spend hours on I'm going to give you a few examples here to give you some context of a range of areas of concern so you have some perspective for the exam so examples like weak encryption improper Key Management inadequate Randomness and authentication key lifetimes public key length symmetric key length the strength of our implementation so in the area of cryptography you know vulnerabilities like these can lead to severe consequences like exposure of our sensitive data unauthorized system access and other security breaches let's step through these examples one by one to give you some perspective starting with weak encryption so using an encryption algorithm that's no longer considered secure for example like Dez or RSA with a small key size which can make it easier for an attacker to decrypt information we want to make sure we select algorithms that are well suited to our use case widely accepted as secure make sure we pick an adequate key size before we move into implementation improper Key Management so failing to protect access to encryption Keys adequately can compromise the sensitive information they protect Keys should be stored in an access restricted store or vault inadequate Randomness some cryptographic algorithms such as generating session Keys require a source of random numbers and all of cryptography relies on Randomness on entropy so so in a situation where we need to provide Source random values we'd want to use a true random number generator not a pseudo random number generator which can weaken our encryption we're minimizing predictability next we have inadequate authentication so failing to authenticate parties properly in a cryptog graic exchange can lead to man in the- Middle attacks where an attacker intercepts and Alters Communications unauthenticated or even anonimous access is a big no no when we think about security key lifetimes the length of the time a key is used for encryption can affect the security of the cryptographic system the longer that key is around the more likely it is exposed to some compromise so for example client and server certificates should typically have a lifespan of no more than approximately one year in fact last I looked I believe the recommended lifespan of an x.509 certificate is somewhere around 390 395 days as an industry standard we have public key length so given a key of the same length public key cryptography also known as asymmetric cryptography is generally more vulnerable to attacks than symmetric key cryptography so for example it's recommended that we use a 20 48 bit key length for our x.509 certificates those are the certificates you'd issue from a pki so remember asymmetric comes up in cases where we need to securely transmit a symmetric key for bulk encryption digital signatures several other uses but complimentary to symmetric as I just mentioned the length of the symmetric key can also affect the security of the cryptographic system even with a currently accepted algorith so you have perfectly secure algorithms that offer differ key links for example with AES a 256bit key length is required in some US Government scenarios AES for example supports key lengths of 128 192 and 256 bits so shorter key length means fewer possible combinations which means greater vulnerability to Brute Force attacks for example next is strength of implementation so ensuring cryptographic Solutions are properly implemented is as important as selection of the Secure Solutions themselves it's crucial to implement the systems as recommended and to keep them updated to protect against vulnerabilities our next category is misconfiguration which occurs when a configuration mistake is made Human air for which Impact May Vary there are a variety of ways we can prevent human err in infrastructure is code configuration management tools continuous integration and continuous delivery or cicd checklists and templates to minimize the need to perform manual steps again and again change management that requires test and review and regular security Audits and vulnerability scans all of these will get mentioned somewhere in this series but all Concepts you should be familiar with in terms of their value to security moving on to the mobile device category we have rooting and jailbreaking custom firmware downloads are used to root an Android mobile device for example this gives us a higher level of permissions on a device and removes some elements of built-in vendor security the equivalent on Apple's IOS is jailbreaking it allows you to basically run unauthorized software and to remove device security restrictions now you can even still access the Apple App Store even though jailbreaking has been carried out for the exam remember that rooting and jailbreaking remove the vendor restrictions on a mobile device to allow unsupported software to be installed potentially malicious software to be installed continuing with mobile device threats we have third-party application stores so there is certainly a danger of downloading apps from thirdparty App Stores as there is no guarantee of the security of the app being installed this is a vulnerability it poses a risk as the vetting process for mobile apps and third party stores may be less rigorous than the official app stores we see for Android and iOS for apple and finally we have side loading which enables installing an application package in an APK format that's an Android format on a mobile device it's useful for developers to run trial of thirdparty apps but it also allows unauthorized software to be run on a mobile device and last but not least the zero day category so zero day exploits are attacks that use a vulnerability that's either unknown to anyone but the attacker or known only to a limited group of people basic security practices can often prevent zerod day vulnerabilities today AI machine learning and user and entity Behavior Analysis driven antivirus Sim and sore intrusion detection and prevention extended detection and response all offer some defense against zero day exploits because they're not based on watching for Signature matches they're looking for malicious behaviors they're looking at threat intelligence that helps to identify known Bad actors known malicious IP addresses software known to contain malware and here again all solutions will cover throughout this series that brings us to section two .4 where we'll focus on indicators more specifically given a scenario analyze indicators of malicious activity in this section references several categories of attacks malware physical attacks Network attacks application attacks cryptographic attacks and password attacks but in line with the name of this section we see the final area is indicators or indicators of compromise we call them so when it comes to cyber attacks on the Security Plus exam you should understand the basics of the attack how we mitigate that attack what are our preventative measures our counter measures but also we need to be familiar by this section with the indicators so I think we're going to rearrange the order here ever so slightly there are three terms I want to familiarize you with before we get into the content of this section but I'm also going to take that indicator section and I'm going to move it to the front of our discussion knowing a bit about these indicators before we talk about those indicators in the context of these various cyber attacks will be helpful so another long form reference to indicators as indicators of malicious activity for purposes of our discussion here we're simply going to call them indicators indicators are signs that something suspicious might be happening on a system or network and it could be technical like unusual login attempts or data exfiltration or it could be behavioral like employees downloading suspicious files they don't necessarily mean an attack is underway but they warrant investigation for sure then we have malicious activity which is a potential event that could exploit a vulnerability and cause harm malicious activity can be detected by indicators but it may be more subtle and require deeper investigation to get to what's really going on and then we have a cyber attack which is a deliberate and focused attempt to exploit a system or network vulnerability to achieve a specific goal this is the actual execution of malicious activity with a specific goal in mind so indicators malicious activity and Cyber attack let's put these in context through an analogy so indicators are like smoke detectors they might go off because of burning toast a false positive or A real fire a true positive malicious activity is like seeing Flames flickering in a window it suggests something bad is happening but it could be an unattended candle or a full-blown fire the attack is the actual fire spreading through the house it's the most damaging event in the sequence confirming malicious intent and causing significant harm with the important terms behind us let's move into indicators beginning with account lockout an account lockout happens when someone repeatedly fails to log in with the correct credentials suggesting Brute Force attacks or stolen passwords next we have concurrent session Usage Now if someone has access from geographically impossible locations at the same time it could indicate account compromise and someone else being logged in simultaneously so if my account shows I'm logged in in Sacramento and also logged in from Sydney Australia that would be a problem that's problematic concurrent session usage then we have blocked content so security systems might block access to malicious websites or files and when we see frequent attempts to access blocked content it could be a sign of malware trying to phone home next we have impossible travel time so logging attempts from locations too far apart in a short time span might indicate stolen credentials being used elsewhere so if I have a login from Sacramento and then 30 minutes later I log log in from Sydney Australia so not at the same time but in Rapid succession that indicates a greater distance than one could travel in that short amount of time resource consumption a sudden spike in resource usage that might be CPU memory Network could be disc which could be malware running or a hacker trying to exploit system vulnerabilities and then resource inaccessibility so critical resources being inaccessible could be a sign of a denial Asser or distributed denial a service attack or malware tampering with systems and resource consumption can lead to Resource inaccessibility if all the resources are consumed by a malicious function there won't be resources available for our application next we have out of cycle logging security systems typically log events on a schedule like every 5 minutes for example we might see a check-in in the system log so un scheduled or unexpected logging activity could indicate tampering or an attempt to cover tracks maybe we see a spike in the number of login attempts being logged in our security logs and it's not you know during the morning Rush that's an indication of something unusual then we have published or documented indicators so if a specific exploit or malware is well known Security Professionals might track instances where it's being used and finally missing logs so security logs are crucial for investigating incidents they give us our audit Trail and missing logs could be a sign of tampering by a bad actor to avoid detection now we'll step into attacks beginning with malware first we have ransomware so what is ransomware exactly well it infects a Target machine and then it uses encryption technology to encrypt documents spreadsheets files whatever it can find with a key known only to the malware Creator the user is unable to access their files they receive that popup message warning that the files will be permanently deleted unless the ransom is paid within a short period of time ransomware is actually a Trojan variant we'll talk about Trojans in just a moment there are a number of counter measures and prevention techniques we can use to defend against ransomware think of counter measures as reactive security controls and prevention as proactive so in the countermeasures category we can back up computers store backup separately we can back up our cloud storage it's quite common to see businesses back up their one drive associated with Office 365 for example because even if your cloud backup has a way to recover files taking a backup with a third party tool or with a separate complete backup allows us to restore them more quickly and user awareness training Can Be an Effective countermeasure so when a user sees ransomware they know how to respond essentially not to take any action and to escalate to it but your Cloud hosted email and file storage definitely ease in this backup process today and then we can think about prevention those proactive techniques keeping computers patched keep your applications updated use caution with web links most of your email filtering software nowadays will also have some sort of safe links functionality that will evaluate those links to make sure they're safe but nothing is perfect use caution with email attachments same story a lot of your email filtering and and protection software will now have a feature that detonates those attachment in a sandbox to make sure they're safe verify email senders every organization I know Flags mail coming from an external source with a red banner or something similar that says from an external sent proceed with caution and any sort of preventative software program this could be EDR xdr any number of features out there that protect against successful deployment of ransomware and modern EDR and xdr AI driven cloud services can definitely help in the prevention category they'll have access to external threat intelligence they monitor for emerging threats what some call zero day behaviors and generally they'll have some sort of portal that give you Central visibility into any situations of concern in your organization and at the highend of quality even some automated investigative capabilities up next we have the Trojan so a troen is a software program that appears good and harmless but it carries a malicious hidden payload that has the potential to wreak havoc on a system or a network good defense only allows software to be installed from Trust sources and don't let users install software install approved software for them set up a request process so when a user needs new software that's not already standard sanctioned software they have a path for approval and we have spyware so this is software designed to Monitor and steal a user's activity without their knowledge it can capture keystrokes passwords browsing habits and other sensitive information how do we mitigate spyware well we can install an update anti-spyware software teach users to be cautious of free software downloads that may contain spyware adjust browser privacy settings to limit tracking in a corporate environment we can typically do that at scale through policy on an individual basis teach users to be mindful of the information they share online and of course use strong passwords and avoid using them on multiple websites and that's another item that's important in our user security awareness training to make sure users know that when they create that strong password at work they don't take that home and reuse it on websites that they use in their personal life now let's pause and talk about some of those indicators specifically for ransomware Trojan and spyware because they have a few in common so a count lockout is certainly possible if malware attempts Brute Force logins to gain access to additional systems certainly a possibility with any of these the Trojan in particular could be delivering bad news like that blocked content may occur if security blocks malware upload or download attempts we could see resource consumption High CPU memory or network due to malware processes and even missing logs malware might try to tamper with logs to avoid detection and I'm doing this not to give you a list to memorize but to just really think through the process with you as you understand what an attack is you can then in your head begin to associate some of these indicators next we have a worm which is a self-replicating program that spreads itself across a network infecting other computers and it can exploit vulnerabilities in software or Hardware to propagate itself so how do we mitigate a worm well applying security patches closing those vulnerabilities down when we hear about them disabling unnecessary Network services and ports reducing our attack surface using firewalls to control Network traffic we'll have access lifts there educate our users about not opening suspicious emails or attachments making sure we scan systems for malware infections making sure that we have email protections that scan attachments and examine hyperlinks and as they self-propagate throughout your environment they can be configured to potentially consume resources steel data or otherwise disrupt system operations let's talk about the indicators related to the worm resource consumption worms can consume resources while replicating and we may see network inaccessibility worms can overload networks making our resources inaccessible out of cycle logging security systems might log worm propagation attempts so we might see spikes in logging and remember if a specific form is known Security Professionals might track its activity so in particular if you're using a Sim solution security information event management or a modern extended detection and response or xdr solution what you may find is that you have a canned query from your vendor that you can paste into your portal and search to see if you are impacted by a specific worm and that sort of capability is broadly applicable to malware that's published or documented in can be found through querying for specific sorts of patterns in your logs or network traffic so next we have bloatware which is unnecessary software pre-installed on a device that consumes resources and reduces performance it's not technically malicious but it can be unwanted and difficult to remove and may come with other behaviors that we don't like like maybe data collection around browsing habits and the like it can vary but how to mitigate research devices before purchase to understand the pre-installed software look for options to remove bloatware during device setup this is a great opportunity for implementing a golden image so you have a standardized image across your client estate that does not include that bloatware and use thirdparty uninstaller tools with caution you run the risk of removing critical software next up we have the key logger which is software or Hardware that records every keystroke typed on a computer it can be used to steal login credentials credit card information and other sensitive data mitigations for a key logger use a virtual keyboard for sensitive information entry as it prevents Hardware Key loggers enable two- Factor authentication for added login security be cautious of suspicious software downloads make sure you're downloading known good signed software and scan it make sure it's free of malware and and of course update your operating system and applications regularly closing down any vulnerabilities that are known and preventable so looking at the indicators for bloatware and the key logger resource consumption your bloatware might consume moderate resources key loggers might try to hide their activity by tampering with logs and in that respect blocking access to personal USB devices I've seen key loggers often come on a USB stick so if you block access to USB devices that are not your known corporate USB or in good shape if you don't allow users to Simply install software at will on your corporate systems so let's just visit a base definition of a computer virus which is a type of malicious code or program written to alter the way a computer operates and is designed to spread from one computer to another the keys there our malicious code alter the way the computer operates and spread from one to another but a virus is a class of threat with many types let's look at a couple of quick examples of viruses for context we have the multipartite virus which are viruses that use more than one propagation technique in an attempt to penetrate systems that defend against only one method or the other have stealth viruses that actually hide themselves by tampering with the operating system to fool antivirus into thinking everything is functioning normally polymorphic viruses that modify their own code as they travel from system to system so it looks at least slightly different everywhere it lands know the basic virus definition I just gave you indicators we've been talking about in mitigation for the exam but you don't need to remember these three these are just for context so let's talk about the logic bomb which is malicious code designed to trigger a spefic specific action at a predetermined time or event a logic bomb may take multiple different actions after it triggers but triggering at a predetermined timer event is the key to what makes a logic bomb a logic bomb it might erase data corrupt files or disable systems let's look at how we can mitigate Implement strong access controls to prevent unauthorized code installation regularly review system logs for suspicious activity so if we have xdr SIM in place we can automate some of this security audits to identify vulnerabilities and maintain backups of critical data for Recovery in case of attack so some proactive and some reactive next we have the rootkit a stealthy program that provides an attacker with privileged access to a computer system it can hide files processes a network activity and is as a result difficult to detect and remove mitigations for the rootkit Implement strong user authentication and access controls regularly scan systems for rootkit infections using specialized tools keep your operating system and applications up to date that's a theme I hope you're seeing be cautious of suspicious software downloads and attachments another theme and monitor system logs for unusual activity and many of these mitigations represent the ab abolute basics of security Implement strong authentication keep your operating system and your applications patched and be cautious of suspicious software downloads good user security awareness training and the logic bomb and the root kit share some indicators so we'll look at these together resource consumption so logic bombs might use resources before detonation root kits might use resources just to maintain stealth resource inaccessibility logic bombs might and render resources inaccessible root kits might hide critical resources out of cycle logging of course you might see some out of cycle logging when there's suspicious activity underway and missing logs logic bombs and root kits might tamper with logs to avoid detection next we're going to move on to physical attacks we have Brute Force attacks but of the physical variety which means breaking locks breaching locked doors and Gates or other means of UN authorized physical entry alarms physical barriers security patrols security inspections high security locks all make sense here as preventative or counter measures so looking at the indicators for Brute Force resource inaccessibility so physical damage from breaking in might render resources inaccessible like servers in a damaged room out of cycle logging so security systems might log unusual activity related to the break-in like triggered alarms or door sensor malfunctions missing logs an attacker might tamper with even physical security logs or security cameras to hide evidence so notice logs means something different in the context of a physical attack next we have RFID cloning these attacks work by cloning an RFID Card which can be difficult to detect if the RFID is the only identifier used a few things we could do here certainly encryption or cryptographic authentic a shielded badge holder which would prevent cloning just by mere physical proximity as well as statistical anomaly detection which can spot anomalies at time of use that might indicate a cloned card so looking at our indicators here we have impossible travel so this is certainly a key indicator if a cloned RFID Card is used from a location significantly different from the authorized user's typical location and missing logs an attacker might tamper with logs to hide unauthorized access via a cloned RFID tag that would certainly imply some form of previous access in most cases I think next we have environmental attacks these may include attacks on HVAC systems so heating and air conditioning triggering a fire alarm or fire suppression system maliciously physical tampering like cutting cables security cameras along arms controlled access paths security guards requiring checkin at a security desk in order to access a secure data center makes pretty good sense so indicators on the environmental category we have resource inaccessibility so environmental attacks can render resources inaccessible a flooded server room high heat damaging equipment which takes really only in the singled digit hours in some cases out of cycle logging security system might log unusual environmental sensor readings so certainly temperature humidity the presence of water and missing logs an attacker might tamper with security logs to hide their activity after causing damage within the environment moving on to network attacks the syllabus sites distributed denial a service so let's touch on the basics here we have a denila service attack which is a resource consumption attack intended to prevent legitimate activity on a VI victimized system so it might consume all the CPU or all the memory or all the network or maybe all of those things then we have a distributed denial service attack which is a Doss attack utilizing multiple compromised computer systems as sources of attack traffic thus the distributed because the attack is distributed across those multiple compromise systems your counter measures here firewalls routers intrusion detection Sim disabling broadcast gas packets entering or leaving your network disabling Echo replies patching but it's important to recognize that distributed denial a service are a class of attacks so there are two main variants that are called out in the syllabus as well that we need to touch on there's reflected DDOS which involves the attacker sending requests to a third party server with a spoofed source IP address the spoofed address is actually the target of the attack it sends the response to the Target instead of the attacker overwhelming the target with unsolicited traffic so the attacker sends the request out to their botn net to all of their compromise systems with that spoofed Source IP address that points to the Target of the attack and all of those nodes in the botn net then send their responses to the Target instead of the attacker then we have the Amplified DDOS attack this uses reflection techniques in combination with a technique called amplification at a high level what that means is a small request from the attacker generates a much larger response from the third party server there's a variant of an amplification attack called a DNS amplification attack that causes a vulnerable DNS server to generate a large amount of data and would essentially make it unavailable to all of the users that rely on it definitely very impactful if it's the wrong DNS server but these are the two main variants of distributed denial of service you want to know for the exam so let's look at indicators of attacks for distributed denial of service so resource consumption first and foremost a massive spike in network traffic would be a Telltale sign of a DDOS attack resource inaccessibility flooded networks can become inaccessible to legitimate users out of cycle logging your security systems are probably going to log unus traffic patterns in the case of a DDOS attack in progress and as we've mentioned with some other attacks another way we can find these would be if they're published or documented Security Professionals might be tracking it which means with our Sim we could probably run a canned query from our vendor that would tell us if we are experiencing that particular flavor of DDOS attack next we have DNS attacks and their Associated indicators so we'll start with DNS poisoning which is an attack where the attacker Alters the domain name to IP address mappings in a DNS system they may redirect traffic to a rogue system or perform denial of service against the system itself then we have DNS spoofing where the attacker sends false replies to a requesting system beating the real reply from the valid DNS server counter measures for DNS attacks would include only allowing authorized changes to DNS rest restricting Zone transfers to your other DNS servers you want those transfers to go to using verified forwarders log all your privileged DNS activity so you have an audit Trail as well as the ability to spot out of cycle logging all really well documented best practices that have been around for decades then we have domain hijacking this involves the attacker changing the registration of a domain through technical means like exploiting a vulnerability with with a domain registar or through non-technical means like social engineering the end result of a successful domain hijacking is the attacker can then change the settings and configuration of the domain registration counter measures might include using a secure domain registar one that offers two Factor authentication and other security measures configure your DNS servers to use only secure protocols like DNS SEC strong access control for DNS s record management diligent monitoring of your websites and DNS servers for malicious activity for sure so let's look at the indicators of DNS attacks one sign is resource consumption DNS servers under attack might experience High resource usage resource inaccessibility because a successful attack might render Internet Resources inaccessible by redirecting traffic out of cycle logging you might see security systems showing suspicious queries or attempts to modify DNS records if it's a widespread attack it may be published or documented something we can query through our logs perhaps in our Sim that'll be less common for sure and missing logs attackers might tamper with logs to hide their activity next we're going to have a look at Wireless attacks so in the wireless category we're going to talk about Wi-Fi but we're also going to touch on Bluetooth briefly so in the Bluetooth category there three attacks that are top of Mind blue jacking which is where pranksters push unsolicited messages to gain anoy other nearby Bluetooth through a loophole in Bluetooth messaging options we have blue snarfing which is Data Theft using Bluetooth in blue snarfing vulnerable devices are those using Bluetooth in public places with devices in discoverable mode and then we have blue bugging which was developed a year after bluejacking it cre creates a back door attack before returning control of the phone to its owner so if we were to categorize them blue jacking is annoyance blue snarfing is focused on data theft and blue bugging is eavesdropping or hacking really that's more of a device level attack and to prevent use long pin multiactor authentication and disable discovery mode so moving into the category of Wi-Fi we have the evil twin which is a m ious access point set up to appear to be a legitimate trusted Network one only need to visit any airport to see an evil twin we see free airport Wi-Fi everywhere and there are certainly malicious access points amongst those but once a client connects to an evil twin the attacker will typically provide internet connectivity while they then achieve any one of a number of malicious goals we then have Rogue access points these are access points added to your Network either intentionally or unintentionally and once connected they can offer a point of entry to attackers or unwanted users not necessarily malicious but certainly unauthorized counter measures here would include network monitoring Network segmentation strong Network protocols using WPA2 and wpa3 versus Legacy weap for example periodic Network scans to find those Rogue access points so looking at the indicators of Wireless attacks block content so security systems might block unauthorized access attempts on wireless networks and we see that in various implementations of network access protection where when a client gets onto a wireless network only known Mac addresses are allowed into the trusted so we see that Mac filtering of A Sort concurrent session usage so if unauthorized devices are accessing the network concurrently with legitimate ones out of cycle logging so security systems might log suspicious activity on wireless networks those Rogue access points being a chief example and missing logs certainly an attacker might tamper with logs to hide unauthorized wireless access next we have the on path attack previously known as the man- in the-middle attack in an onpath attack the attacker sits in the middle between two endpoints and is able to intercept traffic capturing and potentially changing information in route it essentially fools both parties into communicating with the attacker in between the two instead of directly with each other different versions of the attack exist some affecting websites email Communications DNS lookups or Wi-Fi networks good countermeasures using only encrypted secure Wi-Fi VPN https multiactor authentication potential indicators of onpath attacks blocked content so security systems might block suspicious traffic patterns indicative of of a man inth the- middle attack and missing logs attackers might tamper with logs to hide their activity next we have credential replay which involves stealing or capturing legitimate login credentials username and password session tokens Etc and then reusing them to gain unauthorized access to a system or account so the result of a successful credential replay attack is the attacker gains unauthorized access to the compromised accounter system and can attempt account takeover lateral movement privilege escalation any number of malicious behaviors counter measures to credential replay multiactor authentication regular password rotation secure login protocols session and idle timeout security awareness training monitoring logs what we see here is the longer a Secret Lives the more likely it is it can be compromised so at the short end of the scale in terms of time session and idle timeouts are an important step all of these are going to factor but session and idle timeout help us with those situations where a bad actor captures traffic and tries to replay within minutes of the actual conversation that originally happened so let's look at indicators for credential replay impossible travel so if stolen credentials are used from a location very different from the authorized user typical location account lockout so multiple mle login attempts from various locations could trigger lockouts and you'll see an even more nuanced version of account lockout in the cloud some of your Cloud platforms will have a smart lockout that will identify those Bad actors coming from impossible locations and Implement a lockout feature there that allows the trusted user sitting on your trusted Network to continue operating normally and concurrent session usage so multiple logins from unexpected locations for the same account could indicate credential replay definitely a higher likelihood of account lockout versus other network attacks with credential replay still here in the network attack category we have malicious code and there are several malicious code attacks that fall into the network category targeting the communication channels and exploit vulnerabilities within the network itself rather than individual devices some examples here would include denial a service or distributed denial a service the on path attack or credential replay let's look look at our indicators for malicious codee and we're talking about such a broad range of attacks so the list is fairly long here impossible travel for stolen credentials with the credential replay we saw account lockout with multiple login attempts concurrent session usage out of cycle logging now we're going to move into the application category and we'll start with directory traversal which is gaining access to restricted directories on a server so if an attacker is able to gain access to restrict a directory through HTTP it's called a directory traversal attack one of the simplest ways to perform directory traversal is by using what's called a command injection attack that carries out that action and if it's successful it might allow the attacker to get to the site route directory if you've ever worked from the command line the the dot dot that allows you to go up one directory level you'll see a number of commands that are using that CD dot dot dot allowing them to crawl up the tree to the root in fact most of your vulnerability scanners will check for weaknesses with directory reversal or command injection and let you know they're there so if you're doing you know monthly scans for vulnerabilities you should see that you're vulnerable to these because generally speaking they don't require authentication even you can find them with an unauthenticated vulnerability scan so to secure your system you should run a scanner and keep the web server software patched so the scanner patched and certainly there is some configuration that you'll need to do to make sure your server is locked down also in the app category we have injection attacks which are used to compromise web front ends and backend databases generally exploiting improper input handling SQL injection is a good example we talked about this one earlier basically unexpected input into a web application that allows the attacker to gain unauthorized access to an underlying database not a new attack and and can be prevented through good code practices first and foremost so counter measures are several first and foremost input validation so secure coding practices using stored procedures which are pre-compiled which is going to limit what the system will allow in terms of tsql queries limiting account Privileges and you can also stand up a web app firewall in front of that web app and a web app firew wall will generally have rule sets that implement the oasp top 10 web attacks and that will protect against SQL injection next we have buffer overflow attacks attackers used to exploit poorly written software and this is another one generally speaking that exploits input validation or lack of input validation and when this occurs the code you know can overflow the memory buffer you prevent with input validation identify with software testing because maliciously inserting information into the buffer is the primary goal it's its memory injection this can cause exception errors application crashes perhaps more importantly malicious code execution could result here because the attacker can embed their own malicious code within that data that overflows the buffer strategically placed to be executed by the program when it tries to access the overwritten instructions now these are less common attacks than they used to be due to operating system improvements so os's do address space layout randomization aslr that randomizes the location of Key Program components and memory making it more difficult for attackers to predict where their code needs to be placed and also data execution prevention which actually prevents certain areas of memory from being executed as code so these last three I described share some indicators injection attacks buffer overflows directory traversals resource consumption is one indicator exploit attempts might consume resources during the attack resulting then in resource inaccessibility by corrupting data crashing applications out of cycle logging so when we see these types of requests that directory traversal definitely shows up in your web server logs injection attack definitely shows up in your web or application logs now if there's a specific vulnerability out there it might be done documented or published in which case we can maybe get a query to run against our Sim to see if it's manifested in our environment and then missing logs attackers might try to tamper with logs to hide their activity continuing down the app category we have session replay this is an attack that targets web applications that rely on session tokens or cookies to identify and authenticate users essentially the in the capture sequence the attacker inter cepts a legitimate user log on session with the application and then the replay the attacker then uses the stolen token or cookie to replay the captured session so if they're successful the attacker gains access through a fake session that appears legitimate counter measures include short-lived session tokens invalidating a session on logout cross- site request forgery protection multiactor authentication server side validation what most of these counter measures have in common is that they need to be implemented through secure coding practices let's take a quick look at session replay indicators so we have concurrent session usage so if a user has multiple login sessions happening simultaneously especially geographically distant locations could be a strong sign of a session replay and in line with that impossible travel so seeing login activity from a location very far away from the user's usual location out of cycle logging so a sudden increase of successful logins from unusual locations or a significant rise in data transfer outside of normal usage patterns next we have privilege escalation which is a vulnerability that allows attackers to gain higher privileges on a system than they should have and potentially leads to sensitive data access or installation of malware a good way to mitigate this threat is to require authentication to elevate that's user access control on Windows sudu on Linux let's look at the indicators for privilege escalation we have a count lockout which would be possible if the attack involves brute forcing privilege credentials particularly if we're requiring authentication on elevation of privilege account lockout is going to be more likely for privilege escalation than other application attacks concurrent session usage this might occur if an attacker establishes a new privilege session alongside a legitimate one resource consumption so the exploit a attempts or privilege escalation might consume resources especially if it involves a Brute Force technique out of cycle logging so your systems might log suspicious activity there might be a spike in authentication attempts and missing logs an attacker might try to tamper with logs to hide their activity particularly if they are successful in elevating privilege then presumably they will have permission to go delete logs to cover their tracks next next on the list is forgery so request forgeries these exploit website trusts to execute code we have the cross site request forgery which is similar to cross-site scripting attacks but it exploits a different trust relationship it exploits trust a website has for your browser to execute code on the user's computer a preventable attack requires you creating web apps that use secure tokens and sites that check the referring URL and request to ensure it came from from a local site from a reputable Source there's another request forgery I want to touch on that exploits the server's functionality to make unintended request it's the serers side request forgery which is a type of injection in which the attacker targets a web application that fetches data from URLs provided by users so the vulnerability lies in the server trusting the user provided URL and acting upon it the server assumes the URL is safe because it originates from within the application itself it's provided by the user defense would include input validation and sanitation an allow list or deny list approach limiting the URLs accepted as input and certainly as with some other injection and forgy attacks we could drop a web app firewall in front of this application with an oasp core rule set to prevent these attacks and a quick look at the indicators for forgery we have blocked content so security systems might block forged requests like the web app firewall we talked about out of cycle logging certainly systems might log suspicious activity related to forgery attempts and like many other attacks if they're published or documented Security Professionals might track its use we may have a query we can make in our security information event management system to see if we have been affected he we're going to move on to cryptographic attacks and we'll start with the Collision attack which is an attack on a cryptographic hash to find two inputs that produce the same hash value the same output we call that a collision in the hashing world and your best offense is to beat it with Collision resistant hashing algorithms that's why md5 is not nearly so widely used anymore because of its vulnerability to Collision and certainly if we are using a tool or an application in our environment that relies on a vulnerable hashing algorithm it might be revealed in a vulnerability scan so let's look at our indicators for Collision attacks so resource consumption is one of those if we have a large scale Collision attack it might consume significant resources not highly likely with the state of compute where it is today but possible of course if it's published and documented then it's going to be something that Security Professionals have been tracking and we can get that query to go look in our logs in our security information event management system where we're Gathering all of those logs from various devices end points and applications continuing in the cryptographic category we have the downgrade attack so this is when a protocol is downgraded from a higher mode or version to a low quality mode or a lower version this commonly targets TLS where we should be up around version 1.2 or 1.3 but if you have a legacy application sitting out there that doesn't enforce this maybe it's still running 1.0 or 1.1 which should be just non-existent today but possible so let's look at the indicators for the downgrade attack we have out of cycle logging so security systems logging unusual attempts to negotiate that weaker cryptographic protocol and again if it's published or documented we can go query it we can go look for those requests in our Central logging facility we'll close out the cryptographic category with the birthday attack which is an attempt to find collisions in hash functions based on a statistical phenomenon called the birthday Paradox which makes brute forcing of oneway hashes easier so the birthday Paradox basically states that in order for there to be a 50% chance that somebody in a given room shares your birthday you need 253 people in that room however if you're simply looking for a greater than 50% chance that any two people in the room have the same birthday you only need 23 people because that makes up 253 pairs how does that apply here well it applies to hashing because it's much harder to find something that collides with a given hash than it is to find any two inputs that hash to the same value so relating that back to the birthday Paradox to find someone in that room who shares your birthday we need a lot of people in that room to find any two people that share the same birthday we need fewer people in that room the birthday attack commonly targets digital signatures indicators for the birthday attack resource consumption so large scale birthday attacks might consume significant resources during the calculation phase again less likely for most systems with compute where it is today and again if it's a published or a documented attack professionals are tracking we're going to be able to get some queries that will help us query that from our Central log facility to see if we are affected I want to share just a couple of additional insights on the cryptographic category here that might explain a trend you saw in the indicators we reviewed so account lockout concurrent session usage block content impossible travel missing logs resource accessibility are not necessarily likely indicators for the cryptographic attacks that we're talking about in most cases because often times these attacks happen behind the scenes without directly affecting user accounts or system functionality and they often Target weaknesses in the underlying algorithms or implementations of those algorithms so the logs may or may not be helpful and the final category we'll cover here in section 2.4 is password attacks so we have password spraying which is where an attacker tries a password against many different accounts to avoid the lockouts that typically come when you're brute forcing a single account if an attacker does a pure Brute Force many passwords Against One account a lockout is going to come relatively quickly but if they're trying a single password against many different accounts then they're going to fly under the radar for a while potentially this attack succeeds When an Admin or an application sets a default password for new users particularly a common and weak password your effective counter measures here would include multiactor off capture and forcing password change on first login technically still a type of Brute Force attack but a clever one at that so let's look at indicators for password spraying account lockout a high volume of failed login attempts from various accounts can certainly trigger lockouts resource consumption there could be a moderate increase in resource consumption by login processes that might occur during a spraying attack out of cycle logging we're certainly going to see a spike in logs typically for unusual login attempt patterns that would be indicative of spraying we'd see login attemps with the same password across a wide range of accounts in Rapid succession and if it's published or documented then again we might be able to go query that in our Central log facility and finally we have the Brute Force attack a Brute Force password attack attempts to randomly find the correct cryptographic key the correct password attempting all possible combinations trial and error password complexity and attack or resources will determine the effectiveness of this attack rainbow tables and Powerful compute are going to increase the likelihood this attack is successful it's going to make it more effective so a rainbow table is a pre-computed table for caching the outputs of a cryptographic hash function so it contains a whole bunch of hashes that the Brute Force attack can use can attempt to use in brute forcing these passwords now there's certainly an effective counter measure for this and that would include cryptographic salts which is where we inject a random value in with the password before it's hashed many identity platforms will do that for example uh entra ID what used to be Azure active directory Microsoft's Cloud identity platform uses cryptographic salts which basically makes rainbow tables worthless capture and the throttling rate of repeated logins which is something you can Implement through policy even on identity platforms that have been around a long time you can do that on active directory as well as using IP block list so let's look at the indicators for Brute Force so we have account lockout because of the repeated failed login attempts resource consumption due to the high number of attempts out of cycle logging we're going to see a spike in login attempts in our logs and then again if it's published or documented another way we can go and in query our Central log facility to see if we are affected that brings us to section 2.5 where we'll focus on mitigation techniques the syllabus directs us to explain the purpose of mitigation techniques used to secure the Enterprise and there's quite a list here from segmentation and access control to the very narrow topic of application allow list to the very broad concept of encryption we the monitoring lease privilege configuration enforcement which really means configuration Management in this context and decommissioning which really means focus on secure decommissioning so data sensitive data is not recoverable and we see a long list of hardening techniques which seem to be largely endpoint focused many mitigation techniques in this list are security control so we'll begin with a quick comparison of terms and then get into the technical details going to start with that phrase mitigation technique so mitigation refers to the process of reducing the severity or seriousness of the potential consequences of a risk so the mitigations here are a form of security controls but it's more about managing and minimizing the risks rather than eliminating them security controls more broadly speaking are safeguards or counter measures implemented to protect an organization's assets you'll hear these terms used interchangeably but technically safeguard s are proactive and counter measures are reactive we'll begin with segmentation and we're going to start with the basics of network segmentation so in segmentation the security of services that are permitted to access or be accessible from other zones in our environment involve a strict set of rules controlling this traffic rules are often enforced by the IP address ranges of each subnet will often only allow Ingress on specific ports and within a private subnet segmentation can be used to achieve departmental infrastructure application or data isolation and I'll give you a visual of that Concept in just a minute but on Prem segmentation may be physical or logical in the cloud segmentation is usually logical and what I mean by that is physical segmentation is with hardware and logical segmentation is with software and configuration so that answers the basics of what is segmentation but an equally important question is why should we Implement segmentation in the first place what are the benefits to the organization performance is one so when we locate systems that communicate frequently on the same network segment and take systems that rarely or never communicate and put them on separate segments it's going to reduce the amount of traffic in each of those segments it's going to reduce broadcast traffic and by association it automatically reduces at least some communication problems it's going to reduce congestion and contain communication issues like broadcast storms to individual subsections of the network and most important to our function here is it provides security it can improve security by isolating traffic and user access to those segments where they are authorized protecting sensitive data and resources and when we do have an issue if it's a performance issue or a security issue it's going to reduce the scope of the issue and in the facee of security it's going to reduce the scope of a potential security breach because we at least have the possibility of isolating it to a specific segment of our Network to contain it right out of the box so with the proliferation of cloud where we have all sorts of logical segmentation techniques available to us we saw rise of the term micro segmentation so this takes the concept of logical segmentation to a more granular level by further dividing apps or workloads the small segments or micro segments contain a specific workload or functionally similar or even identical nodes and we target those micro segments with specific policies and security controls based on the workloads or systems that we've put in those segments and this potentially even further limits the scope of impact outage or breach lateral movement it shrinks that blast radius so to speak I want to shift Focus for just a second and talk about segmentation in the context of the public Cloud so here we have virtual networks public and private subnets segmentation API inspection all important elements in Cloud network security what I wanted to start with here is what we call a virtual private Cloud it's a virtual Network that consists of cloud resources where the VMS for one company are isolated from the resources of another company and separate vpcs can be isolated using public and private networks or seg ation subnets are configured within vpcs which can communicate by default but that virtual private cloud is essentially that Network range in fact vpcs in the cloud are typically isolated from each other by default but that concept of a VPC exists in all the major public clouds but they don't all call it exactly the same thing in AWS it is in fact a VPC in Microsoft Azure it's called a virtual Network or v-net for short and in Google Cloud platform it's also a VPC a related Concept in the cloud that helps with micro segmentation is something called a security group or a network security group which acts as something of a virtual firewall for vpcs vets and resource instances like your virtual machines your databases your subnets it carries a list of security rules IP and Port ranges that can allow or deny Network traffic to Resource instances on the subnets within the VPC so it provides a layer 4 virtual firewall for a collection of cloud resources within the same security posture it exists in multiple csps the details vary slightly with each in AWS it's a security group in Azure it's a network security group in Google Cloud platform they basically rely on Virtual firewall within the VPC but this is a logical control that only exists in the public Cloud now just to give you a visual on this let's look at a simple Cloud segmentation example we have a VPC or a v-net pretty big address pool there the CER range you see is a 10 0000 with a/6 and we have our server subnet and we have our database subnet and within that Network those subnets are allowed to communicate by default and generally speaking your on premises endpoints will not be able to communicate by default unless we take steps so we'll need hybrid connectivity from on-prem to the cloud plus some other configuration potentially so other vpcs or v-ets would not be able to communicate with this one by default generally speaking now we can change that so it does require peer Network peering or a VPN configuration but your subnets within that Network are going to be able to communicate by default except where we put restrictions on it with a security group or a network security group group to put some Port restrictions and some source and destination some Ingress and egress restrictions so if we look at a network security group basically you'll see here that it looks a lot like a firewall table like firewall rules table and the action column determines if the rule allows or denies traffic and you'll notice that the lower the number the higher the priority and that there's a kind of a catchall at the end there so just as on a typical Hardware firewall if there's no allow found as it goes down the list it's going to deny and it is a vendor agnostic exam so I don't expect it's going to get to In The Weeds on segmentation in the cloud but I wanted to give you the basics so you're ready for the big day now there are some other ways we can think about segmentation and I want to touch on some other areas where we can segment our environment so mobile device management is one that comes up so in a bring your own device mobile device scenario mobile app application management will keep personal and business data separate in fact it can prevent business data from leaking into personal apps where maybe a user copies business data and unintentionally tries to paste it into a personal email and then when that user separates from the organization we can also do a selective wipe so we can remove the business data the business context from the device without affecting their personal data and several of your big mobile device management platforms have that functionality Microsoft oft in tune AirWatch will have something equivalent to that from an endpoint perspective we might segment devices that have become vulnerable like an unpatched printer for example where there are no updates you could place these printers in their own VLAN non- compliant devices can be quarantined until they're remediated so if we have a desktop or a laptop connected to the network that's not up to date on its latest patches for example it could be quarantined and sent over to to a remediation Network we call that network access control that's another one of those features that will vary a bit by vendor in terms of its naming applications So within a private subnet vlans can be used to carry out segmentation and traffic filtering for sensitive apps and data we could also enforce these rules with subnets and firewalls we're going to move on to access control and we'll talk through five Access Control models or systems and we'll finish on those that I think are most relevant for the ex examine really the intention of this module there's mandatory Access Control where the access policy is determined by the system not the object owner it relies on classification labels that are representative of security domains and Realms discretionary access control on the other hand permits the owner or creator of an object to control and Define its accessibility because the owner has full control by default a good example of discretionary Access Control NTFS file permissions on Windows nondiscretionary Access Control enables the enforcement of systemwide restrictions that override object specific Access Control non-discretionary access control is actually a form of mandatory Access Control rule-based Access Control defines specific functions for access to requested objects and it's commonly found in firewall systems and rule-based is one of those I think is most likely to come up on the exam here here's why so rule-based access control is what we see with routers and firewalls they use rules within Access Control list that Define the roles of Ingress and egress for a network so these rules Define the traffic that devices allow into the network and the other I think will most likely Factor would be role-based access control which uses a well-defined collection of name job roles to endow each one with specific permissions it aims to ensure that you users who occupy such roles can access what they need to to get their jobs done we see ro-based access control on Windows and in your public Cloud platforms application security controls can certainly prevent attacks and that's where an application allow list can help so an application allow list enables only explicitly allowed applications to run everything else is going to be denied firewalls your IDs and IPS systems and endpoint detection and response can typically have an allow list they have a feature we can configure that will allow us to sanction certain applications to run and everything else will be disallowed by default now certainly you can take an opposite approach and use an application deny list or a block list which restricts traffic but in the opposite way of an allow list essentially any application not explicitly denied is allowed it's going to be less restrictive more permissive than an application allow list therefore somewhat less secure by Design though how much less secure depends on the circumstances another mitigation technique is isolation which means technically blocking access altogether so in government classified data scenarios for example air gap endpoints are used to view classified data to isolate the endpoint from the network to protect against any danger of a network-based attack the air gap eliminates all network connectivity wired or Wireless the only way to extract data from an airgap computer is by a removable device like a US USB drive this will typically be layered with another technique which is requiring users entering an area for confidential meetings or to view secret research to place their phones in a faraday cage this blocks electromagnetic signals from entering or exiting the cage rendering cellular signals useless on the subject of isolation you know blocking access alog together I'd say isolation of IC and OT systems that stands for industrial control systems and operational technology these are systems that are mission critical because they combine hardware and software to control and automate physical processes in Industries like power grids water treatment plants transportation systems and Health Care Facilities so even to the degree complimentary elements within an icot system were connected you can certainly appreciate why you'd want them insulated from the internet and other networks next up we have p patching patch management also known as update Management in some circles a patch management process and system ensures that systems are kept up to date with current patches and not just ensuring they're kept up to date it will typically test approve and deploy patches or or give us the ability to evaluate test approve and deploy patches system audits verify the deployment of approved patches on the system most patch Management Systems will have a pretty good reporting feature so we can see the status of our patch deployments and we want to make sure we patch both native OS and thirdparty apps not just operating systems not just the apps from the company that makes our operating system but all those thirdparty applications were installing as well so yes we need to patch Windows yes we need to patch Microsoft Office but we need to also patch Adobe and everything else we've installed there and make sure those are up to date and most of your vendors are going to have a regular Cadence for p patching but we need to make sure that we can apply out of- band updates promptly as well every now and again you'll have a critical patch something for a zero day threat and we'll need to get that out more quickly and it's so important that we have a robust patching practice because organizations without patch management are definitely going to be open to experiencing more outages from known vulnerabilities that could have been prevented through simple patch management and I want to touch briefly on often overlooked areas in patch manage man agement that result in a weak patch Management program so certainly firmware comes immediately to mind it's commonly overlooked in iot devices and other embedded systems like your Voiceover IP phones we don't really think of a Voiceover IP phone a vo phone as being a computer but that's really how we need to treat it it's a device with an IP address on The Trusted Network so it gives an attack or a target a place to establish persistence from an operating system perspective certainly Windows has his historically B and continues to be the biggest target but we do need to keep Mac and Linux patched also and now that we live in a time where everyone has a smartphone mobile systems are a common Target of threat actors we need to make sure that we do not allow mobile devices that are rooted or jailbroken or don't have a minimum operating system version or are unmanaged do not access our Network or our corporate data and I can remember a time that Apple for example came out and said if you're not running at least iOS 1631 you're going to be open to this major vulnerability and so we pretty quickly made sure that all of our mobile devices accessing corporate data were up to that level in terms of applications in many environments non-microsoft applications commonly called thirdparty apps just get completely overlooked for patching and this is dueing part to the fact that many management tools and software vendors don't offer the same level of Auto and Microsoft is one of those they're great about patching their own software but all of those other applications are not their responsibility which means we need to make some decisions around the tools we use to manage our patch Management program moving on to encryption we'll start with a hardware rout of trust this is a line of defense against executing unauthorized firmware on a system and when certificates are used in full dis encryption like bit Locker on Windows they use a hardware rout of trust for key storage and it's the hardware rooted trust job to verify that the keys match before a secure boot process takes place and that secure boot process is supported in your desktop platforms generally by a trusted platform module a TPM which is an implementation of a hardware routed trust the TPM itself is a chip on the motherboard of the device and its multi-purpose in that its function is storage and management Keys used for functions like full dis encryption and secure boot of the device operating system but it provides the operating system with access to keys to the encryption keys but prevents Drive removal and subsequent data access what I mean by that is if an encrypted Drive is removed from a system the data on that drive is inaccessible since the encryption keys are in the TPM so we'll Circle back and drill down on full dis encryption in just a moment but before we do I want to talk about Boot and Integrity boot Integrity ensures the host is protected during the boot process so all protections are in place when the system is fully operational when the OS is booted and a user is logged in and it begins with unified extensible firmware interface or UEFI UEFI is a modern version of BIOS that is more secure and it's needed for secure boot of the operating system the older bios cannot provide secure boot so measured boot is a secure boot process where all components from the firmware applications and software are measured and information stored in a log file and the log file is on the trusted platform module chip on the motherboard trusted secure Boot and boota test station is something we see in operating systems like Windows 10 which can perform a secure booted startup where the OS checks that all of the drivers have been signed and if they haven't the boot sequence fails as the system Integrity has been compromised Ed and this can be coupled with attestation which signifies the software Integrity has been confirmed in fact bit Locker full dis encryption implements attestation and its keys are stored on the TPM so on the topic of Drive encryption we have full dis encryption which is built into the Windows operating system it's called bit locker and it's an implementation of full dis encryption the keys for bit Locker stored on the TPM on the Linux platform you have a similar feature called DM Crypt you can also Implement Drive encryption through Hardware so a self- encrypting Drive is how we do that encryption on a self- encrypting Drive is built into the hardware of the drive itself anything that's written to that drive is automatically stored in encrypted form and that's going to have some security and performance advantages because it's driven from Hardware rather than software but a good self-encrypting drive should follow the opal storage specification in fact we can take a second and just unpack each of these a little bit further so full dis encryption under the hood when you're working with bit Locker you've got the trusted platform module on the motherboard that's used to instore the encryption key so when the system boots it can compare the keys and ensure the system hasn't been tampered with that's that Hardware rout of trust functionality when you're using certificates for full dis encryption they use that TPM that Hardware rooted trust that verifies the keys match so on the topic of self- encrypting drives I mentioned the opal storage specification which is essentially the industry standard for self- encrypting drives it's a hardware solution so it will generally outperform the software based Alternatives and because it's a hardware based solution they don't have the same vulnerabilities as software and they are therefore more secure the self- encrypting drives are solid state drives they're purchased already said to encrypt data at rest and the encryption keys are stored on the hard drive controller they are immune to a cold boot attack and they are compatible with all operating systems self encrypting drives are effective in protecting the data on lost or stolen devices like a laptop because only the user and the vendor can decrypt the data we're going to move on to monitoring and we'll look at monitoring from a couple of perspectives Germain to this module's focus and I'm going to start with monitoring pred operations privileged entities like our administrators are trusted but it is possible that they abuse their privileges so it's important to monitor all assignment of Privileges and the use of privileged operations the end goal is basically to ensure that trusted employees do not abuse the special privileges they're granted so monitoring these operations can also detect many attacks because attackers commonly use special privileges and really one of the foundation components of monitoring privileged operations or anything else is log monitoring logs from various systems services and devices record the details of activities on our systems and their networks and it takes multiple logs to get the full view of a security breach but by monitoring those logs it's possible to detect security incidents whether it's an internal threat or an external threat but it takes more than just people to catch up with this log monitoring we really need automated log monitoring to automatically detect and investigate potential incidents and today centralizing log collection for your cloud and on Prem infrastructure and applications and automating investigation is absolutely the norm it's the only way to keep Pace with the threats out there and the centralized monitoring Solution that's become very common today is the sem and sore strategy so we have security information event management which is the system that collects data from many other sources in the network it provides realtime monitoring analysis correlation and notification of potential attacks and with s we frequently see sore security orchestration Automation and response which is centralized alert and response automation with threat specific playbooks and response may be fully automated or single click but you'll find many providers deliver these cap capabilities together and generally these Solutions use AI machine learning external threat intelligence feeds and the solution will be run from a security Operation Center staffed with sock analysts now we're going to visit S andur more than once in this series I'm going to go just a bit deeper here and then we'll park it for now but let's talk about how log data is collected and what log data is collected for a Sim so many Sims have built-in log collector tooling that can collect information both from a CIS log server and multiple other servers and sometimes you'll have an agent placed on a device that can collect the information parse it and restructure it and then pass it to the SIM for aggregation but depending on the solution it might be an agent it might be directly from CIS log it could be through an API but the idea is that the Sim is going to aggregate the logs that log aggregation is going to correlate and aggregate the events so the duplicates are filtered out we have a better understanding in network events and it'll help us to identify potential attacks and it's typically going to standardize that data to a common event schema as well so it allows us not only to have Insight across our entire environment but then we can with a single query query data across many different log sources but the data inputs are varied and extensive it can collect a massive amount of data from various sources and that might include your identity management system mobile device management the cloud access security broker extended detection and response and more but as you move along in your security career you're definitely going to hear more about Sim andur and we'll definitely come back to it again in this series but I want to move on to the principle of least privilege and its core Focus which is limiting access and damage so in fact need to know and the principle of lease privilege are two standard it security principles that are implemented in Secure networks they limit access to data and systems so that users and other subjects only have access to what they require they help prevent security incidents and they also help limit the scope of incidents when they occur and when these principles are not followed and security incidents do happen they result in potentially far greater damage to the organization and in fact there's a third principle that you can put with these and the three together serve a complimentary goal so there's separation of Duties which is a basic security principle that ensures that no single person can control all the elements of a critical function or system it reduces the likelihood of collusion amongst employees simply because it makes it more difficult for two employees to work together undetected more difficult then we have least privilege where a subject should be given only those privileges necessary to complete their job related tasks this can prevent or limit the scope of security incidents and data theft and need to know limits access to information to those who genuinely require it to perform their job duties which will both minimize the risk of data leak and increase accountability and these three together are very powerful next up is configuration enforcement and here we'll focus on configuration and change management these two when done right can prevent security related incidents and outages configuration management ensures that systems are configured similarly and configurations are known and documented baselining a common configuration management technique ensures that systems are deployed with a common baseline or starting point and imaging is a common baselining method Imaging for desktops and servers has been around a long time and we've seen the logical equivalent of this take hold in the cloud as absolutely the norm and then we have change management which helps reduce outages or weakened security from changes here versioning uses a labeling or numbering system to track unauthorized changes in updated versions of software but change management requires changes to be requested approved tested and documented and they're generally not approved without both a roll out and a roll back plan now we're going to touch on a few configuration management techniques so we'll start with diagrams so detailed diagrams to show the relationship of all the interconnected devices ensuring the security team have visibility of the security in place standard naming conventions are very helpful in identifying the type of device for example like a router a printer or a server naming prefixes can be helpful for example RTR for router PR for printer svr for server and it's pretty common that we'll see environment make its way into naming conventions as well so production might include prod in the names of the devices asset management is an important component of configuration management making sure we have an up-to-date asset register to ease the process of tracking and maintaining assets and we want to support this process by scanning for unknown devices regularly and ensuring the devices we know about are patched and when it comes to Baseline configurations having that standardized starting point is very important and I mentioned image based deployment is very popular in the cloud we see infrastructure as code as part of a cicd strategy continuous integration and continuous deployment the firewalls can be used to block traffic so reducing our attack surface and we can use either an MDM solution like Microsoft InTune or group policy from active directory domain services to change the configuration on endpoint devices so we're standardizing and automating configuration through policy and when we move into the cloud we'll more often see infrastructur as code and continuous integration and continuous deployment used to automate configurations like that as well but you should see a recurring theme Here of standardization and automation mobile device management we can use an MDM solution to push configuration changes out to our mobile devices so minimum IOS and Android versions requiring a six-digit pin enforcing no rooted or jailbroken devices app management policies another aspect of maintaining configuration is ensuring that harmful content doesn't change the configuration of our endpoints and unwanted ways so blocking harmful content with filtering appliances like unified threat management or next generation firewalls so UTM are common in smaller businesses because they bundle multiple features together in a single device web filtering email antivirus intrusion prevention quite commonly your next gen firewalls will use external threat intelligence feeds to help it to identify malicious entities in real time or near real time updating and revoking certificate so tracking certificate expiration and ensuring we enforce minimum TLS versions next we have decommissioning Hardware being retired must be disposed of securely so data at Host is not recoverable through forensic means and when we're deleting data crypto shredding is a data deletion method that involves discarding the encryption keys of the encrypted data but if data is recoverable through forensic tools and techniques the system has not been properly decommissioned or recycled and it's not Not Unusual that endol life Hardware gets recycled for reuse whether it's sold off or donated it could be reused so secure data deletion is very important so essentially being very sure there's no data remnants moving on to hardening techniques you want to know these four types of endpoint protection for the exam we have antivirus software that scans endpoints for the presence of malware like viruses worms Trojans and other malicious code and when an infection is detected it can generally remediate automatically through quarantine or removal of detected malware so several years ago antivirus software relied on antivirus signatures basically a signature of known threats but today it more often relies on AI and threat intelligence to detect malicious behaviors because the bulk of malware we see today on endpoints is unique it's not been seen before so signatures have become very ineffective next we we have endpoint detection and response or EDR this is a security technology that focuses on detecting and responding to threats at the endpoint level it often uses behavioral analysis techniques to identify suspicious activity and contain threats before they cause damage it prevents unauthorized access tampering a pretty wide variety of potential attacks so next we have extended detection and response or xdr this is a Next Generation security technology that goes beyond the endpoint to include other types of devices and systems like network devices Cloud infrastructure iot it basically provides a broader view of the entire it environment and enabling faster more accurate threat detection and response when we have a broader view across different areas of our infrastructure we have better context as to the scope of malicious activity and a potential breach and on the end point we'll often see host intrusion prevention systems or hips it's intrusion prevention local to a single host or endpoint an intrusion prevention will use techniques like behavior analysis file Integrity monitoring and application control to detect threats and when possible hips will take action to stop identified threats now do bear in mind that host-based intrusion prevention is typically sof software installed on a server so it may be easier for an attacker to disable potentially as simple as killing a service or a process so while we're here we saw host-based intrusion prevention called out as a line item on the syllabus and it's IDs or IPS in software form installed on a host often a server but I want to talk about the difference between IDs and IPS so we have host-based intrusion detection system systems the IDS which analyzes whole packets both header and payload looking for known events and when a known event is detected a log message is generated maybe an email alert hips on the other hand intrusion prevention analyzes the same packet header and payload looking for known event and when a known event is detected the packet is rejected it's going to focus not just on reporting and alerting like intrusion detection it's going to focus on prevention in the hardening category we also saw host based firewall on the syllabus so an application firewall that's built into desktop operating systems like Windows or Linux and as with hips because it's an application it's more vulnerable to attack in some respects versus a hardware firewall and as with hips restricting service or process access to ensure malicious parties cannot stop or kill the firewall that's running is important but it's very common that we'll see host-based and network-based firewalls used together in a layered defense and likewise with intrusion prevention not at all unusual that we'd see host-based intrusion prevention systems and network-based intrusion prevention systems used as part of a layered defense they're going to be complimentary in several respects and to wrap up hardening techniques we're going to look at a few best practices for the endpoint so closing open ports and disabling unneeded services so listening ports should be restricted to those that are necessary and filtered to restrict traffic and disabled or closed entirely if unneeded any unused Services should be disabled and we can certainly block through a firewall or disable the underlying service if we don't need remote desktop protocol very often for example maybe we block it through a firewall and we have an option to enable that port to open that Port up just in time but we don't disable the underlying service completely then we have the registry this is a Windows item so access to the registry should be restricted and updates controlled through policy where possible so eliminating Human air wherever we can and we always want to take a backup of the registry before we start making changes then there's operating system hardening so OS hardening can often be implemented through security B baselines we can apply our desired settings through Imaging or through Active Directory Group policies or management tools like a mobile device management platform like Microsoft InTune or AirWatch which really give us Enterprise endpoint management so not just mobile devices but Windows and Mac as well and we could roll up all of these configuration items the ports we want to restrict the services we want to disable the firewalls we want to configure the registry we want to secure the operating system settings that are important for reducing our attack footprint and roll those all up into a Baseline and then Implement that Baseline through Imaging or group policies or scripts or some combination of all of those if we have any services or apps or if the operating system have pre-created users with a default password that should be changed before deployment and removing unnecessary software so making sure any software that's definitely unneeded is removed to reduce the attack surface and the patching burden and always use OS Imaging over thirdparty uninstallers when you're dealing with bloat Weare or other potentially unwanted applications those freew wear third party uninstallers you find to remove difficult to eliminate bloatware can potentially uninstall other components you're not aware of or maybe leave behind un wanted software of its own and congratulations you've reached the end of domain 2 of the Security Plus exam gram series I hope you're getting value out of the series as always leave your questions in the comments section or Reach Out directly on LinkedIn I'll look forward to joining you here in a couple of days to kick off domain 3 and until next time take care and stay safe [Music]