IT Infrastructure Security

Questions and Answers

Which of the following best describes IT infrastructure?

• The legal and ethical guidelines governing data privacy.
• The strategic plan for a company's market positioning.
• The entire suite of hardware, software, network resources, and services required for an organization's IT needs. (correct)
• A collection of best practices for project management.

Which of the following is the MOST accurate definition of Infrastructure Security?

• The implementation of cybersecurity awareness training for all employees.
• The process of securing physical buildings and facilities.
• The use of appropriate processes, people, and technology to protect computing resources against unauthorized actions. (correct)
• A method of risk assessment that focuses on identifying potential threats.

What is the primary difference between an attack surface and an attack vector?

• The attack surface refers to internal threats, while the attack vector refers to external threats.
• The attack surface describes the methods used in an attack, while the attack vector describes the vulnerabilities targeted.
• There is no significant difference; the terms are interchangeable in cybersecurity contexts.
• The attack surface is the sum of vulnerabilities accessible to attackers, while the attack vector is the path used to exploit those vulnerabilities. (correct)

Which level of IT infrastructure security involves measures like locked doors, fences, and security cameras?

Physical Level (B)

At which level of IT infrastructure security is data encryption primarily considered?

Data Level (B)

Regularly updating software to fix security vulnerabilities is an example of which key component of IT infrastructure security?

Server Security (D)

Monitoring endpoints for suspicious activity and providing response capabilities is a function of:

Endpoint Detection and Response (EDR) (C)

Which of the following is a key component of cloud security?

Managing user access to cloud resources. (B)

Which security measure involves monitoring physical spaces for suspicious activity?

Surveillance Systems (C)

Which of the following is NOT a key element of network security?

Employee Satisfaction Surveys (A)

What is the purpose of implementing a default deny policy in a firewall?

To allow only necessary traffic and deny everything else. (B)

Which of the following is a critical step in securing wireless networks?

Enabling WPA2 encryption. (C)

Why is it important to practice the principle of least privilege?

To minimize the potential damage from compromised accounts. (A)

What does a firewall do?

A network security device that monitors and controls incoming and outgoing network traffic based on defined security rules. (B)

What is the difference between host-based and network-based firewalls?

Host-based firewalls protect individual devices, while network-based firewalls protect entire networks. (B)

What is a packet filter firewall?

A firewall that operates at the network layer, examining IP packet information. (B)

What is the key characteristic of a stateful packet filter?

It operates at the transport layer and analyzes previous SYN packets. (C)

What is the function of an application proxy in a firewall?

To operate at the application layer, acting as an intermediary for network traffic. (A)

What is the primary purpose of an Intrusion Detection System (IDS)?

To detect attacks before, during, and after they occur. (A)

What is the difference between signature-based and anomaly-based intrusion detection systems?

Signature-based systems detect known attacks, while anomaly-based systems detect deviations from normal behavior. (A)

What is the primary function of an Intrusion Prevention System (IPS)?

To prevent attacks by actively blocking or mitigating malicious activity. (A)

What is a 'false positive' in the context of IDS/IPS?

The security control acts because of benign activity. (A)

What is the difference between 'Fail Open' and 'Fail Closed' in the context of IPS failure?

Fail Open allows all traffic, while Fail Closed blocks all traffic. (D)

What is the main purpose of a Virtual Private Network (VPN)?

To provide secure access to an organization's network over a public network. (C)

How do VPNs create a secure connection?

By creating a secure, encrypted 'tunnel' between devices. (A)

Which of the following is a security related risk associated with using free VPN services?

All of the above. (D)

Which VPN protocol is considered the oldest and least secure?

PPTP (A)

What is the role of a proxy server?

To act as an intermediary between a client computer and the internet. (C)

What is a key security benefit of using a proxy server?

It can hide clients' actual IP addresses, improving anonymity. (A)

What is a primary use case for a reverse proxy server?

Hiding the internal structure of an application from external clients. (B)

What distinguishes a transparent proxy from other types of proxy servers?

It operates invisibly, without requiring user configuration. (C)

What is the function of AAA in network security?

Authentication, Authorization, and Accounting. (A)

Which AAA process involves verifying a user's identity using credentials like a username and password?

Authentication (A)

What is the AAA process of 'Authorization' responsible for?

Determining user permissions based on policies. (C)

What process does the AAA framework use to log and monitor user activities, including tracking resource usage?

Accounting (D)

Flashcards

Infrastructure

The basic physical and organizational structures and facilities needed for a society or enterprise to operate.

IT Infrastructure

The entire suite of hardware, software, network resources, and services required for an organization's IT needs.

IT Infrastructure Components

Servers, workstations, storage systems, networking components, software, cloud services, and data centers.

IT Infrastructure Security

The use of processes, people, and technology to protect computing resources against unauthorized access or modification.

Network Level Security

At its core, network security protects data as it travels into, out of and across the network.

Application Level Security

Security also needs to be considered at the application level, it involves the protection of databases against attacks.

Data Level Security

At the lowest level of infrastructure security, data protection must be considered, no matter where or how it is stored.

Network Security

Protecting the network from unauthorized access, use, disclosure, disruption, modification, or destruction.

Endpoint Security

Protecting end-user devices like laptops and mobile devices from threats.

Server Security

Protecting servers that host critical applications and data.

Firewall

A network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on security rules.

Firewall Packet Filtering

Examines the 5-tuple of an IP packet (source IP, destination IP, etc.) to permit or deny a packet.

Packet Filter

A firewall that operates at the network layer, based on IP packet information.

Stateful Packet Filter

A firewall that lives at the transport layer and utilizes previous SYN packets.

Application Proxy

A firewall that operates at the application layer where it functions as a proxy.

Intrusion Detection Systems (IDS)

Systems used to detect attacks before, during, and after they occur.

Signature Based IDS

Detects attacks based on specific known signatures or patterns.

Anomaly Based IDS

Attempts to define a baseline of normal behavior and provides a warning when the system strays too far from this baseline.

Intrusion Prevention Systems

It is similar to IDS, except IPS's have the added ability to take automated action.

False Negative

The security control did not detect actual malicious activity.

False Positive

The security control acted as a consequence of benign (non-malicious) activity.

Virtual Private Network (VPN)

A type of network that uses public telecom infrastructures, like the Internet, to provide secure access to an organization's network.

Site To Site VPN

Connect entire networks together.

Remote Access VPN

Allow a remote user to connect to a private network.

Proxy Server

A network intermediary between a client computer and the Internet.

Forward Proxy

A proxy server that sits between clients and the internet.

Reverse Proxy

A proxy server that sits between servers and clients, hiding actual server addresses.

Transparent Proxy

A proxy server operates invisibly, caching traffic for all systems on a network.

AAA

Framework of network security that includes Authentication, Authorization, and Accounting.

AAA Framework

Only authorized users can access the network or resources.

Defense In Depth

Enforces multi-layered security controls, inside and out.

Layer-1: Perimeter Defense

First line of defense, focusing on securing the boundaries of your network or physical infrastructure.

Layer-2: Operating Systems and Servers Protection

This layer focuses on securing the core systems that run your network and applications.

Layer-3: Host Protection

This layer focuses on protecting individual devices (hosts) such as workstations, laptops, and mobile devices.

Layer-4: Information Protection

Innermost layer, focusing on protecting the data itself, regardless of where it is stored or transmitted.

Security Baselining

The act of studying the network at regular intervals to ensure that the network is working as designed.

Study Notes

IT Infrastructure Security

• IT infrastructure security uses the right processes, people, and technology.
• It protects computing resources against unauthorized access, modification, and denial of service.

Attack Surface vs Attack Vector

• The attack surface is the total sum of vulnerabilities in a computing device or network that are accessible to attackers.
• Attack vectors are the paths or means by which attackers gain access to resources.
• Attacks can happen through network, software, physical, or social engineering.

Levels of IT Infrastructure Security

• Physical: Requires physical protection like locked doors, fences, backup generators, and security cameras.
• Network: Protects data as it travels into, out of, and across the network including traffic encryption and firewall management.
• Application: Considers security at the application level, including protection of databases against attacks like SQL injections.
• Data: Considers data protection at the lowest level, regardless of where or how it is stored, including encryption, backups, and anonymization.

Key Components of IT Infrastructure Security

• Network Security: Protects the network from unauthorized access, use, disclosure, disruption, modification, or destruction.
• Endpoint Security: Protects end-user devices from threats, and includes:
  • Antivirus and Anti-malware Software: Detects and removes malicious software.
  • Endpoint Detection and Response (EDR): Monitors endpoints for suspicious activity and provides response capabilities.
  • Data Loss Prevention (DLP): Prevents sensitive data from leaving the organization's control.
• Server Security: Protects servers which host critical applications and data, including:
  • Operating System Hardening: Configuring servers to minimize vulnerabilities.
  • Access Control: Restricting access to servers based on user roles and permissions.
  • Patch Management: Regularly updating software to fix security vulnerabilities.
• Data Security: Protects data from unauthorized access, use, disclosure, disruption, modification, or destruction including:
  • Encryption: Converting data into an unreadable format to protect it from unauthorized access.
  • Data Backup and Recovery: Creating copies of data to restore it in case of data loss.
  • Data Loss Prevention (DLP): Prevents sensitive data from leaving the organization's control.
• Cloud Security: Protects data and applications stored in cloud environments, including:
  • Access Control: Managing user access to cloud resources.
  • Data Encryption: Encrypting data stored in the cloud.
  • Security Audits and Compliance: Ensuring cloud providers meet security standards.
• Physical Security: Protects physical IT assets from theft, damage, or unauthorized access, including:
  • Access Control: Limiting physical access to data centers and server rooms.
  • Surveillance Systems: Monitoring physical spaces for suspicious activity.
  • Environmental Controls: Maintaining proper temperature and humidity in data centers.

Network Security

• Network security protects computer networks from unauthorized access, malicious attacks, and data loss.
• It safeguards network infrastructure, connected systems, and data.
• Key elements include:
  • Firewalls
  • Intrusion detection/prevention systems
  • Antivirus software
  • Anti-spam solutions
  • Encryption algorithms
  • Virtual private networks (VPNs)
  • Access control - Management of user privileges
  • Patch management - Regularly updating software
  • Policies- rules that provide guidance
  • User awareness training

Best practices for strong network security:

• Use firewalls, and implement a default deny policy that allows only necessary traffic.
• Secure wireless networks by enabling WPA2 encryption, changing default SSIDs and passwords, isolating guest networks, and turning off wireless when not in use.
• Practice the principle of least privilege by assigning users and applications only the minimum permissions they require.
• Use strong passwords and two-factor authentication.
• Keep software updated by applying patches and updates for operating systems, applications, and firmware.
• Monitor and audit network activity using intrusion detection and auditing tools to identify unauthorized access and suspicious activity.
• Provide security awareness training.

Firewalls

• A firewall is a network security device that monitors incoming and outgoing network traffic.
• It decides whether to allow or block specific traffic based on a defined set of security rules.
• Firewalls have been a first line of defense in network security for over 25 years.
• They establish a barrier between secured and controlled internal networks and untrusted outside networks (e.g., the Internet).
• A firewall can be hardware, software, or both.

Firewall Types

• Host-based (personal firewalls).
• Network-based (enterprise firewalls).

Firewall Implementation

• Hardware firewalls use dedicated hardware.
• Software firewalls use software (e.g., iptables in Linux).

Firewall Protection Methodology

• Packet filter
• Stateful packet inspection
• Connection filter
• Application proxy filter

Packet Filter

• Operates at the network layer, based on IP packet information.
• Also called a stateless packet filter.

Stateful Packet Filter

• Operates at the transport layer, and utilizes previous SYN (synchronize) packets.

Application Proxy

• Operates at the application layer and functions as a proxy.

Firewall Packet Filtering Rules

• Firewalls examine the 5-tuple of an IP packet (Source IP Address, Destination IP Address, Source Port, Destination Port, Protocol Number) to permit or deny a packet.
• Security rules called ACLs (Access Control Lists) are used to create rules which are applied to a firewall policy.

Intrusion Detection Systems (IDS)

• IDSs detect attacks before, during, and after they occur.
• They inspect for "unusual" activity.

IDS Types

• HIDS (Host Based Intrusion Detection System): Applies detection for endpoint devices (hosts).
• NIDS (Network Based Intrusion Detection System): Applies detection for network traffic.

Intrusion Detection Mechanism

• Signature based IDS: Detects attacks based on specific known signatures or patterns, where a signature refers to the hash value of a virus (file).
• Anomaly based IDS: Attempts to define a baseline of normal behavior and provide a warning whenever the system strays too far from the baseline.

Intrusion Prevention Systems (IPS)

• IPSs give warnings whenever they detect attacks based on a signature or baseline.
• IPSs are hardware and/or software devices with the same functionality as IDSs, except IPSs have prevention capability.

IDS and IPS Detection Results

• False negative: The security control did not detect actual malicious activity.
• False positive: The security control acted as a consequence of benign (non-malicious) activity.
• True negative: The security control has not acted, because there was no malicious activity.
• True positive: The security control acted as a consequence of malicious activity.

IPS Failure Options

• Fail Open: Allows traffic without inspection whenever a failure happens.
• Fail Closed: Shuts down network traffic whenever a failure happens.

Virtual Private Networks (VPNs)

• A VPN uses public telecommunication infrastructures, like the Internet.
• It provides remote offices or individual users with secure access to their organization's network.
• VPNs create a secure, encrypted "tunnel" between devices so data can be transmitted securely over an untrusted network.
• VPNs allow remote users to access a private network, making it appear that their device is directly connected to the private network.
• They assign the remote user a virtual IP address from the organization's VPN IP range.
• VPN connections use encryption like TLS, SSL or IPsec to scramble all data sent between devices.

Common uses of VPNs:

• Allowing remote workers to access organizational resources securely.
• Creating secure connections between remote offices.
• Circumventing geo-restrictions and censorship.
• Browsing privately and anonymously.

Types of VPNs:

• Site-to-site VPNs connect entire networks together.
• Remote access VPNs allow a remote user to connect to a private network, also called a router-to-router VPN.
• SSL VPNs use the SSL/TLS protocol for encryption.

VPN Operation Modes:

• Host-to-gateway where a client device connects directly to a VPN gateway.
• Peer-to-peer where devices connect directly to each other.

Dangers of Free VPNs:

• There are lots of free VPNs on the market, but most of them are limited at best and dangerous at worst.
• The main issues with free VPNs are monthly data caps, limited server choice, slow speeds, and abuse of personal data.

VPN Protocol:

• There are several VPN protocols, or methods of security.
• The oldest is PPTP, point-to-point tunneling protocol, which is still in use today but widely considered one of the least secure.
• Others are IKEv2, L2TP/ I PSec, SSL, TLS, SSH, and Open VPN.
• OpenVPN is an open-source protocol, making it among the most secure as any vulnerabilities are quickly noticed and patched.

Proxy Server

• A proxy server acts as an intermediary between a client computer and the Internet.
• A client connects to a proxy server and then forwards requests to the Internet, returning responses to the client.

Main purposes of a proxy server:

• Security: Filters Internet traffic to protect clients from malware and other threats and hides clients' IP addresses to improve anonymity.
• Caching: Stores copies of frequently requested web pages and sends them to clients from the cache, reducing load on the origin server and improving response time.
• Access control: Limits which Internet resources clients are allowed to access.
• Logging and reporting: Logs all Internet activity for network monitoring, auditing, and troubleshooting.
• Filtering: Filters Internet content based on keywords, URLs, or file types to enforce acceptable use policies.
• Bandwidth management: Limits the bandwidth each client uses, ensuring fair sharing of Internet connectivity.

Types of proxy servers:

• Forward proxy.
• Reverse proxy.
• Transparent proxy.

Main advantage of using the proxy server:

• Improves security and enhances user privacy.
• Hides the identity (IP address) of the user.
• Controls the traffic and prevents crashes.
• Saves bandwidth by caching files and compressing incoming traffic.
• Protects our network from malware.
• Allows access to the restricted content.

Need of Proxy Server:

• Reduces the chances of data breaches.
• Adds a subsidiary layer of security between server and outside traffic.
• Protects from hackers.
• Filters the requests.

AAA (Authentication, Authorization and Accounting)

• AAA is a framework of network security that includes three processes: Authentication, Authorization, and Accounting.
• Authentication: Verification of a user's identity, with a username and password, ensuring only authorized users gain access.
• Authorization: Determination of what an authenticated user is allowed to do, based on the user's credentials and privileges.
• Accounting: Logging and monitoring of users' activities with tracking resource usage, billing for services, and generating audit trails and reports.
• AAA uses separate modules to handle each of these processes.
• Authentication Module: Verifies users' identities using credentials like usernames, passwords and tokens utilizing authentication methods like password, certificate and multifactor authentication.
• Authorization Module: Determines users' permissions based on authorization policies using authorization methods including access control lists (ACLs), role-based access control (RBAC) and attribute-based access control (ABAC).
• Accounting Module: Records and tracks users' actions and resource usage in log files. Then the information is used to generate reports, bill for resources, and perform auditing.

The AAA framework ensures:

• Only authorized users can access the network or resources.
• Users only have access to what they are authorized for based on their role and permissions.
• All user activity is logged and monitored for security, auditing, and billing purposes.

The AAA framework helps with auditing in a few keyways:

• Logging of authentication events- Authentication module.
• Logging of authorized actions- Authorization module.
• Recording of resource usage- Accounting module.
• Generating reports- Accounting logs.
• Detecting anomalies- Security analysis.
• Supporting non-repudiation- undeniable evidence.
• Facilitating forensic investigations

Types of AAA:

• Local AAA.
• Centralized AAA.
• Distributed AAA.
• AAA can be implemented locally, centrally or in a distributed manner using various technologies.
• Centralized and distributed AAA architectures provide better scalability, availability and management of AAA services compared to local AAA.

Technologies that implement AAA:

• RADIUS: Remote Authentication Dial-In User Service is a standardized protocol used to provide centralized AAA services, and its servers are used for remote access VPNs...
• TACACS+: Terminal Access Controller Access-Control System Plus is another centralized AAA protocol, mainly used for managing network device access like routers and switches.
• Diameter: An enhanced AAA protocol used for authentication in wireless and 4G/LTE networks. It provides more extensibility and security compared to RADIUS.
• Active Directory: A directory service used in Windows networks that provides authentication, authorization and group policies for centralized management of users and computers.
• FreeRadius, OpenDiameter, EDirectory - Open source implementations of RADIUS, Diameter and Active Directory respectively.

Defense-in-depth Approach

• The four key "Defense-in-depth Approach" layers of the security model are: Layer-1: Perimeter Defense, Layer-2: Operating Systems and Servers Protection, Layer-3: Host Protection, Layer-4: Information Protection.
• Layer-1: Perimeter Defense: This is the first line of defense, focusing on securing the boundaries of your network or physical infrastructure.
• Examples: Firewalls, IDS/IPS, Routers and Switches, Physical Security
• Layer-2: Operating Systems and Servers Protection: This layer focuses on securing the core systems that run your network and applications. Examples: Operating System Hardening, Regular Patching, Access Control Lists (ACLs), Antivirus and Anti-malware Software.
• Layer-3: Host Protection: This layer focuses on protecting individual devices (hosts) such as workstations, laptops, and mobile devices. Examples: Endpoint Detection and Response (EDR), Host-based Firewalls, Data Loss Prevention (DLP), User Account Control (UAC)
• Layer-4: Information Protection: This is the innermost layer, focusing on protecting the data itself, regardless of where it is stored or transmitted. Examples: Encryption, Data Backup and Recovery, Access Control, Data Loss Prevention (DLP), Information Rights Management (IRM).

Security Baselining

• A baseline is a process for studying the network at regular intervals to ensure that the network is working as designed.
• It gains valuable information on the health of the hardware and software.
• Determines the current utilization of network resources.
• Helps make accurate decisions about network alarm thresholds.
• Identifies current network problems and predicts future problems.
• The objective of baselining is to determine the current status of network devices, compare that status to standard performance guidelines, and sets thresholds to alert when the status exceeds those guidelines.

Notes on IT infrastructure Security

• Training people and implementing information processes are important aspects of security.
• Using NOS and OS hardening is crucial and saves you money on security control devices and tools.
• Honeypots and Honeynets are used to understand hacker Techniques, Tactics and Procedures (TTP).
• Defense in depth and continuous network monitoring is the latest methodology to defend infrastructure using layers of independent security controls.
• Continuous network monitoring is controlling network and infrastructure from visibility and control perspective.
• Information Security is a process.