Operating System & Network Security

Questions and Answers

What is the primary advantage of using Linux operating systems for servers from an IT security perspective?

  • Wider user familiarity compared to proprietary systems.
  • Lower cost of implementation compared to Windows-based systems.
  • Greater software availability compared to Windows.
  • Enhanced reliability, making them suitable for handling server tasks. (correct)

In the context of operating system security, what does 'hardening' refer to?

  • Regularly backing up important system files to prevent data loss.
  • Increasing the processing power of the system to handle more tasks.
  • Installing the latest software updates to enhance performance.
  • Implementing strict access controls and reducing the attack surface. (correct)

Why is it important to balance security measures with business needs when hardening an operating system?

  • To comply with industry regulations and avoid legal liabilities.
  • To simplify the process of managing security policies across the network.
  • To ensure all applications and functions remain accessible and operational. (correct)
  • To reduce the cost associated with implementing security measures.

What is the primary benefit of implementing domain policies in a network environment?

To streamline security management and ensure consistent policies across all machines. (B)

Why should an organization maintain logs for an extended period, ideally up to a year?

To ensure effective investigation of attacks that may go unnoticed for months. (B)

What is the role of Shadow Copies in filesystem configuration?

To provide backups of drive files, enabling restoration of previous versions after accidental changes. (C)

What is the importance of synchronizing system clocks across a network?

To ensure accurate log correlation and event analysis for security monitoring. (D)

Why is it important to test and monitor a machine after implementing security measures?

To ensure the machine works as intended and address any new problems. (B)

What is a key consideration when dealing with virtual environments compared to physical networks from a security standpoint?

Each virtual server running in a virtual environment is more critical due to hosting multiple servers or networks. (C)

What measure can reduce the negative impacts when performing actions to the live virtual environment?

Replicate another virtual environment for testing purposes on a smaller scale. (C)

What are the recommended treatments for the host machines that run virtual environments?

Install only the minimum programs required and use strong passwords. (D)

What is the security implication of an attacker gaining administrative access to a hosted virtual server?

The attacker can gain full control over the virtual environment. (A)

Which service model allows businesses to focus on delivering a service without managing hardware and networking systems?

Software as a Service (SaaS) (D)

What type of cloud is utilized for organizations with similar requirements to reduce the cost of operating a private cloud?

Community Cloud (A)

What is a key data security concern when using cloud services?

The potential for unauthorized access due to vulnerabilities in cloud servers and authentication systems. (D)

What is the primary recommendation for securing data stored in the cloud?

Encrypt any data that is stored in a cloud. (A)

What should organizations do when reviewing a Service Level Agreement (SLA) or End User License Agreement (EULA) from cloud providers?

Thoroughly review them and seek legal consultation if possible. (A)

What is the primary purpose of a Web Access Firewall (WAF)?

To protect web applications by allowing certain ports and applications, also mitigating DDoS attacks. (A)

What is a key limitation of Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)?

Their inability to compensate for weak authentication systems and passwords. (D)

What is a counter-attack in the context of network security?

An active attack to suppress the attacking machine, which should only be done within a private network. (C)

What is the primary benefit of using Security Onion?

Its open-source nature, Security Onion is therefore free. (A)

What is the function of the Packet Sniffer module in SNORT?

Capturing packets in the network to be then given to the Packet Decoder. (A)

What do Security Information Event Management (SIEM) systems do?

Gather data of multiple device logs and consolidate the data. (D)

What is the significance of threat intelligence in a SIEM system?

It provides real-time data for use with proactive attack capabilities. (C)

For large networks, how do multiple SIEM servers work together effectively?

Multiple SIEM servers cluster together with reporting to higher level SIEM servers. (B)

What is the role of an agent in a SIEM architecture?

To forward log files to the SIEM server. (B)

What is the main function of the Indexer component in Splunk?

To store and index data, and respond to search requests. (D)

As a general approach, what should the security specialist do in the incident prevention?

Suspect there are indeed attacks in progress. (D)

What is the recommended approach to budgeting for security measures?

Determine the priorities of the security safeguards to budget. (D)

Which tool can be used to check web sites for exploits?

Shodan (D)

Flashcards

Why are Operating Systems prime targets?

Operating systems are prime targets for attackers, essential for device control.

What is OS Hardening?

Securing an OS to reduce vulnerabilities.

What are Network Policies?

Standardized security configurations propagated network-wide.

What are System Logs?

Records of system events critical for security analysis.

What is a SIEM?

A system that centralizes logs for analysis and alerting.

What are Shadow Copies?

Shadow Copies enable quick restoration of previous file versions.

What does OS Hardening involve?

Uninstall or disable unnecessary legacy services

What is a Hypervisor?

A software that runs virtual machines.

What is a Type 1 Hypervisor?

Installed directly on hardware, offering better performance.

What is a Type 2 Hypervisor?

Installed on top of an existing OS.

What is IaaS?

Infrastructure as a Service; provides virtualized computing resources.

What is PaaS?

Platform as a Service; provides a development environment.

What is SaaS?

Software as a Service; provides ready-to-use applications.

What is a Man-In-The-Middle attack?

Unauthorized access using a fake Wi-Fi hotspot.

How to enhance Cloud Data Security?

Encrypt data stored in the cloud.

What is WAF?

An application firewall for cloud environments.

What are IDSs/IPSs?

Systems that detect and prevent malicious network activity.

What is Security Onion?

Linux distro for network security.

What is SNORT?

Open source IDS/IPS.

What is Threat Intelligence?

Current attack information

What is Data Aggregation?

Log data from devices

What is Correlation?

Examine relationships of events.

What are SIEM agents?

Programs installed on devices.

What are SIEM sensors?

Hardware extending SIEM reach.

What is Splunk?

Splunk is a leading SIEM solution.

What is a Splunk Forwarder?

Moves data to indexers

What is a Splunk Indexer?

Stores and indexes processed data.

What is Splunk Search Head?

Graphical interface for searching and analyzing data.

What is SPL?

Language to create searches

What is Prevention?

The most desirable action to take rather than responding to an attack.

Study Notes

Operating System Security

  • Multiple vendors develop operating systems, either proprietary such as Windows or open source like Linux
  • Linux OS's are better for handling servers due to reliability, while Windows is better for workstations due to end user familiarity
  • OS's are prime targets for attackers because they control devices
  • OS's are used in desktops, servers, laptops, phones, network switches, printers, firewalls and embedded car systems
  • OS hardening, also called locking down, secures an OS by attempting to balance security with business and application needs

Network Policies

  • Domain policies apply to network computers in an enclave or domain
  • Security policies crafted at the controlling network servers are propagated to all machines, providing standardization across the network
  • Policies can be designed to suit different groups or machines based on their roles
  • Admin accounts require longer passwords
  • Mail servers have specialized policies for protocols and messaging
  • Backup servers have restrictive policies for vital data protection

Logs and SIEMs

  • Every OS generates logs that are valuable to both security personnel and attackers for finding attack evidence, vulnerabilities, and errors
  • Reviewing logs is a reactive activity that is prompted by an event or incident
  • Security Information Event Management (SIEM) systems review logs and create alerts
  • SIEMs gather logs from network devices, provide graphical dashboards of network status, and report suspicious activities
  • SIEMs alert personnel via email and SMS when an event is found in the logs
  • SIEMs analyze events; for example, they notice five logon attempts on a server during off hours and send out an alert based on rules set by security personnel
  • Security personnel determine if the alert was intentional, an honest mistake, or malicious
  • Logs come in three forms: System Logs, Security Logs and Application logs
  • System logs record events within the OS and associated hardware, such as the OS's kernel, system clock, and services
  • Security logs track successful/failed events dealing with logins, file and system permissions
  • Application logs deal with programs native to the OS or installed by 3rd parties
  • Logs should be maintained for at least 90 days, up to a year, as attacks can take months to detect
  • Log retention time depends on compliance requirements
  • Logs must be maintained for 7 years when following Sarbanes-Oxley Act (SOX) for financial businesses within the United States

Primary Steps in Securing Operating Systems

  • Securing an OS typically follows a defined process, assuming a clean build
  • Filesystem Configuration
  • Drives may be partitioned with RAID configuration settings
  • Enable backups to recover previous file changes (shadow copies)
  • Shadow copies are useful for accidental deletions or file modifications, and a previous version can be restored

Updates

  • OS updates are essential, but may need to be delayed in restrictive networks until internet is available
  • Devices may have joined the network, with a designated server sending updates

OS Hardening

  • Uninstall or disable legacy services like Telnet
  • Disable applications or services that are not to be used (Xbox game app), as well as vulnerable SMB network protocols

User Account Settings

  • Apply password requirements along with user rights assignments, and disable the Guest account in the local machine settings in case the machine ever becomes disjoined

Audit and Log Settings

  • Ensure auditing policies are in effect for accounts and configure the size, retention, and transmission of event logs

Drive, File and Folder Permissions

  • Modify permissions for drives and file/folder structure to a secured state
  • Prevent unauthorized access to the hidden share of the C drive on Windows

Synchronize System Clock

  • Ensure the machine has its clock synchronised to a designated server and therefore stays on time with the rest of the network, and set the appropriate time zone

Remote Access

  • Configure the system properly for remote access
  • Disable the Remote Assistance feature of Windows desktops

Security Applications

  • Install security products like Anti-Virus, Anti-Spyware and Firewalls

Physical Security

  • Change the machine's BIOS settings to set up a password and disable USB drive booting
  • Computers (desktops and laptops) can be locked by cable to a desk, and servers should be secured by locked rack doors

Test and Monitor

  • Ensure the installed machine works as intended; troubleshoot and fix any problems so that they do not come back and become more difficult to fix

Other Considerations

  • Once the machine is ready, it can be monitored according to the organization’s maintenance plan

Center for Internet Security (CIS)

  • The Center for Internet Security (CIS) provides detailed steps to harden all forms of operating systems
  • CIS offers Benchmarks, the guidelines for specific operating systems, which require registration to download
  • CIS Home Website: https://www.cisecurity.org
  • CIS Benchmarks for Operating Systems: https://www.cisecurity.org/cis-benchmarks/

Virtual Environments

  • Virtual environments reduce hardware costs and run multiple virtual machines on a single server
  • Virtual environments can function with servers in a cluster for fault tolerance
  • Virtual environments are more secure than physical networks because there are fewer servers to attack
  • Virtual operating systems are harder for attackers to exploit
  • Virtual machines have custom MAC addresses for easier security management
  • Snapshots of virtual machines act as backups & are easier to perform than standard backup systems
  • Restarting a compromised virtual machine can be done by restoring from the last snapshot
  • Virtual environments cost less and allow for Universal Power Supplies (UPSs)
  • VMware is a popular vendor offering ESXi for enterprise-level networks, and offering VM Player, which allows Windows machines to run one virtual machine
  • Linux operating systems are a preferred choice because of their stability and free virtual systems
  • VirtualBox is a popular virtual machine because of its ease of use

Hypervisor

  • The hypervisor is the software that runs the virtual machines, and there are two types that differ based on how they are installed:
  • Type 1 or Native (Bare Metal): installed directly to the host hardware, control all of the virtual OS's, and provide better performance and security, such as VMware’s ESXi
  • Type 2 or Hosted: installed onto a host’s OS, controlling additional OS’s, but are less secure, such as Windows running VM Player with a virtual Linux OS

Security Principles for Virtual Environments

  • The key principle is that virtual servers are more critical than physical servers due to having multiple servers/networks within
  • Virtual servers can be a single point of failure for a network
  • Virtual network faults or compromises can be more severe than with a physical network
  • Implement effective change management and replicate another virtual environment for testing purposes at a smaller scale
  • Conduct improvements, upgrades or changes with a test virtual environment to reduce live environmental impacts
  • Attackers target the host machines, and administrative access onto a hosted virtual server could allow for full control

Key Security Principles

  • Treat the host machines with respect by installing only the minimum programs required
  • Avoid using the hosted web browser to surf and download from the Internet
  • Use very strong and complex passwords for the host machine, and strict remote access management with encrypted communications
  • Power off any virtual machines that are not needed
  • Perform routine snapshots and backups of the virtual machines
  • Secure the virtual environment like a physical network with defence in depth principles
  • Monitor the event logs of the host machines

Cloud Environments

  • Clouds are virtual server clusters with advantages and potential security problems

Service Models

  • Clouds provide three service models to specialized software applications:
  • Infrastructure as a Service (IaaS): Infrastructure is provided using virtual machines, allowing cloud-based servers
    • NIST Definition: The consumer can provision processing, storage, networks, and fundamental computing resources, but does not manage/control the underlying cloud infrastructure and has limited control of networking components
  • Platform as a Service (PaaS): Provides an environment for software developers
    • NIST Definition: The consumer can deploy consumer-created/acquired applications, but does not manage/control the underlying cloud infrastructure including network, servers, OSs or storage, but has control over the deployed applications
  • Software as a Service (SaaS): Focuses on delivering a service by subscription without worrying about hardware and networking systems
    • NIST Definition: The consumer uses the provider's applications running on a cloud infrastructure, accessible from various client devices via a thin client interface

Ransomware as a Service (RaaS)

  • Ransomware as a Service (RaaS) is a form of SaaS used covertly to attack networks and computers with ransomware
  • If the ransom is paid, the service provider pays a commission from the ransom to the agent

Deployment Models

Deployments for clouds follow these models:

  1. Private Clouds
    • Private infrastructure with internal or external (3rd party) management
    • Most expensive to operate with security posture managed by the organization or a 3rd party
  2. Public Clouds
    • Hosted by companies for public use
    • Security relies on the managing cloud companies
    • Security management varies, and ISO compliance is preferred with secure communications required
  3. Community Clouds
    • Private clouds shared amongst similar organizations
    • Reduces the cost of a private cloud, as exemplified by different state-level government agencies using the same cloud
  4. Hybrid Clouds
    • Separated combination of above clouds for an organization to take advantage of the benefits of both types of clouds
    • Maintain the data of an entity on their private cloud, but use public cloud software that is made available as a service

Data Security - Cloud Computing

  • Primary security concerns exist with cloud data
  • Cloud servers have vulnerabilities to unauthorized data access
  • Authentication for cloud servers relies on User ID and Password
  • Attackers try to gain user credentials
  • Conducting Man-In-The-Middle attacks with Wi-Fi access points
  • Customers mistakenly connect to the attacker's Wi-Fi access point in a café
  • Attacker gains access to personal files in the cloud from customer access to a cloud service

Cloud Systems

  • Systems may have vulnerabilities, which allow the attacker to gain access to all other cloud servers from one server
  • Dropbox suffered a breach in 2014 with over 7 million user accounts compromised
  • The Australian Department of Defence has provided recommendations on security risk assessment for deciding on the use of clouds
  • Secure clouds technically with encryption
  • Have legal consultation

Data Ownership - Cloud Computing

  • Cloud providers may exist in foreign countries with cloud servers clustered worldwide
  • Data in a cloud can be subjected to foreign government laws, where organization data does not receive the same legal privacy protection
  • A foreign government may gain access to the organization's data without their consent
  • High encryption is recommended, with thoroughly reviewed Service Agreements

Web Access Firewalls (WAF) and Services

  • Clouds have Web Access Firewalls available
  • The firewalls allow only certain ports and applications, and protect from Distributed Denial of Service (DDoS)
  • WAFs are offered by vendors with service plans, especially for DDoS mitigation
  • WAFs have only specific ports open in the cloud, limiting traffic and programs
  • Vendors allow DDoS mitigation by scrubbing malicious traffic and commands, with plans ranging from affordable prices to enterprise

IDSs and IPSs

  • Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are implemented together and must have both Detection and Prevention capabilities to be considered for use

Examples of using IDSs and IPSs

  • To monitor and analyze User & device activities
  • Performing Audits of System for Vulnerabilities & Configuration Deviations
  • Verifying File Integrity
  • Analyzing for Activity Patterns
  • Determination of Abnormal Activity
  • Preventing Unauthorized Logins
  • Isolating Infected Systems
  • Blocking Malicious Traffic

Capabilities of IDSs/IPSs

  • System capabilities and limitations need to be understood
  • Adds an Integrity Level to a Network
  • Traces User traffic entries and exits
  • Observes and Reports Deletions and Overwrites of Data
  • Automation of Monitoring and Searching for new Attacks
  • Detect Active Attacks
  • Locates and Reports Internal Configuration File issues
  • Blocking Connections, Protocols, Ports
  • Blocking User Accounts
  • Host Blocking by Disabling NIC
  • Blocking of Unauthorized Protocols
  • Implements Firewall

Limitations of IDSs/IPSs

  • Cannot compensate for weak Authentication System
  • Cannot investigate Attacks without Human Impact
  • Cannot compensate for Weak Protocols
  • May not be able to Determine Quality Content in Files
  • Must be able to Analyze Traffic
  • Must know Source, especially Counter Attacks
  • Shut Down compromised Financial Institution

Security Onion

  • Security Onion is a Linux Distro
  • Security Onion = nemesis of Kali Linux
  • Useful on a Budget
  • Since Open Source = Free
  • Will still have cost with old Desktops and Laptops to Repurpose
  • Security Onion has programs that can perform IDS, IPS
  • Developed by Doug Burks; contains:
    • SNORT: Open Source IDS/IPS
    • Suricata: Same as SNORT (Better Modular Performance)
    • Sguil: GUI (Graphical User Interface) for SNORT & Suricata Monitoring
    • Snorby: Web-based for Network activity with SNORT and Suricata
    • Xplico: Selects from Packets and Recovers SIP, IRC, HTTP, IMAP

SNORT

  • Open source IDS with detection and prevention capabilities
  • Snort is Command Line Interface (CLI) driven
    • Uses Sguil
  • Modules:
  1. Packet Sniffer: captures packets and gives them to the Packet Decoder
  2. Packet Decoder: examines headers of packets for anomalies in OSI layers 2 and 3
  3. Preprocessor: same with OSI layers 3, 4 and 7; conducts analyses
  4. Intrusion Detection Engine: uses rules to make determinations of anomalies
  5. Output Module: generates alerts in formats (log files)
  • Rules: lightweight and one text line each
  • Registered non-subscribers have rules that are > 30 days old
  • Poses a problem with zero-day attacks
  • Subscription is low at $30 (individuals); business is $399
  • Fairly complex, covered in course.

Security Information Event Management (SIEM)

  • Important for Security
  • Includes Capabilities, Core Systems, Splunk
  • Has Capabilities

SIEM Capabilities

  • SIEMs, depending on the system, provide all of these capabilities:
  • Threat Intelligence: available information on current/future threats in the world
    • Can be built, or a means to connect intel services: 1. Monitoring/protecting the network 2. Preventative attack capabilities 3. Implementing/monitoring rules
  • Data Aggregation: gathers the data of all devices and consolidates it
  • Correlation: performs analyses on the aggregated data and presents information/relations
  • Intrusion Detection System (IDS): part of SIEM & NIDS/HIDS
    • Depending on the configuration, installs a software agent, or can integrate a 3rd party instead of installing an agent
  • Alerts (communications): dashboard(s), emails and SMS
  • Asset Discovery: available to SIEMs; scans the network and IDs host names/operations
  • Vulnerability Assessment & Compliance: conducts assessments with a 3rd party
    • Can determine compliance of governance (ISO); compulsory legal (health care providers & compliance)
  • Forensic Analysis: aids personnel with search filters, reducing work hours
  • Reporting: can be used to make quick reports
  • Clustering: for large entities, multiple servers are each assigned to a portion and report to higher-level masters/feds

SIEM Core Components

  • Server: master; gathers info, correlates and aggregates, alerts
  • Agent: installed; main agent to forward log files
  • Sensor: hardware dedicated for range and performance

SIEM Further Considerations

  • A logger is used to ease the load on the SIEM and archives long term.
  • Sensors are usually for segregated networks

Splunk

  • SIEM by a US company based in San Francisco
  • Can be found integrating with Google Cloud Platforms
  • Ins and outs: this knowledge is gained to use with others

The Three Key Components of Splunk

  • Forwarder: forwards data remotely
  • Indexer: stores data and sends request
  • Search Head: front end; runs searches across, allowing data scaling

SPL - Key Item Different From Other SIEMs

  • Search Processing Language (SPL)
    • Combines capabilities of SQL and UNIX pipeline syntax, allowing: access to all data, optimizing events, language visualizations
    • Source type Access_Combined | limit = 100 domain | Stats to Count
    • Training and Repetition

Incident Prevention

  • Always suspect that there is an attack or attacks being conducted "Indeed Attacks In Progress" and hopefully all of the attacks aren't getting further than the Firewall and Decoys

Attackers

  • Succeed through users:
    • Inserting an infected media device
    • Opening an infected attachment

When an Infection occurs

  • Alarms being Generated/ Emerging Effects/Usage, Evil Popup Ad are Given

  • However If attack Gets into Network -Can be Done instead of Waiting for Alerts to Pop Up SIEM Yes

  • Addressed Before Further

    • Budgeting W/management Budget First part to Preventing Event & Budget For Event Budget is not Profitable source Like Companies So importance for security is routine matrixes/ reports

When a Panel member Asks

  • "For my company I only have enough for Either Firewall or Detection "
  • IDS.* can show Management with the Logs -Can then Get a Budget for the Firewall
  • Seeing= Believing
  • Had Only Purchased than Safe -Attacks May Still Work/No Device to Stop

Likelihood and Rarity

  • May be Faced with Updated Technology or Policies to not Allow Open sourced & Management is Stingy

  • Make cuts w/ Security Therefore Dealing has Crucial Value Risk Value Asset info, Discussed in Different Module

  • Rule:* When Budget Limited - Prioritize the Security Safeguards & SIEM/ Reports/ open source- Antivirus Repurpose an Over computer

Examples of Open Source security systems

  • Perimeter Firewall* IP,PSence, OP,NG
  • ID and IPS*
  • Antivirus* -Snort

Prevention and Action

  • The best action is to actively take action rather than respond; limited actions can be prevented as follows

  • Insider threats: difficult threats to detect and prevent; can observe insider threats by observing; same facility or shift

  • Prevent insider Attacks by

  • Least Privilege & need to know

  • In Network Users

  • Prevention and alerts for USB to be used

  • Data prevention System

  • Training- New Technology

  • Unusual Traffic

Reconnaissance (Testing)

  • Internet, with Comp Network. This can be with online Vendors and Social media sites.

  • With (Google) info - Network

  • The Internet can use version of Shodan which is exploited

  • Is there Password? compromised.com list comp email

Prevention/Applications

  • Bug Tracking* and system/ vulnerabilities , so look & patching
  • SIEM*- Looks & Checks Spot,Dashboard produces Alerts when everything Checks for the Date

Scanning and Baselining

  • Accepted the Network Scanning
  • List -Compliances
  • Monitor Network* - Sniffing Traffic for Codes
