LAYERS OF DEFENSE AND TECHNOLOGY SOLUTIONS
CSAP 301.3
CSAP 301 - Cyber Security for Aspiring Practitioners
CSAP 301.3 - Layers of Defense and Technology Solutions
Course Topics
1. Access Control Technology Solutions
2. Application Security Technology Solutions
3. Data Security Technology Solutions
4. Host Security Technology Solutions
5. Network Security Technology Solutions
6. Cloud Security Technology Solutions
7. Security Information and Event Management (SIEM)
8. Vulnerability Scanners
9. Summary
© DIGISS CSAP 301 2
Access Control Technology Solutions
On completion of this section, you will:
• Understand the fundamentals of access control
• Be able to explain common terms such as object, subject, authentication, authorization, and
accountability
Access control is all about controlling (i.e., denying or permitting) access to a resource. Any technology solution must be capable of making the right determination based on the output of control checks. These checks are in three phases, namely:
• Identification
• Authentication
• Authorization
In addition to these three phases, there are three other elements
of access control:
• Accountability
• Subject
• Object
Before discussing access control technologies, we’re going to
examine two practical examples of access control in action.
In the example presented in these slides, user Luke Boyle is
seeking access to a computer system and needs to identify himself
by entering his username.
Next, the system needs to know that the individual seeking
access is truly Luke Boyle and so it requires him to authenticate by
entering his password. Once Luke’s access to the computer system
has been granted, he tries to open a file named
employees_salary.xlsx but is unable to do so because he’s not
authorized to view the file. The system performing all these checks must also be capable of recording (auditing and logging) all the events to aid investigations should there be a need to retroactively review the user’s activities. This property is called accountability.
In our example above, the subject is Luke Boyle whereas the
object is employees_salary.xlsx. The subject is typically the entity
requesting access to a resource (e.g., a user, application, or process)
while the object is the resource being accessed (e.g., a file or an
application).
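To make the three phases and the accountability element concrete, here is an added Python example (not part of the original course material) that models the Luke Boyle scenario: identification looks up the claimed username, authentication checks the password against a stored hash, authorization consults a per-object access list, and every decision is appended to an audit log. The user database, the access list and the file names are constructed for the example; the salted PBKDF2 hash stands in for whatever password store a real system would use.

```python
import datetime
import hashlib
import hmac
import secrets

# Constructed user store: username -> (salt, PBKDF2 hash of the password).
# A real system would use a purpose-built password hash (bcrypt, Argon2);
# PBKDF2 from the standard library keeps the example dependency-free.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = secrets.token_bytes(16)
USERS = {"lboyle": (_SALT, _hash_password("correct horse battery", _SALT))}

# Constructed authorization data: object -> set of subjects allowed to open it.
ACL = {
    "employees_salary.xlsx": {"hr_admin"},
    "team_calendar.xlsx": {"lboyle", "hr_admin"},
}

# Accountability: every identification, authentication and authorization
# decision (success or failure) is recorded here with a timestamp.
AUDIT_LOG: list[str] = []


def _audit(event: str) -> None:
    stamp = datetime.datetime.now(datetime.timezone.utc).isoformat()
    AUDIT_LOG.append(f"{stamp} {event}")


def identify(username: str) -> bool:
    """Identification: does the claimed identity exist at all?"""
    known = username in USERS
    _audit(f"IDENTIFY user={username} known={known}")
    return known


def authenticate(username: str, password: str) -> bool:
    """Authentication: does the subject hold the secret for that identity?"""
    if not identify(username):
        return False
    salt, stored = USERS[username]
    ok = hmac.compare_digest(_hash_password(password, salt), stored)
    _audit(f"AUTHENTICATE user={username} result={'success' if ok else 'failure'}")
    return ok


def authorize(subject: str, obj: str) -> bool:
    """Authorization: may this authenticated subject access this object?
    An object with no ACL entry is denied by default."""
    allowed = subject in ACL.get(obj, set())
    _audit(f"AUTHORIZE subject={subject} object={obj} "
           f"result={'permit' if allowed else 'deny'}")
    return allowed


def open_file(username: str, password: str, obj: str) -> bool:
    """Run the phases in order; a failure at any phase stops the request."""
    if not authenticate(username, password):
        return False
    return authorize(username, obj)


if __name__ == "__main__":
    print(open_file("lboyle", "correct horse battery", "employees_salary.xlsx"))
    print(open_file("lboyle", "correct horse battery", "team_calendar.xlsx"))
    print("\n".join(AUDIT_LOG))
```

Note that the denied request for employees_salary.xlsx is still fully logged: the audit trail, not the denial itself, is what gives an investigator accountability after the fact.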
Example 2
Identification
Now, imagine that Luke Boyle has just been hired as a bank teller at Royal Bank. On his second day at work, the security guard asks to see his ID badge to be sure that Mr. Boyle is a member of the bank’s staff.
Authentication
Next, Mr. Boyle proceeds to his department and needs to prove
that he is indeed a member of that department by swiping his badge
to gain access.
Authorization
Once access is granted, he settles in and commences his daily work-related activities. In the process, he needs to place some cash in the vault, but on attempting to access the vault, he is denied entry because he is not authorized to access the vault.
Accountability
Royal Bank’s computer systems are configured to log every
successful and failed attempt to gain access to the vault. Hence,
Luke’s failed attempt was logged and a system generated alert was
sent to the security department. In addition, a security guard
standing post in the vault’s lobby has manually logged Luke’s
attempted access to the vault.
In this example, Luke Boyle is the subject while the vault is the object.
Access control is a broad subject in cyber security. This control
applies to (and is enforced at) every layer of defense implemented
around digital assets that organizations want to protect.
The overall goal of any access control solution is to regulate
access from a requesting entity (subject) to a requested resource
(object).
There are three broad categories of access control, namely:
• Administrative (e.g., policy)
• Physical (e.g., entrance gate or security guard)
• Technical (i.e., logical access control to computer systems
and other digital resources)
The focus of this module, however, is technical (or logical) access
control.
Various access-control-specific technology products exist on the market today, but most access control functionality is built into other technology products. For instance, an entity must be correctly identified and authenticated before being allowed to use any information system; therefore, almost every technology product is capable of identifying and authenticating such an entity.
Where access control is centralized, the task of identifying and
authenticating such entities is typically delegated to an enterprise
Identity and Access Management platform.
The access controller’s main purpose is to provide centralized
authentication services by granting or denying access to objects.
Thus, it needs to know about every object on the network to which
access must be controlled.
Every computer system (server or workstation) and user in a Microsoft Windows enterprise environment is contained in Active Directory. In the authentication example presented on the first slide,
a subject logs on to a computer system by providing his/her domain
user credentials. The computer system passes the subject’s
credentials to an AD server for validation. If the credentials are
validated, AD sends an “authentication success” message back to the
computer system, which in turn grants the subject access to the
object.
In a highly sensitive and controlled enterprise environment,
specialized access control technology products (such as smart cards
or hardware token) may be required in addition to username and
password to gain access to any domain-joined computer system.
Network devices have the ability to authenticate users locally,
but a TACACS or RADIUS server is typically used in an enterprise
environment for centralized administration. TACACS is short for
Terminal Access Controller Access Control System. This protocol was
developed by Cisco for handling remote authentication for network
devices through a centralized server.
RADIUS, which stands for Remote Authentication Dial-In User Service, is also a networking protocol that provides centralized access control services.
Both authentication protocols proxy authentication requests and
responses back and forth between the end-user and enterprise
directory server(s).
The primary function of a firewall is to control access from a
subject to an object. Access control lists (ACL) are implemented on
firewalls for this purpose. Best practice dictates that access from one
network location to the other—when separated by a firewall—must be
implicitly denied unless explicitly allowed through firewall access
control configuration.
In the example on the first slide, the HR analyst at computer address 10.10.10.10 was able to access the resource on the server at 10.10.20.20 because that traffic was explicitly allowed across the firewall, having been determined to be legitimate business traffic.
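The “implicitly denied unless explicitly allowed” rule is easy to get wrong in practice, so here is an added Python example (not from the course) of a minimal first-match-wins ACL evaluator with a default deny. The rule syntax, the rule base and the port numbers are constructed for the example; the 10.10.10.10 to 10.10.20.20 flow is the one from the slide.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]   # None means "any destination port"
    action: str            # "permit" or "deny"


def parse_rule(text: str) -> Rule:
    """Parse a constructed rule syntax such as
    'permit 10.10.10.10/32 -> 10.10.20.20/32 port 443'."""
    parts = text.split()
    if len(parts) not in (4, 6) or parts[2] != "->" or parts[0] not in ("permit", "deny"):
        raise ValueError(f"bad rule: {text!r}")
    dport = None
    if len(parts) == 6:
        if parts[4] != "port":
            raise ValueError(f"bad rule: {text!r}")
        dport = int(parts[5])
    return Rule(ipaddress.ip_network(parts[1]), ipaddress.ip_network(parts[3]), dport, parts[0])


# Constructed rule base. Order matters: the first matching rule decides.
RULES = [parse_rule(r) for r in (
    "permit 10.10.10.10/32 -> 10.10.20.20/32 port 443",  # HR analyst -> HR server, HTTPS only
    "deny 10.10.10.0/24 -> 10.10.20.0/24 port 22",       # explicit deny kept for logging clarity
)]


def evaluate(src: str, dst: str, dport: int, rules=RULES) -> str:
    """Return 'permit' or 'deny' for a flow. Anything no rule explicitly
    matches falls through to the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and (r.dport is None or r.dport == dport):
            return r.action
    return "deny"  # implicit deny: nothing explicitly allowed this flow


if __name__ == "__main__":
    print(evaluate("10.10.10.10", "10.10.20.20", 443))  # HR analyst's legitimate traffic
    print(evaluate("10.10.10.11", "10.10.20.20", 443))  # neighbouring host: no rule, denied
```

The explicit deny rule changes nothing about the outcome (port 22 would be dropped by the implicit deny anyway); firewall administrators often keep such rules so that the drop is logged against a named rule rather than the catch-all.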
In the example on the second slide, the marketing director tries
to access the CRM web application. The username
lboyle@company.com is how the access controller (Active Directory)
identifies the user while the password is how the user proves that
he’s indeed Luke Boyle. Authentication request will be granted once
those credentials are successfully validated.
The above diagram is an example of where a purpose-built security technology product is used to provide an access control service. The financial strategist tries to access a protected (encrypted) file share. In this instance, however, the resource is only accessible if the subject has previously been issued the right cryptographic key, which is required to unlock (decrypt) the protected (encrypted) file share.
Cryptography is an advanced field of computer security, which is
beyond the scope of this course but from a conceptual standpoint, it
is the bedrock of information confidentiality. Technology solutions
that offer cryptographic services mainly translate plaintext into
gibberish that can’t be understood by anyone not authorized to read
it.
Active Directory (AD) is a special purpose database designed to handle a number of operations[1]. Chief among these operations is the process of controlling users’ access to resources. Access control for objects in AD Domain Services is based on Windows access control models, which enable the system to control the ability of a subject to access a protected object or perform various other tasks[2].
Access privileges for resources in Active Directory Domain Services are usually granted through the use of an access control entry (ACE). An ACE defines access or audit permission on an object for a specific user or group[3].
Lightweight Directory Access Protocol (LDAP) is the protocol used
to query AD for the requested resource/object (workstation or server)
in order to determine its attributes, while Kerberos is the
authentication protocol that allows the user (subject) to access the
workstation or server.
The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection. After a client and server have used Kerberos to prove their identities, they can also encrypt all of their communications to assure privacy and data integrity as they go about their business[4].
Subjects are typically authenticated by access controllers
through the use of one or a combination of the following:
• Something you have – this is typically a hardware token
that generates a random number at regular intervals. It is the
type that is issued by financial institutions to online banking
customers to reduce the risk of electronic fraud. It could also be a
soft token such as an application installed on a smart phone that
generates random numeric characters every time a button is
pushed. Hard and soft tokens pretty much serve the same
purpose.
• Something you are – this is typically a user’s unique
physical characteristics or biometrics such as a fingerprint. It is
typically the most secure because it’s pretty much impossible to
replicate an individual’s unique physical characteristics.
• Something you know – another name for this is
knowledge-based authentication.An example is a password and/
or answer to security questions such as mother’s maiden name
or place of birth.
These slides present examples of “something you have”, “something you are”, and “something you know” authentication modes.
SecurID RSA hard and soft tokens are typically used by
employees to gain remote access to their organization’s network
through a VPN connection. These tokens can also be used by IT
administrators to gain access to critical internal systems through a
remote desktop connection (RDP).
Application Security Technology Solutions
On completion of this section, you will:
• Grasp the fundamental concept of application security
• Understand different types of application security technology solutions
• Be familiar with major vendors of application security products
• Be able to describe core features and functionalities of application security products
Application security is what an organization does to protect its critical data from external and internal threats by ensuring that every piece of software used to run the business is appropriately identified, cataloged and secured[5].
Application security is a broad field within cyber security. Every
organization needs different types of applications, acquired from
multiple sources, to achieve business objectives. The proliferation of
different applications in an enterprise environment therefore
presents an attractive attack surface to the adversary.
Applications are essentially data gatekeepers because once an
application is breached, the backend data becomes highly
susceptible to compromise given that the attacker can then abuse
the trust relationship that exists between the application and the
database.
An application security technology tool otherwise known as code
analysis tool, among other things, helps identify, fix, and prevent
security vulnerabilities in any kind of software application.
Other application security technology products protect
enterprise applications by detecting and preventing attacks that
target the applications. Examples of these are:
• Web application firewall (WAF)
• Email security gateway
• Database security platform (DSP)
Web servers are the most susceptible to attacks because of the
business requirement to have web applications available to service
users on the Internet. Web application firewalls are typically
deployed “in-line” between the client and the protected web server
to detect and block malicious traffic destined for the protected web
server. A WAF compares traffic destined to the protected resource
against expected traffic patterns (or known baselines) and performs
response actions based on preconfigured trigger conditions.
One of the most popular vendor products on the market is Imperva SecureSphere, which automates the process of learning application structure and expected user behavior by profiling protected applications and building a baseline or “white list” of acceptable user behavior[6].
As with most technology solutions on the market today, a WAF
product can be deployed as a physical appliance, virtual appliance, or
in the cloud.
Some cloud service providers also offer WAF as a service. Sitelock Trueshield is one good example of an advanced cloud-based web application firewall[7].
Examples of technology products include:
• Imperva SecureSphere
• Citrix
• Trustwave
• F5
• Fortinet
The next three slides present an example of a legitimate web transaction between a client’s browser and a web application server and describe the behavior of the WAF under such circumstances.
1. The user “Luke Boyle” makes a visit to www.crm.com with
the traffic traversing a WAF for inspection.
2. This traffic, being legitimate, is permitted through the WAF.
3. Access to the requested web resource is subsequently
granted and the user is presented with the login page to
www.crm.com.
4. The user then attempts to log into the web application by
entering his username and password.
5. This expected and legitimate traffic is permitted by the WAF
and the user gains access to the web resource.
These two slides present an example of a malicious web transaction between a client’s browser and a web application server and describe the behavior of the WAF under such circumstances. The first four steps of this communication are exactly the same as in the previous example, but the access request that tries to trick the web application into running malicious commands is detected and blocked by the WAF in step five.
1. The user “Luke Boyle” makes a visit to www.crm.com with
the traffic traversing a WAF for inspection.
2. This traffic, being legitimate, is permitted through the WAF.
3. Access to the requested web resource is subsequently
granted, and the user is presented with the login page to
www.crm.com.
4. Instead of entering his username and password, the user
types SQL commands in the username and password field in an
attempt to conduct a SQL injection attack against the web
application and its database.
5. The WAF identifies the SQL traffic and, since it deviates from
the expected behavior, the request is blocked, and the session is
terminated.
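The “deviates from the expected behavior” decision in step 5 is the positive-security (whitelist) model the SecureSphere description above refers to: the WAF learns what each form field normally looks like and blocks anything outside that profile. Here is an added Python sketch of that idea (not the product’s own logic and not part of the course): a learned profile for the www.crm.com login form, and an inspection function that permits the legitimate login from the previous slides and blocks the request whose fields contain SQL syntax. The field patterns, length limits and sample requests are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class FieldProfile:
    pattern: re.Pattern   # what a "normal" value for this field looks like
    max_length: int       # longest value seen during the learning phase


# Constructed baseline for the login form, as a WAF in learning mode might
# derive it: usernames are e-mail addresses, passwords are printable text
# of bounded length. Nothing in the profile is a list of attack strings.
LOGIN_PROFILE: Dict[str, FieldProfile] = {
    "username": FieldProfile(
        re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$"), 64),
    "password": FieldProfile(re.compile(r"^[^\x00-\x1f]{8,128}$"), 128),
}


def inspect_request(form: Dict[str, str],
                    profile: Dict[str, FieldProfile] = LOGIN_PROFILE
                    ) -> Tuple[str, Optional[str]]:
    """Return ('permit', None) when every field fits the learned profile,
    otherwise ('block', reason). Fields the profile never saw are blocked too."""
    for name, value in form.items():
        spec = profile.get(name)
        if spec is None:
            return "block", f"unexpected field {name!r}"
        if len(value) > spec.max_length:
            return "block", f"field {name!r} longer than learned maximum {spec.max_length}"
        if not spec.pattern.match(value):
            return "block", f"field {name!r} deviates from learned profile"
    for name in profile:
        if name not in form:
            return "block", f"required field {name!r} missing"
    return "permit", None


# Constructed sample requests: the legitimate login from the earlier slides and
# the injection attempt from step 4.
LEGITIMATE_LOGIN = {"username": "lboyle@company.com", "password": "S3cret!pass"}
INJECTION_ATTEMPT = {"username": "' OR 1=1 --", "password": "' OR 1=1 --"}

if __name__ == "__main__":
    print(inspect_request(LEGITIMATE_LOGIN))
    print(inspect_request(INJECTION_ATTEMPT))
```

The trade-off is visible in the password profile: because almost any printable text is a valid password, that field’s baseline cannot be tight, and the request is blocked on the username field instead. This is why the next slide pairs the WAF with a database security platform that looks at the resulting SQL rather than the form input.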
DSP complements WAF by introducing an additional layer of
protection. DSP will block anomalous database commands in the
event that the WAF fails to detect these hostile commands at the web
application layer.
The slide above presents an example of a malicious web transaction and describes the behavior of the DSP under such circumstances.
1. A user enters SQL commands into the username and password fields of the www.crm.com web application in an attempt to perform a SQL injection attack against the web application and its database.
2. Assuming that there is no WAF protecting the web application or that the WAF is inadequately configured, the
3. web application server and gets processed.
4. The DSP protecting the database server identifies the SQL commands in the transaction as abnormal and blocks the request.
The commands entered into the form field of the CRM web application are intended to return all credit card records in the SQL database. However, with a well configured and implemented DSP in place, this sort of malicious command will be blocked while security analysts monitoring the system will be promptly notified to enable them to take appropriate response actions.
Email remains one of the primary delivery mechanisms for malicious software. According to the latest (2017) Verizon Data Breach Investigations Report (DBIR), in which over 65 organizations were surveyed, two out of every three malware installations came via malicious email attachments.
An email security gateway (ESG) protects the email application
against attacks, but unlike other application security technology
solutions, the end-user is the ultimate target because this solution is
essentially stopping malicious emails from getting to the user who
may be lured into opening a malicious attachment thus infecting
their workstation.
The deployment model of an ESG solution can be either appliance-based or cloud-based, but the same threat detection mechanism applies regardless of the mode of deployment. The ESG, using its malware detection engine, tests every email (with or without a malicious attachment) against all conventional security checks, such as matching anti-malware signatures or looking up embedded URLs in known reputation databases.
Zero-day attacks are threats not seen before; therefore, signature-based detection is not effective for this category of attack. Most ESG products on the market today have the ability to detonate suspicious files in a sandboxed environment for in-depth analysis of their behavior, after which a determination is made whether to deliver the email to the intended recipient or block it.
The above diagram shows two examples of emails sent to an
enterprise user by different actors. In the first example, the ESG
analyzes the email and forwards it on to the user after determining it
to be safe. The second example depicts a threat actor whose email is
blocked because it contains a malicious attachment.
A code analysis tool, among other things, helps identify, fix and
prevent security vulnerabilities in any kind of software application.
This application security technology product must be prioritized for
organizations that use a lot of internally developed applications.
Most application vulnerabilities are introduced during the code development stage. A code analysis tool alleviates this problem by providing insight into the types of flaws whilst helping the developers of the application understand what classes of issues are present. The goal is to arm the developers with information to help them make the application's source code more secure, thus helping to increase the quality of an application by reducing its number of vulnerabilities. Using code analysis tools to reduce application vulnerabilities makes it more difficult for a malicious user to exploit them[8].
There are two techniques for code analysis, namely:
• Static
• Dynamic
Static code analysis inspects the static or non-running part of the
source code to identify security vulnerabilities or flaws. Static code
analysis is also referred to as “white-box” testing.
Dynamic code analysis, on the other hand, inspects the software
while it is running by executing data in real-time and by emulating
the actions of a real-world attacker.
Code analysis ensures that software bugs and security flaws are
identified and fixed throughout the software development lifecycle.
Software developers are often pushed to develop new applications or
enhancements quickly. Product release deadlines may force
developers to cut corners and bypass the code analysis phase,
releasing software with functionality flaws and risky security issues.
Identifying and fixing security flaws before an application is
released to production is crucial as it reduces the likelihood of an
adversary finding and exploiting such flaws. Successful exploitation
of an application vulnerability could lead to a data breach for which
remediation efforts could prove costly to the affected organization.
Data Security Technology
Solutions
On completion of this section, you will:
• Understand different types of technology products that can be deployed to secure enterprise data
• Be familiar with data encryption, data leakage prevention (DLP), and digital rights management
(DRM)
• Understand the concepts of “data in use”, “data at rest”, and “data in motion”
• Be familiar with practical use cases of data security technology products in an enterprise environment
Every IT business is driven by data which, in some cases, can
become a valuable target for an adversary. Data security is the act of
protecting data at rest (i.e., stored in a computer hard drive), in
transit (i.e., from an end-user to an e-commerce website), and in use
from unauthorized disclosure or destruction.
Data security is an essential aspect of any organization that is
serious about safeguarding their most valuable data.
There are three (3) main types of data security technology
solutions which will be covered in detail in the next few slides. These
technologies are:
• Encryption and key management
• Data leakage protection (DLP)
• Digital rights management (DRM)
Managing encryption keys can be very daunting because they grow exponentially in an enterprise environment where cryptographic keys and digital certificates are in widespread use. As each encrypted item has its own personal key, the management and protection of thousands of encryption keys within an enterprise become a huge undertaking. Once data is secured through encryption, the encryption keys themselves must be guarded from theft or accidental loss[9]. This is why a centralized key management technology solution is a critical capability for any organization with a business need to protect their critical data.
Encryption and key management go hand in hand. The secrecy
of a cryptographic key is far more important than the complexity of
the encryption algorithm. Without a centralized key management
capability, encryption keys will be stored next to the disk, file, folder,
or database they decrypt therefore if the computer in question is
compromised, so will be the keys.
Encryption causes a plaintext (readable message) to be
transformed into ciphertext (unreadable message) through the
application of an encryption algorithm and cryptographic key.
Decryption causes the opposite effect. When a cipher text is run
through the same encryption algorithm using the same
cryptographic key that was used to encrypt the message, the
resulting output is the original plaintext message.
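The symmetric encrypt/decrypt relationship described here (same algorithm, same key, decryption reverses encryption) is shown in the following added Python example, which is not part of the course. It builds a small authenticated stream cipher from the standard library’s HMAC-SHA256 so that it runs anywhere; this is an illustration of the concept, and a production system would use a vetted cipher such as AES-GCM from a maintained library instead. The sample key and message are constructed; the per-message nonce and the separate encryption and authentication subkeys are design choices explained in the comments.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32

# Constructed 256-bit key for the demonstration. In the key-management terms
# used later in this section, this value is what must be stored away from the
# ciphertext it protects.
SAMPLE_KEY = bytes(range(32))


def _subkey(key: bytes, purpose: bytes) -> bytes:
    """Derive separate keys for keystream generation and authentication so
    the two roles never share key material."""
    return hmac.new(key, purpose, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(enc_key, nonce || counter) blocks concatenated.
    The nonce makes the keystream unique per message even under the same key."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Plaintext -> nonce || ciphertext || tag. XOR with the keystream turns
    readable text into ciphertext; the tag lets the receiver detect tampering."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """The opposite operation with the same key: verify the tag, then XOR the
    same keystream back out of the ciphertext to recover the plaintext."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered ciphertext")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def roundtrip_demo() -> dict:
    """Exercise the three properties a reader should expect: the right key
    recovers the message, a different key does not, and a modified ciphertext
    is rejected rather than silently decrypting to garbage."""
    message = b"Q3 results: revenue up 12%"   # constructed plaintext
    blob = encrypt(SAMPLE_KEY, message)
    results = {"ciphertext_differs": blob[NONCE_LEN:-TAG_LEN] != message,
               "roundtrip_ok": decrypt(SAMPLE_KEY, blob) == message}
    try:
        decrypt(bytes(32), blob)
        results["wrong_key_rejected"] = False
    except ValueError:
        results["wrong_key_rejected"] = True
    tampered = blob[:NONCE_LEN] + bytes([blob[NONCE_LEN] ^ 0x01]) + blob[NONCE_LEN + 1:]
    try:
        decrypt(SAMPLE_KEY, tampered)
        results["tamper_rejected"] = False
    except ValueError:
        results["tamper_rejected"] = True
    return results


if __name__ == "__main__":
    print(roundtrip_demo())
```

Two things the slide’s description leaves implicit are visible in the code: the ciphertext is only as secret as SAMPLE_KEY, and an unauthenticated cipher would happily “decrypt” a modified ciphertext into nonsense, so the integrity tag is part of what makes the scheme usable.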
Data can be protected at rest on a computer’s hard drive by applying full-disk encryption. Data can also be protected while it is being used and stored in memory by applying memory encryption. And lastly, data can be encrypted in transit using certificates.
Encryption is not complete without key management because the secrecy of your key determines the secrecy of your data. Most organizations encrypt data and store the key on the same system where the encrypted data resides. If the system were to get compromised, it would be trivial for an adversary to locate the key and use it to decrypt the data.
A hardware security module (HSM) is a dedicated appliance designed for the protection, management, and processing of cryptographic keys. In order to reduce the risk of data breaches and monitor protection, security controls across networks must be centrally managed using a high-assurance system that protects keys from abuse or theft and reliably distributes them over long periods for only authorized use[10].
Cryptographic key management can also be software-based. In
this implementation, the key management software is installed on
an existing server, which then acts as the HSM. While this helps
reduce the hardware footprint and investment cost, there is an
associated performance cost due to latency in the cryptographic
processes. This can present a different kind of problem in any
organization where the objective is to minimize the latency
introduced by cryptography. HSMs have an obvious advantage over their software counterpart in that they are designed to optimize the efficiency of cryptographic processing. Compared to software running on general-purpose servers, HSMs will accelerate processing, an outcome of being purpose-built[11].
Data leakage prevention (DLP) technology solution prevents
misuse, theft, and abuse of sensitive or regulated data within an
enterprise environment. There are various reasons why an
organization will want to protect its high-value data (such as
unpublished financial performance reports, market research data, or
strategic information relating to merger and acquisition activities). A
single data leakage event may spell the end of a project that has cost
several million dollars or cause the loss of competitive advantage,
therefore preventing leakage of business critical data is an essential
business requirement.
Fundamentally, every DLP solution must be able to[12]:
• Locate and catalog sensitive information stored throughout
the enterprise
• Monitor and control the movement of sensitive information
across enterprise networks
• Monitor and control the movement of sensitive information
on end-user systems
These three (3) core functionalities are aligned with the different states in which data may exist in its lifecycle. These states are:
Data at rest – the DLP solution must be able to scan the network
to identify different file types and their names where they are located
on the network. Upon discovery, contents of the files must be
analyzed and, depending on DLP policy settings, information about
files of interest will be collected and communicated to the security
engineer for further actions.
Data in transit – this is also referred to as data in motion. The DLP tool must be capable of passively monitoring network traffic for suspicious data leakage events through network leakage channels (such as email, online storage systems, and webmail). If sensitive data are detected flowing to an unauthorized destination, the DLP solution should have the capability to alert and optionally block the data flows in real or near real time, based on the rule set defined within its central management console[13].
Data in use – from a leakage prevention standpoint, this is the
hardest category of data to protect because the fact that the user
already has it opened means they can already see the content. If the
information interests the user, then there are different means by
which it can be misused. The easiest and most common way is by
copying the data onto a USB thumb drive. Other ways include
copying and pasting the data into another application, attaching it to
an email, sending to the printer, or using a smartphone to take
pictures of the pages of interest—all but one (phone photos) leakage
methods can be prevented with the use of a DLP endpoint agent.
Another simple way to reduce the risk of leakage of data in use is
by developing and applying a policy that controls the use of personal
mobile storage devices on company owned computers across the
enterprise. A technical control must be implemented to enforce this
policy. One way of doing this is by disabling the USB ports of
enterprise workstations unless the flash drive in use is an enterprise
approved one obtainable from the IT department.
Bear in mind that the leakage path depicted here is one of many
possible leakage channels though. Another insider threat actor may
choose to use a USB flash drive to copy the data or send the files as
email attachments from corporate email application (such as
Microsoft Outlook) to a personal webmail inbox (e.g., Gmail or
Yahoo!). Every enterprise grade DLP solution will be capable of
addressing these use cases as well.
The scenario in this slide is representative of how a DLP tool can prevent theft of a company’s intellectual property by an insider threat actor. Consider that the employee is leaving this organization to go work for a competitor who will benefit from learning about the market research data and future plans of their current employer (hopefully no competitor hires anyone for this purpose!).
The DLP tool intervenes when this employee attempts to upload these classified files to an online storage service by blocking the data leakage attempt and sending an alert to security operations center analysts for proper investigation.
In order to get a great return on security investment (ROSI), the
DLP tool must be optimally configured and constantly tuned to
reduce the number of false positive alerts. A false positive alert
creates an incident where there isn't one by notifying the security
analyst of an ongoing incident when in fact the event is benign. A
false positive happens when the detected event merely resembles an
unwanted event defined by the DLP policy.
Below is an example of how a false positive alert could unfold:
1. The DLP tool is configured to send an alert when any document
that contains an IP address such as 210.23.34.200 is detected in
transit.
2. A user attempts to email a file that contains the phone
number 210.498.2327.
3. The DLP tool flags it as a data leakage attempt, blocks the
email and notifies the security analyst.
This lose-lose situation is an example of how security activities can
get in the way of the business through a negative user experience;
therefore it is extremely important for cyber security practitioners to
ensure that incidents like this are reduced to the very minimum. This
can only be achieved through continuous tuning and capability
improvement.
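As an added example (not part of the course material), the false positive above reproduced in Python: a loosely written IP-address rule fires on the phone number, a tuned rule does not, and a second tuning step limits alerts to the organization's own address space. The documents, the internal range and the rules are all constructed for illustration.

```python
"""Constructed example (not the course's own code): why a loosely written DLP
rule for IPv4 addresses fires on the phone number 210.498.2327, and how a
tuned rule keeps the true positive while dropping the false positives.
Documents and address ranges below are made up."""
import ipaddress
import re

# Naive rule: "three or more digit groups separated by dots". This is the kind
# of pattern that makes a phone number or a build number look like an address.
NAIVE_IPV4 = re.compile(r"\d+(?:\.\d+){2,}")

# Tuned rule: exactly four octets in 0-255, not glued to further digits or
# dotted digits on either side, so 10.2.3.1000 does not match while an
# address that ends a sentence ("...200.") still does.
_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
STRICT_IPV4 = re.compile(rf"(?<!\d)(?<!\d\.){_OCTET}(?:\.{_OCTET}){{3}}(?!\.?\d)")

# Second tuning step: only the organisation's own address space is sensitive
# (constructed range, chosen so that 210.23.34.200 falls inside it).
INTERNAL_RANGES = [ipaddress.ip_network("210.23.0.0/16")]


def find_ipv4(text, strict=True):
    """Every token the chosen rule would report as an IPv4 address."""
    return (STRICT_IPV4 if strict else NAIVE_IPV4).findall(text)


def in_scope(token):
    """True only for syntactically valid addresses inside INTERNAL_RANGES."""
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_RANGES)


def dlp_verdict(text, strict=True, scoped=False):
    """Block the document if the rule (optionally scoped to internal ranges) hits."""
    hits = find_ipv4(text, strict)
    if scoped:
        hits = [h for h in hits if in_scope(h)]
    return {"action": "block" if hits else "allow", "matches": hits}


# Constructed outbound e-mail attachments; only network-diagram.txt is sensitive.
SAMPLE_DOCS = {
    "sales-contract.docx": "Please confirm at 210.498.2327 before Friday.",
    "network-diagram.txt": "Core router mgmt interface: 210.23.34.200.",
    "release-notes.txt": "Upgraded the agent to build 10.2.3.1000 last week.",
    "partner-notes.txt": "Their public DNS resolver is 198.51.100.53.",
}
SENSITIVE = {"network-diagram.txt"}


def false_positives(docs, strict, scoped=False):
    """Documents the policy blocks that are not actually sensitive."""
    return sorted(name for name, text in docs.items()
                  if dlp_verdict(text, strict, scoped)["action"] == "block"
                  and name not in SENSITIVE)


def false_negatives(docs, strict, scoped=False):
    """Sensitive documents the policy lets through."""
    return sorted(name for name in SENSITIVE
                  if dlp_verdict(docs[name], strict, scoped)["action"] != "block")


if __name__ == "__main__":
    for label, strict, scoped in (("naive", False, False),
                                  ("strict", True, False),
                                  ("strict+scoped", True, True)):
        print(f"{label:14} false positives: {false_positives(SAMPLE_DOCS, strict, scoped)}"
              f"  false negatives: {false_negatives(SAMPLE_DOCS, strict, scoped)}")
```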
Digital or information rights management (DRM or IRM) is
another defense-in-depth layer that takes data security to the next
level. Where sensitive data evades data leakage security controls,
DRM steps in by providing persistent protection wherever the data
goes. Data owners can use a DRM server to develop and assign file
access policies to business critical data to ensure that they’re
adequately protected against unauthorized use throughout their
lifecycle. In order for any user to open a protected file, a connection
will have to be established with a DRM server located inside the
perimeter of the organization that owns the data, and the user will
have to prove that they have been authorized to view, print, or make
changes to the file by providing their authentication credentials.
OpenText, one of the leaders in the DRM market space,
summarizes some of the capabilities of an enterprise DRM solution
as follows:[14]
Protection against any form of distribution: Lock files against
unauthorized access, whether those files are distributed manually
(via USB drive or CD), sent via email, or downloaded inappropriately.
Prevent unauthorized users from opening or forwarding email
attachments.
Protect all file types: Add digital rights management to content
produced in Microsoft Office applications as well as virtually all other
file formats, including PDF, HTML, CAD, image files, ZIP, archives, and
more.
Apply rights management to existing and new content: Add
rights management to an OpenText repository to further protect
existing content, and set policies to protect new files as they’re stored
in the repository.
Protect content on BlackBerry: Allow only authorized users to
open and view protected content on their BlackBerry smartphones.
Comply with government and industry requirements:
Demonstrate compliance with information security standards such as
U.S. Sarbanes-Oxley Act, Health Insurance Portability and
Accountability Act (HIPAA), and similar regulations around the world.
The slide above represents an example of where DRM is used to
protect confidential files:
1. An employee needs to share a confidential document with a
business partner. The employee uploads the file to the DRM
server and creates an access policy that allows the business
partner to access the document.
2. The employee defines the appropriate access permissions
(i.e., view, download, print, etc.) for the confidential document
before sharing it with the business partner.
3. The DRM protected file is shared with the business partner,
typically via e-mail.
4. The recipient of the DRM protected file attempts to open it,
but s/he is automatically redirected to the organization's DRM
server and asked to authenticate.
5. An adversary will only be able to access the contents of the
file if s/he has the correct authentication credentials.
6. The owner of the file can revoke access to the file at any
time.
Persistent protection follows business critical data that is
deliberately or inadvertently moved outside of an enterprise
environment. Configurable usage rights include view, e-mail, print,
forward, and so forth.
Apart from encryption solutions, not many security technology
products protect an organization’s intellectual property beyond its
network perimeter. Once the data escapes the network, it’s typically
game over, but this is not the case with DRM/IRM thus making it a
highly critical technology capability for an organization that relies
heavily on its trade secrets (e.g., patents, inventions, formulas,
software code, designs, research data, etc.).
As shown in this image, protection follows the data wherever it
goes. It can only be accessed if there is an established network path
to the DRM server, and the user needs to be successfully
authenticated.
Host Security Technology Solutions
On completion of this section, you will:
• Understand different types of host security technology products
• Be familiar with the features and functionalities of antivirus, application whitelisting, next generation
endpoint security, full disk encryption, and file integrity monitor
• Understand how different host security products complement one another
• Be familiar with the practical use cases of host security technology products in an enterprise
environment
Hosts are the containers for what the attacker wants, therefore
they will always remain the attacker’s target until such a time as
anyone figures out where else to keep digital data or run
applications from. Attackers follow the money, which in this case is
the data. Given the need to adequately protect enterprise hosts
against cyber attacks, a good number of host security solutions
continue to appear on the security technology market. As attackers
figure out new attack tactics and techniques, the security technology
industry helps enterprise defenders respond by designing solutions
that combat the new security problems created by the bad guys.
In this section, we are only going to cover some of the most
popular host security solutions. These are as follows:
• Antivirus (traditional signature-based such as McAfee)
• Application whitelisting
• Next generation endpoint security (NGES)
• File integrity monitor (FIM)
• Full disk encryption (FDE)
• Third party application software agent
Historically, firewalls and antivirus were the most popular
security solutions. Given this fact, there have been a lot of
misconceptions amongst those with limited knowledge of cyber
security. In today's cyber threat landscape, attackers have figured out
a way to bypass firewalls with relative ease by coming in through the
front doors. Most firewalls allow outbound web traffic (TCP ports 80
and 443) because users must be able to surf the web; attackers have
therefore figured out a way to use this same path to launch their
attacks.
Similarly, some users still believe that once an antivirus (AV)
solution is installed on their computer and its virus definition
database is up to date, then such a computer is immune to any
type of attack. Nothing could be further from the truth.
Today’s attackers have changed the game by figuring out
different evasion techniques. In 2015, Christopher Kruegel, chief
scientist at Lastline Inc., wrote that evasive malware behavior was up
2000% compared to 2014. This new malware bypassed traditional
firewalls, security gateways and sandboxes causing organizations to
struggle as cybercriminals design sophisticated and stealthy
malware to loop, cloak itself, and morph to evade detection.[15]
Low-level details of malware evasion techniques are beyond the
scope of this course but be sure to refer to the presentation that Chris
gave at the RSA conference in 2015. A copy of this presentation is
included as part of your study materials.
In spite of the available malware evasion techniques, antivirus
solutions are still very relevant and should be installed on every host
running within an enterprise environment. Because AV is a reactive
technology, it leaves a malware gap; this is where other
complementary host security technologies come in.
Antivirus vendors react to instances of malware attack by analyzing
the malware and understanding how it works before developing
detection signatures for it, meaning that some hosts (the first hit,
otherwise known as patient zero) must be compromised before other
hosts running a particular AV software can be protected.
The deployment model in enterprise environments is agent-to-
server. The antivirus agents are pushed out to protected hosts from a
central management server, which is essentially the command and
control station. Software updates and virus database updates are
pushed out to managed hosts from this central server, while the
managed hosts also send information about detected threats back to
the AV server.
Antivirus solutions typically use two detection mechanisms,
namely:
• Signature-based detection
• Heuristic detection
In the case of signature-based detection, when a protected
computer comes in contact with any file or program, it computes a
cryptographic hash of the file/program and checks it against its
database of known malware hashes. When there is a match, a virus
alert is displayed to the user and also sent to the AV server.
On the other hand, heuristically detected malware is
essentially a file/program suspected to be malicious based on its
behavior. Here, the antivirus software analyzes the file/program to
determine whether it performs actions attributable to malicious
software, such as executing scripts, installing a program, or
downloading additional programs that the user has not approved.
The second slide on this page lists the most popular vendors in
the AV industry.
Application whitelisting is a very effective host protection
(malware prevention) technique, but it remains a maturing field
because of the complexity involved in its deployment. Unlike
security technologies such as antivirus software, which block known
bad activity and permit all other, application whitelisting
technologies are designed to permit known good activity and block
all other.[16] The challenges associated with effective design and
implementation of whitelisting technology stem from the fact that
most organizations can hardly tell unauthorized from authorized
applications in their IT environment.
Additionally, there is a high probability of greatly impacting end-
user productivity where whitelisting applications are deployed,
therefore those thinking of using this solution must proceed with
caution.
There are two major operational modes of most AW (application
whitelisting) technologies:
• Audit mode – allows execution of all items (whitelisted or
not) and logs their execution.
• Enforcement mode – permits execution of only whitelisted
applications and blocks everything else.
An application whitelisting technology running in monitor (or
audit) mode is merely learning and logging events relating to how
applications are being used. It is not configured to stop an
application that has not been whitelisted from executing, but can
report the event to the whitelisting server. This is the best mode of
deployment for organizations that plan to establish a baseline of
trusted applications within their environment without running the
risk of impacting business productivity.
An application whitelisting solution deployed in enforcement
mode will only allow whitelisted applications to run whilst blocking
unauthorized ones. This deployment mode is not very common
within enterprise environments but organizations with near accurate
and up-to-date baseline (or inventory) of authorized applications,
developed over a period of time, will benefit greatly from using the
whitelisting solution in this mode—this is when true return on
security investment can be derived.
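As an added example (not the course's own code), the two philosophies contrasted earlier (AV blocks known bad and permits everything else; whitelisting permits known good and blocks everything else) and the audit-then-enforce rollout described above, simulated in Python. The executables, hashes, paths and the approval step are all constructed.

```python
"""Constructed example (not the course's own code): an antivirus-style denylist
("block known bad, permit all other") beside an application whitelisting (AW)
allowlist ("permit known good, block all other"), with the AW agent run first
in audit mode to learn a baseline and then in enforcement mode."""
import hashlib


def sha256(image):
    """Hash of an executable's bytes; both lists are keyed on this value."""
    return hashlib.sha256(image).hexdigest()


# Constructed stand-ins for executables; a real agent hashes the files on disk.
BINARIES = {
    r"C:\Windows\System32\notepad.exe": b"NOTEPAD-IMAGE-v1",
    r"C:\Program Files\ERP\erpclient.exe": b"ERP-CLIENT-IMAGE-v7",
    r"C:\Users\user1\Downloads\invoice_viewer.exe": b"UNKNOWN-DROPPER-IMAGE",
    r"C:\Users\user1\Downloads\cheapgames.exe": b"KNOWN-BAD-SAMPLE-0001",
}
# What the administrator approves after reviewing the audit log (constructed).
APPROVED_PATHS = {
    r"C:\Windows\System32\notepad.exe",
    r"C:\Program Files\ERP\erpclient.exe",
}

# AV signature database: hashes of malware the vendor has already analysed.
AV_SIGNATURES = {sha256(b"KNOWN-BAD-SAMPLE-0001")}


def av_decision(image):
    """Denylist logic: anything without a signature match is allowed to run,
    which is the gap an as-yet-unseen sample slips through."""
    return "block" if sha256(image) in AV_SIGNATURES else "allow"


def aw_decision(path, image, mode, allowlist, audit_log):
    """Allowlist logic. Audit mode lets everything run but records unknown
    binaries (this is how the baseline is learned); enforcement mode blocks
    anything that is not on the list."""
    digest = sha256(image)
    if digest in allowlist:
        return "allow"
    if mode == "audit":
        audit_log.append({"path": path, "sha256": digest})
        return "allow"
    if mode == "enforce":
        return "block"
    raise ValueError("unknown AW mode: " + mode)


def run_fleet(mode, allowlist):
    """Evaluate every constructed binary under AV and under AW in `mode`."""
    audit_log, results = [], {}
    for path, image in BINARIES.items():
        results[path] = {"av": av_decision(image),
                         "aw": aw_decision(path, image, mode, allowlist, audit_log)}
    return results, audit_log


def promote_reviewed(audit_log, allowlist, approved_paths):
    """After the audit period an administrator reviews what actually ran and
    approves the legitimate entries; only those join the enforcement list."""
    return allowlist | {e["sha256"] for e in audit_log if e["path"] in approved_paths}


if __name__ == "__main__":
    _, learned = run_fleet("audit", set())            # nothing is blocked yet
    baseline = promote_reviewed(learned, set(), APPROVED_PATHS)
    for path, verdict in run_fleet("enforce", baseline)[0].items():
        print(f"AV={verdict['av']:5}  AW={verdict['aw']:5}  {path}")
```

In enforcement mode both downloads are stopped by the allowlist even though the AV signature database recognises only one of them.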
A next generation endpoint security solution (or platform) is a
response to the malware gap left by antivirus technology. This
family of products offers protection against zero-day (previously
unseen) threats by analyzing the malware and its behavioral
characteristics. All digital elements (e.g., binaries, process activity,
network connectivity, and configuration changes) involved in
compromising a computer are continuously monitored, and action is
taken when required.
Effective protection against modern, sophisticated threats
requires a revolutionary threat detection mechanism that analyzes,
blocks, and remediates identified threats. The ability to see what
is running on an endpoint, and how every application or process is
behaving was the biggest missing piece in solving the malware
problem, and this is core functionality of a next generation endpoint
security platform.[17]
This solution thrives on the quality of threat intelligence
available to the vendor, who typically has numerous sensors
deployed at various points on the Internet to collect it. This
intelligence is then fed to the NGES analytics engine, which is the
command and control station for managed endpoints. The
deployment model is very similar to AV's in that agents are deployed
onto managed devices that are then controlled from a centralized
NGES analytics platform.
A file integrity monitoring (FIM) technology product monitors,
detects, and alerts on changes to critical database, application, and
operating system files.
A file integrity solution works by computing cryptographic hashes
of the files to be protected. This creates a baseline of known hashes,
and any change to a hash value must be investigated. The most
efficient way to do this is to ensure that a security incident ticket is
raised for every detected change for which there is no change record.
This has the secondary benefit of curbing the bad practice of
unauthorized changes within an organization.
In the example on the first slide, a user logs on to a computer
system that has a FIM agent installed to monitor some files against
unauthorized changes. One of those files is "Config.txt", saved on
the desktop. The file contains the configuration settings for a Cisco
ASA firewall. Upon accessing this file, the user changes the password
setting in the configuration and saves it. This is enough to cause an
alert to be sent to the FIM manager because the cryptographic hash
must have changed. If this is not an authorized change, then the
security analyst must assume that it is a security incident, raise an
incident ticket, and follow their documented response process.
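As an added example (not the course's own code), the Config.txt scenario above in Python: take a SHA-256 baseline of monitored files, detect the change, and decide whether it is an incident by checking for a change record. The directory, the configuration text (with placeholder password values) and the change ticket number are constructed.

```python
"""Constructed example (not the course's own code): a minimal file integrity
monitor that baselines SHA-256 hashes, detects changes, and classifies each
change as authorized (a change record exists) or as a security incident."""
import hashlib
import os
import tempfile


def file_hash(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_baseline(paths):
    """Known-good hash for every monitored file."""
    return {p: file_hash(p) for p in paths}


def check_integrity(baseline, change_records):
    """Compare current hashes to the baseline. change_records maps a file path
    to an approved change ticket; a changed file without one is an incident."""
    alerts = []
    for path, known in baseline.items():
        if not os.path.exists(path):
            status, current = "deleted", ""
        else:
            current = file_hash(path)
            if current == known:
                continue                      # unchanged, nothing to report
            status = "modified"
        ticket = change_records.get(path)
        alerts.append({
            "file": os.path.basename(path),
            "status": status,
            "disposition": f"authorized ({ticket})" if ticket else "incident",
            "old_hash": known[:12],
            "new_hash": current[:12],
        })
    return alerts


# Constructed ASA-style configuration text; the password values are placeholders.
ASA_CONFIG = "hostname asa-edge\nenable password PLACEHOLDER-OLD encrypted\n"


def run_scenario():
    """Monitor Config.txt and hosts.txt; change the password line in Config.txt
    with no change record, and append to hosts.txt under ticket CHG-0042."""
    with tempfile.TemporaryDirectory() as workdir:
        cfg = os.path.join(workdir, "Config.txt")
        hosts = os.path.join(workdir, "hosts.txt")
        with open(cfg, "w") as f:
            f.write(ASA_CONFIG)
        with open(hosts, "w") as f:
            f.write("10.0.0.1 asa-edge\n")
        baseline = take_baseline([cfg, hosts])

        # The user edits the password setting and saves: the hash changes.
        with open(cfg, "w") as f:
            f.write(ASA_CONFIG.replace("PLACEHOLDER-OLD", "PLACEHOLDER-NEW"))
        # A scheduled, ticketed change to the second file.
        with open(hosts, "a") as f:
            f.write("10.0.0.2 asa-edge-2\n")

        return check_integrity(baseline, {hosts: "CHG-0042"})


if __name__ == "__main__":
    for alert in run_scenario():
        print(alert)
```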
A full disk encryption solution protects the host by encrypting its
entire hard drive content while it is not operational. To decrypt the
hard drive, the user needs to supply a valid password. This is more
asset protection against theft than endpoint protection because the
solution only becomes useful whenever the protected device is lost
or stolen — provided it is in a shut down state when lost or stolen.
To decrypt the hard drive, the user must supply the decryption
password during the boot-up process.
If the supplied password is correct, the computer will proceed to
decrypt the hard drive.
On enterprise hosts, non-Microsoft applications are referred to as
third-party applications. These third-party applications widen a host's
attack surface because of how difficult they are to patch compared to
Microsoft's applications. Microsoft addresses vulnerabilities in its
applications and operating systems by releasing security updates on
the 2nd Tuesday of every month (Patch Tuesday). These updates are
then pushed out to enterprise Windows computers from Microsoft's
System Center Configuration Manager (SCCM).
Conversely, patching third-party applications is cumbersome
because Microsoft does not track vulnerabilities in those
applications.
This is why a software agent is required on hosts (mostly
workstations) that scans for installed third-party applications and
reports back to its central management server, which could be on-
premise or in the cloud.
Vulnerabilities in any application present attackers with the
opportunity to gain unauthorized access, therefore a third-party
application management capability is a crucial layer of defense.
In the example on the first slide, a third-party application agent
is running on a managed enterprise computer. The computer is also
running an outdated version of Adobe Reader and Java, for which
exploitable vulnerabilities have been recently reported. Upon
discovery of the vulnerable applications, the third-party application
agent sends an alert to the central management server. The central
management server could take one of two actions:
• Remotely patch the vulnerable applications
• Send an alert to a system administrator to perform a manual
update
Network Security Technology Solutions
On completion of this section, you will:
• Understand different types of technology products that can be deployed to secure an enterprise
network
• Be familiar with the core features and functionalities of traditional network firewalls, intrusion
prevention systems (IPS), web security gateways (WSG), and network access control (NAC)
• Understand the practical use cases of network security technology products in an enterprise
environment
Traditionally, networks were only secured by firewalls. However,
evolution in attack vectors has brought about de-perimeterization.
In the past, a perimeter firewall had the answer to almost every
security problem because only the ports required for legitimate
business reasons were opened. Examples of such ports are
80 (HTTP) and 443 (HTTPS). In today's threat landscape, however,
once a user makes an HTTP request to any compromised web server,
that user's workstation becomes highly susceptible to attack.
A traditional network perimeter consists of one or more points of
entry into an organization's internal network. The point of entry is
typically located at a data center and provides internal users access to
the Internet, as well as allowing external users to access an
organization's external-facing servers (e.g., an e-commerce website).
However, as time went on, the attackers figured out a way to use
these same open ports as an attack vehicle, thus pushing the perimeter
to the host attached to the network—in essence, removing the
boundary between the internal network and the outside world. This
is what's referred to as de-perimeterization, which then means that
organizations must have a response to this problem: a de-
perimeterization strategy or defense-in-depth strategy.
Network firewalls are one of many network security technology
solutions. The following solutions will also be discussed in the next
few slides:
• Intrusion Prevention System (IPS)
• Network Access Control (NAC)
• Web Security Gateway (WSG)
A network firewall is a physical appliance installed on the
network to protect digital resources based on specific business
requirements. These business requirements translate to a set of rules
or an access control list (ACL) configured to:
• Permit authorized access, or
• Deny unauthorized access to the protected resource.
Every ACL must include the following attributes:
• Source IP address of the system requiring access to a
protected resource; or source IP address of the protected
resource requiring access to a non-protected resource.
• Destination IP address of the protected resource to which
access is being requested; or destination IP address of the non-
protected system to which a protected resource needs access.
• Communication protocol (e.g., UDP, TCP, ICMP, IP)
• Destination port(s) or service(s) (e.g., 22, 80, 443, etc.)
• Action that the firewall must take on the network traffic that
matches the attributes in an ACL (i.e., permit or deny)
Network firewalls create network segments or security zones.
Each security zone has a trust level that is derived from the criticality
of the systems assigned to the zone.
Traffic flow between two zones of different trust levels is
permitted or denied in accordance with business requirements.
The security label attached to a network segment—protected by a
firewall—is a function of the criticality of the systems placed within
that network segment.
Generally, there are three (3) security zones in an enterprise
environment. These are:
• The Internet zone – this is the untrusted zone. It is outside
of the perimeter (or edge) firewall, therefore services running in
this environment are treated as hostile by default.
• The demilitarized zone (popularly known as DMZ) – this
is the semi-trust or low-trust zone. It is the buffer between the
outside world and the internal network. Services which must be
available to the outside world (such as email, web service, etc.)
run out of this zone.
• The internal zone – this is the trusted zone where end-user
computers and enterprise servers are situated. Traffic in and out
of this zone is highly controlled in comparison to the DMZ.
This is only a high-level/simplistic view of the enterprise
network. Organizations who are serious about securing their critical
assets will break the internal zone further (using internal firewalls)
into different segments depending on the breach tolerance of the
information systems being protected.
For network segmentation to be an effective security control,
firewalls must be configured in such a way as to allow traffic flows
between systems in adjacent zones only. In the example presented
in the slide, the Internet zone is allowed to communicate with
systems in the low-trust security zone. Similarly, systems in the low-
and medium-trust zones are able to communicate with systems
in the medium- and high-trust zones respectively. Conversely,
the Internet and low-trust zones are not allowed to communicate
with systems inside the medium- and high-trust security zones
respectively. The idea behind this concept is to reduce the attack
surface of digital assets placed in high-trust security zones.
The slide above presents an example of a typical network
communication traversing a firewall.
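As an added example (not the course's own material), the adjacency rule and the five-attribute ACL described above evaluated in Python. The zone address ranges, trust levels, rules and test addresses are constructed; the assumption that traffic staying inside one zone never reaches the firewall is mine, not the course's.

```python
"""Constructed example (not the course's own code): first-match ACL evaluation
behind a zone-adjacency check, so traffic can only cross between zones whose
trust levels differ by exactly one. Zones, ranges and rules are made up."""
import ipaddress

# Zone name -> (network, trust level). Trust runs from 0 (Internet) to 3 (most
# critical). 0.0.0.0/0 is "everything else", resolved by longest-prefix match.
ZONES = {
    "internet": (ipaddress.ip_network("0.0.0.0/0"), 0),
    "low":      (ipaddress.ip_network("10.10.0.0/16"), 1),   # DMZ
    "medium":   (ipaddress.ip_network("10.20.0.0/16"), 2),   # internal users/apps
    "high":     (ipaddress.ip_network("10.30.0.0/16"), 3),   # databases
}

# ACL in the five-attribute form: source, destination, protocol, port, action.
# Anything not matched falls through to the implicit deny.
ACL = [
    {"src": "0.0.0.0/0",    "dst": "10.10.0.0/16", "proto": "tcp", "dport": 443,  "action": "permit"},
    {"src": "10.10.0.0/16", "dst": "10.20.0.0/16", "proto": "tcp", "dport": 8443, "action": "permit"},
    {"src": "10.20.0.0/16", "dst": "10.30.0.0/16", "proto": "tcp", "dport": 5432, "action": "permit"},
]


def zone_of(ip):
    """Longest-prefix match so that 10.x hosts land in their zone, not 'internet'."""
    addr = ipaddress.ip_address(ip)
    matches = [name for name, (net, _) in ZONES.items() if addr in net]
    return max(matches, key=lambda name: ZONES[name][0].prefixlen)


def evaluate(src_ip, dst_ip, proto, dport):
    """Return (action, reason). Adjacency is checked before the ACL, so a rule
    written by mistake across non-adjacent zones can never take effect."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    gap = abs(ZONES[src_zone][1] - ZONES[dst_zone][1])
    if gap == 0:
        # Assumption for this example: intra-zone traffic does not cross the firewall.
        return "permit", f"intra-zone traffic ({src_zone}) does not traverse the firewall"
    if gap > 1:
        return "deny", f"{src_zone} and {dst_zone} are not adjacent zones"
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for number, rule in enumerate(ACL, start=1):
        if (src in ipaddress.ip_network(rule["src"])
                and dst in ipaddress.ip_network(rule["dst"])
                and proto == rule["proto"] and dport == rule["dport"]):
            return rule["action"], f"matched ACL rule {number}"
    return "deny", "implicit deny (no matching rule)"


if __name__ == "__main__":
    # Constructed flows: the first is the slide's Internet-to-DMZ web request,
    # the second an Internet host trying to reach the database zone directly.
    for flow in (("203.0.113.5", "10.10.1.20", "tcp", 443),
                 ("203.0.113.5", "10.30.1.5", "tcp", 5432),
                 ("10.10.1.20", "10.20.1.5", "tcp", 8443),
                 ("10.10.1.20", "10.20.1.5", "tcp", 22)):
        print(flow, "->", evaluate(*flow))
```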
Here are some of the most popular firewall technology vendors:
• Cisco
• Checkpoint
• Palo Alto
• Juniper
• Fortinet
• SonicWall
Although there are tough challengers, Cisco remains the market
leader in the network security technology space with about 35%
share of the firewall technology market. Checkpoint and Palo Alto
come in 2nd and 3rd places respectively while Juniper, Fortinet, and
SonicWall are other popular products.
Intrusion prevention is the act of preventing network-based
attacks that evade firewall security controls. This family of products
comes either as a software or a hardware appliance. The deployment
mode is typically one of:
• Passive/monitor mode
• Active/blocking mode
When deployed in passive/monitor mode, it is known as an
Intrusion Detection System (IDS). In this mode, when attack traffic is
detected, the only action taken by this tool is to log the incident and
send an alert to the security analyst.
This is essentially a “safe” operational mode because, in the
event of a mis-detection (or false positive), legitimate business
productivity traffic would not be blocked. On the flip side, if a worm is
rapidly infiltrating the network, this tool will be of little value to the
organization as it would be powerless to stop the worm while
operating in “detect only” mode.
When deployed in active/blocking mode, the device acts as an
Intrusion Prevention System (IPS). In this mode, the IPS is placed “in-
line” typically between an organization’s internal network and the
perimeter or Internet firewall. The disadvantage of this mode is that
the IPS could potentially block legitimate business traffic when
inaccurate detection occurs. On the other hand, this tool would be
very effective in stopping a worm outbreak before it attempts to
spread to internal systems.
The scenario on the first slide shows a good example of where an
IPS provides business value by stopping an attack. The host in the
diagram appears to have been compromised because it beacons out
to an external host at regular intervals—this is indicative of
command and control communication (a late phase of the attack
kill chain). The IPS is aware of this behavior and so blocks the traffic,
thus (potentially) terminating an attacker's connection to the internal
network.
As mentioned earlier, the major disadvantage of an IPS is the
possibility of blocking legitimate business traffic when an event
suspected to be malicious is actually benign. This is reflected in the
second example where an internal user attempts to send log files to
an external third party for troubleshooting purposes. The internal
computer makes an outbound FTP connection to an external party,
the IPS sees the traffic, suspects it’s malicious, and blocks it. The user
continues to try, but the connection attempts keep getting blocked.
This undoubtedly would lead to frustration and productivity loss
among other things.
Before deploying an IPS in blocking mode, security teams
should make absolutely certain that they, at least, have a good
understanding of traffic patterns in their environment, as well as
good knowledge of legitimate business applications. There will be
some “misses” but those should be in exceptional circumstances
alone.
IPSs use different detection mechanisms, but the most popular
amongst those are:
• Signature-based
• Statistical anomaly
Signature-based detection in IPS works in the same way as it
does in an anti-virus solution. The IPS vendors regularly release
signature updates, which are then deployed onto the IPS platform
within the enterprise. With an up-to-date signature database, the IPS
can detect and block known threats.
Statistical anomaly detection, on the other hand, is a type of
behavioral-based detection mechanism where an alert is fired when
the IPS notices deviation from normal network traffic pattern.
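As an added example (not the course's own code), statistical anomaly detection applied to the beaconing behaviour from the earlier IPS scenario: connections from one internal host to one external address at near-constant intervals stand out against ordinary browsing. The connection log, addresses and thresholds are constructed; a real IPS would act on such a finding rather than just report it.

```python
"""Constructed example (not the course's own code): flag (src, dst, port)
groups whose inter-arrival times barely vary, the statistical signature of
a host beaconing to a command and control server. All data is made up."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed connection log: timestamp src dst dport proto bytes.
# 10.20.1.15 contacts 198.51.100.7 roughly every 60 s with near-identical sizes;
# 10.20.1.22 is a user browsing a site with irregular timing and sizes.
LOG = """\
2024-03-01T10:00:00Z 10.20.1.15 198.51.100.7 443 tcp 312
2024-03-01T10:01:01Z 10.20.1.15 198.51.100.7 443 tcp 310
2024-03-01T10:02:00Z 10.20.1.15 198.51.100.7 443 tcp 315
2024-03-01T10:02:59Z 10.20.1.15 198.51.100.7 443 tcp 311
2024-03-01T10:04:00Z 10.20.1.15 198.51.100.7 443 tcp 312
2024-03-01T10:05:01Z 10.20.1.15 198.51.100.7 443 tcp 309
2024-03-01T10:06:00Z 10.20.1.15 198.51.100.7 443 tcp 314
2024-03-01T10:07:00Z 10.20.1.15 198.51.100.7 443 tcp 312
2024-03-01T10:00:12Z 10.20.1.22 203.0.113.40 443 tcp 58210
2024-03-01T10:00:15Z 10.20.1.22 203.0.113.40 443 tcp 1204
2024-03-01T10:03:47Z 10.20.1.22 203.0.113.40 443 tcp 87733
2024-03-01T10:04:02Z 10.20.1.22 203.0.113.40 443 tcp 2210
2024-03-01T10:09:30Z 10.20.1.22 203.0.113.40 443 tcp 41005
2024-03-01T10:09:31Z 10.20.1.22 203.0.113.40 443 tcp 3300
2024-03-01T10:10:15Z 10.20.1.22 203.0.113.40 443 tcp 900
2024-03-01T10:11:58Z 10.20.1.22 203.0.113.40 443 tcp 9000
"""


def parse(log):
    """Turn the space-separated log into records with real timestamps."""
    records = []
    for line in log.strip().splitlines():
        ts, src, dst, dport, proto, nbytes = line.split()
        records.append({
            "t": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "bytes": int(nbytes),
        })
    return records


def beacon_candidates(records, min_conns=6, max_cv=0.2):
    """Group flows by (src, dst, dport). A group with at least min_conns
    connections whose inter-arrival times have a coefficient of variation
    (stdev / mean) at or below max_cv is reported as a beacon candidate."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["src"], r["dst"], r["dport"])].append(r)
    findings = []
    for (src, dst, dport), flows in groups.items():
        if len(flows) < min_conns:
            continue
        times = sorted(f["t"] for f in flows)
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        avg_gap = mean(gaps)
        interval_cv = pstdev(gaps) / avg_gap if avg_gap else float("inf")
        if interval_cv > max_cv:
            continue
        sizes = [f["bytes"] for f in flows]
        findings.append({
            "src": src, "dst": dst, "dport": dport,
            "connections": len(flows),
            "mean_interval_s": round(avg_gap, 1),
            "interval_cv": round(interval_cv, 3),
            "bytes_cv": round(pstdev(sizes) / mean(sizes), 3),
        })
    return findings


if __name__ == "__main__":
    for finding in beacon_candidates(parse(LOG)):
        print(finding)
```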
The overall goal of a network access control solution is to prevent
unauthorized, non-compliant, or infected endpoints from
contaminating the network by getting other hosts infected.
An endpoint that has been off the network for some period of
time is considered hostile and must be thoroughly examined by the
NAC solution before it is allowed back on the network.
The endpoint in the example on the second slide is allowed to
access the network because it meets all the requirements defined in
the corporate access policy and is therefore recognized by the NAC
solution as an authorized endpoint.
The endpoint in this example is disallowed from accessing the
network because it is unrecognized by the NAC solution probably
because it’s personally owned or its user is not a full-time employee
of the company.
A web security gateway (or secure web gateway) used to be
referred to as a proxy server before evolutions in the cyber threat
landscape necessitated enhancements in its capabilities. Because the
Internet is such a hostile environment, outbound requests to
potentially harmful web content must be tightly controlled.
This product works by categorizing different websites, which
then allows organizations to select categories that should be
permitted (e.g., news, research, sports, etc.) and ones that should be
blocked (e.g., hacking, pornography, gambling, etc.).
The following snapshot from Bluecoat—one of the leaders in the
WSG market space—shows examples of the different category types
available. More information is available at
https://sitereview.bluecoat.com/testcategories.jsp.
In this example, a user attempts to access www.123.com, which
is categorized by the WSG as malicious. The WSG terminates the
connection and sends a warning message (block page) to the user
explaining why his/her request is not allowed.
Cloud Security Technology Solutions
On completion of this section, you will:
• Be familiar with different cloud security technology products
• Understand the key features and functionalities of cloud access security broker (CASB) technology
solution
• Understand the similarities between on-premise and cloud-based information systems and security
technology products
• Know some of the leading cloud security technology vendors
The "cloud" has revolutionized how organizations do business
today. There is a great business case for cloud adoption—reduced
carbon footprint, agility, lower total cost of ownership (TCO), and
higher return on investment (ROI) are just a few justifications, which
are compelling enough to make business leaders consider moving
their information systems to the cloud. With this drive towards the
cloud comes the need to secure externalized information systems
regardless of their location. Security technology vendors have now
responded to this need by creating cloud-based equivalents of on-
premise solutions.
Some of the most popular security capabilities that exist in the
cloud today include:
• Web security gateway
• Data leakage prevention
• E-mail security gateway
• Encryption and key management
• Cloud access security broker (CASB)
A cloud-based web security gateway delivers the same
functionality as an on-premise web security hardware appliance, but
eliminates the hardware requirements.
The cloud-based WSG sits in-line between the endpoint and the
Internet, inspecting every web request originating at the endpoint.
One of the advantages of this model is that the endpoint is protected
whether it is on the network (at the corporate office, for example) or
off the network (at a coffee shop).
A cloud-based WSG offers a wide range of security capabilities,
including (this list is not exhaustive):
• URL filtering to block web requests deemed unauthorized by
an organization’s policy.
• Threat detection and prevention.
• Application control (i.e., controlling traffic to Facebook, YouTube,
etc.).
• Malware detection.
• Cloud sandboxing (i.e., detonating files that appear to be
malicious).
This slide presents examples of authorized and unauthorized web requests and how they are handled by the cloud-based WSG.
A cloud-based DLP solution offers the same functionality as an
on-premise DLP hardware appliance, but the main selling point is
the reduction in hardware footprint.
Just like the cloud-based WSG, the cloud-based DLP solution sits
in-line between the endpoint and the Internet, inspecting every bit
of data that an endpoint sends out to the Internet. Some cloud-based
WSGs include DLP capabilities as part of their service offering.
In the first part of the example on the second slide, an internal
employee attempts to send an earnings report to his/her personal
Google Drive account in an effort to continue working on the file
from home. The cloud-based DLP solution intercepts and blocks the
request because the DLP policies were configured to block access to
unsanctioned online storage sites.
In the second part of the example, a remote employee attempts
to upload a spreadsheet containing sensitive information to his/her
company’s SharePoint Online site. The cloud-based DLP solution
intercepts and blocks the request because the DLP policies were
configured to look for sensitive data (such as credit card and social
security numbers) in the metadata and body of every file and prevent
files that match those conditions from leaving the organization’s
perimeter.
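The two DLP decisions described above, as an added example that is not part of the course material: an in-line policy check that first blocks uploads to unsanctioned online storage and then inspects metadata and body for credit card numbers (with a Luhn check to cut false positives) and US social security numbers. The sanctioned and unsanctioned hostnames, users, filenames and file contents are all constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed policy data for a fictional company (not from the course).
SANCTIONED_STORAGE = {"contoso.sharepoint.com", "contoso-my.sharepoint.com"}
UNSANCTIONED_STORAGE = {"drive.google.com", "www.dropbox.com", "onedrive.live.com"}

# US SSN: area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")
# Candidate card numbers: 13-19 digits, optionally separated by spaces/dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters random digit runs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list[str]:
    """Return the sensitive data types (ssn, credit_card) present in text."""
    found = []
    if SSN_RE.search(text):
        found.append("ssn")
    if any(luhn_ok(re.sub(r"[ -]", "", m.group())) for m in PAN_RE.finditer(text)):
        found.append("credit_card")
    return found


@dataclass
class Upload:
    user: str
    host: str                                      # destination seen by the gateway
    filename: str
    metadata: dict = field(default_factory=dict)   # e.g. document properties
    body: str = ""                                 # extracted text content


@dataclass
class Decision:
    action: str                                    # "allow" or "block"
    reason: str
    findings: list[str] = field(default_factory=list)


def evaluate(upload: Upload) -> Decision:
    """Apply the two DLP policies in order: destination first, then content."""
    if upload.host in UNSANCTIONED_STORAGE:
        return Decision("block", f"unsanctioned online storage: {upload.host}")
    # Sanctioned (and unknown) destinations still get content inspection.
    text = "\n".join(str(v) for v in upload.metadata.values()) + "\n" + upload.body
    findings = find_sensitive(text)
    if findings:
        return Decision("block", f"sensitive data in {upload.filename}", findings)
    return Decision("allow", "no policy match")


# Constructed sample uploads mirroring the two cases in the text, plus a
# benign file whose digit run fails the Luhn check and must not be blocked.
SAMPLES = [
    Upload("jdoe", "drive.google.com", "Q1_earnings.xlsx",
           body="Quarterly earnings report, internal"),
    Upload("rsmith", "contoso.sharepoint.com", "customers.xlsx",
           metadata={"title": "customer list"},
           body="Jane Roe,4111 1111 1111 1111,123-45-6789"),
    Upload("rsmith", "contoso.sharepoint.com", "inventory.xlsx",
           body="SKU-1001,1234 5678 9012 3456,warehouse B"),
]

if __name__ == "__main__":
    for u in SAMPLES:
        d = evaluate(u)
        print(f"{u.user} -> {u.host}/{u.filename}: {d.action} ({d.reason}) {d.findings}")
```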
In the first part of the example on the second slide, an employee
sends a benign e-mail to her boss requesting time off. The e-mail is
intercepted and inspected by the cloud-based e-mail security
gateway. The cloud-based e-mail security gateway determines that
the e-mail is benign and proceeds to route it to the destination
mailbox.
The second part of this example shows an adversary crafting a
malicious e-mail to the organization’s HR Director. The cloud-based
e-mail security gateway intercepts and inspects the e-mail, and
identifies a malicious attachment. The e-mail is then quarantined for
further analysis and eventual deletion.
In the example on the second slide, an employee needs to store
confidential files in an Amazon Web Services (AWS) S3 storage
bucket. Company policies mandate that any data deemed
confidential must be encrypted at rest. The cloud-based encryption
gateway is configured to intercept user traffic, inspect it for matching
conditions (i.e., keywords or classification labels defined by the
company), and encrypt the data if the traffic matches a pre-
configured encryption policy. Before beginning the encryption
process, the cloud encryption gateway must fetch the encryption keys
that are typically stored within an organization’s perimeter. After the
data is encrypted, the cloud encryption gateway routes the encrypted
files to the AWS S3 storage bucket.
To decrypt the data, the cloud-based encryption gateway
reverses the process described in the previous slide. The user
retrieves the encrypted file from the AWS S3 storage bucket, which is
subsequently intercepted by the cloud encryption gateway. To
decrypt the file, the cloud encryption gateway must retrieve the
encryption keys from the organization’s internal network. The
decrypted file is then delivered to the requestor.
Cloud access security brokers (CASBs) are on-premise or cloud-
based security policy enforcement points, placed between cloud
service consumers and cloud service providers to enforce enterprise
security policies as cloud-based resources are accessed. Examples of
security policies include authentication, single sign-on,
authorization, credential mapping, device profiling, encryption,
tokenization, logging, alerting, malware detection/prevention and so
on [18].
CASB products provide an integral layer of security centering
around the following pillars of security [19]:
• Visibility – which users are accessing the company’s cloud-
based data and what devices are they using? Being able to easily
identify risky data exposures and/or user behavior across all
cloud-based resources is the first step in securing the
environment.
• Compliance – a CASB solution helps organizations fulfill
their compliance obligations by giving them a similar level of
protection, access, and visibility into their cloud-based assets
as though they were on-premise.
• Data Security – identifying, monitoring, and securing
sensitive data are critical aspects of data security that can be
achieved through the use of a CASB solution.
• Threat Protection – the ability to identify, mitigate,
and remediate threat events such as compromised accounts,
privileged account misuse and malware infections in
trusted cloud services [20].
In this example, an employee has accessed a sales SaaS
application in an effort to view his/her sales forecast from his/her
personally-owned device. Company policies allow employees to
view sales data from any endpoint, but prohibit downloading such
data to unmanaged devices.
The CASB solution intercepts the request and, based on pre-
configured access policies, allows the user to view the sales data.
When the employee attempts to download the sales report, the CASB
solution blocks the attempt, logs the incident, and sends an alert to
the security analyst for further investigation.
Security Information and Event Management (SIEM)
On completion of this section, you will:
• Understand the fundamentals of Security Information and Event Management (SIEM)
• Understand the core features and functionalities of a SIEM
• Through practical use case examples, gain an insight into how value can be derived from a SIEM in an enterprise environment
• Understand the difference between security information management (SIM) and security event management (SEM)
A Security Information and Event Management (SIEM) system
collects, processes, alerts, and reports on security events across an
enterprise network. This technology product increases the efficiency
and automation of event monitoring and incident response by
collecting events from disparate event sources throughout the
network. Rather than logging on to different technology products to
review or research security alerts and reports, the analyst can now see
everything happening on his/her network on one management
console.
The SIEM collects logs and events from several sources including
network assets, firewalls, antivirus management server, vulnerability
scanner, host operating systems, applications, databases, web
application firewalls, web and email security gateways, identity and
access management systems, file integrity monitor, asset
management, and so forth.
The collected logs are normalized, correlated, enriched and
translated into near real-time security alerts. These alerts help the
security analyst understand what’s unfolding on their network so as
to be able to take response actions.
The two primary capabilities offered by this technology product
are:
• Security Information Management (SIM)
• Security Event Management (SEM)
The slide lists some of the most popular vendors in the SIEM
technology space.
As powerful as SIEM products are, they cannot be run in
autopilot mode. Organizations get the best out of a SIEM tool only
when they do the hard work of properly understanding their
business requirements and network environments. In other words,
the SIEM needs to be told what should be brought to the analyst’s
immediate attention. This is achieved through alert use cases.
A use case is a list of actions that define interactions between an
actor and a system to achieve a goal [21]. With any security alert use
case, the goal of the security analyst is to be quickly notified about
unwanted interactions between two systems where a threat actor is
controlling at least one of those systems.
In a nutshell, before developing an alert use case, security teams
need to understand what the business needs. It is this
understanding that informs the development of the use case.
Consider the following three examples where business
requirements informed the development of alert use cases:
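The SIEM pipeline described in this section (collect from disparate sources, normalize, correlate, alert) and the idea of an alert use case, as one added example that is not one of the course's three examples: three constructed log formats (a domain controller auth log, an antivirus export, firewall syslog) are normalized into one event schema, then two use cases run over them, a brute-force-then-success logon and an AV detection followed by an allowed outbound connection from the infected host. All hosts, users, addresses and the asset inventory are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records from three disparate sources: a domain
# controller's auth log (key=value), an antivirus console export (CSV) and
# a firewall syslog feed. Hosts, users and addresses are invented.
RAW_LOGS = [
    ("auth", "2024-03-01T09:00:05 host=dc01 user=jsmith src=10.1.5.23 outcome=failure"),
    ("auth", "2024-03-01T09:00:09 host=dc01 user=jsmith src=10.1.5.23 outcome=failure"),
    ("auth", "2024-03-01T09:00:14 host=dc01 user=jsmith src=10.1.5.23 outcome=failure"),
    ("auth", "2024-03-01T09:00:20 host=dc01 user=jsmith src=10.1.5.23 outcome=failure"),
    ("auth", "2024-03-01T09:00:27 host=dc01 user=jsmith src=10.1.5.23 outcome=failure"),
    ("auth", "2024-03-01T09:00:33 host=dc01 user=jsmith src=10.1.5.23 outcome=success"),
    ("auth", "2024-03-01T09:05:00 host=dc01 user=akhan src=10.1.7.19 outcome=failure"),
    ("auth", "2024-03-01T09:05:30 host=dc01 user=akhan src=10.1.7.19 outcome=success"),
    ("av",   "2024-03-01 09:12:40,ws042,Trojan.Generic.Downloader,quarantine_failed"),
    ("fw",   "Mar  1 09:15:02 fw01 action=allow src=10.1.7.42 dst=203.0.113.77 dport=443"),
    ("fw",   "Mar  1 09:16:10 fw01 action=allow src=10.1.7.19 dst=198.51.100.5 dport=443"),
]
# Constructed asset inventory (the SIEM's "asset management" source): IP -> host.
ASSETS = {"10.1.5.23": "ws023", "10.1.7.19": "ws019", "10.1.7.42": "ws042"}
LOG_YEAR = 2024   # syslog timestamps carry no year; assume the ingest year


def _kv(s):
    return dict(re.findall(r"(\w+)=(\S+)", s))


def parse_auth(line):
    ts, rest = line.split(" ", 1)
    kv = _kv(rest)
    return {"ts": datetime.fromisoformat(ts), "source": "auth", "host": kv["host"],
            "user": kv["user"], "src_ip": kv["src"], "dst_ip": None,
            "outcome": kv["outcome"], "signature": None}


def parse_av(line):
    ts, host, signature, action = line.split(",")
    return {"ts": datetime.fromisoformat(ts), "source": "av", "host": host,
            "user": None, "src_ip": None, "dst_ip": None,
            "outcome": action, "signature": signature}


def parse_fw(line):
    parts = line.split()
    ts = datetime.strptime(" ".join(parts[:3]), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    kv = _kv(" ".join(parts[4:]))
    # Enrichment: resolve the source IP to a hostname via the asset inventory.
    return {"ts": ts, "source": "fw", "host": ASSETS.get(kv["src"], kv["src"]),
            "user": None, "src_ip": kv["src"], "dst_ip": kv["dst"],
            "outcome": kv["action"], "signature": None}


PARSERS = {"auth": parse_auth, "av": parse_av, "fw": parse_fw}


def normalize(raw):
    """Normalization: every source becomes the same event schema, time-ordered."""
    return sorted((PARSERS[src](line) for src, line in raw), key=lambda e: e["ts"])


def brute_force_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Use case 1: N failed logons for one user from one source, then a success."""
    alerts, failures = [], {}
    for e in events:
        if e["source"] != "auth":
            continue
        key = (e["user"], e["src_ip"])
        if e["outcome"] == "failure":
            failures.setdefault(key, []).append(e["ts"])
        elif e["outcome"] == "success":
            recent = [t for t in failures.pop(key, []) if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"use_case": "brute_force_then_success", "user": e["user"],
                               "src_ip": e["src_ip"], "failures": len(recent), "ts": e["ts"]})
    return alerts


def infection_then_outbound(events, window=timedelta(minutes=30)):
    """Use case 2: AV detection on a host followed by an allowed outbound
    connection from the same host (possible command-and-control traffic)."""
    alerts = []
    for av in (e for e in events if e["source"] == "av"):
        for fw in (e for e in events if e["source"] == "fw" and e["outcome"] == "allow"):
            if fw["host"] == av["host"] and timedelta(0) <= fw["ts"] - av["ts"] <= window:
                alerts.append({"use_case": "infection_then_outbound", "host": av["host"],
                               "signature": av["signature"], "dst_ip": fw["dst_ip"],
                               "ts": fw["ts"]})
    return alerts


def run_use_cases(raw):
    events = normalize(raw)
    return brute_force_then_success(events) + infection_then_outbound(events)


if __name__ == "__main__":
    for alert in run_use_cases(RAW_LOGS):
        print(alert)
```

The single failed logon by akhan and the outbound connection from the uninfected ws019 are the negative cases: neither produces an alert.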
Vulnerability Scanners
On completion of this section, you will:
• Be familiar with a vulnerability scanner and its core features and functionalities
• Be able to explain why a cyber security team needs vulnerability scanning capability
• Be familiar with market leaders in vulnerability scanning products
• Through a practical example, understand how a vulnerability scanner is used in an enterprise environment
In order for an IT system or application to be attacked, it must
first be found vulnerable. Vulnerability scanners therefore give the
enterprise defender an insight into what attackers can potentially
see during the first phase of the cyber attack kill chain:
reconnaissance. From an attacker’s standpoint, reconnaissance is
about gathering intelligence about the target, but from a security
practitioner’s standpoint, (good) reconnaissance is about gathering
intelligence about his/her own network to identify exposure points and
configuration weaknesses that an attacker could leverage. Based on
this understanding, the defender then prioritizes remediation efforts
by focusing on the most critical vulnerabilities first.
A vulnerability scanner is a security technology tool used to
discover and assess information systems for security weaknesses
such as missing patches, application bugs, and misconfigurations.
The on-premise version of this scanner can be either hardware- or
software-based, while vulnerability scanning is also offered as a
service by cloud security service providers such as Qualys.
Vulnerability scanning is a critical requirement for any cyber
security department as it provides the means to detect vulnerabilities
and validate remediation once the system owner indicates that the
necessary action has been taken.
In detecting vulnerabilities, the scanner follows these steps:
• Step 1a (first slide) – host discovery: the scanner sends
ICMP echo requests to every IP address on a particular subnet
and waits for a reply to determine which hosts are alive.
• Step 1b (second slide) – echo reply: alive hosts reply back
to the vulnerability scanner.
• Step 2a (first slide) – port scanning: depending on its
configuration, the scanner scans discovered hosts to detect which
ports they are listening on. The scanner may be configured to scan
the host for well-known ports (0 to 1023) or all ports (0 to
65535).
• Step 2b (second slide) – the hosts respond to the scanner
indicating which ports they are listening on.
• Step 3a (first slide) – scanner interrogates discovered hosts
to determine their individual operating systems.
• Step 3b (second slide) – hosts respond with information
about their operating system (usually over 99% level of
accuracy).
• Step 4a (first slide) – the scanner interrogates discovered hosts
to determine the services running on them and the versions of
the applications detected.
• Step 4b (second slide) – hosts respond with the available
information in line with the scanner’s request.
• Step 5a – proper vulnerability assessment commences. The
scanner begins to evaluate every discovered service or
application against its own dictionary of vulnerabilities.
Vulnerability discovery techniques employed by the scanner can
be any one of fuzzing, static analysis, or penetration testing, but
that subject is beyond the scope of this course.
• Step 5b – vulnerable hosts begin to respond back to the
scanner.
On completion, a vulnerability scan report is generated and sent
to individual system owners to take appropriate remedial actions.
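Step 5a and the report-and-validate cycle that follows it, as an added example (not the course's or any vendor's code): the discovered (host, port, service, version) tuples from steps 1 to 4 are matched against a vulnerability dictionary by version range, grouped per system owner, and a second scan is compared with the first to confirm which findings the owner actually remediated. The vulnerability IDs, version ranges, hosts and owners are constructed placeholders and do not correspond to real advisories.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vuln_id: str       # constructed placeholder identifier, not a real CVE
    service: str
    introduced: str    # first affected version (inclusive)
    fixed: str         # first fixed version (exclusive)
    severity: int      # 1 low .. 4 critical


# Constructed dictionary: the ranges are illustrative only and do not
# describe real advisories for these products.
VULN_DICT = [
    Vuln("VULN-0001", "openssh", "7.0", "8.9", 3),
    Vuln("VULN-0002", "apache", "2.4.0", "2.4.50", 4),
    Vuln("VULN-0003", "mysql", "5.7.0", "5.7.40", 2),
]


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    version: str
    vuln_id: str
    severity: int


def parse_version(v: str) -> tuple:
    """'2.4.49' -> (2, 4, 49); tuples compare component by component."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def affected(v: Vuln, version: str) -> bool:
    ver = parse_version(version)
    return parse_version(v.introduced) <= ver < parse_version(v.fixed)


def assess(scan):
    """Step 5a: match every discovered service/version against the dictionary.
    scan is a list of (host, port, service, version) tuples from steps 1-4;
    findings are ordered most critical first so remediation can be prioritized."""
    findings = [Finding(host, port, service, version, v.vuln_id, v.severity)
                for host, port, service, version in scan
                for v in VULN_DICT if v.service == service and affected(v, version)]
    return sorted(findings, key=lambda f: (-f.severity, f.host, f.port))


def report_by_owner(findings, owners):
    """Group findings for the system owner who has to remediate them."""
    report = {}
    for f in findings:
        report.setdefault(owners.get(f.host, "unassigned"), []).append(f)
    return report


def _key(f):
    return (f.host, f.port, f.vuln_id)


def validate_remediation(previous, current):
    """Compare two scans to confirm what the owner fixed and what is still open."""
    prev, cur = {_key(f) for f in previous}, {_key(f) for f in current}
    return {"remediated": sorted(prev - cur),
            "open": sorted(prev & cur),
            "new": sorted(cur - prev)}


# Constructed scan results before and after the owner reports patching:
# apache was upgraded, openssh was not.
SCAN_BEFORE = [("web01", 22, "openssh", "8.4"), ("web01", 80, "apache", "2.4.49"),
               ("db01", 22, "openssh", "9.0"), ("db01", 3306, "mysql", "5.7.42")]
SCAN_AFTER = [("web01", 22, "openssh", "8.4"), ("web01", 80, "apache", "2.4.58"),
              ("db01", 22, "openssh", "9.0"), ("db01", 3306, "mysql", "5.7.42")]
OWNERS = {"web01": "web-team", "db01": "dba-team"}

if __name__ == "__main__":
    before = assess(SCAN_BEFORE)
    for owner, items in report_by_owner(before, OWNERS).items():
        print(owner, [(f.host, f.port, f.vuln_id, f.severity) for f in items])
    print(validate_remediation(before, assess(SCAN_AFTER)))
```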
Summary
Access Control Technology Solutions
Access control is about controlling the flow of information
between a subject and an object, where the subject is the requestor
(user, process, or application) of access and the object (file or
application) is the resource to which access is requested.
The fundamental concepts of access control are identification,
authentication, authorization, and accountability (or auditability).
Access control is such an important security capability that most
information systems have some sort of in-built access control
functionality.
Application Security Technology Solutions
Application security is the act of protecting enterprise
applications against malicious attacks that target application
vulnerabilities in order to gain access to their backend database.
Web application firewall (WAF), code analysis tool (CAT), and
database security platform (DSP) are three of the most popular
application security technologies.
A WAF detects attacks by comparing traffic destined for the
protected resource against the expected traffic pattern; the CAT
analyzes software applications (internally developed and commercial
“off the shelf”) for security flaws, and the DSP complements the WAF
by enforcing expected behaviors to help defend against database-
specific attacks.
Data Security Technology Solutions
The three most popular types of data security solutions are
encryption and key management, data leakage prevention (DLP),
and Digital Rights Management (DRM).
When data is encrypted, it is transformed into an unreadable
format such that only authorized users with the right decryption keys
can read it.
Encryption alone is not good enough without effective key
management.
DLP is the means by which the leakage of sensitive or regulated
business data is prevented regardless of its state (i.e., at rest, in use
or in transit).
Typical leakage channels include removable media, cloud
storage, and webmail.
DRM offers persistent protection to intellectual property
regardless of its location.
Host Security Technology Solutions
Enterprise endpoints (workstations and laptops) are more
exposed to threats than servers, therefore they are usually protected
by multiple host security software agents.
Popular host security solutions include anti-virus, file integrity
monitor, application whitelisting, next generation endpoint security
solution, and full disk encryption.
Network Security Technology Solutions
Firewalls used to be the be-all and end-all of network security,
but evolution in the threat landscape has completely changed the
game. With that said, they remain very critical to network security.
Other network security solutions include intrusion prevention
system (IPS), network access control (NAC), and web security gateway
(WSG).
An IPS prevents network-based attacks by monitoring network traffic
and proactively blocking detected nefarious activities before the
attacker does any damage. The main weakness of an IPS is its high
probability of blocking legitimate business traffic as a result of
false detection.
NAC controls access to network resources by ensuring that only
hosts that comply with defined security policies are admitted onto
the network.
A WSG protects end-user computers by filtering web traffic to
detect and block traffic to malicious sites that could potentially infect
an endpoint.
Cloud Security
Widespread adoption of cloud-based services is rapidly
changing the IT landscape. As organizations continue to migrate their
information systems to the cloud, security technology vendors
continue to devise ways to ensure effective protection of those assets
sitting outside the network perimeter.
Cloud access security brokers (CASBs) are on-premises or cloud-
based security policy enforcement points, placed between cloud
service consumers and cloud service providers to combine and
interject enterprise security policies as cloud-based resources are
accessed. A CASB solution offers visibility, compliance, data security,
and threat protection capabilities.
SIEM
A Security Information and Event Management (SIEM) system
collects, processes, alerts and reports on security events across an
enterprise network.
The SIEM collects logs and events from several sources including
network assets, firewalls, antivirus management server, vulnerability
scanner, host operating systems, applications, databases, web
application firewalls, web and email security gateways, identity and
access management systems, file integrity monitor, asset
management, and so forth.
A use case is a list of actions that define interactions between an
actor and a system to achieve a goal. With any security alert use case,
the goal of the security analyst is to be quickly notified about
unwanted interactions between two systems where a threat actor is
controlling at least one of those systems.
Vulnerability Scanners
A vulnerability scanner is a security technology tool used to
discover and assess information systems for security weaknesses
such as missing patches, application bugs, and misconfigurations.
Popular vendors in this space are Rapid7, Qualys, Nessus, and
Tripwire.
References
[1] https://msdn.microsoft.com/en-us/library/aa746492(v=vs.85).aspx
[2] https://msdn.microsoft.com/en-us/library/windows/desktop/aa374876(v=vs.85).aspx
[3] https://msdn.microsoft.com/en-us/library/windows/desktop/aa706028(v=vs.85).aspx
[4] https://web.mit.edu/kerberos/
[5] http://www.veracode.com/sites/default/files/Resources/Whitepapers/what-is-application-security-veracode.pdf
[6] https://www.imperva.com/docs/DS_SecureSphere_Web_Application_Firewall.pdf
[7] https://www.sitelock.com/web-application-firewall
[8] https://www.mitre.org/publications/systems-engineering-guide/enterprise-engineering/systems-engineering-for-mission-assurance/secure-code-review
[9] http://aspg.com/10-tips-for-securing-encryption-keys/#.WRJZqFPys_U
[10] https://www.thales-esecurity.com/products-and-services/products-and-services/key-management-systems
[11] https://safenet.gemalto.jp/resources/data-protection/hsm-risk-management-offer/?LangType=1041
[12] http://www.isaca.org/Groups/Professional-English/security-trend/GroupDocuments/DLP-WP-14Sept2010-Research.pdf
[13] http://www.isaca.org/Groups/Professional-English/security-trend/GroupDocuments/DLP-WP-14Sept2010-Research.pdf
[14] http://www.opentext.com/what-we-do/products/enterprise-content-management/content-management/opentext-rights-management
[15] https://www.rsaconference.com/events/us15/agenda/sessions/2022/evasive-malware-exposed-and-deconstructed#sthash.Lc7FCoTs.dpuf
[16] NIST SP 800-167 – Guide to Application Whitelisting
[17] https://www.sentinelone.com/wp-content/uploads/2016/02/WP-Next-Gen-EPP-2016.pdf
[18] http://www.gartner.com/it-glossary/cloud-access-security-brokers-casbs/
[19] https://www.cloudlock.com/cloud-access-security-broker/
[20] https://www.skyhighnetworks.com/skyhigh-threat-protection/
[21] https://en.wikipedia.org/wiki/Use_case
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 

1.1 Cyber Security Layers of Defense and Technology Solutions.pdf.pdf

  • 1. LAYERS OF DEFENSE AND TECHNOLOGY SOLUTIONS CSAP 301.3 CSAP 301 - Cyber Security for Aspiring Practitioners
  • 2. CSAP 301.3 - Layers of Defense and Technology Solutions
    Course Topics
    1. Access Control Technology Solutions
    2. Application Security Technology Solutions
    3. Data Security Technology Solutions
    4. Host Security Technology Solutions
    5. Network Security Technology Solutions
    6. Cloud Security Technology Solutions
    7. Security Information and Event Management (SIEM)
    8. Vulnerability Scanners
    9. Summary
    © DIGISS CSAP 301 2
  • 3. Access Control Technology Solutions
    On completion of this section, you will:
    • Understand the fundamentals of access control
    • Be able to explain common terms such as object, subject, authentication, authorization, and accountability
  • 4. Access control is all about controlling (i.e., denying or permitting) access to a resource. Any technology solution must be capable of making the right determination based on the output of control checks. These checks fall into three phases, namely:
    • Identification
    • Authentication
    • Authorization
    In addition to these three phases, there are three other elements of access control:
    • Accountability
    • Subject
    • Object
    Before discussing access control technologies, we’re going to examine two practical examples of access control in action. In the example presented in these slides, user Luke Boyle is seeking access to a computer system and needs to identify himself by entering his username.
  • 5. Next, the system needs to know that the individual seeking access is truly Luke Boyle and so it requires him to authenticate by entering his password. Once Luke’s access to the computer system has been granted, he tries to open a file named employees_salary.xlsx but is unable to do so because he’s not authorized to view the file. The system performing all these checks must also be capable of recording (auditing and logging) all the events to aid investigations should there be a need to retroactively review the user’s activities. This property is called accountability. In our example above, the subject is Luke Boyle whereas the object is employees_salary.xlsx. The subject is typically the entity requesting access to a resource (e.g., a user, application, or process) while the object is the resource being accessed (e.g., a file or an application).
  • 6. Example 2: Identification
    Now, imagine that Luke Boyle has just been hired as a bank teller at Royal Bank. On his second day at work, the security guard asks to see his ID badge to be sure that Mr. Boyle is a member of the bank’s staff.
  • 7. Authentication
    Next, Mr. Boyle proceeds to his department and needs to prove that he is indeed a member of that department by swiping his badge to gain access.
  • 8. Authorization
    Once access is granted, he settles in and commences his daily work-related activities. In the process, he needs to place some cash in the vault, but on attempting to access the vault, he is denied entry because he is not authorized to access the vault.
  • 9. Accountability
    Royal Bank’s computer systems are configured to log every successful and failed attempt to gain access to the vault. Hence, Luke’s failed attempt was logged and a system-generated alert was sent to the security department. In addition, a security guard standing post in the vault’s lobby has manually logged Luke’s attempted access to the vault.
  • 10. In this example, Luke Boyle is the subject while the vault is the object.
  • 11. Access control is a broad subject in cyber security. This control applies to (and is enforced at) every layer of defense implemented around the digital assets that organizations want to protect. The overall goal of any access control solution is to regulate access from a requesting entity (subject) to a requested resource (object).
  • 12. There are three broad categories of access control, namely:
    • Administrative (e.g., policy)
    • Physical (e.g., entrance gate or security guard)
    • Technical (i.e., logical access control to computer systems and other digital resources)
    The focus of this module, however, is technical (or logical) access control. Various access-control-specific technology products exist on the market today, but most access control functionality is built into other technology products. For instance, an entity must be correctly identified and authenticated before being allowed to use any information system; therefore, almost every technology product is capable of identifying and authenticating such an entity. Where access control is centralized, the task of identifying and authenticating these entities is typically delegated to an enterprise Identity and Access Management platform.
  • 13. The access controller’s main purpose is to provide centralized authentication services by granting or denying access to objects. Thus, it needs to know about every object on the network to which access must be controlled. Every computer system (server or workstation) and user in a Microsoft Windows enterprise environment is contained in Active Directory. In the authentication example presented on the first slide, a subject logs on to a computer system by providing his/her domain user credentials. The computer system passes the subject’s credentials to an AD server for validation. If the credentials are validated, AD sends an “authentication success” message back to the computer system, which in turn grants the subject access to the object. In a highly sensitive and controlled enterprise environment, specialized access control technology products (such as smart cards or hardware tokens) may be required in addition to a username and password to gain access to any domain-joined computer system.
  • 14. Network devices have the ability to authenticate users locally, but a TACACS or RADIUS server is typically used in an enterprise environment for centralized administration. TACACS is short for Terminal Access Controller Access Control System. This protocol was developed by Cisco for handling remote authentication for network devices through a centralized server. RADIUS, which stands for Remote Authentication Dial-In User Service, is also a networking protocol that provides centralized access control services. Both authentication protocols proxy authentication requests and responses back and forth between the end user and the enterprise directory server(s).
  • 15. The primary function of a firewall is to control access from a subject to an object. Access control lists (ACLs) are implemented on firewalls for this purpose. Best practice dictates that access from one network location to the other—when separated by a firewall—must be implicitly denied unless explicitly allowed through the firewall’s access control configuration. In the example on the first slide, the HR analyst at computer address 10.10.10.10 was able to access the resource on the server at 10.10.20.20 because that traffic was explicitly allowed across the firewall, having been determined to be legitimate business traffic. In the example on the second slide, the marketing director tries to access the CRM web application. The username lboyle@company.com is how the access controller (Active Directory) identifies the user, while the password is how the user proves that he’s indeed Luke Boyle. The authentication request will be granted once those credentials are successfully validated.
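The implicit-deny rule on this slide, as an added example that is not part of the course material: a first-match firewall access control list in Python. The rules, hosts and ports are constructed around the slide's 10.10.10.10 to 10.10.20.20 scenario; the SMB port and the second segment's /24 ranges are assumptions.

```python
"""Added example, not part of the DIGISS course material: a first-match
firewall access control list with the implicit deny the slide describes.
Rules, hosts and ports are constructed around the slide's scenario
(HR analyst at 10.10.10.10 reaching the server at 10.10.20.20)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str              # source network in CIDR form
    dst: str              # destination network in CIDR form
    dport: Optional[int]  # destination port; None matches any port
    action: str           # "allow" or "deny"
    comment: str = ""     # business justification, kept for the audit trail

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)   # order matters: first match wins
        self.log = []              # every decision is logged (accountability)

    def check(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        """Evaluate rules top to bottom; a flow that matches no rule is
        dropped, which is the 'implicitly denied unless explicitly allowed'
        posture the slide calls best practice."""
        for rule in self.rules:
            if rule.matches(src_ip, dst_ip, dport):
                self.log.append((src_ip, dst_ip, dport, rule.action, rule.comment))
                return rule.action == "allow"
        self.log.append((src_ip, dst_ip, dport, "deny", "implicit deny"))
        return False


# Constructed policy: only the approved HR workstation may reach the HR file
# server, and only over SMB (445, assumed); everything else between the two
# segments is explicitly denied, and any other flow falls to the implicit deny.
POLICY = Firewall([
    Rule("10.10.10.10/32", "10.10.20.20/32", 445, "allow", "HR analyst to HR share (approved)"),
    Rule("10.10.10.0/24", "10.10.20.0/24", None, "deny", "all other user-LAN to server-LAN"),
])

if __name__ == "__main__":
    print(POLICY.check("10.10.10.10", "10.10.20.20", 445))   # allowed by rule 1
    print(POLICY.check("10.10.10.10", "10.10.20.20", 3389))  # denied by rule 2
    print(POLICY.check("192.168.1.5", "10.10.20.20", 445))   # implicit deny
```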
  • 16. The above diagram is an example of a purpose-built security technology product being used to provide an access control service. The financial strategist tries to access a protected (encrypted) file share. In this instance, however, the resource is only accessible if the subject has previously been issued the right cryptographic key, which is what is required to unlock (decrypt) the protected (encrypted) file share. Cryptography is an advanced field of computer security that is beyond the scope of this course, but from a conceptual standpoint it is the bedrock of information confidentiality. Technology solutions that offer cryptographic services mainly translate plaintext into gibberish that can’t be understood by anyone not authorized to read it.
  • 17. Active Directory (AD) is a special-purpose database designed to handle a number of operations[1]. Chief among these operations is the process of controlling users’ access to resources. Access control for objects in AD Domain Services is based on Windows access control models, which enable the system to control the ability of a subject to access a protected object or perform various other tasks[2]. Access privileges for resources in Active Directory Domain Services are usually granted through the use of an access control entry (ACE). An ACE defines access or audit permission on an object for a specific user or group[3]. Lightweight Directory Access Protocol (LDAP) is the protocol used to query AD for the requested resource/object (workstation or server) in order to determine its attributes, while Kerberos is the authentication protocol that allows the user (subject) to access the workstation or server.
  • 18. The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection. After a client and server have used Kerberos to prove their identities, they can also encrypt all of their communications to assure privacy and data integrity as they go about their business[4].
  • 19. Subjects are typically authenticated by access controllers through the use of one or a combination of the following:
    • Something you have – this is typically a hardware token that generates a random number at regular intervals. It is the type that is issued by financial institutions to online banking customers to reduce the risk of electronic fraud. It could also be a soft token such as an application installed on a smartphone that generates random numeric characters every time a button is pushed. Hard and soft tokens pretty much serve the same purpose.
    • Something you are – this is typically a user’s unique physical characteristics or biometrics, such as a fingerprint. It is typically the most secure because it’s pretty much impossible to replicate an individual’s unique physical characteristics.
    • Something you know – another name for this is knowledge-based authentication. An example is a password and/or the answer to security questions such as mother’s maiden name or place of birth.
  • 20. These slides present examples of “something you have”, “something you are”, and “something you know” authentication modes. RSA SecurID hard and soft tokens are typically used by employees to gain remote access to their organization’s network through a VPN connection. These tokens can also be used by IT administrators to gain access to critical internal systems through a remote desktop connection (RDP).
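The elements of slides 4, 5, 17 and 19 put together in one small access controller, as an added example that is not part of the course material: identification, two-factor authentication (something you know plus a time-based token as the something you have), ACE-style authorization, and an audit log for accountability. Every user, passphrase, token seed, group and file name is constructed; the token follows RFC 6238 and the passphrase hash uses PBKDF2, neither of which the slides specify.

```python
"""Added example, not part of the DIGISS course material: a minimal access
controller that walks through the elements the slides describe
(identification, authentication, authorization, accountability; subject and
object; ACE-style permissions as on slide 17; a time-based token as the
"something you have" factor of slide 19). Every user, secret, group and file
name here is constructed sample data."""
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238 over HMAC-SHA1): the number a
    hard or soft token shows for the current 30-second window."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def password_hash(password: str, salt: bytes) -> bytes:
    """Slow salted hash so a copied credential store does not yield passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccessController:
    def __init__(self):
        self.users = {}      # identity (username) -> credential record
        self.aces = []       # (object, principal, permission): who may do what
        self.audit_log = []  # accountability: every decision is recorded

    def register(self, username, password, token_secret, groups=()):
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "hash": password_hash(password, salt),
                                "token_secret": token_secret, "groups": set(groups)}

    def add_ace(self, obj, principal, permission):
        self.aces.append((obj, principal, permission))

    def _record(self, phase, subject, obj, outcome):
        self.audit_log.append({"phase": phase, "subject": subject,
                               "object": obj, "outcome": outcome})

    def authenticate(self, username, password, token_code, now: int) -> bool:
        """Identification (is the username known?) followed by two-factor
        authentication: something you know plus something you have."""
        rec = self.users.get(username)
        if rec is None:
            self._record("identification", username, "system", "unknown subject")
            return False
        knows = hmac.compare_digest(password_hash(password, rec["salt"]), rec["hash"])
        has = hmac.compare_digest(totp(rec["token_secret"], now), token_code)
        ok = knows and has   # both are always evaluated; the log does not say which failed
        self._record("authentication", username, "system", "success" if ok else "failure")
        return ok

    def authorize(self, username, obj, permission) -> bool:
        """Grant only if an ACE names the subject or one of its groups."""
        rec = self.users.get(username)
        principals = {username} | (rec["groups"] if rec else set())
        allowed = any(o == obj and p in principals and perm == permission
                      for o, p, perm in self.aces)
        self._record("authorization", username, obj,
                     f"{permission} {'granted' if allowed else 'denied'}")
        return allowed


# Constructed scenario mirroring slides 4-5: Luke Boyle (subject) versus
# employees_salary.xlsx (object), which only the HR group may read.
LUKE_TOKEN = b"12345678901234567890"   # RFC 6238 test-vector seed, constructed
NOW = 59                               # fixed clock so the run is repeatable


def build_controller() -> AccessController:
    ac = AccessController()
    ac.register("lboyle", "correct horse battery", LUKE_TOKEN, groups={"marketing"})
    ac.register("hr.analyst", "another strong passphrase", b"hr-token-seed-0000", groups={"hr"})
    ac.add_ace("employees_salary.xlsx", "hr", "read")
    return ac


def run_scenario():
    ac = build_controller()
    luke_in = ac.authenticate("lboyle", "correct horse battery", totp(LUKE_TOKEN, NOW), NOW)
    luke_reads = ac.authorize("lboyle", "employees_salary.xlsx", "read")
    hr_reads = ac.authorize("hr.analyst", "employees_salary.xlsx", "read")
    return luke_in, luke_reads, hr_reads, ac.audit_log


if __name__ == "__main__":
    for event in run_scenario()[3]:
        print(event)
```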
  • 21. Application Security Technology Solutions
    On completion of this section, you will:
    • Grasp the fundamental concept of application security
    • Understand different types of application security technology solutions
    • Be familiar with major vendors of application security products
    • Be able to describe core features and functionalities of application security products
  • 22. Application security is what an organization does to protect its critical data from external and internal threats by ensuring that every piece of software used to run the business is appropriately identified, cataloged and secured[5]. Application security is a broad field within cyber security. Every organization needs different types of applications, acquired from multiple sources, to achieve its business objectives. The proliferation of different applications in an enterprise environment therefore presents an attractive attack surface to the adversary. Applications are essentially data gatekeepers: once an application is breached, the backend data becomes highly susceptible to compromise, given that the attacker can then abuse the trust relationship that exists between the application and the database.
  • 23. An application security technology tool, otherwise known as a code analysis tool, among other things helps identify, fix, and prevent security vulnerabilities in any kind of software application. Other application security technology products protect enterprise applications by detecting and preventing attacks that target the applications. Examples of these are:
    • Web application firewall (WAF)
    • Email security gateway
    • Database security platform (DSP)
    Web servers are the most susceptible to attacks because of the business requirement to have web applications available to service users on the Internet. Web application firewalls are typically deployed “in-line” between the client and the protected web server to detect and block malicious traffic destined for the protected web server. A WAF compares traffic destined for the protected resource against expected traffic patterns (or known baselines) and performs response actions based on preconfigured trigger conditions. One of the most popular vendor products on the market is Imperva SecureSphere, which automates the process of learning application structure and expected user behavior by profiling protected applications and building a baseline or “white list” of acceptable user behavior[6].
  • 24. As with most technology solutions on the market today, a WAF product can be deployed as a physical appliance, a virtual appliance, or in the cloud. Some cloud service providers also offer WAF as a service. SiteLock TrueShield is one good example of an advanced cloud-based web application firewall[7]. Examples of technology products include:
    • Imperva SecureSphere
    • Citrix
    • Trustwave
    • F5
    • Fortinet
  • 25. The next three slides present an example of a legitimate web transaction between a client’s browser and a web application server and describe the behavior of the WAF under such circumstances.
    1. The user “Luke Boyle” makes a visit to www.crm.com with the traffic traversing a WAF for inspection.
    2. This traffic, being legitimate, is permitted through the WAF.
    3. Access to the requested web resource is subsequently granted and the user is presented with the login page to www.crm.com.
  • 26.
    4. The user then attempts to log into the web application by entering his username and password.
    5. This expected and legitimate traffic is permitted by the WAF and the user gains access to the web resource.
  • 27. These two slides present an example of a malicious web transaction between a client’s browser and a web application server and describe the behavior of the WAF under such circumstances. The first four steps of this communication are exactly the same as in the previous example, but the access request that tries to trick the web application into running malicious commands is detected and blocked by the WAF in step five.
    1. The user “Luke Boyle” makes a visit to www.crm.com with the traffic traversing a WAF for inspection.
    2. This traffic, being legitimate, is permitted through the WAF.
    3. Access to the requested web resource is subsequently granted, and the user is presented with the login page to www.crm.com.
    4. Instead of entering his username and password, the user types SQL commands in the username and password fields in an attempt to conduct a SQL injection attack against the web application and its database.
    5. The WAF identifies the SQL traffic and, since it deviates from the expected behavior, the request is blocked and the session is terminated.
  • 28. A DSP complements a WAF by introducing an additional layer of protection. The DSP will block anomalous database commands in the event that the WAF fails to detect these hostile commands at the web application layer.
  • 29. The slide above presents an example of a malicious web transaction and describes the behavior of the DSP under such circumstances.
    1. A user enters SQL commands into the username and password fields of the www.crm.com web application in an attempt to perform a SQL attack against the web application and its database.
    2. Assuming that there is no WAF protecting the web application, or that the WAF is inadequately configured, the request passes through unchecked.
    3. The request reaches the web application server and gets processed.
    4. The DSP protecting the database server identifies the SQL commands in the transaction as abnormal and blocks the request.
    The commands entered into the form fields of the CRM web application are intended to return all credit card records in the SQL database. However, with a well-configured and well-implemented DSP in place, this sort of malicious command will be blocked, while security analysts monitoring the system will be promptly notified so that they can take appropriate response actions.
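The baseline-and-deviation logic that slides 23 to 29 attribute to a WAF and a DSP, as an added example that is not part of the course material and not any vendor's algorithm: a WAF profiler learns which form fields www.crm.com's login page normally carries and what their values look like, and a DSP profiler learns the shape of the SQL statement the page normally issues; both then block the slide-27 and slide-29 requests. All logins, the query and the tampered request are constructed samples.

```python
"""Added example, not part of the DIGISS course material: the positive-security
model of slides 23-29 (learn a baseline from legitimate traffic, block what
deviates) reduced to a WAF profiler for form fields and a DSP profiler for SQL
statement shapes. Requests and statements are constructed samples, and the
profiling logic is a simplified illustration, not any vendor's algorithm."""
import re
from collections import defaultdict

def value_classes(value: str) -> set:
    """Coarse character classes present in a form value."""
    classes = set()
    for ch in value:
        if ch.isalnum():
            classes.add("alnum")
        elif ch in "@._-":
            classes.add("addr-punct")
        elif ch in "'\"`":
            classes.add("quote")
        elif ch.isspace():
            classes.add("space")
        else:
            classes.add("symbol")
    return classes

class WafProfile:
    """Per URL path: expected field names, the character classes each field
    normally contains, and the longest value seen while learning."""
    def __init__(self):
        self.paths = defaultdict(dict)

    def learn(self, path: str, form: dict):
        for name, value in form.items():
            f = self.paths[path].setdefault(name, {"classes": set(), "max_len": 0})
            f["classes"] |= value_classes(value)
            f["max_len"] = max(f["max_len"], len(value))

    def inspect(self, path: str, form: dict):
        """Return (allowed, reason); anything outside the profile is blocked."""
        expected = self.paths.get(path)
        if expected is None:
            return False, f"no profile learned for {path}"
        for name, value in form.items():
            if name not in expected:
                return False, f"unexpected field {name!r}"
            field = expected[name]
            if len(value) > 2 * field["max_len"]:
                return False, f"{name}: length {len(value)} far above baseline"
            unseen = value_classes(value) - field["classes"]
            if unseen:
                return False, f"{name}: {sorted(unseen)} never seen in baseline"
        return True, "matches learned profile"

class DspProfile:
    """Learn the shape of the statements the application normally issues
    (string and numeric literals replaced by ?) and block unseen shapes."""
    _literal = re.compile(r"'(?:[^']|'')*'|\b\d+\b")

    @classmethod
    def fingerprint(cls, sql: str) -> str:
        return " ".join(cls._literal.sub("?", sql).lower().split())

    def __init__(self):
        self.known = set()

    def learn(self, sql: str):
        self.known.add(self.fingerprint(sql))

    def inspect(self, sql: str):
        fp = self.fingerprint(sql)
        if fp in self.known:
            return True, "known statement shape"
        return False, f"unknown statement shape: {fp}"

# Constructed learning traffic: ordinary logins to www.crm.com and the query
# the login page issues for them.
LOGIN = "/login"
NORMAL_LOGINS = [
    {"username": "lboyle@company.com", "password": "Correct-Horse-9"},
    {"username": "hr.analyst@company.com", "password": "Battery$taple42"},
]
NORMAL_SQL = "SELECT id FROM users WHERE username = 'lboyle@company.com' AND pw_hash = 'a1b2c3'"

def build_profiles():
    waf, dsp = WafProfile(), DspProfile()
    for form in NORMAL_LOGINS:
        waf.learn(LOGIN, form)
    dsp.learn(NORMAL_SQL)
    return waf, dsp

def demo():
    waf, dsp = build_profiles()
    legit = waf.inspect(LOGIN, {"username": "lboyle@company.com", "password": "Correct-Horse-9"})
    # Step 4 of slide 27: SQL typed into the username field instead of a name.
    injected = waf.inspect(LOGIN, {"username": "' OR 1=1 --", "password": "x"})
    # Slide 29: with no WAF in front, the same input reaches the database as a
    # query whose shape was never learned, so the DSP blocks it.
    tampered_sql = "SELECT id FROM users WHERE username = '' OR 1=1 --' AND pw_hash = 'x'"
    return legit, injected, dsp.inspect(tampered_sql)
```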
  • 30. Email remains one of the primary delivery mechanisms for malicious software. According to the latest (2017) Verizon Data Breach Investigations Report (DBIR), in which over 65 organizations were surveyed, two out of every three malware installations came via malicious email attachments. An email security gateway (ESG) protects the email application against attacks, but unlike other application security technology solutions, the end user is the ultimate target, because this solution is essentially stopping malicious emails from getting to the user, who may be lured into opening a malicious attachment and thus infecting their workstation. The deployment model of an ESG solution can be either appliance-based or cloud-based, but the same threat detection mechanism applies regardless of the mode of deployment. The ESG, using its malware detection engine, tests every email (with or without a malicious attachment) against all conventional security checks, such as anti-malware signatures or inspection of embedded URLs against known reputation databases.
  • 31. Zero-day attacks are threats not seen before; therefore, signature-based detection is not effective for this category of attack. Most ESG products on the market today have the ability to detonate suspicious files in a sandboxed environment for in-depth analysis of their behavior, after which a determination is made whether to deliver the email to the intended recipient or block it. The above diagram shows two examples of emails sent to an enterprise user by different actors. In the first example, the ESG analyzes the email and forwards it on to the user after determining it to be safe. The second example depicts a threat actor whose email is blocked because it contains a malicious attachment.
  • 32. A code analysis tool, among other things, helps identify, fix and prevent security vulnerabilities in any kind of software application. This application security technology product must be prioritized by organizations that use a lot of internally developed applications. Most application vulnerabilities are introduced during the code development stage. A code analysis tool alleviates this problem by providing insight into the types of flaws present, helping the developers of the application understand what classes of issues exist. The goal is to arm the developers with information that helps them make the application’s source code more secure, thus increasing the quality of the application by reducing its number of vulnerabilities. Using code analysis tools to reduce application vulnerabilities makes it more difficult for a malicious user to exploit them[8]. There are two techniques for code analysis, namely:
    • Static
    • Dynamic
  • 33. Static code analysis inspects the static (non-running) source code to identify security vulnerabilities or flaws. Static code analysis is also referred to as “white-box” testing. Dynamic code analysis, on the other hand, inspects the software while it is running, feeding it data in real time and emulating the actions of a real-world attacker. Code analysis ensures that software bugs and security flaws are identified and fixed throughout the software development lifecycle. Software developers are often pushed to develop new applications or enhancements quickly. Product release deadlines may force developers to cut corners and bypass the code analysis phase, releasing software with functionality flaws and risky security issues. Identifying and fixing security flaws before an application is released to production is crucial, as it reduces the likelihood of an adversary finding and exploiting such flaws. Successful exploitation of an application vulnerability could lead to a data breach, for which remediation efforts could prove costly to the affected organization.
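A concrete static code analysis check of the kind slides 32 and 33 describe, as an added example that is not part of the course material: it parses Python source without running it and flags database calls whose query text is assembled at run time, the flaw class behind the SQL injection scenario on the earlier slides. The sample source it scans is constructed, and the execute/executemany method names are an assumption about the database driver.

```python
"""Added example, not part of the DIGISS course material: a small static
code analysis check in the spirit of slides 32-33. It reads Python source
without running it and reports database calls whose query text is assembled
from user-controlled pieces, the flaw class behind the injection scenario on
the WAF/DSP slides. The sample source is constructed."""
import ast

EXEC_NAMES = {"execute", "executemany"}   # assumed driver method names


def builds_string_dynamically(node: ast.AST) -> bool:
    """True if the expression concatenates, %-formats, f-strings or .format()s."""
    if isinstance(node, ast.JoinedStr):                      # f"... {x} ..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                          # "..." + x, "..." % x
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True                                          # "...".format(x)
    return False


def find_dynamic_sql(source: str) -> list:
    """Return [(line, snippet)] for execute()/executemany() calls whose first
    argument is built at run time instead of being a constant query with
    separately bound parameters."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in EXEC_NAMES and node.args
                and builds_string_dynamically(node.args[0])):
            findings.append((node.lineno, ast.get_source_segment(source, node.args[0])))
    return sorted(findings)


# Constructed sample: two flawed calls and the parameterized fix.
SAMPLE = '''
def login(cur, username, password):
    # flawed: user input concatenated into the query text
    cur.execute("SELECT id FROM users WHERE username = '" + username + "'")
    # flawed: f-string interpolation is concatenation in disguise
    cur.execute(f"SELECT id FROM users WHERE pw_hash = '{password}'")
    # fixed: constant query, values bound by the driver as parameters
    cur.execute("SELECT id FROM users WHERE username = %s AND pw_hash = %s",
                (username, password))
'''

if __name__ == "__main__":
    for line, snippet in find_dynamic_sql(SAMPLE):
        print(f"line {line}: query built dynamically: {snippet}")
```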
  • 35. Data Security Technology Solutions
    On completion of this section, you will:
    • Understand different types of technology products that can be deployed to secure enterprise data
    • Be familiar with data encryption, data leakage prevention (DLP), and digital rights management (DRM)
    • Understand the concepts of “data in use”, “data at rest”, and “data in motion”
    • Be familiar with practical use cases of data security technology products in an enterprise environment
  • 36. Every IT business is driven by data which, in some cases, can become a valuable target for an adversary. Data security is the act of protecting data at rest (i.e., stored on a computer hard drive), in transit (e.g., travelling from an end user to an e-commerce website), and in use from unauthorized disclosure or destruction. Data security is an essential aspect of any organization that is serious about safeguarding its most valuable data. There are three (3) main types of data security technology solutions, which will be covered in detail in the next few slides. These technologies are:
    • Encryption and key management
    • Data leakage prevention (DLP)
    • Digital rights management (DRM)
  • 37. Encryption and key management go hand in hand. The secrecy of a cryptographic key is far more important than the complexity of the encryption algorithm. Without a centralized key management capability, encryption keys will be stored next to the disk, file, folder, or database they decrypt; therefore, if the computer in question is compromised, so will be the keys. Managing encryption keys can be very daunting because they grow exponentially in an enterprise environment where cryptographic keys and digital certificates are in widespread use. As each encrypted item has its own key, the management and protection of thousands of encryption keys within an enterprise becomes a huge undertaking. Once data is secured through encryption, the encryption keys themselves must be guarded from theft or accidental loss[9]. This is why a centralized key management technology solution is a critical capability for any organization with a business need to protect its critical data.
  • 38. Encryption causes a plaintext (readable message) to be transformed into ciphertext (unreadable message) through the application of an encryption algorithm and a cryptographic key. Decryption causes the opposite effect. When a ciphertext is run through the same encryption algorithm using the same cryptographic key that was used to encrypt the message, the resulting output is the original plaintext message.
  • 39. Data can be protected at rest on a computer’s hard drive by applying full-disk encryption. Data can also be protected while it is being used and stored in memory by applying memory encryption. And lastly, data can be encrypted in transit using certificates.
  • 40. Encryption is not complete without key management, because the secrecy of your key determines the secrecy of your data. Most organizations encrypt data and store the key on the same system where the encrypted data resides. If the system were to get compromised, it would be trivial for an adversary to locate the key and use it to decrypt the data. A hardware security module (HSM) is a dedicated appliance designed for the protection, management, and processing of cryptographic keys. In order to reduce the risk of data breaches and monitor protection, security controls across networks must be centrally managed using a high-assurance system that protects keys from abuse or theft and reliably distributes them over long periods for only authorized use[10]. Cryptographic key management can also be software-based. In this implementation, the key management software is installed on an existing server, which then acts as the HSM. While this helps reduce the hardware footprint and investment cost, there is an associated performance cost due to latency in the cryptographic processes. This can present a different kind of problem in any organization where the objective is to minimize the latency introduced by cryptography.
  • 41. HSMs have an obvious advantage over their software counterparts in that they are designed to optimize the efficiency of cryptographic processing. Compared to software running on general-purpose servers, HSMs will accelerate processing—an outcome of being purpose-built[11].
  • 42. A data leakage prevention (DLP) technology solution prevents misuse, theft, and abuse of sensitive or regulated data within an enterprise environment. There are various reasons why an organization will want to protect its high-value data (such as unpublished financial performance reports, market research data, or strategic information relating to merger and acquisition activities). A single data leakage event may spell the end of a project that has cost several million dollars or cause the loss of competitive advantage, therefore preventing leakage of business-critical data is an essential business requirement. Fundamentally, every DLP solution must be able to [12]: • Locate and catalog sensitive information stored throughout the enterprise • Monitor and control the movement of sensitive information across enterprise networks • Monitor and control the movement of sensitive information on end-user systems
  • 43. These three core functionalities are aligned with the different states in which data may exist in its lifecycle. These states are: Data at rest – the DLP solution must be able to scan the network to identify files by type and name wherever they are located on the network. Upon discovery, the contents of the files must be analyzed and, depending on DLP policy settings, information about files of interest will be collected and communicated to the security engineer for further action. Data in transit – this is also referred to as data in motion. The DLP tool must be capable of passively monitoring network traffic for suspicious data leakage events through network leakage channels (such as email, online storage systems, and webmail). If sensitive data is detected flowing to an unauthorized destination, the DLP solution should have the capability to alert and optionally block the data flow in real or near-real time, based on the rule set defined within its central management console [13]. Data in use – from a leakage prevention standpoint, this is the hardest category of data to protect, because the fact that the user already has it open means they can already see the content. If the information interests the user, there are different means by which it can be misused. The easiest and most common way is by copying the data onto a USB thumb drive. Other ways include copying and pasting the data into another application, attaching it to an email, sending it to the printer, or using a smartphone to take pictures of the pages of interest; all of these leakage methods but one (phone photos) can be prevented with the use of a DLP endpoint agent.
  • 44. Another simple way to reduce the risk of leakage of data in use is by developing and applying a policy that controls the use of personal mobile storage devices on company-owned computers across the enterprise. A technical control must be implemented to enforce this policy. One way of doing this is by disabling the USB ports of enterprise workstations unless the flash drive in use is an enterprise-approved one obtainable from the IT department.
  • 45. The scenario in this slide is representative of how a DLP tool can prevent theft of a company's intellectual property by an insider threat actor. Consider that the employee is leaving this organization to work for a competitor who will benefit from learning about the market research data and future plans of the current employer (hopefully no competitor hires anyone for this purpose!). The DLP tool intervenes when this employee attempts to upload these classified files to an online storage service by blocking the data leakage attempt and sending an alert to security operations center analysts for proper investigation. Bear in mind, though, that the leakage path depicted here is one of many possible leakage channels. Another insider threat actor may choose to use a USB flash drive to copy the data, or send the files as email attachments from a corporate email application (such as Microsoft Outlook) to a personal webmail inbox (e.g., Gmail or Yahoo!). Every enterprise-grade DLP solution will be capable of addressing these use cases as well.
  • 46. In order to get a good return on security investment (ROSI), the DLP tool must be optimally configured and constantly tuned to reduce the number of false positive alerts. A false positive alert creates an incident where there isn't one by notifying the security analyst of an ongoing incident when the event is in fact benign. A false positive happens when the detected event resembles an unwanted event defined by the DLP policy. Below is an example of how a false positive alert could unfold: 1. The DLP tool is configured to send an alert when any document that contains an IP address such as 210.23.34.200 is detected in transit. 2. A user attempts to email a file that contains the phone number 210.498.2327. 3. The DLP tool flags it as a leakage attempt, blocks the email and notifies the security analyst. This lose-lose situation is an example of how security activities can get in the way of the business through a negative user experience, therefore it is extremely important for cyber security practitioners to ensure that incidents like this are reduced to the very minimum. This can only be achieved through continuous tuning and capability improvement.
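The false positive above comes from a pattern that is too loose. As an added illustration (not part of the course material), the following compares an untuned "digits and dots" rule with a tuned IPv4 rule over constructed sample messages, including the slide's own IP address and phone number:

```python
import re

# Constructed sample messages (not real data): one carries the internal IP
# address the policy targets, one carries the slide's phone number, and two
# more are common look-alikes that a loose rule also trips over.
SAMPLES = {
    "ip_leak":   "Jump host is reachable at 210.23.34.200 from the VPN.",
    "phone":     "Call the vendor on 210.498.2327 before noon.",
    "version":   "Upgraded the agent to build 10.2.3.4567 yesterday.",
    "bad_octet": "Host 192.168.1.300 is not a valid address.",
}

# Untuned rule: any run of digits and dots is treated as "an IP address".
LOOSE_IP = re.compile(r"\d[\d.]{5,}\d")

# Tuned rule: exactly four dot-separated groups, not glued to other digits or
# dots; every octet is then range-checked (0..255) after the match.
STRICT_IP = re.compile(
    r"(?<![\d.])(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?![\d.])"
)


def loose_detector(text):
    """Return the strings the untuned policy would flag."""
    return [m.group(0) for m in LOOSE_IP.finditer(text)]


def strict_detector(text):
    """Return only syntactically valid IPv4 addresses."""
    return [
        m.group(0)
        for m in STRICT_IP.finditer(text)
        if all(0 <= int(octet) <= 255 for octet in m.groups())
    ]


def evaluate(detector):
    """Which sample messages would this detector block?"""
    return {name: bool(detector(text)) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, fn in (("loose", loose_detector), ("strict", strict_detector)):
        print(name, evaluate(fn))
```

The loose rule blocks all four messages; the tuned rule blocks only the genuine address, which is the kind of tuning the slide calls for.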
  • 47. Digital or information rights management (DRM or IRM) is another defense-in-depth layer that takes data security to the next level. Where sensitive data evades data leakage security controls, DRM steps in by providing persistent protection wherever the data goes. Data owners can use a DRM server to develop and assign file access policies to business-critical data to ensure that it is adequately protected against unauthorized use throughout its lifecycle. In order for any user to open a protected file, a connection has to be established with a DRM server located inside the perimeter of the organization that owns the data, and the user has to prove that they have been authorized to view, print, or make changes to the file by providing their authentication credentials. OpenText, one of the leaders in the DRM market space, summarizes some of the capabilities of an enterprise DRM solution as follows [14]: Protection against any form of distribution: Lock files against unauthorized access, whether those files are distributed manually (via USB drive or CD), sent via email, or downloaded inappropriately. Prevent unauthorized users from opening or forwarding email attachments. Protect all file types: Add digital rights management to content produced in Microsoft Office applications as well as virtually all other file formats, including PDF, HTML, CAD, image files, ZIP archives, and more. Apply rights management to existing and new content: Add rights management to an OpenText repository to further protect existing content, and set policies to protect new files as they're stored in the repository.
  • 48. Protect content on BlackBerry: Allow only authorized users to open and view protected content on their BlackBerry smartphones. Comply with government and industry requirements: Demonstrate compliance with information security standards such as the U.S. Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA), and similar regulations around the world.
  • 49. The slide above represents an example of where DRM is used to protect confidential files: 1. An employee needs to share a confidential document with a business partner. The employee uploads the file to the DRM server and creates an access policy that allows the business partner to access the document. 2. The employee defines the appropriate access permissions (i.e., view, download, print, etc.) for the confidential document before sharing it with the business partner. 3. The DRM-protected file is shared with the business partner, typically via e-mail. 4. The recipient of the DRM-protected file attempts to open it but is automatically redirected to the organization's DRM server and asked to authenticate. 5. An adversary will only be able to access the contents of the file if s/he has the correct authentication credentials. 6. The owner of the file can revoke access to the file at any time.
  • 50. Persistent protection follows business-critical data that is deliberately or inadvertently moved outside of an enterprise environment. Configurable usage rights include view, e-mail, print, forward, and so forth. Apart from encryption solutions, not many security technology products protect an organization's intellectual property beyond its network perimeter. Once the data escapes the network, it's typically game over, but this is not the case with DRM/IRM, which makes it a highly critical technology capability for an organization that relies heavily on its trade secrets (e.g., patents, inventions, formulas, software code, designs, research data, etc.). As shown in this image, protection follows the data wherever it goes. It can only be accessed if there is an established network path to the DRM server and the user is successfully authenticated.
  • 51. Host Security Technology Solutions. On completion of this section, you will: • Understand different types of host security technology products • Be familiar with the features and functionalities of antivirus, application whitelisting, next generation endpoint security, full disk encryption, and file integrity monitoring • Understand how different host security products complement one another • Be familiar with the practical use cases of host security technology products in an enterprise environment
  • 52. Hosts are the containers for what the attacker wants, therefore they will always remain the attacker's target until such time as someone figures out where else to keep digital data or run applications from. Attackers follow the money, which in this case is the data. Given the need to adequately protect enterprise hosts against cyber attacks, a good number of host security solutions continue to appear on the security technology market. As attackers figure out new attack tactics and techniques, the security technology industry helps enterprise defenders respond by designing solutions that combat the new security problems created by the bad guys. In this section, we are only going to cover some of the most popular host security solutions. These are as follows: • Antivirus (traditional signature-based, such as McAfee) • Application whitelisting • Next generation endpoint security (NGES) • File integrity monitoring (FIM) • Full disk encryption (FDE) • Third-party application software agent
  • 53. Historically, firewalls and antivirus were the most popular security solutions. Given this, there have been a lot of misconceptions amongst those with limited knowledge of cyber security. In today's cyber threat landscape, attackers have figured out how to bypass firewalls with relative ease by coming in through the front door. Most firewalls allow outbound web traffic (TCP ports 80 and 443) because users must be able to surf the web, so attackers use this same path to launch their attacks. Similarly, some users still believe that once an antivirus (AV) solution is installed on their computer and its virus definitions database is up to date, the computer is immune to any type of attack. Nothing could be further from the truth. Today's attackers have changed the game by developing different evasion techniques. In 2015, Christopher Kruegel, chief scientist at Lastline Inc., wrote that evasive malware behavior was up 2000% compared to 2014. This new malware bypassed traditional firewalls, security gateways and sandboxes, causing organizations to struggle as cybercriminals designed sophisticated and stealthy malware that loops, cloaks itself, and morphs to evade detection [15]. Low-level details of malware evasion techniques are beyond the scope of this course, but be sure to refer to the presentation that Chris gave at the RSA conference in 2015; a copy of this presentation is included as part of your study materials. In spite of the available malware evasion techniques, antivirus solutions are still very relevant and should be installed on every host running within an enterprise environment. Because AV is a reactive technology, however, it leaves a malware gap, and this is where other complementary host security technologies come in. Antivirus vendors react to instances of malware attack by analyzing the malware and understanding how it works before developing
  • 54. detection signatures for it, meaning that some hosts (the first hit, otherwise known as patient zero) must be compromised before other hosts running a particular AV software can be protected. The deployment model in enterprise environments is agent-to-server: antivirus agents are pushed out to protected hosts from a central management server, which is essentially the command and control station. Software updates and virus database updates are pushed out to managed hosts from this central server, while the managed hosts send information about detected threats back to the AV server.
  • 55. Antivirus solutions generally use two detection mechanisms: • Signature-based detection • Heuristic detection In the case of signature-based detection, when a protected computer comes in contact with any file or program, it computes a cryptographic hash of the file/program and checks it against its database of known malware hashes. A virus alert is displayed to the user and also sent to the AV server when there is a match.
  • 56. On the other hand, heuristically detected malware is essentially a file/program suspected to be malicious based on its behavior. Here, the antivirus software analyzes the file/program to determine whether it performs actions attributable to malicious software, such as executing scripts, installing a program or downloading additional programs that the user has not approved. The second slide on this page lists the most popular vendors in the AV industry.
  • 57. Application whitelisting is a very effective host protection (malware prevention) technique, but it remains a maturing field because of the complexity involved in its deployment. Unlike security technologies such as antivirus software, which block known bad activity and permit everything else, application whitelisting technologies are designed to permit known good activity and block everything else [16]. The challenges associated with effective design and implementation of whitelisting technology stem from the fact that most organizations can hardly tell unauthorized from authorized applications in their IT environment. Additionally, there is a high probability of greatly impacting end-user productivity where whitelisting applications are deployed, therefore those thinking of using this solution must proceed with caution.
  • 58. There are two major operational modes of most application whitelisting (AW) technologies: • Audit mode - allows execution of all items (whitelisted or not) and logs their execution. • Enforcement mode - permits execution of only whitelisted applications and blocks everything else. An application whitelisting technology running in monitor (or audit) mode is merely learning and logging events relating to how applications are being used. It is not configured to stop an application that has not been whitelisted from executing, but it can report the event to the whitelisting server. This is the best mode of deployment for organizations that plan to establish a baseline of trusted applications within their environment without running the risk of impacting business productivity.
  • 59. An application whitelisting solution deployed in enforcement mode will only allow whitelisted applications to run whilst blocking unauthorized ones. This deployment mode is not very common within enterprise environments, but organizations with a near-accurate and up-to-date baseline (or inventory) of authorized applications, developed over a period of time, will benefit greatly from using the whitelisting solution in this mode. This is when true return on security investment can be derived.
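The audit-then-enforce workflow of the two slides above, as an added illustration that is not part of the course material: executables are identified by the SHA-256 of their bytes, audit mode only records what runs, IT promotes the reviewed observations into the baseline, and enforcement mode then blocks anything unlisted (including a binary that merely reuses a trusted name). The executable contents and paths are constructed placeholders.

```python
import hashlib


def fingerprint(image):
    """Identify an executable by the hash of its bytes, never by name or path."""
    return hashlib.sha256(image).hexdigest()


class ApplicationWhitelist:
    def __init__(self):
        self.mode = "audit"     # "audit" or "enforce"
        self.trusted = set()    # fingerprints of approved executables
        self.events = []        # what the agent reports to the whitelisting server

    def on_execute(self, path, image):
        """Agent hook for an execution attempt; returns True if it may run."""
        fp = fingerprint(image)
        listed = fp in self.trusted
        # Audit mode never blocks; it only records whether the item was listed.
        allowed = True if self.mode == "audit" else listed
        self.events.append({"path": path, "fp": fp, "listed": listed,
                            "allowed": allowed, "mode": self.mode})
        return allowed

    def promote_baseline(self, approved_paths):
        """Turn audit observations that IT has reviewed into the whitelist."""
        for ev in self.events:
            if ev["mode"] == "audit" and ev["path"] in approved_paths:
                self.trusted.add(ev["fp"])
        self.mode = "enforce"


# Constructed executable images (placeholders for real PE files).
WORD = b"MZ-constructed-winword"
PUTTY = b"MZ-constructed-putty"
GAME = b"MZ-constructed-game"
IMPOSTOR = b"MZ-constructed-dropper"   # different bytes, trusted file name


def simulate():
    aw = ApplicationWhitelist()
    # Phase 1: audit mode, everything runs and is logged.
    audit = [
        aw.on_execute(r"C:\Program Files\Office\winword.exe", WORD),
        aw.on_execute(r"C:\Tools\putty.exe", PUTTY),
        aw.on_execute(r"C:\Users\user\Downloads\game.exe", GAME),
    ]
    # Phase 2: IT reviews the audit log and approves two of the three paths.
    aw.promote_baseline({r"C:\Program Files\Office\winword.exe",
                         r"C:\Tools\putty.exe"})
    # Phase 3: enforcement mode.
    enforce = {
        "word": aw.on_execute(r"C:\Program Files\Office\winword.exe", WORD),
        "game": aw.on_execute(r"C:\Users\user\Downloads\game.exe", GAME),
        # Same trusted name, different bytes: the hash does not match.
        "impostor": aw.on_execute(r"C:\Program Files\Office\winword.exe", IMPOSTOR),
    }
    return audit, enforce, aw.events


if __name__ == "__main__":
    audit, enforce, events = simulate()
    print("audit decisions:", audit)
    print("enforce decisions:", enforce)
    for ev in events:
        print(ev["mode"], "listed" if ev["listed"] else "unlisted",
              "allowed" if ev["allowed"] else "BLOCKED", ev["path"])
```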
  • 60. A next generation endpoint security (NGES) solution (or platform) is a response to the gap left by antivirus technology. This family of products offers protection against zero-day (previously unseen) threats by analyzing the malware and its behavioral characteristics. All digital elements (e.g., binaries, process activity, network connectivity, and configuration changes) required to compromise a computer are continuously monitored, and action is taken when required. Effective protection against modern, sophisticated threats requires a revolutionary threat detection mechanism that analyzes, blocks, and remediates identified threats. The ability to see what is running on an endpoint, and how every application or process is behaving, was the biggest missing piece in solving the malware problem, and this is the core functionality of a next generation endpoint security platform [17].
  • 61. This solution thrives on the quality of threat intelligence available to the vendor, which typically has numerous sensors deployed at various points on the Internet to collect threat intelligence. This intelligence is then fed to the NGES analytics engine, which is the command and control station for managed endpoints. The deployment model is very similar to that of AV in that agents are deployed onto managed devices that are then controlled from a centralized NGES analytics platform.
  • 62. A file integrity monitoring (FIM) product monitors, detects, and alerts on changes to critical database, application, and operating system files. A file integrity solution works by computing cryptographic hashes of the files to be protected. This creates a baseline of known hashes, and any change to a hash value must be investigated. The most efficient way to do this is to ensure that a security incident ticket is raised for every detected change for which there is no change record. This has the secondary benefit of curbing the bad practice of unauthorized changes within an organization.
  • 63. In the example on the first slide, a user logs on to a computer system that has a FIM agent installed to monitor some files against unauthorized changes. One of those files is "Config.txt", saved on the desktop. The file contains the configuration settings for a Cisco ASA firewall. Upon accessing this file, the user changes the password setting in the configuration and saves it. This is enough to cause an alert to be sent to the FIM manager because the file's cryptographic hash has changed. If this is not an authorized change, then the security analyst must assume that it is a security incident, raise an incident ticket, and follow their documented response process.
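The baseline-and-compare logic of the two FIM slides above, as an added example that is not part of the course material. It replays the Config.txt scenario: a monitored file's hash changes, and the change becomes an incident ticket unless a change record exists for it. File paths and contents are constructed placeholders (the password values are not real).

```python
import hashlib


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_baseline(files):
    """Hash every monitored file once; the result is the baseline of known-good hashes."""
    return {path: sha256_hex(content) for path, content in files.items()}


def check_integrity(baseline, current, change_records):
    """Compare the current content of each monitored file against the baseline.

    change_records: set of paths for which an approved change record exists.
    Returns (path, status) pairs; status is 'unchanged', 'authorized_change',
    'incident', 'missing' or 'new'.
    """
    findings = []
    for path, known_hash in baseline.items():
        if path not in current:
            findings.append((path, "missing"))
        elif sha256_hex(current[path]) == known_hash:
            findings.append((path, "unchanged"))
        elif path in change_records:
            findings.append((path, "authorized_change"))
        else:
            findings.append((path, "incident"))   # hash changed, no change record
    for path in current:
        if path not in baseline:
            findings.append((path, "new"))
    return findings


def tickets_to_raise(findings):
    """Every unexplained change becomes a security incident ticket."""
    return [path for path, status in findings if status == "incident"]


# Constructed monitored files mirroring the slide: Config.txt holds an ASA-style
# configuration and the user edits its password line.
CONFIG = r"C:\Users\user\Desktop\Config.txt"
HOSTS = r"C:\Windows\System32\drivers\etc\hosts"
BEFORE = {
    CONFIG: b"hostname asa-edge\nenable password OLD_PLACEHOLDER encrypted\n",
    HOSTS: b"127.0.0.1 localhost\n",
}
AFTER = dict(BEFORE)
AFTER[CONFIG] = b"hostname asa-edge\nenable password NEW_PLACEHOLDER encrypted\n"


def demo(change_records=frozenset()):
    """Run one FIM cycle against the constructed before/after snapshots."""
    baseline = build_baseline(BEFORE)
    findings = check_integrity(baseline, AFTER, set(change_records))
    return findings, tickets_to_raise(findings)


if __name__ == "__main__":
    findings, tickets = demo()
    for path, status in findings:
        print(f"{status:18} {path}")
    print("incident tickets to raise:", tickets)
```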
  • 64. A full disk encryption (FDE) solution protects the host by encrypting its entire hard drive content while it is not operational. To decrypt the hard drive, the user must supply a valid decryption password during the boot-up process; if the supplied password is correct, the computer proceeds to decrypt the hard drive. This is more a matter of asset protection against theft than of endpoint protection, because the solution only becomes useful when the protected device is lost or stolen, and only provided it was in a shut-down state when lost or stolen.
  • 66. On enterprise hosts, non-Microsoft applications are referred to as third-party applications. These third-party applications widen a host's attack surface because of how difficult they are to patch compared to Microsoft's applications. Microsoft addresses vulnerabilities in its applications and operating systems by releasing security updates on the 2nd Tuesday of every month (Patch Tuesday). These updates are then pushed out to enterprise Windows computers from Microsoft's System Center Configuration Manager (SCCM). Conversely, patching third-party applications is cumbersome because Microsoft does not track vulnerabilities in those applications. This is why a software agent is required on hosts (mostly workstations) that scans for installed third-party applications and reports back to its central management server, which could be on-premises or in the cloud. Vulnerabilities in any application present attackers with the opportunity to gain unauthorized access, therefore a third-party application management capability is a crucial layer of defense.
  • 67. In the example on the first slide, a third-party application agent is running on a managed enterprise computer. The computer is also running outdated versions of Adobe Reader and Java, for which exploitable vulnerabilities have recently been reported. Upon discovery of the vulnerable applications, the third-party application agent sends an alert to the central management server. The central management server could take one of two actions: • Remotely patch the vulnerable applications • Send an alert to a system administrator to perform a manual update
  • 68. Network Security Technology Solutions. On completion of this section, you will: • Understand different types of technology products that can be deployed to secure an enterprise network • Be familiar with the core features and functionalities of traditional network firewalls, intrusion prevention systems (IPS), web security gateways (WSG), and network access control (NAC) • Understand the practical use cases of network security technology products in an enterprise environment
  • 69. Traditionally, networks were only secured by firewalls. However, evolution in attack vectors has brought about de-perimeterization. In the past, a perimeter firewall had the answer to almost every security problem, because only the ports required for legitimate business reasons were opened. Examples of such ports are 80 (HTTP) and 443 (HTTPS). In today's threat landscape, however, once a user makes an HTTP request to a compromised web server, that user's workstation becomes highly susceptible to attack. A traditional network perimeter consists of one or more points of entry into an organization's internal network. The point of entry is typically located at a data center and provides internal users with access to the Internet, as well as allowing external users to access an organization's external-facing servers (e.g., an e-commerce website).
  • 70. However, as time went on, attackers figured out how to use these same open ports as an attack vehicle, thus pushing the perimeter to the host attached to the network and, in essence, removing the boundary between the internal network and the outside world. This is what's referred to as de-perimeterization, which means that organizations must have a response to this problem: a de-perimeterization strategy, or defense-in-depth strategy. Network firewalls are one of many network security technology solutions. The following solutions will also be discussed in the next few slides: • Intrusion Prevention System (IPS) • Network Access Control (NAC) • Web Security Gateway (WSG)
  • 71. A network firewall is a physical appliance installed on the network to protect digital resources based on specific business requirements. These business requirements translate into a set of rules or an access control list (ACL) configured to: • Permit authorized access, or • Deny unauthorized access to the protected resource. Every ACL entry must include the following attributes: • Source IP address of the system requiring access to a protected resource, or source IP address of the protected resource requiring access to a non-protected resource. • Destination IP address of the protected resource to which access is being requested, or destination IP address of the non-protected system to which a protected resource needs access. • Communication protocol (e.g., UDP, TCP, ICMP, IP) • Destination port(s) or service(s) (e.g., 22, 80, 443) • Action that the firewall must take on network traffic that matches the attributes in the entry (i.e., permit or deny). Network firewalls create network segments or security zones. Each security zone has a trust level derived from the criticality of the systems assigned to the zone. Traffic flow between two zones of different trust levels is permitted or denied in accordance with business requirements.
  • 72. The security label attached to a network segment protected by a firewall is a function of the criticality of the systems placed within that segment. Generally, there are three security zones in an enterprise environment. These are: • The Internet zone – this is the untrusted zone. It is outside of the perimeter (or edge) firewall, therefore services running in this environment are treated as hostile by default. • The demilitarized zone (popularly known as the DMZ) – this is the semi-trusted or low-trust zone. It is the buffer between the outside world and the internal network. Services which must be available to the outside world (such as email, web services, etc.) run out of this zone. • The internal zone – this is the trusted zone where end-user computers and enterprise servers are situated. Traffic in and out of this zone is tightly controlled in comparison to the DMZ. This is only a high-level, simplistic view of the enterprise network. Organizations that are serious about securing their critical assets will break the internal zone further (using internal firewalls) into different segments depending on the breach tolerance of the information systems being protected. For network segmentation to be an effective security control, firewalls must be configured to allow traffic flows between systems in adjacent zones only. In the example presented in the slide, the Internet zone is allowed to communicate with systems in the low-trust security zone. Similarly, systems in the low-
  • 73. and medium-trust zones are able to communicate with systems in the medium- and high-trust zones respectively. Conversely, the Internet and low-trust zones are not allowed to communicate with systems inside the medium- and high-trust security zones respectively. The idea behind this concept is to reduce the attack surface of digital assets placed in high-trust security zones. The slide above presents an example of a typical network communication traversing a firewall.
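The ACL attributes from slide 71 and the adjacent-zones rule from slides 72 and 73, combined into one policy evaluator as an added example (not course material). Zone address ranges, the ACL entries and the flows are constructed placeholders; the adjacency check is applied in front of the ACL so that an entry mistakenly written to span non-adjacent zones still cannot permit a flow.

```python
import ipaddress

# Trust levels from the slides; only zones whose levels differ by at most one may talk.
ZONES = {"internet": 0, "low": 1, "medium": 2, "high": 3}

# Constructed address plan (documentation ranges, not a real network).
ZONE_NETS = {
    "low": ipaddress.ip_network("203.0.113.0/24"),     # DMZ
    "medium": ipaddress.ip_network("10.10.0.0/16"),    # internal servers
    "high": ipaddress.ip_network("10.20.0.0/16"),      # crown jewels
}


def zone_of(ip):
    """Map an address to its security zone; anything unassigned is the Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONE_NETS.items():
        if addr in net:
            return name
    return "internet"


# Each entry carries the five attributes from slide 71; first match wins.
ACL = [
    {"src": "0.0.0.0/0", "dst": "203.0.113.10/32", "proto": "tcp", "port": 443, "action": "permit"},
    {"src": "203.0.113.0/24", "dst": "10.10.5.20/32", "proto": "tcp", "port": 1433, "action": "permit"},
    {"src": "10.10.0.0/16", "dst": "10.20.0.0/16", "proto": "tcp", "port": 22, "action": "permit"},
    # Constructed misconfiguration: Internet straight into the high-trust zone.
    {"src": "0.0.0.0/0", "dst": "10.20.0.0/16", "proto": "tcp", "port": 22, "action": "permit"},
]


def acl_decision(src, dst, proto, port):
    """Evaluate the ACL in order; the implicit last rule is deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in ACL:
        if (s in ipaddress.ip_network(entry["src"])
                and d in ipaddress.ip_network(entry["dst"])
                and entry["proto"] == proto
                and entry["port"] in (port, "any")):
            return entry["action"]
    return "deny"


def zones_adjacent(src, dst):
    return abs(ZONES[zone_of(src)] - ZONES[zone_of(dst)]) <= 1


def evaluate_flow(src, dst, proto, port):
    """Segmentation rule first, then the ACL; deny unless both permit."""
    if not zones_adjacent(src, dst):
        return "deny (non-adjacent zones)"
    return acl_decision(src, dst, proto, port)


if __name__ == "__main__":
    flows = [
        ("198.51.100.7", "203.0.113.10", "tcp", 443),   # Internet -> DMZ web
        ("203.0.113.10", "10.10.5.20", "tcp", 1433),    # DMZ -> internal DB
        ("203.0.113.10", "10.10.5.20", "tcp", 22),      # DMZ -> internal, no rule
        ("198.51.100.7", "10.10.5.20", "tcp", 1433),    # Internet -> medium
        ("198.51.100.7", "10.20.1.1", "tcp", 22),       # Internet -> high (bad rule)
    ]
    for f in flows:
        print(f"{zone_of(f[0]):>8} -> {zone_of(f[1]):<8} {f[2]}/{f[3]}: {evaluate_flow(*f)}")
```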
  • 74. Here are some of the most popular firewall technology vendors: • Cisco • Checkpoint • Palo Alto • Juniper • Fortinet • SonicWall Although there are tough challengers, Cisco remains the market leader in the network security technology space with about 35% share of the firewall technology market. Checkpoint and Palo Alto come in 2nd and 3rd places respectively, while Juniper, Fortinet, and SonicWall are other popular products.
  • 75. Intrusion prevention is the act of preventing network-based attacks that evade firewall security controls. This family of products comes as either a software or a hardware appliance. The deployment mode is typically one of: • Passive/monitor mode • Active/blocking mode When deployed in passive/monitor mode, the device is known as an Intrusion Detection System (IDS). In this mode, when attack traffic is detected, the only action taken by the tool is to log the incident and send an alert to the security analyst. This is essentially a "safe" operational mode because, in the event of a mis-detection (or false positive), legitimate business traffic would not be blocked. On the flip side, if a worm is rapidly infiltrating the network, this tool will be of little value to the organization, as it would be powerless to stop the worm while operating in "detect only" mode. When deployed in active/blocking mode, the device acts as an Intrusion Prevention System (IPS). In this mode, the IPS is placed "in-line", typically between an organization's internal network and the perimeter or Internet firewall. The disadvantage of this mode is that the IPS could potentially block legitimate business traffic when inaccurate detection occurs. On the other hand, this tool would be very effective in stopping a worm outbreak before it spreads to internal systems.
  • 76. The scenario on the first slide shows a good example of where an IPS provides business value by stopping an attack. The host in the diagram appears to have been compromised because it beacons out to an external host at regular intervals; this is indicative of command and control communication (a later phase of the attack kill chain). The IPS is aware of this behavior and so blocks the traffic, thus (potentially) terminating an attacker's connection to the internal network. As mentioned earlier, the major disadvantage of an IPS is the possibility of blocking legitimate business traffic when an event suspected to be malicious is actually benign. This is reflected in the second example, where an internal user attempts to send log files to an external third party for troubleshooting purposes. The internal computer makes an outbound FTP connection to the external party; the IPS sees the traffic, suspects it is malicious, and blocks it. The user continues to try, but the connection attempts keep getting blocked. This would undoubtedly lead to frustration and productivity loss, among other things.
• 77. Before deploying an IPS in blocking mode, security teams should make absolutely certain that they, at least, have a good understanding of traffic patterns in their environment, as well as good knowledge of legitimate business applications. There will be some “misses”, but those should occur in exceptional circumstances alone. IPSs use different detection mechanisms, but the most popular among them are:
  • Signature-based
  • Statistical anomaly
Signature-based detection in an IPS works in the same way as it does in an anti-virus solution. The IPS vendors regularly release signature updates, which are then deployed onto the IPS platform within the enterprise. With an up-to-date signature database, the IPS can detect and block known threats. Statistical anomaly detection, on the other hand, is a type of behavioral-based detection mechanism where an alert is fired when the IPS notices a deviation from the normal network traffic pattern.
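The IDS/IPS behaviour described on slides 75 to 77 (a passive mode that only alerts, an in-line mode that also drops traffic, and signature-based versus statistical-anomaly detection, including the regular-interval beaconing that slide 76 treats as a command-and-control indicator) is shown below as an added example; it is not part of the course slides or any vendor’s product. Everything in it is constructed: the flow records, the two signature names, the IP addresses and the 10 % coefficient-of-variation threshold used to call a connection pattern periodic.

```python
"""Toy IDS/IPS decision engine: signature-based plus statistical (beaconing) detection.

Added example for this course page, not vendor code. Flow records, the signature
list and the periodicity threshold are constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: float          # seconds since the start of the capture
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed signature database: hypothetical name -> byte pattern in the payload.
# Real IPS signatures are far richer; this shows only the shape of the mechanism.
SIGNATURES = {
    "TEST-SIG-PATH-TRAVERSAL": b"../../",
    "TEST-SIG-SHELL-METACHAR": b"; rm -rf",
}


def match_signatures(flow):
    """Return the names of every signature whose pattern occurs in the payload."""
    return [name for name, pat in SIGNATURES.items() if pat in flow.payload]


def beacon_score(timestamps):
    """Coefficient of variation of the gaps between connections (0.0 = perfectly periodic)."""
    if len(timestamps) < 4:
        return None                      # too few samples to judge periodicity
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else None


def detect_beacons(flows, max_cv=0.1):
    """Flag (src, dst) pairs whose connection timing is near-periodic."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f.ts)
    hits = []
    for pair, stamps in by_pair.items():
        cv = beacon_score(stamps)
        if cv is not None and cv <= max_cv:
            hits.append(pair)
    return hits


def run_sensor(flows, mode):
    """mode='ids' only alerts; mode='ips' also drops the offending flows in-line.

    Returns (alerts, blocked): alerts is a list of (src, dst, dport, reasons),
    blocked is the list of Flow objects that would have been dropped."""
    assert mode in ("ids", "ips")
    alerts, blocked = [], []
    beaconing = set(detect_beacons(flows))
    for f in flows:
        reasons = match_signatures(f)
        if (f.src, f.dst) in beaconing:
            reasons.append("STAT-ANOMALY-PERIODIC-BEACON")
        if reasons:
            alerts.append((f.src, f.dst, f.dport, reasons))
            if mode == "ips":
                blocked.append(f)
    return alerts, blocked


def demo_flows():
    """Constructed traffic: a host beaconing every 60 s, one signature hit, one benign FTP upload."""
    flows = [Flow(60.0 * i, "10.0.0.5", "203.0.113.10", 443, b"GET /ping") for i in range(1, 7)]
    flows.append(Flow(95.0, "10.0.0.9", "10.0.1.20", 80, b"GET /files/../../config"))
    flows.append(Flow(120.5, "10.0.0.7", "198.51.100.8", 21, b"STOR app.log"))
    return flows


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        alerts, blocked = run_sensor(demo_flows(), mode)
        print(mode, "alerts:", len(alerts), "blocked:", len(blocked))
```

The FTP log upload in the sample passes in both modes because nothing matches it; the false positive that slide 76 describes arises when a signature or baseline is imperfect, which is why the slides insist on understanding normal traffic before switching from detect-only to blocking.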
• 78. The overall goal of a network access control solution is to prevent unauthorized, non-compliant, or infected endpoints from contaminating the network by getting other hosts infected. An endpoint that has been off the network for some period of time is considered hostile and must be thoroughly examined by the NAC solution before it is allowed back on the network. The endpoint in the example on the second slide is allowed to access the network because it meets all the requirements defined in the corporate access policy and is therefore recognized by the NAC solution as an authorized endpoint.
• 79. The endpoint in this example is disallowed from accessing the network because it is unrecognized by the NAC solution, probably because it’s personally owned or its user is not a full-time employee of the company.
• 80. The web security gateway (or secure web gateway) used to be referred to as a proxy server before evolutions in the cyber threat landscape necessitated enhancements in its capabilities. Because the Internet is such a hostile environment, outbound requests to potentially harmful web content must be tightly controlled. This product works by categorizing different websites, which then allows organizations to select categories that should be permitted (e.g., news, research, sports, etc.) and ones that should be blocked (e.g., hacking, pornography, gambling, etc.). The following snapshot from Bluecoat—one of the leaders in the WSG market space—shows examples of the different category types available. More information is available at https://sitereview.bluecoat.com/testcategories.jsp.
• 81. In this example, a user attempts to access www.123.com, which is categorized by the WSG as malicious. The WSG terminates the connection and sends a warning message (block page) to the user explaining why his/her request is not allowed.
• 82. Cloud Security Technology Solutions
On completion of this section, you will:
  • Be familiar with different cloud security technology products
  • Understand the key features and functionalities of cloud access security broker (CASB) technology solutions
  • Understand the similarities between on-premise and cloud-based information systems and security technology products
  • Know some of the leading cloud security technology vendors
• 83. The “cloud” has revolutionized how organizations do business today. There is a great business case for cloud adoption—reduced carbon footprint, agility, lower total cost of ownership (TCO), and higher return on investment (ROI) are just a few justifications, which are compelling enough to make business leaders consider moving their information systems to the cloud. With this drive towards the cloud comes the need to secure externalized information systems regardless of their location. Security technology vendors have now responded to this need by creating cloud-based equivalents of on-premise solutions. Some of the most popular security capabilities that exist in the cloud today include:
  • Web security gateway
  • Data leakage prevention
  • E-mail security gateway
  • Encryption and key management
  • Cloud access security broker (CASB)
• 84. A cloud-based web security gateway delivers the same functionality as an on-premise web security hardware appliance, but eliminates the hardware requirements. The cloud-based WSG sits in-line between the endpoint and the Internet, inspecting every web request originated at the endpoint. One of the advantages of this model is that the endpoint is protected whether it is on the network (at the corporate office, for example) or off the network (at a coffee shop). A cloud-based WSG offers a wide range of security capabilities, including (this list is not exhaustive):
  • URL filtering to block web requests deemed unauthorized by an organization’s policy
  • Threat detection and prevention
  • Application control (i.e., control traffic to Facebook, YouTube, etc.)
  • Malware detection
  • Cloud sandboxing (i.e., detonate files that appear to be malicious)
• 85. This slide presents examples of authorized and unauthorized web requests and how they are handled by the cloud-based WSG.
• 86. A cloud-based DLP solution offers the same functionality as an on-premise DLP hardware appliance, but the main selling point is the reduction in hardware footprint. Just like the cloud-based WSG, the cloud-based DLP solution sits in-line between the endpoint and the Internet, inspecting every bit of data that an endpoint sends out to the Internet. Some cloud-based WSGs include DLP capabilities as part of their service offering. In the first part of the example on the second slide, an internal employee attempts to send an earnings report to his/her personal Google Drive account in an effort to continue working on the file from home. The cloud-based DLP solution intercepts and blocks the request because the DLP policies were configured to block access to unsanctioned online storage sites. In the second part of the example, a remote employee attempts to upload a spreadsheet containing sensitive information to his/her company’s SharePoint Online site. The cloud-based DLP solution intercepts and blocks the request because the DLP policies were configured to look for sensitive data (such as credit card and social security numbers) in the metadata and body of every file and to prevent files that match those conditions from leaving the organization’s perimeter.
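The two DLP decisions on slide 86 (block an upload to an unsanctioned storage site; block a file whose name, metadata or body contains credit card or social security numbers) as an added example, not the course’s or any vendor’s code. The tenant hostname contoso.sharepoint.com, the sample uploads and the regular expressions are constructed; the Luhn checksum is the standard check a practitioner adds so that every long run of digits (order numbers, for instance) does not trigger the card detector.

```python
"""Toy cloud-DLP policy check: destination sanctioning plus content inspection.

Added example for this page, not a vendor implementation. Hostnames, files and
detectors are constructed; a real product inspects many file types with tuned
detectors and handles far more channels than uploads.
"""
import re
from urllib.parse import urlparse

# Constructed policy: only the company's own SharePoint Online tenant (hypothetical
# hostname) is a sanctioned cloud storage destination; personal Google Drive is not.
STORAGE_HOSTS = {"drive.google.com", "contoso.sharepoint.com"}
SANCTIONED_STORAGE = {"contoso.sharepoint.com"}

# US SSN shape with the impossible area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by spaces or dashes; validated by Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits):
    """Luhn checksum: True when the digit string is a structurally valid card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Return the set of detector labels that fire on the text."""
    hits = set()
    if SSN_RE.search(text):
        hits.add("ssn")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.add("credit_card")
            break
    return hits


def dlp_decision(upload_url, filename, metadata, body):
    """Decide ('allow'|'block', reason) for an outbound upload.

    Mirrors the two slide scenarios: first the destination policy (unsanctioned
    storage site), then content inspection of filename, metadata and body."""
    host = urlparse(upload_url).hostname or ""
    if host in STORAGE_HOSTS and host not in SANCTIONED_STORAGE:
        return ("block", f"unsanctioned storage site {host}")
    inspected = " ".join([filename, *metadata.values(), body])
    hits = find_sensitive(inspected)
    if hits:
        return ("block", "sensitive data: " + ", ".join(sorted(hits)))
    return ("allow", "")


if __name__ == "__main__":
    # Constructed uploads matching the slide's two scenarios plus a benign one.
    print(dlp_decision("https://drive.google.com/upload", "earnings_q3.xlsx", {}, "revenue figures"))
    print(dlp_decision("https://contoso.sharepoint.com/sites/finance/upload", "staff.xlsx",
                       {"author": "hr"}, "SSN 123-45-6789"))
    print(dlp_decision("https://contoso.sharepoint.com/upload", "orders.csv", {},
                       "Order 1234567890123 shipped"))
```

The third call is the case the Luhn check exists for: a thirteen-digit order number has the shape of a card number but fails the checksum, so the upload to the sanctioned site is allowed rather than producing the kind of false positive that erodes users’ trust in the control.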
• 87. [diagram-only slide]
• 88. In the first part of the example on the second slide, an employee sends a benign e-mail to her boss requesting time off. The e-mail is intercepted and inspected by the cloud-based e-mail security gateway. The cloud-based e-mail security gateway determines that the e-mail is benign and proceeds to route it to the destination mailbox. The second part of this example shows an adversary crafting a malicious e-mail to the organization’s HR Director. The cloud-based e-mail security gateway intercepts and inspects the e-mail, and identifies a malicious attachment. The e-mail is then quarantined for further analysis and eventual deletion.
• 89. [diagram-only slide]
• 90. In the example on the second slide, an employee needs to store confidential files in an Amazon Web Services (AWS) S3 storage bucket. Company policies mandate that any data deemed confidential must be encrypted at rest. The cloud-based encryption gateway is configured to intercept user traffic, inspect it for matching conditions (i.e., keywords or classification labels defined by the company), and encrypt the data if the traffic matches a pre-configured encryption policy. Before beginning the encryption process, the cloud encryption gateway must fetch the encryption keys, which are typically stored within the organization’s perimeter. After the data is encrypted, the cloud encryption gateway routes the encrypted files to the AWS S3 storage bucket.
• 91. To decrypt the data, the cloud-based encryption gateway reverses the process described in the previous slide. The user retrieves the encrypted file from the AWS S3 storage bucket, and the request is intercepted by the cloud encryption gateway. To decrypt the file, the cloud encryption gateway must retrieve the encryption keys from the organization’s internal network. The decrypted file is then delivered to the requestor.
• 92. Cloud access security brokers (CASBs) are on-premise or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to enforce enterprise security policies as cloud-based resources are accessed. Examples of security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention and so on [18]. CASB products provide an integral layer of security centering around the following pillars of security [19]:
  • Visibility – which users are accessing the company’s cloud-based data and what devices are they using? Being able to easily identify risky data exposures and/or user behavior across all cloud-based resources is the first step in securing the environment.
  • Compliance – a CASB solution helps organizations fulfill their compliance obligations by making it possible for them to have a similar level of protection, access, and visibility into their cloud-based assets as though they were on-premise.
  • Data Security – identifying, monitoring, and securing sensitive data are critical aspects of data security that can be achieved through the use of a CASB solution.
  • Threat Protection – this is the ability to identify, mitigate, and remediate threat events such as compromised accounts, privileged user account misuse and malware infections in trusted cloud services [20].
• 93. In this example, an employee has accessed a sales SaaS application in an effort to view his/her sales forecast from his/her personally-owned device. Company policies allow employees to view sales data from any endpoint, but prohibit downloading such data to unmanaged devices. The CASB solution intercepts the request and, based on pre-configured access policies, allows the user to view the sales data. When the employee attempts to download the sales report, the CASB solution blocks the attempt, logs the incident, and sends an alert to the security analyst for further investigation.
• 94. Security Information and Event Management (SIEM)
On completion of this section, you will:
  • Understand the fundamentals of Security Information and Event Management (SIEM)
  • Understand the core features and functionalities of a SIEM
  • Through practical use case examples, gain an insight into how value can be derived from a SIEM in an enterprise environment
  • Understand the difference between security information management (SIM) and security event management (SEM)
• 95. A Security Information and Event Management (SIEM) system collects, processes, alerts, and reports on security events across an enterprise network. This technology product increases the efficiency and automation of event monitoring and incident response by collecting events from disparate event sources throughout the network. Rather than log on to different technology products to review/research security alerts or reports, the analyst can now see everything happening on his/her network on one management console. The SIEM collects logs and events from several sources including network assets, firewalls, antivirus management servers, vulnerability scanners, host operating systems, applications, databases, web application firewalls, web and email security gateways, identity and access management systems, file integrity monitors, asset management, and so forth.
• 96. The collected logs are normalized, correlated, enriched and translated into near real-time security alerts. These alerts help the security analyst understand what’s unfolding on their network so as to be able to take response actions. The two primary capabilities offered by this technology product are:
  • Security Information Management (SIM)
  • Security Event Management (SEM)
The slide lists some of the most popular vendors in the SIEM technology space.
• 97. [diagram-only slide]
• 98. As powerful as SIEM products are, they cannot be run in autopilot mode. Organizations get the best out of a SIEM tool only when they do the hard work of properly understanding their business requirements and network environments. In other words, the SIEM needs to be told what should be brought to the analyst’s immediate attention. This is achieved through alert use cases. A use case is a list of actions that define interactions between an actor and a system to achieve a goal [21]. With any security alert use case, the goal of the security analyst is to be quickly notified about unwanted interactions between two systems where a threat actor is controlling at least one of those systems. In a nutshell, before developing an alert use case, security teams need to understand what the business needs. It is this understanding that informs the development of the use case. Consider the following three examples where business requirements informed the development of alert use cases:
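Slides 95 to 98 describe the SIEM pipeline (collect from disparate sources, normalize, correlate, alert) and say that value comes from alert use cases written against business needs. The block below is an added example of that pipeline, not code from any SIEM vendor or from the course: two constructed log formats (Linux sshd and a hypothetical firewall line) are normalized onto one schema, and a single use case fires when an account sees several failed logons from one source address followed by a success from that same address. The sample log lines, the field names, the three-failure threshold and the five-minute window are all constructed.

```python
"""Toy SIEM pipeline: normalize heterogeneous log lines, then run one alert use case.

Added example for this page, not a SIEM vendor's code. The log lines, schema
field names and use-case parameters are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: Linux sshd authentication messages and a hypothetical
# firewall record. Addresses are documentation/test ranges.
SAMPLE_LOGS = [
    "2024-03-01T09:00:01Z sshd[1201]: Failed password for admin from 198.51.100.23 port 50001 ssh2",
    "2024-03-01T09:00:04Z sshd[1201]: Failed password for admin from 198.51.100.23 port 50002 ssh2",
    "2024-03-01T09:00:06Z sshd[1201]: Failed password for admin from 198.51.100.23 port 50003 ssh2",
    "2024-03-01T09:00:09Z sshd[1201]: Failed password for admin from 198.51.100.23 port 50004 ssh2",
    "2024-03-01T09:00:15Z sshd[1201]: Accepted password for admin from 198.51.100.23 port 50005 ssh2",
    "2024-03-01T09:01:00Z FW: action=allow src=10.0.0.5 dst=203.0.113.10 dport=443 bytes=512",
    "2024-03-01T09:05:00Z sshd[1310]: Failed password for bob from 10.0.0.44 port 40001 ssh2",
    "2024-03-01T09:06:00Z sshd[1310]: Accepted password for bob from 10.0.0.44 port 40002 ssh2",
]

SSH_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port")
FW_RE = re.compile(r"^(\S+) FW: action=(\w+) src=(\S+) dst=(\S+) dport=(\d+)")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalize(line):
    """Map one raw line onto the common schema (ts, source, event, outcome, ...).

    Returns None for lines no parser understands; a real SIEM would still store
    them and count them so that parser gaps are visible."""
    m = SSH_RE.match(line)
    if m:
        ts, result, user, ip = m.groups()
        return {"ts": _ts(ts), "source": "sshd", "event": "auth",
                "outcome": "success" if result == "Accepted" else "failure",
                "user": user, "src_ip": ip}
    m = FW_RE.match(line)
    if m:
        ts, action, src, dst, dport = m.groups()
        return {"ts": _ts(ts), "source": "firewall", "event": "connection",
                "outcome": action, "src_ip": src, "dst_ip": dst, "dport": int(dport)}
    return None


def brute_force_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """Use case: at least `threshold` failed logons for one account from one source IP,
    followed by a successful logon for that account from that IP within `window`."""
    failures = defaultdict(list)          # (src_ip, user) -> timestamps of failures
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e.get("event") != "auth":
            continue                      # correlation here only needs auth events
        key = (e["src_ip"], e["user"])
        if e["outcome"] == "failure":
            failures[key].append(e["ts"])
            continue
        recent = [t for t in failures[key] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"rule": "brute_force_then_success", "user": e["user"],
                           "src_ip": e["src_ip"], "failures": len(recent), "ts": e["ts"]})
        failures[key].clear()             # a success closes the sequence either way
    return alerts


def run_pipeline(lines):
    """Collect -> normalize -> correlate. Returns (normalized events, alerts)."""
    events = [ev for ev in (normalize(line) for line in lines) if ev]
    return events, brute_force_then_success(events)


if __name__ == "__main__":
    events, alerts = run_pipeline(SAMPLE_LOGS)
    print(f"{len(events)} events normalized, {len(alerts)} alert(s)")
    for a in alerts:
        print(a)
```

Bob’s single failure followed by a success stays below the threshold and produces nothing, which is the point of writing the use case against what the business considers suspicious rather than alerting on every failed password; the threshold and window are the knobs a team tunes once it knows its own environment.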
• 99. [diagram-only slide]
• 100. [diagram-only slide]
• 101. [diagram-only slide]
• 102. [diagram-only slide]
• 103. Vulnerability Scanners
On completion of this section, you will:
  • Be familiar with a vulnerability scanner and its core features and functionalities
  • Be able to explain why a cyber security team needs vulnerability scanning capability
  • Be familiar with market leaders in vulnerability scanning products
  • Through a practical example, understand how a vulnerability scanner is used in an enterprise environment
• 104. In order for an IT system or application to be attacked, it must first be found vulnerable; therefore, vulnerability scanners give the enterprise defender an insight into what attackers can potentially see during the first phase—reconnaissance—of the cyber attack kill chain. From an attacker’s standpoint, reconnaissance is about gathering intelligence about his/her target, but from a security practitioner’s standpoint, (good) reconnaissance is about gathering intelligence about his/her own network to identify exposure points and configuration weaknesses that an attacker could leverage. Based on this understanding, the defender then prioritizes remediation efforts by focusing on the most critical vulnerabilities first. A vulnerability scanner is a security technology tool used to discover and assess information systems for security weaknesses such as missing patches, application bugs, and misconfigurations. The on-premise version of this scanner can be either hardware- or software-based, while vulnerability scanning is also offered as a service by cloud security service providers such as Qualys. Vulnerability scanning is a critical requirement for any cyber security department as it provides the means to detect vulnerabilities and to validate remediation once the system owner indicates that the necessary action has been taken.
• 105. [diagram-only slide]
• 106. In detecting vulnerabilities, the scanner follows these steps:
  • Step 1a (first slide) – host discovery: the scanner sends ICMP echo requests to every IP address on a particular subnet and waits for a reply to determine which hosts are alive.
  • Step 1b (second slide) – echo reply: alive hosts reply back to the vulnerability scanner.
• 107.
  • Step 2a (first slide) – port scanning: depending on its configuration, the scanner scans discovered hosts to detect what ports they’re listening on. The scanner may be configured to scan the host for well-known ports (0 to 1023) or all ports (0 to 65535).
  • Step 2b (second slide) – the hosts respond to the scanner indicating which ports they are listening on.
• 108.
  • Step 3a (first slide) – the scanner interrogates discovered hosts to determine their individual operating systems.
  • Step 3b (second slide) – hosts respond with information about their operating system (usually at over 99% accuracy).
• 109.
  • Step 4a (first slide) – the scanner interrogates discovered hosts to determine the services running on them and the versions of the applications detected.
  • Step 4b (second slide) – hosts respond with the available information in line with the scanner’s request.
• 110.
  • Step 5a – the vulnerability assessment proper commences. The scanner begins to evaluate every discovered service or application against its own dictionary of vulnerabilities. Vulnerability discovery techniques employed by the scanner can be any one of fuzzing, static analysis, or penetration testing, but that subject is beyond the scope of this course.
  • Step 5b – vulnerable hosts begin to respond back to the scanner.
On completion, a vulnerability scan report is generated and sent to individual system owners to take appropriate remedial actions.
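Steps 1 to 4 on slides 106 to 109 produce an inventory of live hosts, open ports, operating systems and service versions; step 5 evaluates that inventory against a vulnerability dictionary, and slide 104 adds that the same scanner is later used to validate remediation. The block below is an added example of step 5 and of that validation pass, written for this page; it is not the implementation of Qualys, Nessus, Rapid7 or any other product. The service inventory, the dictionary entries (product, version the fix first appears in, severity) and the vulnerability identifiers are constructed placeholders, not real advisories.

```python
"""Toy vulnerability assessment (scanner step 5) and remediation validation.

Added example for this course page, not a scanner vendor's code. The inventory
and the vulnerability dictionary are constructed; PLACEHOLDER-VULN-* identifiers
stand in for real advisory IDs.
"""
from collections import defaultdict


def version_tuple(v):
    """'2.4.49' -> (2, 4, 49) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


# Constructed dictionary: product -> [(vuln id, first fixed version, severity)].
# A service is vulnerable when its version is older than the first fixed version.
VULN_DICT = {
    "httpd": [("PLACEHOLDER-VULN-0001", "2.4.51", "critical"),
              ("PLACEHOLDER-VULN-0002", "2.4.40", "high")],
    "openssh": [("PLACEHOLDER-VULN-0003", "8.9", "medium")],
}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def assess(inventory):
    """inventory: dicts with host, owner, port, product, version (output of steps 1-4).

    Returns findings sorted most critical first, one per (host, port, vuln id)."""
    findings = []
    for svc in inventory:
        for vid, fixed_in, sev in VULN_DICT.get(svc["product"], []):
            if version_tuple(svc["version"]) < version_tuple(fixed_in):
                findings.append({"host": svc["host"], "owner": svc["owner"], "port": svc["port"],
                                 "product": svc["product"], "version": svc["version"],
                                 "vuln": vid, "fixed_in": fixed_in, "severity": sev})
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], f["host"], f["port"]))


def report_by_owner(findings):
    """Group findings per system owner, matching how the slide says reports are distributed."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["owner"]].append(f)
    return dict(grouped)


def validate_remediation(before, after):
    """Diff two assessments: findings fixed, still remaining, and newly appeared."""
    def key(f):
        return (f["host"], f["port"], f["vuln"])
    b, a = {key(f) for f in before}, {key(f) for f in after}
    return {"fixed": sorted(b - a), "remaining": sorted(b & a), "new": sorted(a - b)}


# Constructed scan results before and after the web team upgraded httpd on 10.0.2.10.
SCAN_BEFORE = [
    {"host": "10.0.2.10", "owner": "web-team", "port": 80, "product": "httpd", "version": "2.4.38"},
    {"host": "10.0.2.10", "owner": "web-team", "port": 22, "product": "openssh", "version": "8.4"},
    {"host": "10.0.2.11", "owner": "db-team", "port": 22, "product": "openssh", "version": "9.0"},
]
SCAN_AFTER = [
    {"host": "10.0.2.10", "owner": "web-team", "port": 80, "product": "httpd", "version": "2.4.52"},
    {"host": "10.0.2.10", "owner": "web-team", "port": 22, "product": "openssh", "version": "8.4"},
    {"host": "10.0.2.11", "owner": "db-team", "port": 22, "product": "openssh", "version": "9.0"},
]

if __name__ == "__main__":
    before, after = assess(SCAN_BEFORE), assess(SCAN_AFTER)
    for owner, items in report_by_owner(before).items():
        print(owner, [(f["host"], f["port"], f["vuln"], f["severity"]) for f in items])
    print(validate_remediation(before, after))
```

The validation diff is what closes the loop the slide describes: the two httpd findings disappear after the upgrade, the unpatched OpenSSH finding remains on the same owner’s report, and an empty “new” list confirms the change introduced nothing the dictionary knows about.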
• 111. [diagram-only slide]
• 112. Summary
• 113. Access Control Technology Solutions
Access control is about controlling the flow of information between a subject and an object, where the subject is the requestor (user, process, or application) of access and the object (file or application) is the resource to which access is requested. The fundamental concepts of access control are identification, authentication, authorization, and accountability (or auditability). Access control is such an important security capability that most information systems have some sort of in-built access control functionality.
Application Security Technology Solutions
Application security is the act of protecting enterprise applications against malicious attacks that target application vulnerabilities in order to gain access to their backend database. Web application firewall (WAF), code analysis tool (CAT), and database security platform (DSP) are three of the most popular application security technologies. A WAF detects attacks by comparing traffic destined for the protected resource against expected traffic patterns; the CAT analyzes software applications (internally developed and commercial “off the shelf”) for security flaws; and the DSP complements the WAF by enforcing expected behaviors to help defend against database-specific attacks.
• 114. Data Security Technology Solutions
The three most popular types of data security solutions are encryption and key management, data leakage prevention (DLP), and Digital Rights Management (DRM). When data is encrypted, it is transformed into an unreadable format such that only authorized users with the right decryption keys can read it. Encryption alone is not good enough without effective key management. DLP is the means by which the leakage of sensitive or regulated business data is prevented regardless of its state (i.e., at rest, in use or in transit). Typical leakage channels include removable media, cloud storage, and webmail. DRM offers persistent protection to intellectual property regardless of its location.
Host Security Technology Solutions
Enterprise endpoints (workstations and laptops) are more exposed to threats than servers; therefore they are usually protected by multiple host security software agents. Popular host security solutions include anti-virus, file integrity monitor, application whitelisting, next generation endpoint security solution, and full disk encryption.
• 115. Network Security Technology Solutions
Firewalls used to be the be-all and end-all of network security, but evolution in the threat landscape has completely changed the game. With that said, they remain very critical to network security. Other network security solutions include intrusion prevention system (IPS), network access control (NAC), and web security gateway (WSG). IPS prevents network-based attacks by monitoring network traffic and proactively blocking detected nefarious activities before the attacker does any damage. The main weakness of an IPS is its high probability of blocking legitimate business traffic as a result of false detection. NAC controls access to network resources by ensuring that only hosts that comply with defined security policies are admitted onto the network. WSG protects end-user computers by filtering web traffic to detect and block traffic to malicious sites that could potentially infect an endpoint.
Cloud Security
Widespread adoption of cloud-based services is rapidly changing the IT landscape. As organizations continue to migrate their information systems to the cloud, security technology vendors continue to devise ways to ensure effective protection of those assets sitting outside the network perimeter. Cloud access security brokers (CASBs) are on-premises or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. A CASB solution offers visibility, compliance, data security, and threat protection capabilities.
• 116. SIEM
A security information and event management system collects, processes, alerts, and reports on security events across an enterprise network. The SIEM collects logs and events from several sources including network assets, firewalls, antivirus management servers, vulnerability scanners, host operating systems, applications, databases, web application firewalls, web and email security gateways, identity and access management systems, file integrity monitors, asset management, and so forth. A use case is a list of actions that define interactions between an actor and a system to achieve a goal. With any security alert use case, the goal of the security analyst is to be quickly notified about unwanted interactions between two systems where a threat actor is controlling at least one of those systems.
Vulnerability Scanners
A vulnerability scanner is a security technology tool used to discover and assess information systems for security weaknesses such as missing patches, application bugs, and misconfigurations. Popular vendors in this space are Rapid7, Qualys, Nessus, and Tripwire.
• 117. References
1. https://msdn.microsoft.com/en-us/library/aa746492(v=vs.85).aspx
2. https://msdn.microsoft.com/en-us/library/windows/desktop/aa374876(v=vs.85).aspx
3. https://msdn.microsoft.com/en-us/library/windows/desktop/aa706028(v=vs.85).aspx
4. https://web.mit.edu/kerberos/
5. http://www.veracode.com/sites/default/files/Resources/Whitepapers/what-is-application-security-veracode.pdf
6. https://www.imperva.com/docs/DS_SecureSphere_Web_Application_Firewall.pdf
7. https://www.sitelock.com/web-application-firewall
8. https://www.mitre.org/publications/systems-engineering-guide/enterprise-engineering/systems-engineering-for-mission-assurance/secure-code-review
9. http://aspg.com/10-tips-for-securing-encryption-keys/#.WRJZqFPys_U
10. https://www.thales-esecurity.com/products-and-services/products-and-services/key-management-systems
11. https://safenet.gemalto.jp/resources/data-protection/hsm-risk-management-offer/?LangType=1041
12. http://www.isaca.org/Groups/Professional-English/security-trend/GroupDocuments/DLP-WP-14Sept2010-Research.pdf
13. http://www.isaca.org/Groups/Professional-English/security-trend/GroupDocuments/DLP-WP-14Sept2010-Research.pdf
14. http://www.opentext.com/what-we-do/products/enterprise-content-management/content-management/opentext-rights-management
15. https://www.rsaconference.com/events/us15/agenda/sessions/2022/evasive-malware-exposed-and-deconstructed#sthash.Lc7FCoTs.dpuf
16. NIST SP 800-167, Guide to Application Whitelisting
17. https://www.sentinelone.com/wp-content/uploads/2016/02/WP-Next-Gen-EPP-2016.pdf
18. http://www.gartner.com/it-glossary/cloud-access-security-brokers-casbs/
19. https://www.cloudlock.com/cloud-access-security-broker/
20. https://www.skyhighnetworks.com/skyhigh-threat-protection/
21. https://en.wikipedia.org/wiki/Use_case