1.1 Cyber Security Layers of Defense and Technology Solutions.pdf.pdf
1.
LAYERS OF DEFENSE AND TECHNOLOGY SOLUTIONS
CSAP 301.3
CSAP 301 - Cyber Security for Aspiring Practitioners
2.
CSAP 301.3 - Layers of Defense and Technology Solutions
Course Topics
1. Access Control Technology Solutions
2. Application Security Technology Solutions
3. Data Security Technology Solutions
4. Host Security Technology Solutions
5. Network Security Technology Solutions
6. Cloud Security Technology Solutions
7. Security Information and Event Management (SIEM)
8. Vulnerability Scanners
9. Summary
© DIGISS CSAP 301
3.
Access Control Technology Solutions
On completion of this section, you will:
• Understand the fundamentals of access control
• Be able to explain common terms such as object, subject, authentication, authorization, and accountability
4.
Access control is all about controlling (i.e., denying or permitting) access to a resource. Any technology solution must be capable of making the right determination based on the output of control checks. These checks are in three phases, namely:
• Identification
• Authentication
• Authorization
In addition to these three phases, there are three other elements of access control:
• Accountability
• Subject
• Object
Before discussing access control technologies, we’re going to examine two practical examples of access control in action. In the example presented in these slides, user Luke Boyle is seeking access to a computer system and needs to identify himself by entering his username.
5.
Next, the system needs to know that the individual seeking access is truly Luke Boyle, and so it requires him to authenticate by entering his password. Once Luke’s access to the computer system has been granted, he tries to open a file named employees_salary.xlsx but is unable to do so because he’s not authorized to view the file. The system performing all these checks must also be capable of recording (auditing and logging) all the events to aid investigations should there be a need to retroactively review the user’s activities. This property is called accountability. In our example above, the subject is Luke Boyle whereas the object is employees_salary.xlsx. The subject is typically the entity requesting access to a resource (e.g., a user, application, or process) while the object is the resource being accessed (e.g., a file or an application).
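The four elements from slides 4 and 5 (identification, authentication, authorization, accountability) carried through in code. This is an added Python example, not part of the DIGISS course material; the user store, the object ACL and the audit log sink are constructed for illustration, as are the password and the second object name.

```python
# Added example (not from the DIGISS slides): the four access-control elements
# applied to the Luke Boyle / employees_salary.xlsx scenario.
# The user store, object ACL and audit log are constructed for illustration.
import hashlib
import hmac
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = b"constructed-fixed-salt"  # a real store uses a random salt per user
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "lboyle": (_SALT, _hash_password("correct horse battery", _SALT)),
}

# Constructed object ACL: object -> subjects permitted to read it. Anything
# not listed is denied (default deny).
ACL: Dict[str, Set[str]] = {
    "employees_salary.xlsx": {"hr_analyst"},
    "marketing_plan.docx": {"lboyle", "hr_analyst"},
}

AUDIT_LOG: List[str] = []  # accountability: every decision is recorded here


def _audit(subject: str, action: str, obj: str, outcome: str) -> None:
    ts = datetime.now(timezone.utc).isoformat(timespec="seconds")
    AUDIT_LOG.append(f"{ts} subject={subject} action={action} object={obj} result={outcome}")


def identify(username: str) -> bool:
    """Phase 1: is the claimed identity known to the system at all?"""
    known = username in USERS
    _audit(username, "identify", "-", "known" if known else "unknown")
    return known


def authenticate(username: str, password: str) -> bool:
    """Phase 2: does the subject prove the claimed identity?"""
    if username not in USERS:
        _audit(username, "authenticate", "-", "failure")
        return False
    salt, stored = USERS[username]
    ok = hmac.compare_digest(_hash_password(password, salt), stored)
    _audit(username, "authenticate", "-", "success" if ok else "failure")
    return ok


def authorize(subject: str, obj: str) -> bool:
    """Phase 3: may this authenticated subject read this object?"""
    allowed = subject in ACL.get(obj, set())
    _audit(subject, "read", obj, "permitted" if allowed else "denied")
    return allowed


def request_access(username: str, password: str, obj: str) -> str:
    """Run the three phases in order and stop at the first that fails."""
    if not identify(username):
        return "unknown subject"
    if not authenticate(username, password):
        return "authentication failed"
    return "permitted" if authorize(username, obj) else "not authorized"


if __name__ == "__main__":
    print(request_access("lboyle", "correct horse battery", "employees_salary.xlsx"))
    print(request_access("lboyle", "correct horse battery", "marketing_plan.docx"))
    print("\n".join(AUDIT_LOG))
```

Running the module prints the two decisions and then the audit trail. The point to notice is that the denied read of employees_salary.xlsx is logged even though identification and authentication both succeeded: accountability covers the failed authorization, not only the logon.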
6.
Example 2
Identification
Now, imagine that Luke Boyle has just been hired as a bank teller at Royal Bank. On his second day at work, the security guard asks to see his ID badge to be sure that Mr. Boyle is a member of the bank’s staff.
7.
Authentication
Next, Mr. Boyle proceeds to his department and needs to prove that he is indeed a member of that department by swiping his badge to gain access.
8.
Authorization
Once access is granted, he settles in and commences his daily work-related activities. In the process, he needs to place some cash in the vault, but on attempting to access the vault, he is denied entry because he is not authorized to access the vault.
9.
Accountability
Royal Bank’s computer systems are configured to log every successful and failed attempt to gain access to the vault. Hence, Luke’s failed attempt was logged and a system-generated alert was sent to the security department. In addition, a security guard standing post in the vault’s lobby has manually logged Luke’s attempted access to the vault.
10.
In this example, Luke Boyle is the subject while the vault is the object.
11.
Access control is a broad subject in cyber security. This control applies to (and is enforced at) every layer of defense implemented around digital assets that organizations want to protect. The overall goal of any access control solution is to regulate access from a requesting entity (subject) to a requested resource (object).
12.
There are three broad categories of access control, namely:
• Administrative (e.g., policy)
• Physical (e.g., entrance gate or security guard)
• Technical (i.e., logical access control to computer systems and other digital resources)
The focus of this module, however, is technical (or logical) access control. Various access control specific technology products exist on the market today, but most access control functionalities are built into other technology products. For instance, an entity must be correctly identified and authenticated before being allowed to use any information system; therefore, almost every technology product is capable of identifying and authenticating such an entity. Where access control is centralized, the task of identifying and authenticating such entities is typically delegated to an enterprise Identity and Access Management platform.
13.
The access controller’s main purpose is to provide centralized authentication services by granting or denying access to objects. Thus, it needs to know about every object on the network to which access must be controlled. Every computer system (server or workstation) and user in a Microsoft Windows enterprise environment is contained in Active Directory. In the authentication example presented on the first slide, a subject logs on to a computer system by providing his/her domain user credentials. The computer system passes the subject’s credentials to an AD server for validation. If the credentials are validated, AD sends an “authentication success” message back to the computer system, which in turn grants the subject access to the object. In a highly sensitive and controlled enterprise environment, specialized access control technology products (such as smart cards or hardware tokens) may be required in addition to username and password to gain access to any domain-joined computer system.
14.
Network devices have the ability to authenticate users locally, but a TACACS or RADIUS server is typically used in an enterprise environment for centralized administration. TACACS is short for Terminal Access Controller Access Control System. This protocol was developed by Cisco for handling remote authentication for network devices through a centralized server. RADIUS, which stands for Remote Authentication for Dial-in User Service, is also a networking protocol that provides centralized access control services. Both authentication protocols proxy authentication requests and responses back and forth between the end user and the enterprise directory server(s).
15.
The primary function of a firewall is to control access from a subject to an object. Access control lists (ACL) are implemented on firewalls for this purpose. Best practice dictates that access from one network location to the other—when separated by a firewall—must be implicitly denied unless explicitly allowed through firewall access control configuration. In the example on the first slide, the HR analyst at computer address 10.10.10.10 was able to access the resource on the server at 10.10.20.20 because that traffic was explicitly allowed across the firewall, having been determined to be legitimate business traffic. In the example on the second slide, the marketing director tries to access the CRM web application. The username lboyle@company.com is how the access controller (Active Directory) identifies the user, while the password is how the user proves that he’s indeed Luke Boyle. The authentication request will be granted once those credentials are successfully validated.
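The implicit-deny rule of slide 15 as executable logic. This is an added Python example, not course or vendor code: the rule set is constructed around the slide’s 10.10.10.10 to 10.10.20.20 flow, and the port numbers (445 for the file share, 53 for DNS) are assumptions added here. It also generalizes the slide’s single flow to a first-match-wins list, which is how firewall ACLs are commonly evaluated.

```python
# Added example (not from the DIGISS slides): a firewall ACL evaluated
# first-match-wins with an implicit deny for anything that matches no rule.
# Rule set and port numbers are constructed assumptions.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # None means any destination port
    action: str           # "allow" or "deny"


def rule(src: str, dst: str, dport: Optional[int], action: str) -> Rule:
    return Rule(ipaddress.ip_network(src, strict=False),
                ipaddress.ip_network(dst, strict=False), dport, action)


# Constructed rule set. Order matters: the first matching rule decides, and a
# flow that matches no rule falls through to the implicit deny at the end.
ACL: List[Rule] = [
    rule("10.10.10.10/32", "10.10.20.20/32", 445, "allow"),  # HR analyst -> file server
    rule("10.10.10.0/24", "10.10.20.0/24", 53, "allow"),     # workstations -> DNS
]


def evaluate(acl: List[Rule], src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Return (action, reason) for one flow; the reason is what you would log."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for index, r in enumerate(acl, 1):
        if s in r.src and d in r.dst and (r.dport is None or r.dport == dport):
            return r.action, f"rule {index}"
    return "deny", "implicit deny"


if __name__ == "__main__":
    for flow in [("10.10.10.10", "10.10.20.20", 445),   # the slide's legitimate flow
                 ("10.10.10.11", "10.10.20.20", 445),   # another workstation, same share
                 ("10.10.10.11", "10.10.20.5", 53)]:    # DNS, allowed by the subnet rule
        print(flow, "->", evaluate(ACL, *flow))
```

Note that the second flow is refused even though no rule mentions 10.10.10.11: the absence of an explicit allow is the deny, which is exactly the best practice the slide states.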
16.
The above diagram is an example of where a purpose-built security technology product is used to provide access control service. The financial strategist tries to access a protected (encrypted) file share. However, in this instance, the resource can only be accessed if the subject has previously been issued the right cryptographic key, which is what is required to unlock (decrypt) the protected (encrypted) file share. Cryptography is an advanced field of computer security, which is beyond the scope of this course, but from a conceptual standpoint it is the bedrock of information confidentiality. Technology solutions that offer cryptographic services mainly translate plaintext into gibberish that can’t be understood by anyone not authorized to read it.
17.
Active Directory (AD) is a special-purpose database designed to handle a number of operations [1]. Chief among these operations is the process of controlling users’ access to resources. Access control for objects in AD Domain Services is based on Windows access control models, which enable the system to control the ability of a subject to access a protected object or perform various other tasks [2]. Access privileges for resources in Active Directory Domain Services are usually granted through the use of an access control entry (ACE). An ACE defines access or audit permission on an object for a specific user or group [3]. Lightweight Directory Access Protocol (LDAP) is the protocol used to query AD for the requested resource/object (workstation or server) in order to determine its attributes, while Kerberos is the authentication protocol that allows the user (subject) to access the workstation or server.
18.
The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection. After a client and server have used Kerberos to prove their identities, they can also encrypt all of their communications to assure privacy and data integrity as they go about their business [4].
19.
Subjects are typically authenticated by access controllers through the use of one or a combination of the following:
• Something you have – this is typically a hardware token that generates a random number at regular intervals. It is the type that is issued by financial institutions to online banking customers to reduce the risk of electronic fraud. It could also be a soft token such as an application installed on a smartphone that generates random numeric characters every time a button is pushed. Hard and soft tokens pretty much serve the same purpose.
• Something you are – this is typically a user’s unique physical characteristics or biometrics such as a fingerprint. It is typically the most secure because it’s pretty much impossible to replicate an individual’s unique physical characteristics.
• Something you know – another name for this is knowledge-based authentication. An example is a password and/or the answer to security questions such as mother’s maiden name or place of birth.
20.
These slides present examples of “something you have”, “something you are”, and “something you know” authentication modes. SecurID RSA hard and soft tokens are typically used by employees to gain remote access to their organization’s network through a VPN connection. These tokens can also be used by IT administrators to gain access to critical internal systems through a remote desktop connection (RDP).
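How the “something you have” token of slides 19 and 20 is verified on the server side. This is an added Python example, not the RSA SecurID algorithm and not course material: it implements the open time-based one-time password standard (RFC 6238 TOTP over RFC 4226 HOTP) with the standard library, which is the same idea the slide describes, a shared secret turned into a short code that changes every 30 seconds. The shared secret is the RFC 6238 reference test key and is a constructed value here.

```python
# Added example (not from the DIGISS slides): server-side verification of a
# time-based one-time code, the "something you have" factor. Implements
# RFC 4226 HOTP and RFC 6238 TOTP with the standard library only.
import hashlib
import hmac
import struct
import time

SECRET = b"12345678901234567890"  # constructed: the RFC 6238 reference secret
STEP = 30                         # seconds each code is valid
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at_time // step)


def verify_totp(secret: bytes, code: str, at_time: int, window: int = 1) -> bool:
    """Accept the current code and +/- `window` steps to absorb clock skew
    between token and server. compare_digest keeps the check constant-time,
    and a code outside the window is rejected even if it was once valid."""
    counter = at_time // STEP
    return any(hmac.compare_digest(hotp(secret, counter + delta), code)
               for delta in range(-window, window + 1))


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SECRET, now)
    print("code for this 30-second step:", code)
    print("verifies now:", verify_totp(SECRET, code, now))
    print("verifies two minutes later:", verify_totp(SECRET, code, now + 120))
```

The token in the user’s hand and the verifier both compute the same function of the shared secret and the clock; the code never travels back, only the secret is what has to be protected at enrolment. Combined with a password check such as the one in the earlier access-control example, this gives two factors from two different categories, which is the combination the slide calls for.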
21.
Application Security Technology Solutions
On completion of this section, you will:
• Grasp the fundamental concept of application security
• Understand different types of application security technology solutions
• Be familiar with major vendors of application security products
• Be able to describe core features and functionalities of application security products
22.
Application security is what an organization does to protect its critical data from external and internal threats by ensuring that every piece of software used to run the business is appropriately identified, cataloged and secured [5]. Application security is a broad field within cyber security. Every organization needs different types of applications, acquired from multiple sources, to achieve business objectives. The proliferation of different applications in an enterprise environment therefore presents an attractive attack surface to the adversary. Applications are essentially data gatekeepers, because once an application is breached, the backend data becomes highly susceptible to compromise given that the attacker can then abuse the trust relationship that exists between the application and the database.
23.
One application security technology tool, otherwise known as a code analysis tool, among other things helps identify, fix, and prevent security vulnerabilities in any kind of software application. Other application security technology products protect enterprise applications by detecting and preventing attacks that target the applications. Examples of these are:
• Web application firewall (WAF)
• Email security gateway
• Database security platform (DSP)
Web servers are the most susceptible to attacks because of the business requirement to have web applications available to service users on the Internet. Web application firewalls are typically deployed “in-line” between the client and the protected web server to detect and block malicious traffic destined for the protected web server. A WAF compares traffic destined to the protected resource against expected traffic patterns (or known baselines) and performs response actions based on preconfigured trigger conditions. One of the most popular vendor products on the market is Imperva SecureSphere, which automates the process of learning application structure and expected user behavior by profiling protected applications and building a baseline or “white list” of acceptable user behavior [6].
24.
As with most technology solutions on the market today, a WAF product can be deployed as a physical appliance, virtual appliance, or in the cloud. Some cloud service providers also offer WAF as a service. Sitelock Trueshield is one good example of an advanced cloud-based web application firewall [7]. Examples of technology products include:
• Imperva SecureSphere
• Citrix
• Trustwave
• F5
• Fortinet
25.
The next three slides present an example of a legitimate web transaction between a client’s browser and a web application server and describe the behavior of the WAF under such circumstances.
1. The user “Luke Boyle” makes a visit to www.crm.com with the traffic traversing a WAF for inspection.
2. This traffic, being legitimate, is permitted through the WAF.
3. Access to the requested web resource is subsequently granted and the user is presented with the login page to www.crm.com.
26.
4. The user then attempts to log into the web application by entering his username and password.
5. This expected and legitimate traffic is permitted by the WAF and the user gains access to the web resource.
27.
These two slides present an example of a malicious web transaction between a client’s browser and a web application server and describe the behavior of the WAF under such circumstances. The first four steps of this communication are exactly the same as in the previous example, but the access request that tries to trick the web application into running malicious commands is detected and blocked by the WAF in step five.
1. The user “Luke Boyle” makes a visit to www.crm.com with the traffic traversing a WAF for inspection.
2. This traffic, being legitimate, is permitted through the WAF.
3. Access to the requested web resource is subsequently granted, and the user is presented with the login page to www.crm.com.
4. Instead of entering his username and password, the user types SQL commands in the username and password fields in an attempt to conduct a SQL injection attack against the web application and its database.
5. The WAF identifies the SQL traffic and, since it deviates from the expected behavior, the request is blocked, and the session is terminated.
28.
DSP complements WAF by introducing an additional layer of protection. DSP will block anomalous database commands in the event that the WAF fails to detect these hostile commands at the web application layer.
29.
The slide above presents an example of a malicious web transaction and describes the behavior of the DSP under such circumstances.
1. A user enters SQL commands into the username and password fields of the www.crm.com web application in an attempt to perform a SQL injection attack against the web application and its database.
2. Assuming that there is no WAF protecting the web application or that the WAF is inadequately configured, the request is not blocked at the web application layer.
3. The request reaches the web application server and gets processed.
4. The DSP protecting the database server identifies the SQL commands in the transaction as abnormal and blocks the request.
The commands entered into the form field of the CRM web application are intended to return all credit card records in the SQL database. However, with a well configured and implemented DSP in place, this sort of malicious command will be blocked while security analysts monitoring the system will be promptly notified to enable them to take appropriate response actions.
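The two detection layers of slides 23 to 29 side by side: a WAF-style check of login form fields against a learned baseline, and a DSP-style check of the SQL statement that reaches the database against the statement shapes the application is known to issue. This is an added Python example, not Imperva or any vendor’s logic and not course material; the baseline profile, the expected statement shapes, the string-built login query (which stands in for the vulnerable CRM application the slides assume) and the sample transactions are all constructed. The injected value used in the samples is the textbook tautology the slides allude to, included only so the detection path can be exercised.

```python
# Added example (not from the DIGISS slides, not vendor code): a WAF-style
# baseline check on form fields followed by a DSP-style check on the SQL
# statement the application issues. Profiles, shapes and samples constructed.
import re
from typing import Dict, Set, Tuple

# --- WAF layer: learned profile of the login form -------------------------
# A profiling WAF learns per parameter what legitimate users send; here the
# learned baseline is written out by hand. Passwords legitimately contain
# punctuation, so that field can only be bounded by length.
FORM_PROFILE = {
    "username": {"max_len": 64, "pattern": re.compile(r"^[A-Za-z0-9._@-]+$")},
    "password": {"max_len": 128, "pattern": re.compile(r"^[^\x00-\x1f]*$")},
}


def waf_inspect(params: Dict[str, str]) -> Tuple[str, str]:
    for name, value in params.items():
        prof = FORM_PROFILE.get(name)
        if prof is None:
            return "block", f"unexpected parameter {name!r}"
        if len(value) > prof["max_len"]:
            return "block", f"{name}: length {len(value)} exceeds baseline"
        if not prof["pattern"].match(value):
            return "block", f"{name}: characters outside learned baseline"
    return "allow", "matches baseline"


# --- DSP layer: whitelist of statement shapes the application is known to issue
def sql_shape(statement: str) -> str:
    """Replace literals with ? and normalise whitespace/case so statements that
    differ only in their values share one shape. Extra clauses change the shape."""
    s = re.sub(r"'(?:[^']|'')*'", "?", statement)               # string literals
    s = re.sub(r"\b\d+(?:\.\d+)?\b", "?", s)                     # numeric literals
    s = re.sub(r"--.*?$|/\*.*?\*/", " ", s, flags=re.M | re.S)   # comments
    return " ".join(s.split()).upper()


EXPECTED_SHAPES: Set[str] = {
    sql_shape("SELECT id FROM users WHERE username = 'u' AND password = 'p'"),
    sql_shape("SELECT id, name FROM customers WHERE id = 42"),
}


def dsp_inspect(statement: str) -> Tuple[str, str]:
    shape = sql_shape(statement)
    if shape in EXPECTED_SHAPES:
        return "allow", "known statement shape"
    return "block", f"unknown statement shape: {shape}"


# --- The application in between ---------------------------------------------
def login_query(username: str, password: str) -> str:
    """The string-built query the slides' scenario assumes the CRM application
    issues. A fixed application would bind parameters instead; this form is
    kept deliberately so the DSP layer has something to catch."""
    return f"SELECT id FROM users WHERE username = '{username}' AND password = '{password}'"


def process_login(params: Dict[str, str], waf_enabled: bool = True) -> Tuple[str, str]:
    """Request path: WAF (if deployed) -> application -> DSP -> database."""
    if waf_enabled:
        action, reason = waf_inspect(params)
        if action == "block":
            return "blocked by WAF", reason
    action, reason = dsp_inspect(login_query(params["username"], params["password"]))
    if action == "block":
        return "blocked by DSP", reason
    return "processed", reason


# Constructed sample transactions.
LEGIT = {"username": "lboyle@company.com", "password": "S3cret!pass"}
INJECT_USER = {"username": "' OR '1'='1", "password": "x"}
INJECT_PASS = {"username": "lboyle", "password": "' OR '1'='1"}

if __name__ == "__main__":
    print("legitimate:        ", process_login(LEGIT))
    print("inject via username", process_login(INJECT_USER))
    print("inject via password", process_login(INJECT_PASS))
    print("no WAF, username:  ", process_login(INJECT_USER, waf_enabled=False))
```

The third sample is the case slide 28 is about: the password field legitimately allows punctuation, so the WAF profile cannot reject the injected value, but the statement that results has an extra OR clause, its shape is not one the application ever issues, and the DSP blocks it. The fourth sample shows the same DSP catch when no WAF is deployed at all.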
30.
Email remains one of the primary delivery mechanisms for malicious software. According to the latest (2017) Verizon Data Breach Investigations Report (DBIR), which surveyed over 65 organizations, two out of every three malware installations were via malicious email attachments. An email security gateway (ESG) protects the email application against attacks, but unlike other application security technology solutions, the end user is the ultimate target, because this solution is essentially stopping malicious emails from getting to the user, who may be lured into opening a malicious attachment and thus infecting their workstation. The deployment model of an ESG solution can be either appliance-based or cloud-based, but the same threat detection mechanism applies regardless of the mode of deployment. The ESG, using its malware detection engine, tests every email (with or without a malicious attachment) against all conventional security checks, such as using anti-malware signatures or looking up embedded URLs in known reputation databases.
31.
Zero-day attacks are threats that have not been seen before; therefore, using signature-based detection for this category of attack is not effective. Most ESG products on the market today have the ability to detonate suspicious files in a sandboxed environment for in-depth analysis of their behavior, after which a determination is made whether to deliver the email to the intended recipient or block it. The above diagram shows two examples of emails sent to an enterprise user by different actors. In the first example, the ESG analyzes the email and forwards it to the user after determining it to be safe. The second example depicts a threat actor whose email is blocked because it contains a malicious attachment.
32.
A code analysis tool, among other things, helps identify, fix and prevent security vulnerabilities in any kind of software application. This application security technology product must be prioritized by organizations that use a lot of internally developed applications. Most application vulnerabilities are introduced during the code development stage. A code analysis tool alleviates this problem by providing insight into the types of flaws present, while helping the application's developers understand what classes of issues exist. The goal is to arm the developers with information that helps them make the application's source code more secure, thus increasing the quality of an application by reducing its number of vulnerabilities. Using code analysis tools to reduce application vulnerabilities makes it more difficult for a malicious user to exploit them [8]. There are two techniques for code analysis, namely:
• Static
• Dynamic
33.
Static code analysis inspects the static, or non-running, source code to identify security vulnerabilities or flaws. Static code analysis is also referred to as “white-box” testing. Dynamic code analysis, on the other hand, inspects the software while it is running, by feeding it data in real time and by emulating the actions of a real-world attacker. Code analysis ensures that software bugs and security flaws are identified and fixed throughout the software development lifecycle. Software developers are often pushed to develop new applications or enhancements quickly. Product release deadlines may force developers to cut corners and bypass the code analysis phase, releasing software with functionality flaws and risky security issues. Identifying and fixing security flaws before an application is released to production is crucial, as it reduces the likelihood of an adversary finding and exploiting such flaws. Successful exploitation of an application vulnerability could lead to a data breach, for which remediation efforts could prove costly to the affected organization.
34.
35.
Data Security Technology Solutions
On completion of this section, you will:
• Understand different types of technology products that can be deployed to secure enterprise data
• Be familiar with data encryption, data leakage prevention (DLP), and digital rights management (DRM)
• Understand the concepts of “data in use”, “data at rest”, and “data in motion”
• Be familiar with practical use cases of data security technology products in an enterprise environment
36.
Every IT business is driven by data which, in some cases, can become a valuable target for an adversary. Data security is the act of protecting data at rest (e.g., stored on a computer hard drive), in transit (e.g., travelling from an end-user to an e-commerce website), and in use from unauthorized disclosure or destruction. Data security is an essential aspect of any organization that is serious about safeguarding its most valuable data. There are three (3) main types of data security technology solutions, which will be covered in detail in the next few slides. These technologies are:
• Encryption and key management
• Data leakage protection (DLP)
• Digital rights management (DRM)
37.
Encryption and key management go hand in hand. The secrecy of a cryptographic key is far more important than the complexity of the encryption algorithm. Without a centralized key management capability, encryption keys will be stored next to the disk, file, folder, or database they decrypt; therefore, if the computer in question is compromised, so will be the keys. Managing encryption keys can be very daunting because they grow exponentially in an enterprise environment where cryptographic keys and digital certificates are in widespread use. As each encrypted item has its own key, the management and protection of thousands of encryption keys within an enterprise becomes a huge undertaking. Once data is secured through encryption, the encryption keys themselves must be guarded from theft or accidental loss [9]. This is why a centralized key management technology solution is a critical capability for any organization with a business need to protect its critical data.
38.
Encryption transforms plaintext (a readable message) into ciphertext (an unreadable message) through the application of an encryption algorithm and a cryptographic key. Decryption has the opposite effect: when the ciphertext is run through the same encryption algorithm using the same cryptographic key that was used to encrypt the message, the resulting output is the original plaintext message.
39.
Data can be protected at rest on a computer’s hard drive by applying full-disk encryption. Data can also be protected while it is being used and stored in memory by applying memory encryption. And lastly, data can be encrypted in transit using certificates.
40.
Encryption is not complete without key management, because the secrecy of your key determines the secrecy of your data. Most organizations encrypt data and store the key on the same system where the encrypted data resides. If the system were to be compromised, it would be trivial for an adversary to locate the key and use it to decrypt the data. A hardware security module (HSM) is a dedicated appliance designed for the protection, management, and processing of cryptographic keys. In order to reduce the risk of data breaches and to monitor protection, security controls across networks must be centrally managed using a high-assurance system that protects keys from abuse or theft and reliably distributes them over long periods for authorized use only [10]. Cryptographic key management can also be software-based. In this implementation, the key management software is installed on an existing server, which then acts as the HSM. While this helps reduce the hardware footprint and investment cost, there is an associated performance cost due to latency in the cryptographic processes. This can present a different kind of problem in any organization where the objective is to minimize the latency introduced by cryptography.
41.
HSMs have an obvious advantage over their software counterparts in that they are designed to optimize the efficiency of cryptographic processing. Compared to software running on general-purpose servers, HSMs will accelerate processing—an outcome of being purpose-built [11].
42.
A data leakage prevention (DLP) technology solution prevents the misuse, theft, and abuse of sensitive or regulated data within an enterprise environment. There are various reasons why an organization will want to protect its high-value data (such as unpublished financial performance reports, market research data, or strategic information relating to merger and acquisition activities). A single data leakage event may spell the end of a project that has cost several million dollars or cause the loss of competitive advantage; therefore, preventing leakage of business-critical data is an essential business requirement. Fundamentally, every DLP solution must be able to [12]:
• Locate and catalog sensitive information stored throughout the enterprise
• Monitor and control the movement of sensitive information across enterprise networks
• Monitor and control the movement of sensitive information on end-user systems
43.
These three (3) core functionalities are aligned with the different states in which data may exist in its lifecycle. These states are:
Data at rest – the DLP solution must be able to scan the network to identify different file types, their names, and where they are located on the network. Upon discovery, the contents of the files must be analyzed and, depending on DLP policy settings, information about files of interest will be collected and communicated to the security engineer for further action.
Data in transit – this is also referred to as data in motion. The DLP tool must be capable of passively monitoring network traffic for suspicious data leakage events through network leakage channels (such as email, online storage systems, and webmail). If sensitive data is detected flowing to an unauthorized destination, the DLP solution should have the capability to alert on and optionally block the data flows in real or near-real time, based on the rule set defined within its central management console [13].
Data in use – from a leakage prevention standpoint, this is the hardest category of data to protect, because the fact that the user already has it open means they can already see the content. If the information interests the user, there are different means by which it can be misused. The easiest and most common way is by copying the data onto a USB thumb drive. Other ways include copying and pasting the data into another application, attaching it to an email, sending it to the printer, or using a smartphone to take pictures of the pages of interest. All but one of these leakage methods (phone photos) can be prevented with the use of a DLP endpoint agent.
44.
Another simple way to reduce the risk of leakage of data in use is by developing and applying a policy that controls the use of personal mobile storage devices on company-owned computers across the enterprise. A technical control must be implemented to enforce this policy. One way of doing this is by disabling the USB ports of enterprise workstations unless the flash drive in use is an enterprise-approved one obtained from the IT department.
45.
The scenario in this slide is representative of how a DLP tool can prevent the theft of a company’s intellectual property by an insider threat actor. Consider that the employee is leaving this organization to go and work for a competitor who will benefit from learning about the market research data and future plans of their current employer (hopefully no competitor hires anyone for this purpose!). The DLP tool intervenes when this employee attempts to upload these classified files to an online storage service, blocking the data leakage attempt and sending an alert to security operations center analysts for proper investigation. Bear in mind, though, that the leakage path depicted here is one of many possible leakage channels. Another insider threat actor may choose to use a USB flash drive to copy the data, or send the files as email attachments from the corporate email application (such as Microsoft Outlook) to a personal webmail inbox (e.g., Gmail or Yahoo!). Every enterprise-grade DLP solution will be capable of addressing these use cases as well.
46.
In order to get a great return on security investment (ROSI), the DLP tool must be optimally configured and constantly tuned to reduce the number of false positive alerts. A false positive alert creates an incident where there isn’t one, by notifying the security analyst of an ongoing incident when the event is in fact benign. A false positive happens when the detected event is similar to an unwanted event defined by the DLP policy. Below is an example of how a false positive alert could unfold:
1. The DLP tool is configured to send an alert whenever any document that contains an IP address such as 210.23.34.200 is detected in transit.
2. A user attempts to email a file that contains the phone number 210.498.2327.
3. The DLP tool flags it as a data leakage attempt, blocks the email and notifies the security analyst.
This lose-lose situation represents an example of how security activities can get in the way of the business through a negative user experience; therefore, it is extremely important for cyber security practitioners to ensure that incidents like this are reduced to the very minimum. This can only be achieved through continuous tuning and capability improvement.
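The false positive above comes from an IP-address rule that is looser than it needs to be. As an added example (not part of the course material), the Python below runs a loose dotted-number rule and a tuned rule over constructed messages, including the slide's own two values, and shows which rule would have blocked the phone number.

```python
"""Added example (not from the course material): the DLP false positive on
slide 46. A loose "dotted number" rule matches the phone number 210.498.2327
as well as the IP address 210.23.34.200; a rule that validates each octet
does not. The policy patterns and the sample messages are constructed."""
import re

# Loose rule: any run of digits separated by dots. Easy to write, but it also
# fires on phone numbers, version strings and similar benign values.
LOOSE_IPV4 = re.compile(r"\b\d+(?:\.\d+)+\b")

# Tuned rule: exactly four dot-separated octets, each in the range 0-255, and
# not the tail of a longer dotted-digit run such as 1.2.3.4.5.
_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
STRICT_IPV4 = re.compile(r"(?<![\d.])" + r"\.".join([_OCTET] * 4) + r"(?!\d)")


def scan(pattern: re.Pattern, text: str) -> list[str]:
    """Return every substring of text that the DLP pattern would flag."""
    return pattern.findall(text)


def decide(pattern: re.Pattern, text: str) -> str:
    """Emulate the DLP policy action: block the message if the rule fires."""
    return "block" if scan(pattern, text) else "allow"


# Constructed outbound messages: one true positive (an internal IP address),
# the false positive from the slide (a phone number) and a version string.
MESSAGES = {
    "ip": "The management interface of the core switch is 210.23.34.200.",
    "phone": "Call me back on 210.498.2327 after lunch.",
    "version": "We upgraded the agent to version 12.0.7 last night.",
}


def compare_rules(messages: dict[str, str] = MESSAGES) -> dict[str, dict[str, str]]:
    """For each message, show what the loose and the tuned rule would do."""
    return {
        name: {"loose": decide(LOOSE_IPV4, text), "strict": decide(STRICT_IPV4, text)}
        for name, text in messages.items()
    }


if __name__ == "__main__":
    for name, outcome in compare_rules().items():
        print(f"{name:8s} loose={outcome['loose']:5s} strict={outcome['strict']}")
```

A four-part version string such as 7.2.1.44 would still pass the tuned pattern, which is why production DLP rules add context (keywords, file type, sender) rather than relying on a regular expression alone.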
47.
Digital or information rights management (DRM or IRM) is another defense-in-depth layer that takes data security to the next level. Where sensitive data evades data leakage security controls, DRM steps in by providing persistent protection wherever the data goes. Data owners can use a DRM server to develop and assign file access policies to business-critical data to ensure that it is adequately protected against unauthorized use throughout its lifecycle. In order for any user to open a protected file, a connection has to be established with a DRM server located inside the perimeter of the organization that owns the data, and the user has to prove that they have been authorized to view, print, or make changes to the file by providing their authentication credentials. OpenText, one of the leaders in the DRM market space, summarizes some of the capabilities of an enterprise DRM solution as follows [14]:
Protection against any form of distribution: Lock files against unauthorized access, whether those files are distributed manually (via USB drive or CD), sent via email, or downloaded inappropriately. Prevent unauthorized users from opening or forwarding email attachments.
Protect all file types: Add digital rights management to content produced in Microsoft Office applications as well as virtually all other file formats, including PDF, HTML, CAD, image files, ZIP archives, and more.
Apply rights management to existing and new content: Add rights management to an OpenText repository to further protect existing content, and set policies to protect new files as they’re stored in the repository.
48.
Protect content on BlackBerry: Allow only authorized users to open and view protected content on their BlackBerry smartphones.
Comply with government and industry requirements: Demonstrate compliance with information security standards such as the U.S. Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA), and similar regulations around the world.
49.
The slide above represents an example of where DRM is used to protect confidential files:
1. An employee needs to share a confidential document with a business partner. The employee uploads the file to the DRM server and creates an access policy that allows the business partner to access the document.
2. The employee defines the appropriate access permissions (i.e., view, download, print, etc.) for the confidential document before sharing it with the business partner.
1. The DRM-protected file is shared with the business partner, typically via e-mail.
2. The recipient of the DRM-protected file attempts to open it, but s/he is automatically redirected to the organization’s DRM server and asked to authenticate.
3. An adversary will only be able to access the contents of the file if s/he has the correct authentication credentials.
4. The owner of the file can revoke access to the file at any time.
50.
Persistent protection follows business-critical data that is deliberately or inadvertently moved outside of an enterprise environment. Configurable usage rights include view, e-mail, print, forward, and so forth. Apart from encryption solutions, not many security technology products protect an organization’s intellectual property beyond its network perimeter. Once the data escapes the network, it’s typically game over, but this is not the case with DRM/IRM, which makes it a highly critical technology capability for an organization that relies heavily on its trade secrets (e.g., patents, inventions, formulas, software code, designs, research data, etc.). As shown in this image, protection follows the data wherever it goes. It can only be accessed if there is an established network path to the DRM server and the user has been successfully authenticated.
51.
Host Security Technology Solutions
On completion of this section, you will:
• Understand different types of host security technology products
• Be familiar with the features and functionalities of antivirus, application whitelisting, next generation endpoint security, full disk encryption, and file integrity monitoring
• Understand how different host security products complement one another
• Be familiar with the practical use cases of host security technology products in an enterprise environment
52.
Hosts are the containers for what the attacker wants; therefore, they will always remain the attacker’s target until such a time as someone figures out where else to keep digital data or run applications from. Attackers follow the money, which in this case is the data. Given the need to adequately protect enterprise hosts against cyber attacks, a good number of host security solutions continue to appear on the security technology market. As attackers figure out new attack tactics and techniques, the security technology industry helps enterprise defenders respond by designing solutions that combat the new security problems created by the bad guys. In this section, we are only going to cover some of the most popular host security solutions. These are as follows:
• Antivirus (traditional signature-based, such as McAfee)
• Application whitelisting
• Next generation endpoint security (NGES)
• File integrity monitor (FIM)
• Full disk encryption (FDE)
• Third party application software agent
53.
Historically, firewalls and antivirus were the most popular security solutions. Given this fact, there have been a lot of misconceptions amongst those with limited knowledge of cyber security. In today’s cyber threat landscape, attackers have figured out a way to bypass firewalls with relative ease by coming in through the front door. Most firewalls allow outbound web traffic (TCP ports 80 and 443), given that users must be able to surf the web; therefore, attackers have figured out a way to use this same path to launch their attacks. Similarly, some users still believe that once an antivirus (AV) solution is installed on their computer and its virus definitions database is up-to-date, then such a computer is immune to any type of attack. Nothing could be further from the truth. Today’s attackers have changed the game by figuring out different evasion techniques. In 2015, Christopher Kruegel, chief scientist at Lastline Inc., wrote that evasive malware behavior was up 2000% compared to 2014. This new malware bypassed traditional firewalls, security gateways and sandboxes, causing organizations to struggle as cybercriminals design sophisticated and stealthy malware that loops, cloaks itself, and morphs to evade detection [15]. Low-level details of malware evasion techniques are beyond the scope of this course, but be sure to refer to the presentation that Chris gave at the RSA Conference in 2015. A copy of this presentation is included as part of your study materials. In spite of the available malware evasion techniques, antivirus solutions are still very relevant and should be installed on every host running within an enterprise environment. Because it is a reactive technology, there is a malware gap that AV solutions create. This is where other complementary host security technologies come in.
54.
Antivirus vendors react to instances of malware attack by analyzing the malware and understanding how it works before developing detection signatures for it, meaning that some hosts (the first hit, otherwise known as patient zero) must be compromised before other hosts running a particular AV software can be protected. The deployment model in enterprise environments is agent-to-server. The antivirus agents are pushed out to protected hosts from a central management server, which is essentially the command and control station. Software updates and virus database updates are pushed out to managed hosts from this central server, while the managed hosts also send information about detected threats back to the AV server.
55.
Antivirus solutions typically use two detection mechanisms, namely:
• Signature-based detection
• Heuristic detection
In the case of signature-based detection, when a protected computer comes in contact with any file or program, it computes a cryptographic hash of the file/program and checks it against its known database of malware hashes. A virus alert is displayed to the user and also sent to the AV server when there is a match.
56.
On the other hand, a heuristically detected malware is essentially a file/program suspected to be malicious based on its behavior. Here, the antivirus software analyzes the file/program to determine if it performs actions attributable to malicious software, such as executing scripts, installing a program or downloading additional programs which the user has not approved. The second slide on this page lists the most popular vendors in the AV industry.
57.
Application whitelisting is a very effective host protection (malware prevention) technique, but it remains a maturing field because of the complexity involved in its deployment. Unlike security technologies such as antivirus software, which block known bad activity and permit all other, application whitelisting technologies are designed to permit known good activity and block all other [16]. The challenges associated with the effective design and implementation of whitelisting technology stem from the fact that most organizations can hardly tell unauthorized from authorized applications in their IT environment. Additionally, there is a high probability of greatly impacting end-user productivity where whitelisting applications are deployed; therefore, those thinking of using this solution must proceed with caution.
58.
There are two major operational modes of most AW technologies:
• Audit Mode – allows execution of all applications (whitelisted or not) and logs their execution.
• Enforcement Mode – permits execution of only whitelisted applications and blocks everything else.
An application whitelisting technology running in monitor (or audit) mode is merely learning and logging events relating to how applications are being used. It is not configured to stop an application that has not been whitelisted from executing, but it can report the event to the whitelisting server. This is the best mode of deployment for organizations that plan to establish a baseline of trusted applications within their environment without running the risk of impacting business productivity.
59.
An application whitelisting solution deployed in enforcement mode will only allow whitelisted applications to run whilst blocking unauthorized ones. This deployment mode is not very common within enterprise environments, but organizations with a near-accurate and up-to-date baseline (or inventory) of authorized applications, developed over a period of time, will benefit greatly from using the whitelisting solution in this mode—this is when true return on security investment can be derived.
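As an added example (not from the course material), the Python below models the two modes described on slides 58 and 59 on constructed execution events with placeholder hashes and paths: audit mode allows and logs everything and collects the unknown binaries for review, while enforcement mode blocks them.

```python
"""Added example (not from the course material): the two operating modes of an
application whitelisting agent. In audit mode every execution is allowed and
logged so a baseline can be built; in enforcement mode anything not on the
whitelist is blocked. Hashes, paths and the host name are constructed."""
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    AUDIT = "audit"        # learn and log, never block
    ENFORCE = "enforce"    # permit whitelisted applications, block everything else


@dataclass(frozen=True)
class ExecEvent:
    host: str
    path: str
    sha256: str            # hash of the executable image (placeholder values below)


@dataclass
class Decision:
    event: ExecEvent
    allowed: bool
    whitelisted: bool
    mode: Mode


@dataclass
class WhitelistAgent:
    """Whitelist keyed on file hash, so a renamed copy of an unknown binary is
    still unknown and a trusted binary is trusted under any path."""
    whitelist: set[str]
    mode: Mode
    log: list[Decision] = field(default_factory=list)

    def handle(self, event: ExecEvent) -> Decision:
        whitelisted = event.sha256 in self.whitelist
        # Audit mode only records the event; enforcement mode blocks unknown hashes.
        allowed = whitelisted or self.mode is Mode.AUDIT
        decision = Decision(event, allowed, whitelisted, self.mode)
        self.log.append(decision)
        return decision

    def candidate_baseline(self) -> dict[str, set[str]]:
        """Unknown executables seen in audit mode, grouped by hash with the paths
        they ran from. This is the list to review before switching to enforcement;
        entries that turn out to be authorized are added to the whitelist."""
        seen: dict[str, set[str]] = {}
        for d in self.log:
            if d.mode is Mode.AUDIT and not d.whitelisted:
                seen.setdefault(d.event.sha256, set()).add(d.event.path)
        return seen


# Constructed events: two known corporate applications and one unknown binary
# running from a user's temp directory. Hash values are placeholders.
KNOWN = {"hash-outlook-0001", "hash-chrome-0002"}
EVENTS = [
    ExecEvent("WS-0042", r"C:\Program Files\Microsoft Office\OUTLOOK.EXE", "hash-outlook-0001"),
    ExecEvent("WS-0042", r"C:\Program Files\Google\Chrome\chrome.exe", "hash-chrome-0002"),
    ExecEvent("WS-0042", r"C:\Users\jdoe\AppData\Local\Temp\update.exe", "hash-unknown-9999"),
]


def run_both_modes(events: list[ExecEvent] = EVENTS) -> dict[str, list]:
    """Outcome of the same events under each mode, plus the hashes left to review."""
    audit = WhitelistAgent(set(KNOWN), Mode.AUDIT)
    enforce = WhitelistAgent(set(KNOWN), Mode.ENFORCE)
    return {
        "audit": [audit.handle(e).allowed for e in events],
        "enforce": [enforce.handle(e).allowed for e in events],
        "to_review": sorted(audit.candidate_baseline()),
    }


if __name__ == "__main__":
    for mode, outcome in run_both_modes().items():
        print(mode, outcome)
```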
60.
A next generation endpoint security solution (or platform) is a response to the challenge created by antivirus technology. This family of products offers protection against zero-day (previously unseen) threats by analyzing the malware and its behavioral characteristics. All digital elements (e.g., binaries, process activity, network connectivity, and configuration changes) required to compromise a computer are continuously monitored, and action is taken when required. Effective protection against modern, sophisticated threats requires a revolutionary threat detection mechanism that analyzes, blocks, and remediates identified threats. The ability to see what is running on an endpoint, and how every application or process is behaving, was the biggest missing piece in solving the malware problem, and this is the core functionality of a next generation endpoint security platform [17].
61.
This solution thrives on the quality of threat intelligence available to the vendor, who typically has numerous sensors deployed at various points on the Internet to collect threat intelligence. This intelligence is then fed to the NGES analytics engine, which is the command and control station for managed endpoints. The deployment model is very similar to AV’s in that agents are deployed onto managed devices that are then controlled from a centralized NGES analytics platform.
62.
A file integrity monitoring (FIM) technology product monitors, detects, and alerts on changes to critical database, application, and operating system files. A file integrity solution works by computing cryptographic hashes of the files to be protected. This creates a baseline of known hashes, and any change to a hash value must be investigated. The most efficient way to do this is to ensure that a security incident ticket is raised for every detected change for which there is no change record. This has the secondary benefit of curbing the bad practice of unauthorized changes within an organization.
63.
In the example on the first slide, a user logs on to a computer system that has a FIM agent installed to monitor some files against unauthorized changes. One of those files is “Config.txt”, which is saved on the desktop. The file contains the configuration settings for a Cisco ASA firewall. Upon accessing this file, the user changes the password setting in the configuration and saves it. This is enough to cause an alert to be sent to the FIM manager, because the cryptographic hash must have changed. If this is not an authorized change, then the security analyst must assume that it is a security incident, raise an incident ticket, and follow their documented response process.
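An added example (not from the course material) of the hash-baseline mechanism described on slides 62 and 63: watched files are hashed into a baseline, re-hashed later, and every change is matched against a change record to decide whether it is an incident. The files live in a temporary directory, the Config.txt content is a constructed placeholder rather than a real ASA configuration, and the change record is constructed.

```python
"""Added example (not from the course material): a minimal file integrity
monitor. It hashes watched files into a baseline, re-hashes them later and
raises an event for every change; a change with no matching change record is
the one that must become a security incident ticket. File contents and the
change record are constructed for the demo."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files are handled."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path, watched: list[str]) -> dict[str, str]:
    """Record the known-good hash of every watched file."""
    return {name: sha256_file(root / name) for name in watched}


def detect_changes(baseline: dict[str, str], root: Path,
                   change_records: frozenset[str] = frozenset()) -> list[dict]:
    """Compare the current state of each watched file with the baseline.

    change_records holds the names of files covered by an approved change
    ticket. Every differing hash produces an event; events without a record
    are the ones the analyst must treat as security incidents."""
    events = []
    for name, known in baseline.items():
        path = root / name
        if not path.exists():
            status, current = "missing", None
        else:
            current = sha256_file(path)
            if current == known:
                continue          # unchanged: nothing to report
            status = "authorized_change" if name in change_records else "unauthorized_change"
        events.append({"file": name, "status": status, "baseline": known, "current": current})
    return events


def demo() -> tuple[list[dict], list[dict]]:
    """Replay the slide 63 scenario: the password line in Config.txt is edited."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample configuration; not a real Cisco ASA config.
        (root / "Config.txt").write_text("hostname edge-fw\npassword PLACEHOLDER-OLD\n")
        (root / "hosts.txt").write_text("10.0.0.5 crm.internal\n")
        baseline = build_baseline(root, ["Config.txt", "hosts.txt"])

        # The user changes the password setting and saves the file.
        (root / "Config.txt").write_text("hostname edge-fw\npassword PLACEHOLDER-NEW\n")

        without_record = detect_changes(baseline, root)
        with_record = detect_changes(baseline, root, frozenset({"Config.txt"}))
        return without_record, with_record


if __name__ == "__main__":
    for event in demo()[0]:
        print(f"{event['file']}: {event['status']}")   # Config.txt: unauthorized_change
```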
64.
A full disk encryption solution protects the host by encrypting its entire hard drive content when it is not operational. This is more a matter of asset protection against theft than endpoint protection, because the solution only becomes useful when the protected device is lost or stolen—provided it is in a shut-down state when lost or stolen. To decrypt the hard drive, the user must supply the decryption password during the boot-up process. If the supplied password is correct, the computer will proceed to decrypt the hard drive.
65.
66.
On enterprise hosts, non-Microsoft applications are referred to as third-party applications. These third-party applications widen a host’s attack surface because of how difficult they are to patch compared to Microsoft’s applications. Microsoft addresses vulnerabilities in its applications and operating systems by releasing security updates on the 2nd Tuesday of every month (Patch Tuesday). These updates are then pushed out to enterprise Windows computers from Microsoft’s System Center Configuration Manager (SCCM). Conversely, patching third-party applications is cumbersome because Microsoft does not track vulnerabilities in those applications. This is why a software agent is required on hosts (mostly workstations) that scans for installed third-party applications and reports back to its central management server, which could be on-premises or in the cloud. Vulnerabilities in any application present attackers with the opportunity to gain unauthorized access; therefore, a third-party application management capability is a crucial layer of defense.
67.
In the example on the first slide, a third-party application agent is running on a managed enterprise computer. The computer is also running outdated versions of Adobe Reader and Java, for which exploitable vulnerabilities have recently been reported. Upon discovery of the vulnerable applications, the third-party application agent sends an alert to the central management server. The central management server could take one of two actions:
• Remotely patch the vulnerable applications
• Send an alert to a system administrator to perform a manual update
68.
Network Security Technology Solutions
On completion of this section, you will:
• Understand different types of technology products that can be deployed to secure an enterprise network
• Be familiar with the core features and functionalities of traditional network firewalls, intrusion prevention systems (IPS), web security gateways (WSG), and network access control (NAC)
• Understand the practical use cases of network security technology products in an enterprise environment
69.
Traditionally, networks were only secured by firewalls. However, the evolution of attack vectors has brought about de-perimeterization. In the past, a perimeter firewall had the answer to almost every security problem because only the ports required for legitimate business reasons were opened. Examples of such ports are 80 (HTTP) and 443 (HTTPS). In today’s threat landscape, however, once a user makes an HTTP request to a compromised web server, that user’s workstation becomes highly susceptible to attack. A traditional network perimeter consists of one or more points of entry into an organization’s internal network. The point of entry is typically located at a data center and provides internal users with access to the Internet, as well as allowing external users to access an organization’s external-facing servers (e.g., an e-commerce website).
70.
However, as time went on, attackers figured out a way to use these same open ports as an attack vehicle, thus pushing the perimeter to the host attached to the network and, in essence, removing the boundary between the internal network and the outside world. This is what is referred to as de-perimeterization, which means that organizations must have a response to this problem: a de-perimeterization strategy, or defense-in-depth strategy.
Network firewalls are one of many network security technology solutions. The following solutions will also be discussed in the next few slides:
• Intrusion Prevention System (IPS)
• Network Access Control (NAC)
• Web Security Gateway (WSG)
71.
A network firewall is a physical appliance installed on the network to protect digital resources based on specific business requirements. These business requirements translate to a set of rules or an access control list (ACL) configured to:
• Permit authorized access, or
• Deny unauthorized access to the protected resource.
Every ACL must include the following attributes:
• Source IP address of the system requiring access to a protected resource; or source IP address of the protected resource requiring access to a non-protected resource.
• Destination IP address of the protected resource to which access is being requested; or destination IP address of the non-protected system to which a protected resource needs access.
• Communication protocol (e.g., UDP, TCP, ICMP, IP)
• Destination port(s) or service(s) (e.g., 22, 80, 443)
• Action that the firewall must take on the network traffic that matches the attributes in an ACL (i.e., permit or deny)
Network firewalls create network segments or security zones. Each security zone has a trust level that is derived from the criticality of the systems assigned to the zone. Traffic flow between two zones of different trust levels is permitted or denied in accordance with business requirements.
72.
The security label attached to a network segment, protected by a firewall, is a function of the criticality of the systems placed within that network segment. Generally, there are three (3) security zones in an enterprise environment. These are:
• The Internet zone – this is the untrusted zone. It is outside of the perimeter (or edge) firewall; therefore, services running in this environment are treated as hostile by default.
• The demilitarized zone (popularly known as the DMZ) – this is the semi-trust or low-trust zone. It is the buffer between the outside world and the internal network. Services which must be available to the outside world (such as email, web service, etc.) run out of this zone.
• The internal zone – this is the trusted zone where end-user computers and enterprise servers are situated. Traffic in and out of this zone is highly controlled in comparison to the DMZ.
This is only a high-level/simplistic view of the enterprise network. Organizations who are serious about securing their critical assets will break the internal zone further (using internal firewalls) into different segments depending on the breach tolerance of the information systems being protected.
For network segmentation to be an effective security control, firewalls must be configured in such a way as to allow traffic flows between systems in adjacent zones only. In the example presented in the slide, the Internet zone is allowed to communicate with systems in the low-trust security zone. Similarly, systems in the low- and medium-trust zones are able to communicate with systems in the medium- and high-trust zones respectively. Conversely, the Internet and low-trust zones are not allowed to communicate with systems inside the medium- and high-trust security zones respectively. The idea behind this concept is to reduce the attack surface of digital assets placed in high-trust security zones.
73.
The slide above presents an example of a typical network communication traversing a firewall.
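The ACL attributes from slide 71 and the adjacent-zone segmentation rule from slides 72 and 73, put together as an added example (not part of the course material). The zone names, trust levels, address ranges and the sample ACL are constructed; the evaluator applies the adjacency check first and then first-match ACL semantics with an implicit deny, and returns the reason so that a log line can record why a flow was decided.

```python
"""Zone-aware firewall ACL evaluation.

Added example, not part of the course material. Zone names, trust levels,
address ranges and the sample ACL below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Trust level per security zone; a lower number is less trusted.
ZONE_TRUST = {"internet": 0, "low": 1, "medium": 2, "high": 3}

# Constructed addressing: anything outside these ranges is the Internet zone.
ZONE_NETWORKS = {
    "low": ipaddress.ip_network("10.1.0.0/16"),     # DMZ
    "medium": ipaddress.ip_network("10.2.0.0/16"),  # internal users and app tier
    "high": ipaddress.ip_network("10.3.0.0/16"),    # databases
}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONE_NETWORKS.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    proto: str            # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]  # None matches any port (or a port-less protocol)
    action: str           # "permit" or "deny"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    dport: Optional[int]


def _cidr_match(cidr: str, ip: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_cidr_match(rule.src, pkt.src_ip)
            and _cidr_match(rule.dst, pkt.dst_ip)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))


def adjacent_zones(src_zone: str, dst_zone: str) -> bool:
    """Segmentation rule from the slide: a flow may cross at most one trust step."""
    return abs(ZONE_TRUST[dst_zone] - ZONE_TRUST[src_zone]) <= 1


def evaluate(acl, pkt: Packet):
    """First-match ACL with an implicit deny, gated by the zone adjacency rule.

    Returns (action, reason) so a log line can say why a flow was decided.
    """
    src_zone, dst_zone = zone_of(pkt.src_ip), zone_of(pkt.dst_ip)
    if not adjacent_zones(src_zone, dst_zone):
        return "deny", f"non-adjacent zones ({src_zone} -> {dst_zone})"
    for index, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            return rule.action, f"rule {index}"
    return "deny", "implicit deny"


# Constructed ACL: each line is one business requirement turned into a rule.
SAMPLE_ACL = [
    Rule("any", "10.1.0.0/16", "tcp", 443, "permit"),           # Internet -> DMZ web front end
    Rule("10.1.0.0/16", "10.2.0.0/16", "tcp", 8443, "permit"),  # DMZ -> application tier
    Rule("10.2.0.0/16", "10.3.0.0/16", "tcp", 5432, "permit"),  # application tier -> database
    Rule("10.2.0.0/16", "10.1.0.0/16", "tcp", 3128, "permit"),  # users -> web proxy in the DMZ
]

if __name__ == "__main__":
    for pkt in [Packet("203.0.113.5", "10.1.0.10", "tcp", 443),
                Packet("203.0.113.5", "10.2.0.10", "tcp", 8443),
                Packet("10.2.0.20", "10.3.0.5", "tcp", 22)]:
        print(pkt.src_ip, "->", pkt.dst_ip, evaluate(SAMPLE_ACL, pkt))
```

Note that internal users in this model reach the Internet only through a proxy in the DMZ (the web security gateway discussed later in the deck), because a direct medium-to-Internet flow would skip a trust step and is refused before any rule is consulted.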
74.
Here are some of the most popular firewall technology vendors:
• Cisco
• Checkpoint
• Palo Alto
• Juniper
• Fortinet
• SonicWall
Although there are tough challengers, Cisco remains the market leader in the network security technology space with about 35% share of the firewall technology market. Checkpoint and Palo Alto come in 2nd and 3rd places respectively, while Juniper, Fortinet, and SonicWall are other popular products.
75.
Intrusion prevention is the act of preventing network-based attacks that evade firewall security controls. This family of product comes as either a software or a hardware appliance. Deployment mode is typically:
• Passive/monitor mode
• Active/blocking mode
When deployed in passive/monitor mode, it is known as an Intrusion Detection System (IDS). In this mode, when attack traffic is detected, the only action taken by this tool is to log the incident and send an alert to the security analyst. This is essentially a "safe" operational mode because, in the event of a mis-detection (or false positive), legitimate business productivity traffic would not be blocked. On the flip side, if a worm is rapidly infiltrating the network, this tool will be of little value to the organization as it would be powerless to stop the worm while operating in "detect only" mode.
When deployed in active/blocking mode, the device acts as an Intrusion Prevention System (IPS). In this mode, the IPS is placed "in-line", typically between an organization's internal network and the perimeter or Internet firewall. The disadvantage of this mode is that the IPS could potentially block legitimate business traffic when inaccurate detection occurs. On the other hand, this tool would be very effective in stopping a worm outbreak before it attempts to spread to internal systems.
76.
The scenario on the first slide shows a good example of where an IPS provides business value by stopping an attack. The host in the diagram appears to have been compromised because it beacons out to an external host at regular intervals; this is indicative of command and control communication (a later phase of the attack kill chain). The IPS is aware of this behavior and so blocks the traffic, thus (potentially) terminating an attacker's connection to the internal network.
As mentioned earlier, the major disadvantage of an IPS is the possibility of blocking legitimate business traffic when an event suspected to be malicious is actually benign. This is reflected in the second example, where an internal user attempts to send log files to an external third party for troubleshooting purposes. The internal computer makes an outbound FTP connection to the external party; the IPS sees the traffic, suspects it is malicious, and blocks it. The user continues to try, but the connection attempts keep getting blocked. This undoubtedly would lead to frustration and productivity loss, among other things.
77.
Before deploying an IPS in blocking mode, security teams should make absolutely certain that they, at least, have a good understanding of traffic patterns in their environment, as well as good knowledge of legitimate business applications. There will be some "misses", but those should occur in exceptional circumstances alone.
IPSs use different detection mechanisms, but the most popular amongst those are:
• Signature-based
• Statistical anomaly
Signature-based detection in an IPS works in the same way as it does in an anti-virus solution. The IPS vendors regularly release signature updates, which are then deployed onto the IPS platform within the enterprise. With an up-to-date signature database, the IPS can detect and block known threats. Statistical anomaly detection, on the other hand, is a type of behavior-based detection mechanism where an alert is fired when the IPS notices a deviation from the normal network traffic pattern.
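The two scenarios from slide 76 (a beaconing host, and a legitimate FTP transfer that gets blocked) and the two detection mechanisms from slide 77, as an added example that is not part of the course material. Every IP address, timestamp, signature and business exception is constructed. Signature matching covers the known-threat case; the beacon detector is a small statistical anomaly check (near-constant connection intervals to one destination); and the operating mode decides whether a hit only alerts, as an IDS would, or is also blocked, as an in-line IPS would. The business exception list models the "good knowledge of legitimate business applications" the slide asks for before going in-line.

```python
"""IDS/IPS-style detection over a constructed flow log.

Added example, not part of the course material. It runs the two detection
mechanisms named on the slide (signature-based and statistical anomaly) over
the same records and lets the operating mode decide whether a hit only alerts
(IDS, monitor mode) or also blocks (IPS, in-line mode). Every IP address,
timestamp, signature and business exception below is constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow log: (seconds since start, src_ip, dst_ip, dst_port, proto)
FLOWS = [
    (0, "10.2.0.15", "198.51.100.7", 443, "tcp"),   # host beaconing every ~60 s
    (60, "10.2.0.15", "198.51.100.7", 443, "tcp"),
    (120, "10.2.0.15", "198.51.100.7", 443, "tcp"),
    (180, "10.2.0.15", "198.51.100.7", 443, "tcp"),
    (241, "10.2.0.15", "198.51.100.7", 443, "tcp"),
    (5, "10.2.0.22", "203.0.113.9", 21, "tcp"),     # user sending logs to a vendor over FTP
    (9, "10.2.0.22", "203.0.113.9", 21, "tcp"),
    (70, "10.2.0.22", "203.0.113.9", 21, "tcp"),
    (12, "10.2.0.31", "192.0.2.44", 443, "tcp"),    # destination on a constructed block list
]

# Constructed signature set: (name, predicate over one flow record).
SIGNATURES = [
    ("known-bad-destination", lambda f: f[2] == "192.0.2.44"),
    ("outbound-ftp", lambda f: f[3] == 21 and f[4] == "tcp"),
]

# Business-approved exceptions the security team documented before going in-line.
BUSINESS_EXCEPTIONS = frozenset({("10.2.0.22", "203.0.113.9", 21)})


def signature_hits(flows, signatures=SIGNATURES, exceptions=frozenset()):
    """Known-threat matching; exceptions model documented legitimate applications."""
    hits = []
    for flow in flows:
        if (flow[1], flow[2], flow[3]) in exceptions:
            continue
        for name, predicate in signatures:
            if predicate(flow):
                hits.append((name, flow))
    return hits


def beacon_candidates(flows, min_count=4, max_cv=0.1):
    """Statistical anomaly: (src, dst) pairs whose connection intervals are almost constant."""
    stamps_by_pair = defaultdict(list)
    for ts, src, dst, *_ in flows:
        stamps_by_pair[(src, dst)].append(ts)
    findings = []
    for pair, stamps in stamps_by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        average = mean(gaps)
        cv = pstdev(gaps) / average if average else 0.0  # coefficient of variation
        if cv <= max_cv:
            findings.append((pair, round(average, 1), round(cv, 3)))
    return findings


def decide(flows, mode="monitor", exceptions=frozenset()):
    """Return (alerts, blocked_flows); blocked_flows is empty unless mode == "block"."""
    sig = signature_hits(flows, exceptions=exceptions)
    beacons = beacon_candidates(flows)
    alerts = [f"signature:{name} {f[1]}->{f[2]}:{f[3]}" for name, f in sig]
    alerts += [f"beacon:{src}->{dst} every ~{gap}s" for (src, dst), gap, _ in beacons]
    flagged = {f for _, f in sig}
    beacon_pairs = {pair for pair, _, _ in beacons}
    blocked = [f for f in flows if f in flagged or (f[1], f[2]) in beacon_pairs]
    return alerts, (blocked if mode == "block" else [])


if __name__ == "__main__":
    for mode in ("monitor", "block"):
        alerts, blocked = decide(FLOWS, mode, exceptions=BUSINESS_EXCEPTIONS)
        print(mode, "alerts:", alerts, "blocked:", len(blocked))
```

Run without the exception list, the broad "outbound-ftp" signature blocks the vendor transfer in block mode, which is exactly the productivity loss slide 76 describes; with the exception recorded, the same IPS still stops the beaconing host and the known-bad destination while letting the documented business flow through.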
78.
The overall goal of a network access control solution is to prevent unauthorized, non-compliant, or infected endpoints from contaminating the network by getting other hosts infected. An endpoint that has been off the network for some period of time is considered hostile and must be thoroughly examined by the NAC solution before it is allowed back on the network.
The endpoint in the example on the second slide is allowed to access the network because it meets all the requirements defined in the corporate access policy and is therefore recognized by the NAC solution as an authorized endpoint.
79.
The endpoint in this example is disallowed from accessing the network because it is unrecognized by the NAC solution, probably because it is personally owned or its user is not a full-time employee of the company.
80.
A web security gateway (or secure web gateway) used to be referred to as a proxy server before evolutions in the cyber threat landscape necessitated enhancements in its capabilities. Because the Internet is such a hostile environment, outbound requests to potentially harmful web content must be tightly controlled. This product works by categorizing different websites, which then allows organizations to select categories that should be permitted (e.g., news, research, sports, etc.) and ones that should be blocked (e.g., hacking, pornography, gambling, etc.). The following snapshot from Bluecoat, one of the leaders in the WSG market space, shows examples of the different category types available. More information is available at https://sitereview.bluecoat.com/testcategories.jsp.
81.
In this example, a user attempts to access www.123.com, which is categorized by the WSG as malicious. The WSG terminates the connection and sends a warning message (block page) to the user explaining why his/her request is not allowed.
82.
Cloud Security Technology Solutions
On completion of this section, you will:
• Be familiar with different cloud security technology products
• Understand the key features and functionalities of cloud access security broker (CASB) technology solutions
• Understand the similarities between on-premise and cloud-based information systems and security technology products
• Know some of the leading cloud security technology vendors
83.
The "cloud" has revolutionized how organizations do business today. There is a great business case for cloud adoption: reduced carbon footprint, agility, lower total cost of ownership (TCO), and higher return on investment (ROI) are just a few justifications, which are compelling enough to make business leaders consider moving their information systems to the cloud.
With this drive towards the cloud comes the need to secure externalized information systems regardless of their location. Security technology vendors have now responded to this need by creating cloud-based equivalents of on-premise solutions. Some of the most popular security capabilities that exist in the cloud today include:
• Web security gateway
• Data leakage prevention
• E-mail security gateway
• Encryption and key management
• Cloud access security broker (CASB)
84.
A cloud-based web security gateway delivers the same functionality as an on-premise web security hardware appliance, but eliminates the hardware requirements. The cloud-based WSG sits in-line between the endpoint and the Internet, inspecting every web request originating at the endpoint. One of the advantages of this model is that the endpoint is protected whether it is on the network (at the corporate office, for example) or off the network (at a coffee shop).
A cloud-based WSG offers a wide range of security capabilities, including (this list is not exhaustive):
• URL filtering to block web requests deemed unauthorized by an organization's policy.
• Threat detection and prevention.
• Application control (e.g., control traffic to Facebook, YouTube, etc.)
• Malware detection
• Cloud sandboxing (i.e., detonate files that appear to be malicious)
85.
This slide presents examples of authorized and unauthorized web requests and how they are handled by the cloud-based WSG.
86.
A cloud-based DLP solution offers the same functionality as an on-premise DLP hardware appliance, but the main selling point is the reduction in hardware footprint. Just like the cloud-based WSG, the cloud-based DLP solution sits in-line between the endpoint and the Internet, inspecting every bit of data that an endpoint sends out to the Internet. Some cloud-based WSGs include DLP capabilities as part of their service offering.
In the first part of the example on the second slide, an internal employee attempts to send an earnings report to his/her personal Google Drive account in an effort to continue working on the file from home. The cloud-based DLP solution intercepts and blocks the request because the DLP policies were configured to block access to unsanctioned online storage sites.
In the second part of the example, a remote employee attempts to upload a spreadsheet containing sensitive information to his/her company's SharePoint Online site. The cloud-based DLP solution intercepts and blocks the request because the DLP policies were configured to look for sensitive data (such as credit card and social security numbers) in the metadata and body of every file and prevent files that match those conditions from leaving the organization's perimeter.
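Both halves of the slide's example as an added illustration (not part of the course material): the destination check that stops the earnings report going to an unsanctioned storage site, and the content check that stops the spreadsheet even though its destination is sanctioned. The sanctioned host list, the tenant name, the file names and the file contents are constructed. Card numbers are validated with the Luhn checksum so that arbitrary 13 to 16 digit runs (order ids, timestamps) do not trigger the policy, which is the usual source of DLP false positives.

```python
"""Cloud DLP-style inspection of an outbound file upload.

Added example, not part of the course material. It applies the two policy checks
from the slide: is the destination a sanctioned storage site, and does the file
name, metadata or body carry sensitive data (payment card numbers that pass the
Luhn check, US SSN-shaped values)? The sanctioned host list, file names and file
contents are constructed.
"""
import re

SANCTIONED_HOSTS = {"contoso.sharepoint.com"}  # constructed; contoso is a placeholder tenant
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop 13-16 digit runs that are not card numbers."""
    total = 0
    for position, char in enumerate(reversed(digits)):
        d = int(char)
        if position % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    found = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def inspect_upload(dest_host: str, filename: str, body: str, metadata: str = ""):
    """Return (decision, reasons) for a file leaving an endpoint towards dest_host."""
    reasons = []
    if dest_host not in SANCTIONED_HOSTS:
        reasons.append(f"unsanctioned destination {dest_host}")
    text = "\n".join([filename, metadata, body])  # metadata and body are both inspected
    cards = find_card_numbers(text)
    if cards:
        reasons.append(f"{len(cards)} payment card number(s)")
    ssns = SSN_RE.findall(text)
    if ssns:
        reasons.append(f"{len(ssns)} SSN(s)")
    return ("block" if reasons else "allow"), reasons


if __name__ == "__main__":
    print(inspect_upload("drive.google.com", "earnings.xlsx", "Q3 revenue up 12%"))
    print(inspect_upload("contoso.sharepoint.com", "customers.xlsx",
                         "Card 4111 1111 1111 1111\nSSN 123-45-6789",
                         metadata="author=jdoe;classification=internal"))
```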
88.
In the first part of the example on the second slide, an employee sends a benign e-mail to her boss requesting time off. The e-mail is intercepted and inspected by the cloud-based e-mail security gateway. The cloud-based e-mail security gateway determines that the e-mail is benign and proceeds to route it to the destination mailbox.
The second part of this example shows an adversary crafting a malicious e-mail to the organization's HR Director. The cloud-based e-mail security gateway intercepts and inspects the e-mail, and identifies a malicious attachment. The e-mail is then quarantined for further analysis and eventual deletion.
90.
In the example on the second slide, an employee needs to store confidential files in an Amazon Web Services (AWS) S3 storage bucket. Company policies mandate that any data deemed confidential must be encrypted at rest. The cloud-based encryption gateway is configured to intercept user traffic, inspect it for matching conditions (i.e., keywords or classification labels defined by the company), and encrypt the data if the traffic matches a pre-configured encryption policy. Before beginning the encryption process, the cloud encryption gateway must fetch the encryption keys, which are typically stored within an organization's perimeter. After the data is encrypted, the cloud encryption gateway routes the encrypted files to the AWS S3 storage bucket.
91.
To decrypt the data, the cloud-based encryption gateway reverses the process described in the previous slide. The user retrieves the encrypted file from the AWS S3 storage bucket, and the request is intercepted by the cloud encryption gateway. To decrypt the file, the cloud encryption gateway must retrieve the encryption keys from the organization's internal network. The decrypted file is then delivered to the requestor.
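The upload flow from slide 90 and the reverse flow from slide 91, modelled end to end as an added example that is not part of the course material. The key store class stands in for the key management system inside the corporate perimeter: the gateway fetches the key by id for each request and never keeps it, and only the key id travels to the bucket with the ciphertext. To keep the example dependency-free, encryption is a counter-mode keystream from HMAC-SHA256 with a separate HMAC tag (encrypt-then-MAC); a production gateway would use AES-GCM or another vetted AEAD from a maintained library. The bucket, key id, classification labels and file contents are constructed.

```python
"""Cloud encryption gateway flow (upload and download) modelled in stdlib Python.

Added example, not part of the course material. The key store stands in for a
key management system inside the corporate perimeter: the gateway fetches a key
by id for each request and never keeps it. To stay dependency-free the cipher is
a counter-mode keystream from HMAC-SHA256 with an HMAC tag; a real gateway would
use AES-GCM or another vetted AEAD from a maintained library. The bucket, key id,
classification labels and file contents are constructed.
"""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32
ENCRYPT_LABELS = {"confidential", "restricted"}  # constructed policy: labels that trigger encryption


class OnPremKeyStore:
    """Holds keys inside the organization's network; only key ids leave it with the data."""

    def __init__(self):
        self._keys = {"kek-finance-2024": secrets.token_bytes(32)}  # constructed key id

    def fetch(self, key_id: str) -> bytes:
        return self._keys[key_id]


def _subkey(master: bytes, label: bytes) -> bytes:
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(master: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, with separate encryption and MAC subkeys."""
    enc_key, mac_key = _subkey(master, b"enc"), _subkey(master, b"mac")
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(master: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkey(master, b"enc"), _subkey(master, b"mac")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")  # tampered object or wrong key
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def integrity_violated(master: bytes, blob: bytes) -> bool:
    try:
        decrypt(master, blob)
        return False
    except ValueError:
        return True


class EncryptionGateway:
    def __init__(self, keystore: OnPremKeyStore, key_id: str):
        self.keystore, self.key_id = keystore, key_id

    def outbound(self, label: str, data: bytes) -> dict:
        """Upload path: encrypt only when the file's classification matches policy."""
        if label not in ENCRYPT_LABELS:
            return {"encrypted": False, "body": data}
        key = self.keystore.fetch(self.key_id)  # fetched per request, never cached
        return {"encrypted": True, "key_id": self.key_id, "body": encrypt(key, data)}

    def inbound(self, obj: dict) -> bytes:
        """Download path: reverse the process using the key id stored with the object."""
        if not obj["encrypted"]:
            return obj["body"]
        return decrypt(self.keystore.fetch(obj["key_id"]), obj["body"])


BUCKET = {}  # constructed stand-in for the S3 bucket: object name -> stored object


def upload(gateway: EncryptionGateway, name: str, label: str, data: bytes) -> bool:
    BUCKET[name] = gateway.outbound(label, data)
    return BUCKET[name]["encrypted"]


def download(gateway: EncryptionGateway, name: str) -> bytes:
    return gateway.inbound(BUCKET[name])
```

The integrity tag is what makes the download path safe to automate: an object modified in the bucket, or one encrypted under a different key, fails the tag check and is never handed to the requestor as if it were the original file.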
92.
Cloud access security brokers (CASBs) are on-premise or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to enforce enterprise security policies as cloud-based resources are accessed. Examples of security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention, and so on [18]. CASB products provide an integral layer of security centered on the following pillars of security [19]:
• Visibility – which users are accessing the company's cloud-based data and what devices are they using? Being able to easily identify risky data exposures and/or user behavior across all cloud-based resources is the first step in securing the environment.
• Compliance – a CASB solution helps organizations fulfill their compliance obligations by making it possible for them to have a similar level of protection, access, and visibility into their cloud-based assets as though they were on-premise.
• Data Security – identifying, monitoring, and securing sensitive data are critical aspects of data security that can be achieved through the use of a CASB solution.
• Threat Protection – this is the ability to identify, mitigate, and remediate threat events such as compromised accounts, privileged user account misuse, and malware infections in trusted cloud services [20].
93.
In this example, an employee has accessed a sales SaaS application in an effort to view his/her sales forecast from his/her personally-owned device. Company policies allow employees to view sales data from any endpoint, but prohibit downloading such data to unmanaged devices. The CASB solution intercepts the request and, based on pre-configured access policies, allows the user to view the sales data. When the employee attempts to download the sales report, the CASB solution blocks the attempt, logs the incident, and sends an alert to the security analyst for further investigation.
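The policy decision from this slide as an added example (not part of the course material): the broker keys its decision on the resource's data class, the requested action and the device's management state, writes an audit record for every request, and raises an analyst alert only on denials. The application name, user name and policy are constructed; an unknown resource falls through to deny so a missing policy never silently allows a download.

```python
"""CASB-style policy enforcement for the scenario on this slide.

Added example, not part of the course material. Policy: sales data may be viewed
from any endpoint but downloaded only from managed devices; a denied action is
logged and raises an analyst alert. The application name, user name and policy
are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Request:
    user: str
    app: str
    data_class: str     # what the resource is, e.g. "sales"
    action: str         # "view" or "download"
    device_managed: bool


@dataclass(frozen=True)
class Policy:
    app: str
    data_class: str
    unmanaged_allowed: frozenset  # actions permitted from an unmanaged device


@dataclass
class Casb:
    policies: list
    audit_log: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

    def _policy_for(self, req: Request):
        return next((p for p in self.policies
                     if p.app == req.app and p.data_class == req.data_class), None)

    def enforce(self, req: Request) -> str:
        """Decide allow/deny, write the audit record, and alert on denials."""
        policy = self._policy_for(req)
        if policy is None:
            decision = "deny"               # no policy for this resource: default deny
        elif req.device_managed or req.action in policy.unmanaged_allowed:
            decision = "allow"
        else:
            decision = "deny"
        device = "managed" if req.device_managed else "unmanaged"
        self.audit_log.append((req.user, req.app, req.action, device, decision))
        if decision == "deny":
            self.alerts.append(f"{req.user}: {req.action} of {req.data_class} data "
                               f"in {req.app} from {device} device denied")
        return decision


# Constructed policy: viewing sales data anywhere is fine, downloading only from managed devices.
SALES_POLICY = Policy("crm-saas", "sales", frozenset({"view"}))


def scenario():
    """Replays the slide: the view succeeds, the download from the personal device is blocked."""
    casb = Casb([SALES_POLICY])
    view = casb.enforce(Request("jdoe", "crm-saas", "sales", "view", device_managed=False))
    download = casb.enforce(Request("jdoe", "crm-saas", "sales", "download", device_managed=False))
    return view, download, len(casb.alerts), len(casb.audit_log)


if __name__ == "__main__":
    print(scenario())
```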
94.
Security Information and Event Management (SIEM)
On completion of this section, you will:
• Understand the fundamentals of Security Information and Event Management (SIEM)
• Understand the core features and functionalities of a SIEM
• Through practical use case examples, gain an insight into how value can be derived from a SIEM in an enterprise environment
• Understand the difference between security information management (SIM) and security event management (SEM)
95.
A Security Information and Event Management (SIEM) system collects, processes, alerts, and reports on security events across an enterprise network. This technology product increases the efficiency and automation of event monitoring and incident response by collecting events from disparate event sources throughout the network. Rather than logging on to different technology products to review/research security alerts or reports, the analyst can now see everything happening on his/her network on one management console.
The SIEM collects logs and events from several sources including network assets, firewalls, antivirus management servers, vulnerability scanners, host operating systems, applications, databases, web application firewalls, web and email security gateways, identity and access management systems, file integrity monitors, asset management, and so forth.
96.
The collected logs are normalized, correlated, enriched and translated into near real-time security alerts. These alerts help the security analyst understand what is unfolding on their network so as to be able to take response actions. The two primary capabilities offered by this technology product are:
• Security Information Management (SIM)
• Security Event Management (SEM)
The slide lists some of the most popular vendors in the SIEM technology space.
98.
As powerful as SIEM products are, they cannot be run in autopilot mode. Organizations get the best out of a SIEM tool only when they do the hard work of properly understanding their business requirements and network environments. In other words, the SIEM needs to be told what should be brought to the analyst's immediate attention. This is achieved through alert use cases.
A use case is a list of actions that define interactions between an actor and a system to achieve a goal [21]. With any security alert use case, the goal of the security analyst is to be quickly notified about unwanted interactions between two systems where a threat actor is controlling at least one of those systems.
In a nutshell, before developing an alert use case, security teams need to understand what the business needs. It is this understanding that informs the development of the use case. Consider the following three examples where business requirements informed the development of alert use cases:
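The pipeline from slides 95 and 96 (collect from disparate sources, normalize, enrich, correlate, alert) driven by two alert use cases of the kind slide 98 describes, as an added example that is not part of the course material. The log lines, host names, IP addresses, user name and asset inventory are constructed, and VULN-0001 is a placeholder vulnerability id. The first use case fires when an account records several failed logins followed by a success from the same source inside a short window; the second grades an IPS exploit alert by whether the vulnerability scanner still lists the targeted host as unpatched for that issue, which is enrichment the IPS alone cannot do.

```python
"""A miniature SIEM pipeline: normalize -> enrich -> correlate -> alert.

Added example, not part of the course material. Two alert use cases stand in
for the business requirements the slide refers to. The log lines, host names,
IP addresses, user name, asset inventory and the vulnerability id VULN-0001
are constructed placeholders.
"""
import re
from collections import defaultdict
from datetime import datetime

RAW_LOGS = [
    "2024-05-01T08:00:01 fw01 DENY src=203.0.113.5 dst=10.1.0.10 dport=22",
    "2024-05-01T08:00:05 web01 sshd[4242]: Failed password for jdoe from 203.0.113.5 port 51001",
    "2024-05-01T08:00:09 web01 sshd[4242]: Failed password for jdoe from 203.0.113.5 port 51002",
    "2024-05-01T08:00:14 web01 sshd[4242]: Failed password for jdoe from 203.0.113.5 port 51003",
    "2024-05-01T08:00:20 web01 sshd[4242]: Accepted password for jdoe from 203.0.113.5 port 51004",
    "2024-05-01T08:05:00 ips01 ALERT sig=VULN-0001-exploit-attempt src=198.51.100.9 dst=10.1.0.12",
    "2024-05-01T08:06:00 ips01 ALERT sig=VULN-0001-exploit-attempt src=198.51.100.9 dst=10.1.0.20",
]

# Enrichment data as a vulnerability scanner would feed it: asset -> open findings.
INVENTORY = {
    "10.1.0.12": {"name": "web02", "open_vulns": {"VULN-0001"}},
    "10.1.0.20": {"name": "web03", "open_vulns": set()},
}

# One regex per event source; each turns a vendor-specific line into common field names.
PARSERS = [
    ("firewall", re.compile(r"^(?P<ts>\S+) (?P<host>fw\d+) (?P<action>ALLOW|DENY) "
                            r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")),
    ("auth", re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
                        r"password for (?P<user>\S+) from (?P<src>\S+)")),
    ("ips", re.compile(r"^(?P<ts>\S+) (?P<host>ips\d+) ALERT sig=(?P<sig>\S+) "
                       r"src=(?P<src>\S+) dst=(?P<dst>\S+)$")),
]


def normalize(lines):
    """Parse each raw line into a dict with a source tag and an epoch timestamp."""
    events = []
    for line in lines:
        for source, pattern in PARSERS:
            match = pattern.match(line)
            if match:
                event = match.groupdict()
                event["source"] = source
                event["ts"] = datetime.fromisoformat(event["ts"]).timestamp()
                events.append(event)
                break
    return events


def enrich(events, inventory):
    """Attach asset name and open vulnerabilities to events that name a known destination."""
    for event in events:
        asset = inventory.get(event.get("dst"))
        if asset:
            event["asset_name"] = asset["name"]
            event["open_vulns"] = asset["open_vulns"]
    return events


def use_case_bruteforce(events, min_failures=3, window=300):
    """Use case 1: N failed logins followed by a success, same user and source, within window."""
    alerts = []
    by_key = defaultdict(list)
    for event in events:
        if event["source"] == "auth":
            by_key[(event["user"], event["src"])].append(event)
    for (user, src), attempts in by_key.items():
        attempts.sort(key=lambda e: e["ts"])
        for index, event in enumerate(attempts):
            if event["result"] != "Accepted":
                continue
            failures = [e for e in attempts[:index]
                        if e["result"] == "Failed" and event["ts"] - e["ts"] <= window]
            if len(failures) >= min_failures:
                alerts.append(("high", f"{user}: {len(failures)} failed logins then success from {src}"))
                break
    return alerts


def use_case_exploit_vs_vuln(events):
    """Use case 2: an IPS exploit alert is critical only if the target is still unpatched."""
    alerts = []
    for event in events:
        if event["source"] != "ips":
            continue
        vuln_id = event["sig"].split("-exploit")[0]
        target = event.get("asset_name", event["dst"])
        if vuln_id in event.get("open_vulns", set()):
            alerts.append(("critical", f"exploit attempt for {vuln_id} against unpatched {target}"))
        else:
            alerts.append(("info", f"exploit attempt for {vuln_id} against {target} (not vulnerable)"))
    return alerts


def run_siem(lines, inventory):
    events = enrich(normalize(lines), inventory)
    return use_case_bruteforce(events) + use_case_exploit_vs_vuln(events)


if __name__ == "__main__":
    for severity, message in run_siem(RAW_LOGS, INVENTORY):
        print(severity.upper(), message)
```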
103.
Vulnerability Scanners
On completion of this section, you will:
• Be familiar with a vulnerability scanner and its core features and functionalities
• Be able to explain why a cyber security team needs vulnerability scanning capability
• Be familiar with market leaders in vulnerability scanning products
• Through a practical example, understand how a vulnerability scanner is used in an enterprise environment
104.
A vulnerability scanner is a security technology tool used to discover and assess information systems for security weaknesses such as missing patches, application bugs, and misconfigurations. The on-premise implementation of this scanner can be either hardware- or software-based, while vulnerability scanning is also offered as a service by cloud security service providers such as Qualys. Vulnerability scanning is a critical requirement for any cyber security department as it provides the means to detect vulnerabilities and validate remediation once the system owner indicates that the necessary action has been taken.
In order for an IT system or application to be attacked, it must first be found vulnerable; therefore, vulnerability scanners give the enterprise defender an insight into what attackers can potentially see during the first phase of the cyber attack kill chain, reconnaissance. From an attacker's standpoint, reconnaissance is about gathering intelligence about the target, but from a security practitioner's standpoint, (good) reconnaissance is about gathering intelligence about his/her own network to identify exposure points and configuration weaknesses that an attacker can leverage. Based on this understanding, the defender then prioritizes remediation efforts by focusing on the most critical vulnerabilities first.
106.
In detecting vulnerabilities, the scanner follows these steps:
• Step 1a (first slide) – host discovery: the scanner sends ICMP echo requests to every IP address on a particular subnet and waits for a reply to determine which hosts are alive.
• Step 1b (second slide) – echo reply: alive hosts reply back to the vulnerability scanner.
107.
• Step 2a (first slide) – port scanning: depending on its configuration, the scanner scans discovered hosts to detect which ports they are listening on. The scanner may be configured to scan the host for well-known ports (0 to 1023) or all ports (0 to 65535).
• Step 2b (second slide) – the hosts respond to the scanner indicating which ports they are listening on.
108.
• Step 3a (first slide) – the scanner interrogates discovered hosts to determine their individual operating systems.
• Step 3b (second slide) – hosts respond with information about their operating system (usually over 99% level of accuracy).
109.
• Step 4a (first slide) – the scanner interrogates discovered hosts to determine the services running on them and the versions of applications detected.
• Step 4b (second slide) –
 hosts respond with available information in line with the scanner's request.
110.
• Step 5a – proper vulnerability assessment commences. The scanner begins to evaluate every discovered service or application against its own dictionary of vulnerabilities. Vulnerability discovery techniques employed by the scanner can be any one of fuzzing, static analysis, or penetration testing, but that subject is beyond the scope of this course.
• Step 5b – vulnerable hosts begin to respond back to the scanner.
On completion, a vulnerability scan report is generated and sent to individual system owners to take appropriate remedial actions.
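The last two steps of the procedure (the version information gathered in step 4 matched against the scanner's vulnerability dictionary in step 5), followed by the remediation validation that slide 104 says scanning exists to provide, as an added example that is not part of the course material. The network parts (host discovery, port scan, OS and service probes) are replaced by constructed host responses; the vulnerability ids, affected version ranges and severities are placeholders and not real advisories, even where a banner names a real product. The part worth seeing is the version comparison, since "7.2p2 is below 7.4" is what decides whether a finding is raised.

```python
"""Steps 4 and 5 of the scan: version interrogation results matched against a
vulnerability dictionary, then a remediation check on rescan.

Added example, not part of the course material. The network parts (host discovery,
port scan, OS and service probes) are replaced by constructed host responses; the
vulnerability ids, affected version ranges and severities are placeholders, not
real advisories, even where the banners name real products.
"""
import re

# Constructed step 4b output: what each discovered host reported.
DISCOVERED = {
    "10.1.0.10": {"os": "Linux", "services": {22: "OpenSSH 7.2p2", 80: "nginx 1.18.0"}},
    "10.1.0.11": {"os": "Linux", "services": {22: "OpenSSH 9.3", 443: "nginx 1.25.3"}},
    "10.1.0.12": {"os": "Windows", "services": {3389: "MS-RDP 10.0"}},
}

# Constructed dictionary: product -> [(vuln id, (min inclusive, max exclusive), severity)].
VULN_DB = {
    "OpenSSH": [("VULN-SSH-001", ("7.0", "7.4"), "high"),
                ("VULN-SSH-002", (None, "8.0"), "medium")],
    "nginx": [("VULN-NGX-001", ("1.0.0", "1.20.0"), "medium")],
}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(text: str) -> tuple:
    """'7.2p2' -> (7, 2, 2): numeric components compare lexicographically."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def in_range(version: str, bounds) -> bool:
    low, high = bounds
    v = parse_version(version)
    if low is not None and v < parse_version(low):
        return False
    if high is not None and v >= parse_version(high):
        return False
    return True


def assess(discovered=DISCOVERED, vuln_db=VULN_DB) -> dict:
    """Step 5: evaluate every discovered service against the dictionary, per host."""
    report = {}
    for ip, host in discovered.items():
        findings = []
        for port, banner in host["services"].items():
            product, _, version = banner.partition(" ")
            for vuln_id, bounds, severity in vuln_db.get(product, []):
                if in_range(version, bounds):
                    findings.append({"port": port, "service": banner,
                                     "id": vuln_id, "severity": severity})
        report[ip] = findings
    return report


def prioritize(report: dict) -> list:
    """Flatten the report, most severe first, so remediation starts at the top."""
    rows = [(ip, finding) for ip, findings in report.items() for finding in findings]
    rows.sort(key=lambda row: (SEVERITY_ORDER[row[1]["severity"]], row[0], row[1]["port"]))
    return rows


def rescan_after_upgrade(discovered: dict, ip: str, port: int, new_banner: str) -> dict:
    """Constructed stand-in for a rescan: same hosts, one service upgraded."""
    updated = {h: {"os": d["os"], "services": dict(d["services"])} for h, d in discovered.items()}
    updated[ip]["services"][port] = new_banner
    return assess(updated)


def verify_remediation(before: dict, after: dict) -> dict:
    """Findings present in the first report but absent on rescan are closed."""
    return {ip: [f for f in findings if f not in after.get(ip, [])]
            for ip, findings in before.items()}


if __name__ == "__main__":
    first = assess()
    for ip, finding in prioritize(first):
        print(ip, finding["severity"], finding["id"], finding["service"])
    print("closed:", verify_remediation(first, rescan_after_upgrade(DISCOVERED, "10.1.0.10", 22, "OpenSSH 8.1")))
```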
112.
Summary
113.
Access Control Technology Solutions
Access control is about controlling the flow of information between a subject and an object, where the subject is the requestor (user, process, or application) of access and the object (file or application) is the resource to which access is requested. The fundamental concepts of access control are identification, authentication, authorization, and accountability (or auditability). Access control is such an important security capability that most information systems have some sort of built-in access control functionality.
Application Security Technology Solutions
Application security is the act of protecting enterprise applications against malicious attacks that target application vulnerabilities in order to gain access to their backend database. Web application firewall (WAF), code analysis tool (CAT), and database security platform (DSP) are three of the most popular application security technologies. A WAF detects attacks by comparing traffic destined for the protected resource against the expected traffic pattern; the CAT analyzes software applications (internally developed and commercial "off the shelf") for security flaws; and the DSP complements the WAF by enforcing expected behaviors to help defend against database-specific attacks.
114.
Data Security Technology Solutions
The three most popular types of data security solutions are encryption and key management, data leakage prevention (DLP), and digital rights management (DRM). When data is encrypted, it is transformed into an unreadable format such that only authorized users with the right decryption keys can read it. Encryption alone is not good enough without effective key management. DLP is the means by which the leakage of sensitive or regulated business data is prevented regardless of its state (i.e., at rest, in use, or in transit). Typical leakage channels include removable media, cloud storage, and webmail. DRM offers persistent protection to intellectual property regardless of its location.
Host Security Technology Solutions
Enterprise endpoints (workstations and laptops) are more exposed to threats than servers; therefore, they are usually protected by multiple host security software agents. Popular host security solutions include anti-virus, file integrity monitoring, application whitelisting, next-generation endpoint security solutions, and full disk encryption.
115.
Network Security Technology Solutions
Firewalls used to be the be-all and end-all of network security, but evolution in the threat landscape has completely changed the game. With that said, they remain very critical to network security. Other network security solutions include intrusion prevention system (IPS), network access control (NAC), and web security gateway (WSG). An IPS prevents network-based attacks by monitoring network traffic and proactively blocking detected nefarious activities before the attacker does any damage. The main weakness of an IPS is its high probability of blocking legitimate business traffic as a result of false detection. NAC controls access to network resources by ensuring that only hosts that comply with defined security policies are admitted onto the network. A WSG protects end-user computers by filtering web traffic to detect and block traffic to malicious sites that could potentially infect an endpoint.
Cloud Security
Widespread adoption of cloud-based services is rapidly changing the IT landscape. As organizations continue to migrate their information systems to the cloud, security technology vendors continue to devise ways to ensure effective protection of those assets sitting outside the network perimeter. Cloud access security brokers (CASBs) are on-premises or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as cloud-based resources are accessed. A CASB solution offers visibility, compliance, data security, and threat protection capabilities.
116.
SIEM
A security information and event management system collects, processes, alerts, and reports on security events across an enterprise network. The SIEM collects logs and events from several sources including network assets, firewalls, antivirus management servers, vulnerability scanners, host operating systems, applications, databases, web application firewalls, web and email security gateways, identity and access management systems, file integrity monitors, asset management, and so forth. A use case is a list of actions that define interactions between an actor and a system to achieve a goal. With any security alert use case, the goal of the security analyst is to be quickly notified about unwanted interactions between two systems where a threat actor is controlling at least one of those systems.
Vulnerability Scanners
A vulnerability scanner is a security technology tool used to discover and assess information systems for security weaknesses such as missing patches, application bugs, and misconfigurations. Popular vendors in this space are Rapid7, Qualys, Nessus, and Tripwire.
117.
References
1. https://msdn.microsoft.com/en-us/library/aa746492(v=vs.85).aspx
2. https://msdn.microsoft.com/en-us/library/windows/desktop/aa374876(v=vs.85).aspx
3. https://msdn.microsoft.com/en-us/library/windows/desktop/aa706028(v=vs.85).aspx
4. https://web.mit.edu/kerberos/
5. http://www.veracode.com/sites/default/files/Resources/Whitepapers/what-is-application-security-veracode.pdf
6. https://www.imperva.com/docs/DS_SecureSphere_Web_Application_Firewall.pdf
7. https://www.sitelock.com/web-application-firewall
8. https://www.mitre.org/publications/systems-engineering-guide/enterprise-engineering/systems-engineering-for-mission-assurance/secure-code-review
9. http://aspg.com/10-tips-for-securing-encryption-keys/#.WRJZqFPys_U
10. https://www.thales-esecurity.com/products-and-services/products-and-services/key-management-systems
11. https://safenet.gemalto.jp/resources/data-protection/hsm-risk-management-offer/?LangType=1041
12. http://www.isaca.org/Groups/Professional-English/security-trend/GroupDocuments/DLP-WP-14Sept2010-Research.pdf
13. http://www.isaca.org/Groups/Professional-English/security-trend/GroupDocuments/DLP-WP-14Sept2010-Research.pdf
14. http://www.opentext.com/what-we-do/products/enterprise-content-management/content-management/opentext-rights-management
15. https://www.rsaconference.com/events/us15/agenda/sessions/2022/evasive-malware-exposed-and-deconstructed#sthash.Lc7FCoTs.dpuf
16. NIST SP800-167 – Guide to Application Whitelisting
17. https://www.sentinelone.com/wp-content/uploads/2016/02/WP-Next-Gen-EPP-2016.pdf
18. http://www.gartner.com/it-glossary/cloud-access-security-brokers-casbs/
19. https://www.cloudlock.com/cloud-access-security-broker/
20. https://www.skyhighnetworks.com/skyhigh-threat-protection/
21. https://en.wikipedia.org/wiki/Use_case