IT Security: Defense against the digital dark arts. Week 5: Defense in Depth


What is a class of vulnerabilities that are unknown before they are exploited?

0-days; 0-day vulnerabilities are unique in that they are unknown (to the vendor and defenders) until they are exploited in the wild.

Which of these host-based firewall rules help to permit network access from a Virtual Private Network (VPN) subnet?

Access Control Lists (ACLs); Host-based firewall rules would typically include Access Control Lists (ACLs) that permit access from the VPN subnet.

What is an attack vector?

a mechanism by which an attacker can interact with your network or systems; An attack vector can be thought of as any route through which an attacker can interact with your systems and potentially attack them.

Using a bastion host allows for which of the following? Select all that apply: applying more restrictive firewall rules; enforcing stricter security measures; running a wide variety of software securely; having more detailed monitoring and logging

applying more restrictive firewall rules, having more detailed monitoring and logging; Bastion hosts are special-purpose machines that permit restricted access to more sensitive networks or systems. Because they serve one specific purpose, these systems can have strict authentication enforced, tighter firewall rules, and closer monitoring and logging.

A good defense in depth strategy would involve deploying which firewalls?

both host-based and network-based firewalls; Defense in depth involves multiple layers of overlapping security. So, deploying both host- and network-based firewalls is recommended.

Disabling unnecessary components serves which purposes? Check all that apply.

closing attack vectors, reducing the attack surface; Every unnecessary component represents a potential attack vector. The attack surface is the sum of all attack vectors. So, disabling unnecessary components closes attack vectors, thereby reducing the attack surface.

Having detailed logging serves which of the following purposes? Check all that apply: event reconstruction; vulnerability detection; data protection; auditing

event reconstruction; Having logs allows us to review events and audit actions taken. If an incident occurs, detailed logs allow us to recreate the events that caused it. (Vulnerability detection is not a correct answer; see the "System Hardening" lesson.)

What are some types of software that you'd want to have an explicit application policy for? Check all that apply.

filesharing software, video games; Video games and filesharing software typically don't have a use in business (though it does depend on the nature of the business). So, it might make sense to have explicit policies dictating whether or not this type of software is permitted on systems.

What can provide resilience against data theft, and can prevent an attacker from stealing confidential information from a hard drive that was stolen?

full disk encryption (FDE); Systems with their entire hard drives encrypted are resilient against data theft, preventing an attacker from recovering confidential information from a hard drive that has been stolen or lost.

How is binary whitelisting a better option than antivirus software?

it can block unknown or emerging threats; By blocking everything by default, binary whitelisting can protect you from the unknown threats that exist without you being aware of them.

When looking at aggregated logs, you are seeing a large percentage of Windows hosts connecting to an Internet Protocol (IP) address outside the network in a foreign country. Why might this be worth investigating more closely?

it can indicate a malware infection; When looking at aggregated logs, you should pay attention to patterns and correlations between traffic. For example, if you are seeing a large percentage of hosts all connecting to a specific address outside your network, that might be worth investigating more closely, as it could indicate a malware infection.

What are some of the shortcomings of antivirus software today? Check all that apply.

it can't protect against unknown threats; Antivirus software operates off a blacklist, blocking known bad entities. This means that brand new, never-before-seen malware won't be blocked.

What benefits does centralized logging provide? Check all that apply.

it helps secure logs from tampering or destruction, it allows for easier log analysis; Centralized logging is really beneficial, since you can harden the log server to resist attempts by attackers to delete logs to cover their tracks. Keeping logs in one place also makes analysis of aggregated logs easier by providing a single place to search, instead of separate, disparate log systems.

What's the purpose of escrowing a disk encryption key?

performing data recovery; Key escrow allows the disk to be unlocked if the primary passphrase is forgotten or unavailable for whatever reason.

What does a host-based firewall protect against that a network-based one doesn't? Check all that apply.

protection from compromised peers, protection in untrusted networks; A host-based firewall can provide protection to systems that are mobile and may operate in untrusted networks. It can also provide protection from compromised peers on the same network.

A hacker exploited a bug in the software and triggered unintended behavior, which led to the system being compromised because it was running vulnerable software. Which of these helps to fix these types of vulnerabilities?

software patch management; Vulnerabilities can be fixed through software patches and updates which correct the bugs that attackers exploit.

What does full-disk encryption protect against? Check all that apply.

tampering with system files, data theft; With the contents of the disk encrypted, an attacker wouldn't be able to recover data from the drive in the event of physical theft. An attacker also wouldn't be able to tamper with or replace system files with malicious ones.

What's an attack surface?

the combined sum of all attack vectors in a system or network; The attack surface describes all possible ways that an attacker could interact with the network and connected systems and exploit potential vulnerabilities in them.

Why is it risky to make an exception to the application policy to allow file sharing software?

the software could be infected with malware; It is generally a good idea to have a policy to disallow particularly risky classes of software. Things like file sharing software and piracy-related software tend to be closely associated with malware infections.

Why is it important to keep software up-to-date?

to address any security vulnerabilities discovered; As vulnerabilities are discovered and fixed by the software vendor, applying these updates promptly is very important to protect yourself against attackers.
