Welcome to Cyber is video series in The Comedy of Security, plus 5 +01 Certification and Exam.
I'm your Instructor, Round Warner.
In this video, we'll be talking about section 2.4.
Given a scenario, analyze and interpret output from security technologies.
Keywords for this video are gonna be interpreting output.
Most systems and security administrators implement a combination of many different types of technologies.
However, there are challenges with it, like choosing the right security technology,
configuring it, optimizing it and then last how to interpret the output from these technologies. Technologies provide a lot of good information,
but are you using it
with the output you have three choices
do nothing, either because it's a false positive. Or the organization really has no significant risk to fixing or eliminating the vulnerability or security gap
or three accepting the risk but implementing mitigating controls.
In this video, I'll discuss the process of analyzing and interpreting output from these different security technologies so you can select an act upon the proper option. You see, the different technologies will be talking about in this video on your screen, including firewalls, host based firewalls, network firewalls,
file integrity checks,
application white listing
data loss prevention, removal meet, removable media control,
application firewalls and data exfiltration prevention.
Let's dive into the world of technology output.
The first type of technology I'll be talking about where we need to understand the output are firewalls on hosts,
desktops and laptops, and even mobile devices all need to have layered security just like servers. One of the most common ways to protect desktops and laptops is to use ah, Host firewall
for the purpose of this video, The discussion focuses on software firewalls that could be implemented into the user environment.
Most major operating systems come with its own host firewall on Windows. It's the Windows firewall you can locate by typing wfp dot MSC at a Windows Command Prompt.
Lennox has its uncomplicated firewall or U F. W
I. P tables is also associated with Lennox.
Each of these provide the ability to block ports Service's I P's or I P Range is. They can also use other types of rules to block unwanted network traffic onto the host.
Host firewalls provide a great layered security across your network.
There can be some challenges, though, with firewall configurations, for example, end user should not be allowed to disable a firewall or change the firewall rules, you should always be centrally managed.
Additionally, the firewall needs to monitor both incoming and outgoing network traffic, not just one or the other. But both
the output of the firewall depends on the actual application and the operating system in use.
For example, on Window, she should be looking at the Windows Event viewer security event to see output from firewall logs. There may also be more information through pop ups.
Lennox Logs Too far log.
Take some time to be familiar with your own operating systems and how your host firewalls work.
Another protection technology we see on hosts is the host Intrusion detection System or host intrusion prevention system
hit heads or hips.
Each of these provides sensors on each host. That relay backed with centralized management console, which compiles the data to identify distributed friends, for example, you see viruses across your network.
Each of those are sensors going to a centralized management console that can tell you of a whole network wide event. It's not just on one system, but happening across your infrastructure.
Heads and hips may also be included with the host firewall or anti virus solution. So consult your own documentation for the solution that's on your systems.
Some issues associated with kids in hips include false positives, legitimate traffic labeled as an attack and false negatives. Attacks labeled as legitimate traffic
concept is to match that traffic identified as an attack with the actual network traffic. To learn more about intrusion detection prevention systems, you should check out nest SP 894 which is their guide.
There's a lot of good information about kids and hips. I recommend you check out to learn more about this topic.
There are a variety of different anti virus and anti Mauer solutions available for desktops, servers, even mobile devices. On your screen, you see Windows Defender.
Windows 10 delivers a comprehensive built in ongoing security protections, including Windows Defender, antivirus firewall and more.
Windows Defender Anti Virus delivers ongoing riel time protection again software threats like viruses and ransom, where you see a typical pop up, which is the output from anti virus or anti malware. Review How these pop ups work and what you can do. For example, it's
this message is telling you that there's harmful or
potentially unwanted software on the machine,
and you can remove it. You can review it, or you can ignore it.
This is an important output regarding anti virus and anti malware
in enterprises. They may use centralized consoles to take away this decision from the end users. Either way, I know how your anti virus and anti malware software works.
Common challenges we see with antivirus and anti malware software particularly associated with output is that pop up warning you saw on the previous screen. If that's happening on an end user system, there's a good potential that the engineers air might click. Ignore.
That's why it's important to centralize security and automate the response as much as possible to take the end user out of the equation
for malware, you should consider whether to quarantine it so putting in its own safe container or removing it.
It's often up to the anti virus, anti malware application that makes this decision and should trust it. But go to the manufacturer's website to learn more about that particular virus or malware warning that occurs through the anti virus anti Mauer.
Other issues associated with anti virus and anti Mauer include the Avie not being updated and outdated signatures
way Anti Virus Works is that it pulls signatures from the vendor that corresponds with known malware wolf. It's not continually being updated. There's a potential for a zero day to be able to sneak through and breach that host system.
Another challenge is false positives. As previously mentioned,
it might be an alert that really doesn't exist. That'll be an annoyance for the end user.
Mauer may still be present even when it said it's been quarantined or removed.
Malware is going to be very tricky, and you can sometimes stay in residents, even though it looks like it's gone, really takes practice and removing it. And the best choices to re image the system.
All of these air challenges associated with anti virus and anti Mauer
there's some simple solutions to the challenges with antivirus and anti malware. First auto updating Auto updating requires network connectivity, but the system should be set to automatically pull signatures and update the antivirus program.
If there is a virus within your network environment, you need to detach that system from the network, make sure that virus doesn't spread.
Another idea is potentially used different products.
For example, I run Windows Defender, along with malware bites, provides layered approach to security.
I previously mentioned hunting malware with CeCe internals in a different video, learning how to manually remove malware. It can be very tricky, but it's a great experience. It's something to learn about.
The last thing to do with malware on a system is to just re image the system. Put on a new operating system that you know is good and clean.
All of these are potential solutions. Review them as you're studying for your security plus material.
A file Integrity checker is another type of security solution you may find on either servers or clients.
What it does is it computes a cryptographic hash such a Shaw one or MD five for all selected files and creates a database of the hash is so has the file name, along with the hash value.
Hashes are periodically cup re calculated and compared to the hash is in the database to check for modification.
It's a little check to see against a known hash and have exchanged than the file has changed, and an alert could be sent to the management console
for alert. You need to determine what has changed and why. It could be due to patching or other types of software upgrades or could be due to malware.
File integrity. Checkers are nice layered approach to security on servers and on hosts. A common program associated with the File Integrity Checker is trip wire
in Application White listing an organization of proof software applications that are permitted to be used on their assets permitted on desktops, laptops or even mobile devices.
Onley. Those approved applications can be installed and used.
The primary purpose of white listing is to protect Resource is from harmful applications. For example, in Microsoft Environment, APP Locker can be used to a white list applications based on the following three Conditions.
Publisher for digitally signed files.
The PATH, which identifies an application by its location.
Or the file hash, which uses a system computed cryptographic hash.
All of these air techniques for application white listing that provide more security on who's based systems and servers
on your screen. You see Windows App Locker in use. AP Locker lets you control which APS and files users can run.
These include Execute herbal file scripts, Windows installer files dynamic linked libraries or D l's packaged APS and packaged app installers.
AP Locker helps you define the rules based on those attributes I talked about on the last slide.
A sign rules to a security group or an individual user create exceptions to rules.
For example, you can create a rule that allows all users to run all Windows binaries except the registry editor like Reg et it.
Another benefit for AP lockers to use audit on Lee Mode to deploy the policy and understand its impact before enforcing it.
AP Lockers. Powerful Tool I recommend you experiment with it to get that hands on experience with application white listing
data loss prevention DLP is a tool to prevent sensitive information from physically or logically leaving corporate systems. You start by determining what is sensitive. So do you have credit cards, Social Security numbers or other personally identifiable information on your systems or network?
Once it's identified, you can ensure it's not being ex full traded
through a DLP solution.
It's designed to detect and prevent unauthorized use and transmission of that confidential information,
and it could be being put out to a USB drive. US people lockers or out to social media, cloud storage or even through email deal. People will check for this to make sure it does not occur.
Deal P systems provide another layered approach to security The output is basically an alert, saying a user's trying to expel trait data. Knowing what to do when that situation occurs is all part of your incident response plan.
And it's all part of a DLP solution.
On the last light, I talked about US bees Common challenge within corporations. People can put him in their pockets, store confidential information on it and walk out the building with it and could be hard to detect. When that happens,
removable media control prevents that it can block all US be usage from a particular set of devices, say, from laptop or desktop. You can use this type of control either locally on a system or throughout your network by setting a corporate policy.
Be aware of how you handle exception. For example, you have a marketing director who has to put his presentation on a thumb drive to deliver it to a client. Maybe you can set temporary permissions for removable media, but normally not allow its use within your corporation.
Another concept is to use only corporate owned and secure devices.
US bees that are encrypted and are owned by the organization and inventory.
Lastly, is to scan the removal media on each used to make sure that there's no viruses or malware being transmitted and that they're scrubbed and cleaned if they're no longer in use.
Patching is one of the best ways. Cleanest ways, easiest ways to prevent and reduce the effects of malware. Another type of breaches.
Automate your patches whenever possible. You should also have a patching process where you start with the vendor notification. For example, second Tuesday of every month, Microsoft sends out a notification about its patches.
Then you test those patches within some type of a test environment
to make sure they're not gonna have some detrimental effect on your network or systems.
Then they want to use stage deployment rather than rolling out a patch to everybody, which could be problematic. You do it to pockets. Maybe I t gets the patch first and then contested over a few days, and then different groups. You roll it out in stages.
Lastly, is reporting have all of the systems received the patch is it hasn't taken. Do any systems miss the patch? Going through that report is very important part of a security professionals life to make sure all the systems within your infrastructure stay up to date and none are missing that patches.
Creating those alerts on failed patches is another type of output you see from Patch management systems.
The Microsoft patches take care of a lot of the major ones on Windows systems,
but not all. If you have any third party applications, make sure they are up to date and automatically. If at all possible,
help automate the patch management process. There's some tools that you can use. One is the Microsoft System Center Configuration Manager or S. C. C. M,
formerly known as the System Management Server. This consolidates and centralizes patching within the Microsoft environment so you could make sure you pull it down from a centralized resource and then distributed out through your network all of your windows systems and devices. Following that process, I just mentioned
the Lenox Red Hat package. Manager RPM does something similar for Lennox Systems.
These Patch Management service is provide automated approach for patching, which reduces if overhead increases efficiency and security.
In a previous video, I talked about you, T m's and N G F W s. These are all one firewall appliances from a single vendor with one management console.
The output from this will depend on the particular vendor.
They will use some type of a console, and sometimes this will be sent to a security operation center that can be monitored and watched 24 by seven
and set it up. It's too who has alerted when anomalies or problems are identified through a U T M or N G. F W.
Also from a previous video, I discussed wafts Web application firewalls,
thes control, the input output and our access to, from or by applications or service is based on categories, rules or heuristics. It watches what's happening on your Web applications, and we'll block malicious traffic in the output from these devices. Will depend on the particular application or vendor in use.
Refer to their documentation for more information.
Typical rules apply for handling output from laughs. Have your incident response plan in place and be ready if you see an attack happening against a Web application server
data execution prevention or depth is available either through hardware or software and prevents malware from executing in the memory space reserved for operating system processes.
You see the example on your screen from Microsoft. This is available in both E a. M D and Intel platform. It's built into the hardware capabilities taught automatically protect the operating systems memory space from potential malware.
This is available also on Windows 10.
In this video, I discussed numerous security technologies and the potential output you may see as a security professional.
Let's practice on a sample quiz question.
The security tool is best for checking to see if specific system files have been changed and report on those changes.
The answer is a file integrity checker
provides hash of system files and checks the hash to see if the file has changed.
You're working as a security analyst and receive a call from an end user saying he has received a warning about a virus.
Which of the following is not a step you should take to resolve the issue?
The answer is B manually delete virus files that won't fully get rid of the virus. You need to be using an antivirus program that will help you remove that file or re image the system.
There are also labs associated with this module,
the first being the application data establishing host security.
In this guide, you will practice with antivirus programs and explore built in anti Mauer applications used within Windows 10 such as Windows Security Essentials.
Another lab you may consider. It's the one on implementing patching using W sauce.
Granted, WS Us is an older technology, but it gives you the ideas of how Windows patching works.
Windows Server Update Service provides a cost effective patch management solution to deploy updates to the main join window servers and workstations in corporate networks.
In this exercise, you learn how to install and configure it, create computer groups and W S U. S. And configure the group policy object policy for it.
It's another opportunity for you to get hands on experience with this material.
This concludes the video for section 2.4. Given a scenario, analyze and interpret output from security technologies.
Refer to your study material for more information on these topics,