Unit4 - Subjective Questions

Definition:
Network Security Baselines are a set of minimum security controls, standards, and configuration settings that are applied to network devices (routers, switches, firewalls) and systems to ensure a consistent level of security across the infrastructure. They serve as a reference point for auditing and monitoring.

Criticality:

1. Consistency: Ensures that all systems, regardless of who deployed them, adhere to the same security standards.
2. Drift Detection: Makes it easier to identify 'configuration drift,' where settings are changed (intentionally or accidentally) making the system vulnerable.
3. Compliance: Helps meet regulatory requirements (e.g., PCI-DSS, HIPAA) by enforcing standard security practices.

Common Elements:

• Access Control Lists (ACLs): Defining strictly what traffic is allowed or denied.
• Disable Unused Services: Turning off Telnet, FTP, or unused ports to reduce the attack surface.
• Password Policies: Enforcing strong, periodically changed passwords for administrative access.

Intrusion Detection System (IDS):

• Function: Monitors network traffic for suspicious activity and known threats.
• Action: It is a passive device. It alerts the administrator (via logs, emails, or SIEM) when a potential threat is detected but does not stop the packet flow.
• Placement: Often connected via a SPAN port or network tap (out-of-band).

Intrusion Prevention System (IPS):

• Function: Monitors traffic similarly to an IDS but has the capability to control access.
• Action: It is an active device. It can drop malicious packets, reset connections, or block traffic from specific IP addresses automatically.
• Placement: Placed inline (in the direct path of traffic) to effectively block threats before they reach the target.

Summary Table:

Endpoint Detection and Response (EDR):
EDR is an integrated endpoint security solution that combines real-time continuous monitoring and collection of endpoint data with rules-based automated response and analysis capabilities.

Key Functions:

• Data Recording: Continually records system activities and events.
• Detection: Uses behavioral analytics to detect anomalies that signature-based tools miss.
• Investigation: Provides tools for threat hunting to understand the scope of an attack.
• Response: Can isolate an infected host, kill malicious processes, or delete files remotely.

Difference from Traditional Antivirus (AV):

• Detection Method: Traditional AV relies primarily on signatures (databases of known malware fingerprints). EDR relies on behavioral analysis (looking for suspicious activities like PowerShell execution or unusual lateral movement).
• Scope: AV is preventative (blocking known bad files). EDR is detective and responsive (finding active breaches and helping remediate them).
• Zero-Day Threats: AV often misses zero-day attacks; EDR is designed to detect the behaviors associated with zero-day exploits.

BYOD Risks:

1. Data Leakage: Corporate data mixing with personal apps increases the risk of accidental sharing or copying to unsecured cloud storage.
2. Lost/Stolen Devices: Personal devices often lack encryption or strong pins, putting data at risk if the device is lost.
3. Malware: Personal devices may access risky websites or download unvetted apps, introducing malware to the corporate network.
4. Shadow IT: Use of unauthorized applications for work purposes.

Role of Mobile Device Management (MDM):
MDM software allows IT administrators to secure, monitor, and manage mobile devices. Mitigation strategies include:

• Remote Wipe: Allows IT to delete corporate data (or the whole device) if it is lost or stolen.
• Containerization: Creates a secure, encrypted container for corporate apps and data, separating them from personal data.
• Enforcement of Policies: Forces the user to set a PIN/passcode and enables device encryption.
• App Whitelisting/Blacklisting: Prevents the installation of malicious apps or restricts corporate data access to verified apps.

Mobile Device Hardening refers to the process of securing a mobile device (smartphone, tablet) by reducing its surface of vulnerability. It involves configuring the OS and applications to minimize security risks.

Five Techniques:

1. Disable Unused Interfaces: Turning off Bluetooth, NFC, and Wi-Fi when not in use to prevent eavesdropping or bluejacking attacks.
2. Full Disk Encryption: Ensuring all data stored on the device is encrypted so it is unreadable without the decryption key/passcode.
3. Biometric Authentication: Enabling fingerprint or facial recognition alongside strong passcodes to prevent unauthorized physical access.
4. Keep OS Updated: Regularly applying patches and updates to fix known security vulnerabilities in the mobile OS (iOS/Android).
5. Disallow Rooting/Jailbreaking: Preventing users from gaining administrative privileges, which bypasses the built-in security sandbox of the OS.

Comparison:

• HTTP (Hypertext Transfer Protocol): Transmits data in plaintext. Anyone intercepting the traffic (Man-in-the-Middle) can read usernames, passwords, and data. It operates on port 80.
• HTTPS (HTTP Secure): Transmits data in an encrypted format. Even if intercepted, the data appears as gibberish. It operates on port 443.

Security Mechanism (SSL/TLS):
HTTPS uses TLS (Transport Layer Security) or its predecessor SSL (Secure Sockets Layer) to encrypt communications.

1. Handshake: The client and server exchange 'Hello' messages.
2. Certificate: The server sends its digital certificate to prove its identity.
3. Key Exchange: They negotiate encryption algorithms and exchange cryptographic keys (often using asymmetric encryption to exchange a symmetric session key).
4. Secure Session: All subsequent data transfer is encrypted using the agreed-upon symmetric key, ensuring confidentiality and integrity.

OWASP Top 10:
The OWASP (Open Web Application Security Project) Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.

SQL Injection (SQLi):

• Concept: A vulnerability where an attacker interferes with the queries an application makes to its database. The attacker injects malicious SQL code into input fields (like a login form).
• Example: Entering ' OR '1'='1 in a password field might trick the database into evaluating the condition as true, logging the attacker in without a password.

Prevention:

1. Prepared Statements (Parameterized Queries): The most effective defense. It forces the database to treat user input as data, not as executable code.
2. Input Validation: Sanitize all user inputs to ensure they conform to expected formats (allow-listing characters).
3. Least Privilege: Ensure the database user account used by the web app has only the minimum necessary permissions (e.g., cannot drop tables).

The Shared Responsibility Model defines the division of security obligations between the Cloud Service Provider (CSP) and the Customer.

1. Infrastructure as a Service (IaaS):

   • CSP Responsibility: Physical security of data centers, power, cooling, and the underlying network/virtualization infrastructure.
   • Customer Responsibility: Operating system patching, firewall configuration, application security, data encryption, and identity management. (Customer manages the most here).

2. Platform as a Service (PaaS):

   • CSP Responsibility: Physical infrastructure, OS patching, and runtime environment maintenance.
   • Customer Responsibility: Securing the application code and the data. The customer does not manage the underlying OS.

3. Software as a Service (SaaS):

   • CSP Responsibility: Manages almost everything: Application, Data (storage/backup), Runtime, OS, and Infrastructure.
   • Customer Responsibility: Identity and Access Management (who can log in), and data governance (what data is put there). (Customer manages the least here).

Telnet (Teletype Network):

• Telnet is a legacy protocol used for command-line interface access to remote hosts.
• Vulnerability: It sends all data, including usernames and passwords, in cleartext. An attacker using a packet sniffer (like Wireshark) can easily capture credentials.

SSH (Secure Shell):

• SSH is a cryptographic network protocol for operating network services securely over an unsecured network.
• Security: It provides strong encryption for the session. Even if packets are intercepted, the content is unreadable.
• Authentication: SSH supports public-key authentication, which is stronger than simple passwords.
• Integrity: Ensures data has not been altered in transit.

Significance: In security baselines, disabling Telnet and enforcing SSH (specifically SSHv2) is a mandatory step to prevent credential theft and Man-in-the-Middle attacks.

Cross-Site Scripting (XSS):
XSS is a vulnerability where an attacker injects malicious client-side scripts (usually JavaScript) into web pages viewed by other users. When the victim loads the page, the script executes in their browser, potentially stealing cookies, session tokens, or redirecting the user.

Types:

1. Stored XSS (Persistent):

   • The malicious script is permanently stored on the target server (e.g., in a database via a comment field or forum post).
   • Impact: Every user who views that specific page/comment will execute the script. It is generally more dangerous due to its reach.

2. Reflected XSS (Non-Persistent):

   • The malicious script is reflected off the web server, usually via an error message or search result.
   • Mechanism: The attack is delivered via a link (e.g., in a phishing email) containing the script in the URL parameters. The script executes only if the victim clicks the specific link.

Definition:
SIEM is a software solution that aggregates and analyzes activity from many different resources across the entire IT infrastructure (logs from firewalls, servers, routers, endpoints).

Enhancement Capabilities:

1. Centralization: Collects logs from disparate sources into a single pane of glass, making monitoring manageable.
2. Correlation: It links events from different sources. For example, it might correlate a failed login on a server with a firewall alert from a suspicious IP, identifying a coordinated attack.
3. Real-time Alerting: Provides immediate notifications when pre-defined security rules are violated.
4. Compliance Reporting: Automates the generation of reports required for audits (PCI, GDPR).
5. Forensics: Stores historical data, allowing security teams to investigate how a breach happened days or months later.

Defense in Depth (also known as the Castle Approach) is a strategy that leverages multiple security layers to protect an endpoint. If one layer fails, subsequent layers provide backup protection.

Layers in Endpoint Security:

1. Perimeter/Network Level (Host Firewall): Controls traffic entering and leaving the specific device.
2. Prevention Level (Antivirus/Anti-malware): Signature-based scanning to stop known threats.
3. Detection/Response Level (EDR): Behavioral monitoring to catch advanced threats or ransomware executing in memory.
4. Application Level (Whitelisting): Allowing only approved applications to run.
5. Data Level (Encryption): Encrypting the hard drive (e.g., BitLocker) so data is safe even if physical theft occurs.
6. User Level (Education): Training users not to click phishing links.

By combining these, the endpoint remains secure even if, for example, the user clicks a bad link (Education fail) but the Antivirus catches the download (Prevention success).

Concept:
Network Segmentation involves dividing a computer network into smaller parts (subnetworks or segments). This is often achieved using VLANs (Virtual Local Area Networks), subnets, and firewalls.

Role in Security:

1. Containment: If an attacker compromises one segment (e.g., the Guest Wi-Fi), they cannot easily move laterally to sensitive segments (e.g., the Finance Database or HR systems).
2. Reduced Attack Surface: Limits the visibility of resources to unauthorized users.
3. Performance: Isolate heavy traffic to specific segments, preventing Denial of Service (DoS) due to congestion.
4. Better Monitoring: Easier to spot anomalous traffic moving between segments than amidst general noise.
5. Compliance: Isolating sensitive data (like credit card info) reduces the scope of compliance audits.

Definition:
Jailbreaking and Rooting act to remove the manufacturer's software restrictions, granting the user administrative (root) access to the file system.

Security Risks:

1. Bypassing Security Sandbox: Mobile OSs use sandboxing to isolate apps from each other and the core system. Rooting breaks this, allowing a malicious app to steal data from banking apps or modify system files.
2. Voiding Warranty & Support: Manufacturers often refuse to support compromised devices, leaving them unpatched.
3. Malware Susceptibility: Users often root devices to download apps from third-party stores. These stores lack the rigorous security checks of the Apple App Store or Google Play, increasing malware exposure.
4. Bricking: Improper rooting can corrupt the OS, rendering the device unusable.
5. Disablement of Security Updates: Rooted devices may fail to receive standard Over-The-Air (OTA) security updates.

Definition:
A CASB is a software tool or service that sits between an organization's on-premises infrastructure and a cloud provider's infrastructure. It acts as a gatekeeper, allowing the organization to extend their security policies beyond their own perimeter.

The Four Pillars of CASB:

1. Visibility: Detecting all cloud services (Shadow IT) in use by employees, including unauthorized apps.
2. Compliance: Ensuring that data stored in the cloud meets regulatory standards (HIPAA, GDPR) and data residency requirements.
3. Data Security: Implementing Data Loss Prevention (DLP) to prevent sensitive data (PII, IP) from being uploaded to unauthorized cloud locations or shared externally.
4. Threat Protection: Detecting and responding to insider threats, compromised accounts, and malware within the cloud environment.

Importance:
Patch Management is the process of distributing and applying updates to software. It is crucial because unpatched software contains known vulnerabilities (CVEs) that attackers can exploit. Patching closes these security holes.

Patch Management Lifecycle:

1. Inventory/Discovery: Identify all devices, operating systems, and applications on the network.
2. Scanning: Regularly check the inventory against a database of known vulnerabilities to see what is missing updates.
3. Testing: Apply the patches in a test environment (sandbox) to ensure they do not break critical business applications or cause system instability.
4. Deployment: Roll out the patches to production systems. This can be phased (pilot group first, then everyone).
5. Verification/Reporting: Verify that the patches were successfully installed and generate reports for compliance.

Symmetric Encryption:

• Concept: Uses a single key for both encryption and decryption.
• Analogy: A door with one key; whoever has the key can lock and unlock it.
• Pros: Very fast and efficient for large amounts of data.
• Cons: Key distribution is difficult. How do you send the key securely without it being intercepted?
• Use in TLS: Used for the actual data transmission (session key).

Asymmetric Encryption (Public Key Cryptography):

• Concept: Uses a pair of keys: a Public Key (shared with everyone) and a Private Key (kept secret).
• Mechanism: Data encrypted with the Public Key can only be decrypted with the Private Key.
• Pros: Solves the key exchange problem. You can publicly share the encryption key.
• Cons: Much slower and computationally expensive.
• Use in TLS: Used during the handshake to verify identity and securely exchange the Symmetric session key.

Combined Use: Protocols like HTTPS use Asymmetric encryption to safely agree on a Symmetric key, then switch to Symmetric encryption for the rest of the conversation.

Definition:
CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. It exploits the trust that a site has in a user's browser.

How it works:
If a user is logged into their bank (bank.com) and visits a malicious site in another tab, the malicious site might contain hidden code (like an image tag) that sends a request to bank.com (e.g., transfer_money). Since the user's browser automatically sends the session cookies for bank.com, the bank accepts the request assuming the user intended it.

Mitigation: Anti-CSRF Tokens:

• The server generates a unique, random token for each user session or request.
• This token is embedded in legitimate forms (hidden field).
• When a form is submitted, the server checks if the token is present and matches.
• An attacker cannot forge this token because they cannot read the user's session data due to Same-Origin Policy, so the malicious request fails validation.

Definition:
Network Access Control (NAC) is a security solution that enforces policy on devices before they are allowed to access the network. It handles authentication and endpoint security posture checks.

Enhancement Mechanisms:

1. Pre-admission Checks: Before a device (laptop, smartphone) connects, NAC checks its 'health'. Is the antivirus running? Is the OS patched? Is the firewall on?
2. Quarantine: If a device fails the health check (e.g., has a virus), NAC places it in a quarantine VLAN with limited access, allowing it only to download patches/remediation tools.
3. Role-Based Access: Once authenticated, NAC assigns specific access rights. An IoT camera gets access only to the NVR server, while an HR employee gets access to HR records.
4. Guest Management: Provides a captive portal for guests, keeping them on a separate, restricted network segment.

Serverless Computing (e.g., AWS Lambda, Azure Functions):
A cloud execution model where the cloud provider dynamically manages the allocation of machine resources. The customer writes code (functions) that run in response to events.

Security Implications:
While the provider manages the OS, the customer is still responsible for application logic and data.

Specific Challenges:

1. Insecure Dependencies: Serverless functions often rely on many third-party libraries. If a library has a vulnerability, the function is compromised.
2. Over-privileged Roles: Functions often need permissions to access other cloud services (databases, storage). Developers often grant 'Admin' access to functions for ease, violating the Principle of Least Privilege.
3. Event Injection: Attackers can inject malicious data into the event triggers (e.g., an email, an HTTP request, or a database change) to manipulate the function logic.
4. Lack of Visibility: Traditional monitoring agents cannot be installed on the underlying server (since it's abstract), making standard security monitoring difficult.