Host Intrusion Detection/ Prevention Systems
Security and Event Log Analysis
Data Execution Prevention (DEP)
Enhanced Mitigation Experience Toolkit (EMET)
Answer: Maintaining Access
SysInternals Toolkit: The Windows Sysinternals Toolkit is a pack of free utilities for troubleshooting Windows systems. Some of the free tools are Process Explorer, Autoruns, RootkitRevealer, Contig, Pagedefrag, and dozens of other useful tools.
Least Privilege: A lazy company with a rookie IT staff might give out system administrator privileges to all users on the network. Why? Because it’s simple and convenient. However, this introduces a huge amount of risk into the business. Users could sabotage or steal company data, on purpose or accidentally. Or, hackers could compromise an employee account and have full access to the systems!
Best practice in cybersecurity is to implement least privilege: giving users only the minimum amount of access and power on the system to do their job. This helps to reduce risk across the board and secure the business systems.
Mandatory Vacations: It might sound odd for a company to force employees to take vacations, but it actually makes practical security sense. If an employee has access to important information or business functions, there’s a chance that employee might abuse his position to commit fraud or other crimes. By forcing vacations, employee positions will rotate and these rotations can uncover fraud and abuse.
Password Expiration: Passwords are fundamental to security and, unfortunately, many people do not follow best practices for passwords. User passwords will often be short, easily guessed, and rarely changed. Making passwords expire periodically forces users to change them. The idea is that if a password had been compromised at the time of the change, the hackers lose access to that account once it is changed. However, password expiration is often seen as an inconvenience by users.
Passwords are sort of like milk, if you think about it…
Configuration Management: Every organization wants their products and systems to be functioning optimally and operating consistently over time. Configuration management (CM) has five major disciplines, which are: planning and management, identification, control, status, and verification/audit.
VLANs: A VLAN is a logically separated part of a network. In an enterprise organization, all the many computers and network devices would be physically connected to each other through the same cables, switches, and routers. In order to split up the networks, you don’t have to physically separate them with different cables. Instead, set up a VLAN to chunk the network into separate network segments.
Network Segmentation: Splitting up a computer network into smaller, separate segments is known as network segmentation. The larger the organization, the more important it is to implement network segmentation. You can segment off the programming department from the accounting department, for example, because a coder likely has no business messing around in the accounting department files, and vice versa. This prevents employees from messing around in systems they shouldn’t and, if their accounts ever get hacked, makes life a lot harder for the hackers.
Trust Zones: Many security features come with a degree of inconvenience for the user. Designing cybersecurity solutions can be a balancing act between security and convenience. A trust zone indicates the level of trust that two systems have with each other: for example, an out-of-the-box router will usually have a very high degree of trust with the first devices connected to it. High trust lets devices communicate and function easily with each other, but this comes with a high degree of risk in the event that one system exploits the other. If these default trust zone configurations are not changed, your systems will be less hardened and more vulnerable to cyberattack.
Host IDS/IPS: Intrusion detection systems (IDS) and intrusion prevention systems (IPS) can both be implemented at the network level. However, IDS and IPS can also be placed on the host, the actual computer users are using. The host version of IDS and IPS is an extra layer of defense that can detect or prevent hackers who make it past the network IDS/IPS. Network IDS/IPS, if configured properly, can work in tandem with host IDS/IPS.
Security and Event Log Analysis: All sorts of activity logging and monitoring can be set up to detect suspicious or malicious activity on your systems. These logging systems should be set up to alert security personnel about specific suspicious activity, because otherwise your security staff will be flooded with a never-ending tidal wave of log information. Logs at big organizations can rack up thousands or even millions of entries each day, which no amount of security personnel could possibly keep up with. Logs can, and should, be analyzed by automated tools, which can scan logs far faster than humans can. These tools, however, are not perfect, and sometimes humans have to manually sort through stacks of logs to find what they’re looking for.
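The alerting approach described above, as an added example that is not part of the original page: a small Python detector that parses constructed Windows-style logon events (4625 = failed logon, 4624 = successful logon) and raises a single alert per source address once it sees five failures inside a one-minute window, so the analyst receives one actionable event instead of every raw line. The line format, user names and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified Windows Security log style
# (4625 = failed logon, 4624 = successful logon); not real data.
SAMPLE_LOG = """\
2024-03-01 09:00:01 EventID=4624 User=alice Source=10.0.0.5
2024-03-01 09:00:12 EventID=4625 User=bob Source=203.0.113.7
2024-03-01 09:00:15 EventID=4625 User=bob Source=203.0.113.7
2024-03-01 09:00:19 EventID=4625 User=carol Source=203.0.113.7
2024-03-01 09:00:22 EventID=4625 User=dave Source=203.0.113.7
2024-03-01 09:00:30 EventID=4625 User=erin Source=203.0.113.7
2024-03-01 09:01:10 EventID=4625 User=frank Source=10.0.0.9
2024-03-01 09:45:00 EventID=4625 User=frank Source=10.0.0.9
"""
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) EventID=(?P<eid>\d+) "
                     r"User=(?P<user>\S+) Source=(?P<src>\S+)$")

def parse_log(text):
    """Parse matching lines into dicts; unparseable lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                           "eid": int(m["eid"]), "user": m["user"], "src": m["src"]})
    return events

def failed_logon_alerts(events, threshold=5, window_seconds=60):
    """Alert once per source IP that produces >= threshold failed logons (4625)
    within a sliding window. Returns [(source, window_start, sorted users)]."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for e in events:
        if e["eid"] == 4625:
            by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until evs[start..end] fits in `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                users = sorted({e["user"] for e in evs[start:end + 1]})
                alerts.append((src, evs[start]["ts"], users))
                break  # one alert per source: avoid flooding the analyst
    return alerts
```

The two slow failures from 10.0.0.9 never trigger an alert with the default window, which is the point: the rule targets a burst, not every failed logon.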
SELinux: A special type of security module is built into certain flavors of Linux, and this module is known as Security-Enhanced (SE) Linux. SELinux is a modified version of the kernel, and the kernel is the beating-heart center of computer software. One of the features of SELinux is built-in least privilege for the system daemons (background services): each service has the least amount of privilege needed to function. SELinux was developed with the US Department of Defense (DoD) and National Security Agency (NSA) in mind.
Data Execution Prevention: Almost all malware will, at some point, need to execute data from a file. Data execution prevention is a tool that looks at binary (executable) files as they are being run, and if suspicious behavior or patterns are detected, it can stop and even delete the files before they are opened as a process.
One of the latest developments in antivirus and antimalware technology is the integration of data execution prevention with machine learning. This is important, because machine learning is the best way for automated systems to learn the difference between real malware and legitimate software, cutting down on the number of false positives while still catching most of the malware before it is executed.
Enhanced Mitigation Experience Toolkit: EMET is a Microsoft utility that helps protect Windows software from exploitation. EMET puts significant barriers in front of software that hackers would have to get past in order to hack the software EMET protects. However, EMET has an end-of-life date scheduled for July 30, 2018, at which time Microsoft will stop providing updates for EMET.