Security+: Types of Mitigation and Deterrent Techniques (SY0-401) [DECOMMISSIONED ARTICLE]
NOTE: This article reflects an older version of the Security+ Exam – please see the current Security+ Certification page for the most up-to-date information.
Introduction
Mitigating potential risks and deterring would-be offenders are essential parts of any security infrastructure. To pass the CompTIA Security+ exam, you must understand the important concepts of mitigation and deterrent techniques as they appear in the current certification, and that we will discuss in this article.
What Do I Need to Know About Monitoring System Logs for the Security+ Exam?
Logging is the method of choice when it comes to auditing an organized set of information. Monitoring a log is a vital part of your security plan as a whole.
Event logs: Event logs record significant system occurrences, often different from events pertaining to the users. The security administrator should review event logs for issues with regard to hardware failures, uptime, or performance. Event logs can also provide evidence for forensic purposes.
Audit logs: An audit log is a document that records user activities on an IT system. For example, the audit logs record what resources were accessed, who accessed them, a timestamp and user’s login information. Audit logs, in fact, are used to verify whether the users are complying with the defined authorization and security policy of the organization.
Security logs: A security log is used to record information regarding events related to system security, such as authorized or unauthorized login attempts or locally opened, created, or deleted objects or files. The security administrator can specify which events should be recorded in the security logs. Common examples of security logs include Windows Security Log and Internet Connection Firewall security log.
Access logs: A company may provide its employees a limited access to resources of a sensitive nature. An access log records event about the authorized or unauthorized access to that resources. For example, the access log tracks down which users access the resource at which time and to at what extent. Access logs also record the successful and unsuccessful login attempts to the resources.
What Hardening Techniques do I Need to Know for the Exam?
Operating system hardening techniques are used to improve OS security, manage risks, and reduce vulnerabilities. You need to know some important hardening techniques to pass the Security+ exam. These techniques include:
Disabling unnecessary services: The security administrator should reduce the attack surface of the system to achieve appropriate security goals. The attack surface is the area of the system that’s vulnerable to cyber-attacks or exposed to porous networks. If a system is running various unnecessary protocols and services, the attack surface will be larger than the attack surface of a system hosting only indispensable protocols and services. Therefore, the security expert must be prepared to remove all unnecessary applications and services on a system before deploying it on the network.
Protecting management interface and applications: Management interfaces are software applications that can be used to configure the security or a function of hardware devices or software applications. Besides, the management interfaces can control access to network communication, such as routers, switches, and wireless access points, or to carry out security operations, such as proxies, IDS/IPS, or firewalls. Usually, the administrators have access to management interfaces, and therefore can make configuration changes and modify settings to the system or systems. Unauthorized access to the management interfaces can have grave repercussions for the organization. Therefore, the security administrators must encrypt the channel that provides access to the management interface so that unauthorized access can be prevented.
Password protection: Default passwords are always weak and vulnerable to malicious parties. Therefore, the default password should be changed to a complex one that may involve numbers, letters, and special characters.
Disabling unnecessary accounts: This is an essential component of OS hardening. It is very important that you get rid of any unnecessary accounts. Apart from domain accounts, OS hardening also requires attention on local accounts because they are vulnerable to various hacking techniques. Moreover, the principle of least privilege should also be taken into consideration. By deploying this principle, the user account can have only the level of access that can be necessary to perform a particular job function.
What Do I Need to Know About Network Security Mitigation Techniques?
Network security is a prerequisite to the overall security of an IT environment because the intruders can infiltrate the company IT resources and services through an insecure network. The important aspects of network security are discussed below.
MAC limiting and filtering: In computer networking, MAC limiting and filtering allows network administrators to define a list of devices and allow only those devices on their WiFi network. A MAC filter assigns a 48-bit address to each legitimate listed device in order to determine access to the network. MAC filters are commonly configured on switches and wireless access points. However, MAC filtering isn’t a viable solution because it may be vulnerable to MAC spoofing whereby the attackers can circumvent this control.
802.1X: The IEEE standard 801.1X is the port-based network access control that makes sure that the users cannot access the resources or services until the proper authentication is made. By using the 802.1X standard, network administrators can integrate various other solutions, such as TACACS, RADIUS, biometrics, and smart cards into any communication system.
Disabling unused interfaces and unused application service ports: Security administrators should block or disable any unused interfaces and unused application service ports. They can use a Port blocking service that is provided by a hardware or software firewall. This firewall blocks packets directed towards disallowed ports.
Rogue machine detection: A rouge machine is any unauthorized system that either an employee adds by plugging into an RJ45 connector or an intruder adds through a weak network channel, with the express purpose of compromising sensitive data. The rough machine can pose a serious security risk to the organization.
What Do I Need to Know About Security Posture and Reporting?
The security posture is the level and extent to which an enterprise can withstand cyber-attacks. The organization that has good security posture can better defend against security attacks. A good security posture may include well-defined policies and procedures, effective physical controls, proper training of employees, and so on. Reporting is the process of recording all incidents, either minor or severe, in the form of documents. The detailed description of security posture and reporting are discussed below.
Initial baseline configuration: The security baseline is used to harden a system or maintain an already hardened system. It provides a minimal level of security that all the systems in the enterprise should comply with. The security baseline may define security requirements for hardware components, Operating System versions, configuration settings, patches, and so on. For example, the security baseline may spell out that the unnecessary components should be removed; patches should be applied to the OS, installed applications, protocols, and services.
Continuous security monitoring: The security monitoring must be continuous, active, and running. The security management should not define any timeframe when security will be inactive or dysfunctional. However, if security maintenance is inevitable, all user activities should be ended and the administrators should be apprised. The principle of least privileges should also be monitored continually to check workers’ compliance with job-specific responsibilities.
Remediation: This is the process of dealing with malicious code attacks, system compromise, downtime, and so forth. The remedial measures should be prompt and effective in order to repair damage and restore systems to their original states as soon as possible.
Alarms: When an attack or any important event occurs, the alarms notify the security manager to respond promptly. Those events may include security breaches, server crashes, system configuration changes, and so forth.
Alerts: An alert is the anticipation of an unwanted occurrence. It’s a non-emergency or less immediate type of notification. The alerts record events into log files and may notify the security management, later on.
Trends: Trends are tendencies towards worse or better occurrences. Analyzing recorded events or monitoring for trends for trending activities is crucial for security reporting and monitoring.
What Do I Need to Know About Detection and Prevention Controls?
Both Detection and Prevention are essential components of any reliable security infrastructure. A detection control is applied to detect an unauthorized or unwanted activity over a porous network. On the other hand, a preventive control can be used to put an end to unauthorized or unwanted activity.
IDS vs. IPS: An Intrusion Detection System (IDS) is a detection mechanism used to discover security violations. An Intrusion Prevention System (IPS) is a prevention technique used to prevent the security violations or vulnerability exploits from occurring. Network Intrusion Detection Systems (NIDS) and Network-Based Intrusion Prevention System (NIPS) are examples of both types of security controls.
Camera vs. guard: In the physical realm, a camera is a video surveillance mechanism can be utilized to detect and records people’s activities and deter intruders from committing any unwanted or unauthorized activity. In addition, a security guard, also known as a protective agent, can be hired to protect company’s assets from various hazards (such as unsafe worker behavior, damaged property, waste, theft, and so on) by employing standard preventive measures.
InfoSec Security+ Boot Camp
If you are aspiring to take the Security+ exam, then InfoSec Institute is the right institution for you. As a matter of fact, the InfoSec offer a Security+ Boot Camp that teaches you the information theory, as well as reinforces theory with hands-on exercises that help you “learn by doing.”
InfoSec also offers thousands of articles on all manner of security topics.