- 2.9.1 – Operating System Security
- 2.9.2 – Malware Prevention
- 2.9.3 – Application Management
- 2.9.4 – Host Based Network Security Controls
- 2.9.5 – File Integrity Monitoring
- 2.9.6 – Removable Media Control
- 2.9.7 – Data Execution Prevention (DEP)
2.9.1 – Operating System Security
There are many OS security settings. You should establish a baseline for OS security settings that are used in your environment. One of these might be removing users from the local administrators group. This can be done using Group Policy.
Applying patches is critical to avoid known vulnerabilities being exploited. You can set the update settings using Group Policies.
Applying Updates on a Linux System
This can be done on the command line to get and install updates:
sudo yum update
System hardening involves analysing the default settings and services of the OS, and removing or locking down the settings or services that aren't needed.
System hardening tasks
- Remove unnecessary software and operating system components to configure the system for the least functionality required to perform its function. This is known as reducing the attack surface: the fewer things there are installed, the fewer there are for an attacker to exploit.
- Lock down the host firewall configuration to only allow access to those services intended for use by other systems.
- Disable any default accounts and passwords that came with the OS or applications
Trusted Operating Systems
This is a formal term used to describe operating systems that have gone through an accreditation process by government agencies, known as the Common Criteria. The process for accreditation as a trusted operating system is very rigorous.
2.9.2 – Malware Prevention
See Section 1.1 Malware for more information on the different types of malware.
Types of Malware Prevention
- Signature Detection: this method uses databases of known patterns and scans the files and memory of a system for any data matching the pattern of known malicious software. If the antivirus software finds suspect file contents, it can then remove that content from the system, or quarantine it for further analysis. When you are using signature detection, it’s critical that you frequently update the virus definition file to ensure that you have current signatures for newly discovered malware.
- Heuristic or Behaviour Detection: Instead of using patterns of known malicious activity, these systems attempt to model normal activity, and then report when they discover anomalies, activity that deviates from the normal pattern. Behavioural detection techniques are found in advanced malware protection tools. These advanced tools go beyond basic signature detection, and perform deep instrumentation of endpoints. They analyse memory and processor usage, registry entries, network communications, and other system behaviour characteristics.
These systems often have the capability of performing sandboxing. When a system receives a suspicious executable, the advanced malware protection system sends that executable off to a malware sandbox before allowing it to run on the protected system. In that sandbox, the malware protection solution runs the executable and watches its behaviour, checking for suspicious activities. If the malware behaves in a manner that resembles an attack, it is not allowed to execute on the protected endpoint.
Malware logs should be sent to a centralised system for storage and analysis.
2.9.3 – Application Management
Application control restricts the programs that run on a system to the programs that meet the organisation's security policy. There are two approaches to application control:
- Whitelisting: administrators create a list of all the applications that may run on a system. This works well but can be difficult to manage if there are a lot of different programs.
- Blacklisting: administrators create a list of the applications that are prohibited from running on a system. This is easier to manage but not as secure.
Windows has the built-in AppLocker that can be used to whitelist/blacklist software. You can create these rules using Group Policies. You should send the AppLocker logs to your central log repository.
It is important to patch both Operating Systems and applications.
Host Software Base-lining
This uses a standard list of software you expect to see on your hosts, then reports back if there are any deviations to this on the hosts.
2.9.4 – Host Based Network Security Controls
These monitor the connections from internal to external traffic (and vice versa) and only allow connections that are permitted according to the organisation's rules and policies. They follow the "Default Deny Principle":
Block anything not explicitly allowed.
There are two types of firewalls:
- Network firewalls: hardware devices that regulate connections between two networks. In most cases this is at the edge of the network between the internal network and the internet.
- Host firewalls: this is a software component on a host (client or server) that limits connections to and from that host.
Windows host firewall rules are applied per network profile:
- Domain profile: affects any systems on the same domain
- Private profile: affects any systems on the same network, but not necessarily the same domain
- Public profile: affects any systems from outside the network, e.g. the internet
EXAM TIP: granting network access requires configuring both network and host firewalls!
Firewall logs should be sent to your central log repository.
2.9.5 – File Integrity Monitoring
File Integrity Monitoring watches servers or file share locations for unexpected modifications, then reports on these incidents. They use hash functions to monitor this.
Hash Functions are one-way functions that transform a variable length input into a unique fixed-length output.
File Integrity Monitoring systems run hash functions on the files that are being monitored and store the results. They then run these hash functions periodically and compare the results to what they have stored. If they are different, they can alert administrators.
Tuning of these systems is critical. E.g. log files will change regularly; if these are being monitored the alerts would be overwhelming. But you would want the core OS files of the server to be monitored.
EXAM TIP: analysing the output of a file integrity monitoring system would make a good exam question.
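The baseline-then-rescan loop and the tuning step above, as an added example (not from the original notes): it hashes a monitored tree with SHA-256, stores the baseline, re-scans, and reports modified, added and removed files while skipping log paths. The directory layout, file contents and exclusion patterns are constructed for the demo.

```python
import hashlib
import os
import re
import tempfile
# Tuning: paths matching these patterns are not monitored. Log files change
# constantly, so hashing them would drown administrators in alerts.
EXCLUDE_PATTERNS = [re.compile(r"\.log$"), re.compile(r"(^|/)logs?/")]

def sha256_of_file(path: str) -> str:
    """Hash a file in 64 KiB chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: str) -> dict:
    """Record {relative_path: sha256} for every monitored file under root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if not any(p.search(rel) for p in EXCLUDE_PATTERNS):
                baseline[rel] = sha256_of_file(full)
    return baseline

def compare(baseline: dict, current: dict) -> dict:
    """Deviations from the stored baseline: what the FIM system would alert on."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

def write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)

def demo() -> dict:
    # Constructed scenario in a temp dir: core files plus a log, then a periodic re-scan.
    root = tempfile.mkdtemp()
    write(root, "bin/sshd", b"binary v1")
    write(root, "etc/ssh/sshd_config", b"PermitRootLogin no\n")
    write(root, "var/log/app.log", b"line 1\n")
    baseline = build_baseline(root)                                # hashes stored at install time
    write(root, "var/log/app.log", b"line 1\nline 2\n")            # normal log growth: excluded, no alert
    write(root, "etc/ssh/sshd_config", b"PermitRootLogin yes\n")  # core config changed: alert
    write(root, "bin/unknown-tool", b"not in baseline")            # new file in a core directory: alert
    return compare(baseline, build_baseline(root))
```

Running `demo()` returns one modified file (the SSH config), one added file, and nothing removed; the log growth produces no alert because the path is excluded.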
File Integrity monitoring is often a compliance requirement.
2.9.6 – Removable Media Control
You can have the highest security measures in place to stop a user stealing sensitive data over a network, but this can all be circumvented if a user can copy data to a removable drive and walk out the door with it.
Securing Removable Media
You can take two different steps to address this threat:
- Limit or block the use of removable media
- Track attempts to copy data to removable media
In Windows you can prevent or limit access to removable media using Group Policies.
2.9.7 – Data Execution Prevention (DEP)
This protects the core components of the Windows OS from malware and other exploits. DEP works by enforcing specific restrictions on the places where executable code is stored. This prevents many types of attacks by preventing the execution of code from inside a space reserved for system data, without the authorisation of a system administrator.
By default, DEP is turned on in Windows systems. You can turn it off or make exceptions for programs if it is causing you issues.