Host and Network Defences
Preventive/Protective
Before attack - to discourage risk of attack
Close unnecessary ports
Vulnerability assessment / pen testing
Default security settings
Mis-configuration errors
Well known vulnerabilities
AntiVirus/anti-spyware updating
May depend on signatures augmented with heuristic rules - regular updating needed
Strengthen OS Policies
Address Space Layout Randomization (ASLR) - helps protect against buffer overflow attacks
Code signing - the software vendor signs the app, but the signature doesn't say what the app is going to do, and the app could be fraudulently signed with a stolen key. Called Authenticode in Windows.
Patching
Some don't keep up with patches
Defensive/reactive
What happens when you are attacked - Host based
Active
Antivirus/anti-spyware/rootkit detection
Detection
Identification
Disinfection
Prevention
Virtual machine/sandbox
Personal firewall
Can filter traffic based on ports, IP addresses, protocol, application
Passive - look at what's going on and gather evidence
Host-based IDS
Need defence in depth: if the perimeter wall is broken, the attacker is in, so layered defences are needed
Defensive/reactive
What happens when you are attacked - Network based
Active - interfere with the attack
Blocking
- filtering; care needed not to block legitimate traffic
Firewalls
Access control lists
Whitelists/blacklists
Network administration control, quarantine
Spam filtering
Deception
Redirection - into a false environment. Let the attack happen, but now in a restrictive system
Slowing down - buys some extra time to take action
Rate throttle
Tarpit
Passive - look at what's going on and gather evidence
Honeypots, black holes
Honeypot:
appears convincing
appears vulnerable
monitors and records
restricts attacks to the honeypot only (without possibility of spreading)
IDS
Essentially packet sniffers with analysis engine to recognise patterns of suspicious traffic and raise alarms.
Sensors, Analysis, Output.
Signature/Misuse-based
- traffic data is compared to set of signatures (patterns) for known attacks
Anomaly-based
- any behaviour outside of a 'normal profile' is considered suspicious.
Traffic may also be obfuscated by the attacker, e.g. fragmentation, encryption, tunnelling, so the sensor must reassemble and decode before the analysis engine can match patterns.
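A minimal sensor/analysis/output pipeline that runs both a signature (misuse-based) check and an anomaly-based check over constructed traffic, and shows why fragment reassembly matters before signature matching. Added example, not from the original mind map; the signatures, the "normal profile" thresholds, the Packet layout and the sample traffic are all constructed for illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass
class Packet:
    src: str        # source address (constructed, documentation range)
    dst_port: int   # destination port
    flow: int       # constructed flow id: fragments of one message share it
    payload: bytes

# Constructed signatures: byte patterns standing in for known-attack content.
SIGNATURES = {"sig-traversal": b"../../", "sig-shell-probe": b"/bin/sh"}

# Constructed "normal profile", as an anomaly engine would learn from benign traffic.
NORMAL_PROFILE = {"max_ports_per_src": 3, "max_packets_per_src": 20}

def reassemble(packets):
    """Sensor step: rejoin fragments of one flow, so a pattern split across
    fragments is still visible to the analysis engine."""
    flows = defaultdict(bytes)
    for p in packets:
        flows[(p.src, p.dst_port, p.flow)] += p.payload
    return [Packet(src, port, flow, data) for (src, port, flow), data in flows.items()]

def signature_alerts(packets):
    """Misuse-based: compare traffic against a set of signatures for known attacks."""
    return sorted({(p.src, sid) for p in packets
                   for sid, pat in SIGNATURES.items() if pat in p.payload})

def anomaly_alerts(packets):
    """Anomaly-based: any behaviour outside the normal profile is suspicious."""
    ports, count = defaultdict(set), Counter()
    for p in packets:
        ports[p.src].add(p.dst_port)
        count[p.src] += 1
    alerts = []
    for src in count:
        if len(ports[src]) > NORMAL_PROFILE["max_ports_per_src"]:
            alerts.append((src, "anomaly-many-ports"))
        if count[src] > NORMAL_PROFILE["max_packets_per_src"]:
            alerts.append((src, "anomaly-volume"))
    return alerts

def analyse(packets, reassemble_first=True):
    """Analysis engine: output is the combined alert list (the 'raise alarms' step)."""
    data = reassemble(packets) if reassemble_first else packets
    return signature_alerts(data) + anomaly_alerts(data)

# Constructed sample traffic: one benign request, one signature split across two
# fragments of the same flow, and one source touching many ports.
SAMPLE = ([Packet("192.0.2.10", 80, 1, b"GET /index.html")]
          + [Packet("192.0.2.20", 80, 2, b"GET /../"), Packet("192.0.2.20", 80, 2, b"../etc")]
          + [Packet("192.0.2.30", port, 100 + port, b"SYN") for port in (21, 22, 23, 25, 80)])
```

Running `analyse(SAMPLE)` reports both the split signature and the many-ports anomaly, while `analyse(SAMPLE, reassemble_first=False)` misses the signature because neither fragment alone contains it.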
Modelling:
Attack Tree
Attack Graph
Traffic monitoring
Sniffers
RMON Probes
IDS
Server logs
Routers (Netflow)
Firewalls
Honeypots - decoy PCs/servers