Time
1 hour 51 minutes
Difficulty
Beginner
CEU/CPE
3

Video Description

Mitigation and Deterrent. Today's lesson focuses on system log management and monitoring as a first-level view of what's happening in real time with all aspects of your network and security environment. We discuss the importance of constant monitoring of event, audit, access and other logs, why it's important to know what services are running, learning when unnecessary services have been launched and how that "real time" info may indicate a security breach. You'll learn about MAC filtering, why it's essential to disable unused application services or interfaces and how security breaches can occur when this is not done.

Transcript

Today we will be discussing mitigation and deterrent techniques. We would look at some monitoring of our system logs, and hardening of systems, to start with. When you monitor your system logs, everything that takes place on a network is captured by a log. All activity on a network is captured by a type of log. It is our responsibility to monitor these logs periodically, frequently, to ensure that we can see and tell what is taking place on the networks. If you go into the Event Viewer you can have access to your event logs, your audit logs, your security logs and your access logs. The event logs will let you know what's transpired. The audit logs would also let you know what is taking place on the networks once changes are taking place. The security logs will let you know who had access to what; your access logs would also tell you what this means: what access was successful, what access was denied. All of these, you can monitor the logs to tell you what took place. Your logs could give you historical knowledge; your logs could also give you present knowledge, and based on what you see within the logs, what you can tell, you could infer future activities just by observing your logs. Say for example you're monitoring the failed access logs. You could only determine, because you are having failed access, that it could possibly be that maybe the passwords are too complex for users to remember, or maybe we're having poor physical security at a certain location that's allowing malicious people to come attempt to log on to the system. So by doing further studies you are able to ensure the security of your enterprise.

When we talk about hardening the system, it means you are taking any system out of its default settings. You are making them much more secure. Some of the things we do when we harden a system: unnecessary services, best practice, we disable them. We want to disable unnecessary services. If you have services that are not needed and they are running, some people would find use of these services, so, something that is disabled cannot be utilized. So the best practice: you disable all services that are not in use. That way you reduce your vulnerability. You also want to protect management interfaces and applications. An example of a management interface is Control Panel. The Control Panel is a management interface. It's a simple example to illustrate at this point. This is why in certain enterprises basic users do not have access to Control Panel. The moment you log on, the system does authentication, does authorization to check that, if you don't have access, you are not allowed to see Control Panel. It is a management interface within which many controls and changes could be implemented on the system. It is important that your users don't see management interfaces; you put in control policies to protect the use or access of management interfaces. Also applications: certain applications could change the modifications on your system. You want to prevent, protect, stop such applications from all users; only privileged users should have access to such applications.

You also want to implement password protection. Password protection could be done to harden your servers, to harden your network devices. You implement passwords. It is a bad practice just to say, all right, we have too many passwords, for that reason we don't put any passwords on that device; you know that is not good. You harden a system by putting in complexity passwords; complexity passwords include uppercase, lowercase, numbers and special characters. That way you ensure that only a person that has knowledge of the password can access the system. So the system is much more secure. You also want to disable unnecessary accounts on your systems, or on your local systems; your guest account could be an unnecessary account, so if you don't need it you disable it. If you have, in some environments we install Active Directory. Active Directory is a solution by Microsoft; Active Directory is software you will actually install, or you install on your servers. When you install Active Directory, Active Directory also installs for you automatically what we call built-in accounts. These accounts are unnecessary; disable any one that's not in use. If you have accounts that are not disabled and malicious people stumble upon them, it is very possible that these accounts might even have no passwords or they might have default passwords, which everybody is very easily able to gather across the Internet. So best practice: unnecessary accounts, disable them. Accounts could even become unnecessary after a staff member has left the organization, maybe terminated. Voluntary termination or involuntary termination, you want to disable such accounts. Any accounts that are not in use, guest accounts, built-in accounts, terminated accounts that you have on your networks, best practice, you disable them. The essence of disabling them ensures that nobody can stumble upon them and use them maliciously.

To secure our networks, we could also implement network security. When we do that we will talk about MAC filtering, MAC limiting, 802.1x; you disable unused interfaces and disable unused application service ports. When we talk about MAC filtering, every device that can connect to a network has a physical address. This is a unique address which we call the MAC address, a media access control address. This is a forgery. This is an address that is unique to every device able to connect to a network. If you limit access based on the MAC address, you limit access to your routers or to your network; you are said to be MAC filtering. Limiting access to your network based on MAC address is called MAC filtering. MAC limiting means that you limit the number of devices, a certain number of devices, that can belong to your network based on their MAC address. Maybe you want to limit your routers or your switches or even servers; you want to limit the number of them, then using the MAC address you could say you are MAC limiting. Access will be granted or denied based on the MAC address. It could be access to your routers. You could list, on the access control list, you could key in the numbers you want to allow or the numbers you don't want to allow, that is, the numbers you want to deny. If you limit access based on the MAC address you are said to be MAC filtering. You could also do this on your routers to dictate who has access to your routers or who doesn't have access to your routers.

Then we see there is 802.1x. This is the port-based authentication standard. It is a port-based authentication standard to limit the use of rogue devices on our networks. Rogue devices are devices that are not authorized to be on our network. Without 802.1x it is possible that somebody could bring in a router, connect it to the switch on the wall, plug it in to the wall, on the ports on the wall, or any other network device, and they're able to pull the network service, say access to the Internet. But when you implement 802.1x it ensures that every device connecting to your network must authenticate. Your users must authenticate before they can pull the network service. The Internet access cannot be gotten unless you authenticate to the network. You also want to disable unused interfaces. Any interfaces that are not in use should be disabled, because some users are very skilled and they can find their way around the system by hopping around different interfaces. So any interface that is not in use should be disabled. Your programmers should disable these so that you cannot use them; malicious persons have no use of them. You also want to disable unused application service ports. Malicious persons will scan your ports to see what ports are in use. If there are ports that you don't use, best practice, disable them. When we are hardening systems we want to disable unused accounts, we want to disable unused services; we also want to disable unused ports. You want to disable any application service ports; otherwise the malicious persons will use them against you.
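The instructor's point about failed-access logs, that the same pattern can mean either users struggling with complex passwords or someone at a poorly secured location trying accounts, can be turned into a simple triage rule. The script below is an added example and is not part of the lecture or the course materials. It runs over a constructed log excerpt in a made-up `time result user host` format (real event logs, such as Windows Security event 4625 for a failed logon, carry the same fields under other names) and encodes the two hypotheses from the lecture as assumptions: failures from one host across many distinct accounts within a few minutes point to the physical-security or malicious case, while a user's failures followed by a success from their usual host point to a password-usability problem. The `parse`, `triage` and `SAMPLE_LOG` names are all constructed for this example.

```python
"""Triage of failed-logon entries, following the lecture's two explanations.

Added example with constructed data (not real logs and not the course's code)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample: "<ISO time> <FAIL|OK> <user> <source host>", one logon attempt per line.
SAMPLE_LOG = """\
2024-03-01T08:01:10 FAIL alice WS-ALICE
2024-03-01T08:01:25 FAIL alice WS-ALICE
2024-03-01T08:02:05 OK alice WS-ALICE
2024-03-01T08:10:00 FAIL bob WS-BOB
2024-03-01T08:15:00 OK bob WS-BOB
2024-03-01T22:30:00 FAIL carol LOBBY-KIOSK
2024-03-01T22:30:04 FAIL dave LOBBY-KIOSK
2024-03-01T22:30:09 FAIL erin LOBBY-KIOSK
2024-03-01T22:30:13 FAIL frank LOBBY-KIOSK
2024-03-01T22:30:18 FAIL guest LOBBY-KIOSK
2024-03-01T22:30:22 FAIL administrator LOBBY-KIOSK
"""

Event = Tuple[datetime, str, str, str]  # (time, result, user, host)


def parse(text: str) -> List[Event]:
    """Parse the constructed format; malformed lines are skipped rather than aborting the triage."""
    events: List[Event] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] not in ("FAIL", "OK"):
            continue
        events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3]))
    return sorted(events)


def triage(events: List[Event], window: timedelta = timedelta(minutes=5),
           spray_threshold: int = 4) -> Dict[str, object]:
    """Split failures into the lecture's two hypotheses.

    suspicious_hosts: host -> largest number of distinct accounts that failed from it inside
        one `window` (many accounts from one place suggests an unattended or poorly secured
        location, or someone trying accounts, rather than a user mistyping).
    likely_forgotten_password: users whose failures were followed by a success from the same
        host within `window` (the "password too complex to remember" case).
    """
    failures_by_host: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, result, user, host in events:
        if result == "FAIL":
            failures_by_host[host].append((ts, user))

    suspicious_hosts: Dict[str, int] = {}
    for host, fails in failures_by_host.items():
        for start, _ in fails:  # sliding window anchored on each failure
            users = {u for t, u in fails if start <= t <= start + window}
            if len(users) >= spray_threshold:
                suspicious_hosts[host] = max(suspicious_hosts.get(host, 0), len(users))

    usability = set()
    for ts, result, user, host in events:
        if result != "OK":
            continue
        recent_fail = any(r == "FAIL" and u == user and h == host and ts - window <= t < ts
                          for t, r, u, h in events)
        if recent_fail:
            usability.add(user)

    return {"suspicious_hosts": suspicious_hosts,
            "likely_forgotten_password": sorted(usability)}


if __name__ == "__main__":
    for key, value in triage(parse(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

The two thresholds (`window`, `spray_threshold`) are the tuning knobs a monitoring team would adjust from their own baseline; the sample deliberately includes `guest` and `administrator` among the tried accounts, which ties back to the lecture's advice that unused built-in accounts should be disabled so such attempts cannot succeed.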

Video Transcription

00:04
Today we will be discussing mitigation and deterrent techniques. We would look at some monitoring of our system logs and hardening of systems, to start with.
00:15
When you monitor your system logs,
00:19
everything that takes place on the network is captured by a log.
00:23
All activities on the network are captured in a type of log,
00:28
so it is our responsibility to monitor these logs
00:32
periodically,
00:34
frequently, to ensure that we can see and tell what is taking place on the networks.
00:40
If you go into your Event Viewer, you can have access to your event logs, your audit logs, your security logs and your access logs.
00:49
The event logs will let you know what's transpired.
00:53
Audit logs would also let you know
00:57
what has taken place on the networks, what changes have been taking place.
01:00
Your security logs will let you know who has had access to what. Your access logs would also tell you, you know, what this means: what access was successful, what access was denied. All of these, you can monitor the logs to tell you what took place.
01:18
Your logs could give you historical knowledge.
01:22
Your logs could also give you present knowledge, and based on what you see within the logs, what you can tell, you could infer
01:32
future activities just by observing your logs. Say, for example, you're monitoring the failed access logs.
01:40
You could only determine, because you are having failed access, that it could possibly be that maybe the passwords are too complex for the users to remember. Or maybe we're having
01:49
poor physical security at a certain location that's allowing malicious people to come attempt to log onto the system. So by doing further studies, you are able to ensure the security of your enterprise.
02:06
When we talk about hardening the system,
02:08
it means you're taking any system out of its default settings. You're making them much more secure. So some of the things we do when we harden the system: unnecessary services, best practice, we disable them.
02:23
You want to disable unnecessary services. If you have services that are not needed
02:30
and they are running, some people would find use of the services, so, something that is disabled cannot be utilized. So the best practice: you disable all services that are not in use. That way you reduce your vulnerability.
02:46
You also want to protect management interfaces and applications.
02:52
An example of a management interface is Control Panel.
02:55
The Control Panel is a management interface.
02:59
It is a simple example to illustrate at this point. So this is why, in certain enterprises, basic users do not have access to Control Panel. The moment you log on, the system does authentication, does authorization to check that, if you don't have access, you are not allowed to see Control Panel.
03:17
It is a management interface
03:19
within which many controls and changes could be implemented on the system. So it is important that your users don't see management interfaces,
03:30
and you put in control policies to protect
03:32
the use or access of management interfaces. Also applications: certain applications could change the modifications on your system.
03:43
You want to prevent, um,
03:46
protect, stop such applications from all users. Only privileged users should have access to such applications.
03:53
You also want to implement password protection.
03:58
Password protection could be done to harden your servers, to harden your network devices;
04:02
you implement passwords.
04:05
It is a bad practice just to say, all right, we have too many passwords; for that reason, we don't put any passwords on that device. You know that is not good. You harden a system by putting in complexity passwords. Complexity passwords include uppercase, lowercase, numbers and special characters. That way you ensure that
04:26
only persons that have knowledge of the password
04:29
can access the system, so the system is much more secure.
04:33
You also want to disable unnecessary accounts
04:38
on your systems, or on your local systems. Your guest account could be an unnecessary account. Say you don't need it.
04:46
You disable it.
04:47
If you have, in some environments, we install Active Directory. Active Directory is the solution by Microsoft. Active Directory is software you actually install, or you install on your servers. When you install Active Directory,
05:02
Active Directory also installs for you automatically what we call built-in accounts.
05:09
These accounts
05:11
are unnecessary.
05:13
Disable any one that's not in use. If you have accounts that are not disabled and malicious people stumble upon them, it is very possible that these accounts might even have no passwords, or they might have default passwords, which everybody's very easily able to gather across the Internet. So best practice:
05:31
unnecessary accounts,
05:33
disable them. Accounts could even become unnecessary after a staff member has left the organization, maybe terminated. Voluntary termination or involuntary termination, you want to disable such accounts. Any accounts that are not used, guest account, built-in account, terminated accounts that
05:51
you have on your networks,
05:54
best practice, you disable them. The essence of disabling them ensures that nobody can stumble upon them and use them maliciously.
06:03
So to secure our networks, we could also implement network security. When we do that, we will talk about MAC filtering, MAC limiting, 802.1X. You disable unused interfaces, disable unused application service ports. When we talk about MAC filtering,
06:21
every device that can connect to a network has a physical address. This is a unique address, which we call the MAC address,
06:30
a media access control address. This is a 40. This is an address that is unique to every device able to connect to a network. So if you limit access
06:42
based on the MAC address, you limit access to your routers or to your network. You are said to be MAC
06:48
filtering.
06:49
Limiting access to your network based on the MAC address is called MAC filtering.
06:56
MAC limiting means that you limit the number of devices, a certain number of devices, that can belong to a network based on their MAC address. So maybe you want to limit your routers or your switches or even servers. You want to limit the number of them. Then, using the MAC address,
07:15
you could say you're MAC limiting.
07:17
Access could be granted or denied based on the MAC address. It could be access to your routers.
07:26
We could list
07:28
on the access control list; you could key in the numbers you want to allow or the numbers you don't want to allow, that is, the numbers you want to deny. If you limit access based on the MAC address, you are said to be MAC filtering. You could also do this on your routers to dictate who has access
07:46
to your routers or who doesn't have access to your routers.
07:49
Then we see 802.1X. This is a port-based authentication standard. It is a port-based authentication standard to limit the use of rogue devices on our networks. So rogue devices are devices that are not authorized to be on our networks. Without,
08:09
without 802.1X, it is possible that somebody could bring in a router, connect it to the switch, the switch on the wall, plug it in to the wall, on the ports on the wall, or any other network device, and they're able to pull the network service, say access to the Internet. But when you implement 802.1X,
08:28
it ensures that
08:30
every device connecting to your network must authenticate, so your users must authenticate before they can pull the network service. The Internet access cannot be gotten unless you authenticate to the network.
08:43
You also want to disable unused interfaces. Any interface that is not used should be disabled, because some users are very skilled and they can find their way around the system by hopping around different interfaces,
09:00
so any interface that is not in use should be disabled. Your programmers, you disable these so that you cannot use them. Malicious persons have no use of them.
09:11
You also want to disable
09:13
unused application service ports.
09:16
Malicious persons
09:18
scan your ports to see what ports are in use. So if there are ports that you don't use, best practice, disable them. When we are hardening systems, we want to disable unused accounts, we want to disable unused services, we also want to disable unused ports. So
09:37
you want to disable any application service ports. Otherwise, the malicious persons
09:41
will use them against you.
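To make the distinction between MAC filtering (which addresses a port permits), MAC limiting (how many addresses a port will learn) and 802.1X (nothing but the authentication exchange passes until the device authenticates) concrete, here is a small model of a switch access port in Python. It is an added example, not code from the lecture or from any switch vendor; the `Port`, `admit`, `authenticate` and `scenario` names, the credential table and the MAC addresses are all constructed, and the 802.1X part is simplified to the authorized/unauthorized port state, with EAPOL frames allowed through before authorization and everything else dropped.

```python
"""Model of a switch access port applying MAC filtering, MAC limiting and 802.1X.

Added example with constructed data; a simplified model, not a vendor implementation.
Real switches differ in check ordering and in how violations are handled
(for example by shutting the port down and logging a port-security event)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Port:
    name: str
    allowed_macs: Optional[Set[str]] = None  # MAC filtering: None means no allow-list on this port
    max_macs: int = 1                        # MAC limiting: how many addresses the port may learn
    dot1x: bool = False                      # 802.1X required on this port
    authorized: Set[str] = field(default_factory=set)  # MACs that passed 802.1X
    learned: Set[str] = field(default_factory=set)     # MACs seen on the port so far
    events: List[str] = field(default_factory=list)    # audit trail, the kind of log the lecture says to monitor


def admit(port: Port, mac: str, frame: str = "DATA") -> Tuple[str, str]:
    """Decide whether a frame from `mac` is forwarded; returns (verdict, reason)."""
    mac = mac.lower()
    # 1. MAC filtering: identity check against the allow-list (the lecture's ACL of addresses)
    if port.allowed_macs is not None and mac not in port.allowed_macs:
        port.events.append(f"{port.name} DROP {mac} not in allow-list")
        return "DROP", "mac-filter"
    # 2. MAC limiting: a new address is refused once the port has learned max_macs addresses
    if mac not in port.learned:
        if len(port.learned) >= port.max_macs:
            port.events.append(f"{port.name} DROP {mac} exceeds limit of {port.max_macs}")
            return "DROP", "mac-limit"
        port.learned.add(mac)
    # 3. 802.1X: an unauthorized port passes only the authentication exchange (EAPOL)
    if port.dot1x and mac not in port.authorized:
        if frame == "EAPOL":
            return "FORWARD", "eapol-uncontrolled-port"
        port.events.append(f"{port.name} DROP {mac} not authenticated")
        return "DROP", "dot1x-unauthorized"
    return "FORWARD", "ok"


def authenticate(port: Port, mac: str, credential: str, directory: Dict[str, str]) -> bool:
    """Outcome of the (simplified) EAP exchange: a correct credential authorizes the MAC."""
    mac = mac.lower()
    if directory.get(mac) == credential:
        port.authorized.add(mac)
        port.events.append(f"{port.name} AUTH-OK {mac}")
        return True
    port.events.append(f"{port.name} AUTH-FAIL {mac}")
    return False


def scenario() -> Dict[str, object]:
    """Three constructed ports, one per control, returning every verdict for inspection."""
    filtered = Port("Gi1/1", allowed_macs={"aa:bb:cc:00:00:01"})
    limited = Port("Gi1/2", max_macs=2)
    secured = Port("Gi1/3", dot1x=True)
    creds = {"aa:bb:cc:00:00:03": "s3cret"}  # constructed supplicant credential store

    return {
        "filter_allowed": admit(filtered, "AA:BB:CC:00:00:01"),
        "filter_blocked": admit(filtered, "aa:bb:cc:00:00:02"),
        # the lecture's rogue router: a third address appears behind a two-address port
        "limit": [admit(limited, m) for m in
                  ("aa:bb:cc:00:00:11", "aa:bb:cc:00:00:12", "aa:bb:cc:00:00:13")],
        "dot1x_before": admit(secured, "aa:bb:cc:00:00:03"),
        "dot1x_eapol": admit(secured, "aa:bb:cc:00:00:03", "EAPOL"),
        "dot1x_bad_cred": authenticate(secured, "aa:bb:cc:00:00:03", "wrong", creds),
        "dot1x_good_cred": authenticate(secured, "aa:bb:cc:00:00:03", "s3cret", creds),
        "dot1x_after": admit(secured, "aa:bb:cc:00:00:03"),
    }


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name}: {verdict}")
```

Each port keeps its own `events` list so that a refused address or a failed authentication leaves a record; that is the link back to the first half of the lecture, since a burst of `mac-limit` or `AUTH-FAIL` entries on one port is exactly the kind of log pattern worth investigating.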


Instructed By

John Oyeleke
Lead IT Security Instructor