Mitigation and Deterrent Techniques
Today's lesson focuses on system log management and monitoring as a first-level view of what is happening in real time across all aspects of your network and security environment. We discuss the importance of constantly monitoring event, audit, access and other logs, why it's important to know what services are running, learning when unnecessary services have been launched, and how that "real time" information may indicate a security breach. You'll learn about MAC filtering, why it's essential to disable unused application services or interfaces, and how security breaches can occur when this is not done.

[toggle_content title="Transcript"]

Today we will be discussing mitigation and deterrent techniques. We will look at the monitoring of our system logs, and the handling of systems, to start with. When you monitor your system logs: everything that takes place on a network is captured by a log. All activity on a network is captured by some type of log. It is our responsibility to monitor these logs periodically and frequently, to ensure that we can see and tell what is taking place on the network. If you go into Event Viewer you have access to your event logs, your audit logs, your security logs and your access logs. The event logs let you know what has transpired. The audit logs also let you know what is taking place on the network once changes are made. The security logs let you know who had access to what, and your access logs tell you what access was successful and what access was denied. You can monitor all of these logs to tell you what took place. Your logs can give you historical knowledge; logs can also give you present knowledge, and based on what you see within the logs you can infer future activities just by observing your logs. Say, for example, you're monitoring the failed access logs.
You can only determine, because you are seeing failed access, that it could possibly be that the passwords are too complex for users to remember, or that we have poor physical security at a certain location that is allowing malicious people to come and attempt to log on to the system. So by doing further studies you are able to ensure the security of your enterprise.

When we talk about hardening a system, it means you are taking the system out of its default settings; you are making it much more secure. Some of the things we do when we harden a system: for unnecessary services, best practice is to disable them. We want to disable unnecessary services. If you have services that are not needed and they are running, some people will find a use for those services, whereas something that is disabled cannot be utilized. So, best practice, you disable all services that are not in use. That way you reduce your vulnerability.

You also want to protect management interfaces and applications. An example of a management interface is Control Panel. Control Panel is a management interface; it's a simple example to illustrate the point. This is why in certain enterprises basic users do not have access to Control Panel. The moment you log on, the system does authentication and does authorization to check, and if you don't have access you are not allowed to see Control Panel. It is a management interface within which many controls and changes can be implemented on the system. It is important that your users don't see management interfaces; you put in control policies to protect the use or access of management interfaces. Also, certain applications can make modifications to your system. You want to prevent or protect against that: stop such applications for all users; only privileged users should have access to such applications.

You also want to implement password protection. Password protection can be done to harden your servers and to harden your network devices.
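The two readings of a failed-access log that the instructor describes (one person who keeps failing, versus many accounts tried from one location) can be separated mechanically. The following is an added example, not code from the lesson; the log format and the host and user names are constructed for illustration.

```python
"""Added example: triage failed-logon entries into the two cases the lesson
describes. Log lines, hosts and users below are constructed, not real data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: <ISO timestamp> <RESULT> user=<name> src=<host>
SAMPLE_LOG = """\
2024-03-01T08:00:05 LOGON_FAILED user=alice src=ws-12
2024-03-01T08:00:40 LOGON_FAILED user=alice src=ws-12
2024-03-01T08:01:10 LOGON_FAILED user=alice src=ws-12
2024-03-01T08:02:00 LOGON_OK     user=alice src=ws-12
2024-03-01T22:10:01 LOGON_FAILED user=admin src=lobby-kiosk
2024-03-01T22:10:03 LOGON_FAILED user=bob src=lobby-kiosk
2024-03-01T22:10:05 LOGON_FAILED user=carol src=lobby-kiosk
2024-03-01T22:10:07 LOGON_FAILED user=dave src=lobby-kiosk
"""


def parse_events(text):
    """Turn each log line into a dict with a real timestamp."""
    events = []
    for line in text.splitlines():
        ts, result, user, src = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ok": result == "LOGON_OK",
                       "user": user.split("=", 1)[1], "src": src.split("=", 1)[1]})
    return events


def triage_failures(events, window=timedelta(minutes=10), threshold=3):
    """Flag sources trying many accounts (check physical security there) and
    users failing repeatedly from one host (password may be hard to remember)."""
    by_src = defaultdict(list)
    ok_pairs = {(e["user"], e["src"]) for e in events if e["ok"]}
    for e in events:
        if not e["ok"]:
            by_src[e["src"]].append(e)
    guessing, struggling = {}, {}
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        users = {e["user"] for e in fails}
        span = fails[-1]["ts"] - fails[0]["ts"]
        if len(users) >= threshold and span <= window:
            guessing[src] = sorted(users)          # many accounts from one place
            continue
        for user in users:
            if sum(1 for e in fails if e["user"] == user) >= threshold:
                # same person failing repeatedly; note whether they got in later
                struggling[user] = {"src": src, "later_success": (user, src) in ok_pairs}
    return {"guessing_sources": guessing, "struggling_users": struggling}


if __name__ == "__main__":
    print(triage_failures(parse_events(SAMPLE_LOG)))
```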
You implement passwords. It is bad practice just to say, all right, we have too many passwords, so for that reason we don't put any password on that device; you know that is not good. You harden a system by putting in password complexity; complex passwords include uppercase, lowercase, numbers and special characters. That way you ensure that only a person that has knowledge of the password can access the system, so the system is much more secure.

You also want to disable unnecessary accounts on your systems. On your local systems, your guest account could be an unnecessary account, so if you don't need it, you disable it. In some environments we install Active Directory. Active Directory is a solution by Microsoft; it is software you install on your servers. When you install Active Directory, it also installs for you automatically what we call built-in accounts. Those accounts that are unnecessary, disable any that are not in use. If you have accounts that are not disabled and malicious people stumble upon them, it is very possible that these accounts might even have no passwords, or they might have default passwords which everybody is very easily able to gather across the Internet. So, best practice: unnecessary accounts, disable them. An account can even become unnecessary after a member of staff has left the organization, maybe terminated; whether voluntary termination or involuntary termination, you want to disable such accounts. Any accounts that are not in use (guest accounts, built-in accounts, terminated accounts) that you have on your networks, best practice is you disable them. The essence of disabling them is to ensure that nobody can stumble upon them and use them maliciously.

To secure our networks, we can also implement network security. When we do that, we will talk about MAC filtering, MAC limiting, 802.1x, disabling unused interfaces and disabling unused application service ports.
When we talk about MAC filtering: every device that can connect to a network has a physical address. This is a unique address which we call the MAC address, a media access control address. This is a forgery. This is an address that is unique to every device able to connect to a network. If you limit access to your routers or to your network based on the MAC address, you are said to be MAC filtering. Limiting access to your network based on MAC address is called MAC filtering. MAC limiting means that you limit the number of devices that can belong to your network based on their MAC address. Maybe you want to limit your routers, or your switches, or some of your servers; you want to limit the number of them, and if you do so using the MAC address you could say you are MAC limiting. Access will be granted or denied based on the MAC address. It could be access to your routers. On the access control list you could key in the numbers you want to allow or the numbers you don't want to allow, that is, the numbers you want to deny. If you limit access based on the MAC address you are said to be MAC filtering. You could also do this on your routers to dictate who has access to your routers and who doesn't.

Then there is 802.1x. This is the port-based authentication standard. It is a port-based authentication standard to limit the use of rogue devices on our networks. Rogue devices are devices that are not authorized to be on our network. Without 802.1x it is possible that somebody could bring in a router, connect it to the switch or plug it into the ports on the wall or any other network device, and they are able to pull network service, say access to the Internet. But when you implement 802.1x, it ensures that every device connecting to your network must authenticate. Your users must authenticate before they can pull network service.
Internet access cannot be obtained unless you authenticate to the network.

You also want to disable unused interfaces. Any interfaces that are not in use should be disabled, because some users are very skilled and they can find their way around the system by hopping around different interfaces. So any interface that is not in use should be disabled. Your programmers should disable these so that they cannot be used; malicious persons then have no use for them. You also want to disable unused application service ports. Malicious persons will scan your ports to see what ports are in use. If there are ports that you don't use, best practice: disable them. When we are hardening systems we want to disable unused accounts, we want to disable unused services, and we also want to disable unused ports. You want to disable any unused application service ports; otherwise, malicious persons will use them against you.

[/toggle_content]
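The hardening controls from the transcript (disable unnecessary services, ports and accounts; MAC filtering; MAC limiting) reduce to comparing what is observed against a baseline of what is allowed. The block below is an added example, not code from the lesson; the baseline, the observed services, ports, accounts and MAC addresses, and the switch port names are all constructed.

```python
"""Added example: audit a host and its switch ports against a hardening
baseline covering the controls in the lesson. All data is constructed."""

# Constructed baseline: what the organization has decided is in use.
BASELINE = {
    "services": {"dns", "ldap", "kerberos"},      # anything else is unnecessary
    "ports": {53, 88, 389},                       # application service ports in use
    "accounts": {"alice", "bob"},                 # active staff only
    "allowed_macs": {"00:11:22:33:44:55", "00:11:22:33:44:66"},  # MAC filtering list
    "max_macs_per_port": 1,                       # MAC limiting: one device per port
}

# Constructed observation of a server and the switch ports in front of it.
OBSERVED = {
    "services": {"dns", "ldap", "kerberos", "telnet", "ftp"},
    "ports": {53, 88, 389, 23, 21},
    "enabled_accounts": {"alice", "bob", "Guest", "jdoe-terminated"},
    "switch_ports": {
        "Gi1/0/1": {"00:11:22:33:44:55"},
        "Gi1/0/2": {"00:11:22:33:44:66", "DE-AD-BE-EF-00-01"},  # second, unknown device
    },
}


def normalize_mac(mac):
    """Compare MACs case-insensitively regardless of separator style."""
    return mac.lower().replace("-", ":")


def audit(observed, baseline):
    """Return findings keyed by control; an empty list means the control passes."""
    allowed = {normalize_mac(m) for m in baseline["allowed_macs"]}
    findings = {
        "disable_services": sorted(observed["services"] - baseline["services"]),
        "close_ports": sorted(observed["ports"] - baseline["ports"]),
        "disable_accounts": sorted(observed["enabled_accounts"] - baseline["accounts"]),
        "mac_filter_violations": [],   # devices not on the allow list
        "mac_limit_violations": [],    # ports with more devices than permitted
    }
    for port, macs in observed["switch_ports"].items():
        seen = {normalize_mac(m) for m in macs}
        findings["mac_filter_violations"] += [(port, m) for m in sorted(seen - allowed)]
        if len(seen) > baseline["max_macs_per_port"]:
            findings["mac_limit_violations"].append((port, len(seen)))
    return findings


if __name__ == "__main__":
    for control, items in audit(OBSERVED, BASELINE).items():
        print(f"{control}: {items or 'OK'}")
```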