Chapter 56 Β· Flashcards

Mitigation Techniques Flashcards

Click any card to reveal its definition.

0 / 10 flipped
Patching
Tap to reveal
The highest-impact preventive mitigation β€” most real-world exploits target known vulnerabilities with available patches that were never applied. Four categories: Monthly OS patches (Microsoft Patch Tuesday = second Tuesday of each month); Third-party application patches (browsers, PDF readers, Office β€” among the most exploited surfaces); Firmware and driver patches from hardware manufacturers; Emergency out-of-band patches for actively exploited vulnerabilities, deployed immediately outside normal maintenance windows. Enterprise deployment: patches are tested in staging first (WSUS/SCCM/endpoint management), then rolled to production β€” cannot auto-update blindly in production environments.
Emergency Out-of-Band Patch
Tap to reveal
A patch released outside the vendor's normal schedule for a critically exploited vulnerability. Cannot wait for the next Patch Tuesday or scheduled maintenance window. Decision rule: for an actively exploited critical CVE, the risk of running unpatched exceeds the risk of deploying without full testing. Why urgency matters: threat actors reverse-engineer released patches within hours β€” every day unpatched after a public advisory is a day of elevated exploitation risk. The window between patch release and deployment is the period of maximum organizational exposure. Emergency patches bypass normal testing timelines but require expedited change management authorization.
Full Disk Encryption (FDE)
Tap to reveal
Encrypts the entire storage volume β€” OS, applications, user data, swap files, temp files. All disk content is ciphertext to anyone without the encryption key. Protects against physical theft: a removed drive connected to another machine reads only ciphertext. Windows: BitLocker (requires TPM 2.0; optional PIN adds a second factor). macOS: FileVault 2. Linux: LUKS. FDE is the mandatory baseline for all portable devices. Critical limitation: FDE does not protect data while the volume is mounted and the OS is running β€” an attacker who authenticates as the user sees decrypted files. FDE's threat model is physical drive theft, not account compromise.
File-Level vs. Application-Level Encryption
Tap to reveal
File-level (Windows EFS): Encrypts individual files or folders within NTFS. Tied to the user's Windows account β€” decrypts transparently for the authorized user, ciphertext for all other accounts. Protects against drive theft and other-account access. Does NOT protect if the account that encrypted the files is compromised β€” attacker logs in as that user and files decrypt automatically. Application-level: Application manages its own encryption independently of OS and file system. Deepest layer β€” survives failures of FDE and file-level encryption. Examples: password managers (encrypted vault file), end-to-end encrypted messaging, database column encryption. Exam rule: application-level encryption protects data even if the storage medium is compromised.
Monitoring β€” Sensors and Collectors
Tap to reveal
Sensors (data sources): IPS (network anomalies, signatures), firewall logs (blocked/permitted connections), authentication logs (login success/failure, account lockouts), web server logs (HTTP requests, error codes), database transaction logs (queries, access patterns, row counts), email security gateway logs (phishing attempts, attachment analysis), EDR telemetry (process trees, file writes, network connections). Collectors: SIEM (Splunk, Microsoft Sentinel, IBM QRadar) β€” ingests all sensor logs, normalizes formats, correlates across sources, generates alerts. Syslog servers aggregate Linux/network device logs. Proprietary vendor consoles provide device-specific views. SIEM's critical function: identifies cross-source patterns that no individual sensor can see.
SIEM
Tap to reveal
Security Information and Event Management β€” the central hub of monitoring infrastructure. Core functions: Log aggregation: collect from firewalls, endpoints, servers, identity providers β€” all sources in one place. Normalization: translate vendor-specific log formats into a common schema so events can be compared and correlated. Correlation: identify attack patterns that span multiple sources and time periods β€” password spraying, lateral movement, data exfiltration. No individual sensor would detect these; cross-source correlation does. Alerting: generate actionable notifications when correlation rules fire. Secondary function: write-protected remote log storage β€” if an attacker deletes local logs, the SIEM copy survives. Log absence is itself an alert indicator.
Least Privilege
Tap to reveal
Every user, application, and service receives only the minimum permissions required for its specific function. Why it matters for endpoints: malware executing in user context inherits the user's permissions. A standard account cannot install drivers, modify security software, or write to system directories β€” malware in that context is severely limited. An admin account running malware has system-level access. Correct model: standard account for daily work; temporary elevation (Windows UAC / Linux sudo) for specific admin tasks only; privileges revert immediately after completion. Service accounts: each service runs as a dedicated account with only the permissions that service requires β€” a compromised service cannot access resources outside its scope.
Configuration Enforcement / Posture Assessment
Tap to reveal
Network admission control that evaluates each device's security state before granting access. Four checks performed at connection time: (1) OS patch level β€” must be current to organizational baseline; (2) EDR version and signature status β€” endpoint detection software must be installed, running, and up to date; (3) Host firewall and EDR configuration β€” host-based controls must be enabled and correctly configured; (4) Machine certificate β€” cryptographic proof of organizational ownership β€” device is a known managed asset with a valid cert stored in the TPM. Pass all 4 β†’ full production network access. Fail any check β†’ quarantine VLAN for remediation.
Quarantine VLAN
Tap to reveal
A restricted network segment for devices that fail posture assessment. Provides just enough access for remediation: Windows Update/WSUS server, antivirus/EDR update server, and the organization's remediation portal. No access to production systems, shared drives, email, or general internet. The quarantine VLAN is not a punishment β€” it is a controlled staging environment that allows the device to achieve compliance without exposing the production network to a potentially vulnerable or unmanaged device. After remediation, the device resubmits for posture assessment. A passing reassessment moves the device to the production VLAN. Failed devices stay in quarantine until compliant.
Decommissioning and Cryptographic Erase
Tap to reveal
Formal process of retiring storage media so all sensitive data is unrecoverable. HDD: NIST SP 800-88 purge-level overwrite (multiple passes of random data). SSD: Cryptographic erase β€” destroy the FDE encryption key; all ciphertext on the drive becomes permanently irrecoverable without the key. Standard overwrite is unreliable for SSDs due to wear leveling (data may persist in hidden over-provisioned areas). Prerequisite for cryptographic erase: drive must have been encrypted from day one. Physical destruction: shredding or degaussing β€” most certain method; used for drives containing highly sensitive data. What deletion and formatting do NOT do: they mark sectors as available but leave data intact β€” recoverable with free tools in minutes. Improper decommissioning = data breach.