CompTIA Security+ SY0-601 – 4.4 Apply mitigation techniques or controls to secure an environment

1. Incident mitigation techniques

In this video I’m going to be talking about techniques to mitigate security incidents. Basically after an incident or even before an incident, what are things that you could have done before an incident occur? What are things you do after an incident occur? And this really goes a lot into reconfiguration of different types of systems, even stop incidents from occurrence. So this is a really important concept to go over and the whole point of working in It security is really going to be about stopping incidents from even occurrence. Our job is to be proactive. Our job is to implement things like application whitelisting so people don’t install bad application that causes incidents in our organization. Let’s take a look, a couple of things here the exam wants us to know.

So the first thing here is to reconfigure endpoint security solutions with application whitelisting, blacklisting and quarantine and applications. So let’s talk about these here. So application whitelisting, application whitelisting is when you say those applications are allowed and those are not. So you’re basically saying only to install those. So you’re creating a whitelist of apps that can be installed. This is a very restrictive setting because now users can only install these set of apps on their computers or their mobile device. This is known as denied by default, which means you get those and everything else is denied. One other way of doing this blacklist and the blacklisting is not very secure, it’s not very restrictive. Blacklisting is when you say don’t install those application, but then everything else is allowed.

So you blacklist certain apps, but then there’s a billion apps out there. So you may not want to configure blacklisting, you should want to configure more whitelisting. More restrictive blacklisting is known as allowed by default and then certain applications may have to be quarantined. In other words, quarantine means to put it to a site into a sandboxed environment and be tested out. Now, when it comes to configuration, what are things we can do to mitigate or reduce incidents from affecting our networks, even stopping them? Well, you could implement firewall rules such as blocking certain ports coming in. on’t forget one of the major attacks that comes in into your web servers is when you allow your firewalls to be open.

I’ve seen people that have remote desktop open. You may implement good MDM and changing MDM rules or mobile device management rules. These are going to be rules that can lock up people’s mobile devices. So one good configuration change you can do is force people to have Pins or more complex passwords on their mobile device. Then DLP, the data loss prevention. So DLP software will stop data from exiting your entire organization. DLP software DLP software can stop people from copying USB data to a USB stick, stop people from email and Social Security numbers. So with DLP software, if you reconfigure it, this can really stop an incident of confidentiality because then you can stop people from ever sending that data away.

The other thing here we can do is going to be content URL filtering. So you can use proxy servers for this and proxy servers. Basically what you’re going to have is you can say that, you know what, you can access those websites, but you can’t access this. This is a great addition to It security. I absolutely love this. Earlier in this course I had mentioned, hey, my mother used to tell me, my mother used to tell me what is the more choices, the more mistakes. And basically if we restrict what access they have, the better for us. The less website they go to, the easier it is for manage. The other one now is going to be update and revoke certificates. All right? So update and revocation of certificates is going to be important.

And what that does is that if you find that a web server has been compromised, if you find user accounts has been compromised, your certificates revoke the certificates. Now when there is an incident, you want to reduce that incident. You want to isolate that incident. Isolate and contain the incident maybe to a specific segment. So for example, if there’s a worm that’s spreading on the network, what you want to do is you want to contain that worm and isolate maybe it’s done on one segment of your networks. Remember with VLANs, right. So we set up VLANs earlier in this course. If you had segment your network with VLANs, that’s a great segmentation because now what happens is on those different segments, the worm can spread over to others.

If you have a sales Vlad, it can spread over. So this basically contains and isolates the incidents to just that Vlad. Now the other one here is Security orchestration automation and response. Now I am going to Google this here for you because I want to show you some solutions. I had it there and then I closed it. We’re going to do soar incident. Now there’s a variety of different software that we can use for this. And one of them being FireEye. And this one of them is what I was looking at earlier. FireEye is a very popular platform for this. So let’s talk about what exactly is this because security orchestration automation and response. Let’s take a look here. So this basically allows us to collect threat related data from a range of sources and then automate the responses.

Basically it is run books and playbooks. So here’s what this is. This is a method, by the way, I think we covered this earlier in the beginning of the class. What this does is this allows us to have a more of an automated and fast response to security incidents. Remember something, the longer an incident is taking place is the more damage it’s causing it, the more data it’s deleting it, the more data it’s stealing. In the perfect world, you’re going to have an automated response. In the perfect world, you’re going to be able to respond to incident in a method that is quick, is efficient, is fast, and is automated. Waiting for humans to respond could take a very long time. And this, of course, can let the incident prolong.

So you want this automated response is basically what this is. Now, there is software that you can use to create what’s known as Playbooks and Run books where you automate a response yourself. In other words, you define the steps. When this happens, then these set of actions will be taken in the network to respond to this particular incident. Okay, so in this video, we covered a lot of stuff. Once again, we talk about reconfiguring your endpoints, doing certain configuration changes in your network. You should be segmenting off your network segments leads to more containment and isolation of your incidents. And of course, if you’re big enough and you can afford it, you should have different type of security archiveration and automation response software like we looked at FireEye. Bye.

• Category: Uncategorized