Kindle Notes & Highlights
Started reading
June 27, 2019
Detective controls attempt to detect when vulnerabilities have been exploited, resulting in a security incident.
Log monitoring. Several different logs record details of activity on systems and networks.
Trend analysis. In addition to monitoring logs to detect any single incident, you can also monitor logs to detect trends.
Security audit. Security audits can examine the security posture of an organization.
Video surveillance. A closed-circuit television (CCTV) system can record activity and detect what occurred.
Motion detection. Many alarm systems can detect motion from potential intruders and raise alarms.
Remember this: A detective control can’t predict when an incident will occur and it can’t prevent it. In contrast, prevention controls stop the incident from occurring at all.
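The log monitoring and trend analysis highlights above describe two different detective controls: catching a single incident in a log, and spotting a pattern across many entries over time. The following added example (not from the book) shows both over constructed SSH authentication log lines: a sliding-window check that raises an alert for a burst of failed logins from one source, and a per-day count that surfaces sources failing on several different days even when no single burst crosses the threshold. The log format, thresholds and addresses are assumptions for the demo.

```python
"""Detective controls demo: single-incident log monitoring plus trend
analysis over constructed auth log lines (added example, not from the book)."""
from collections import Counter, defaultdict
from datetime import datetime
import re

# Constructed sample log lines in a syslog-like format (not real data).
SAMPLE_LOG = """\
2024-03-01T08:00:01 sshd: Failed password for invalid user admin from 203.0.113.5
2024-03-01T08:00:03 sshd: Failed password for root from 203.0.113.5
2024-03-01T08:00:04 sshd: Failed password for root from 203.0.113.5
2024-03-01T08:00:06 sshd: Failed password for root from 203.0.113.5
2024-03-01T08:00:07 sshd: Failed password for root from 203.0.113.5
2024-03-01T08:00:09 sshd: Accepted password for alice from 198.51.100.7
2024-03-02T09:15:00 sshd: Failed password for bob from 198.51.100.7
2024-03-02T09:15:30 sshd: Accepted password for bob from 198.51.100.7
2024-03-03T10:00:00 sshd: Failed password for root from 203.0.113.5
2024-03-03T10:00:02 sshd: Failed password for root from 203.0.113.5
"""

# Assumed line format: "<ISO timestamp> sshd: <Failed|Accepted> password for [invalid user] <user> from <src>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)$"
)


def parse_log(text):
    """Turn raw log text into a list of event dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["ts"] = datetime.fromisoformat(event["ts"])
            events.append(event)
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Single-incident detection: a source with >= threshold failures inside one time window."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[e["src"]].append(e["ts"])
    alerts = []
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(src)
                break
    return sorted(set(alerts))


def failure_trend(events):
    """Trend analysis: failed logins per source, broken down by day."""
    trend = defaultdict(Counter)
    for e in events:
        if e["result"] == "Failed":
            trend[e["src"]][e["ts"].date().isoformat()] += 1
    return {src: dict(counts) for src, counts in trend.items()}


def repeat_offenders(events, min_days=2):
    """Sources that fail on at least min_days distinct days: a trend rather than a single incident."""
    return sorted(src for src, days in failure_trend(events).items() if len(days) >= min_days)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("burst alerts:", detect_bruteforce(evts))
    print("daily failures:", failure_trend(evts))
    print("repeat offenders:", repeat_offenders(evts))
```

In the constructed data, 203.0.113.5 trips the burst detector on the first day and then returns two days later with only two failures; the burst check alone would miss the second visit, which is what the per-day trend view is for.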
Corrective controls attempt to reverse the impact of an incident or problem after it has occurred.
IPS. An intrusion prevention system (IPS) attempts to detect attacks and then modify the environment to block the attack from continuing.
Backups and system recovery. Backups ensure that personnel can recover data if it is lost or corrupted.
Deterrent controls attempt to discourage a threat.
Cable locks. Securing laptops to furniture with a cable lock deters thieves from stealing the laptops.
Hardware locks. Other locks such as locked doors securing a wiring closet or a server room also deter attacks.
Compensating controls are alternative controls used instead of a primary control.
As an example, an organization might require employees to use smart cards when authenticating on a system.
Time-based One-Time Password (TOTP)
Virtualization is a popular technology used within large data centers and can also be used on a regular personal computer (PC).
Hypervisor. The software that creates, runs, and manages the VMs is the hypervisor.
Host. The physical system hosting the VMs is the host.
Guest. Operating systems running on the host system are guests or guest machines.
Host elasticity and scalability. Elasticity and scalability refer to the ability to resize computing capacity based on the load.
Virtualization typically provides the best return on investment (ROI) when an organization has many underutilized servers.
You could convert three physical servers to virtual hosts and run three guest servers on each physical server. Assuming all the servers are similar, this wouldn’t cost any more money for the physical servers.
Type I. Type I hypervisors run directly on the system hardware.
Type II. Type II hypervisors run as software within a host operating system.
One way of doing so is to disable the network interface card (NIC) in the VM. This prevents it from transmitting any data in or out of the VM.
A snapshot provides you with a copy of the VM at a moment in time, which you can use as a backup.
Risky operations include applying patches or updates, testing security controls, and installing new applications.
By creating snapshots before these operations, administrators can easily revert or roll back the system to a known good state with a known good configuration.
Additionally, virtualization provides a high level of flexibility when testing security controls, updates, and patches because they can easily be reverted using snapshots.
In a persistent virtual desktop, each user has a custom desktop image.
Virtual desktops that support non-persistence serve the same desktop for all users.
Although users can make changes to the desktop as they’re using it, it reverts to a known state (the original snapshot) when they log off.
Many people consider virtual machine escape (VM escape) to be the most serious threat to virtual system security. Loss of confidentiality and loss of availability can also be a concern.
VM escape is an attack that allows an attacker to access the host system from within the virtual system.
In a VM escape attack, the attacker can run code on the virtual system and interact with the hypervisor.
A successful VM escape attack often gives the attacker unlimited control over the host system and each virtual system within the host.
VM sprawl occurs when an organization has many VMs that aren’t managed properly.
Another challenge with VM sprawl is that each VM adds additional load onto a server.
Although this makes it easy to manage and move virtual machines, it also makes them easy to steal.
For example, a virtual machine can include a database with credit card data, company financial records, or any type of proprietary data.
Ping is a basic command used to test connectivity for remote systems.
The ping command checks connectivity by sending Internet Control Message Protocol (ICMP) echo request packets. Remote systems answer with ICMP echo reply packets and if you receive echo replies, you
Some malware attempts to break the name resolution process for specific hosts. For example, Windows systems get updates from a Windows Update server. In some cases, malware changes the name resolution process to prevent systems from reaching the Windows Update server and getting updates.
Administrators use ping to check connectivity of remote systems and verify name resolution is working. They also use ping to check the security posture of systems and networks by verifying that routers, firewalls, and IPSs block ICMP traffic when configured to do
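The highlights above describe malware that breaks name resolution for specific hosts such as an update server, and administrators using ping to confirm that resolution still works. One offline way to catch the hosts-file variant of that tampering is to parse the file and flag any entry that overrides a name the organisation expects to resolve through DNS. The following added example (not from the book) does that over constructed hosts-file content; the monitored hostnames and addresses are assumed placeholders, not real update servers.

```python
"""Detecting hosts-file entries that override update-server names
(added example; not from the book)."""
import ipaddress

# Constructed hosts-file content for the demo. The 0.0.0.0 line is the kind of
# entry that blackholes an update server; the localhost lines are legitimate.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         update.example.com   # suspicious: blackholes the update server
192.0.2.44      av-updates.example.net
10.0.0.5        intranet.corp.example
"""

# Names that should resolve via DNS and never via a static hosts entry (assumed list).
EXPECTED_PUBLIC = {"update.example.com", "av-updates.example.net"}


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments, blank lines and aliases are handled."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def is_blackhole(ip):
    """0.0.0.0, ::, and loopback addresses make the name unreachable rather than redirecting it."""
    addr = ipaddress.ip_address(ip)
    return addr.is_unspecified or addr.is_loopback


def find_tampering(text, monitored=EXPECTED_PUBLIC):
    """Flag monitored names pinned to any address, classifying blackhole vs redirect."""
    findings = []
    for ip, name in parse_hosts(text):
        if name in monitored:
            reason = "blackholed" if is_blackhole(ip) else "redirected"
            findings.append({"name": name, "ip": ip, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in find_tampering(SAMPLE_HOSTS):
        print(f"{finding['name']} -> {finding['ip']} ({finding['reason']})")
```

A redirect to a routable address is the more dangerous finding, since the client may download something from a host the attacker controls; a blackhole simply stops updates, which is the behaviour the highlight describes.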
The ipconfig command (short for Internet Protocol configuration) shows the Transmission Control Protocol/Internet Protocol (TCP/IP) configuration information for a system.
Linux-based systems use ifconfig (short for interface configuration) instead of ipconfig.
A benefit is that ifconfig has more capabilities than ipconfig, allowing you to use it to configure the NIC in addition to listing the properties of the NIC. The following list shows some common commands:
The netstat command (short for network statistics) allows you to view statistics for TCP/IP protocols on a system. It also gives you the ability to view active TCP/IP network connections.