- Define “ Access Control List (ACL) “:, - This is a list of permitted and denied network connections based on either IP addresses, ports, or applications in use., - What are the four types of Firewall logs that can provide you with useful security data:, - Connections that are permitted or denied., - Port and protocol usage in the network., - Bandwidth utilization with the duration and volume of usage., - An audit log of the address translations (NAT/PAT) that occurred., - Firewall log formats are usually vendor specific., - What are the most common tools:, - iptables:, - This is a Linux-based firewall that uses the syslog file format for its logs., - Define “ Windows Firewall “:, - This is a Windows-based firewall that uses the W3C Extended Log File Format., - You should employ a log collection tool to gather the large volume of firewall logs for later analysis., - Define “ Blinding Attack “:, - This is a condition that occurs when a firewall is under-resourced and cannot log data fast enough, therefore some data is missed., - Log retention is determined by the number of events generated and available storage capacity.

- Firewalls are an essential part of a layered defense strategy., - Define “ Screened Subnet “:, - This is a physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted network like the Internet., - ACLs are processed from top-to-bottom with the most specific rules are the top., - What are the basic principles for configuring firewall ACLs:, - Block incoming requests from internal or private, loopback, and multicast IP address ranges., - Block incoming requests from protocols that should only be used locally (ICMP, DHCP, OSPF, SMB, etc.)., - Configure IPv6 to either block all IPv6 traffic or allow it to authorized hosts and ports only., - Define a “ Drop Versus Reject “:, - A deny rule can either drop a packet or explicitly reject it by sending a TCP RST or an ICMP port/protocol unreachable to the requester., - Dropping traffic makes it harder for an adversary to identify port states accurately., - Define “ Firewalking “:, - Reconnaissance technique to enumerate firewall configuration and attempt to probe hosts behind it., - Define “ Firewalking “:, - This occurs when an attacker can find an open port on the firewall, then sends a packet with a TTL of one past the firewall to find its hosts., - Block outgoing ICMP status messages to prevent firewalking., - Define “ Egress Filtering “:, - ACL rules that are applied to traffic leaving a network to prevent malware from communicating to Command-and-Control servers., - What are the Best practices for configuring egress filters:, - Only allow whitelisted application ports and destination addresses., - Restrict DNS lookups to trusted and authorized DNS services., - Block access to known bad IP address ranges (Block List)., - Block all internet access from host subnets that don’t use it (e.g., ICS/SCADA)., - While all these best practices will help, they cannot eliminate all malware C2 since many operate over social media and cloud-based HTTPS connections., - Define a “ Black Hole “:, - This is a means of mitigating DoS or intrusion attacks by silently dropping (discarding) traffic., - Blackholing can be used to stop a DDoS attack at the routing layer by sending traffic to the null interface., - Blackholing consumes less resources than an ACL but can cause collateral damage for legitimate users., - Define “ Dark Nets “:, - This is Unused physical network ports or unused IP address space within a local network often used by attackers., - Redirect all dark nets to a black hole until they are needed for business operations., - Define “ Sinkhole “:, - This is a DoS attack mitigation strategy that directs the traffic that is flooding a target IP address to a different network for analysis., - Sinkholing is better than blackholing if you want to determine the cause of the DDoS attack.

- Define a “ Forward Proxy “:, - This is a server that mediates the communications between a client and another server,, - can filter or modify communications, and provides caching services to improve performance., - Define a “ Nontransparent Proxy “:, - This is a server that redirects requests and responses for clients configured with the proxy address and port., - Define a “ Transparent Proxy (Forced or Intercepting Proxy) “, - This is a server that redirects requests and responses without the client being explicitly configured to use it., - Analysis of proxy logs can reveal the exact nature of HTTP requests including:, - the websites that users visit and the contents of each request., - Proxies that are set up to intercept or block traffic can record the rule that a request matched to determine an employee's intent., - Define a “ Reverse Proxy “:, - This is a type of proxy server that protects servers from direct contact with client requests., - Logs from a reverse proxy can be analyzed for indicators of attack or compromise, such as malicious code in HTTP request headers and URLs.

- Define “ Web Application Firewall (WAF) “:, - This is a firewall designed specifically to protect software running on web servers and their backend databases from code injection and DoS attacks., - Web application firewalls are used to prevent web-based exploits and vulnerabilities like SQL injection, XML injection, and cross-site scripting (XSS) attacks., - Many web application firewalls use JavaScript Object Notation (JSON) format to store their logs, these include:, - Time of the event, - Severity of event, - URL parameters, - HTTP method used, - Context for the rule

- Define a “ Intrusion Detection System (IDS) “:, - This is a software and/or hardware system that scans, audits, and monitors the security infrastructure for signs of attacks in progress., - What is the difference between an IDS and IPS?, - This is an IPS is an IDS that can actively block an attack., - Define a “ Intrusion Prevention System (IPS) “:, - This is a software and/or hardware system that scans, audits, and monitors the security infrastructure for signs of attacks in progress and can actively block the attacks., - Define and Categorize “ Common IPSs “:, - Define “ Snort (snort.org)”:, - This is an open-source software available for Windows and selected Linux distributions that can operate as an IDS or IPS mode., - Define “ Oinkcode “:, - Gives you all the latest security threats., - Define “ Zeek (zeek.org) “:, - This is an open-source IDS for UNIX/Linux platforms that contains a scripting engine which can be used to act on significant events (notices) by generating an alert or implementing some sort of shunning mechanism., - Define ” Security Onion (securityonion.net) “:, - This is an open-source Linux-based platform for security monitoring, incident response, and threat hunting that It bundles Snort, Suricata, Zeek, Wireshark, and NetworkMiner with log management and incident management tools.

- A log entry is created every time a rule is matched in an IDS or IPS o IDS/IPS software provides many options for outputting log entries., - Snort provides the following formats:, - Unified output, - Syslog, - Comma Separated Values (CSV), - Tcpdump (pcap), - Input into a SIEM, - Alerts should be monitored in real time to determine if an incident occurred., - An IDS/IPS uses predefined rule signatures to match traffic that security experts have identified as malicious., - Analysts may create custom rules for their specific organizational needs., - Define a “ Snort Rule Format “:, - Action Protocol SourceIP SourcePort Direction DestinationIP DestinationPort (RuleOption; RuleOption; ...), - Action field is usually set to alert, but other options include log, pass (ignore), drop, and reject., - Source and destination address and ports are usually set to a keyword (any) or variable ($EXTERNAL_NET or %HOME_NET) but can also be a static value., - Direction can be unidirectional (-> or <-) or bidirectional (<>)., - There are many rule options that can be set within Snort, these include:, - msg, - flow, - flags, - track, - reference, - classtype, - sid and rev, - Snort Rule for Brute Force Attempts Against IMAP Mailbox Accounts:, - alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP logon brute force attempt"; flow:to_server,established,no_stream; content:"LOGON"; fast_pattern:only; detection_filter:track by_dst, count 30, seconds 30; metadata:ruleset community, service imap; reference:url,attack.mitre.org/techniques/T1110; classtype:suspicious-logon; sid:2273; rev:12;), - Define “ Port Security Configuration “:, - Define “ Port Security “:, - This is the blocking of unauthorized application service ports on hosts and firewalls, or the physical and remote access ports used to allow a host to communicate on the local network., - Appliances such as switches, routers, and firewalls are subject to software vulnerabilities and patching shortfalls in the same way as servers., - Many network appliances are still running vulnerable, outdated, or unpatched versions of the Linux kernel., - Disable web administrative interfaces and use SSH shells instead for increase security., - What at the Best practices to secure network appliances:, - Use ACLs to restrict access to designated host devices, - Monitor the number of designated interfaces, - Deny internet access to remote management, - If rogue devices are found on your network, enforce port security., - What are the Types of Port Security:, - Define “ Physical Port Security “:, - Physical access to the switch ports and switch hardware should be restricted to authorized staff., - Define “ MAC Filtering “:, - Applying an access control list to a switch or access point so that only clients with approved MAC addresses can connect to it., - Define a “ Network Access Control (NAC) “:, - This is a general term for the collected protocols, policies, and hardware that authenticate and authorize access to a network at the device level.

- Define “ Network Access Control (NAC) “:, - This provides the means to authenticate users and evaluate device integrity before a network connection is permitted., - Define “ 802.1X “:, - This a standard for encapsulating EAP (Extensible Authentication Protocol) communications over a LAN or wireless LAN., - provides port-based authentication, - Define a “ Port-based NAC “:, - A switch (or router) that performs some sort of authentication of the attached device before activating the port., - A broader NAC solution allows administrators to devise policies or profiles describing a minimum-security configuration that devices must meet before being granted network access o Key Features of a NAC solution., - Define “ Posture Assessment “:, - This is the process of assessing the endpoint for compliance with the health policy., - Define “ Remediation “:, - The process and procedures that occur is a device does not meet the minimum-security profile., - Define “ Pre- and Post-admission Control “:, - This is the point at which client devices are granted or denied access based on their compliance with a health policy., - An endpoint health policy is just one of the rule-based methods of granting or denying access, - What are some other features that can be used:, - Time-based:, - This defines access periods for given hosts using a time-based ACL., - Define “ Location-based “:, - Evaluates the location of the endpoint requesting access using geolocation of its IP, GPS, or other mechanisms., - Define “ Role-based “:, - NAC method that re-evaluates a device's authorization when it is used to do something (also called adaptive NAC)., - Define “ Rule-based “:, - A complex admission policy that enforces a series of rules which are written as logical statements (IF .... AND .... OR).

- Appliance monitoring in ISO 27001 falls primarily under:, - Annex A Control 8.16, "Monitoring activities.", - Here's why:, - Annex A is the section of the ISO 27001 standard that provides a comprehensive list of information security controls., - These controls are designed to address the risks identified during the risk assessment process., - Control 8.16:, - specifically focuses on the need to continuously monitor networks, systems, and applications for unusual behavior and potential security incidents., - This directly relates to the concept of appliance monitoring, as appliances are part of these systems and networks., - The purpose of this control is to detect anomalous activity and take appropriate action to evaluate potential information security incidents., - Monitoring appliances helps in identifying deviations from normal operation that could indicate a security issue or a potential threat., - While Annex A Control 8.16 is the most directly relevant, other areas of ISO 27001 might also touch upon aspects of appliance monitoring, depending on the specific context and the nature of the appliances being used:, - Annex A Control 7.4, "Physical security monitoring,":, - would be relevant if the appliance monitoring involves physical security aspects, such as monitoring access to locations where appliances are housed., - Clause 9, "Performance evaluation,":, - requires the organization to monitor, measure, analyze, and evaluate its information security performance, which would include the effectiveness of monitoring activities related to appliances., - Clause 10, "Improvement,":, - emphasizes the need to continually improve the information security management system, , - which would involve reviewing and refining the appliance monitoring processes based on the results of monitoring and any security incidents., - Depending on the function of the appliance, other Annex A controls related to network security (A.8.20), logging (A.8.15), or technical vulnerability management (A.8.8) might also be applicable., - In summary,, - Annex A Control 8.16 is the primary area in ISO 27001 where appliance monitoring is addressed,, - focusing on the continuous monitoring of systems and networks for anomalous behavior, which inherently includes the monitoring of appliances connected to these systems.