WEBVTT

00:00.000 --> 00:03.560
>> Techniques for
risk reduction.

00:03.560 --> 00:05.650
The learning objectives for

00:05.650 --> 00:09.130
this lesson are to define
deceptive technologies,

00:09.130 --> 00:12.400
to describe security
data analytics,

00:12.400 --> 00:14.050
and to utilize endpoint

00:14.050 --> 00:16.495
exploitation risk
reduction techniques.

00:16.495 --> 00:20.020
Let's get started.
The first thing

00:20.020 --> 00:23.320
we're going to discuss is
deceptive technologies.

00:23.320 --> 00:25.885
The first one, it
would be a Decoy File.

00:25.885 --> 00:29.035
These are files that might
look appealing to an attacker,

00:29.035 --> 00:31.465
but we're monitoring them
for signs of access.

00:31.465 --> 00:33.575
They're also known
as honey tokens.

00:33.575 --> 00:35.820
Then we can move
up to a Honeypot.

00:35.820 --> 00:38.530
This pretends to be a
real computer system,

00:38.530 --> 00:40.600
but is actually fake
and it is designed to

00:40.600 --> 00:43.910
monitor any activity that
happens on that system.

00:43.910 --> 00:46.080
Finally, we have a Honeynet,

00:46.080 --> 00:47.630
which uses several Honeypots

00:47.630 --> 00:50.435
together and pretends to
be an entire network.

00:50.435 --> 00:54.710
Now the purpose of
these Honeypots, files,

00:54.710 --> 00:57.545
and nets is to get
attackers redirected

00:57.545 --> 01:00.815
into one direction
and stuck over here,

01:00.815 --> 01:03.485
instead of looking over
for the real systems.

01:03.485 --> 01:06.610
It takes time away from them,

01:06.610 --> 01:08.180
but it's also designed

01:08.180 --> 01:11.150
to notify us that
something is occurring.

01:11.150 --> 01:12.890
If a device that

01:12.890 --> 01:14.750
should not be accessed by
anyone in the network,

01:14.750 --> 01:15.830
because none of the employees of

01:15.830 --> 01:17.120
the company know that it's there

01:17.120 --> 01:19.940
suddenly is being accessed
and we get alerts for it,

01:19.940 --> 01:21.650
then we can immediately shift

01:21.650 --> 01:24.960
our focus over there to
find out what's going on.

01:26.110 --> 01:28.790
We can also use simulators.

01:28.790 --> 01:31.070
These are less
complicated to deploy,

01:31.070 --> 01:33.065
and they can be as simple as

01:33.065 --> 01:36.890
a single application running
to simulate services.

01:36.890 --> 01:40.100
We can also use dynamic
network configurations.

01:40.100 --> 01:41.900
This is where the
network configurations

01:41.900 --> 01:42.980
can be redeployed

01:42.980 --> 01:46.145
after an attack is noticed
so that we can contain it.

01:46.145 --> 01:48.830
We could automatically enclose

01:48.830 --> 01:50.720
part of the network to
keep them locked in over

01:50.720 --> 01:51.950
there and then isolate

01:51.950 --> 01:56.190
that network now from the rest
of our corporate network.

01:57.170 --> 01:59.790
Instructor side
note. If you want

01:59.790 --> 02:01.535
to play with a Honeypot
for your network,

02:01.535 --> 02:03.845
I would recommend
checking out OpenCanary.

02:03.845 --> 02:05.300
You can quickly deploy

02:05.300 --> 02:08.075
a customizable simulation
for your own network.

02:08.075 --> 02:10.670
You can find out more
information at the URL below.

02:10.670 --> 02:13.070
But you can run it very
lightweight and it can

02:13.070 --> 02:15.965
pretend to be a NAS device,

02:15.965 --> 02:17.225
or a Windows device,

02:17.225 --> 02:21.259
or even a Linux machine running
something as simple as SSH.

02:21.259 --> 02:23.750
But you will receive
alerts based on

02:23.750 --> 02:26.345
whatever configurations
you have set up to run.

02:26.345 --> 02:28.580
It just sits quietly
over in the corner,

02:28.580 --> 02:29.630
I tend to run them in

02:29.630 --> 02:32.050
VMs and no one knows
that it's there,

02:32.050 --> 02:33.440
but if that IP address is ever

02:33.440 --> 02:35.780
accessed or scanned with Nmap,

02:35.780 --> 02:37.175
then I'm going to get an alert,

02:37.175 --> 02:38.615
and then that's going
to let me know, hey,

02:38.615 --> 02:41.460
someone's on the network who's
not supposed to be there.

02:42.370 --> 02:45.190
Security data analytics.

02:45.190 --> 02:48.260
These are a set of tools that
will help us to collect,

02:48.260 --> 02:50.075
order, and then analyze

02:50.075 --> 02:53.045
the vast amounts of data
available on an enterprise.

02:53.045 --> 02:55.670
That way we can identify

02:55.670 --> 02:57.230
security incidents and then

02:57.230 --> 02:58.970
we can perform threat detection.

02:58.970 --> 03:02.435
Data sources are usually
either static or streaming.

03:02.435 --> 03:04.340
Static sources
would be considered

03:04.340 --> 03:06.200
log files on systems where

03:06.200 --> 03:10.130
streams are live data that
is in near real-time.

03:10.130 --> 03:12.230
These tend to be our
intrusion detection systems

03:12.230 --> 03:14.670
or intrusion prevention systems.

03:15.260 --> 03:18.945
Endpoint exploitation
risk reduction.

03:18.945 --> 03:21.615
This is about
preventative controls.

03:21.615 --> 03:23.285
The first one we're
going to discuss

03:23.285 --> 03:24.950
is antivirus software.

03:24.950 --> 03:26.240
This will detect and then

03:26.240 --> 03:28.865
identify malicious
software on an endpoint.

03:28.865 --> 03:31.610
Most of us are probably
familiar with this already.

03:31.610 --> 03:34.430
Then we can also use
immutable systems.

03:34.430 --> 03:36.935
This is a system that
is unchangeable.

03:36.935 --> 03:39.560
It's also often
referred to as frozen.

03:39.560 --> 03:41.690
You can't make any
changes to it, therefore,

03:41.690 --> 03:44.440
it's very difficult for
it to become compromised.

03:44.440 --> 03:46.275
Next, we can use hardening.

03:46.275 --> 03:47.540
This is where we remove

03:47.540 --> 03:50.060
any unnecessary
elements from a system,

03:50.060 --> 03:52.430
make configuration changes to

03:52.430 --> 03:54.340
make the system less vulnerable.

03:54.340 --> 03:56.955
It often involves using
established baselines.

03:56.955 --> 03:59.090
For example, on a Linux system,

03:59.090 --> 04:04.160
if you don't need SSH to
administer that machine,

04:04.160 --> 04:06.380
disable the SSH service.

04:06.380 --> 04:09.545
We can also use
sandbox detonation.

04:09.545 --> 04:11.555
This is a segregated system

04:11.555 --> 04:13.730
that can allow for
the execution of

04:13.730 --> 04:16.010
malware so that we can
see what it does without

04:16.010 --> 04:19.650
risking it infecting the rest
of our production systems.

04:20.720 --> 04:23.190
Application controls.

04:23.190 --> 04:25.780
We can use allow
versus Block Lists.

04:25.780 --> 04:29.330
This will control what
can or cannot run.

04:29.330 --> 04:32.570
A good example of this is
AppLocker for Windows.

04:32.570 --> 04:34.445
We can also use licensing,

04:34.445 --> 04:36.350
maintaining licensed software to

04:36.350 --> 04:39.580
avoid costly fines
or catch-up fees.

04:39.580 --> 04:42.575
We can also use
atomic execution.

04:42.575 --> 04:44.480
This is where a task runs with

04:44.480 --> 04:47.340
exclusive access to resources.

04:50.340 --> 04:55.945
We can also use time of check
versus time of use, TOCTOU.

04:55.945 --> 04:57.970
Performing a series of

04:57.970 --> 04:59.890
steps after checking that

04:59.890 --> 05:01.750
an important value has occurred,

05:01.750 --> 05:03.640
a user logs into a system

05:03.640 --> 05:05.860
after which the user
account is disabled,

05:05.860 --> 05:07.150
but the user would still have

05:07.150 --> 05:09.370
system access since the account

05:09.370 --> 05:11.320
was changed after
the authentication.

05:11.320 --> 05:12.610
This is where we
want to make sure

05:12.610 --> 05:14.350
that just because we took

05:14.350 --> 05:17.950
an action by disabling
that user's account,

05:17.950 --> 05:19.180
if they're still logged in,

05:19.180 --> 05:21.445
that's already passed the
authentication process,

05:21.445 --> 05:23.650
they're still
accessing our systems.

05:23.650 --> 05:25.390
You want to be very careful

05:25.390 --> 05:29.295
that any decisions
that are made,

05:29.295 --> 05:30.950
that you're checking the actions

05:30.950 --> 05:33.060
that happen before those.

05:34.670 --> 05:37.375
Security automation tools.

05:37.375 --> 05:38.990
These will help us to automate

05:38.990 --> 05:42.260
the repetitive tasks on systems
and across our networks.

05:42.260 --> 05:44.120
You can use scheduled
tasks such as

05:44.120 --> 05:46.025
cron and Windows scheduled tasks.

05:46.025 --> 05:47.750
You can also use
scripting languages

05:47.750 --> 05:49.490
such as batch scripts,

05:49.490 --> 05:51.425
batch files on Windows,

05:51.425 --> 05:53.940
and then PowerShell and Python.

05:55.370 --> 05:58.270
Physical Security Requirements.

05:58.270 --> 06:00.875
Physical security is
often overlooked,

06:00.875 --> 06:03.770
but a critical part of our
overall security plan.

06:03.770 --> 06:06.505
We want to make sure that we
have well-planned lighting,

06:06.505 --> 06:08.900
cameras that work
together to ensure

06:08.900 --> 06:11.375
that quality video
images are collected.

06:11.375 --> 06:12.740
We also want to
make sure we have

06:12.740 --> 06:15.395
access control through
the use of locking doors,

06:15.395 --> 06:17.405
visitor sign-ins with badging,

06:17.405 --> 06:19.010
and then access logs.

06:19.010 --> 06:22.055
If we need fencing to make
sure that our building

06:22.055 --> 06:25.775
is surrounded by a protective
barrier of some sort,

06:25.775 --> 06:27.890
we need to make sure
we allocate for that.

06:27.890 --> 06:29.990
Also, we want
procedures for handling

06:29.990 --> 06:32.230
incidents that are
seen on our videos,

06:32.230 --> 06:34.700
so physical security is
going to be different

06:34.700 --> 06:37.235
for every type of organization.

06:37.235 --> 06:38.750
A doctor's office isn't going to

06:38.750 --> 06:42.065
need as much of this as,
say, a corporation would.

06:42.065 --> 06:45.020
But with the plummeting
cost of video cameras,

06:45.020 --> 06:46.865
there's almost no reason why

06:46.865 --> 06:48.200
the cameras shouldn't be

06:48.200 --> 06:49.670
installed in almost
any business,

06:49.670 --> 06:52.080
especially in key areas.

06:52.670 --> 06:56.885
Let's summarize. We went over
endpoint risk reduction.

06:56.885 --> 06:59.495
We also discussed
disruptive technologies.

06:59.495 --> 07:02.540
We went over security data
analysis and then the use of

07:02.540 --> 07:04.520
security automation tools and

07:04.520 --> 07:07.040
finally, physical
security considerations.

07:07.040 --> 07:10.145
Let's do some example questions.

07:10.145 --> 07:12.455
Question 1, a blank is

07:12.455 --> 07:14.870
a fake computer that
is designed to lure

07:14.870 --> 07:16.850
attackers in and contain
them so they can

07:16.850 --> 07:20.650
be monitored. A Honeypot.

07:20.650 --> 07:25.400
Question 2, this is a system
configured to be frozen and

07:25.400 --> 07:30.405
unable to be changed.
Immutable System.

07:30.405 --> 07:34.805
Question 3, this type
of data source includes

07:34.805 --> 07:37.970
sources such as intrusion
detection systems

07:37.970 --> 07:40.380
or intrusion prevention systems.

07:40.580 --> 07:45.115
Stream data. Finally question 4,

07:45.115 --> 07:48.530
the process of removing
unnecessary services and making

07:48.530 --> 07:53.905
configuration changes to
enhance security is Hardening.

07:53.905 --> 07:55.520
Hope that lesson was helpful for

07:55.520 --> 07:57.750
you, and I'll see
you in the next one.

