CompTIA CySA+ Objective 1.3

Given a network-based threat, implement or recommend the appropriate response and countermeasure.

CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives Version 3.0

For this objective we will explore some potential countermeasures and controls to help secure a network and what kinds of attacks they may thwart.

Network Segmentation

One of the most basic things that can slow and sometimes stop an attack is network segmentation. Inside a network, Virtual Local Area Networks (VLANs) can be used to separate groups of computers. Routers or layer-3 switches then provide the connectivity between these VLANs. Because the layer-3 device becomes the common point through which inter-VLAN traffic must pass, security policies like access control lists (ACLs) can be applied there to limit that traffic. Firewalls can also be used to segment and isolate hosts from one another. These firewalls can be either network appliances or software on hosts.

Another form of segmentation is maintaining a separate management network for remotely accessing network devices.  This management network allows authorized computers like jump boxes to access the network equipment while not allowing other hosts access.  

Honeypot

Honeypots are hosts set up to emulate vulnerable systems. They serve as trip wires to help identify malicious activity on the network. Because they are purposely made to look like easy targets, the hope is that they will also occupy the time of the hacker while the alert gives the security team time to react.
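The trip-wire idea above, as an added example that is not part of the CompTIA objective text: a minimal TCP honeypot that listens, sends a lure banner, and turns every connection into an alert record of the kind a SIEM would ingest. The banner, addresses and probe are constructed for the demonstration; nothing here emulates a real service.

```python
import datetime
import socket
import threading


class Honeypot:
    """Minimal TCP trip-wire (constructed example).

    It does not emulate a real service: it sends a fake banner, records who
    connected and the first bytes they sent, and produces an alert record.
    Any contact at all is treated as suspicious, because no legitimate client
    has a reason to talk to this host.
    """

    def __init__(self, host="127.0.0.1", port=0, banner=b"220 ftp ready\r\n"):
        self.host = host
        self.port = port          # 0 lets the OS choose a free port
        self.banner = banner      # constructed lure banner, not a real FTP server
        self.alerts = []
        self._sock = None

    def bind(self):
        """Open the listening socket and return the port actually bound."""
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((self.host, self.port))
        self._sock.listen(5)
        self.port = self._sock.getsockname()[1]
        return self.port

    def serve(self, max_connections=1, read_timeout=2.0):
        """Accept up to max_connections, logging each one, then close."""
        for _ in range(max_connections):
            conn, addr = self._sock.accept()
            with conn:
                conn.settimeout(read_timeout)
                try:
                    conn.sendall(self.banner)
                    data = conn.recv(1024)
                except (socket.timeout, OSError):
                    data = b""  # a bare port scan may connect and send nothing
                self.alerts.append(self.make_alert(addr, data))
        self._sock.close()
        return self.alerts

    @staticmethod
    def make_alert(addr, data):
        return {
            "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
            "src_ip": addr[0],
            "src_port": addr[1],
            "first_bytes": data[:64],
            "severity": "high",   # contact with a honeypot is suspicious by definition
        }


def run_in_background(honeypot, max_connections=1):
    worker = threading.Thread(target=honeypot.serve, args=(max_connections,), daemon=True)
    worker.start()
    return worker


def demo():
    """Stand-alone run: start the honeypot and touch it with a constructed probe."""
    hp = Honeypot()
    port = hp.bind()
    worker = run_in_background(hp)
    # Constructed probe standing in for a scanner; it runs in this same process.
    with socket.create_connection(("127.0.0.1", port), timeout=2.0) as probe:
        probe.recv(64)                       # read the lure banner
        probe.sendall(b"USER anonymous\r\n")
    worker.join(timeout=5.0)
    return hp.alerts


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

In practice the alert records would be shipped to the SIEM alongside the endpoint and network logs, and the source address in each record is the pivot point for the investigation: the honeypot's value is that a hit is a high-confidence signal, not that it holds the attacker for long.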

Endpoint Security

Endpoint security consists of several technologies that are installed on hosts.  These include antivirus, antimalware, and host intrusion protection systems (HIPS).  Endpoint security solutions provide the final layer of defense in depth.  To be effective they must be maintained, kept updated and their logs should be included in any SIEM or other log analysis.

Group Policies

In Windows environments, Active Directory Group Policies can be used as a security tool. They can ensure that operating system settings such as password length requirements and security settings are uniform and enforced across a network.

Access Control Lists (ACLs)

ACLs on network devices like switches, routers and firewalls can be used to limit the type of traffic that can reach certain hosts.  For example, if a web server is only supposed to be allowed to talk to a database server on a certain port or set of ports, this can be enforced with an ACL.  This will limit the attack surface area for both hosts and can help to limit the ability of an attacker to pivot from one compromised host to another.
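The web-server-to-database-server case above, and the inter-VLAN filtering described under Network Segmentation, as an added example that is not part of the CompTIA objective text: a small first-match ACL evaluator with the implicit deny that router and firewall ACLs apply when no rule matches. The addressing (DMZ VLAN 10.0.10.0/24 with web server 10.0.10.5, data VLAN 10.0.20.0/24 with database server 10.0.20.8, admin jump hosts in 10.0.30.0/24) and the database port 5432 are assumptions made for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, proto, src_ip, dst_ip, dport):
        return ((self.proto == "any" or self.proto == proto)
                and src_ip in self.src
                and dst_ip in self.dst
                and (self.dport is None or self.dport == dport))


def net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


# Constructed policy for the web-server / database-server case.  Assumed addressing:
# web server 10.0.10.5 in the DMZ VLAN (10.0.10.0/24), database server 10.0.20.8 in
# the data VLAN (10.0.20.0/24), admin jump hosts in 10.0.30.0/24, database on 5432.
ACL = [
    Rule("permit", "tcp", net("10.0.10.5/32"), net("10.0.20.8/32"), 5432),  # web -> db, one port only
    Rule("permit", "tcp", net("10.0.30.0/24"), net("10.0.20.8/32"), 22),    # admins -> db over SSH
    Rule("deny",   "any", net("10.0.10.0/24"), net("10.0.20.0/24")),        # no other DMZ -> data traffic
    Rule("permit", "any", net("0.0.0.0/0"),    net("0.0.0.0/0")),           # remaining traffic (illustrative)
]


def evaluate(acl, proto, src, dst, dport):
    """First-match evaluation with an implicit deny when no rule matches.

    Returns (action, index_of_matching_rule); the index is None for the implicit deny.
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for index, rule in enumerate(acl):
        if rule.matches(proto, src_ip, dst_ip, dport):
            return rule.action, index
    return "deny", None


if __name__ == "__main__":
    # Constructed flows: the permitted application path, then the kind of lateral
    # movement from a compromised DMZ host that the deny rule is there to stop.
    flows = [
        ("tcp", "10.0.10.5", "10.0.20.8", 5432),
        ("tcp", "10.0.10.5", "10.0.20.8", 22),
        ("tcp", "10.0.10.5", "10.0.20.9", 445),
        ("tcp", "10.0.30.4", "10.0.20.8", 22),
    ]
    for flow in flows:
        print(flow, "->", evaluate(ACL, *flow))
```

The ordering matters: the specific permits sit above the broad deny, and the broad deny sits above the catch-all permit, so a web server that is compromised can still reach the database on its one application port and nothing else in the data VLAN. Logging hits on the deny rule gives the SOC a direct indicator of pivot attempts.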

Hardening

Security hardening consists of countermeasures that make hosts more difficult to attack and compromise. Access control to objects like files is one way to harden systems. There are two ways to implement access control. Mandatory Access Control (MAC) requires that an administrator sets controls for every object, and end users are not allowed to override these controls. Often this is associated with a classification system like that used by the government or military. Discretionary Access Control (DAC), on the other hand, allows end users to assign rights and override classifications.
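The MAC and DAC models described above, as an added example that is not part of the CompTIA objective text: a toy MAC system where only the administrator sets clearances and classification labels and a read is allowed only when the subject's clearance reaches the object's label, beside a toy DAC system where the object's owner hands out rights at their own discretion. The users, file names and classification levels are constructed for the demonstration.

```python
from enum import IntEnum


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


class MacSystem:
    """Mandatory access control: labels are set by the administrator only.

    A subject may read an object only if its clearance is at least the object's
    classification ("no read up").  Ordinary users cannot change either label.
    """

    ADMIN = "admin"

    def __init__(self):
        self.clearance = {}   # subject -> Level
        self.label = {}       # object  -> Level

    def set_clearance(self, actor, subject, level):
        if actor != self.ADMIN:
            raise PermissionError(f"{actor} may not change clearances")
        self.clearance[subject] = level

    def set_label(self, actor, obj, level):
        if actor != self.ADMIN:
            raise PermissionError(f"{actor} may not relabel objects")
        self.label[obj] = level

    def can_read(self, subject, obj):
        return self.clearance.get(subject, Level.UNCLASSIFIED) >= self.label[obj]


class DacSystem:
    """Discretionary access control: the owner of an object decides who gets access."""

    def __init__(self):
        self.owner = {}       # object -> owning user
        self.acl = {}         # object -> {user: set(permissions)}

    def create(self, owner, obj):
        self.owner[obj] = owner
        self.acl[obj] = {owner: {"read", "write"}}

    def grant(self, actor, obj, subject, perm):
        if self.owner.get(obj) != actor:
            raise PermissionError(f"{actor} does not own {obj}")
        self.acl[obj].setdefault(subject, set()).add(perm)

    def can(self, subject, obj, perm):
        return perm in self.acl.get(obj, {}).get(subject, set())


def demo():
    """Constructed scenario: the same two users under each model."""
    results = {}

    mac = MacSystem()
    mac.set_clearance("admin", "alice", Level.SECRET)
    mac.set_clearance("admin", "bob", Level.CONFIDENTIAL)
    mac.set_label("admin", "plan.txt", Level.SECRET)
    results["mac_alice_reads"] = mac.can_read("alice", "plan.txt")
    results["mac_bob_reads"] = mac.can_read("bob", "plan.txt")
    try:                        # a non-admin relabel is refused under MAC
        mac.set_label("bob", "plan.txt", Level.UNCLASSIFIED)
        results["mac_bob_relabels"] = True
    except PermissionError:
        results["mac_bob_relabels"] = False

    dac = DacSystem()
    dac.create("alice", "notes.txt")
    results["dac_bob_before_grant"] = dac.can("bob", "notes.txt", "read")
    dac.grant("alice", "notes.txt", "bob", "read")   # the owner shares at her discretion
    results["dac_bob_after_grant"] = dac.can("bob", "notes.txt", "read")
    try:                        # a non-owner cannot grant rights under DAC either
        dac.grant("bob", "notes.txt", "bob", "write")
        results["dac_bob_self_grant"] = True
    except PermissionError:
        results["dac_bob_self_grant"] = False
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The difference that matters for hardening is who holds the decision: under MAC the policy is centrally administered and a user cannot loosen it, while under DAC every owner can widen access, so DAC deployments need auditing of grants to stay hardened.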

Another part of hardening systems is to disable or block unused ports and services. An example would be to disable or block Windows file sharing on a server that should only be serving as a web server. Any additional service or open port that is unneeded adds to the potential attack surface of a host. Patching systems to remove vulnerabilities is another method of hardening that reduces the attack surface of a host.

Network Access Control (NAC)

Network Access Control (NAC) can be used to limit or prevent access to the network based on various contextual information beyond username and password authentication.  This information can include time of day, role of the user, and the location.  Based on the context clues, rules can determine what access is granted.
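The contextual decision described above, as an added example that is not part of the CompTIA objective text: an ordered NAC policy table that combines role, location and time of day into a network assignment, with first match winning and an explicit default deny. The roles, location names, business hours and VLAN names are constructed for the demonstration and do not correspond to any particular NAC product.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    user: str
    role: str       # assigned by the directory after authentication
    location: str   # where the device connects from: "hq-wired", "hq-wifi", "vpn", "guest-wifi"
    hour: int       # local hour of day, 0-23


# Ordered policy table (constructed).  Each entry: name, condition, decision.
# The first matching entry wins; a context that matches nothing is denied.
POLICIES = [
    ("admin-from-wired-office",
     lambda c: c.role == "admin" and c.location == "hq-wired", "management-vlan"),
    ("admin-elsewhere",
     lambda c: c.role == "admin", "user-vlan"),
    ("contractor-after-hours",
     lambda c: c.role == "contractor" and not 8 <= c.hour < 18, "deny"),
    ("contractor-business-hours",
     lambda c: c.role == "contractor" and c.location == "hq-wired", "restricted-vlan"),
    ("staff-trusted-locations",
     lambda c: c.role == "staff" and c.location in {"hq-wired", "hq-wifi", "vpn"}, "user-vlan"),
    ("anyone-on-guest-wifi",
     lambda c: c.location == "guest-wifi", "internet-only-vlan"),
]

DEFAULT_DECISION = "deny"


def decide(context, policies=POLICIES):
    """Return (decision, policy_name) for the first policy whose condition holds."""
    for name, condition, decision in policies:
        if condition(context):
            return decision, name
    return DEFAULT_DECISION, "default"


if __name__ == "__main__":
    # Constructed connection attempts covering each branch of the table.
    samples = [
        Context("dana", "admin", "hq-wired", 10),
        Context("dana", "admin", "vpn", 22),
        Context("vic", "contractor", "hq-wired", 21),
        Context("vic", "contractor", "hq-wired", 14),
        Context("vic", "contractor", "vpn", 14),
        Context("sam", "staff", "guest-wifi", 9),
    ]
    for ctx in samples:
        print(ctx, "->", decide(ctx))
```

Returning the matching policy name alongside the decision is deliberate: when a user is unexpectedly denied or quarantined, the analyst needs to see which rule fired, and the NAC log entry should carry that name so the decision can be audited.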