
You're reading from  CompTIA Security+ SY0-701 Certification Guide - Third Edition

Product type: Book
Published in: Jan 2024
Publisher: Packt
ISBN-13: 9781835461532
Edition: 3rd Edition
Author: Ian Neil

Ian Neil is one of the world's top trainers of Security+. He is able to break down information into manageable chunks so that people with no background knowledge can gain the skills required to become certified. He has recently worked for the US Army in Europe and designed a Security+ course that catered to people from all backgrounds (not just IT professionals), with an extremely successful pass rate. He is an MCT, MCSE, A+, Network+, Security+, CASP, and RESILIA practitioner that has worked with high-end training providers over the past 23 years and was one of the first technical trainers to train Microsoft internal staff when they opened their Bucharest Office in 2006.


Introduction

This chapter covers the fifth objective of Domain 4.0, Security Operations. In this chapter, we will investigate how to enhance methods of security within an enterprise environment.

As we explore this crucial topic, we will navigate through a variety of security measures, each designed to fortify the digital fortress that safeguards an organization’s assets and data. We will look at firewalls, IDS/IPS, web filters, operating system security, and secure protocols to explore how each element can be tailored to adapt to the dynamic threat landscape. We will uncover the strategies and tools that empower enterprises to not only defend against existing threats but also anticipate and prepare for the challenges that lie ahead.

This chapter will help you analyze indicators of malicious activity so that you can keep your environment safe, and it will prepare you to answer the exam questions related to these concepts for your certification.

Note

A full breakdown...

Firewall

Firewalls are the first line of defense in protecting networks from the relentless onslaught of cyber threats. Firewalls can create rules to allow or block traffic by using access lists and knowledge of ports and protocols, or by creating screened subnets. This section will consider the inner workings of firewalls to unveil their multifaceted capabilities and the pivotal role they play in fortifying the digital fortresses that shield data and systems from harm.

Firewall Types

Table 18.1 reviews several different types of firewalls, including their missions and the scenarios in which they are best used. These will be broken down into firewall types, rules, access control lists, ports/protocols, and screened subnets:

Zones

In networking, when we move data between the internet and a company computer, we do so through three distinct zones:

  • Wide Area Network (WAN): A WAN is an external public network that covers a wide geographical area. This is considered an untrusted zone.
  • Local Area Network (LAN): A LAN is a network covering a small location such as a building or a company with staff working in close proximity. This is seen as a trusted zone.
  • Screened subnet: A screened subnet is a boundary layer owned by a company whose purpose is to protect the company from external hackers. This is a neutral zone that hosts data accessible to people from both the trusted and untrusted zones. An example of this is a mail server. For instance, say Company A (a car manufacturer) has their office staff working from the LAN, but they also have mobile sales staff who travel externally. The company has placed the mail server in the screened subnet so that both office staff and remote users can access...
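The zone model and the access-list behavior described above (rules evaluated top-down, first match wins, anything unmatched is dropped) can be shown in a few lines of code. The following is an added example and is not code from the book: the addresses, zone names and rules are constructed for illustration, and the filter is a stateless 5-tuple check, which is enough to show why the mail server sits in the screened subnet while the LAN stays unreachable from the WAN.

```python
# Added example (not from the book): a minimal stateless packet filter that
# evaluates an ordered access control list the way the chapter describes it.
# Rules are matched top-down, the first matching rule wins, and a packet that
# matches no rule is dropped (implicit deny). All addresses are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src_zone: str            # "WAN", "LAN" or "SCREENED"
    dst_zone: str
    protocol: str            # "tcp", "udp" or "any"
    dst_port: Optional[int]  # None means any port
    dst_net: str = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: int


# Constructed address plan: one network per trusted/neutral zone.
ZONES = {
    "LAN": ipaddress.ip_network("10.0.0.0/16"),
    "SCREENED": ipaddress.ip_network("192.0.2.0/24"),  # mail server lives here
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything that is not ours is the untrusted WAN."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"


ACL = [
    # Remote sales staff (WAN) and office staff (LAN) both reach the mail server.
    Rule("allow", "WAN", "SCREENED", "tcp", 25, "192.0.2.10/32"),
    Rule("allow", "LAN", "SCREENED", "tcp", 25, "192.0.2.10/32"),
    # Nothing from the internet may talk directly to the trusted LAN.
    Rule("deny", "WAN", "LAN", "any", None),
    # Office staff may browse out to the internet.
    Rule("allow", "LAN", "WAN", "tcp", 443),
    Rule("allow", "LAN", "WAN", "tcp", 80),
]


def evaluate(acl, pkt):
    """Return (action, rule_index); index -1 means the implicit deny fired."""
    sz, dz = zone_of(pkt.src_ip), zone_of(pkt.dst_ip)
    for i, r in enumerate(acl):
        if r.src_zone != sz or r.dst_zone != dz:
            continue
        if r.protocol != "any" and r.protocol != pkt.protocol:
            continue
        if r.dst_port is not None and r.dst_port != pkt.dst_port:
            continue
        if ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(r.dst_net):
            continue
        return r.action, i
    return "deny", -1


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.7", "192.0.2.10", "tcp", 25),   # internet -> mail server
        Packet("203.0.113.7", "10.0.5.20", "tcp", 445),   # internet -> LAN file share
        Packet("10.0.5.20", "198.51.100.3", "tcp", 443),  # LAN -> internet HTTPS
        Packet("10.0.5.20", "198.51.100.3", "udp", 53),   # LAN -> internet DNS, no rule
    ]
    for p in samples:
        print(p, "->", evaluate(ACL, p))
```

The last sample is the one to notice: there is no rule for outbound DNS, so the packet is dropped even though nothing explicitly denies it. That implicit deny at the bottom of the list is what makes an access list a whitelist rather than a blacklist, and forgetting it is the most common way a firewall ends up more open than its rules suggest.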

IDSs/IPSs

An Intrusion Detection System (IDS) is known as passive, as it takes no action to protect or defend your network beyond its role as an alarm system. It uses sensors and collectors to detect suspicious or unauthorized activities, sounding the alarm when potential threats are discovered.

Conversely, an Intrusion Prevention System (IPS) is active: it not only identifies suspicious activity but also takes immediate action to block or mitigate the threat, keeping the network resilient. The network-based IPS (NIPS) is placed very close to the firewall so that all traffic entering the network passes through it. For this reason, it is considered an inline device.

The network-based versions of the IPS and IDS (called NIPS and NIDS, respectively) can only operate on a network, not on a host device. When the IPS and IDS are placed on computers, they are known as host-based versions. These are called HIDS...
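The difference between the passive IDS and the inline IPS is easiest to see when the same detection engine is run in both modes. The following is an added example, not code from the book: a toy network sensor that applies the two detection methods the exam objective lists, signatures and trends, to constructed HTTP access-log lines. In "ids" mode it only raises alerts; in "ips" mode it also returns a block verdict and remembers the offending client. The log lines, signatures and threshold are all constructed for the example.

```python
# Added example (not from the book): a toy sensor with signature-based and
# trend-based detection, run either as a passive IDS or an inline IPS.
# Log lines below are constructed in common access-log format.
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Signatures: a name and a pattern for a known-bad request shape.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-tautology": re.compile(r"(?i)'\s*or\s*'?1'?\s*=\s*'?1"),
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)'
)


class Sensor:
    def __init__(self, mode="ids", trend_threshold=5):
        assert mode in ("ids", "ips")
        self.mode = mode
        self.threshold = trend_threshold
        self.requests_by_ip = defaultdict(int)  # per-client rate ("trend") counter
        self.alerts = []                         # (kind, ip, path)
        self.blocked = set()                     # only populated in ips mode

    def inspect(self, line):
        m = LOG_RE.match(line)
        if not m:
            return "ignored"
        ip, path = m["ip"], unquote_plus(m["path"])  # decode %xx before matching
        if ip in self.blocked:
            return "block"          # inline device: a blocked client never gets through
        hit = None
        for name, pat in SIGNATURES.items():
            if pat.search(path):
                hit = "signature:" + name
                break
        # Trend: many requests from one client in the window looks like scanning.
        self.requests_by_ip[ip] += 1
        if hit is None and self.requests_by_ip[ip] > self.threshold:
            hit = "trend:request-flood"
        if hit is None:
            return "pass"
        self.alerts.append((hit, ip, path))
        if self.mode == "ips":
            self.blocked.add(ip)
            return "block"
        return "alert"              # IDS: the alarm sounds, the packet still passes


# Constructed sample log: one clean request, one traversal attempt, one
# URL-encoded SQL tautology, then a burst of seven requests from a single client.
SAMPLE_LOG = [
    '203.0.113.9 - - [10/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Jan/2024:10:00:02 +0000] "GET /static/../../etc/passwd HTTP/1.1" 404 0',
    '198.51.100.4 - - [10/Jan/2024:10:00:03 +0000] "GET /search?q=a%27%20or%20%271%27%3D%271 HTTP/1.1" 200 77',
] + [
    f'192.0.2.77 - - [10/Jan/2024:10:00:{10 + i:02d} +0000] "GET /page{i} HTTP/1.1" 200 10'
    for i in range(7)
]


def run(lines, mode):
    """Feed every line through a fresh sensor; return the sensor and its verdicts."""
    sensor = Sensor(mode)
    verdicts = [sensor.inspect(line) for line in lines]
    return sensor, verdicts


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        sensor, verdicts = run(SAMPLE_LOG, mode)
        print(mode, verdicts, "blocked:", sorted(sensor.blocked))
```

Running it in both modes shows the trade-off the text describes: the IDS records four alerts and blocks nothing, while the IPS blocks three clients and records one alert fewer, because the seventh request from the flooding client is dropped before it is even inspected. That is also why an inline IPS needs far more care with false positives than a passive IDS.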

Web Filtering

Web filtering refers to the monitoring and blocking (that is, filtering) of traffic to the web server based on URLs, IP addresses, and content. It may involve any of the following methods:

  • Agent-based filtering: Agent-based filtering deploys software agents on individual devices to enforce internet filtering rules, ensuring compliance with organizational policies. These agents act like cybersecurity detectives, scanning network components and services to identify potential threats. They also function as firewalls, fortifying network security by blocking connections based on customized rules. Moreover, they offer real-time protection at the host and application level, safeguarding every aspect of the network. These agents play a crucial role in defending against cyber threats by blocking attacks and patching live systems. Importantly, they operate autonomously, not requiring a central host, and can take security actions independently, even when not connected to...

Operating System Security

Whether you’re safeguarding a personal computer or managing a network of servers, the principles of Operating System (OS) hardening apply universally to protect your OS from vulnerabilities and attacks. There are several measures you can take to successfully harden your OS, including the following:

  • Keep your system updated: The foundation of OS hardening begins with regular updates. Ensure that your OS, along with all software and applications, is up to date with the latest security patches. Follow industry news, subscribe to security mailing lists, and engage with security communities to remain vigilant. Cybercriminals often exploit known vulnerabilities, so keeping your system current is the first step to a successful defense.
  • User Account Control (UAC): This feature was introduced to Windows operating systems to bolster system protection by adding an extra layer of defense against unauthorized system changes. UAC ensures that actions...

The Implementation of Secure Protocols

Secure protocols, often overlooked in favor of more visible security tools, play a pivotal role in enhancing enterprise security. By implementing and enforcing these protocols, organizations can fortify their defenses, safeguard sensitive data, and ensure the integrity and confidentiality of their operations to create a resilient security ecosystem that can withstand the expanding cybersecurity threats.

This section explains various facets of protocol management, which is a critical component in safeguarding sensitive data and ensuring the integrity and confidentiality of operations. These are defined as follows:

  • Protocol selection: Protocol selection stands as the first line of defense for enterprises. By carefully choosing the correct secure protocols to govern data exchange within your organization, you establish the groundwork for a secure environment. It is important that cybersecurity personnel know the reason why each of these...

Email Security

Email filtering, an integral aspect of email security, employs a range of techniques and protocols to safeguard email communications from threats such as phishing, spam, and unauthorized access. These include encryption (S/MIME and PGP), authentication (DKIM and SPF), and email gateways that control and protect the flow of messages, ensuring their confidentiality, integrity, and authenticity.

Though convenient, email does present several security concerns. Whether from phishing and spear phishing attacks or spam, ensuring the confidentiality, integrity, and authenticity of email communications is of paramount importance. In this section, we will explore how to secure email using a range of encryption and authentication methods:

  • S/MIME: This uses Public Key Infrastructure (PKI) to either encrypt emails or digitally sign emails to prove the integrity of the message. It is very cumbersome, as it requires each user to exchange their public key with others...

File Integrity Monitoring

File Integrity Monitoring (FIM) safeguards systems by establishing a baseline of normal file and system configurations. It continuously monitors these parameters in real time, promptly alerting the security team or IT administrators when unauthorized changes occur. FIM helps mitigate threats early, ensures compliance with regulations, detects insider threats, protects critical assets, and provides valuable forensic assistance after security incidents.

FIM’s role is to ensure that systems remain secure and free of unauthorized alterations. On Windows, you can use the native System File Checker by running the sfc /scannow command from an elevated (administrator) prompt.

The following figure shows an example of this, running System File Checker to ensure files maintain their integrity. Note that some files were corrupted and repaired:

Figure 18.5: Output of the file integrity monitor

Data Loss Prevention (DLP)

DLP prevents unauthorized or inadvertent leakage of PII and sensitive information, whether it’s through email or a USB drive. DLP operates on a foundation of pattern recognition and regular expressions. It scans the data within your network, searching for predefined patterns or expressions that match the criteria of sensitive information, such as credit card numbers, Social Security numbers, or proprietary business data. Once a match is detected, DLP takes action to prevent data loss.

Note

You can review the Microsoft built-in DLP content inspection on the Microsoft website at the following URL: https://learn.microsoft.com/en-us/defender-cloud-apps/content-inspection-built-in.

It’s important to note that DLP primarily focuses on outbound data protection. This means that it monitors data leaving your organization’s network but does not monitor incoming data. When an email or file leaving the organization contains PII or sensitive...

Network Access Control (NAC)

NAC ensures that every remote device is fully patched so that they are not vulnerable to attacks. The key components of NAC are as follows:

  • Agents: Every device subject to NAC has an agent installed so that health assessments can be carried out by the Health Authority (HAuth). There are two types of agents:
    • Permanent agents: These agents are installed on the host device, providing continuous monitoring and assessment
    • Dissolvable agents: Also known as “temporary” or “agentless” agents, these are deployed for single-use health checks, allowing for flexibility in assessment without long-term installations
  • Health authority: Following user authentication, the HAuth diligently inspects the client device’s registry to determine whether it is fully patched. A device that is up to date with all the necessary patches is labeled “compliant” and granted seamless access to the LAN. If a device has missing patches...

Endpoint Detection and Response, and Extended Detection and Response

As cyber threats become more sophisticated, it’s crucial for organizations to employ more advanced security measures to protect their sensitive data and digital assets. Two such technologies at the forefront of this cybersecurity war are Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR).

EDR is a cybersecurity solution designed to protect an organization’s endpoints, which typically include desktops, laptops, servers, mobile devices, and any other devices connected to the corporate network. EDR systems are equipped with advanced monitoring and detection capabilities that focus on endpoints’ activities, seeking out suspicious behavior, and identifying potential threats. Here’s how EDR works:

  1. Data collection: EDR solutions continuously collect data from endpoints, including system logs, file changes, network activity, and application behavior.
  2. ...

User Behavior Analytics

User Behavior Analytics (UBA) observes the digital footprints left by users within an organization’s network. UBA doesn’t merely focus on the superficial; it looks into the depths of user interactions to scrutinize patterns and anomalies that might signal potential threats. Like a skilled detective, UBA seeks to uncover the subtle deviations from the norm, recognizing that threats often disguise themselves as normal daily activities. Any abnormality is reported to the security operation center.

By harnessing the power of machine learning and advanced algorithms, UBA transforms data into insights, empowering organizations to stay one step ahead of malicious actors. Dynatrace is a tool that can provide valuable insights into user behavior indirectly through performance monitoring and session analysis, creating a unique and comprehensive user behavior analysis baseline.

Summary

In this chapter, we looked at how to modify enterprise capabilities to enhance security, including the implementation of firewall rules as well as IDS and IPS to protect our perimeter and internal networks, respectively. The final sections examined secure protocols and email security, before exploring DLP and how it can be used to prevent sensitive data from leaving our network.

The knowledge gained in this chapter will prepare you to answer any questions relating to Exam Objective 4.5 in your CompTIA Security+ certification exam.

The next chapter will be Chapter 19, Given a scenario, implement and maintain identity and access management.

Exam Objectives 4.5

Given a scenario, modify enterprise capabilities to enhance security.

  • Firewall: Protects networks via traffic filtering
    • Rules: Sets guidelines for network interactions
    • Access lists: Determines who gets entry
    • Ports/protocols: Communication gateways and standards
    • Screened subnets: Isolated network sections for safety
  • IDS/IPS: Monitors/prevents suspicious network activities
    • Trends: Emerging patterns in data/behavior
    • Signatures: Recognizable digital patterns
  • Web filter: Blocks unwanted online content
    • Agent-based: Software with specific tasks
    • Centralized proxy: Single point web access control
    • URL scanning: Checks URLs for threats
    • Content categorization: Organizes web content types
    • Block rules: Specific content denial directives
    • Reputation: Trustworthiness ranking
  • Operating system security: System protection measures
    • Group Policy: Admin-set computer/user regulations
    • SELinux: A Linux-based security module
  • Implementation of secure protocols: Adopting safe communication...

Chapter Review Questions

The following questions are designed to check that you have understood the information in the chapter. For a realistic practice exam, please check the practice resources in our exclusive online study tools (refer to Chapter 29, Accessing the online practice resources for instructions to unlock them). The answers and explanations to these questions can be found via this link.

  1. A company has recently delivered a presentation on the use of secure protocols and is testing the attendees on the information being delivered. Match the insecure protocols (on the left) with their secure replacements (on the right). Choose the correct pairing for each. (SELECT all that apply):

Host-based firewall. Mission: Protects individual devices (such as your computer). Use case: Ideal for safeguarding...


Insecure protocol → Secure protocol

A. Telnet → SSH
B. HTTP → ...