WEBVTT

1
00:00:00.000 --> 00:00:01.830
In this section of the course,

2
00:00:01.830 --> 00:00:04.410
we're going to discuss endpoint and server security.

3
00:00:04.410 --> 00:00:06.120
The endpoint and server security section

4
00:00:06.120 --> 00:00:10.410
of the course focuses on domain 3, security engineering,

5
00:00:10.410 --> 00:00:12.990
specifically objective 3.2,

6
00:00:12.990 --> 00:00:14.940
which states that given a scenario,

7
00:00:14.940 --> 00:00:17.580
you must be able to analyze requirements

8
00:00:17.580 --> 00:00:20.700
to enhance the security of endpoints and servers.

9
00:00:20.700 --> 00:00:21.990
To maintain a secure

10
00:00:21.990 --> 00:00:24.210
and well-functioning enterprise network,

11
00:00:24.210 --> 00:00:26.820
it's important to ensure systems and applications

12
00:00:26.820 --> 00:00:29.190
are properly configured, monitored,

13
00:00:29.190 --> 00:00:30.870
and protected against threats.

14
00:00:30.870 --> 00:00:34.170
This management includes privileges, mobile devices,

15
00:00:34.170 --> 00:00:37.140
and continuously assessing network vulnerabilities

16
00:00:37.140 --> 00:00:38.790
to create a security posture

17
00:00:38.790 --> 00:00:41.820
that safeguards both endpoints and servers.

18
00:00:41.820 --> 00:00:43.410
As we go through this section,

19
00:00:43.410 --> 00:00:46.170
we will cover many topics related to endpoint

20
00:00:46.170 --> 00:00:47.250
and server security,

21
00:00:47.250 --> 00:00:50.310
including configuration and privilege management,

22
00:00:50.310 --> 00:00:53.340
operating system security, threat protection,

23
00:00:53.340 --> 00:00:56.610
application management, monitoring and response,

24
00:00:56.610 --> 00:00:59.880
mobile management, and attack surface management.

25
00:00:59.880 --> 00:01:03.270
First, we'll look at configuration and privilege management.

26
00:01:03.270 --> 00:01:05.370
Configuration and privilege management

27
00:01:05.370 --> 00:01:09.660
are the process and tools used to manage system settings

28
00:01:09.660 --> 00:01:12.507
and user permissions to ensure consistent

29
00:01:12.507 --> 00:01:14.220
and compliant operation

30
00:01:14.220 --> 00:01:17.220
across all enterprise devices and systems.

31
00:01:17.220 --> 00:01:19.800
Configuration and privilege management concepts

32
00:01:19.800 --> 00:01:21.810
include configuration management

33
00:01:21.810 --> 00:01:24.090
and endpoint privilege management.

34
00:01:24.090 --> 00:01:27.480
Configuration management is the control of system settings,

35
00:01:27.480 --> 00:01:30.750
software versions, and updates to maintain security

36
00:01:30.750 --> 00:01:32.790
and operational consistency.

37
00:01:32.790 --> 00:01:33.760
Tools such

38
00:01:33.760 --> 00:01:37.290
as Microsoft's System Center Configuration Manager

39
00:01:37.290 --> 00:01:41.880
or SCCM for Windows are used to automate the deployment

40
00:01:41.880 --> 00:01:44.070
and enforcement of configurations,

41
00:01:44.070 --> 00:01:47.700
ensuring systems are consistently secured and compliant.

42
00:01:47.700 --> 00:01:49.740
Endpoint Privilege Management focuses

43
00:01:49.740 --> 00:01:52.590
on controlling user access levels and permissions

44
00:01:52.590 --> 00:01:56.610
on individual endpoints to prevent unauthorized actions.

45
00:01:56.610 --> 00:02:01.050
For example, Linux's sudo, or superuser do, command

46
00:02:01.050 --> 00:02:03.990
may be used to control and limit user permissions

47
00:02:03.990 --> 00:02:05.790
on a per-command basis.

48
00:02:05.790 --> 00:02:09.090
This per-command authorization enables users

49
00:02:09.090 --> 00:02:12.210
to execute specific administrative tasks

50
00:02:12.210 --> 00:02:13.590
at the endpoint level

51
00:02:13.590 --> 00:02:16.590
without requiring full administrative rights.

52
00:02:16.590 --> 00:02:20.430
Next, we will explore operating system security.

53
00:02:20.430 --> 00:02:23.460
Operating system security refers to the measures

54
00:02:23.460 --> 00:02:27.090
and mechanisms implemented within an operating system

55
00:02:27.090 --> 00:02:29.670
to protect it from unauthorized access,

56
00:02:29.670 --> 00:02:32.610
malware, and other security threats.

57
00:02:32.610 --> 00:02:36.990
In this section, we will focus on Security-Enhanced Linux,

58
00:02:36.990 --> 00:02:39.360
also known as SELinux.

59
00:02:39.360 --> 00:02:42.780
Security-Enhanced Linux is a security module integrated

60
00:02:42.780 --> 00:02:45.960
into the Linux kernel that provides a framework

61
00:02:45.960 --> 00:02:49.230
for supporting access control security policies.

62
00:02:49.230 --> 00:02:51.900
It uses mandatory access control

63
00:02:51.900 --> 00:02:54.570
to enforce predefined security policies

64
00:02:54.570 --> 00:02:57.780
that restrict how processes interact with each other

65
00:02:57.780 --> 00:02:59.280
and with files.

66
00:02:59.280 --> 00:03:00.840
In a server environment,

67
00:03:00.840 --> 00:03:03.450
Security-Enhanced Linux might be configured

68
00:03:03.450 --> 00:03:05.460
to restrict a web server's access

69
00:03:05.460 --> 00:03:07.410
to sensitive files and directories

70
00:03:07.410 --> 00:03:10.500
such as configuration files or databases.

71
00:03:10.500 --> 00:03:12.210
This configuration could ensure

72
00:03:12.210 --> 00:03:14.970
that if an attacker compromises the web server,

73
00:03:14.970 --> 00:03:19.020
they cannot access or modify critical system files.

74
00:03:19.020 --> 00:03:22.080
After that, we will look at threat protection.

75
00:03:22.080 --> 00:03:25.230
Threat protection is the implementation of security measures

76
00:03:25.230 --> 00:03:29.730
to detect, prevent, and respond to threats and attacks.

77
00:03:29.730 --> 00:03:33.000
Threat protection concepts include anti-malware,

78
00:03:33.000 --> 00:03:34.710
host-based firewalls,

79
00:03:34.710 --> 00:03:37.140
host-based intrusion prevention systems,

80
00:03:37.140 --> 00:03:40.380
and host-based intrusion detection systems.

81
00:03:40.380 --> 00:03:42.930
Let's take a minute to discuss these concepts

82
00:03:42.930 --> 00:03:44.310
in further detail.

83
00:03:44.310 --> 00:03:47.490
Anti-malware is designed to detect, prevent,

84
00:03:47.490 --> 00:03:49.500
and remove malicious software,

85
00:03:49.500 --> 00:03:52.710
including viruses, worms, and ransomware.

86
00:03:52.710 --> 00:03:54.950
A host-based firewall is installed

87
00:03:54.950 --> 00:03:58.140
on an individual endpoint to control incoming

88
00:03:58.140 --> 00:04:00.600
and outgoing network traffic based

89
00:04:00.600 --> 00:04:03.480
on preset Access Control Lists.

90
00:04:03.480 --> 00:04:06.690
Host-based intrusion prevention and detection systems

91
00:04:06.690 --> 00:04:09.360
monitor and analyze system activities

92
00:04:09.360 --> 00:04:13.380
for signs of malicious behavior or policy violations.

93
00:04:13.380 --> 00:04:17.880
In application, an anti-malware tool may be used to identify

94
00:04:17.880 --> 00:04:21.450
and quarantine ransomware trying to infect a server

95
00:04:21.450 --> 00:04:23.520
while the host-based firewall

96
00:04:23.520 --> 00:04:25.470
blocks malicious network traffic

97
00:04:25.470 --> 00:04:27.840
attempting to reach the same server.

98
00:04:27.840 --> 00:04:31.800
Simultaneously, host-based intrusion prevention systems

99
00:04:31.800 --> 00:04:35.250
and host-based intrusion detection system devices

100
00:04:35.250 --> 00:04:37.770
may detect abnormal behavior patterns

101
00:04:37.770 --> 00:04:40.950
on the server indicative of a breach attempt.

102
00:04:40.950 --> 00:04:42.720
If a breach is attempted,

103
00:04:42.720 --> 00:04:45.270
host-based intrusion prevention systems

104
00:04:45.270 --> 00:04:48.180
and host-based intrusion detection systems

105
00:04:48.180 --> 00:04:51.030
will trigger alerts and take preventative measures

106
00:04:51.030 --> 00:04:52.560
to address the attack.

107
00:04:52.560 --> 00:04:55.770
Next, we will explore application management.

108
00:04:55.770 --> 00:04:57.810
Application management is overseeing

109
00:04:57.810 --> 00:04:59.400
and controlling applications

110
00:04:59.400 --> 00:05:02.130
to ensure they do not introduce vulnerabilities

111
00:05:02.130 --> 00:05:05.580
into the network or compromise system integrity.

112
00:05:05.580 --> 00:05:09.480
Application management concepts include application control

113
00:05:09.480 --> 00:05:11.130
and browser isolation.

114
00:05:11.130 --> 00:05:14.430
Application control utilizes policies and tools

115
00:05:14.430 --> 00:05:18.240
to restrict what applications can run on a given system.

116
00:05:18.240 --> 00:05:21.930
In this manner, application control prevents unauthorized

117
00:05:21.930 --> 00:05:24.270
or malicious software from executing.

118
00:05:24.270 --> 00:05:27.660
Browser isolation, on the other hand, uses technology

119
00:05:27.660 --> 00:05:30.150
to separate web browsing activities

120
00:05:30.150 --> 00:05:32.490
from the rest of the operating system.

121
00:05:32.490 --> 00:05:35.700
This protects the endpoint from online threats

122
00:05:35.700 --> 00:05:37.950
and prevents malware that has been installed

123
00:05:37.950 --> 00:05:39.330
during browsing activity

124
00:05:39.330 --> 00:05:42.090
from impacting other parts of the system.

125
00:05:42.090 --> 00:05:46.320
For example, an organization might use application control

126
00:05:46.320 --> 00:05:49.350
to restrict the installation of unapproved software

127
00:05:49.350 --> 00:05:51.390
while employing browser isolation

128
00:05:51.390 --> 00:05:53.940
to ensure users safely browse the internet

129
00:05:53.940 --> 00:05:58.110
without exposing the internal network to web-based threats.

130
00:05:58.110 --> 00:06:01.650
Following that, we will look at monitoring and response.

131
00:06:01.650 --> 00:06:03.030
Monitoring and response

132
00:06:03.030 --> 00:06:05.820
is continuously observing system activities

133
00:06:05.820 --> 00:06:09.210
to detect, analyze, and respond to threats.

134
00:06:09.210 --> 00:06:11.220
Monitoring and response concepts

135
00:06:11.220 --> 00:06:13.920
include event logging and monitoring,

136
00:06:13.920 --> 00:06:18.060
as well as endpoint detection and response, or EDR.

137
00:06:18.060 --> 00:06:21.570
Event logging and monitoring is the process of recording

138
00:06:21.570 --> 00:06:24.420
and tracking system and application activities

139
00:06:24.420 --> 00:06:26.640
to identify abnormal behavior.

140
00:06:26.640 --> 00:06:29.730
The identification of abnormal behavior assists

141
00:06:29.730 --> 00:06:32.400
in the early detection of malicious activity

142
00:06:32.400 --> 00:06:35.310
and the follow-on forensic analysis.

143
00:06:35.310 --> 00:06:39.300
Endpoint detection and response offers individual endpoints

144
00:06:39.300 --> 00:06:41.070
real-time visibility,

145
00:06:41.070 --> 00:06:44.640
automated threat detection and remediation to isolate

146
00:06:44.640 --> 00:06:48.450
and quarantine malicious activity as quickly as possible.

147
00:06:48.450 --> 00:06:51.600
Then, we will explore mobile management.

148
00:06:51.600 --> 00:06:55.830
Mobile management includes Mobile Device Management or MDM.

149
00:06:55.830 --> 00:06:58.020
Mobile Device Management is a component

150
00:06:58.020 --> 00:07:01.710
of the Enterprise Mobility Management or EMM.

151
00:07:01.710 --> 00:07:03.270
Enterprise Mobility Management

152
00:07:03.270 --> 00:07:06.120
is a suite of technologies used to manage

153
00:07:06.120 --> 00:07:09.510
and secure mobile devices within an organization.

154
00:07:09.510 --> 00:07:11.820
Mobile Device Management technologies

155
00:07:11.820 --> 00:07:15.720
are used to enforce security policies on mobile devices,

156
00:07:15.720 --> 00:07:19.980
including configuration management, application control,

157
00:07:19.980 --> 00:07:23.730
and data encryption to prevent unauthorized access

158
00:07:23.730 --> 00:07:27.150
and ensure the integrity of mobile environments.

159
00:07:27.150 --> 00:07:30.510
For example, a Mobile Device Management solution

160
00:07:30.510 --> 00:07:34.530
can utilize geofencing to manage device functionalities

161
00:07:34.530 --> 00:07:36.810
based on physical locations.

162
00:07:36.810 --> 00:07:40.680
A geofence is a virtual boundary around a physical area

163
00:07:40.680 --> 00:07:42.900
such as the company's premises,

164
00:07:42.900 --> 00:07:47.160
defined using GPS or RFID technology.

165
00:07:47.160 --> 00:07:48.930
When employees' devices enter

166
00:07:48.930 --> 00:07:51.870
or exit this defined geofence zone,

167
00:07:51.870 --> 00:07:53.700
the Mobile Device Management system

168
00:07:53.700 --> 00:07:56.100
can automatically enforce policies,

169
00:07:56.100 --> 00:08:00.240
such as disabling video and microphone features.

170
00:08:00.240 --> 00:08:03.180
Finally, we will look at Attack Surface Management.

171
00:08:03.180 --> 00:08:06.690
Attack Surface Management is identifying, monitoring

172
00:08:06.690 --> 00:08:10.230
and reducing avenues of attack within the enterprise.

173
00:08:10.230 --> 00:08:12.060
Attack Surface Management concepts

174
00:08:12.060 --> 00:08:15.360
include attack surface monitoring and reduction.

175
00:08:15.360 --> 00:08:18.270
Attack Surface Monitoring is continuously observing

176
00:08:18.270 --> 00:08:21.270
and analyzing all the potential network entry points,

177
00:08:21.270 --> 00:08:24.270
services, and interfaces of a system

178
00:08:24.270 --> 00:08:28.110
to detect vulnerabilities and unauthorized changes.

179
00:08:28.110 --> 00:08:29.790
Attack Surface Reduction

180
00:08:29.790 --> 00:08:32.400
minimizes these potential entry points

181
00:08:32.400 --> 00:08:36.870
by removing unnecessary services, closing unused ports,

182
00:08:36.870 --> 00:08:40.260
and implementing security measures to limit exposure.

183
00:08:40.260 --> 00:08:43.650
For example, an organization might use Nmap,

184
00:08:43.650 --> 00:08:45.120
or the network mapper,

185
00:08:45.120 --> 00:08:48.870
to scan for open ports and services on its servers

186
00:08:48.870 --> 00:08:53.520
and then employ firewall rules to close unused ports

187
00:08:53.520 --> 00:08:55.860
and the Center for Internet Security

188
00:08:55.860 --> 00:09:00.210
or CIS benchmarks to disable unnecessary services,

189
00:09:00.210 --> 00:09:02.520
reducing their attack surface.

190
00:09:02.520 --> 00:09:05.100
To finish things off, we'll take a short quiz

191
00:09:05.100 --> 00:09:08.010
to see what you learned during this section of the course,

192
00:09:08.010 --> 00:09:11.550
and we will review each of those quiz questions fully

193
00:09:11.550 --> 00:09:15.000
to ensure you can explain why the right answers were right

194
00:09:15.000 --> 00:09:16.920
and the wrong answers were wrong.

195
00:09:16.920 --> 00:09:19.980
So let's get ready to dive into endpoint

196
00:09:19.980 --> 00:09:23.343
and server security in this section of the course.

