Module 5: Defense in Depth Flashcards
(20 cards)
Defense in Depth
General Overview: Multiple, overlapping security controls (firewalls, IDS/IPS, host hardening) so that if one fails, others still protect you.
Simplified Breakdown: Like a castle with a moat, walls, guards, and towers—if one fails, the rest still stand.
Examples:
Perimeter firewall + host-based firewall on every server
Network segmentation + strict access controls
Key Points:
Redundancy of controls
Layers at network, host, application
Mitigates single point of failure
Attack Vector
General Overview: The specific method or path an attacker uses to infiltrate a system (e.g., phishing, malware, open ports).
Simplified Breakdown: The “door” or “window” a burglar uses to break in—email link, USB drop, unpatched service.
Examples:
Phishing email with malicious link
Exploiting unpatched server vulnerability
Key Points:
Entry point for an attack
Can be technical (software) or human (social engineering)
Attack Surface
General Overview: The sum total of all possible attack vectors in a system or network.
Simplified Breakdown: All the “doors, windows, and vents” a burglar could use—APIs, open ports, user accounts, and services.
Examples:
A web app with many APIs has a larger attack surface than a static site
Unused services (FTP, Telnet) left running expand it unnecessarily
Key Points:
Measure of exposure
You minimize it by disabling unused features
Host-Based Firewall
General Overview: Software firewall on an individual host that filters inbound/outbound traffic to that machine.
Simplified Breakdown: A security guard at the front door of a single computer.
Examples:
Windows Defender Firewall on a laptop
ufw or iptables on a Linux server
Key Points:
Protects one device
Works alongside network firewalls
Customizable rules per application/port
Bastion Host
General Overview: A hardened, minimal server exposed to untrusted networks, serving as a controlled gateway.
Simplified Breakdown: A small, tough “fortress” server that attackers see first and must go through.
Examples:
SSH jump box in a DMZ
Remote management server with only necessary services running
Key Points:
Runs only essential services
Located in DMZ or between firewalls
Centralized logging and strict access controls
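An added example of the points above (essential services only, strict access control, verbose logging), written for this page and not taken from it: an sshd_config for a jump host. The group name jumpusers, the account names and the internal host names are assumptions.

```sshd_config
# Illustrative /etc/ssh/sshd_config for an SSH jump host (example; group and host names assumed)

PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AllowGroups jumpusers
MaxAuthTries 3
LoginGraceTime 20
LogLevel VERBOSE              # records the key fingerprint used for every login
X11Forwarding no
AllowAgentForwarding no
PermitTunnel no

# Members of jumpusers may only relay connections onward; they get no shell on the bastion.
Match Group jumpusers
    AllowTcpForwarding yes    # required for ProxyJump / ssh -W
    PermitOpen web01.internal:22 db01.internal:22   # only these inner hosts, nothing else
    PermitTTY no
    ForceCommand /usr/sbin/nologin
```

A client then reaches an inner host with ssh -J alice@bastion.example.net web01.internal; the bastion never sees a shell session, its firewall still restricts inbound traffic to port 22, and PermitOpen keeps a compromised bastion account from being used to pivot anywhere in the network.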
Antimalware Protection
General Overview: Tools and practices to detect, block, and remove malicious software.
Simplified Breakdown: A digital security guard watching for bad programs.
Examples:
Windows Defender, Malwarebytes
Real-time scans plus scheduled full-disk scans
Key Points:
Covers viruses, trojans, ransomware, spyware
Real-time and on-demand scanning
Automatic signature/database updates
Software Patch Management
General Overview: The lifecycle of identifying, testing, deploying, and verifying software updates.
Simplified Breakdown: Regular “fixes” that keep programs safe, fast, and compatible.
Examples:
Windows Update deployment via WSUS
Automated patching of Linux servers with unattended-upgrades (Debian/Ubuntu) or dnf-automatic / yum-cron (RHEL family)
Key Points:
Closes known vulnerabilities
Improves stability and performance
Requires testing to prevent disruptions
Disabling Unnecessary Components
General Overview: Turning off or removing services, ports, and features you don’t need.
Simplified Breakdown: Locking unused doors/windows so burglars have fewer entry points.
Examples:
Disabling RDP if remote access isn’t used
Removing unused printer services on servers
Key Points:
Reduces attack surface
Improves performance
Simplifies configuration
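An added example for the Attack Surface and Disabling Unnecessary Components cards, written for this page rather than taken from it: a small Python audit that parses the output of ss -tlnp, compares every listening TCP socket with an allowlist, and flags anything reachable from the network that the host is not supposed to expose. The ss output below is constructed, and the allowlist (sshd on 22, nginx on 443) is an assumed policy for the host; on a real server feed it the live output of ss -tlnp.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of `ss -tlnp` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=1044,fd=5))
LISTEN  0       5       0.0.0.0:21           0.0.0.0:*          users:(("vsftpd",pid=1301,fd=3))
LISTEN  0       128     [::]:23              [::]:*             users:(("in.telnetd",pid=1322,fd=3))
LISTEN  0       511     *:443                *:*                users:(("nginx",pid=1400,fd=6))
"""

# Hypothetical allowlist for this host: TCP port -> process expected to own it.
ALLOWED_LISTENERS = {22: "sshd", 443: "nginx"}

# Local addresses that mean "every interface", i.e. reachable from the network.
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str

    @property
    def network_exposed(self) -> bool:
        return self.addr in WILDCARD_ADDRS


def parse_ss(output: str) -> list[Listener]:
    """Parse the LISTEN rows of `ss -tlnp` into Listener records."""
    listeners = []
    for line in output.splitlines()[1:]:            # skip the header row
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, port = parts[3].rsplit(":", 1)        # handles [::]:23 and *:443 as well as 0.0.0.0:22
        proc = re.search(r'\("([^"]+)"', parts[5]) if len(parts) > 5 else None
        listeners.append(Listener(addr, int(port), proc.group(1) if proc else "?"))
    return listeners


def audit(listeners: list[Listener], allowed: dict[int, str]) -> list[tuple[str, Listener, str]]:
    """Return (severity, listener, reason) for every listener outside the allowlist."""
    findings = []
    for l in listeners:
        expected = allowed.get(l.port)
        if expected == l.process:
            continue                                 # approved port with the approved owner
        if not l.network_exposed:
            findings.append(("info", l, "loopback only: not reachable from the network, but confirm it is needed"))
        elif expected is None:
            findings.append(("high", l, "unexpected network-exposed listener: disable the service or firewall the port"))
        else:
            findings.append(("high", l, f"port {l.port} owned by {l.process}, expected {expected}"))
    return findings


def run_audit(output: str = SAMPLE_SS_OUTPUT, allowed: dict[int, str] = ALLOWED_LISTENERS):
    return audit(parse_ss(output), allowed)


if __name__ == "__main__":
    for severity, l, reason in run_audit():
        print(f"[{severity:4}] {l.addr}:{l.port} ({l.process}) - {reason}")
```

On the sample the FTP and Telnet daemons come out as high findings (exposed on all interfaces and not in the allowlist) while PostgreSQL on 127.0.0.1 is only informational: it adds to the local attack surface but not to what a remote attacker can reach. Running this on a schedule and diffing the results is a cheap way to notice when a new package quietly starts listening.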
Application Policies
General Overview: Rules governing which software can be installed or run and how it’s used.
Simplified Breakdown: “House rules” for applications—what’s allowed and what isn’t.
Examples:
Whitelisting only approved business apps via Intune
Blocking peer-to-peer file-sharing clients
Key Points:
Enforces compliance and security
Prevents unauthorized/unsafe software
Implemented via MDM or endpoint protection
Zero-Day Vulnerabilities
General Overview: Flaws unknown to vendors and unpatched—attackers exploit them before fixes exist.
Simplified Breakdown: Bugs you had zero days to defend against because nobody knew they existed.
Examples:
Stuxnet used multiple zero-days in Windows
PrintNightmare (2021): a Windows Print Spooler remote code execution flaw whose public proof-of-concept exploit circulated before a complete patch was available
Key Points:
High severity by definition: no vendor patch exists yet
Mitigation falls on the other layers (segmentation, least privilege, EDR, monitoring) until a patch ships; this is where defense in depth earns its keep
Typically trigger coordinated disclosure and an out-of-band patch release
Logging and Auditing
General Overview: Recording and reviewing system events to detect issues or compliance violations.
Simplified Breakdown: A security camera (logging) plus reviewing the tapes (auditing).
Examples:
Windows Event Logs for login attempts
Linux /var/log/auth.log for sudo usage
Key Points:
Enables troubleshooting and forensics
Supports regulatory compliance
Needs secure storage to prevent tampering
Centralized Logging
General Overview: Aggregating logs from all systems into one repository for management and analysis.
Simplified Breakdown: All security cameras feed into one central control room.
Examples:
Sending syslog to a Splunk or ELK cluster
Storing Windows logs in Azure Monitor
Key Points:
Easier correlation and search
Keeps a copy of every log off the originating host, so an attacker who gains root there cannot quietly erase their tracks
Improves incident detection and response
SIEM
General Overview: Security Information and Event Management platforms ingest, correlate, and alert on logs/events.
Simplified Breakdown: A “smart control room” that watches your entire digital estate.
Examples:
Splunk Enterprise Security
IBM QRadar, Microsoft Sentinel
Key Points:
Real-time monitoring and alerting
Event correlation across sources
Supports threat hunting and compliance reporting
Normalization
General Overview: Converting varied log formats into a consistent structure for analysis.
Simplified Breakdown: Convert all temperatures to Celsius before you can compare them.
Examples:
Firewall logs and Windows logs normalized to fields like Source_IP and Event_Time
Allows SIEM queries to span multiple device types
Key Points:
Essential for correlation across device types
Standardizes field names and data types
Improves search and reporting accuracy
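An added example that ties the Logging and Auditing, Centralized Logging, SIEM and Normalization cards together; it is written for this page and is not code from any SIEM product. It normalizes three log formats (a ufw firewall block from syslog, sshd lines from /var/log/auth.log, and a Windows logon-failure event 4625 exported as JSON) into one record shape, then correlates by source IP the way a SIEM rule would. All sample lines are constructed; the JSON field names are an assumed export format, and SYSLOG_YEAR is assumed because syslog timestamps carry no year.

```python
from __future__ import annotations

import json
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample events (not captured from real systems): one ufw block,
# three sshd lines from /var/log/auth.log and one Windows 4625 event as JSON.
SYSLOG_YEAR = 2024   # assumption: syslog lines have no year field
RAW_EVENTS = [
    "Jun 14 10:02:05 fw01 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=51001 DPT=3389",
    "Jun 14 10:02:11 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2",
    "Jun 14 10:02:14 web01 sshd[2231]: Failed password for root from 203.0.113.45 port 51030 ssh2",
    "Jun 14 10:03:01 web01 sshd[2290]: Accepted publickey for deploy from 10.0.0.12 port 40122 ssh2",
    '{"EventID": 4625, "TimeCreated": "2024-06-14T10:02:20Z", "Computer": "dc01", "IpAddress": "203.0.113.45", "TargetUserName": "Administrator"}',
]


@dataclass
class Event:
    """Normalized record: the same field names no matter which log produced it."""
    event_time: datetime
    host: str
    source_ip: str
    event_type: str          # "auth_failure", "auth_success" or "fw_block"
    user: Optional[str]
    origin: str              # "linux_auth", "ufw" or "windows"


SYSLOG_RE = re.compile(r"^(\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")
SSH_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
SSH_OK_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+) port")
UFW_SRC_RE = re.compile(r"SRC=(\S+)")


def _syslog_time(mon: str, day: str, hms: str) -> datetime:
    return datetime.strptime(f"{SYSLOG_YEAR} {mon} {day} {hms}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)


def normalize(raw: str) -> Optional[Event]:
    """Map one raw line to an Event, or None for formats/events this example does not model."""
    raw = raw.strip()
    if raw.startswith("{"):                                   # Windows event exported as JSON
        rec = json.loads(raw)
        if rec.get("EventID") != 4625:
            return None
        ts = datetime.fromisoformat(rec["TimeCreated"].replace("Z", "+00:00"))
        return Event(ts, rec["Computer"], rec["IpAddress"], "auth_failure", rec.get("TargetUserName"), "windows")
    m = SYSLOG_RE.match(raw)
    if not m:
        return None
    mon, day, hms, host, prog, msg = m.groups()
    ts = _syslog_time(mon, day, hms)
    if prog == "sshd":
        if (f := SSH_FAIL_RE.search(msg)):
            return Event(ts, host, f.group(2), "auth_failure", f.group(1), "linux_auth")
        if (s := SSH_OK_RE.search(msg)):
            return Event(ts, host, s.group(2), "auth_success", s.group(1), "linux_auth")
    elif "[UFW BLOCK]" in msg and (u := UFW_SRC_RE.search(msg)):
        return Event(ts, host, u.group(1), "fw_block", None, "ufw")
    return None


def correlate(events: list[Event], min_failures: int = 3) -> list[dict]:
    """Group by source IP; alert when one IP piles up failures or appears in several log sources."""
    by_ip: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        by_ip[e.source_ip].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        failures = sum(1 for e in evs if e.event_type == "auth_failure")
        origins = sorted({e.origin for e in evs})
        if failures >= min_failures or len(origins) >= 2:
            alerts.append({
                "source_ip": ip,
                "failures": failures,
                "hosts": sorted({e.host for e in evs}),
                "origins": origins,
                "first_seen": min(e.event_time for e in evs).isoformat(),
                "last_seen": max(e.event_time for e in evs).isoformat(),
            })
    return alerts


def detect(raw_lines=RAW_EVENTS) -> list[dict]:
    events = [e for e in map(normalize, raw_lines) if e is not None]
    return correlate(events)


if __name__ == "__main__":
    for alert in detect():
        print(alert)
```

Read separately, each source is noise: one blocked RDP probe, two failed SSH logins, one failed domain logon. Normalized to a common source_ip and event_time and stored in one place, they become a single actor sweeping three hosts within fifteen seconds, which is exactly the kind of cross-source pattern a SIEM correlation rule exists to surface.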
Full Disk Encryption (FDE)
General Overview: Encrypts an entire drive so data is unreadable without the decryption key.
Simplified Breakdown: A vault that locks everything inside until you unlock it with your key.
Examples:
BitLocker on Windows
FileVault on macOS
Key Points:
Protects data at rest on a lost or stolen device; offers nothing once the machine is booted and unlocked
Strongest with pre-boot authentication (e.g. TPM + PIN); TPM-only unlock decrypts automatically at boot and leaves protection to the OS login screen
Minimal performance impact on modern hardware
File-Based Encryption
General Overview: Encrypts individual files or directories instead of the whole disk.
Simplified Breakdown: Locking each important file in its own safe.
Examples:
Windows EFS (Encrypting File System)
7-Zip encrypted archives or VeraCrypt containers
Key Points:
Granular control over what’s encrypted
Useful when full-disk encryption isn’t possible
Requires careful key management: EFS keys live in the user's profile, so a lost profile or an administrative password reset on a local account loses the files unless a recovery agent was configured
Home Directory Encryption
General Overview: Encrypts a user’s entire home folder on a multi-user system.
Simplified Breakdown: Locking only your room in the house.
Examples:
Linux eCryptfs or LUKS-based home encryption
Protects personal files if the disk is stolen or imaged while the user is logged out; once mounted, the data is readable by any process running as that user or as root
Key Points:
Tied to user credentials
Mounted automatically at login (via PAM), so the encryption is only as strong as the login password
Prevents other users from reading your data
Key Escrow
General Overview: Storing encryption keys with a trusted third party for recovery.
Simplified Breakdown: Giving a spare house key to a safekeeping service.
Examples:
Corporate key escrow for BitLocker recovery keys
Government proposals like the historical Clipper Chip
Key Points:
Enables data recovery if keys are lost
Raises privacy and trust concerns
Must secure the escrow repository
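An added example for the Full Disk Encryption, File-Based Encryption and Key Escrow cards, written for this page and not taken from BitLocker, LUKS or any other product: the structure those systems share is a random data-encryption key (DEK) stored in several independently wrapped "slots", one under the user's passphrase and one under an escrow key the organization holds, so a forgotten passphrase does not mean lost data. The wrapping cipher here is an illustrative encrypt-then-MAC built from HMAC-SHA256 so the block runs on the standard library alone; real implementations use AES Key Wrap or AES-GCM. Passphrases and key values are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

# OWASP currently recommends 600,000 rounds for PBKDF2-HMAC-SHA256; lowered here to keep the demo quick.
PBKDF2_ROUNDS = 200_000


def _subkeys(kek: bytes) -> tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from one wrapping key."""
    enc = hmac.new(kek, b"enc", hashlib.sha256).digest()
    mac = hmac.new(kek, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode (illustrative stand-in for a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def wrap(kek: bytes, secret: bytes) -> bytes:
    """Encrypt-then-MAC `secret` under `kek`; returns nonce || ciphertext || tag."""
    enc, mac = _subkeys(kek)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(enc, nonce, len(secret))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes) -> bytes:
    enc, mac = _subkeys(kek)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or corrupted slot")   # fail closed: never release partial plaintext
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))


def derive_kek(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS, dklen=32)


@dataclass
class VolumeHeader:
    salt: bytes
    user_slot: bytes     # DEK wrapped under the user's passphrase-derived KEK
    escrow_slot: bytes   # the same DEK wrapped under the organization's escrow key


def create_volume(passphrase: str, escrow_key: bytes) -> tuple[VolumeHeader, bytes]:
    """Generate a random DEK and store it in two independent slots; the DEK itself is never written."""
    dek = os.urandom(32)
    salt = os.urandom(16)
    header = VolumeHeader(salt, wrap(derive_kek(passphrase, salt), dek), wrap(escrow_key, dek))
    return header, dek


def open_with_passphrase(header: VolumeHeader, passphrase: str) -> bytes:
    return unwrap(derive_kek(passphrase, header.salt), header.user_slot)


def recover_with_escrow(header: VolumeHeader, escrow_key: bytes) -> bytes:
    return unwrap(escrow_key, header.escrow_slot)


def demo() -> tuple[bool, bool, bool]:
    """Returns (user unlock works, wrong passphrase rejected, escrow recovery works)."""
    escrow_key = os.urandom(32)    # in practice generated and held in an HSM or key vault, with audited access
    header, dek = create_volume("correct horse battery staple", escrow_key)
    user_ok = open_with_passphrase(header, "correct horse battery staple") == dek
    try:
        open_with_passphrase(header, "wrong passphrase")
        wrong_rejected = False
    except ValueError:
        wrong_rejected = True
    # The user has forgotten the passphrase: the escrow slot yields the same DEK,
    # so everything encrypted under it (e.g. wrap(dek, file_bytes)) is recoverable.
    escrow_ok = recover_with_escrow(header, escrow_key) == dek
    return user_ok, wrong_rejected, escrow_ok


if __name__ == "__main__":
    print(demo())
```

Two properties of this layout are worth noticing. Changing the user's passphrase only rewraps the user slot; the DEK and the bulk data stay as they are, which is why a BitLocker or LUKS passphrase change is instant. And the escrow slot is a second key that opens everything, so the "must secure the escrow repository" point above is not optional: whoever holds the escrow key can read every volume, and recovery-key retrieval should be logged and restricted accordingly.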
Secure Boot & Platform Key
General Overview: UEFI feature that checks the signature on each bootloader (and, through it, the kernel) against the firmware's signature databases before running it; the Platform Key (PK) sits at the root of that key hierarchy and belongs to the platform owner.
Simplified Breakdown: A gate only opens for VIP badges (signed software).
Examples:
Windows devices boot only loaders signed under Microsoft's UEFI CA
Linux distributions boot via a small "shim" loader signed by Microsoft's third-party UEFI CA; shim then verifies the distribution's own key or Machine Owner Keys (MOK) enrolled by the administrator
Key Points:
Prevents boot-level malware (bootkits)
PK authorizes changes to the Key Exchange Keys (KEK); KEK authorizes changes to the allowed (db) and forbidden (dbx) signature databases; db and dbx, not PK itself, decide which binaries may boot
Managed via UEFI firmware settings; verify the state with mokutil --sb-state on Linux or Confirm-SecureBootUEFI in PowerShell
Browser Hardening
General Overview: Configuring browsers and practices to reduce web-based risks (malvertising, phishing).
Simplified Breakdown: Reinforcing your front door, windows, and locks to keep out drive-by burglars.
Examples:
Use HTTPS-only mode, disable unneeded plugins
Install a reputable ad/script blocker, and vet every extension: extensions run with broad access to page content and are themselves a supply-chain risk
Private/incognito mode only limits local traces (history, cookies); it does not block malware or hide you from the sites you visit
Key Points:
Check for a valid TLS certificate (padlock + https://), but remember the padlock only proves an encrypted connection to the named domain, not that the site is honest; phishing sites use HTTPS too
Download only from the vendor's own domain and verify the published checksum or signature when one is offered
Use a password manager (it will not autofill on a look-alike domain, which is a phishing tell) and keep the pop-up blocker on