Restricting file and directory permissions involves setting access controls at the file system level to limit which users, groups, or processes can read, write, or execute files. By configuring permissions appropriately, organizations can reduce the attack surface for adversaries seeking to access sensitive data, plant malicious code, or tamper with system files.

• Remove unnecessary write permissions on sensitive files and directories.
• Use file ownership and groups to control access for specific roles. Example (Windows): Right-click the shared folder.
• Properties.
• Security tab.
• Adjust permissions for NTFS ACLs.

• Disable anonymous access to shared folders.
• Enforce NTFS permissions for shared folders on Windows. Example: Set permissions to restrict write access to critical files, such as system executables (e.g., /bin or /sbin on Linux). Use tools like chown and chmod to assign file ownership and limit access. On Linux, apply: chmod 750 /etc/sensitive.conf `chown root:admin /etc/sensitive.

• Use tools like Tripwire, Wazuh, or OSSEC to monitor changes to critical file permissions.

• Enable auditing to track permission changes or unauthorized access attempts.
• Use auditd (Linux) or Event Viewer (Windows) to log activities.

• Configure permissions to prevent unauthorized writes to directories like C:\ProgramData\Microsoft\Windows\Start Menu. Example: Restrict write access to critical directories like /etc/, /usr/local/, and Windows directories such as C:\Windows\System32.
• On Windows, use icacls to modify permissions: icacls "C:\Windows\System32" /inheritance:r /grant:r SYSTEM:(OI)(CI)F.
• On Linux, monitor permissions using tools like lsattr or auditd.

Remote Data Storage focuses on moving critical data, such as security logs and sensitive files, to secure, off-host locations to minimize unauthorized access, tampering, or destruction by adversaries. By leveraging remote storage solutions, organizations enhance the protection of forensic evidence, sensitive information, and monitoring data.

• Configure endpoints to forward security logs to a centralized log collector or SIEM.
• Use tools like Splunk Graylog, or Security Onion to aggregate and store logs.
• Example command (Linux): sudo auditd | tee /var/log/audit/audit.log | nc <remote-log-server> 514 Remote File Storage Solutions:.
• Utilize cloud storage solutions like AWS S3, Google Cloud Storage, or Azure Blob Storage for sensitive data.
• Ensure proper encryption at rest and access control policies (IAM roles, ACLs).

• Forward logs from IDS/IPS systems (e.g., Zeek/Suricata) to a remote security information system.

• type: syslog protocol: tls address: <remote-syslog-server>` Immutable Backup Configurations:.
• Enable immutable storage settings for backups to prevent adversaries from modifying or deleting data.
• Example: AWS S3 Object Lock.

• Ensure encryption for sensitive data using AES-256 at rest and TLS 1.2+ for data in transit. Tools: OpenSSL, BitLocker, LUKS for Linux.

Network segmentation involves dividing a network into smaller, isolated segments to control and limit the flow of traffic between devices, systems, and applications. By segmenting networks, organizations can reduce the attack surface, restrict lateral movement by adversaries, and protect critical assets from compromise. Effective network segmentation leverages a combination of physical boundaries, logical separation through VLANs, and access control policies enforced by network appliances like firewalls, routers, and cloud-based configurations.

• Identify and group systems based on their function, sensitivity, and risk. Examples include payment systems, HR databases, production systems, and internet-facing servers.
• Use VLANs, firewalls, or routers to enforce logical separation.

• Host web servers, DNS servers, and email servers in a DMZ to limit their access to internal systems.
• Apply strict firewall rules to filter traffic between the DMZ and internal networks.

• In cloud environments, use VPCs, subnets, and security groups to isolate applications and enforce traffic rules.
• Apply AWS Transit Gateway or Azure VNet peering for controlled connectivity between cloud segments.

• Use software-defined networking (SDN) tools to implement workload-level segmentation and prevent lateral movement.

• Apply Access Control Lists (ACLs) to network devices to enforce "deny by default" policies.
• Use firewalls to restrict both north-south (external-internal) and east-west (internal-internal) traffic.

• Regularly review firewall rules, ACLs, and segmentation policies.
• Monitor network flows for anomalies to ensure segmentation is effective.

• Perform periodic penetration tests to verify that unauthorized access is blocked between network segments.

Protect sensitive information at rest, in transit, and during processing by using strong encryption algorithms. Encryption ensures the confidentiality and integrity of data, preventing unauthorized access or tampering.

• Use Case: Use full-disk encryption or file-level encryption to secure sensitive data stored on devices.
• Implementation: Implement BitLocker for Windows systems or FileVault for macOS devices to encrypt hard drives.

• Use Case: Use secure communication protocols (e.g., TLS, HTTPS) to encrypt sensitive data as it travels over networks.
• Implementation: Enable HTTPS for all web applications and configure mail servers to enforce STARTTLS for email encryption.

• Use Case: Ensure that backup data is encrypted both during storage and transfer to prevent unauthorized access.
• Implementation: Encrypt cloud backups using AES-256 before uploading them to Amazon S3 or Google Cloud.

• Use Case: Store sensitive credentials, API keys, and configuration files in encrypted vaults.
• Implementation: Use HashiCorp Vault or AWS Secrets Manager to manage and encrypt secrets.

• Use Case: Enable Transparent Data Encryption (TDE) or column-level encryption in database management systems.
• Implementation: Use MySQL’s built-in encryption features to encrypt sensitive database fields such as social security numbers.