3.2 - Host and Application Security Flashcards

1
Q

What is anti-virus?

A

Software that detects and blocks trojans, worms, and macro viruses, traditionally by matching files against a database of known signatures. In practice the term is now used interchangeably with anti-malware.

2
Q

What is anti-malware?

A

Stops spyware, ransomware, and fileless malware, i.e. all categories of malware, not only the classic virus types.

Modern products combine signatures with heuristics and behavior monitoring, so the anti-virus vs. anti-malware distinction is largely historical.

3
Q

What is Endpoint detection and response (EDR)?

A

Uses behavioral analysis, machine learning, and process monitoring to identify malicious actions on an endpoint, rather than relying only on signatures.

It records endpoint telemetry (process creation, file and registry changes, network connections) so the threat can be investigated, then responds based on that analysis: for example by isolating the host from the network, killing the process, or rolling back its changes.

4
Q

What is Data Loss Prevention (DLP)?

A

A set of tools that identifies sensitive data (credit card numbers, Social Security numbers, source code, etc.) and stops it from leaving the organization, whether by email, upload, USB, or cloud sync, before an attacker or a careless user can exfiltrate it.

It can run on the endpoint (watching files, clipboard, and removable media), on the network, or in cloud-based systems (inspecting email and SaaS storage).
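The classification step at the heart of a DLP policy, as an added example (not code from the original page or from any DLP product): a regex pass for Social Security numbers and a regex plus Luhn check for payment card numbers, run over a constructed outbound message. The sample text, pattern names, and the BLOCK/ALLOW decision are assumptions for illustration; the Luhn check is what keeps an internal ticket number that merely looks like a card number from being flagged.

```python
import re

# Constructed sample of outbound content (e.g. an email body) for this example; not real data.
SAMPLE_OUTBOUND = """\
Hi, please charge card 4111 1111 1111 1111 for the order.
Ticket ref 1234-5678-9012-3456 is only an internal ticket number.
My SSN is 266-12-1112, send the W-2 there.
"""

# US SSN: area 001-899 excluding 666, group 01-99, serial 0001-9999.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card number: 13-19 digits with optional single space/dash separators.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum. Filters out digit runs that only look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str):
    """Return (category, matched text) pairs that a DLP policy would flag."""
    hits = []
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", m.group()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(("pan", m.group()))
    return hits


def dlp_decision(text: str) -> str:
    """Policy action for outbound content: BLOCK if anything sensitive is present."""
    return "BLOCK" if find_sensitive(text) else "ALLOW"
```

Real products add context (who is sending, to where, which data classification label the file carries) and actions other than block, such as encrypt or quarantine, but the pattern-plus-validator approach above is what the detection layer is doing.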

5
Q

What is a Next-generation firewall (NGFW)?

A

A firewall that inspects traffic up to the OSI Application layer (Layer 7), so rules can be written per application rather than only per port or IP address.

AKA
Application layer gateway
Stateful multilayer inspection
Deep packet inspection

Can:
Allow or disallow individual application features (e.g. permit a chat application but block its file transfer)
Identify attacks and malware inside the traffic (IPS signatures)
Examine encrypted traffic, but only when configured to decrypt it (TLS inspection, which requires the clients to trust the firewall's certificate)
Prevent access to URLs or URL categories

6
Q

What is a host-based firewall?

A

A software-based firewall that runs on each endpoint (e.g. Windows Defender Firewall, iptables/nftables on Linux).

It can allow or disallow incoming or outgoing traffic per application, because it sees which local process owns each connection; a network firewall only sees addresses and ports.

Can identify and block unknown processes from communicating.
Can be managed centrally (for example through Group Policy or an endpoint management agent).

7
Q

What is a Host-based Intrusion Detection System (HIDS)?

A

Software that monitors a single host's log files (and often file integrity and system calls) to identify intrusions. A HIDS is primarily a detection and alerting tool; some implementations can also reconfigure the host firewall to block the attacking source, which moves them toward HIPS.
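The log-driven detection a HIDS performs, as an added example that is not code from the original page or from any HIDS product: a parser for sshd "Failed password" lines, a sliding-window count per source IP, and the firewall rule a blocking-capable HIDS/HIPS would apply. The log lines are constructed for the example (they use documentation IP ranges), the year is assumed because syslog lines carry none, the threshold and window are assumed policy values, and the nftables set name is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log-style sshd lines for this example; not a real capture.
SAMPLE_LOG = """\
Mar  3 10:15:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Mar  3 10:15:03 web01 sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 51014 ssh2
Mar  3 10:15:04 web01 sshd[2215]: Failed password for root from 203.0.113.7 port 51016 ssh2
Mar  3 10:15:06 web01 sshd[2217]: Failed password for root from 203.0.113.7 port 51018 ssh2
Mar  3 10:15:07 web01 sshd[2219]: Failed password for root from 203.0.113.7 port 51020 ssh2
Mar  3 10:15:09 web01 sshd[2221]: Accepted publickey for deploy from 198.51.100.4 port 40022 ssh2
Mar  3 10:16:30 web01 sshd[2230]: Failed password for alice from 198.51.100.9 port 40100 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
LOG_YEAR = 2024        # syslog lines carry no year; assumed for the example
THRESHOLD = 5          # this many failures ...
WINDOW_SECONDS = 60    # ... within this window from one IP = brute-force attempt


def parse_failures(log_text):
    """Yield (epoch seconds, source ip, username) for every failed-login line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {LOG_YEAR}", "%b %d %H:%M:%S %Y")
        yield ts.timestamp(), m["ip"], m["user"]


def detect_bruteforce(log_text, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Sliding-window count of failures per source IP. Returns the IPs that crossed the threshold."""
    recent = defaultdict(list)
    offenders = set()
    for ts, ip, _user in parse_failures(log_text):
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= threshold:
            offenders.add(ip)
    return sorted(offenders)


def firewall_rules(offenders):
    """Response step: host-firewall commands to block the offenders.
    Assumes an nftables set named 'blocklist' in table 'inet filter' already exists."""
    return [f"nft add element inet filter blocklist {{ {ip} }}" for ip in offenders]
```

A detection-only HIDS stops at `detect_bruteforce` and raises an alert; a tool that also executes `firewall_rules` is acting as a HIPS. The single legitimate failure from 198.51.100.9 stays below the threshold, which is the kind of tuning that keeps a blocking rule from locking out a user who mistyped a password.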

8
Q

What is a Host-based Intrusion Prevention System (HIPS)?

A

Software that recognizes and blocks known attacks on the host. It is often built into endpoint protection software.

It uses signatures, heuristics, and behavior to identify threats.

It monitors for buffer overflows, registry updates, and files being written to the Windows folder. Because it runs on the host, it sees data after it has been decrypted, which a network device cannot do without intercepting the TLS session.

9
Q

What is a Trusted Platform Module (TPM)?

A

A dedicated cryptographic processor, specified by the Trusted Computing Group, found in most modern clients either as a discrete chip or as firmware running in the CPU. It includes persistent memory for keys and configuration, plus Platform Configuration Registers (PCRs) that record boot measurements. Use of a key can be bound to an authorization value (password) and/or to specific PCR values.

It can generate random numbers and keys, and keys it generates can be marked non-exportable, so they are used inside the TPM but never leave it.

In short: a specification for cryptographic functions, implemented in hardware, that assists with encryption (for example, BitLocker can seal its volume key to the TPM).

10
Q

What is Secure Boot?

A

Part of the UEFI specification that verifies the bootloader before the firmware executes it.

Checks the bootloader's digital signature
The bootloader must be signed by a key in the firmware's Secure Boot signature database (by default a certificate from the OEM or Microsoft's UEFI CA)
or by a manually enrolled key (for custom or self-signed bootloaders); revoked signatures are listed in the forbidden database (dbx) and are refused even if otherwise valid

11
Q

What are some of the protections of a UEFI BIOS?

A

The BIOS (firmware) includes the manufacturer's public key
The digital signature of a new firmware image is checked during a BIOS update, so unsigned or tampered images are refused
The BIOS prevents unauthorized writes to the flash chip, so malware running in the OS cannot overwrite the firmware

12
Q

What is Trusted Boot?

A

The stage of the Windows boot process, after Secure Boot has verified the bootloader, in which the bootloader verifies the digital signature of the OS kernel, and the kernel in turn verifies every other startup component (boot drivers, system files, etc.) before loading it.

ELAM (Early Launch Anti-Malware) is an anti-malware driver that starts before the other boot drivers and checks each one against its signature data; Windows won't load a driver ELAM classifies as untrusted.

13
Q

What is Measured Boot?

A

The stage of the boot process that records what was loaded so that any change to the computer can be detected later.

UEFI and the bootloader hash the firmware, the bootloader, the kernel, the boot drivers, and everything else loaded during the Secure Boot and Trusted Boot stages, and extend each hash into the TPM's Platform Configuration Registers (PCRs). A PCR cannot be written directly, only extended (new value = hash of the old value plus the new measurement), so a change to any component, or to the order in which components load, changes the final value.

Remote attestation then has the device send a TPM-signed report of its PCR values (a quote) together with the boot log to a verification server, which compares them with known-good values and can deny network access or flag the device if they differ.
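The extend-and-replay mechanics of Measured Boot and remote attestation, as an added example (not code from the original page or from any TPM or OS vendor). The boot "components" are constructed byte strings standing in for firmware, bootloader, kernel, and ELAM driver; the PCR starts at 32 zero bytes and is extended with SHA-256 exactly as a TPM 2.0 PCR bank is; the verifier's signature check on the quote is assumed to have already passed.

```python
import hashlib

# Constructed boot chain: (component name, image bytes). Stand-ins for real binaries.
GOOD_CHAIN = [
    ("uefi_firmware", b"firmware v1.2"),
    ("bootloader", b"bootmgfw.efi build 1001"),
    ("kernel", b"ntoskrnl.exe 10.0.19041"),
    ("elam_driver", b"wdboot.sys"),
]


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend operation: new_PCR = SHA-256(old_PCR || measurement).
    One-way and order-dependent; there is no way to set a PCR to a chosen value."""
    return hashlib.sha256(pcr + measurement).digest()


def measure_boot(chain):
    """Hash each component as it loads and extend it into one PCR (initially all zeros).
    Returns (final PCR value, event log); the log lets a verifier replay the measurements."""
    pcr = bytes(32)
    event_log = []
    for name, image in chain:
        digest = hashlib.sha256(image).digest()
        event_log.append((name, digest.hex()))
        pcr = pcr_extend(pcr, digest)
    return pcr, event_log


def replay_log(event_log) -> bytes:
    """Verifier side: recompute the PCR from the reported event log alone."""
    pcr = bytes(32)
    for _name, digest_hex in event_log:
        pcr = pcr_extend(pcr, bytes.fromhex(digest_hex))
    return pcr


def attest(reported_pcr: bytes, event_log, golden_pcr: bytes) -> str:
    """Remote attestation decision. The TPM's signature over the quote is assumed verified.
    The log must replay to the quoted PCR, and the PCR must equal the known-good value."""
    if replay_log(event_log) != reported_pcr:
        return "REJECT: event log does not match PCR"
    if reported_pcr != golden_pcr:
        return "REJECT: boot chain differs from golden image"
    return "ACCEPT"
```

The two rejection paths matter for different attackers: a modified bootloader changes the PCR, and an attacker who then edits the event log to hide the change still cannot make the log replay to the signed PCR value.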

14
Q

What is tokenization?

A

Sensitive data is replaced with a non-sensitive placeholder (the token). The original value and the token are not mathematically related: the token is generated randomly and the mapping is kept in a separate, tightly access-controlled token vault, so a stolen token reveals nothing and cannot be reversed without the vault.

This is used in databases and in credit card purchases (the merchant stores a token instead of the card number).

EX. An SSN 266-12-1112 becomes 691-61-8539

15
Q

What are some ways to protect a database?

A

1) Tokenization (store a random placeholder instead of the sensitive value)
2) Hashing passwords (store a one-way hash, never the password itself, so a dump of the table does not reveal passwords)
3) Adding salt (a random per-user value mixed into the hash, so identical passwords produce different hashes and precomputed rainbow tables are useless)
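All three database protections from this card and the previous one, as an added example that is not code from the original page: a token vault that mints random SSN-shaped tokens (no mathematical relation to the original, reversible only through the vault), and salted password hashing with a deliberately slow key-derivation function and a constant-time comparison. The `TokenVault` class, its in-memory dictionaries, the `scrypt$salt$hash` storage format, and the scrypt cost parameters are assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional


class TokenVault:
    """Maps tokens to original values. Tokens are random, so nothing about the SSN can be
    derived from a token; only the vault (a separate, tightly controlled system) can reverse it."""

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value: str) -> str:
        """Return the existing token for a value, or mint a fresh one in SSN format (NNN-NN-NNNN)."""
        if value in self._value_to_token:
            return self._value_to_token[value]
        while True:
            token = "{:03d}-{:02d}-{:04d}".format(
                secrets.randbelow(1000), secrets.randbelow(100), secrets.randbelow(10000)
            )
            if token not in self._token_to_value and token != value:   # avoid collisions
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only callers with access to the vault can recover the original."""
        return self._token_to_value[token]


SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)   # assumed cost; tune for the server


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store 'scrypt$<salt hex>$<hash hex>'. A fresh random salt per user means two users with
    the same password get different hashes, and a rainbow table cannot be reused."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return "scrypt${}${}".format(salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _alg, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(digest.hex(), digest_hex)
```

The tokenized column can live in the main database and be joined, reported on, and backed up freely; the vault is the only thing that needs the strongest access controls. For passwords, the point of scrypt (or bcrypt/Argon2) over a plain SHA-256 is that each guess costs the attacker real CPU and memory.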

16
Q

What are some ways to validate input in an application?

A

1) Validate actual input against what is expected (type, length, format, range)
2) Document all input methods (form fields, query strings, headers, file uploads, APIs)
3) Check and correct all input (normalization) before using it
- If something should only be x characters, make sure it can only be x characters

17
Q

What is Dynamic analysis and what are some other names for it?

A

Sending random or malformed input to a running application and watching for anything out of the ordinary (application crash, server error, unhandled exception, a result that violates the program's own rules, etc.).

Other names: Fuzzing, fault injection, robustness testing, syntax testing, negative testing
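Both cards above in one added example that is not code from the original page: a port-number parser written twice, once trusting `int()` and once validating against the expected form (normalize, then check length, character set, and range), plus a small mutation fuzzer with an oracle that reports crashes and contract violations. The seed input, alphabet, iteration count, and the 1-65535 contract are assumptions for illustration; the example goes beyond the cards by showing that `int()` quietly accepts underscores, a leading sign, and non-ASCII digits, which is exactly what the fuzzer surfaces.

```python
import random
import string

PORT_MAX = 65535


def parse_port_naive(s: str) -> int:
    """No validation: whatever int() accepts is taken at face value."""
    return int(s)


def parse_port_validated(s: str) -> int:
    """Validate actual input against expected: normalize, then enforce character set,
    length and range. Anything else is rejected with ValueError."""
    s = s.strip()                                   # normalization
    if not 1 <= len(s) <= 5:                        # "should only be x characters"
        raise ValueError("bad length")
    if not (s.isascii() and s.isdigit()):           # plain 0-9 only: no sign, '_' or Unicode digits
        raise ValueError("not a decimal number")
    port = int(s)
    if not 1 <= port <= PORT_MAX:
        raise ValueError("port out of range")
    return port


def mutate(sample: str, rng: random.Random, alphabet: str) -> str:
    """One random edit: insert, delete or replace a character."""
    op = rng.choice("idr")
    pos = rng.randint(0, max(len(sample) - 1, 0))
    if op == "i" or not sample:
        return sample[:pos] + rng.choice(alphabet) + sample[pos:]
    if op == "d":
        return sample[:pos] + sample[pos + 1:]
    return sample[:pos] + rng.choice(alphabet) + sample[pos + 1:]


def fuzz(target, seed_input="443", iterations=3000, seed=7):
    """Mutation fuzzer with a contract oracle. Records the first input that triggers each
    kind of failure: an unexpected exception, an out-of-range result, or acceptance of
    input that is not a plain ASCII decimal string."""
    rng = random.Random(seed)
    # digits, sign/separator characters, letters, plus Arabic-Indic 3 and superscript 2
    alphabet = string.digits + "+-_ .\t" + string.ascii_letters + "\u0663\u00b2"
    findings = {}
    for _ in range(iterations):
        sample = seed_input
        for _ in range(rng.randint(1, 3)):
            sample = mutate(sample, rng, alphabet)
        try:
            port = target(sample)
        except ValueError:
            continue                                 # rejection is the expected outcome
        except Exception as exc:                     # anything else is a crash worth reporting
            findings.setdefault("crash:" + type(exc).__name__, sample)
            continue
        if not 1 <= port <= PORT_MAX:
            findings.setdefault("out_of_range", sample)
        elif not (sample.strip().isascii() and sample.strip().isdigit()):
            findings.setdefault("accepted_noncanonical", sample)
    return findings
```

Run `fuzz(parse_port_naive)` and the findings dictionary fills with inputs such as `-43`, `4_43` or a value containing an Arabic-Indic digit; run it against `parse_port_validated` and it stays empty, because every accepted value satisfies the contract and every rejection is the documented ValueError.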

18
Q

What are cookies?

A

Information stored on your computer by the browser. They are used for tracking, personalization, and session management.

19
Q

What are secure cookies?

A

Cookies that have the Secure attribute set. The browser will only send them over HTTPS, so they are never exposed on a plaintext HTTP connection. The attribute controls transport only; it does not encrypt the cookie where it is stored on disk.

20
Q

Why should sensitive information not be stored in a cookie?

A

They aren't designed to be secure storage: cookies sit on the user's disk and are sent with every matching request, so anything in them can be read, copied, or tampered with. Keep sensitive data server-side and put only an opaque session identifier in the cookie.

21
Q

What are some ways to secure an application?

A

1) Input validation
2) Don't store sensitive info in a cookie
3) Enforce HTTPS communication
4) Only allow scripts, stylesheets, or images from the local site (Content Security Policy)
- Prevent the page from being loaded into an inline frame (iframe)
- Cross-site scripting prevention
5) Code signing
- A trusted CA signs the developer's public key (issues a code-signing certificate)
- The developer signs the code with their private key; users verify it with the certificate
6) Have an allow list / deny list
7) Static code analyzers
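The cookie and header controls from cards 19, 20 and 21 in one added example (not code from the original page): an opaque session identifier so nothing sensitive lives in the cookie, a Set-Cookie value built with the Secure, HttpOnly and SameSite attributes, an audit helper that reports which of those attributes a given Set-Cookie value lacks, and the response headers that enforce HTTPS and restrict scripts, stylesheets, images and framing to the local site. The cookie name, lifetime, and HSTS max-age are assumed values.

```python
import secrets
from http.cookies import SimpleCookie


def new_session_id() -> str:
    """Opaque random identifier. The cookie carries only this reference; the user's identity,
    role and any other sensitive state stay in server-side session storage."""
    return secrets.token_urlsafe(32)


def session_set_cookie(session_id: str) -> str:
    """Set-Cookie header value: Secure (HTTPS only), HttpOnly (invisible to page scripts,
    so XSS cannot read it), SameSite=Strict (not sent on cross-site requests)."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    morsel = cookie["session"]
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["samesite"] = "Strict"
    morsel["path"] = "/"
    morsel["max-age"] = 3600            # assumed one-hour session lifetime
    return morsel.OutputString()


def audit_set_cookie(header: str):
    """Check a Set-Cookie value as a reviewer would; returns the protective attributes it lacks."""
    attrs = {part.strip().split("=", 1)[0].lower() for part in header.split(";")[1:]}
    return [a for a in ("Secure", "HttpOnly", "SameSite") if a.lower() not in attrs]


def security_headers() -> dict:
    """Response headers that enforce HTTPS and restrict where content may load from."""
    csp = "; ".join([
        "default-src 'self'",        # scripts, stylesheets, images only from this site
        "script-src 'self'",         # no inline or third-party script: limits XSS impact
        "object-src 'none'",
        "frame-ancestors 'none'",    # page cannot be embedded in an iframe (clickjacking)
    ])
    return {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",  # browser uses HTTPS only
        "Content-Security-Policy": csp,
    }
```

`audit_set_cookie` is the quick check to run against a live application's responses: a session cookie that comes back as just `session=...; Path=/` is missing all three protections.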

22
Q

What is a static code analyzer?

A

A tool that analyzes source code without executing the code. Can help to find security flaws in coding.

23
Q

What are some ways to harden an application?

A

1) Close all ports except those that are required
2) Know what an application modifies in the registry
3) Encrypt the disk (Full Disk Encryption such as BitLocker, or a self-encrypting drive)
4) Harden the OS (updates, user accounts, network access and security, anti-malware)
5) Patch management
6) Sandboxing: applications cannot access unrelated resources
