3.2 Flashcards
(27 cards)
What is EDR?
-Endpoint Detection and Response
-A different method of threat protection
–Scale to meet the increasing number of threats
-Detect a threat
–Signatures aren’t the only detection tool
–Behavioral analysis, machine learning, process monitoring
–Lightweight agent on the endpoint
-Investigate the threat
–Root cause analysis
-Respond to the threat
–Isolate the system, quarantine the threat, rollback to a previous config
–API driven, no user or technician intervention required
What is NGFW?
-Next-Generation firewall
-The OSI Application Layer
–All data in every packet
-Can be called different names
–Application layer gateway
–Stateful multilayer inspection
–Deep packet inspection
-Broad security controls
–Allow or disallow application features
–Identify attacks and malware
–Examine encrypted data
–Prevent access to URLs or URL categories
What is Host-based firewall?
-Software-based firewall
–Personal firewall, runs on every endpoint
-Allow or disallow incoming or outgoing application traffic
–Control by application process
–View all data
-Identify and block unknown processes
–Stop malware before it can start
-Manage centrally
What are the methods of finding intrusions on an endpoint?
-Host-based Intrusion Detection System (HIDS)
–Uses log files to identify intrusion
–Can reconfigure firewalls to block
-Host-based Intrusion Prevention System (HIPS)
–Recognize and block known attacks
–Secure OS and application configs, validate incoming service requests
–Often built into endpoint protection software
-HIPS identification
–Signatures, heuristics, behavioral
–Buffer overflows, registry updates, writing files to the Windows folder
–Access to non-encrypted data
What is Boot Integrity?
-The attack on our systems is constant
–Techniques are constantly changing
-Attackers compromise a device
–And want it to stay compromised
-The boot process is a perfect infection point
–Rootkits run in kernel mode
–Have the same rights as the operating system
-Protecting the boot process is important
–Secure boot, trusted boot, and measured boot
–A chain of trust
What is Hardware Root of Trust?
-Security is based on trust
–Is your data safely encrypted?
–Is this web site legitimate?
–Has the operating system been infected?
-The trust has to start somewhere
–Trusted Platform Module (TPM), Hardware Security Module (HSM)
–Designed to be the hardware root of the trust
-Difficult to change or avoid
–It’s hardware
–Won’t work without the hardware
What is the TPM?
-Trusted Platform Module
-A specification for cryptographic functions
–Hardware to help with encryption functions
-Cryptographic processor
–Random number generator, key generators
-Persistent memory
–Comes with unique keys burned in during production
-Versatile memory
–Storage keys, hardware configuration information
-Password protected
–No dictionary attacks
What is Secure Boot?
-Secure Boot
–Part of the UEFI specification
-UEFI BIOS protections
–BIOS includes the manufacturer’s public key
–Digital signature is checked during a BIOS update
–BIOS prevents unauthorized writes to the flash
-Secure Boot verifies the bootloader
–Checks the bootloader’s digital signature
–Bootloader must be signed with a trusted certificate
–Or a manually approved digital signature
What is Trusted Boot?
-Bootloader verifies digital signature of the OS kernel
–A corrupted kernel will halt the boot process
-The kernel verifies all of the other startup components
–Boot drivers, startup files
-Just before loading the drivers, ELAM (Early Launch Anti-Malware) starts
–Checks every driver to see if it’s trusted
–Windows won’t load an untrusted driver
What is Measured Boot?
-Nothing on this computer has changed
–There have been no malware infections
–How do you know?
-Easy when it’s just your computer
–More difficult when there are 1,000
-UEFI stores a hash of the firmware, boot drivers, and everything else loaded during the Secure Boot and Trusted Boot process
–Stored in the TPM
-Remote Attestation
–Device provides an operational report to a verification server
–Encrypted and digitally signed with the TPM
-Attestation server receives the boot report
–Changes are identified and managed
What is Tokenization?
-Replace sensitive data with a non-sensitive placeholder
–SSN 226-12-1112 is now 691-61-8539
-Common with credit card processing
–Use a temporary token during payment
–An attacker capturing the card numbers can’t use them later
-This isn’t encryption or hashing
–The original data and token aren’t mathematically related
–No encryption overhead
What is hashing passwords?
-Hashes represent data as a fixed-length string of text
–A message digest, or “fingerprint”
-Will not have a collision (hopefully)
–Different inputs will not have the same hash
-One-way trip
–Impossible to recover the original message from the digest
–A common way to store passwords
What is salt?
-Salt
–Random data added to a password when hashing
-Every user gets their own random salt
–The salt is commonly stored with the password
-Rainbow tables won’t work with salted hashes
–Additional random value added to the original password
-This slows things down in the brute force process
–It doesn’t completely stop the reverse engineering
What is input validation?
-What is the expected input?
–Validate actual vs expected
-Document all input methods
–Forms, fields, type
-Check and correct all input (normalization)
–A zip code should be only X characters long with a letter in the X column
–Fix any data with improper input
-The fuzzers will find what you missed
–Don’t give them an opening
What is Dynamic Analysis (Fuzzing)?
-Send random input to an application
–Fault-injecting, robustness testing, syntax testing, negative testing
-Looking for something out of the ordinary
–Application crash, server error, exception
-1988 class project at the University of Wisconsin
–“Operating System Utility Program Reliability”
–Professor Barton Miller
–The Fuzz Generator
What are cookies?
-Cookies
–Information stored on your computer by the browser
-Used for tracking, personalization, session management
–Not executable, not generally a security risk unless someone gets access to them
-Secure cookies have a Secure attribute set
–Browser will only send it over HTTPS
-Sensitive information should not be saved in a cookie
–This isn’t designed to be a secure storage
What are HTTP Secure Headers?
-An Additional Layer of security
–Add these to the web server configuration
–You can’t fix every bad application
-Enforce HTTPS communication
–Ensure encrypted communication
-Only allow scripts, stylesheets, or images from the local site
–Prevent XSS attacks
What is code signing?
-An application is deployed
–Users run application executable or scripts
-So many security questions
–Has the application been modified in any way?
–Can you confirm that the application was written by a specific developer?
-The application code can be digitally signed by the developer
–Asymmetric encryption
–A trusted CA signs the developer’s public key
–A developer signs the code with their private key
–For internal apps, use your own CA
What is the difference between allow/deny list?
-Any application can be dangerous
–Vulnerabilities, trojan horse, malware
-Security policy can control app execution
–Allow list, deny/block list
-Allow list
–Nothing runs unless it’s approved
-Very restrictive
-Deny List
–Nothing on the “bad list” can be executed
–Anti-virus, anti-malware
What are static code analyzers?
-Static Application Security Testing (SAST)
–Help to identify security flaws
-Many security vulnerabilities found easily
–Buffer overflows, database injection, etc.
-Not everything can be identified through analysis
–Authentication security, insecure cryptography, etc.
–Don’t rely on automation for everything
-Still have to verify each finding
–False positives are an issue
What is Application hardening?
-Minimize the attack surface
–Remove all possible entry points
-Remove the potential for all known vulnerabilities
–As well as the unknown
-Some hardening may have compliance mandates
–HIPAA servers, PCI DSS, etc.
-There are many different resources
–Center for Internet Security (CIS)
–Network and Security Institute (SANS)
–National Institute of Standards and Technology (NIST)
How should you deal with Open ports and services?
-Every open port is a possible entry point
–Close everything except required ports
-Control access with a firewall
–NGFW would be ideal
-Unused or unknown services
–Installed with the OS or from other applications
-Applications with broad port ranges
–Open port 0 through 65,535
-Use Nmap or similar port scanner to verify
-Ongoing monitoring is important
What is “Registry”?
-The primary configuration database for Windows
–Almost everything can be configured from the registry
-Useful to know what an application modifies
–Many third-party tools can show registry changes
-Some registry changes are important security settings
–Configure registry permissions
–Disable SMBv1
What is Disk Encryption?
-Prevent access to application data files
–File system encryption
-Full Disk Encryption (FDE)
–Encrypt everything on the drive
–BitLocker, FileVault, etc.
-Self-Encrypting Drive (SED)
–Hardware-based full disk encryption
–No operating system software needed
-Opal storage specification
–The standard for SED storage