3.2 Given a scenario, implement host or application security solutions Flashcards

1
Q

Endpoint Protection

A

Endpoint protection is the set of security controls that run on the endpoints themselves, the workstations, servers and mobile devices from which users reach the network, rather than on the network perimeter. It includes antivirus/anti-malware, a host-based firewall, HIDS/HIPS, DLP agents and, increasingly, EDR.

2
Q

Antivirus

A

Antivirus software scans files, memory and running processes for known malicious code, primarily by matching signatures, supplemented by heuristic and behavioral checks. The category has broadened and is now usually sold as anti-malware. Look for exam questions specifically addressing the output from antivirus software, substitute anti-malware software, and the answer becomes obvious.

3
Q

Anti-malware

A

Anti-malware extends antivirus to the whole range of malicious code: worms, Trojans, spyware, adware, ransomware and rootkits. A single product commonly offers several scanning modes, for example real-time (on-access) scanning of files as they are opened, on-demand and scheduled full or custom scans, boot-time scanning before the OS loads, and heuristic or behavioral scanning that looks for suspicious actions rather than known signatures.

4
Q

Endpoint Detection and Response(EDR)

A

Endpoint detection and response (EDR) goes beyond signature-based blocking: an agent on each host continuously records telemetry (process creation, file and registry changes, network connections, logons) to a central console, applies behavioral analytics to detect intrusions, and lets analysts respond remotely, for example by isolating the host, killing a process or pulling files for forensic investigation. Gartner coined the term in 2013, and EDR has since become standard at the enterprise level.

5
Q

DLP

A

Data loss prevention (DLP) software identifies sensitive data (card numbers, health records, source code, documents tagged by classification) and monitors or blocks its movement to places it should not go. Endpoint DLP agents watch data in use (copying to USB, printing, pasting into a browser); network DLP watches data in motion (e-mail, web uploads); storage DLP scans data at rest for sensitive content kept where it shouldn't be. The goal is preventing exfiltration and leakage; DLP is not a backup or integrity tool.

6
Q

Next-generation firewall (NGFW)

A

A next-generation firewall (NGFW) inspects traffic at multiple layers of the OSI model to tackle traffic no traditional firewall can filter alone. A traditional packet filter works at Layers 3 and 4: it filters on IP addresses, protocols and TCP/UDP port numbers. An NGFW adds Layer 7 application awareness: it identifies applications by their traffic rather than by port alone, performs deep packet inspection of application data, integrates an intrusion prevention system, can decrypt and inspect TLS, and can write rules by user identity rather than by address. A host-based NGFW applies the same inspection on a single machine.

7
Q

Host-based intrusion prevention system (HIPS)

A

A host-based intrusion prevention system (HIPS) runs on the host it protects, watches incoming traffic and system activity (process behavior, file and registry changes, system calls) and actively blocks whatever matches a malicious pattern instead of only raising an alert. Because it blocks inline, a false positive can break legitimate software on that host.

8
Q

Host-based intrusion detection system(HIDS)

A

A host-based intrusion detection system (HIDS) runs on a single host and monitors it for signs of intrusion: patterns of malicious traffic aimed at the host's protocols or services, unusual traffic volumes, changes to critical files (file integrity monitoring) and suspicious log entries. Unlike a HIPS it only detects and alerts; it does not block.

9
Q

Host-based firewall

A

A host-based firewall, such as Windows Defender Firewall, runs on the individual host and blocks unwanted inbound (and, when configured, outbound) connections based on port number, protocol, source and destination address, and the application making the connection. It protects the host even when an attacker is already inside the network perimeter.

10
Q

Boot Integrity

A

Boot integrity means assurance that the firmware, boot loader and operating system kernel that start a computer have not been modified, so that a bootkit or rootkit cannot load before the OS and its security tools. Modern PCs rely on UEFI firmware for this: Secure Boot checks the digital signature of each boot component before running it, and Measured Boot records a hash of each component in the TPM so the result can be verified afterwards. Look for a question on the CompTIA Security+ exam that points to boot security/Unified Extensible Firmware Interface (UEFI) as the preferred method for assuring boot integrity.

11
Q

Boot Security/Unified Extensible Firmware Interface (UEFI)

A

Modern personal computers rely on Unified Extensible Firmware Interface (UEFI) for firmware, the replacement for the legacy BIOS, as you'll recall from your CompTIA A+ studies. UEFI Secure Boot keeps a database of trusted signing certificates and a list of revoked ones in firmware variables and will only execute a boot loader or driver whose signature checks out against them; an unsigned or tampered boot loader is refused. Look for a question on the CompTIA Security+ exam that points to boot security/UEFI as the preferred method for assuring boot integrity.

12
Q

Measured boot

A

Measured Boot, which Microsoft added in Windows 8, does not block anything by itself. As each stage of the boot (firmware, boot loader, kernel, early drivers, the anti-malware driver) loads, its hash is extended into Platform Configuration Registers (PCRs) in the TPM and written to a boot log. Because a PCR can only be extended and never reset, any change to a boot component, such as a rootkit, changes the final value and can be detected, either locally or by a remote attestation service that reads the values over the network.

13
Q

Boot Attestation

A

During the boot process, UEFI measures each boot component into the TPM, and the TPM can then produce a signed report (a quote) of its PCR values, bound to a fresh nonce from the verifier, which the machine sends to a remote attestation server. The server compares the values with the known-good values for that build and can flag the device or refuse it network access if they differ. This process is called boot attestation (or remote attestation).
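The measure, extend, quote and verify flow from the Measured Boot and Boot Attestation cards, as an added worked example in Python (written for this page, not code from any vendor or from the original flashcards). It models a TPM PCR with SHA-256, stands in the TPM's signature with an HMAC under a made-up key (an assumption: a real TPM signs quotes with an attestation key pair), and uses constructed byte strings in place of the firmware, boot loader and kernel images.

```python
import hashlib
import hmac

# Constructed boot chain: stand-ins for the images each stage measures before running.
BOOT_CHAIN = [
    ("uefi_firmware", b"UEFI firmware image v1.0"),
    ("bootloader", b"bootmgfw.efi signed image"),
    ("kernel", b"ntoskrnl.exe image"),
]

# Assumption: HMAC key standing in for the TPM's attestation key pair.
ATTESTATION_KEY = b"hypothetical-tpm-attestation-key"


def extend_pcr(pcr: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend: new = SHA-256(old || measurement).
    A PCR cannot be written directly or reset, only extended, so order matters."""
    return hashlib.sha256(pcr + measurement).digest()


def measured_boot(chain):
    """Each stage hashes the next, extends the PCR and appends to the event log."""
    pcr = bytes(32)  # PCRs start at all-zero at power-on
    event_log = []
    for name, image in chain:
        digest = hashlib.sha256(image).digest()
        event_log.append((name, digest.hex()))
        pcr = extend_pcr(pcr, digest)
    return pcr, event_log


def quote(pcr: bytes, nonce: bytes) -> dict:
    """TPM side: sign the PCR value together with the verifier's nonce."""
    sig = hmac.new(ATTESTATION_KEY, pcr + nonce, hashlib.sha256).hexdigest()
    return {"pcr": pcr.hex(), "nonce": nonce.hex(), "sig": sig}


def verify_attestation(q: dict, nonce: bytes, golden_pcr: bytes) -> bool:
    """Attestation server side: signature, freshness, then known-good comparison."""
    pcr = bytes.fromhex(q["pcr"])
    expected = hmac.new(ATTESTATION_KEY, pcr + nonce, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, q["sig"]):
        return False  # forged, or a replay of a quote made for an older nonce
    if q["nonce"] != nonce.hex():
        return False
    return hmac.compare_digest(pcr, golden_pcr)


def replay_event_log(event_log) -> bytes:
    """Verifier recomputes the PCR from the log; a log that does not replay
    to the quoted PCR has been tampered with."""
    pcr = bytes(32)
    for _, digest_hex in event_log:
        pcr = extend_pcr(pcr, bytes.fromhex(digest_hex))
    return pcr


def demo():
    golden_pcr, log = measured_boot(BOOT_CHAIN)
    nonce = b"\x01" * 16
    clean = verify_attestation(quote(golden_pcr, nonce), nonce, golden_pcr)

    # Bootkit scenario: Secure Boot would refuse the altered loader; Measured Boot
    # runs it, but the final PCR no longer matches the golden value.
    tampered = list(BOOT_CHAIN)
    tampered[1] = ("bootloader", b"bootmgfw.efi with bootkit")
    bad_pcr, _ = measured_boot(tampered)
    infected = verify_attestation(quote(bad_pcr, nonce), nonce, golden_pcr)

    # Replay scenario: an old, valid quote presented against a fresh nonce.
    replayed = verify_attestation(quote(golden_pcr, nonce), b"\x02" * 16, golden_pcr)
    return clean, infected, replayed, replay_event_log(log) == golden_pcr


if __name__ == "__main__":
    print(demo())  # (True, False, False, True)
```

The verifier never trusts the event log on its own: it replays the log to the quoted PCR and trusts the PCR only because the signature over it and the nonce came from the TPM.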

14
Q

Tokenization

A

Tokenization replaces a sensitive value, such as a payment card number, with a random surrogate token of the same format; the mapping from token to real value lives only in a separately secured token vault, so the application database never holds the real data. It's up to the developers to determine which fields in which database tables need to be tokenized and to make sure the tokenization isn't broken in other tables that index or join on that field.
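A minimal token vault and a tokenized orders table, as an added Python example (written for this page, not from the flashcards or any product). The vault class, the orders dictionary and the card numbers are constructed for the example; a real vault is a separate, access-controlled service.

```python
import re
import secrets


class TokenVault:
    """Hypothetical token vault (an assumption of this example): the only
    store that holds real card numbers. Application tables keep tokens only."""

    def __init__(self):
        self._by_token = {}
        self._by_value = {}

    def tokenize(self, pan: str) -> str:
        if not re.fullmatch(r"\d{13,19}", pan):
            raise ValueError("not a card number")
        if pan in self._by_value:  # same PAN -> same token, so joins keep working
            return self._by_value[pan]
        while True:
            # Random, not derived from the PAN: a hash could be reversed by guessing.
            # Format-preserving: same length, digits only, last four kept for display.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._by_token:
                break
        self._by_token[token] = pan
        self._by_value[pan] = token
        return token

    def lookup(self, pan: str):
        """Token for a PAN already in the vault, or None."""
        return self._by_value.get(pan)

    def detokenize(self, token: str) -> str:
        """Only the payment service, which has vault access, ever calls this."""
        return self._by_token[token]


def store_order(vault, orders, order_id, pan, amount):
    """The orders table (a constructed dict here) never sees the PAN, only the token."""
    orders[order_id] = {"card": vault.tokenize(pan), "amount": amount}


def orders_for_card(vault, orders, pan):
    """Lookups and joins on the tokenized column still work: translate the
    query value to its token and compare tokens."""
    token = vault.lookup(pan)
    return [oid for oid, row in orders.items() if row["card"] == token]


def demo():
    vault, orders = TokenVault(), {}
    pan = "4111111111111111"  # constructed test number
    store_order(vault, orders, "o1", pan, 19.99)
    store_order(vault, orders, "o2", pan, 5.00)
    store_order(vault, orders, "o3", "5555555555554444", 42.00)
    token = orders["o1"]["card"]
    return {
        "token_differs_from_pan": token != pan,
        "last_four_kept": token[-4:] == pan[-4:],
        "no_pan_in_orders": all(row["card"] != pan for row in orders.values()),
        "orders_for_card": orders_for_card(vault, orders, pan),
        "detokenized": vault.detokenize(token) == pan,
    }


if __name__ == "__main__":
    print(demo())
```

A compromise of the orders table yields only tokens, which are useless without the vault; the vault itself is therefore the asset to isolate and audit.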

15
Q

Salting

A

If your database stores passwords, store a hash of each password, never the password itself. A plain fast hash is not enough, though: rainbow tables are precomputed tables of hashes for common passwords, so an attacker can recover a password from its hash with a single lookup. Salting defeats them: append a random, per-user value (the salt) to the password before hashing and store the salt alongside the hash. The salt does not have to be secret, only unique, because it forces the attacker to build a fresh table for every user. Pair the salt with a deliberately slow password hash such as bcrypt, scrypt, Argon2 or PBKDF2 rather than plain MD5 or SHA-256. It's the developer's job to make these choices.
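Salted, slow password hashing beside the unsalted hash a rainbow table breaks, as an added Python example (written for this page, not from the flashcards). It uses only the standard library's PBKDF2; the four-entry "rainbow table" is a constructed stand-in for a real precomputed table.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: bytes = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt$hash'. The salt is 16 random
    bytes per user and is stored in the clear beside the hash: it does not
    need to be secret, only unique, so a table precomputed for one salt
    is useless against every other user."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, hash_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


# Constructed stand-in for a rainbow table: unsalted SHA-256 digest -> password.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]
RAINBOW = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def crack_with_table(digest_hex: str):
    """Against an unsalted fast hash, one dictionary lookup recovers the password."""
    return RAINBOW.get(digest_hex)


def demo():
    unsalted = hashlib.sha256(b"letmein").hexdigest()
    alice = hash_password("letmein")
    bob = hash_password("letmein")  # same password, different salt
    return {
        "unsalted_cracked": crack_with_table(unsalted),              # 'letmein'
        "salted_in_table": crack_with_table(alice.split("$")[-1]),   # None
        "same_password_same_hash": alice == bob,                     # False
        "alice_verifies": verify_password("letmein", alice),         # True
        "wrong_password": verify_password("letmein1", alice),        # False
    }


if __name__ == "__main__":
    print(demo())
```

Storing the algorithm and iteration count in the string is what lets you raise the work factor later and re-hash users on their next successful login.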

16
Q

Hashing

A

IT security professionals use hashes with databases in two ways. First, they hash a static database (one that isn’t being updated) to ensure that it hasn’t been altered. Second, they use hashing to find a data record without relying on indexing, something you’ll see employed in very large databases.

17
Q

Application Security

A

Application security not only means hardening an application, much like you would a network device, operating system, or host, but also means considering security throughout the software design and development processes.

18
Q

Input Validations

A

Input validation means checking every value that enters the application (form fields, URL parameters, headers, file uploads, API calls) against what is expected, by type, length, range and format, and rejecting anything else, preferably with an allow list of acceptable input rather than a list of known-bad characters. Common attacks that rely on unvalidated input include command injection, cross-site scripting, buffer overflows and SQL injection. Proper input validation helps prevent these attacks; combined with output encoding and parameterized queries it stops most of them.
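SQL injection against a string-built login query, beside the validated and parameterized version, as an added Python example (written for this page; the vulnerable function is deliberately written the insecure way to show the attack). The in-memory SQLite table and its users are constructed for the example.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table. Plaintext passwords only to keep the
    injection visible; a real table stores salted hashes."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, pw TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return con


def login_vulnerable(con, user: str, pw: str):
    """'Before' form: user input is concatenated into the SQL text, so the
    input can change the structure of the query."""
    sql = f"SELECT role FROM users WHERE name = '{user}' AND pw = '{pw}'"
    row = con.execute(sql).fetchone()
    return row[0] if row else None


USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")  # allow list, not a deny list


def login_hardened(con, user: str, pw: str):
    """Validate the input's shape first, then pass values separately from the
    SQL text in a parameterized query: the driver never lets data become code."""
    if not USERNAME_RE.match(user) or not (1 <= len(pw) <= 128):
        return None
    row = con.execute("SELECT role FROM users WHERE name = ? AND pw = ?", (user, pw)).fetchone()
    return row[0] if row else None


def demo():
    con = make_db()
    comment_out = "alice' --"   # '--' turns the password check into a comment
    tautology = "' OR '1'='1"   # makes the WHERE clause true for every row
    return {
        "vuln_comment": login_vulnerable(con, comment_out, "wrong"),   # 'admin'
        "vuln_tautology": login_vulnerable(con, "x", tautology),       # 'admin'
        "hard_comment": login_hardened(con, comment_out, "wrong"),     # None
        "hard_tautology": login_hardened(con, "x", tautology),         # None
        "hard_legit": login_hardened(con, "alice", "s3cret"),          # 'admin'
    }


if __name__ == "__main__":
    print(demo())
```

Note that the parameterized query alone stops both payloads; the regex is defense in depth and also rejects the input before it reaches any other sink (logs, shell commands, HTML).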

19
Q

Secure cookies

A

Secure cookies carry the Secure attribute, which tells the browser never to send the cookie except over an HTTPS connection, so a session token cannot be captured on the wire. Two related attributes are usually set with it: HttpOnly, which keeps scripts from reading the cookie and so limits what cross-site scripting can steal, and SameSite, which keeps the cookie off cross-site requests and so limits cross-site request forgery.

20
Q

Hypertext Transfer Protocol (HTTP) headers

A

HTTP response headers come with every Web page and give the browser instructions beyond the content itself, and several of them are security controls. Content-Security-Policy restricts where scripts, styles and frames may be loaded from, which blunts cross-site scripting; Strict-Transport-Security forces HTTPS; X-Content-Type-Options: nosniff stops the browser from guessing content types; X-Frame-Options (or CSP's frame-ancestors directive) prevents clickjacking. Missing or permissive headers leave the browser on defaults an attacker can exploit, so web solutions set them on every response.
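A small response audit that checks the cookie attributes from the Secure cookies card and the security headers from this card, as an added Python example (written for this page, not from the flashcards or any scanner). The two responses it audits are constructed; the thresholds (one-year HSTS, no inline or wildcard script sources) are the example's own choices.

```python
import re


def parse_set_cookie(header: str):
    """Split a Set-Cookie value into (name, value, {attribute: value or True})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_cookie(header: str) -> list:
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure, will be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly, readable by injected script")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        findings.append(f"{name}: SameSite should be Lax or Strict")
    return findings


def parse_csp(policy: str) -> dict:
    """'default-src 'self'; script-src 'self'' -> {directive: [sources]}."""
    directives = {}
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers: dict) -> list:
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m or int(m.group(1)) < 31536000:
        findings.append("Strict-Transport-Security missing or max-age under one year")
    csp = parse_csp(h.get("content-security-policy", ""))
    scripts = csp.get("script-src", csp.get("default-src"))
    if scripts is None:
        findings.append("Content-Security-Policy missing or has no script-src/default-src")
    elif "'unsafe-inline'" in scripts or "*" in scripts:
        findings.append("Content-Security-Policy allows inline or wildcard scripts")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    if "frame-ancestors" not in csp and "x-frame-options" not in h:
        findings.append("no clickjacking protection (frame-ancestors or X-Frame-Options)")
    return findings


# Constructed responses: the weak configuration beside the corrected one.
WEAK_RESPONSE = {
    "headers": {"Content-Type": "text/html",
                "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'"},
    "set_cookie": "session=8f3a1c; Path=/",
}
HARDENED_RESPONSE = {
    "headers": {"Content-Type": "text/html",
                "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
                "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
                "X-Content-Type-Options": "nosniff"},
    "set_cookie": "session=8f3a1c; Path=/; Secure; HttpOnly; SameSite=Strict",
}


def audit_response(resp: dict) -> list:
    return audit_headers(resp["headers"]) + audit_cookie(resp["set_cookie"])


if __name__ == "__main__":
    for name, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name, audit_response(resp))
```

The same functions can be pointed at real headers captured from a proxy or a `curl -I` run; they only reason about header text, so nothing here needs network access.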

21
Q

Code Signing

A

Code signing means digitally signing an individual executable or interpreted script with the developer's private key and publishing the matching certificate, so that users (and the operating system loader or app store) can verify that the code they run is the actual code from the developer and has not been altered since it was signed.

22
Q

Allow List

A

Whitelisting (or configuring an allow list) works similarly to blacklisting, except that a whitelist contains the applications that are allowed on the network or that are okay to install and use on hosts. A whitelist is useful in an environment where, by default, applications are not allowed unless approved by an administrator. This ensures that only certain applications can be installed and executed on the host. Rules are commonly written by file hash, file path or publisher signature.

23
Q

Block list/Deny list

A

Blacklisting (or configuring a block list/deny list) involves an administrator adding an undesirable piece of software or an application to a list on a content filtering device, in Active Directory group policy, or on another type of mechanism, so that users are not allowed to download, install, or execute these applications.

24
Q

Secure Coding Practices

A

Whether the platform is client side or server side, good development practices require thinking about security from the moment the application is first considered.

25
Q

Static Code Analysis

A

Static code analysis (SAST) examines source code, or sometimes compiled binaries, without running it, looking for known-dangerous patterns: unsafe functions such as strcpy or eval, string-built SQL, hard-coded credentials, and untrusted data that flows into a sensitive sink without validation. Most IDEs have a basic analyzer built in (linting), and dedicated SAST tools run in the build pipeline so findings appear before code is merged.
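A tiny static analyzer built on Python's own `ast` module, as an added example of the technique (written for this page, not a real SAST product). It walks the syntax tree of a constructed sample without executing it and reports dangerous calls, `shell=True`, and hard-coded secrets with their line numbers; the rule tables are the example's own, small assumptions about what counts as dangerous.

```python
import ast

DANGEROUS_CALLS = {
    "eval": "arbitrary code execution",
    "exec": "arbitrary code execution",
    "os.system": "command injection if the string includes user input",
    "pickle.loads": "deserialization of untrusted data",
    "hashlib.md5": "weak hash",
}
SHELL_CALLS = {"subprocess.run", "subprocess.call", "subprocess.Popen", "subprocess.check_output"}
SECRET_NAMES = ("password", "passwd", "secret", "api_key", "token")


def qualified_name(node) -> str:
    """'os.system' for Attribute(Name('os'), 'system'); '' for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = qualified_name(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


class InsecureCodeFinder(ast.NodeVisitor):
    def __init__(self):
        self.findings = []  # (line number, message)

    def visit_Call(self, node):
        name = qualified_name(node.func)
        if name in DANGEROUS_CALLS:
            self.findings.append((node.lineno, f"call to {name}: {DANGEROUS_CALLS[name]}"))
        if name in SHELL_CALLS:
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.findings.append((node.lineno, f"{name} with shell=True: command injection"))
        self.generic_visit(node)  # keep walking into nested calls and arguments

    def visit_Assign(self, node):
        for target in node.targets:
            if isinstance(target, ast.Name) and any(s in target.id.lower() for s in SECRET_NAMES):
                if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str) and node.value.value:
                    self.findings.append((node.lineno, f"hard-coded secret in {target.id}"))
        self.generic_visit(node)


def analyze(source: str) -> list:
    """Parse only: the analyzed code is never imported or run."""
    finder = InsecureCodeFinder()
    finder.visit(ast.parse(source))
    return sorted(finder.findings)


# Constructed sample under review; line 6 is the safe form of line 5.
SAMPLE = """\
import os, subprocess, hashlib
DB_PASSWORD = "hunter2"
def run(cmd):
    os.system("ls " + cmd)
    subprocess.run(cmd, shell=True)
    subprocess.run(["ls", cmd])
    digest = hashlib.md5(cmd.encode()).hexdigest()
    return eval(cmd)
"""

if __name__ == "__main__":
    for lineno, message in analyze(SAMPLE):
        print(f"line {lineno}: {message}")
```

Real analyzers add data-flow (taint) tracking so that `os.system("ls -l")` with a constant is not reported while `os.system("ls " + request.args["d"])` is; the pattern match above reports both, which is why SAST output needs triage.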

26
Q

Manual Code Review

A

The first test of any code starts with a manual code review, usually by the coder who just wrote the code. This is normally done within the development environment.

27
Q

Dynamic Code Analysis

A

Dynamic code analysis checks an application, or at least a piece of it, by actually running the code and observing its behavior: logic, inputs and outputs, interfaces and memory management. It finds problems that only appear at run time (race conditions, memory leaks, environment-specific misconfiguration) that static analysis cannot see. Dynamic testing can be manual, exercising most if not all of the application's functionality by hand, or automated by DAST tools and fuzzers that send test input to the running program.

28
Q

Fuzzing

A

Fuzzing means feeding unexpected, malformed or random data into a program's inputs, such as a Web app's input fields, a file parser or a network protocol, and watching for crashes, hangs or other misbehavior. Fuzzing can use simple random data (sometimes called monkey fuzzing) or intentionally dangerous payloads such as injection commands; smarter fuzzers start from a valid input and mutate it so the data gets past the early parsing checks.
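A mutation fuzzer run against a small record parser with a bounds-checking bug, and then against the fixed parser, as an added Python example (written for this page; the record format, the bug and the seed input are all constructed). A controlled `ValueError` is the parser's expected rejection; any other exception is treated as a crash.

```python
import random

SEED_INPUT = b"R\x02\x03abc\x02de"  # constructed valid record: magic 'R', 2 fields


def parse_record(data: bytes) -> dict:
    """Format: b'R', count byte, then count x (length byte, bytes).
    Malformed input is supposed to raise ValueError. Bug: the loop trusts
    the count and length bytes and never checks the data is long enough."""
    if len(data) < 2 or data[0:1] != b"R":
        raise ValueError("bad magic")
    count, pos, fields = data[1], 2, []
    for _ in range(count):
        length = data[pos]  # IndexError on truncated or inflated input
        pos += 1
        fields.append(data[pos:pos + length])
        pos += length
    return {"count": count, "fields": fields}


def parse_record_fixed(data: bytes) -> dict:
    """Same format with bounds checks: every failure is a controlled ValueError."""
    if len(data) < 2 or data[0:1] != b"R":
        raise ValueError("bad magic")
    count, pos, fields = data[1], 2, []
    for _ in range(count):
        if pos >= len(data):
            raise ValueError("truncated field header")
        length = data[pos]
        pos += 1
        if pos + length > len(data):
            raise ValueError("field length exceeds data")
        fields.append(data[pos:pos + length])
        pos += length
    if pos != len(data):
        raise ValueError("trailing bytes")
    return {"count": count, "fields": fields}


def mutate(rng: random.Random, data: bytes) -> bytes:
    """One random mutation: bit flip, boundary byte, truncation or insertion."""
    buf = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif choice == 1 and buf:
        i = rng.randrange(len(buf))
        buf[i] = rng.choice([0x00, 0x7F, 0x80, 0xFF])
    elif choice == 2 and len(buf) > 1:
        del buf[rng.randrange(1, len(buf)):]
    else:
        i = rng.randrange(len(buf) + 1)
        buf[i:i] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 4)))
    return bytes(buf)


def fuzz(parser, seed: bytes, iterations: int = 500, rng_seed: int = 1) -> list:
    """Mutate the seed, run the parser, collect (input, exception) for real crashes."""
    rng = random.Random(rng_seed)  # fixed seed so a run is reproducible
    crashes = []
    for _ in range(iterations):
        sample = seed
        for _ in range(rng.randint(1, 3)):
            sample = mutate(rng, sample)
        try:
            parser(sample)
        except ValueError:
            continue  # expected rejection of bad input, not a bug
        except Exception as exc:  # anything else is a finding
            crashes.append((sample, type(exc).__name__))
    return crashes


if __name__ == "__main__":
    for sample, kind in fuzz(parse_record, SEED_INPUT)[:3]:
        print(kind, sample)
    print("fixed parser crashes:", len(fuzz(parse_record_fixed, SEED_INPUT)))
```

Starting from a valid seed is what gets the mutated data past the magic-byte check; pure random input would be rejected at the first byte almost every time and never reach the loop where the bug lives.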

29
Q

Hardening

A

Hardening an operating system means several things, but mostly it’s about configuring the operating system and setting security options appropriately. Security professionals should adhere to the golden rule for hardening:

If you don’t need it, remove it. If you can’t remove it, turn it off.

30
Q

Open Ports and Services

A

Almost every host runs services that it doesn't need, each one listening on an open port. In addition to wasting processing power and resources, a host that runs unnecessary services poses security risks: a service can be vulnerable to attack for a variety of reasons, including unchecked privilege use, access to sensitive resources, and unpatched bugs. Inventory the open ports (netstat or ss on the host, an nmap scan from outside) and disable every service that has no business reason to run.

31
Q

Registry

A

For the most part, applying hardening techniques discussed in this module will lock down access to the Registry to only those accounts that need to access it—administrators, in short—and provide more than adequate security.

32
Q

Patch Management

A

Operating system vendors release patches and security updates to address issues such as unforeseen vulnerabilities. For the most part today, operating systems auto-update, meaning they seek out and download patches from their manufacturers automatically, although in some cases this must be done manually. This process is called patch management.

33
Q

Third-Party Updates

A

Improper or weak patch management can lead to vulnerabilities that bad people can and will exploit. IT managers should update everything properly, including firmware, operating systems (OS), and applications. That includes third-party updates as well, especially any custom software applications or utilities used by the organization.

34
Q

Auto-Update

A

For the most part today, operating systems auto-update, meaning they seek out and download patches from their manufacturers automatically, although in some cases this must be done manually.

35
Q

Self-Encrypting Drive(SED)

A

You can go even more secure with disk encryption by using a self-encrypting drive (SED), whose own controller automatically encrypts and decrypts all data on the drive with a key that never leaves the drive. From the outside, a SED looks exactly like any other drive, and SEDs exist for both traditional hard disk drives (HDDs) and solid state drives (SSDs). A SED often comes with extra features that high-security folks really enjoy, such as cryptographic erase: discarding the media encryption key renders the entire drive unreadable in an instant.

36
Q

Full-Disk Encryption(FDE)

A

Every major operating system supports full disk encryption (FDE), which typically means every part of a drive is encrypted except the small unencrypted boot area needed to start the decryption process. The FDE tool that comes with Windows Pro and Enterprise editions is called BitLocker; macOS has FileVault, and Linux distributions use LUKS. FDE protects data at rest against loss or theft of the device; once the OS has booted and unlocked the volume, it does nothing against malware or a logged-in attacker.

37
Q

Opal

A

The Trusted Computing Group publishes the Opal Storage Specification, a standard interface for managing self-encrypting drives (authentication, locking ranges, key management), so that an SED from any vendor can be managed by Linux as well as Windows.

38
Q

Hardware Root of Trust

A

A hardware root of trust is a component, such as the TPM or the CPU's own boot ROM, that is trusted implicitly because software cannot alter it. The operating system relies on this hardware root of trust to check for low-level changes at bootup, changes that malware can cause, for example. Depending on the system, any tampering could lead to automatic loading of a last known-good system or a system stop.

39
Q

Trusted Platform Module (TPM)

A

Most modern computers ship with a chip (or a firmware-based equivalent) called a Trusted Platform Module (TPM) that works with system firmware, UEFI in current PCs, to provide a baseline level of security and trust. The TPM generates and stores cryptographic keys that never leave it, holds the boot measurements in its PCRs, and releases keys such as the BitLocker volume key only when those measurements match.

40
Q

Sandboxing

A

Staging often employs sandboxing: running the application in an isolated environment, typically a virtual machine (VM) or container, that enables aggressive testing without risking any problems with the rest of the network. The same idea is used at run time, where browsers and operating systems sandbox untrusted code and anti-malware detonates suspicious files in a sandbox to observe their behavior.