3.2 - Given a scenario, implement host or application security solutions.

Question 1

Antivirus

Answer 1

– Refers specifically to a type of malware

– Trojans, worms, macro viruses

– Anti-virus software is also anti-malware software now

Question 2

Anti-malware

Answer 2

– Anti-malware stops spyware, ransomware,
fileless malware

Question 3

EDR

Answer 3

-Endpoint detection and response

A different method of threat protection
– Scale to meet the increasing number of threats

Detect a threat
– Signatures aren’t the only detection tool
– Behavioral analysis, machine learning,
process monitoring
– Lightweight agent on the endpoint

Investigate the threat
– Root cause analysis

Respond to the threat
– Isolate the system, quarantine the threat, rollback
to a previous config
– API driven, no user or technician intervention required

Question 4

DLP

Answer 4

Stop the data before the attacker gets it
– Data “leakage”

So many sources, so many destinations
– Often requires multiple solutions
– Endpoint clients
– Cloud-based systems
– Email, cloud storage, collaboration tools

Question 5

NGFW

Answer 5

-Next-generation firewall

The OSI Application Layer - All data in every packet

Can be called different names
– Application layer gateway
– Stateful multilayer inspection, deep packet inspection

Broad security controls
– Allow or disallow application features
– Identify attacks and malware
– Examine encrypted data
– Prevent access to URLs or URL categories

Question 6

HIPS

Answer 6

-Host-based intrusion prevention system

– Recognize and block known attacks

– Secure OS and application configs, validate
incoming service requests

– Often built into endpoint protection software

HIPS identification
– Signatures, heuristics, behavioral

– Buffer overflows, registry updates, writing files to the Windows folder

– Access to non-encrypted data

Question 7

HIDS

Answer 7

• Host-based intrusion detection
  system

-Uses log files to identify intrusions

-Can reconfigure firewalls to block

Question 8

Host-based firewall

Answer 8

Software-based firewall
– Personal firewall, runs on every endpoint

Allow or disallow incoming or outgoing
application traffic
– Control by application process
– View all data

Identify and block unknown processes
– Stop malware before it can start

Manage centrally

Gibson 88
-monitors traffic going in/out of single host (server/workstation/etc)
-monitors traffic passing thru NIC + can prevent intrusion into comp via the NIC
-allow u to configure rules to allow/restrict inbound + outbound traffic
-many orgs use personal firewalls along with network firewalls (important to use personal firewalls when accessing internet in public place)

Question 9

Boot integrity

Answer 9

*
The attack on our systems is constant
– Techniques are constantly changing
*
Attackers compromise a device
– And want it to stay compromised
*
The boot process is a perfect infection point
– Rootkits run in kernel mode
– Have the same rights as the operating system
*
Protecting the boot process is important
– Secure boot, trusted boot, and measured boot
– A chain of trust

Question 10

Boot security/Unified Extensible Firmware Interface (UEFI)

Answer 10

*
Secure Boot
– Part of the UEFI specification
*
UEFI BIOS protections
– BIOS includes the manufacturer’s public key
– Digital signature is checked during a BIOS update
– BIOS prevents unauthorized writes to the flash
*
Secure Boot verifies the bootloader
– Checks the bootloader’s digital signature
– Bootloader must be signed with a trusted certificate
– Or a manually approved digital signature

Question 11

Measured boot

Answer 11

-nothing on computer has changed

UEFI stores a hash of the firmware, boot drivers, and
everything else loaded during the Secure Boot and
– Trusted Boot process
– Stored in the TPM

Remote attestation
– Device provides an operational report to a
verification server
– Encrypted and digitally signed with the TPM
*
Attestation server receives the boot report
– Changes are identified and managed

Question 12

Boot attestation

Answer 12

Remote attestation
– Device provides an operational report to a
verification server
– Encrypted and digitally signed with the TPM

Attestation server receives the boot report
– Changes are identified and managed

Question 13

Database

Answer 13

Protecting stored data + transmission of that data

Intellectual property storage

Compliance issues
– PCI DSS, HIPAA, GDPR, etc.

Keep business running
– sec provides continuity

Breaches r expensive - Keep costs low

Question 14

Tokenization

Answer 14

Replace sensitive data wth a non-sensitive placeholder
– SSN 266-12-1112 is now 691-61-8539

Common wth credit card processing
– Use a temp token during payment
– perp capturing the card #s can’t use them later

ISN’T encryption OR hashing
– The OG data + token aren’t mathematically related
– No encryption overhead

Question 15

Salting

Answer 15

Salt = Random data added to a password when hashing

Every usr gets their own random salt
->salt is commonly stored wth the pswd

Rainbow tables won’t work with salted hashes
->Additional random value added to OG pswd

Slows things down the brute force process
->doesn’t completely stop reverse engineering

Question 16

Hashing

Answer 16

Hashes represent data as fixed-length string of text

Won’t have a collision (hopefully)
– diff inputs won’t have same hash

One-way trip
– Impossible to recover the OG message from the digest
– common way to store pswds

Question 17

Application security

Question 18

Input validations

Answer 18

What is the expected input?
->Validate actual vs. expected

Document all input methods
->Forms, fields, type

Check and correct all input (normalization)
-> EX: zip code should be only X characters long
with a letter in the X column
->Fix any data with improper input

-The fuzzers will find what you missed

Question 19

Secure cookies

Answer 19

Cookies = info stored on ur comp by the browser

-Used 4;
->tracking
->personalization
->session mgmt

-Not executable, generally not a sec risk UNLESS someone gets access to them

-sec cookies have a sec attribute set
->Browser will only send it over HTTPS

-Sensitive info shouldn’t be saved in a cookie
->This isn’t designed to be secure storage

Question 20

Hypertext Transfer
Protocol (HTTP) headers

Answer 20

*
An additional layer of security
*
Add these to the web server configuration
*
You can’t fix every bad application
*
Enforce HTTPS communication
*
Ensure encrypted communication
*
Only allow scripts, stylesheets, or images from
the local site
*
Prevent XSS attacks
*
Prevent data from loading into an inline frame
(iframe)
*
Also helps to prevent XSS attacks

Question 21

Code signing

Answer 21

-app deployed, usrs run app executable or scripts
->need to confirm that app was written by a specific developer

-app code can be digitally signed by the dev
->Asymmetric encryption
->A trusted CA signs the devs public key
->Dev signs code with their priv key
->4 internal apps, use your own CA

Question 22

Allow list

Answer 22

Nothing runs unless it’s approved - Very restrictive

Question 23

Block list/deny list

Answer 23

Nothing on the “bad list” can be executed

Anti-virus, anti-malware

Question 24

Secure coding practices

Question 25

Static code analysis

Answer 25

-aka source code analysis -type of white box testing ->full visibility of testers -allows testers to find problems other tests miss -doesn't run the program ->focuses on understanding how program is written + what code is intended to do -conducted via automated tools or manually review -automated static code analysis can be v effective at finding known issues -manual static code analysis help identify programmer induced errors

Question 26

Manual code review

Question 27

Dynamic code analysis

Answer 27

-aka Fuzzing -relies on execution of code while providing it wth input to test software -via automated tools or manually

Question 28

Fuzzing

Answer 28

-sending invalid/random data to app to test its ability to handle unexpected data -app monitored to determine if it crashes, fails, responds incorrectly -typically automated -useful 4 detecting input validation, logic issues, mem leaks, error handling -tends to only identify simple problems ->doesn't acct 4 complex logic or business process issues -may not provide complete code coverage if its progress isn't monitored

Question 29

Hardening

Answer 29

* Minimize the attack surface – Remove all possible entry points * Remove the potential for all known vulnerabilities – As well as the unknown * Some hardening may have compliance mandates – HIPAA servers, PCI DSS, etc. * There are many different resources – Center for Internet Security (CIS) – Network and Security Institute (SANS) – National Institute of Standards and Technology (NIST)

Question 30

Open ports and services

Answer 30

* Every open port is a possible entry point – Close everything except required ports * Control access with a firewall – NGFW would be ideal * Unused or unknown services – Installed with the OS or from other applications * Applications with broad port ranges – Open port 0 through 65,535 * Use Nmap or similar port scanner to verify – Ongoing monitoring is important

Question 31

Registry

Answer 31

* The primary configuration database for Windows – Almost everything can be configured from the registry * Useful to know what an application modifies – Many third-party tools can show registry changes * Some registry changes are important security settings – Configure registry permissions – Disable SMBv1

Question 32

Disk encryption

Answer 32

*Prevent access to application data files – File system encryption *Full disk encryption (FDE) *Self-encrypting drive (SED) *Opal storage specification

Question 33

OS hardening

Answer 33

*Updates – Operating system updates/service packs, security patches *User accounts – Minimum password lengths and complexity – Account limitations *Network access and security – Limit network access *Monitor and secure – Anti-virus, anti-malware

Question 34

Patch management

Answer 34

System stability, security fixes Monthly updates – Incremental (and important) Third-party updates – App devs, device drivers Auto-update - Not always best option Emergency out-of-band updates – Zero-day + important sec discoveries

Question 35

Third-party updates

Question 36

Auto-update

Question 37

SED

Answer 37

Self-encrypting drive – Hardware-based full disk encryption – No operating system software needed Chapple 339 Gibson 153 Weiss 323

Question 38

FDE

Answer 38

full disk encryption – Encrypt everything on the drive – BitLocker, FileVault, etc.

Question 39

Opal (disk encryption)

Answer 39

Opal storage specification – The standard for of SED storage

Question 40

Hardware root of trust

Answer 40

* Security is based on trust – Is your data safely encrypted? – Is this web site legitimate? – Has the operating system been infected? * The trust has to start somewhere – Trusted Platform Module (TPM), – Hardware Security Module (HSM) – Designed to be the hardware root of the trust * Difficult to change or avoid – It’s hardware – Won’t work without the hardware

Question 41

Trusted Platform Module (TPM)

Answer 41

* A specification for cryptographic functions – Hardware to help with encryption functions * Cryptographic processor – Random number generator, key generators * Persistent memory – Comes with unique keys burned in during production * Versatile memory – Storage keys, hardware configuration information * Password protected – No dictionary attacks

Question 42

Sandboxing

Answer 42

Apps can't access unrelated resources – They play in their own sandbox Commonly used during development – Can be a useful production technique Used in many diff deployments – Virtual machines – Mobile devices – Browser iframes (Inline Frames) – Windows User Account Control (UAC)