3.2 Flashcards
Endpoint Protection
It is the concept of extending security perimeters to the devices that are connecting to the network. Endpoint protection solutions include HIDS/HIPS, firewalls, antivirus, DLP solutions, etc.
Antivirus
Antivirus attempts to identify, neutralize, or remove malicious programs, macros, and files. Signature-based detection looks for known signatures of malware. Heuristic-based detection searches for suspicious behavior from programs that suggests malware.
Anti-Malware
It is a product that is designed to protect your machine from malicious software or malware.
Endpoint Detection and Response (EDR)
EDR combines individual endpoint security functions into a complete package. It can include antivirus, anti-malware, software patching, firewall, and DLP solutions.
Data loss prevention (DLP)
DLP serves to prevent data from leaving a network unnoticed. DLP monitoring records file activity and sends the reports to a centralized system.
Next-Generation Firewall (NGFW)
NGFW will actually analyze the content of the traffic that is coming through and not just the source and destination IPs or ports. The challenge is to make sure the rulesets are up-to-date and able to catch the anomalous traffic coming in.
Host-based Intrusion Detection System (HIDS)
HIDS will detect undesired elements that are affecting the host endpoints it is assigned to. It tailors its detection to the host OS.
Host-based Intrusion Prevention System (HIPS)
A HIPS is able to act like a HIDS but is also capable of acting on the detection and responding automatically to a threat condition. It detects and prevents.
Host-based Firewall
These are software-based firewalls that monitor and control traffic passing into and out of a single system.
Linux has IPTables, TCP Wrapper, IPChains
Windows has Windows Defender Firewall
Boot Integrity
Process of a system powering up and loading and running the correct hardware/firmware/software needed in compliance with the expected state.
Boot Security/Unified Extensible Firmware Interface (UEFI)
UEFI offers Secure Boot, which will only boot signed drivers and OS loaders. It also uses attestation to ensure that these drivers and loaders haven’t been changed since they were approved for use.
Measured Boot
Measured boot depends on the Root of Trust in starting the system, but uses hashes of the processes running to compare to known-good hashes. This is good because signatures are harder to come by.
Boot Attestation
Boot attestation reports the state of a system between components and Root of Trust through digital signatures.
Database
Databases can have encryption that protects against any database compromise while performance hits are negligible.
Tokenization
Tokenization is substituting a value instead of the actual sensitive data to guard against disclosing that data. It is a referential integrity option.
Salting
Salting is adding a random value to the end of a password before performing hashing. This will change the outcome hash even if two users have identical passwords.
Hashing
Mathematical operation of reducing a data element into an outcome that is not reversible.
Application security
We need application security since OSs and infrastructure software have addressed many of their vulnerabilities over the years. In-house software is much less likely to have had security reviews, which means it is more likely to have vulnerabilities.
Input Validations
Having comprehensive and stringent validation of inputs will help guard against unwanted outcomes that an attacker could exploit. It will prevent many types of attacks.
Secure Cookies
Cookies have an attribute that restricts them to being sent only over HTTPS, which encrypts the data so attackers cannot see it.
Hypertext Transfer Protocol (HTTP) Headers
These HTTP headers are vulnerable to risks such as protocol downgrade attacks, clickjacking, cookie hijacking and other attacks. That’s why HTTPS is better because it encrypts your data.
Code Signing
Code signing is adding a digital signature to code to verify the integrity of the code and show evidence of the source of the software.
Allow List
Allow lists are lists of applications that are allowed to run on a machine using hashes to verify they are not corrupted. These are easy to use on a single-purpose machine but a multi-purpose one makes these lists a lot more complex.
Block List/Deny List
A block list/deny list is a list that explicitly states which applications are not allowed to run on a machine. This list is easier to exploit by making minor changes to the software and thus changing the hashes.
Secure Coding Practices
In order for your code to be secure, you need to have a set of standards and procedures in place that allow the code to run properly while maintaining the highest level of security possible. Input validation, proper error handling, and cross-site scripting and cross-site request forgery mitigations can all improve code.
Static Code Analysis
Static Code Analysis is when code is examined without being executed. There are automated tools that will go through and analyze the code. It’ll search for weaknesses and vulnerabilities.
Manual Code Review
It can be directed or undirected. Undirected uses a program to proof-read the code while directed is a person talking through the code so that the people watching can see if there are any issues that are present.
Dynamic Code Analysis
Code analysis done while the program is running. The program is fed specific inputs to see if the program runs the desired outcomes and has no odd behaviors.
Fuzzing
It is the brute force method for testing input validation issues and vulnerabilities. You want to see if you can cause a fault that is exploitable.
Hardening
Only running the items necessary will improve system throughput and increase security. It decreases the attack surface associated with the system, which reduces vulnerabilities.
Open ports
Any service that is not going to be used on the system should be disabled, and any unnecessary ports should be blocked by the firewall.
Registry
The registry is a repository for all information related to configurations. Keeping backups of known good copies of your registry will be useful when comparing it to a later iteration that may have malicious activity.
Disk Encryption
Having a disk encrypted will render it unusable without the proper keys.
OS
No matter what the OS, updates and patches should be applied where and when possible. Any nonessential services and software should be disabled and/or removed. Unnecessary open ports should be blocked or closed. All users should implement strong passwords and change them on a regular basis. Access policies and permissions should be implemented based on least privilege, where appropriate. Privileged user accounts should be used only when necessary, and there should be no local administrative accounts on Windows boxes. Also, logging should be implemented. In domain-based environments, group policies should be deployed to maintain security settings.
Patch Management
Making sure you keep your systems up to date. This comes in the form of hotfixes, patches, service packs, etc.
Third-party Updates
Third-party vendors offer services that will automatically check for updates for you if managing them becomes an issue.
Auto-Update
Self-Encrypting Drive (SED)/ Full Disk Encryption (FDE)
SEDs and FDE offer a way to protect data on a drive in devices like laptops or other portable devices. This will make it harder for an attacker to run offline attacks at their leisure. The data stays encrypted.
Opal
Opal is a hardware-based standard that does the same thing as SED/FDE. It provides hardware-based encryption to mass storage devices: hard drives, SSDs, optical drives, etc. Since it is hardware, it has better performance than the software-based SEDs/FDEs.
Hardware Root of Trust
Concept that if one has trust in a source’s specific security functions, this layer is then used to promote security to higher levels of a system.
Trusted Platform Module (TPM)
Hardware solution on a motherboard that assists with key generation and storage as well as random number generation. This hardware is separate from the software, which keeps it secure from any tampering on the software side that tries to access the TPM.
Sandboxing
It is the quarantining or isolation of a system from its surroundings. It can be used to test configurations, software updates, software deployment, etc.