3.2 - Given a scenario, implement host or application security solutions. Flashcards
Antivirus
– Refers specifically to a type of malware
– Trojans, worms, macro viruses
– Anti-virus software is also anti-malware software now
Anti-malware
– Anti-malware stops spyware, ransomware,
fileless malware
EDR
-Endpoint detection and response
A different method of threat protection
– Scale to meet the increasing number of threats
Detect a threat
– Signatures aren’t the only detection tool
– Behavioral analysis, machine learning,
process monitoring
– Lightweight agent on the endpoint
Investigate the threat
– Root cause analysis
Respond to the threat
– Isolate the system, quarantine the threat, rollback
to a previous config
– API driven, no user or technician intervention required
DLP
Stop the data before the attacker gets it
– Data “leakage”
So many sources, so many destinations
– Often requires multiple solutions
– Endpoint clients
– Cloud-based systems
– Email, cloud storage, collaboration tools
NGFW
-Next-generation firewall
The OSI Application Layer - All data in every packet
Can be called different names
– Application layer gateway
– Stateful multilayer inspection, deep packet inspection
Broad security controls
– Allow or disallow application features
– Identify attacks and malware
– Examine encrypted data
– Prevent access to URLs or URL categories
HIPS
-Host-based intrusion prevention system
– Recognize and block known attacks
– Secure OS and application configs, validate
incoming service requests
– Often built into endpoint protection software
HIPS identification
– Signatures, heuristics, behavioral
– Buffer overflows, registry updates, writing files to the Windows folder
– Access to non-encrypted data
HIDS
- Host-based intrusion detection
system
-Uses log files to identify intrusions
-Can reconfigure firewalls to block
Host-based firewall
Software-based firewall
– Personal firewall, runs on every endpoint
Allow or disallow incoming or outgoing
application traffic
– Control by application process
– View all data
Identify and block unknown processes
– Stop malware before it can start
Manage centrally
Gibson 88
-monitors traffic going in/out of single host (server/workstation/etc)
-monitors traffic passing thru NIC + can prevent intrusion into comp via the NIC
-allow u to configure rules to allow/restrict inbound + outbound traffic
-many orgs use personal firewalls along with network firewalls (important to use personal firewalls when accessing internet in public place)
Boot integrity
*
The attack on our systems is constant
– Techniques are constantly changing
*
Attackers compromise a device
– And want it to stay compromised
*
The boot process is a perfect infection point
– Rootkits run in kernel mode
– Have the same rights as the operating system
*
Protecting the boot process is important
– Secure boot, trusted boot, and measured boot
– A chain of trust
Boot security/Unified Extensible Firmware Interface (UEFI)
*
Secure Boot
– Part of the UEFI specification
*
UEFI BIOS protections
– BIOS includes the manufacturer’s public key
– Digital signature is checked during a BIOS update
– BIOS prevents unauthorized writes to the flash
*
Secure Boot verifies the bootloader
– Checks the bootloader’s digital signature
– Bootloader must be signed with a trusted certificate
– Or a manually approved digital signature
Measured boot
-nothing on computer has changed
UEFI stores a hash of the firmware, boot drivers, and
everything else loaded during the Secure Boot and
– Trusted Boot process
– Stored in the TPM
Remote attestation
– Device provides an operational report to a
verification server
– Encrypted and digitally signed with the TPM
*
Attestation server receives the boot report
– Changes are identified and managed
Boot attestation
Remote attestation
– Device provides an operational report to a
verification server
– Encrypted and digitally signed with the TPM
Attestation server receives the boot report
– Changes are identified and managed
Database
Protecting stored data + transmission of that data
Intellectual property storage
Compliance issues
– PCI DSS, HIPAA, GDPR, etc.
Keep business running
– sec provides continuity
Breaches r expensive - Keep costs low
Tokenization
Replace sensitive data wth a non-sensitive placeholder
– SSN 266-12-1112 is now 691-61-8539
Common wth credit card processing
– Use a temp token during payment
– perp capturing the card #s can’t use them later
ISN’T encryption OR hashing
– The OG data + token aren’t mathematically related
– No encryption overhead
Salting
Salt = Random data added to a password when hashing
Every usr gets their own random salt
->salt is commonly stored wth the pswd
Rainbow tables won’t work with salted hashes
->Additional random value added to OG pswd
Slows things down the brute force process
->doesn’t completely stop reverse engineering
Hashing
Hashes represent data as fixed-length string of text
Won’t have a collision (hopefully)
– diff inputs won’t have same hash
One-way trip
– Impossible to recover the OG message from the digest
– common way to store pswds
Application security
Input validations
What is the expected input?
->Validate actual vs. expected
Document all input methods
->Forms, fields, type
Check and correct all input (normalization)
-> EX: zip code should be only X characters long
with a letter in the X column
->Fix any data with improper input
-The fuzzers will find what you missed
Secure cookies
Cookies = info stored on ur comp by the browser
-Used 4;
->tracking
->personalization
->session mgmt
-Not executable, generally not a sec risk UNLESS someone gets access to them
-sec cookies have a sec attribute set
->Browser will only send it over HTTPS
-Sensitive info shouldn’t be saved in a cookie
->This isn’t designed to be secure storage
Hypertext Transfer
Protocol (HTTP) headers
*
An additional layer of security
*
Add these to the web server configuration
*
You can’t fix every bad application
*
Enforce HTTPS communication
*
Ensure encrypted communication
*
Only allow scripts, stylesheets, or images from
the local site
*
Prevent XSS attacks
*
Prevent data from loading into an inline frame
(iframe)
*
Also helps to prevent XSS attacks
Code signing
-app deployed, usrs run app executable or scripts
->need to confirm that app was written by a specific developer
-app code can be digitally signed by the dev
->Asymmetric encryption
->A trusted CA signs the devs public key
->Dev signs code with their priv key
->4 internal apps, use your own CA
Allow list
Nothing runs unless it’s approved - Very restrictive
Block list/deny list
Nothing on the “bad list” can be executed
Anti-virus, anti-malware
Secure coding practices
Static code analysis
-aka source code analysis
-type of white box testing
->full visibility of testers
-allows testers to find problems other tests miss
-doesn’t run the program
->focuses on understanding how program is written + what code is intended to do
-conducted via automated tools or manually review
-automated static code analysis can be v effective at finding known issues
-manual static code analysis help identify programmer induced errors
Manual code review
Dynamic code analysis
-aka Fuzzing
-relies on execution of code while providing it wth input to test software
-via automated tools or manually
Fuzzing
-sending invalid/random data to app to test its ability to handle unexpected data
-app monitored to determine if it crashes, fails, responds incorrectly
-typically automated
-useful 4 detecting input validation, logic issues, mem leaks, error handling
-tends to only identify simple problems
->doesn’t acct 4 complex logic or business process issues
-may not provide complete code coverage if its progress isn’t monitored
Hardening
*
Minimize the attack surface
– Remove all possible entry points
*
Remove the potential for all known vulnerabilities
– As well as the unknown
*
Some hardening may have compliance mandates
– HIPAA servers, PCI DSS, etc.
*
There are many different resources
– Center for Internet Security (CIS)
– Network and Security Institute (SANS)
– National Institute of Standards and Technology (NIST)
Open ports and services
*
Every open port is a possible entry point
– Close everything except required ports
*
Control access with a firewall
– NGFW would be ideal
*
Unused or unknown services
– Installed with the OS or from other applications
*
Applications with broad port ranges
– Open port 0 through 65,535
*
Use Nmap or similar port scanner to verify
– Ongoing monitoring is important
Registry
*
The primary configuration database for Windows
– Almost everything can be configured from the registry
*
Useful to know what an application modifies
– Many third-party tools can show registry changes
*
Some registry changes are important security settings
– Configure registry permissions
– Disable SMBv1
Disk encryption
*Prevent access to application data files
– File system encryption
*Full disk encryption (FDE)
*Self-encrypting drive (SED)
*Opal storage specification
OS hardening
*Updates
– Operating system updates/service packs,
security patches
*User accounts
– Minimum password lengths and complexity
– Account limitations
*Network access and security
– Limit network access
*Monitor and secure
– Anti-virus, anti-malware
Patch management
System stability, security fixes
Monthly updates
– Incremental (and important)
Third-party updates
– App devs, device drivers
Auto-update
- Not always best option
Emergency out-of-band updates
– Zero-day + important sec discoveries
Third-party updates
Auto-update
SED
Self-encrypting drive
– Hardware-based full disk encryption
– No operating system software needed
Chapple 339
Gibson 153
Weiss 323
FDE
full disk encryption
– Encrypt everything on the drive
– BitLocker, FileVault, etc.
Opal (disk encryption)
Opal storage specification
– The standard for of SED storage
Hardware root of trust
*
Security is based on trust
– Is your data safely encrypted?
– Is this web site legitimate?
– Has the operating system been infected?
*
The trust has to start somewhere
– Trusted Platform Module (TPM),
– Hardware Security Module (HSM)
– Designed to be the hardware root of the trust
*
Difficult to change or avoid
– It’s hardware
– Won’t work without the hardware
Trusted Platform Module (TPM)
*
A specification for cryptographic functions
– Hardware to help with encryption functions
*
Cryptographic processor
– Random number generator, key generators
*
Persistent memory
– Comes with unique keys burned in during production
*
Versatile memory
– Storage keys, hardware configuration information
*
Password protected
– No dictionary attacks
Sandboxing
Apps can’t access unrelated resources
– They play in their own sandbox
Commonly used during development
– Can be a useful production technique
Used in many diff deployments
– Virtual machines
– Mobile devices
– Browser iframes (Inline Frames)
– Windows User Account Control (UAC)
