3.2 - Given a scenario, implement host or application security solutions. Flashcards

1
Q

Antivirus

A

– Refers specifically to a type of malware

– Trojans, worms, macro viruses

– Anti-virus software is also anti-malware software now

2
Q

Anti-malware

A

– Anti-malware stops spyware, ransomware,
fileless malware

3
Q

EDR

A

-Endpoint detection and response

A different method of threat protection
– Scale to meet the increasing number of threats

Detect a threat
– Signatures aren’t the only detection tool
– Behavioral analysis, machine learning,
process monitoring
– Lightweight agent on the endpoint

Investigate the threat
– Root cause analysis

Respond to the threat
– Isolate the system, quarantine the threat, rollback
to a previous config
– API driven, no user or technician intervention required

4
Q

DLP

A

Stop the data before the attacker gets it
– Data “leakage”

So many sources, so many destinations
– Often requires multiple solutions
– Endpoint clients
– Cloud-based systems
– Email, cloud storage, collaboration tools

5
Q

NGFW

A

-Next-generation firewall

The OSI Application Layer - All data in every packet

Can be called different names
– Application layer gateway
– Stateful multilayer inspection, deep packet inspection

Broad security controls
– Allow or disallow application features
– Identify attacks and malware
– Examine encrypted data
– Prevent access to URLs or URL categories

6
Q

HIPS

A

-Host-based intrusion prevention system

– Recognize and block known attacks

– Secure OS and application configs, validate
incoming service requests

– Often built into endpoint protection software

HIPS identification
– Signatures, heuristics, behavioral

– Buffer overflows, registry updates, writing files to the Windows folder

– Access to non-encrypted data

7
Q

HIDS

A
-Host-based intrusion detection system

-Uses log files to identify intrusions

-Can reconfigure firewalls to block

8
Q

Host-based firewall

A

Software-based firewall
– Personal firewall, runs on every endpoint

Allow or disallow incoming or outgoing
application traffic
– Control by application process
– View all data

Identify and block unknown processes
– Stop malware before it can start

Manage centrally

Gibson 88
-monitors traffic going in/out of a single host (server/workstation/etc.)
-monitors traffic passing through the NIC and can prevent intrusion into the computer via the NIC
-allows you to configure rules to allow/restrict inbound and outbound traffic
-many organizations use personal firewalls along with network firewalls (important to use personal firewalls when accessing the internet in a public place)

9
Q

Boot integrity

A

*
The attack on our systems is constant
– Techniques are constantly changing
*
Attackers compromise a device
– And want it to stay compromised
*
The boot process is a perfect infection point
– Rootkits run in kernel mode
– Have the same rights as the operating system
*
Protecting the boot process is important
– Secure boot, trusted boot, and measured boot
– A chain of trust

10
Q

Boot security/Unified Extensible Firmware Interface (UEFI)

A

*
Secure Boot
– Part of the UEFI specification
*
UEFI BIOS protections
– BIOS includes the manufacturer’s public key
– Digital signature is checked during a BIOS update
– BIOS prevents unauthorized writes to the flash
*
Secure Boot verifies the bootloader
– Checks the bootloader’s digital signature
– Bootloader must be signed with a trusted certificate
– Or a manually approved digital signature

11
Q

Measured boot

A

-Verifies that nothing on the computer has changed

UEFI stores a hash of the firmware, boot drivers, and everything else loaded during the Secure Boot and Trusted Boot process
– Stored in the TPM

Remote attestation
– Device provides an operational report to a
verification server
– Encrypted and digitally signed with the TPM
*
Attestation server receives the boot report
– Changes are identified and managed

12
Q

Boot attestation

A

Remote attestation
– Device provides an operational report to a
verification server
– Encrypted and digitally signed with the TPM

Attestation server receives the boot report
– Changes are identified and managed

13
Q

Database

A

Protecting stored data and the transmission of that data

Intellectual property storage

Compliance issues
– PCI DSS, HIPAA, GDPR, etc.

Keep the business running
– Security provides continuity

Breaches are expensive - keep costs low

14
Q

Tokenization

A

Replace sensitive data with a non-sensitive placeholder
– SSN 266-12-1112 is now 691-61-8539

Common with credit card processing
– Use a temporary token during payment
– An attacker capturing the card numbers can’t use them later

ISN’T encryption OR hashing
– The original data and the token aren’t mathematically related
– No encryption overhead

15
Q

Salting

A

Salt = Random data added to a password when hashing

Every user gets their own random salt
->The salt is commonly stored with the password

Rainbow tables won’t work with salted hashes
->Additional random value added to the original password

Slows down the brute force process
->Doesn’t completely stop reverse engineering

16
Q

Hashing

A

Hashes represent data as a fixed-length string of text

Won’t have a collision (hopefully)
– Different inputs won’t have the same hash

One-way trip
– Impossible to recover the original message from the digest
– Common way to store passwords

17
Q

Application security

A
18
Q

Input validations

A

What is the expected input?
->Validate actual vs. expected

Document all input methods
->Forms, fields, type

Check and correct all input (normalization)
-> EX: zip code should be only X characters long
with a letter in the X column
->Fix any data with improper input

-The fuzzers will find what you missed

19
Q

Secure cookies

A

Cookies = information stored on your computer by the browser

-Used for:
->Tracking
->Personalization
->Session management

-Not executable, generally not a security risk UNLESS someone gets access to them

-Secure cookies have the Secure attribute set
->The browser will only send the cookie over HTTPS

-Sensitive information shouldn’t be saved in a cookie
->Cookies aren’t designed to be secure storage

20
Q

Hypertext Transfer
Protocol (HTTP) headers

A

*
An additional layer of security
– Add these to the web server configuration
– You can’t fix every bad application
*
Enforce HTTPS communication
– Ensure encrypted communication
*
Only allow scripts, stylesheets, or images from the local site
– Prevent XSS attacks
*
Prevent data from loading into an inline frame (iframe)
– Also helps to prevent XSS attacks

21
Q

Code signing

A

-Once an app is deployed, users run the app executable or scripts
->Need to confirm that the app was written by a specific developer

-App code can be digitally signed by the developer
->Asymmetric encryption
->A trusted CA signs the developer’s public key
->The developer signs the code with their private key
->For internal apps, use your own CA

22
Q

Allow list

A

Nothing runs unless it’s approved - Very restrictive

23
Q

Block list/deny list

A

Nothing on the “bad list” can be executed

Anti-virus, anti-malware

24
Q

Secure coding practices

A
25
Q

Static code analysis

A

-aka source code analysis
-Type of white box testing
->Full visibility for testers
-Allows testers to find problems other tests miss
-Doesn’t run the program
->Focuses on understanding how the program is written and what the code is intended to do
-Conducted via automated tools or manual review

-Automated static code analysis can be very effective at finding known issues

-Manual static code analysis helps identify programmer-induced errors

26
Q

Manual code review

A
27
Q

Dynamic code analysis

A

-aka Fuzzing
-Relies on execution of the code while providing it with input to test the software
-Via automated tools or manually

28
Q

Fuzzing

A

-Sending invalid/random data to an app to test its ability to handle unexpected data
-App is monitored to determine if it crashes, fails, or responds incorrectly
-Typically automated
-Useful for detecting input validation, logic issues, memory leaks, and error handling problems
-Tends to only identify simple problems
->Doesn’t account for complex logic or business process issues
-May not provide complete code coverage if its progress isn’t monitored

29
Q

Hardening

A

*
Minimize the attack surface
– Remove all possible entry points
*
Remove the potential for all known vulnerabilities
– As well as the unknown
*
Some hardening may have compliance mandates
– HIPAA servers, PCI DSS, etc.
*
There are many different resources
– Center for Internet Security (CIS)
– Network and Security Institute (SANS)
– National Institute of Standards and Technology (NIST)

30
Q

Open ports and services

A

*
Every open port is a possible entry point
– Close everything except required ports
*
Control access with a firewall
– NGFW would be ideal
*
Unused or unknown services
– Installed with the OS or from other applications
*
Applications with broad port ranges
– Open port 0 through 65,535
*
Use Nmap or similar port scanner to verify
– Ongoing monitoring is important

31
Q

Registry

A

*
The primary configuration database for Windows
– Almost everything can be configured from the registry
*
Useful to know what an application modifies
– Many third-party tools can show registry changes
*
Some registry changes are important security settings
– Configure registry permissions
– Disable SMBv1

32
Q

Disk encryption

A

*Prevent access to application data files
– File system encryption

*Full disk encryption (FDE)
*Self-encrypting drive (SED)
*Opal storage specification

33
Q

OS hardening

A

*Updates
– Operating system updates/service packs,
security patches

*User accounts
– Minimum password lengths and complexity
– Account limitations

*Network access and security
– Limit network access

*Monitor and secure
– Anti-virus, anti-malware

34
Q

Patch management

A

System stability, security fixes

Monthly updates
– Incremental (and important)

Third-party updates
– App devs, device drivers

Auto-update
- Not always best option

Emergency out-of-band updates
– Zero-day + important sec discoveries

35
Q

Third-party updates

A
36
Q

Auto-update

A
37
Q

SED

A

Self-encrypting drive

– Hardware-based full disk encryption
– No operating system software needed

Chapple 339
Gibson 153
Weiss 323

38
Q

FDE

A

full disk encryption

– Encrypt everything on the drive
– BitLocker, FileVault, etc.

39
Q

Opal (disk encryption)

A

Opal storage specification
– The standard for SED storage

40
Q

Hardware root of trust

A

*
Security is based on trust
– Is your data safely encrypted?
– Is this web site legitimate?
– Has the operating system been infected?
*
The trust has to start somewhere
– Trusted Platform Module (TPM)
– Hardware Security Module (HSM)
– Designed to be the hardware root of the trust
*
Difficult to change or avoid
– It’s hardware
– Won’t work without the hardware

41
Q

Trusted Platform Module (TPM)

A

*
A specification for cryptographic functions
– Hardware to help with encryption functions
*
Cryptographic processor
– Random number generator, key generators
*
Persistent memory
– Comes with unique keys burned in during production
*
Versatile memory
– Storage keys, hardware configuration information
*
Password protected
– No dictionary attacks

42
Q

Sandboxing

A

Apps can’t access unrelated resources
– They play in their own sandbox

Commonly used during development
– Can be a useful production technique

Used in many different deployments
– Virtual machines
– Mobile devices
– Browser iframes (Inline Frames)
– Windows User Account Control (UAC)