3.2 - Host and Application Security Flashcards
1
Q
The endpoint
A
- The user’s access (application and data)
2
Q
Defense in Depth
A
- Layered protection
- Multi-faceted protection
- Defense strategy
- This is needed b/c there are so many different platforms (mobile, desktop) and attackers can target inbound and outbound data and the user’s access (applications and data)
3
Q
Anti-virus
A
- Among the most common types of defenses
- Added to user’s endpoints
- Anti-virus is the popular term (ppl often use it to mean also including anti-malware)
- Refers to a specific type of malware: trojans, worms, macro viruses, other malicious attacks
4
Q
Anti-malware
A
- Malware refers to the broad malicious software category
- Anti-malware stops spyware, ransomware, fileless malware
5
Q
Antivirus + Antimalware
A
- Term effectively the same these days, names more of a marketing tool
- Anti-virus software is now also anti-malware
- Make sure your system is using a comprehensive solution
- Tend to work by identifying the use of malicious code through the use of signatures (this can pose challenges)
6
Q
Signatures
A
- Set pattern that may be within the file or memory that is being used by malicious software
- Anti- virus/ malware often rely on signatures for identifying malicious code
- Challenge: Attackers have found ways around using signatures so new techniques are needed (like EDR (Endpoint Detection and Response)
7
Q
EDR
A
- Endpoint Detection and Response
- A different method of threat protection (from using signatures)
- Can scale to meet the increasing number of threats
- Instead of only looking at signatures in a file, can look at what the file is doing (Behavior analysis, machine learning, process monitoring)
- Can often perform root cause analysis (determine why behavior happened in the first place and identify the code use in running the malicious software)
- it can then respond to the threat (isolate the system, quarantine the software, rollback to a previous config)
- API driven, no user or technician intervention required
- Lightweight agent on the endpoint
8
Q
DLP
A
- Data Loss Prevention
- Designed to stop data leakage before the attacker gets it (prevent data being sent across the network in the clear or in encrypted form)
- Challenge: So many sources, destinations
- Therefore, DLP often involves multiple solutions (Ex: could be in a firewall, in client software, in a cloud=based system)
9
Q
NGFW
A
- Next Generation Firewall
- Able to identify the applications (and individual features in app) that are flowing over the network, regardless of the IP address or port numbers that may be in use
- Security personnel can set policies to allow/disallow applications on the network (or features in apps) (ex: can allow someone to view info on twitter but not post)
- The OSI Application layer
- aka Application Layer Gateway, Stateful multilayer inspection, Deep packet inspection
- usually have anti-virus/ malware too that can block at the network level
- Often has SSL encryption functionality, so that it can decrypt any information being sent, examine it, and re-encrypt it
- often have a url filtering capability ( can block base on categorization too)
10
Q
Host-Base Firewall
A
- In addition to the network firewalls, also useful to have these, which are on the individual end points
- Software-based firewall
- Personal firewall, runs on every endpoint
- Can see all applications incoming / outgoing traffic and can set controls
- It can see all data in the clear at the endpoint
- It can see everything happening in the OS (can see unknown processes trying to start and stop malware before it can start)
- Common to manage it centrally (so you can put host-based firewalls on all endpoints but have one central place to mange)
11
Q
HIDS
A
- Host-Based Intrusion Detection System
- Uses log files to identify intrusions
- Can reconfigure firewalls to block
- secondary type of security
- less common these days (HIPS (host-based intrusion prevention system) more common)
12
Q
HIPS
A
- Host-based intrusion prevention system
- more common these days
- Recognize and block known attacks
- Secure OS and application configs, validate incoming service requests
- often built into endpoint protection software (that’s being used by anti-virus/malware)
13
Q
HIPS Identification
A
- HIPS (host-based intrusion prevention system) often uses signatures, heuristics (when large changes are occurring and why) , behavioral indicators
- Ex: could have buffer overflows with a known signature, or registry update unexpectedly occurs, which would fire the heuristics engine, or writing files to the Windows folder might set of the behavioral indicators
- Access to non-encrypted data that may be running in memory (b/c it’s running on the endpoint)
14
Q
Boot integrity
A
- Boot process is a perfect infection point
- Ex: rootkits run in kernel mode, have the same rights as the OS
- Remember it’s very difficult for attackers to get into the OS (they don’t want to get kicked out b/c it’s even harder the second time). They want to get in and stay in.
- Protecting every part of the boot process is so critical
15
Q
Chain of trust
A
- Secure boot, Trusted boot, and Measured boot
- Security is based on trust
- Of course trust is based on things (like TPM Trusted Platform Module, HSM - Hardware Security Module)
16
Q
TPM
A
- Trusted Platform Module
- A specification for cryptographic functions
- hardware to help with encryption functions
- On an individual system
- Can include a cryptographic processor, Persistent memory, versatile memory
- all info is password protected (w/ anti-brute force technology)
17
Q
HSM
A
- Hardware Security Module
- This hardware root of trust provides the foundation of the trust model
- Significant security advantage of hardware, is that it’s hardware, have to physically change it
- Hardware must be installed for the trust to be installed
- So there should be a TPM on OS (Trusted Platform Module) to give you that HSM
18
Q
Persistent Memory
A
- Comes with unique keys, burned in during production -
19
Q
Cryptographic processor
A
- Random number generator, key generator
- often found on TPMs (Trusted Platform Module)
20
Q
Versatile memory
A
- Storage keys, hardware configuration information
21
Q
UEFI BIOS - Secure Boot
A
- Part of the UEFI specification
-
22
Q
UEFI BIOS - Secure Boot
A
- Part of the UEFI specification
- BIOS includes the manufacturers public key
- Digital signature is checked during a BIOS update
- BIOS prevents unauthorized writes to the flash
23
Q
Bootloader
A
- Secure Boot verifies the bootloader
- checks the boot loaders digital signature
- Boot loader must be signed with a trusted certificate
- Or a manually approved the digital signature