Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

CompTia Security+ SY0-601 Definitions > 3.2 - Host and Application Security > Flashcards

3.2 - Host and Application Security Flashcards

1
Q

The endpoint

A
  • The user’s access (application and data)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Defense in Depth

A
  • Layered protection
  • Multi-faceted protection
  • Defense strategy
  • This is needed b/c there are so many different platforms (mobile, desktop) and attackers can target inbound and outbound data and the user’s access (applications and data)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Anti-virus

A
  • Among the most common types of defenses
  • Added to user’s endpoints
  • Anti-virus is the popular term (ppl often use it to mean also including anti-malware)
  • Refers to a specific type of malware: trojans, worms, macro viruses, other malicious attacks
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Anti-malware

A
  • Malware refers to the broad malicious software category

- Anti-malware stops spyware, ransomware, fileless malware

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Antivirus + Antimalware

A
  • Term effectively the same these days, names more of a marketing tool
  • Anti-virus software is now also anti-malware
  • Make sure your system is using a comprehensive solution
  • Tend to work by identifying the use of malicious code through the use of signatures (this can pose challenges)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Signatures

A
  • Set pattern that may be within the file or memory that is being used by malicious software
  • Anti- virus/ malware often rely on signatures for identifying malicious code
  • Challenge: Attackers have found ways around using signatures so new techniques are needed (like EDR (Endpoint Detection and Response)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

EDR

A
  • Endpoint Detection and Response
  • A different method of threat protection (from using signatures)
  • Can scale to meet the increasing number of threats
  • Instead of only looking at signatures in a file, can look at what the file is doing (Behavior analysis, machine learning, process monitoring)
  • Can often perform root cause analysis (determine why behavior happened in the first place and identify the code use in running the malicious software)
  • it can then respond to the threat (isolate the system, quarantine the software, rollback to a previous config)
  • API driven, no user or technician intervention required
  • Lightweight agent on the endpoint
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

DLP

A
  • Data Loss Prevention
  • Designed to stop data leakage before the attacker gets it (prevent data being sent across the network in the clear or in encrypted form)
  • Challenge: So many sources, destinations
  • Therefore, DLP often involves multiple solutions (Ex: could be in a firewall, in client software, in a cloud=based system)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

NGFW

A
  • Next Generation Firewall
  • Able to identify the applications (and individual features in app) that are flowing over the network, regardless of the IP address or port numbers that may be in use
  • Security personnel can set policies to allow/disallow applications on the network (or features in apps) (ex: can allow someone to view info on twitter but not post)
  • The OSI Application layer
  • aka Application Layer Gateway, Stateful multilayer inspection, Deep packet inspection
  • usually have anti-virus/ malware too that can block at the network level
  • Often has SSL encryption functionality, so that it can decrypt any information being sent, examine it, and re-encrypt it
  • often have a url filtering capability ( can block base on categorization too)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Host-Base Firewall

A
  • In addition to the network firewalls, also useful to have these, which are on the individual end points
  • Software-based firewall
  • Personal firewall, runs on every endpoint
  • Can see all applications incoming / outgoing traffic and can set controls
  • It can see all data in the clear at the endpoint
  • It can see everything happening in the OS (can see unknown processes trying to start and stop malware before it can start)
  • Common to manage it centrally (so you can put host-based firewalls on all endpoints but have one central place to mange)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

HIDS

A
  • Host-Based Intrusion Detection System
  • Uses log files to identify intrusions
  • Can reconfigure firewalls to block
  • secondary type of security
  • less common these days (HIPS (host-based intrusion prevention system) more common)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

HIPS

A
  • Host-based intrusion prevention system
  • more common these days
  • Recognize and block known attacks
  • Secure OS and application configs, validate incoming service requests
  • often built into endpoint protection software (that’s being used by anti-virus/malware)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

HIPS Identification

A
  • HIPS (host-based intrusion prevention system) often uses signatures, heuristics (when large changes are occurring and why) , behavioral indicators
  • Ex: could have buffer overflows with a known signature, or registry update unexpectedly occurs, which would fire the heuristics engine, or writing files to the Windows folder might set of the behavioral indicators
  • Access to non-encrypted data that may be running in memory (b/c it’s running on the endpoint)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Boot integrity

A
  • Boot process is a perfect infection point
  • Ex: rootkits run in kernel mode, have the same rights as the OS
  • Remember it’s very difficult for attackers to get into the OS (they don’t want to get kicked out b/c it’s even harder the second time). They want to get in and stay in.
  • Protecting every part of the boot process is so critical
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Chain of trust

A
  • Secure boot, Trusted boot, and Measured boot
  • Security is based on trust
  • Of course trust is based on things (like TPM Trusted Platform Module, HSM - Hardware Security Module)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

TPM

A
  • Trusted Platform Module
  • A specification for cryptographic functions
  • hardware to help with encryption functions
  • On an individual system
  • Can include a cryptographic processor, Persistent memory, versatile memory
  • all info is password protected (w/ anti-brute force technology)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

HSM

A
  • Hardware Security Module
  • This hardware root of trust provides the foundation of the trust model
  • Significant security advantage of hardware, is that it’s hardware, have to physically change it
  • Hardware must be installed for the trust to be installed
  • So there should be a TPM on OS (Trusted Platform Module) to give you that HSM
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Persistent Memory

A
  • Comes with unique keys, burned in during production -
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Cryptographic processor

A
  • Random number generator, key generator

- often found on TPMs (Trusted Platform Module)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

Versatile memory

A
  • Storage keys, hardware configuration information
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

UEFI BIOS - Secure Boot

A
  • Part of the UEFI specification

-

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

UEFI BIOS - Secure Boot

A
  • Part of the UEFI specification
  • BIOS includes the manufacturers public key
  • Digital signature is checked during a BIOS update
  • BIOS prevents unauthorized writes to the flash
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

Bootloader

A
  • Secure Boot verifies the bootloader
  • checks the boot loaders digital signature
  • Boot loader must be signed with a trusted certificate
  • Or a manually approved the digital signature
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

UEFI BIOS - Secure Boot

A
  • Part of the UEFI specification
  • BIOS includes the manufacturers public key
  • Digital signature is checked during a BIOS update
  • BIOS prevents unauthorized writes to the flash
  • Secure Boot verifies the bootloader
  • checks the boot loaders digital signature
  • Boot loader must be signed with a trusted certificate
  • Or a manually approved the digital signature
  • Anything updated during this process will have a secure hash that is stored in the TPM (like the trusted boot process, which can then be looked at in the measured boot process)
25
Trusted Boot
- Once Secure bootloader is complete, move on to Trusted - Bootloader verifies digital signature of the OS kernel - a corrupted kernel will stop the process - the kernel of OS will verify other parts ( boot drivers, start up files) - starts ELAM (Early Launch Anti- Malware) - Anything updated during this process will have a secure hash that is stored in the TPM (like the UEFI boot process, which can then be looked at in the measured boot process)
26
Measured Boot process
- Allows us to see if any changes happened to OS - Easy if it's just your computer, difficult when there are many - Automated way to see if anything on computer has been by malware - UEFI stores a hash on the firmware, boot drivers and everything else loaded during the Secure Boot and Trusted boot process (has created is stored within the TPM of the system) - Now that this information has been gathered, can begin Remote Attestation.
27
Remote Attestation
- Device provides an operational report to a verification server ( a central attestation server) - Encrypted and digitally signed with the TPM - Attestation server receives the boot report and any changes are identified (if software /hardware has been modified then sys admins can turn off until changes can be reviewed by a tecchnician)
28
Remote Attestation
- Device provides an operational report to a verification server ( a central attestation server) - Encrypted and digitally signed with the TPM - Attestation server receives the boot report and any changes are identified (if software /hardware has been modified then sys admins can turn off until changes can be reviewed by a technician)
29
Database security
- Protecting DB and the transmission of DB is key - Intellectual property storage (it's valuable) - Might be compliance rules: PCI DSS, HIPAA, GDPR, etc. - Secure DB storage keeps business running smoothly (continuity) - Breaches are expensive - Ways to store DB securely: (Ex: tokenization, hashing a password, adding salt
30
Tokenization
- Replace sensitive data with non-sensitive placeholder (ex: SSN 123-45-6789 is replaced with 342-11-2343) - completely different number with no representation to original data - common during CC processing (temporary token during payment, an attacker capturing these can't use them later, it is verified and then thrown away) - limit the use of the tokens - not hashing or encrypting (so no overhead)
31
Hash
- Represents data as a fixed- length string of text - message digest or 'finger print' - will not have a collision (hopefully) - no way to retrieve value from a hash (not an encrypted representation) - no way to reverse the process - SHA256 is a hashing algorithm (the hash is a 256 bit fixed length string)
32
Salt
- Random data added to a password when hashing - every user gets their own random salt - limits the effectiveness of rainbow tables (pre-computed set of hashes + original values) - slows down the brute force process
33
Input validation
- Developer needs to document everywhere information is going into an application (forms, fields, type) - If anything is outside the scope of what it should be, should be resolved (normalization) - Prevents an attacker from Fuzzing
34
Dynamic Analysis
- Send random input to an application - fault-injecting, robustness testing, syntax testing, negative testing - attackers looking for something unusual to occur (like a buffer overflow, server error) - aka Fuzzing
35
Fuzzing tests
- May be specific to a platform or application - Take a lot of time and processing power (fuzzing engine tries a lot of different things, usually optimized to find the most likely vulnerabilities) - Almost always automated
36
BFF
- CERT Basic Fuzzing Framework | - Can see if there are any vulnerabilities
37
CERT
- Carnegie Mellon Computer Emergency Response Team | - developed a BFF to identify fuzzing opportunities
38
Cookies
- Information stored on your computer by the browswer - Used for tracking, personalization, session management - not an executable, generally not a security concern - but need to make sure they're protected - Most cookies have an attribute on them to make them as secure, tells browser needs to be sent over HTTPs - Sensitive information should not be saved in a cookie (not designed to be secure storage)
39
HTTP Secure Headers
- Way to configure a webserver to restrict capabilities of browswer to be able to perform certain functions - A way to make our applications more secure - Ex: Enforce HTTPS communication or might try to prevent a XSS attack by telling browser to only allow scripts, stylesheets, or images from a local site, or prevent data from loading into an iframe
40
iframe
- inline frame | - Data loaded into an inline frame are often targeted by attackers during a XSS attack
41
Code Signing
- Need a trusted CA (certificate authority) to sign the developer's public key - then the developer uses their private key to digitally sign - Then when you download it you can verify it with the developer's public key - very similar to the process of providing encryption certificates to webservers - Every time you run a new application, need to verify that there is no malicious software in the executable - Want to confirm that the application we're running is the same one deployed by the application developer
42
Allow list
- many admins will configure OS or security software settings to only allow certain apps from executing - more restrictive than the 'deny list' - Any application can be dangerous (vulnerabilities, trojan horses, malware)
43
Deny list
- Nothing on the 'bad list' can be executed | - slightly more open list than the allow list
44
Allow and Deny lists
- Often things are built into the OS to create the allow / deny lists - Ex: Application Hash - Only allows applications with this unique identifier - Ex: Certificate - Allow digitally signed apps from certain publishers (like Microsoft, adobe, etc) - Ex: Path - Only run applications that are stored in certain folders - Ex: Network Zone - apps can only from this network zone (internal server vs internet for example)
45
SAST
- Statistic Application Security Testing - Automate the process to help identify security flaws - ID places there might be security vulnerabilities (ex: buffer overflows, database injections, etc.) - Not everything can be identified through analysis (Ex: authentication security, insecure cryptography, etc) - Output could have false positives (each instance needs to be examined and confirmed)
46
Application Hardening
- Minimize the attack surface - Remove all possible entry points - Want to remove known and unknown attack points - Sometimes it comes from a third party or compliance mandates (ex: HIPAA servers, PCSS DSS, etc) - Resources to help you harden your application: CIS (Center for Internet Security), SANS (Network and Security Institutes) , NIST (National Institutes of Standards and Technology)
47
Open Ports
- Want to close all port on device, except the ones that provide exactly the services need by the application - Commonly done by Firewall (controls the IP Addresses and port numbers that can be used) - Next-gen Firewall is ideal b/c also restricts which applications can flow over that particular IP and port number - Every open port is a possible entry point - In order to harden your application you'll want to limit these - Ports might open without knowledge, don't' want to provide every port (0 - 65,535)
48
NMap scan
- Or a similar port scanner is a good idea when hardening your application to see what ports are open - ongoing monitoring is important
49
Registry
- Large Windows DB that contains configuration settings for windows OS and applications that run on the OS - Challenge: when we install new application, don't know what's been changed in the registry - Common to use third- party tools to see what the registry looked like pre-installation and post installation to show registry changes - Some registries can allow applications to configure permissions to make changes - Sometimes you can disable vulnerabilities (ex: a vulnerability was found in SMBv1 so now it's common to disable the registry for this in every windows computer) - hierarchical structure and thousands of settings (always want to backup registry before making changes)
50
Disk Encryption
- Prevent access to application data files | - file system encryption
51
FDE
- Full Disk Encryption - A type of Disk Encryption - Ex: BitLocker, FileVault, etc (these are full disk utilities built into the Windows OS)
52
SED
- Self-Encrypting Drive - Hardware-based full disk encryption (built into hardware, not specific to OS ) - No-operating system software needed - Used in some highly secure environments - Opal storage specification applies
53
Opal Storage Specification
- Standard for SED (Self-encrypting drive) | - You want to be sure this drives follows this standard
54
OS Hardening
- Many different types of OS - Each one has a different set of techniques to make it more hardened - Common technique: Make sure everything is up to date (ex: OS Updates/ service packs, security patches) - still need anti-virus/ anti malware - user account, network hardening
55
User Account Hardening
- Minimum password lengths and complexity | - Account limitations, only allow them to perform tasks necessary to their jobs
56
Network hardening
- Limit network access / input and output from other devices across the network
57
Patch magnement
- Incredibly important - standard part of OS, built into scheduling and automatically deployed - system stability and security fixes - many OS has monthly updates (batch updates) - Keep update processes manageable and keeps systems up to date - Third party updates, device drivers all need to be kept up to date - However, auto-updates are not always the best option even though you want to keep everything updated - Emergency, out of band updates (might have been in response to a 0 day attack)
58
Sandboxing
- Applications cannot access unrelated resources - Often used in development process - But also has value in a production environment - Ex: in VMs, or mobile devices (browswer wouldn't have access to other types of data on device. data is sandboxed) - Ex: browsers can also erect sandboxes inside the browser, esp important with iframes (inline frames)
59
UAC
- User Account Control - Application doesn't have access to other types of data unless specifically granted - Ex: in Windows, there is extensive sandboxing for UACs

CompTia Security+ SY0-601 Definitions (47 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions