3.2 - Host and Application Security Flashcards

1
Q

The endpoint

A
  • The user’s access (application and data)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Defense in Depth

A
  • Layered protection
  • Multi-faceted protection
  • Defense strategy
  • This is needed b/c there are so many different platforms (mobile, desktop) and attackers can target inbound and outbound data and the user’s access (applications and data)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Anti-virus

A
  • Among the most common types of defenses
  • Added to user’s endpoints
  • Anti-virus is the popular term (ppl often use it to mean also including anti-malware)
  • Refers to a specific type of malware: trojans, worms, macro viruses, other malicious attacks
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Anti-malware

A
  • Malware refers to the broad malicious software category

- Anti-malware stops spyware, ransomware, fileless malware

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Antivirus + Antimalware

A
  • Term effectively the same these days, names more of a marketing tool
  • Anti-virus software is now also anti-malware
  • Make sure your system is using a comprehensive solution
  • Tend to work by identifying the use of malicious code through the use of signatures (this can pose challenges)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Signatures

A
  • Set pattern that may be within the file or memory that is being used by malicious software
  • Anti- virus/ malware often rely on signatures for identifying malicious code
  • Challenge: Attackers have found ways around using signatures so new techniques are needed (like EDR (Endpoint Detection and Response)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

EDR

A
  • Endpoint Detection and Response
  • A different method of threat protection (from using signatures)
  • Can scale to meet the increasing number of threats
  • Instead of only looking at signatures in a file, can look at what the file is doing (Behavior analysis, machine learning, process monitoring)
  • Can often perform root cause analysis (determine why behavior happened in the first place and identify the code use in running the malicious software)
  • it can then respond to the threat (isolate the system, quarantine the software, rollback to a previous config)
  • API driven, no user or technician intervention required
  • Lightweight agent on the endpoint
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

DLP

A
  • Data Loss Prevention
  • Designed to stop data leakage before the attacker gets it (prevent data being sent across the network in the clear or in encrypted form)
  • Challenge: So many sources, destinations
  • Therefore, DLP often involves multiple solutions (Ex: could be in a firewall, in client software, in a cloud=based system)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

NGFW

A
  • Next Generation Firewall
  • Able to identify the applications (and individual features in app) that are flowing over the network, regardless of the IP address or port numbers that may be in use
  • Security personnel can set policies to allow/disallow applications on the network (or features in apps) (ex: can allow someone to view info on twitter but not post)
  • The OSI Application layer
  • aka Application Layer Gateway, Stateful multilayer inspection, Deep packet inspection
  • usually have anti-virus/ malware too that can block at the network level
  • Often has SSL encryption functionality, so that it can decrypt any information being sent, examine it, and re-encrypt it
  • often have a url filtering capability ( can block base on categorization too)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Host-Base Firewall

A
  • In addition to the network firewalls, also useful to have these, which are on the individual end points
  • Software-based firewall
  • Personal firewall, runs on every endpoint
  • Can see all applications incoming / outgoing traffic and can set controls
  • It can see all data in the clear at the endpoint
  • It can see everything happening in the OS (can see unknown processes trying to start and stop malware before it can start)
  • Common to manage it centrally (so you can put host-based firewalls on all endpoints but have one central place to mange)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

HIDS

A
  • Host-Based Intrusion Detection System
  • Uses log files to identify intrusions
  • Can reconfigure firewalls to block
  • secondary type of security
  • less common these days (HIPS (host-based intrusion prevention system) more common)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

HIPS

A
  • Host-based intrusion prevention system
  • more common these days
  • Recognize and block known attacks
  • Secure OS and application configs, validate incoming service requests
  • often built into endpoint protection software (that’s being used by anti-virus/malware)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

HIPS Identification

A
  • HIPS (host-based intrusion prevention system) often uses signatures, heuristics (when large changes are occurring and why) , behavioral indicators
  • Ex: could have buffer overflows with a known signature, or registry update unexpectedly occurs, which would fire the heuristics engine, or writing files to the Windows folder might set of the behavioral indicators
  • Access to non-encrypted data that may be running in memory (b/c it’s running on the endpoint)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Boot integrity

A
  • Boot process is a perfect infection point
  • Ex: rootkits run in kernel mode, have the same rights as the OS
  • Remember it’s very difficult for attackers to get into the OS (they don’t want to get kicked out b/c it’s even harder the second time). They want to get in and stay in.
  • Protecting every part of the boot process is so critical
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Chain of trust

A
  • Secure boot, Trusted boot, and Measured boot
  • Security is based on trust
  • Of course trust is based on things (like TPM Trusted Platform Module, HSM - Hardware Security Module)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

TPM

A
  • Trusted Platform Module
  • A specification for cryptographic functions
  • hardware to help with encryption functions
  • On an individual system
  • Can include a cryptographic processor, Persistent memory, versatile memory
  • all info is password protected (w/ anti-brute force technology)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

HSM

A
  • Hardware Security Module
  • This hardware root of trust provides the foundation of the trust model
  • Significant security advantage of hardware, is that it’s hardware, have to physically change it
  • Hardware must be installed for the trust to be installed
  • So there should be a TPM on OS (Trusted Platform Module) to give you that HSM
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Persistent Memory

A
  • Comes with unique keys, burned in during production -
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Cryptographic processor

A
  • Random number generator, key generator

- often found on TPMs (Trusted Platform Module)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

Versatile memory

A
  • Storage keys, hardware configuration information
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

UEFI BIOS - Secure Boot

A
  • Part of the UEFI specification

-

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

UEFI BIOS - Secure Boot

A
  • Part of the UEFI specification
  • BIOS includes the manufacturers public key
  • Digital signature is checked during a BIOS update
  • BIOS prevents unauthorized writes to the flash
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

Bootloader

A
  • Secure Boot verifies the bootloader
  • checks the boot loaders digital signature
  • Boot loader must be signed with a trusted certificate
  • Or a manually approved the digital signature
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

UEFI BIOS - Secure Boot

A
  • Part of the UEFI specification
  • BIOS includes the manufacturers public key
  • Digital signature is checked during a BIOS update
  • BIOS prevents unauthorized writes to the flash
  • Secure Boot verifies the bootloader
  • checks the boot loaders digital signature
  • Boot loader must be signed with a trusted certificate
  • Or a manually approved the digital signature
  • Anything updated during this process will have a secure hash that is stored in the TPM (like the trusted boot process, which can then be looked at in the measured boot process)
25
Q

Trusted Boot

A
  • Once Secure bootloader is complete, move on to Trusted
  • Bootloader verifies digital signature of the OS kernel
  • a corrupted kernel will stop the process
  • the kernel of OS will verify other parts ( boot drivers, start up files)
  • starts ELAM (Early Launch Anti- Malware)
  • Anything updated during this process will have a secure hash that is stored in the TPM (like the UEFI boot process, which can then be looked at in the measured boot process)
26
Q

Measured Boot process

A
  • Allows us to see if any changes happened to OS
  • Easy if it’s just your computer, difficult when there are many
  • Automated way to see if anything on computer has been by malware
  • UEFI stores a hash on the firmware, boot drivers and everything else loaded during the Secure Boot
    and Trusted boot process (has created is stored within the TPM of the system)
  • Now that this information has been gathered, can begin Remote Attestation.
27
Q

Remote Attestation

A
  • Device provides an operational report to a verification server ( a central attestation server)
  • Encrypted and digitally signed with the TPM
  • Attestation server receives the boot report and any changes are identified (if software /hardware has been modified then sys admins can turn off until changes can be reviewed by a tecchnician)
28
Q

Remote Attestation

A
  • Device provides an operational report to a verification server ( a central attestation server)
  • Encrypted and digitally signed with the TPM
  • Attestation server receives the boot report and any changes are identified (if software /hardware has been modified then sys admins can turn off until changes can be reviewed by a technician)
29
Q

Database security

A
  • Protecting DB and the transmission of DB is key
  • Intellectual property storage (it’s valuable)
  • Might be compliance rules: PCI DSS, HIPAA, GDPR, etc.
  • Secure DB storage keeps business running smoothly (continuity)
  • Breaches are expensive
  • Ways to store DB securely: (Ex: tokenization, hashing a password, adding salt
30
Q

Tokenization

A
  • Replace sensitive data with non-sensitive placeholder (ex: SSN 123-45-6789 is replaced with 342-11-2343)
  • completely different number with no representation to original data
  • common during CC processing (temporary token during payment, an attacker capturing these can’t use them later, it is verified and then thrown away)
  • limit the use of the tokens
  • not hashing or encrypting (so no overhead)
31
Q

Hash

A
  • Represents data as a fixed- length string of text
  • message digest or ‘finger print’
  • will not have a collision (hopefully)
  • no way to retrieve value from a hash (not an encrypted representation)
  • no way to reverse the process
  • SHA256 is a hashing algorithm (the hash is a 256 bit fixed length string)
32
Q

Salt

A
  • Random data added to a password when hashing
  • every user gets their own random salt
  • limits the effectiveness of rainbow tables (pre-computed set of hashes + original values)
  • slows down the brute force process
33
Q

Input validation

A
  • Developer needs to document everywhere information is going into an application (forms, fields, type)
  • If anything is outside the scope of what it should be, should be resolved (normalization)
  • Prevents an attacker from Fuzzing
34
Q

Dynamic Analysis

A
  • Send random input to an application
  • fault-injecting, robustness testing, syntax testing, negative testing
  • attackers looking for something unusual to occur (like a buffer overflow, server error)
  • aka Fuzzing
35
Q

Fuzzing tests

A
  • May be specific to a platform or application
  • Take a lot of time and processing power (fuzzing engine tries a lot of different things, usually optimized to find the most likely vulnerabilities)
  • Almost always automated
36
Q

BFF

A
  • CERT Basic Fuzzing Framework

- Can see if there are any vulnerabilities

37
Q

CERT

A
  • Carnegie Mellon Computer Emergency Response Team

- developed a BFF to identify fuzzing opportunities

38
Q

Cookies

A
  • Information stored on your computer by the browswer
  • Used for tracking, personalization, session management
  • not an executable, generally not a security concern
  • but need to make sure they’re protected
  • Most cookies have an attribute on them to make them as secure, tells browser needs to be sent over HTTPs
  • Sensitive information should not be saved in a cookie (not designed to be secure storage)
39
Q

HTTP Secure Headers

A
  • Way to configure a webserver to restrict capabilities of browswer to be able to perform certain functions
  • A way to make our applications more secure
  • Ex: Enforce HTTPS communication or might try to prevent a XSS attack by telling browser to only allow scripts, stylesheets, or images from a local site, or prevent data from loading into an iframe
40
Q

iframe

A
  • inline frame

- Data loaded into an inline frame are often targeted by attackers during a XSS attack

41
Q

Code Signing

A
  • Need a trusted CA (certificate authority) to sign the developer’s public key
  • then the developer uses their private key to digitally sign
  • Then when you download it you can verify it with the developer’s public key
  • very similar to the process of providing encryption certificates to webservers
  • Every time you run a new application, need to verify that there is no malicious software in the executable
  • Want to confirm that the application we’re running is the same one deployed by the application developer
42
Q

Allow list

A
  • many admins will configure OS or security software settings to only allow certain apps from executing
  • more restrictive than the ‘deny list’
  • Any application can be dangerous (vulnerabilities, trojan horses, malware)
43
Q

Deny list

A
  • Nothing on the ‘bad list’ can be executed

- slightly more open list than the allow list

44
Q

Allow and Deny lists

A
  • Often things are built into the OS to create the allow / deny lists
  • Ex: Application Hash - Only allows applications with this unique identifier
  • Ex: Certificate - Allow digitally signed apps from certain publishers (like Microsoft, adobe, etc)
  • Ex: Path - Only run applications that are stored in certain folders
  • Ex: Network Zone - apps can only from this network zone (internal server vs internet for example)
45
Q

SAST

A
  • Statistic Application Security Testing
  • Automate the process to help identify security flaws
  • ID places there might be security vulnerabilities (ex: buffer overflows, database injections, etc.)
  • Not everything can be identified through analysis (Ex: authentication security, insecure cryptography, etc)
  • Output could have false positives (each instance needs to be examined and confirmed)
46
Q

Application Hardening

A
  • Minimize the attack surface
  • Remove all possible entry points
  • Want to remove known and unknown attack points
  • Sometimes it comes from a third party or compliance mandates (ex: HIPAA servers, PCSS DSS, etc)
  • Resources to help you harden your application: CIS (Center for Internet Security), SANS (Network and Security Institutes) , NIST (National Institutes of Standards and Technology)
47
Q

Open Ports

A
  • Want to close all port on device, except the ones that provide exactly the services need by the application
  • Commonly done by Firewall (controls the IP Addresses and port numbers that can be used)
  • Next-gen Firewall is ideal b/c also restricts which applications can flow over that particular IP and port number
  • Every open port is a possible entry point
  • In order to harden your application you’ll want to limit these
  • Ports might open without knowledge, don’t’ want to provide every port (0 - 65,535)
48
Q

NMap scan

A
  • Or a similar port scanner is a good idea when hardening your application to see what ports are open
  • ongoing monitoring is important
49
Q

Registry

A
  • Large Windows DB that contains configuration settings for windows OS and applications that run on the OS
  • Challenge: when we install new application, don’t know what’s been changed in the registry
  • Common to use third- party tools to see what the registry looked like pre-installation and post installation to show registry changes
  • Some registries can allow applications to configure permissions to make changes
  • Sometimes you can disable vulnerabilities (ex: a vulnerability was found in SMBv1 so now it’s common to disable the registry for this in every windows computer) - hierarchical structure and thousands of settings (always want to backup registry before making changes)
50
Q

Disk Encryption

A
  • Prevent access to application data files

- file system encryption

51
Q

FDE

A
  • Full Disk Encryption
  • A type of Disk Encryption
  • Ex: BitLocker, FileVault, etc (these are full disk utilities built into the Windows OS)
52
Q

SED

A
  • Self-Encrypting Drive
  • Hardware-based full disk encryption (built into hardware, not specific to OS )
  • No-operating system software needed
  • Used in some highly secure environments
  • Opal storage specification applies
53
Q

Opal Storage Specification

A
  • Standard for SED (Self-encrypting drive)

- You want to be sure this drives follows this standard

54
Q

OS Hardening

A
  • Many different types of OS
  • Each one has a different set of techniques to make it more hardened
  • Common technique: Make sure everything is up to date (ex: OS Updates/ service packs, security patches)
  • still need anti-virus/ anti malware
  • user account, network hardening
55
Q

User Account Hardening

A
  • Minimum password lengths and complexity

- Account limitations, only allow them to perform tasks necessary to their jobs

56
Q

Network hardening

A
  • Limit network access / input and output from other devices across the network
57
Q

Patch magnement

A
  • Incredibly important
  • standard part of OS, built into scheduling and automatically deployed
  • system stability and security fixes
  • many OS has monthly updates (batch updates)
  • Keep update processes manageable and keeps systems up to date
  • Third party updates, device drivers all need to be kept up to date
  • However, auto-updates are not always the best option even though you want to keep everything updated
  • Emergency, out of band updates (might have been in response to a 0 day attack)
58
Q

Sandboxing

A
  • Applications cannot access unrelated resources
  • Often used in development process
  • But also has value in a production environment
  • Ex: in VMs, or mobile devices (browswer wouldn’t have access to other types of data on device. data is sandboxed)
  • Ex: browsers can also erect sandboxes inside the browser, esp important with iframes (inline frames)
59
Q

UAC

A
  • User Account Control
  • Application doesn’t have access to other types of data unless specifically granted
  • Ex: in Windows, there is extensive sandboxing for UACs