3.2 Host or Application Security Solutions Flashcards

1
Q
• The user’s access - Applications and data
• Stop the attackers - Inbound attacks, outbound attacks
• Many different platforms - Mobile, desktop
• Protection is multi-faceted - Defense in depth
A

The endpoint

2
Q

• Anti-virus is the popular term
– Refers specifically to a type of malware
– Trojans, worms, macro viruses
• Malware refers to the broad malicious software category
– Anti-malware stops spyware, ransomware, fileless malware
• The terms are effectively the same these days
– The names are more of a marketing tool
– Anti-virus software is also anti-malware software now
– Make sure your system is using a comprehensive solution

A

Anti-virus and anti-malware

3
Q

• A different method of threat protection
– Scale to meet the increasing number of threats
• Detect a threat
– Signatures aren’t the only detection tool
– Behavioral analysis, machine learning, process monitoring
– Lightweight agent on the endpoint
• Investigate the threat
– Root cause analysis
• Respond to the threat
– Isolate the system, quarantine the threat, rollback to a previous config
– API driven, no user or technician intervention required

A

Endpoint detection and response (EDR)

4
Q

• Where’s your data?
– Social Security numbers, credit card numbers, medical records
• Stop the data before the attacker gets it
– Data “leakage”
• So many sources, so many destinations
– Often requires multiple solutions
– Endpoint clients
– Cloud-based systems
– Email, cloud storage, collaboration tools

A

Data Loss Prevention (DLP)

5
Q

• The OSI Application Layer - All data in every packet
• Can be called different names
– Application layer gateway
– Stateful multilayer inspection, deep packet inspection
• Broad security controls
– Allow or disallow application features
– Identify attacks and malware
– Examine encrypted data
– Prevent access to URLs or URL categories

A

Next-generation firewall (NGFW)

6
Q
• Software-based firewall
– Personal firewall, runs on every endpoint
• Allow or disallow incoming or outgoing application traffic
– Control by application process
– View all data
• Identify and block unknown processes
– Stop malware before it can start
• Manage centrally
A

Host-based firewall

7
Q

• Host-based Intrusion Detection System (HIDS)
– Uses log files to identify intrusions
– Can reconfigure firewalls to block
• Host-based Intrusion Prevention System (HIPS)
– Recognize and block known attacks
– Secure OS and application configs, validate incoming service requests
– Often built into endpoint protection software
• HIPS identification
– Signatures, heuristics, behavioral
– Buffer overflows, registry updates, writing files to the Windows folder
– Access to non-encrypted data

A

Finding intrusions

8
Q
• Security is based on trust
– Is your data safely encrypted?
– Is this web site legitimate?
– Has the operating system been infected?
• The trust has to start somewhere
– Trusted Platform Module (TPM)
– Hardware Security Module (HSM)
– Designed to be the hardware root of trust
• Difficult to change or avoid
– It’s hardware
– Won’t work without the hardware
A

Hardware root of trust

9
Q

• A specification for cryptographic functions
– Hardware to help with encryption functions
• Cryptographic processor
– Random number generator, key generators
• Persistent memory
– Comes with unique keys burned in during production
• Versatile memory
– Storage keys, hardware configuration information
• Password protected
– No dictionary attacks

A

Trusted Platform Module (TPM)

10
Q

• The attack on our systems is constant
– Techniques are constantly changing
• Attackers compromise a device
– And want it to stay compromised
• The boot process is a perfect infection point
– Rootkits run in kernel mode
– Have the same rights as the operating system
• Protecting the boot process is important
– Secure boot, trusted boot, and measured boot
– A chain of trust

A

Boot integrity

11
Q

• Secure Boot
– Part of the UEFI specification
• UEFI BIOS protections
– BIOS includes the manufacturer’s public key
– Digital signature is checked during a BIOS update
– BIOS prevents unauthorized writes to the flash
• Secure Boot verifies the bootloader
– Checks the bootloader’s digital signature
– Bootloader must be signed with a trusted certificate
– Or a manually approved digital signature

A

UEFI BIOS Secure Boot

12
Q

• Bootloader verifies digital signature of the OS kernel
– A corrupted kernel will halt the boot process
• The kernel verifies all of the other startup components
– Boot drivers, startup files
• Just before loading the drivers,
– ELAM (Early Launch Anti-Malware) starts
– Checks every driver to see if it’s trusted
– Windows won’t load an untrusted driver

A

Trusted Boot

13
Q

• Nothing on this computer has changed
– There have been no malware infections
– How do you know?
• Easy when it’s just your computer
– More difficult when there are 1,000
• UEFI stores a hash of the firmware, boot drivers, and everything else loaded during the Secure Boot and Trusted Boot process
– Stored in the TPM
• Remote attestation
– Device provides an operational report to a verification server
– Encrypted and digitally signed with the TPM
• Attestation server receives the boot report
– Changes are identified and managed

A

Measured Boot

14
Q
• Protecting stored data
– And the transmission of that data
• Intellectual property storage
– Data is valuable
• Compliance issues
– PCI DSS, HIPAA, GDPR, etc.
• Keep the business running
– Security provides continuity
• Breaches are expensive - Keep costs low
A

Database security

15
Q
• Replace sensitive data with a non-sensitive placeholder
– SSN 266-12-1112 is now 691-61-8539
• Common with credit card processing
– Use a temporary token during payment
– An attacker capturing the card numbers can’t use them later
• This isn’t encryption or hashing
– The original data and token aren’t mathematically related
– No encryption overhead
A

Tokenization

16
Q

• Hashes represent data as a fixed-length string of text
– A message digest, or “fingerprint”
• Will not have a collision (hopefully)
– Different inputs will not have the same hash
• One-way trip
– Impossible to recover the original message from the digest
– A common way to store passwords

A

Hashing a password

17
Q

• Salt
– Random data added to a password when hashing
• Every user gets their own random salt
– The salt is commonly stored with the password
• Rainbow tables won’t work with salted hashes
– Additional random value added to the original password
• This slows down the brute force process
– It doesn’t completely stop the reverse engineering

A

Adding some salt

18
Q
• A balance between time and quality
– Programming with security in mind is often secondary
• Testing, testing, testing
– The Quality Assurance (QA) process
• Vulnerabilities will eventually be found
– And exploited
A

Secure coding concepts

19
Q
• What is the expected input?
– Validate actual vs. expected
• Document all input methods
– Forms, fields, type
• Check and correct all input (normalization)
– A zip code should be only X characters long with a letter in the X column
– Fix any data with improper input
• The fuzzers will find what you missed
– Don’t give them an opening
A

Input validation

20
Q

• Send random input to an application
– Fault-injecting, robustness testing, syntax testing, negative testing
• Looking for something out of the ordinary
– Application crash, server error, exception
• 1988 class project at the University of Wisconsin
– “Operating System Utility Program Reliability”
– Professor Barton Miller
– The Fuzz Generator

A

Dynamic analysis (fuzzing)

21
Q
• Many different fuzzing options
– Platform specific, language specific, etc.
• Very time and processor resource heavy
– Many, many different iterations to try
– Many fuzzing engines use high-probability tests
• Carnegie Mellon Computer Emergency Response Team (CERT)
– CERT Basic Fuzzing Framework (BFF)
– https://professormesser.link/bff
A

Fuzzing engines and frameworks

22
Q

• Cookies
– Information stored on your computer by the browser
– Used for tracking, personalization, session management
– Not executable, not generally a security risk
– Unless someone gets access to them
• Secure cookies have a Secure attribute set
– Browser will only send it over HTTPS
• Sensitive information should not be saved in a cookie
– This isn’t designed to be secure storage

A

Secure cookies

23
Q

• An additional layer of security
– Add these to the web server configuration
– You can’t fix every bad application
• Enforce HTTPS communication
– Ensure encrypted communication
• Only allow scripts, stylesheets, or images from the local site
– Prevent XSS attacks
• Prevent data from loading into an inline frame (iframe)
– Also helps to prevent XSS attacks

A

HTTP secure headers

24
Q

• An application is deployed
– Users run application executable or scripts
• So many security questions
– Has the application been modified in any way?
– Can you confirm that the application was written by a specific developer?
• The application code can be digitally signed by the developer
– Asymmetric encryption
– A trusted CA signs the developer’s public key
– Developer signs the code with their private key
– For internal apps, use your own CA

A

Code signing

25
Q
• Any application can be dangerous
– Vulnerabilities, trojan horses, malware
• Security policy can control app execution
– Allow list, deny/block list
• Allow list
– Nothing runs unless it’s approved - Very restrictive
• Deny list
– Nothing on the “bad list” can be executed
– Anti-virus, anti-malware
A

Allow list / deny list

26
Q
• Decisions are made in the operating system
– Often built into the operating system management
• Application hash
– Only allows applications with this unique identifier
• Certificate
– Allow digitally signed apps from certain publishers
• Path
– Only run applications in these folders
• Network zone
– The apps can only run from this network zone
A

Examples of allow and deny lists

27
Q
• Static Application Security Testing (SAST)
– Help to identify security flaws
• Many security vulnerabilities found easily
– Buffer overflows, database injections, etc.
• Not everything can be identified through analysis
– Authentication security, insecure cryptography, etc.
• Don’t rely on automation for everything
– Still have to verify each finding
– False positives are an issue
A

Static code analyzers

28
Q

• Minimize the attack surface
– Remove all possible entry points
• Remove the potential for all known vulnerabilities
– As well as the unknown
• Some hardening may have compliance mandates
– HIPAA servers, PCI DSS, etc.
• There are many different resources
– Center for Internet Security (CIS)
– Network and Security Institute (SANS)
– National Institute of Standards and Technology (NIST)

A

Application hardening

29
Q

• Every open port is a possible entry point
– Close everything except required ports
• Control access with a firewall
– NGFW would be ideal
• Unused or unknown services
– Installed with the OS or from other applications
• Applications with broad port ranges
– Open port 0 through 65,535
• Use Nmap or similar port scanner to verify
– Ongoing monitoring is important

A

Open ports and services

30
Q

• The primary configuration database for Windows
– Almost everything can be configured from the registry
• Useful to know what an application modifies
– Many third-party tools can show registry changes
• Some registry changes are important security settings
– Configure registry permissions
– Disable SMBv1

A

Registry

31
Q
• Prevent access to application data files
– File system encryption
• Full disk encryption (FDE)
– Encrypt everything on the drive
– BitLocker, FileVault, etc.
• Self-encrypting drive (SED)
– Hardware-based full disk encryption
– No operating system software needed
• Opal storage specification
– The standard for SED storage
A

Disk encryption

32
Q
• Many and varied
– Windows, Linux, iOS, Android, et al.
• Updates
– Operating system updates/service packs, security patches
• User accounts
– Minimum password lengths and complexity
– Account limitations
• Network access and security
– Limit network access
• Monitor and secure
– Anti-virus, anti-malware
A

Operating system hardening

33
Q
• Incredibly important
– System stability, security fixes
• Monthly updates
– Incremental (and important)
• Third-party updates
– Application developers, device drivers
• Auto-update - Not always the best option
• Emergency out-of-band updates
– Zero-day and important security discoveries
A

Patch management

34
Q
• Applications cannot access unrelated resources
– They play in their own sandbox
• Commonly used during development
– Can be a useful production technique
• Used in many different deployments
– Virtual machines
– Mobile devices
– Browser iframes (Inline Frames)
– Windows User Account Control (UAC)
A

Sandboxing