3.2 Implement host & application security solutions

Question 1

Endpoint Protection: what is an endpoint ?

Answer 1

It is any point from where a user can access data (phone, pc, tablet and other devices, application)

Question 2

Endpoint Protection: how to protect endpoint ?

Answer 2

• Use anti-virus / anti-malware
• Use a DLP
• Use host-based firewall
• Use a HIDS / HIPS

Question 3

Endpoint Protection: what is the difference antivirus vs antimalware ?

Answer 3

The terms are the same these days. Antivirus = antimalware:
- Antivirus: popular term that refers to a type of malware (trojans, worm, macroviruses)
- Antimalware: refers to the broad malicious software category (spyware, ransomware, fileless malware)

Question 4

Endpoint Protection: what is a signature based antivirus and why they can be challenging to use?

Answer 4

They identify malicious code through the use of signature. Signatures are a set pattern that may be within the file or within the memory that is being used by the malicious software.
The problem is that attackers founds many ways around signature detection. So we’ve had to change the way that we are looking for a lot of this malicious software.

Question 5

Endpoint Protection: what is EDR type of antivirus ?

Answer 5

Endpoint detection & response (EDR) detect a threat by not only looking at signatures. Instead of looking for a signature to occur within a file, it can look at what the file is doing: behavior analysis, machine learning, process monitoring. This is done with lightweight agent running on the endoing and constantly watching for these types of problems to occur.
EDR can also investigate the threat (root cause) and responde it by isolate the system, quarantine the threat, rollback previous config.
All this can be automated.

Question 6

Endpoint Protection: what is a DLP?

Answer 6

Design to stop data leakage and prevent sentive data from being sent across the nerwork in clear or encrypted form by blocking it from being transferred outside the network.

Question 7

Endpoint Protection: where DLP can be install?

Answer 7

On any endpoint: DLP solution based in a firewall, in a client software, on each system, in the cloud to examine all of the emails

Question 8

Endpoint Protection: why NGFW help for DLP ?

Answer 8

Next-generation firewall (NGFW) is able to identify the application that are flowing (data flowing) across the network, reagrdless of the IP address or port.
NGFW can also identify attacks and malware, examine encrypted data, prevent access to URLs

Question 9

Endpoint Protection: what is a host-based firewall ?

Answer 9

A personal firewall running on every endpoint. It allow or disallow incoming or outgoing application traffic

Question 10

Endpoint Protection: what is an HIDS ?

Answer 10

Host-based Intrusion Detection System (HIDS) look through the log files on a system to identify intrusion that may be occuring and at that point, it can choose to reconfigure firewalls or other type of security devices to prevent additonal attacks

Question 11

Endpoint Protection: what is an HIPS ?

Answer 11

Host-based Intrusion Prevention System (HIPS) recognize and block known attacks to secure OS, application confids and validate incoming service requests.
HIPS use != technic to identify attacks: signatures, heuristics (identify when large changes are occuring), behavioral (spot difference in behavior)

Question 12

Endpoint Protection: what is an HIPS vs HIDS ?

Answer 12

They do the same thing except that the HIPS will take actions to mitigate the spread while HIDS will the administrator do the mitigation

Question 13

Boot integrity: what is boot in computing ?

Answer 13

Booting is basically the process of starting the computer. When the CPU is first switched on it has nothing inside the Memory. In order to start the Computer, load the Operating System into the Main Memory and then Computer is ready to take commands from the User.

Question 14

Boot integrity: why boot security is important ?

Answer 14

Because the boot process is a perfect infection point.
Ex: rootkit run in kernel mode which give the attacker same rights as the OS

Question 15

Boot integrity: what are the different boot process?

Answer 15

The process is named “chain of trust” and is composed of:
1/ Secure boot
2/ Trusted boot
3/ Measured boot

Question 16

Boot integrity: what is a TPM ?

Answer 16

Trusted Platform Module is a hardware cryptographic module that enhances computer security and privacy. Protecting data through encryption and decryption, protecting authentication credentials, and proving which software is running on a system are basic functionalities associated with computer security.

Question 17

Boot integrity: what is a HSM ?

Answer 17

Hardware Security Module is hardened, tamper-resistant hardware devices that secure cryptographic processes by generating, protecting, and managing keys used for encrypting and decrypting data and creating digital signatures and certificates.

Question 18

Boot integrity: what is the difference HSM vs TPM?

Answer 18

If you want to put it short:

• A TPM is a specific device to keep it’s own keys secure (source of identity)
• while an HSM is a general device to secure foreign keys (verify identity)

Question 19

Boot integrity: what is UEFI BIOS boot mode?

Answer 19

Both BIOS and UEFI are forms of software that kickstart the hardware of your computer before your operating system loads. UEFI is an update to traditional BIOS that supports larger hard drives, quicker boot times, more security features, and more graphics and mouse cursor options.

Question 20

Boot integrity: why UEFI secure boot is important in secure boot process ?

Answer 20

UEFI Secure Boot is a feature specified in UEFI, which provides verification about the state of the boot chain. It is designed to ensure that only cryptographically verified UEFI binaries are executed after the self-initialization of the firmware.

Question 21

Boot integrity: what is the trusted boot process ?

Answer 21

Once the boot is secured, bootloader verifies digital signature of the kernel > the kernel verifies all of the other startup components (boot drivers, startup files) > just before loading the drivers ELAM (Early Launch Antimalware) starts

Question 22

Boot integrity: what is the measured boot process ?

Answer 22

Process allowing the user to measure if any change occured in the OS. UEFI sotres hash of the firmware boot drivers + everything else loaded during the Secure boot and trusted boot process. Then provide remote attestion that the devices provide to a verification server. The server received the boot report and can take action in case of anomaly

Question 23

DB security: what DB security means ?

Answer 23

• Protecting data at rest and in transit
• Response to compliance issues (GDPR, PCI DSS, HIPAA, etc)

Question 24

DB security: how to secure a DB?

Answer 24

You can use:
- Tokenization
- Hash
- Salt

Question 25

DB security: what is tokenization and how it works?

Answer 25

Replace sensitive data with a non-sensitive data (this is not encryption/hash).
The process is to use a temporary token during payment. That token is sent i a server that validates the token during the purchase process and that token is then thrown away and a different token will be used for the next purchase.
If an attacker xapture the token, he cannot use it.

Question 26

DB security: what is a hash?

Answer 26

Fixed-lenght string of text and a one way trip

Question 27

DB security: what is a salt?

Answer 27

Adding some salt means that we add random data at the end of a password to modify the hashing value

Question 28

Application security: what is the starting point to include security in an application ?

Answer 28

Make sure the code is secure: programming with security in mind

Question 29

Application security: how to secure coding?

Answer 29

• Input validation
  -Dynamic analysis
• Secure cookies
• HTTP Secure Headers
• Code signing
• Allow list / deny list
• Static code analyzer

Question 30

Application security: what is input validation ?

Answer 30

Input validation is performed to ensure only properly formed data is entering the workflow in an application, preventing malformed data from persisting in the database and triggering malfunction of various downstream components.

Question 31

Application security: what is dynamic analysis (fuzzing)?

Answer 31

Send random input to an application to test and evaluate the application. This is done to improve correction of bugs, memory issues and cashes

Question 32

Application security: what are cookies?

Answer 32

Cookies are information stored on your computer by the browser and use to keep track of information, personalization, session management

Question 33

Application security: why should we secure cookies?

Answer 33

Because cookies can contain sensitive informations. However this is not a best practise to store sentitive info in a cookie

Question 34

Application security: how to secure cookies?

Answer 34

Many of the cookies stored on our system have a Secure attribute set telling the browser that information being sent across the network needs to be sent over an encrypted connection using HTTPS

Question 35

Application security: what is HTTP Secure Headers?

Answer 35

A way to configure the web server to restrict the capabilities of a browser to be able to perform certain function (allow or disallow certain task to occur when using the app)
EX: enforce HTTPS communication, only allow scripts, stylesheets or image from the local site

Question 36

Application security: what is code signing ?

Answer 36

Application is digitally signed by the developer using asymmetric encryption.
A trusted certificate authority (CA) signs the developer’s public key. Then developer signs the code with their own private key

Question 37

Application security: what is an allow list / deny list ?

Answer 37

• Allow list: anything that is listed on the allow list can run on the system. Nothing runs unless it’s on the list
• Deny list: nothing on the deny list can be executed

Ex: application hash, certificate, path, network zone

Question 38

Application security: what is static code analyzers (SAST)?

Answer 38

A tool that analyzes source code without executing the code. Static code analyzers are designed to review bodies of source code (at the programming language level) or compiled code (at the machine language level) to identify poor coding practices.

Question 39

Application hardening: what application hardening is for ?

Answer 39

The goal is to minimize the attack surface and limit the ability of an attack to exploit an application.

Question 40

Application hardening: how to harden an application ?

Answer 40

• Manage open ports
• Use Windows registry
• Disk encryption
• OS hardening
• Patch management
• Sandboxing

Question 41

Application hardening: why open ports should be limited ?

Answer 41

Because every port is a possible entry point. Therefor, only the required ports should be open.
This can be done with a firewall (NGFW ideally)

Question 42

Application hardening: how to verify what port is open ?

Answer 42

Do a nmap scan

Question 43

Application hardening: what is the Windows registry ?

Answer 43

A large DB that contains configuration settings for the Windows OS and application that run on that OS

Question 44

Application hardening: why the Windows registry should be use in application hardening ?

Answer 44

Because some registry changes are important security settings
Ex; configure registry permission, disabling vulnerability (SMBv1)

Question 45

Application hardening: why disk encryption is important ?

Answer 45

It prevents access to application data files (file system encrption)

Question 46

Application hardening: what is FDE in disk encryption ?

Answer 46

Full Disk Encryption (FDE) encrypt everything on the drive
Ex: Bitlocker, FileVault etc

Question 47

Application hardening: what is SED in disk encryption ?

Answer 47

Self-encrypting drive (SED) is atype of encryption on a storage drive that is built into the hardware of the drive itself. It do not rely on a OS

Question 48

Application hardening: what is include in OS hardening ?

Answer 48

• OS updates / security patches
• User accounts: min password lenght & complexity, account limitations
• Limit network access
• Run & updated antivirus

Question 49

Application hardening: why patch management is important ?

Answer 49

For security and system stability

Question 50

Application hardening: what is sandboxing ?

Answer 50

It limits the scope of an application from accessing to unrelated resources. This is use during development process so that the developers are not changing any data that might be in a production environment

Ex: VM separate from other VMs, etc