3.2 Implement host & application security solutions Flashcards

1
Q

Endpoint Protection: what is an endpoint?

A

It is any point from which a user can access data (phone, PC, tablet and other devices, applications).

2
Q

Endpoint Protection: how to protect an endpoint?

A
  • Use anti-virus / anti-malware
  • Use a DLP
  • Use a host-based firewall
  • Use a HIDS / HIPS
3
Q

Endpoint Protection: what is the difference between antivirus and antimalware?

A

The terms are the same these days. Antivirus = antimalware:
- Antivirus: popular term that refers to a type of malware (trojans, worms, macro viruses)
- Antimalware: refers to the broad malicious software category (spyware, ransomware, fileless malware)

4
Q

Endpoint Protection: what is a signature-based antivirus and why can it be challenging to use?

A

It identifies malicious code through the use of signatures. A signature is a set pattern that may be found within the file or within the memory being used by the malicious software.
The problem is that attackers have found many ways around signature detection, so the way we look for much of this malicious software has had to change.

5
Q

Endpoint Protection: what is the EDR type of antivirus?

A

Endpoint detection & response (EDR) detects a threat by not only looking at signatures. Instead of looking for a signature to occur within a file, it can look at what the file is doing: behavior analysis, machine learning, process monitoring. This is done with a lightweight agent running on the endpoint and constantly watching for these types of problems to occur.
EDR can also investigate the threat (root cause) and respond to it by isolating the system, quarantining the threat, or rolling back to a previous configuration.
All of this can be automated.

6
Q

Endpoint Protection: what is a DLP?

A

Designed to stop data leakage and prevent sensitive data from being sent across the network in clear or encrypted form, by blocking it from being transferred outside the network.

7
Q

Endpoint Protection: where can a DLP be installed?

A

On any endpoint: a DLP solution can be based in a firewall, in client software on each system, or in the cloud to examine all of the emails.

8
Q

Endpoint Protection: why does an NGFW help with DLP?

A

A next-generation firewall (NGFW) is able to identify the applications (data flows) crossing the network, regardless of the IP address or port.
An NGFW can also identify attacks and malware, examine encrypted data, and prevent access to URLs.

9
Q

Endpoint Protection: what is a host-based firewall?

A

A personal firewall running on every endpoint. It allows or disallows incoming or outgoing application traffic.

10
Q

Endpoint Protection: what is a HIDS?

A

A Host-based Intrusion Detection System (HIDS) looks through the log files on a system to identify an intrusion that may be occurring; at that point it can choose to reconfigure firewalls or other types of security devices to prevent additional attacks.

11
Q

Endpoint Protection: what is a HIPS?

A

A Host-based Intrusion Prevention System (HIPS) recognizes and blocks known attacks to secure the OS and application configs, and validates incoming service requests.
A HIPS uses different techniques to identify attacks: signatures, heuristics (identify when large changes are occurring), behavioral (spot differences in behavior).

12
Q

Endpoint Protection: HIPS vs HIDS?

A

They do the same thing, except that a HIPS will take action to mitigate the spread while a HIDS will let the administrator do the mitigation.

13
Q

Boot integrity: what is boot in computing?

A

Booting is basically the process of starting the computer. When the CPU is first switched on there is nothing in memory. In order to start the computer, the operating system is loaded into main memory, and then the computer is ready to take commands from the user.

14
Q

Boot integrity: why is boot security important?

A

Because the boot process is a perfect infection point.
Ex: a rootkit runs in kernel mode, which gives the attacker the same rights as the OS.

15
Q

Boot integrity: what are the different boot processes?

A

The process is named “chain of trust” and is composed of:
1/ Secure boot
2/ Trusted boot
3/ Measured boot

16
Q

Boot integrity: what is a TPM?

A

Trusted Platform Module is a hardware cryptographic module that enhances computer security and privacy. Protecting data through encryption and decryption, protecting authentication credentials, and proving which software is running on a system are basic functionalities associated with computer security.

17
Q

Boot integrity: what is an HSM?

A

A Hardware Security Module is a hardened, tamper-resistant hardware device that secures cryptographic processes by generating, protecting, and managing the keys used for encrypting and decrypting data and for creating digital signatures and certificates.

18
Q

Boot integrity: what is the difference between an HSM and a TPM?

A

If you want to put it short:

  • A TPM is a specific device that keeps its own keys secure (source of identity)
  • while an HSM is a general device that secures foreign keys (verify identity)
19
Q

Boot integrity: what is UEFI BIOS boot mode?

A

Both BIOS and UEFI are forms of software that kickstart the hardware of your computer before your operating system loads. UEFI is an update to traditional BIOS that supports larger hard drives, quicker boot times, more security features, and more graphics and mouse cursor options.

20
Q

Boot integrity: why is UEFI Secure Boot important in the secure boot process?

A

UEFI Secure Boot is a feature specified in UEFI, which provides verification about the state of the boot chain. It is designed to ensure that only cryptographically verified UEFI binaries are executed after the self-initialization of the firmware.

21
Q

Boot integrity: what is the trusted boot process?

A

Once the boot is secured, the bootloader verifies the digital signature of the kernel > the kernel verifies all of the other startup components (boot drivers, startup files) > just before loading the drivers, ELAM (Early Launch Antimalware) starts.

22
Q

Boot integrity: what is the measured boot process?

A

A process allowing the user to measure whether any change occurred in the OS. UEFI stores a hash of the firmware, the boot drivers and everything else loaded during the Secure Boot and Trusted Boot process. It then provides remote attestation: the device sends this boot report to a verification server. The server receives the boot report and can take action in case of an anomaly.

23
Q

DB security: what does DB security mean?

A
  • Protecting data at rest and in transit
  • Response to compliance issues (GDPR, PCI DSS, HIPAA, etc)
24
Q

DB security: how to secure a DB?

A

You can use:
- Tokenization
- Hash
- Salt

25
Q

DB security: what is tokenization and how does it work?

A

Replace sensitive data with non-sensitive data (this is not encryption or hashing).
The process is to use a temporary token during payment. That token is sent to a server that validates the token during the purchase process; the token is then thrown away and a different token will be used for the next purchase.
If an attacker captures the token, he cannot use it.

26
Q

DB security: what is a hash?

A

A fixed-length string of text; hashing is a one-way trip.

27
Q

DB security: what is a salt?

A

Adding salt means that we add random data at the end of a password to modify the resulting hash value.

28
Q

Application security: what is the starting point to include security in an application?

A

Make sure the code is secure: programming with security in mind

29
Q

Application security: how to do secure coding?

A
  • Input validation
    - Dynamic analysis
  • Secure cookies
  • HTTP secure headers
  • Code signing
  • Allow list / deny list
  • Static code analyzer
30
Q

Application security: what is input validation ?

A

Input validation is performed to ensure only properly formed data is entering the workflow in an application, preventing malformed data from persisting in the database and triggering malfunction of various downstream components.

31
Q

Application security: what is dynamic analysis (fuzzing)?

A

Send random input to an application to test and evaluate it. This is done to improve the correction of bugs, memory issues and crashes.

32
Q

Application security: what are cookies?

A

Cookies are information stored on your computer by the browser and used to keep track of information, personalization, and session management.

33
Q

Application security: why should we secure cookies?

A

Because cookies can contain sensitive information. However, it is not a best practice to store sensitive info in a cookie.

34
Q

Application security: how to secure cookies?

A

Many of the cookies stored on our system have the Secure attribute set, telling the browser that the information must be sent across the network over an encrypted connection using HTTPS.

35
Q

Application security: what are HTTP secure headers?

A

A way to configure the web server to restrict the capabilities of the browser to perform certain functions (allow or disallow certain tasks when using the app).
Ex: enforce HTTPS communication; only allow scripts, stylesheets or images from the local site.

36
Q

Application security: what is code signing?

A

The application is digitally signed by the developer using asymmetric encryption.
A trusted certificate authority (CA) signs the developer’s public key; the developer then signs the code with their own private key.

37
Q

Application security: what is an allow list / deny list?

A
  • Allow list: anything that is listed on the allow list can run on the system. Nothing runs unless it’s on the list
  • Deny list: nothing on the deny list can be executed

Ex: application hash, certificate, path, network zone

38
Q

Application security: what are static code analyzers (SAST)?

A

A tool that analyzes source code without executing the code. Static code analyzers are designed to review bodies of source code (at the programming language level) or compiled code (at the machine language level) to identify poor coding practices.

39
Q

Application hardening: what is application hardening for?

A

The goal is to minimize the attack surface and limit the ability of an attacker to exploit an application.

40
Q

Application hardening: how to harden an application?

A
  • Manage open ports
  • Use Windows registry
  • Disk encryption
  • OS hardening
  • Patch management
  • Sandboxing
41
Q

Application hardening: why should open ports be limited?

A

Because every open port is a possible entry point. Therefore, only the required ports should be open.
This can be done with a firewall (ideally an NGFW).

42
Q

Application hardening: how to verify which ports are open?

A

Do an nmap scan.

43
Q

Application hardening: what is the Windows registry?

A

A large DB that contains configuration settings for the Windows OS and the applications that run on it.

44
Q

Application hardening: why should the Windows registry be used in application hardening?

A

Because some registry changes are important security settings.
Ex: configure registry permissions, disable a vulnerable feature (SMBv1).

45
Q

Application hardening: why is disk encryption important?

A

It prevents access to application data files (file system encryption).

46
Q

Application hardening: what is FDE in disk encryption?

A

Full Disk Encryption (FDE) encrypts everything on the drive.
Ex: BitLocker, FileVault, etc.

47
Q

Application hardening: what is SED in disk encryption?

A

A self-encrypting drive (SED) is a type of encryption on a storage drive that is built into the hardware of the drive itself. It does not rely on the OS.

48
Q

Application hardening: what is included in OS hardening?

A
  • OS updates / security patches
  • User accounts: minimum password length & complexity, account limitations
  • Limit network access
  • Run an up-to-date antivirus
49
Q

Application hardening: why is patch management important?

A

For security and system stability

50
Q

Application hardening: what is sandboxing?

A

It limits the scope of an application so that it cannot access unrelated resources. This is used during the development process so that developers are not changing any data that might be in a production environment.

Ex: VM separate from other VMs, etc