3.2 Implement host & application security solutions Flashcards
Endpoint Protection: what is an endpoint?
It is any device or application from which a user can access data (phone, PC, tablet and other devices, applications).
Endpoint Protection: how do you protect an endpoint?
- Use anti-virus / anti-malware
- Use a DLP
- Use host-based firewall
- Use a HIDS / HIPS
Endpoint Protection: what is the difference between antivirus and antimalware?
The terms mean the same thing these days. Antivirus = antimalware:
- Antivirus: the popular, older term, which referred to specific types of malware (trojans, worms, macro viruses)
- Antimalware: refers to the broad malicious software category (spyware, ransomware, fileless malware)
Endpoint Protection: what is signature-based antivirus and why can it be challenging to use?
It identifies malicious code through the use of signatures. A signature is a set pattern that may appear within the file or within the memory being used by the malicious software.
The problem is that attackers have found many ways around signature detection, so the way we look for a lot of this malicious software has had to change.
Endpoint Protection: what is the EDR type of antivirus?
Endpoint detection & response (EDR) detects a threat by not only looking at signatures. Instead of looking for a signature to occur within a file, it can look at what the file is doing: behavior analysis, machine learning, process monitoring. This is done with a lightweight agent running on the endpoint and constantly watching for these types of problems to occur.
EDR can also investigate the threat (root cause) and respond to it by isolating the system, quarantining the threat, or rolling back to a previous config.
All this can be automated.
Endpoint Protection: what is a DLP?
Data Loss Prevention (DLP) is designed to stop data leakage: it prevents sensitive data from being sent across the network, in clear or encrypted form, by blocking it from being transferred outside the network.
Endpoint Protection: where can DLP be installed?
On any endpoint: a DLP solution can be based in a firewall, in client software on each system, or in the cloud to examine all of the emails.
Endpoint Protection: why does an NGFW help with DLP?
A Next-generation firewall (NGFW) is able to identify the applications whose data is flowing across the network, regardless of the IP address or port.
An NGFW can also identify attacks and malware, examine encrypted data, and prevent access to URLs.
Endpoint Protection: what is a host-based firewall?
A personal firewall running on every endpoint. It allows or disallows incoming or outgoing application traffic.
Endpoint Protection: what is a HIDS?
A Host-based Intrusion Detection System (HIDS) looks through the log files on a system to identify an intrusion that may be occurring and, at that point, it can choose to reconfigure firewalls or other types of security devices to prevent additional attacks.
Endpoint Protection: what is a HIPS?
A Host-based Intrusion Prevention System (HIPS) recognizes and blocks known attacks to secure the OS and application configs, and validates incoming service requests.
A HIPS uses different techniques to identify attacks: signatures, heuristics (identifying when large changes are occurring), and behavioral analysis (spotting differences in behavior).
Endpoint Protection: what is the difference between HIPS and HIDS?
They do the same thing, except that a HIPS will take action to mitigate the spread, while a HIDS leaves the mitigation to the administrator.
Boot integrity: what is booting in computing?
Booting is basically the process of starting the computer. When the CPU is first switched on, there is nothing in memory. To start the computer, the operating system is loaded into main memory, and then the computer is ready to take commands from the user.
Boot integrity: why is boot security important?
Because the boot process is a perfect infection point.
Ex: a rootkit runs in kernel mode, which gives the attacker the same rights as the OS.
Boot integrity: what are the different boot processes?
The process is named “chain of trust” and is composed of:
1/ Secure boot
2/ Trusted boot
3/ Measured boot
Boot integrity: what is a TPM?
A Trusted Platform Module (TPM) is a hardware cryptographic module that enhances computer security and privacy. Protecting data through encryption and decryption, protecting authentication credentials, and proving which software is running on a system are basic functionalities associated with computer security.
Boot integrity: what is an HSM?
A Hardware Security Module (HSM) is a hardened, tamper-resistant hardware device that secures cryptographic processes by generating, protecting, and managing the keys used for encrypting and decrypting data and for creating digital signatures and certificates.
Boot integrity: what is the difference between an HSM and a TPM?
To put it short:
- A TPM is a specific device that keeps its own keys secure (source of identity)
- An HSM is a general device that secures foreign keys (verify identity)
Boot integrity: what are the UEFI and BIOS boot modes?
Both BIOS and UEFI are forms of software that kickstart the hardware of your computer before your operating system loads. UEFI is an update to traditional BIOS that supports larger hard drives, quicker boot times, more security features, and more graphics and mouse cursor options.
Boot integrity: why is UEFI Secure Boot important in the secure boot process?
UEFI Secure Boot is a feature specified in UEFI, which provides verification about the state of the boot chain. It is designed to ensure that only cryptographically verified UEFI binaries are executed after the self-initialization of the firmware.