3.2 Securing Hosts & Applications

Question 1

What vulnerability exists with anti-virus/malware software?

Answer 1

Relies on known code signatures to detect malware and attackers have figured out ways to bypass this detection

Question 2

Define Endpoint Detection & Response (EDR) and capabilities it provides

Answer 2

1. Uses methods, other than signatures, such as actions to detect malware
2. Uses lightweight AI to take actions, such as quarantining files, isolating system from network, or rolling back to a known good config to remedy/detect malware

Question 3

Define Data Loss Prevention (DLP) (2)

Answer 3

1. Prevents sensitive information from being transported on or outside of the network
2. Can run on a variety of end-points to provide a robust solution

Question 4

Define NGFW (2)

Answer 4

1. Next Generation Firewall, aka Application Layer Gateway, stateful
2. Works at application layer to allow/deny specific applications or sub-features of applications

Question 5

Define HIPS (2)

Answer 5

1. Host-based Intrusion Prevention System
2. Runs on OS to actively monitor and block malicious actions

Question 6

Define HIDS - Host-based Intrusion Detection System

Answer 6

Secondary system that monitors log files for intrusions and can reconfigure host protection to block those

Question 7

3 reasons to use Host-based Firewall

Answer 7

1. Concept Layered Protection - Defense in Depth
2. Has direct access to traffic before it is encrypted and sent over network
3. Has access to monitor the operating system and detect issues

Question 8

What protections does UEFI BIOS provide, relative to the BIOS software?

Answer 8

Uses manufacturer’s public key to prevent malicious BIOS updates

Question 9

4 steps of the UEFI Secure Boot Process

Answer 9

1. Secure Boot Process
2. Trusted Boot Process
3. Measured Boot Process
4. Boot Attestation

Question 10

What does the secure boot process verify?

Answer 10

Verifies that the digital signature of the bootloader matches with the digital signature of the OS to ensure that the bootloader hasn’t been tampered with

Question 11

What 3 things are verified during the trusted boot process?

Answer 11

1. Verifies the digital signature of the OS Kernel
2. OS Kernel verifies boot and start-up files
3. OS runs ELAM (early launch anti-malware) and verifies digital signatures of all drivers before loading them

Question 12

What occurs during the measured boot process?

Answer 12

Generates a hash from all the files loaded in the secure and trusted boot processes that can be compared against the same hash that is stored in the TPM

Question 13

What is boot attestation? (2)

Answer 13

1. Comparing a hash generated from all the files loaded during the boot process to a known good hash previously stored in the TPM
2. Can be done locally or forwarded to a remote system to verify that the OS booted up is trusted

Question 14

Define hardware root of trust

Answer 14

Using physically installed hardware as the basis of trust in a system since unlike software, it can only be modified by physically accessing it

Question 15

TPM - Trusted Platform Module provides (3):

Answer 15

1. hardware root of trust
2. cryptographic functions
3. secure storage of keys and other system info

Question 16

Is the TPM password vulnerable to brute force attacks and why?

Answer 16

No, it has anti-brute force mechanisms that prevent these attacks

Question 17

Define tokenization, relative to database security

Answer 17

Provides database security, instead of storing sensitive information, like a credit card #, a token is stored. The token is temporary and discarded after being sent to the transaction entity to complete the purchase.

Question 18

Define how hashing can provide database security

Answer 18

Instead of storing the actual value in the database, a hash of the value is stored preventing compromise of the database revealing sensitive information

Question 19

Define how salt can be used to enhance database security

Answer 19

Salting hashed values stored in the database complicates brute-force attacks, such as preventing the use of rainbow table attacks

Question 20

Define fuzzing

Answer 20

Automated process to find input validation vulnerabilities in applications, can be used as part of QA or maliciously by an attacker

Question 21

Define secure cookies

Answer 21

Cookies that are flagged and only allowed to transmitted via HTTPS by the browser

Question 22

Define HTTP secure headers

Answer 22

Web servers can define restrictions of what is allowed in HTTP communications

Question 23

Define SED & OPAL

Answer 23

1. Self-Encrypting Drive, drive with encryption built-in running as data is written
2. Only use drives that meet the OPAL storage standards/specifications

Question 24

Define DNS sinkhole

Answer 24

Creating alternate DNS entries for known malicious sites to an internal server for monitoring and access prevention