Chapter 11: Managing Application Security Flashcards
A modern replacement for the Basic Input Output System (BIOS); it is more secure and is needed for a secure boot of the OS. The older BIOS cannot provide secure boot.
Unified Extensible Firmware Interface (UEFI)
In a Windows computer, Early Launch Anti-Malware checks that all drivers being loaded are signed and prevents rogue drivers from loading.
Early Launch Anti Malware
First adopted with Windows 8; all components, from the firmware up to the applications and software, are measured and this information is stored in a log file; the log file is stored in the Trusted Platform Module (TPM) chip.
Measured Boot
Using an FDE solution such as BitLocker.
Secure Boot and Attestation
Monitors the websites being visited and the files being downloaded to ensure they are not infected by viruses or Trojans.
Antivirus
Scans the computer for adware and spyware and prevents malicious software from running.
Anti Malware
An advanced solution that goes beyond antivirus or anti-malware. It is a centralized console that continuously monitors the computer and raises alerts when a threat has been detected.
Endpoint Detection and Response (EDR)
An endpoint DLP solution can be set up to protect data on your computer from being stolen via email or a USB drive.
Data Loss Prevention (DLP)
More than a traditional firewall. It can act as a stateful firewall by carrying out deep packet inspection. It can also inspect application traffic to ensure that it is legitimate and use whitelisting to ensure that only approved applications are allowed to run.
Next Generation Firewall (NGFW)
A software program that can be installed on a host to protect it against attack. It analyzes the behavior of a computer and looks for any suspicious behavior in log files.
Host Intrusion Prevention System (HIPS)
A passive device that monitors patterns in the behavior of a computer system. It uses a database that contains the settings for the computer, including the registry, critical file systems and applications. Its function is to alert the user to any discrepancies or attacks.
Host Intrusion Detection System (HIDS)
Can be used to prevent unauthorized access to the desktop and can be set up with permitted rules for approved applications.
Host based Firewall
Cookies can be stolen by attackers to carry out a session hijacking attack; ensure cookies are only sent over a secure HTTPS session.
Secure Cookies
Controlling inputs to an application is vital to ensure that buffer overflow, integer overflow and SQL injection attacks cannot be launched against applications and databases; input validation occurs where data is entered, either using a web page or a wizard.
Input Validation
Designed to transfer information between the host and the web server; an attacker can carry out a cross-site scripting attack delivered by injecting HTTP response headers; this can be prevented by adding an HTTP Strict Transport Security (HSTS) header.
Hypertext Transfer Protocol (HTTP) headers
Allows you to digitally sign scripts and executables to verify their authenticity and confirm they are genuine.
Code Signing
The code is not executed; a static code analyzer tool is used to check for any flaws or weaknesses.
Static Code Analyzers
The code is run locally, using a technique called fuzzing in which random input is fed to the application to see what the output will be.
Dynamic Code Analysis
A developer reads the code line by line to ensure it is written properly and contains no errors.
Manual Code Review
Random input is fed to the application to see whether it crashes, leaks memory or returns error information; it uncovers improper input validation.
fuzzing
Used on computer systems to encrypt the whole hard drive, as it holds data at rest.
FDE
The ______ chip is located on the motherboard and is used to store encryption keys so that when the system boots, it can compare the keys to ensure there has been no tampering.
TPM
When we use certificates for FDE, they use a hardware root of trust that verifies that the keys match before secure boot takes place.
Hardware Root of Trust
Solid state drives (SSDs) that are purchased already set to encrypt data at rest.
Self Encryption Drives (SEDs)
Similar to a TPM chip except that it is removable. Key escrow uses an HSM to store and manage private keys, but smaller ones can be used for a computer.
Hardware Security Module (HSM)
Where we install an application in a virtual environment isolated from our network so we can patch, test and ensure that it is secure before putting it into a production environment.
sandboxing
Comprised of small devices, such as ATMs, small robots and wearable technologies, that can use an IP address and connect to internet-capable devices.
-smart devices
-home automation (lighting, climate, entertainment, alarm)
-wearable technology
-sensors
-weak defaults
-facilities automation
IoT
Hardware and software combined in a single device; some devices will have updates but others have no update mechanism, making them vulnerable to attack.
-Raspberry Pi
Embedded Systems
Automated control systems consisting of multiple phases of production:
-Energy
-Facilities
-Manufacturing
-Logistics
-Industrial
Supervisory Control and Data Acquisition (SCADA)
Used for water, telecommunications, health, chemicals, water supply and treatment.
Industrial Control System (ICS)
2 models of the Software Development Life Cycle (SDLC)
- Waterfall: each stage is completed before the next
- Agile: several stages of development can occur simultaneously
Created to allow systems to be programmed to talk to one another.
Application Programming Interface (API)
The process of increasing resources when they are needed; the cloud pay-as-you-go model.
Elasticity
Where an application can take more users than originally planned with little or no increase in cost.
Scalability
Application Lifecycle
- Development
- Testing
- Staging
- Production
Where two instructions from different threads try to access the same data at the same time.
Race Condition
The process of taking the source code and making it look obscure so that if it were stolen it would not be understood. ______ masks the source code so that it cannot be understood by competitors.
Obfuscation/Camouflage
An international not-for-profit organization that provides an up-to-date list of the most recent web application security concerns. It relies on donations.
Open Web Application Security Project (OWASP)
Incident Response Process
- Preparation: incident response plans are written and kept up to date
- Identification: the appropriate plan is invoked when an incident has occurred
- Containment: isolate or quarantine computers
- Eradication: destroy the source
- Recovery: RPO
- Lessons Learned
A government-sponsored company whose aim is to help prevent cyber attacks.
-Adversarial: behavior of potential attackers
-Tactics: the medium by which the attack will be carried out
-Techniques: breakdown of the processes
-Common Knowledge: documentation relating to attackers' tactics
MITRE ATT&CK Framework
Cyber Kill Chain (developed by Lockheed Martin)
- Reconnaissance: calling employees, sending emails, social engineering, dumpster diving
- Weaponization: create the malware payload
- Delivery: a medium such as email, web page or USB
- Exploitation: executing code via a vulnerability
- Installation: installing malware on the asset
- Command and control: the infected system sends information back to the attacker
- Action on objectives: hands on keyboard; the attack is complete
Getting the company back up and running so that it can generate income.
Disaster Recovery Plan
Keeps the business up and running no matter what disasters occur.
Business Continuity Plan
4 phases of BCP
- Initial Response
- Relocation to a hot or warm site
- Recovery
- Site Resiliency
The site is up and running, with staff loading data into the systems immediately as it is replicated. This is the most expensive to maintain but has the fastest recovery.
Hot site
Similar to a hot site, but data is sent by courier and may be 3 to 4 hours behind the hot site.
Warm Site
The cheapest to maintain, as it has power and water but no staff or equipment, making it the slowest to get back up and running. It has no data.
Cold Site
Documents with information on events and the necessary actions that need to be taken.
Runbooks
Contain a set of rules and actions to enable the SOAR to identify incidents and take preventative action.
Playbooks
The ability to keep the system running when one part of the system fails.
Redundancy
Uses a minimum of 2 disks and a maximum of 32 disks; if one disk fails then all the data will be lost; primarily used when speed is the concern, in situations such as transferring large files, like in video editing or gaming (RAID).
RAID 0 (striping)(fastest)
2 disks in a mirror set; fault tolerant, so if disk 1 should fail, you could activate disk 2; used when data redundancy and high reliability are crucial; employed for important data storage such as business files or critical system files.
RAID 1 (mirroring)(5th fastest)
A minimum of 3 disks; known as a stripe set with parity; used in environments where both speed and data protection are important; commonly employed in small to medium sized businesses for general purpose storage, file servers or databases.
Raid 5: (striping with parity)(3rd fastest)
A minimum of 4 disks with double parity; typically used in scenarios where there is a higher risk of multiple drive failures, or when data integrity and fault tolerance are critical; utilized in large scale storage systems, enterprise level databases or systems handling sensitive information.
Raid 6: (Double parity)(4th fastest)
Uses both mirroring and striping to protect data: a mirrored set that is then striped; implemented in servers or systems that require high performance storage and fault tolerance.
Raid 10: (mirrored striping)(2nd fastest)
Normally used by a SAN storage solution where there is more than one network path between the SAN storage and the target server.
Multipath
Basically a battery that acts as a standby device so that when the computer's power fails, it kicks in.
Uninterruptible Power Supply (UPS):
Most servers will have a ______ so that if one power unit fails, the other power supply keeps the server running.
Dual Supply
Managed ______ allow you to remotely connect and monitor the power.
Managed Power Distribution Units (PDUs)
A method for the immediate transfer of data and virtual machines within a network.
Replication
A hardware device that contains a large number of fast disks, such as Solid State Drives (SSDs), and is isolated from the LAN as it has its own network.
Storage Area Network (SAN)
A backup of all your data. This is the fastest physical backup but uses the most storage space.
Full Backup
Backs up the data changed since the last full backup or incremental backup. Uses less storage space than a full or differential backup.
Incremental
Backs up the data changed since the last full backup. This will always be two tapes: the full backup from the start and the latest differential. It uses more space than incremental but less than a full backup.
Differential
Paper Data Destruction
-Burning: incinerator
-Pulping: if burning is not available, pulping, which turns the paper into papier-mâché, is the best option.
-Shredding: the third best way of disposing of data; a cross-cut shredder is best.
Media Data Destruction
-Shredding: shred a metal hard drive into powder; the best method.
-Pulverizing: smash the drive into small pieces with a sledgehammer.
-Degaussing: an electrical charge is sent across the drive.
When the computer system becomes corrupt, you can roll it back to a former state.
Non-persistence
You can save the system state and system settings to removable media. If the computer is corrupt, you can repair the computer, then insert the media and revert the system state data.
Revert to Known State
The system records the configuration state as you log in. This can be reverted to at a later stage.
Last Known good Configuration
A copy of the operating system is saved to a USB flash drive or DVD so that you can boot from the removable media.
Live boot media