Given a scenario, implement host or application security solutions Flashcards

1
Q

Endpoint protection

A
Antivirus
Anti-malware
Endpoint detection and response (EDR)
DLP
Next-generation firewall (NGFW)
Host-based intrusion prevention system (HIPS)
Host-based intrusion detection system (HIDS)
Host-based firewall

Another crucial step in hardening is to configure endpoint protection for automatic detection and prevention of malware threats. There have been many iterations of host-based/endpoint protection suites and agents. It is important to consider the contrasting functions performed, as individual software tools or protection suites often combine multiple functions.

2
Q

Antivirus

A

Antivirus is a kind of software used to prevent, scan, detect and delete viruses from a computer. Once installed, most antivirus software runs automatically …

3
Q

Anti-malware

A

Antimalware is a type of software program created to protect information technology (IT) systems and individual computers from malicious software, or malware. Antimalware programs scan a computer system to prevent, detect and remove malware.

4
Q

Endpoint detection and response (EDR)

A

Endpoint protection usually depends on an agent running on the local host. If multiple security products install multiple agents (say one for A-V, one for HIDS, another for host-based firewall, and so on), they can impact system performance and cause conflicts, creating numerous technical support incidents and security incident false positives. An endpoint protection platform (EPP) is a single agent performing multiple security tasks, including malware/intrusion detection and prevention, but also other security features, such as a host firewall, web content filtering/secure search and browsing, and file/message encryption.

5
Q

DLP

A

Many EPPs include a data loss prevention (DLP) agent. This is configured with policies to identify privileged files and strings that should be kept private or confidential, such as credit card numbers. The agent enforces the policy to prevent data from being copied or attached to a message without authorization.

6
Q

Next-generation firewall (NGFW)

A

An analytics-driven next-gen antivirus product is likely to combine with the perimeter and zonal security offered by next-gen firewalls. For example, detecting a threat on an endpoint could automate a firewall policy to block the covert channel at the perimeter, isolate the endpoint, and mitigate the risk of the malware using lateral movement between hosts. This type of functionality is set out in more detail in Sophos's white paper on synchronized security (sophos.com/en-us/lp/synchronized-security.aspx).

7
Q

Host-based intrusion prevention system (HIPS)

A

Host-based intrusion detection systems (HIDS) provide threat detection via log and file system monitoring. HIDS come in many different forms with different capabilities, some of them preventative (HIPS). File system integrity monitoring uses signatures to detect whether a managed file image—such as an OS system file, driver, or application executable—has changed. Products may also monitor ports and network interfaces, and process data and logs generated by specific applications, such as HTTP or FTP.

8
Q

Host-based intrusion detection system (HIDS)

A

Host-based intrusion detection systems (HIDS) provide threat detection via log and file system monitoring. HIDS come in many different forms with different capabilities, some of them preventative (HIPS). File system integrity monitoring uses signatures to detect whether a managed file image—such as an OS system file, driver, or application executable—has changed. Products may also monitor ports and network interfaces, and process data and logs generated by specific applications, such as HTTP or FTP.

9
Q

Host-based firewall

A
10
Q

Boot integrity

A

Boot security/Unified Extensible Firmware Interface (UEFI)
Measured boot
Boot attestation

11
Q

Boot security/Unified Extensible Firmware Interface (UEFI)

A
12
Q

Measured boot

A

A UEFI feature that gathers secure metrics to validate the boot process in an attestation report.

It uses platform configuration registers (PCRs) in the TPM at each stage in the boot process to check whether hashes of key system state data (boot firmware, boot loader, OS kernel, and critical drivers) have changed. This does not usually prevent boot, but it will record the presence of unsigned kernel-level code.

13
Q

Boot attestation

A

Report of boot state integrity data that is signed by a tamper-proof TPM key and reported to a network server.

14
Q

Database

A

Tokenization
Salting
Hashing

15
Q

Tokenization

A

A deidentification method where a unique token is substituted for real data.

16
Q

Salting

A

A salt is an additional value stored with the hashed data field. The purpose of salt is to frustrate attempts to crack the hashes. It means that the attacker cannot use pre-computed tables of hashes using dictionaries of plaintexts. These tables have to be recompiled to include the salt value.

17
Q

Hashing

A

A cryptographic hash produces a fixed-length string from arbitrary-length plaintext data using an algorithm such as SHA. If the function is secure, it should not be possible to match the hash back to a plaintext. Hashing is mostly used to prove integrity.

18
Q

Application security

A
Input validations
Secure cookies
Hypertext Transfer Protocol (HTTP) headers
Code signing
Allow list
Block list/deny list
Secure coding practices
Static code analysis
Dynamic code analysis
Fuzzing
19
Q

Input validations

A

Any technique used to ensure that the data entered into a field or variable in an application is handled appropriately by that application.

20
Q

Secure cookies

A

Avoid using persistent cookies for session authentication. Always use a new cookie when the user reauthenticates.
Set the Secure attribute to prevent a cookie being sent over unencrypted HTTP.
Set the HttpOnly attribute to make the cookie inaccessible to document object model/client-side scripting.
Use the SameSite attribute to control from where a cookie may be sent, mitigating request forgery attacks.

21
Q

Hypertext Transfer Protocol (HTTP) headers

A

HTTP Strict Transport Security (HSTS)—forces browser to connect using HTTPS only, mitigating downgrade attacks, such as SSL stripping.
Content Security Policy (CSP)—mitigates clickjacking, script injection, and other client-side attacks. Note that X-Frame-Options and X-XSS-Protection provide mitigation for older browser versions, but are now deprecated in favor of CSP.
Cache-Control—sets whether the browser can cache responses. Preventing caching of data protects confidential and personal information where the client device might be shared by multiple users.

22
Q

Code signing

A
23
Q

Allow list

A
24
Q

Block list/deny list

A
25
Q

Secure coding practices

A

The security considerations for new programming technologies should be well understood and tested before deployment. One of the challenges of application development is that the pressure to release a solution often trumps any requirement to ensure that the application is secure. A legacy software design process might be heavily focused on highly visible elements, such as functionality, performance, and cost. Modern development practices use a security development life cycle running in parallel or integrated with the focus on software functionality and usability.

26
Q

Static code analysis

A

Manual code review

27
Q

Manual code review

A
28
Q

Dynamic code analysis

A

Static code review techniques will not reveal vulnerabilities that might exist in the runtime environment, such as exposure to race conditions or unexpected user input. Dynamic analysis means that the application is tested under “real world” conditions using a staging environment.

29
Q

Fuzzing

A

A dynamic code analysis technique that involves sending a running application random and unusual input so as to evaluate how the app responds.

30
Q

Hardening

A
Open ports and services
Registry
Disk encryption
OS
Patch management
31
Q

Open ports and services

A

Application service ports allow client software to connect to applications over a network. These should either be disabled or blocked at a firewall if remote access is not required. Be aware that a server might be configured with a nonstandard port. For example, an HTTP server might be configured to use 8080 rather than 80. Conversely, malware may try to send nonstandard data over an open port. An intrusion detection system should detect if network data does not correspond to the expected protocol format.

32
Q

Registry

A
33
Q

Disk encryption

A

Persistent storage holds user data generated by applications, plus cached credentials. Disk encryption is essential to data security. Self-encrypting drives can be used so that all data at rest is always stored securely.

34
Q

OS

A

Services provide a library of functions for different types of applications. Some services support local features of the OS and installed applications. Other services support remote connections from clients to server applications. Unused services should be disabled.

35
Q

Patch management

A

Third-party updates

Auto-update

36
Q

Third-party updates

A
37
Q

Auto-update

A
38
Q

Self-encrypting drive (SED)/full-disk encryption (FDE)

A

Opal

39
Q

Opal

A
40
Q

Hardware root of trust

A
41
Q

Trusted Platform Module (TPM)

A
42
Q

Sandboxing

A