Given a scenario, implement host or application security solutions Flashcards
Endpoint protection
Antivirus
Anti-malware
Endpoint detection and response (EDR)
DLP
Next-generation firewall (NGFW)
Host-based intrusion prevention system (HIPS)
Host-based intrusion detection system (HIDS)
Host-based firewall
Another crucial step in hardening is to configure endpoint protection for automatic detection and prevention of malware threats. There have been many iterations of host-based/endpoint protection suites and agents. It is important to consider the contrasting functions performed, as individual software tools or protection suites often combine multiple functions.
Antivirus
Antivirus is a kind of software used to prevent, scan, detect and delete viruses from a computer. Once installed, most antivirus software runs automatically …
Anti-malware
Antimalware is a type of software program created to protect information technology (IT) systems and individual computers from malicious software, or malware. Antimalware programs scan a computer system to prevent, detect and remove malware.
Endpoint detection and response (EDR)
Endpoint protection usually depends on an agent running on the local host. If multiple security products install multiple agents (say one for A-V, one for HIDS, another for host-based firewall, and so on), they can impact system performance and cause conflicts, creating numerous technical support incidents and security incident false positives. An endpoint protection platform (EPP) is a single agent performing multiple security tasks, including malware/intrusion detection and prevention, but also other security features, such as a host firewall, web content filtering/secure search and browsing, and file/message encryption.
DLP
Many EPPs include a data loss prevention (DLP) agent. This is configured with policies to identify privileged files and strings that should be kept private or confidential, such as credit card numbers. The agent enforces the policy to prevent data from being copied or attached to a message without authorization.
Next-generation firewall (NGFW)
An analytics-driven next-gen antivirus product is likely to combine with the perimeter and zonal security offered by next-gen firewalls. For example, detecting a threat on an endpoint could automate a firewall policy to block the covert channel at the perimeter, isolate the endpoint, and mitigate risks of the malware using lateral movement between hosts. This type of functionality is set out in more detail in Sophos’s white paper on synchronized security (sophos.com/en-us/lp/synchronized-security.aspx).
Host-based intrusion prevention system (HIPS)
Host-based intrusion detection systems (HIDS) provide threat detection via log and file system monitoring. HIDS come in many different forms with different capabilities, some of them preventative (HIPS). File system integrity monitoring uses signatures to detect whether a managed file image—such as an OS system file, driver, or application executable—has changed. Products may also monitor ports and network interfaces, and process data and logs generated by specific applications, such as HTTP or FTP.
Host-based intrusion detection system (HIDS)
Host-based intrusion detection systems (HIDS) provide threat detection via log and file system monitoring. HIDS come in many different forms with different capabilities, some of them preventative (HIPS). File system integrity monitoring uses signatures to detect whether a managed file image—such as an OS system file, driver, or application executable—has changed. Products may also monitor ports and network interfaces, and process data and logs generated by specific applications, such as HTTP or FTP.
Host-based firewall
Boot integrity
Boot security/Unified Extensible Firmware Interface (UEFI)
Measured boot
Boot attestation
Boot security/Unified Extensible Firmware Interface (UEFI)
Measured boot
A UEFI feature that gathers secure metrics to validate the boot process in an attestation report.
Uses platform configuration registers (PCRs) in the TPM at each stage in the boot process to check whether hashes of key system state data (boot firmware, boot loader, OS kernel, and critical drivers) have changed. This does not usually prevent boot, but it will record the presence of unsigned kernel-level code.
Boot attestation
Report of boot state integrity data that is signed by a tamper-proof TPM key and reported to a network server.
Database
Tokenization
Salting
Hashing
Tokenization
A deidentification method where a unique token is substituted for real data.
Salting
A salt is an additional value stored with the hashed data field. The purpose of salt is to frustrate attempts to crack the hashes. It means that the attacker cannot use pre-computed tables of hashes using dictionaries of plaintexts. These tables have to be recompiled to include the salt value.
Hashing
A cryptographic hash produces a fixed-length string from arbitrary-length plaintext data using an algorithm such as SHA. If the function is secure, it should not be possible to match the hash back to a plaintext. Hashing is mostly used to prove integrity.
Application security
Input validations
Secure cookies
Hypertext Transfer Protocol (HTTP) headers
Code signing
Allow list
Block list/deny list
Secure coding practices
Static code analysis
Dynamic code analysis
Fuzzing
Input validations
Any technique used to ensure that the data entered into a field or variable in an application is handled appropriately by that application.
Secure cookies
Avoid using persistent cookies for session authentication. Always use a new cookie when the user reauthenticates.
Set the Secure attribute to prevent a cookie being sent over unencrypted HTTP.
Set the HttpOnly attribute to make the cookie inaccessible to document object model/client-side scripting.
Use the SameSite attribute to control from where a cookie may be sent, mitigating request forgery attacks.
Hypertext Transfer Protocol (HTTP) headers
HTTP Strict Transport Security (HSTS)—forces the browser to connect using HTTPS only, mitigating downgrade attacks, such as SSL stripping.
Content Security Policy (CSP)—mitigates clickjacking, script injection, and other client-side attacks. Note that X-Frame-Options and X-XSS-Protection provide mitigation for older browser versions, but are now deprecated in favor of CSP.
Cache-Control—sets whether the browser can cache responses. Preventing caching of data protects confidential and personal information where the client device might be shared by multiple users.
Code signing
Allow list
Block list/deny list
Secure coding practices
The security considerations for new programming technologies should be well understood and tested before deployment. One of the challenges of application development is that the pressure to release a solution often trumps any requirement to ensure that the application is secure. A legacy software design process might be heavily focused on highly visible elements, such as functionality, performance, and cost. Modern development practices use a security development life cycle running in parallel or integrated with the focus on software functionality and usability.
Static code analysis
Manual code review
Manual code review
Dynamic code analysis
Static code review techniques will not reveal vulnerabilities that might exist in the runtime environment, such as exposure to race conditions or unexpected user input. Dynamic analysis means that the application is tested under “real world” conditions using a staging environment.
Fuzzing
A dynamic code analysis technique that involves sending a running application random and unusual input so as to evaluate how the app responds.
Hardening
Open ports and services
Registry
Disk encryption
OS
Patch management
Open ports and services
Application service ports allow client software to connect to applications over a network. These should either be disabled or blocked at a firewall if remote access is not required. Be aware that a server might be configured with a nonstandard port. For example, an HTTP server might be configured to use 8080 rather than 80. Conversely, malware may try to send nonstandard data over an open port. An intrusion detection system should detect if network data does not correspond to the expected protocol format.
Registry
Disk encryption
Persistent storage holds user data generated by applications, plus cached credentials. Disk encryption is essential to data security. Self-encrypting drives can be used so that all data-at-rest is always stored securely.
OS
Services provide a library of functions for different types of applications. Some services support local features of the OS and installed applications. Other services support remote connections from clients to server applications. Unused services should be disabled.
Patch management
Third-party updates
Auto-update
Third-party updates
Auto-update
Self-encrypting drive (SED)/full-disk encryption (FDE)
Opal
Opal
Hardware root of trust
Trusted Platform Module (TPM)
Sandboxing