Section 3.2 Host and Application Security Solutions Flashcards
Where should endpoint detection be focused?
Throughout the entire network
What monitors network activity for suspicious behavior and alerts if anything is found?
Intrusion Detection Systems (IDS)
What monitors network activity and attempts to deal with the issue and either disconnects suspicious connections or turns off attacked services?
Intrusion Prevention Systems (IPS)
What monitors network patterns and headers of network packets?
Network Intrusion Detection systems (NIDS)
What component of NIDS collects network data and sends it to the network monitor for analysis?
Detection Agent
What component of NIDS takes data from the detection agent, analyzes it, and sends warning notifications?
Network Monitor
What component of NIDS is used for notifications and alarms which are sent to the administrator?
Notification system
IDSs are usually located where on the network?
A central point
What mode of IDS deployment analyzes all traffic?
In-band
What mode of IDS deployment only analyzes some of the traffic?
Out-of-band
What do you call a NIDS that uses active detection methods to take immediate steps to halt an intrusion?
NIPS
What prevention system reroutes network traffic in case of network attacks and terminates suspicious network activity?
NIPS
What is a disadvantage of active detection systems?
False positives can shut down the system
What kind of intrusion detection takes steps to mitigate an intrusion?
Active Intrusion Detection
What kind of intrusion detection typically logs the event or generates alarms?
Passive Intrusion Detection
What do you call a deep-packet inspection firewall that moves beyond port/protocol inspection and blocking?
Next Generation Firewall
What kind of monitoring systems contain signature databases that they use to detect attacks?
Signature-Based Monitoring
What kind of monitoring systems rely on the collective knowledge of security vendors but are unable to detect new attacks that haven’t been recorded?
Signature-Based Monitoring
What kind of monitoring systems use a known good baseline and look for anomalies?
Behavior/Anomaly-Based Monitoring
What kind of monitoring systems are easily and quickly adapted to the environment and can detect new variants of attacks but take time to build a baseline profile?
Behavior/Anomaly-Based Monitoring
What kind of monitoring systems start with an initial database of known attack types but change their alert signatures based on learned behavior?
Heuristic-Based Monitoring
What do you call a type of attack that has rarely or never been encountered and takes advantage of previously unknown weaknesses and vulnerabilities in a software program or operating system?
A zero-day attack
What kind of monitoring systems rely on an admin to create rules and determine consequences for breaking those rules?
Rule-based monitoring
What kind of monitoring systems require significant manual set-up and continuous updating?
Rule-based monitoring
What detection system monitors a specific host for suspicious behavior that could indicate someone is trying to break into the system?
Host-based Intrusion Detection System (HIDS)
What detection system can detect an attack by a malicious user who is physically accessing the system console?
Host-based Intrusion Detection System (HIDS)
What is an integrated endpoint security solution that combines: REAL-TIME continuous monitoring and collection of endpoint data with rules-based AUTOMATED RESPONSE AND ANALYSIS capabilities?
Endpoint Detection and Response (EDR)
What solutions keep sensitive data from leaving a network by a USB, email, etc.?
Data Loss Prevention Solutions
What solutions tag data with labels that say whether data can leave the network and how it can leave the network?
Data Loss Preventions
What protects both the computers and the networks to which they connect, as well as providing a first level of defense to prevent viruses from spreading?
Antivirus
Most viruses and spyware enter a system how?
through email attachments and internet downloads
What kind of firewall performs critical functions to protect a user’s host computer?
Host-based firewall
What part of the host system contains the program code and instructions for starting a computer and loading the OS?
Basic Input/Output System
What do you call maintaining the BIOS of a host system?
Boot Integrity
Modern systems use what to boot because it is more secure and is needed for a secure boot of the OS?
Unified Extensible Firmware Interface (UEFI)
What uses an unchangeable piece of hardware that contains cryptographic function keys, and verifies that BIOS is being loaded from a known good version?
Hardware Root of Trust
What do you call adding a suffix of random characters to a password before it is encrypted?
Salting
What creates a ‘unique fingerprint’ for a message?
Hashing
What prevents someone who gains unauthorized access to a database from being able to read the data without an encryption key?
Database Encryption
What makes sure that when applications are deployed, they don’t contain security issues that can expose sensitive data?
Secure coding practices
What do you call the surrounding infrastructure that supports software applications?
Data Center
What manages and provisions data centers through machine readable files instead of the physical hardware?
Infrastructure as Code
What do you call the small text files saved on your computer to store website data?
Cookies
What kind of cookies only transmit over secure channels?
Secure cookies
What disallows connections through HTTP and protects against attacks?
HTTP Strict Transport Security (HSTS) headers
HTTP request and response messages have what that include various HTTP commands, directives, site referral information, and address data?
Headers
What kind of analysis is conducted by executing software on a real or virtual processor to determine how the software will behave in a potentially negative environment?
Dynamic code analysis
What refers to the process of coding applications to accept only certain valid input for user-entered fields?
Input Validation
What determines how the software should react to error conditions and exceptions?
Error and Exception handling
What recognizes specific types of command characters and parses them as simple data rather than executing the text as a command?
Escaping
What do you call the use of existing source code for a new purpose, either for a new program or for a new environment?
Code Reuse
What do you call saved subroutines that can be used within applications accessing databases, saving time and memory by combining the execution of several statements into one stored procedure?
stored procedures
What prevents unauthorized applications from executing by checking each potential execution against a list of applications that have been granted execution rights?
Allow list
What concept refers to keeping the OS and applications current through regular updates and critical software patches and removing unnecessary software services from the system?
Operating system hardening
What do you call an OS that has met a set of standards such as the Common Criteria?
Trusted OS
OS vendors regularly release software updates, which are often rolled into larger software packages called what?
service packs, updates, or packages
User interaction with external Internet users can result in viruses or Trojans being downloaded that allow what to the user's computer?
Backdoor access
To protect against the use of backdoor access, the network admin should do what to these programs on the main network firewall to keep them from communicating with the Internet?
block the service ports
All software on the workstation should be kept current with what to remove security vulnerabilities from previous versions?
Most recent patches and upgrades
What disallows the ability to execute code from memory locations that are reserved for Windows and other known-good programs?
Data Execution Prevention (DEP)
What do you call a special hardware chip that provides authentication by storing security mechanisms that are specific to that system hardware?
TPM
What do you call a specialized hardware appliance used to provide onboard cryptographic functions and processing?
Hardware Security Module
What should be used to secure access to the data of removable media?
Encryption and Authentication
What is used to open email attachments or other high risk files in an environment that will be less harmful if they do indeed turn out to be malicious?
Sandboxing
What do you use to protect hosts and applications against a wide variety of malware programs?
Antivirus and Anti-malware software
What protects web applications by filtering and monitoring HTTP traffic between a web application and the internet?
Firewalls
What should be used to protect the data of mobile devices?
passwords and encryption
What should be used to establish a strong, secure foundation for your OS, applications, and web browsers for all your systems, including mobile devices?
security baselines and policies
What should be used to make sure hackers cannot insert malformed input or command requests in application input forms?
Input Validation
What should you do to special characters and command characters so that they are processed as data, not actual commands?
Use Escaping
What should not be displayed in error messages?
filename and directory paths
What should applications handle without crashing or providing unauthorized access?
exceptions
What concepts should be used to prevent confidential data loss and interception?
DLP concepts
What should be used for secure storage of encryption keys and certificates for hardware platforms?
TPMs
What are used for high-end security applications that require secure key generation and management on a separate hardware appliance?
HSMs
What can secure data in storage on a database server?
Database Encryption
What is a software program designed to detect and destroy viruses and other malicious software from the system?
Antivirus
What is a program that protects the system from all kinds of malware including viruses, Trojans, worms, and PUPs?
Antimalware
What typically protects web applications from common attacks like XSS, CSRF, and SQL Injections?
Firewalls
What kind of firewall is an application that is built into desktop operating systems, like Windows or Linux?
Host-based firewall
What two types of firewalls are often used together in a layered defense?
Host-based and Network-based
What do you call a boot where all components from the firmware, applications, and software are measured and information is stored on a log file?
Measured Boot
In a measured boot where is the log file stored?
on the TPM chip on the motherboard
What kind of boot is performed at startup where the OS checks that all of the drivers have been signed?
Trusted secure Boot
What is it called when software integrity is confirmed during the boot process?
Boot attestation
What is deemed more secure than encryption because it cannot be reversed?
Tokenization
What is used to index and fetch items from a database?
Hashing
What function maps data to where the actual records are held?
Hash function
What renders rainbow tables ineffective?
Salting
What ensures buffer overflow, integer overflow, and SQL injection attacks cannot be launched against applications and databases?
Input validation
What can be stolen by attackers to carry out a session hijacking attack?
Secure cookies
What can help prevent an attacker from carrying out a cross-site scripting attack through HTTP response headers?
HTTP Strict Transport Security headers
What uses a certificate to digitally sign scripts and executables to verify their authenticity and to confirm they are genuine?
Code Signing
What do you call it when the developer who creates software writes code in a manner that ensures that there are no bugs or flaws?
Secure Coding Practices
What concept's intent is to prevent attacks such as buffer overflow or integer injection during code development?
Secure Coding Practices
What do you call analysis where the code is not executed locally but is analyzed by a static code analyzer tool?
Static Code analysis
What is the process of running source code inside the tool that reports any flaws or weaknesses?
Static code analysis
What kind of analysis requires source code access?
Static code analysis
What do you call analysis where the code is executed and fuzzing is used to inject random input into the application?
Dynamic code analysis
What kind of analysis exposes flaws in an application before it is rolled out to production?
Dynamic code analysis
What kind of analysis does not require source code access?
Dynamic code analysis
What is it called when code is reviewed line by line to ensure that the code is well-written and error free? It tends to be tedious and time-consuming.
Manual Code Review
What is the hardening process of open ports and services?
listening ports should be restricted to those necessary, filtered to restrict traffic, and disabled entirely if unneeded. (Block through firewalls, disable by disabling underlying service)
What is the hardening process of the registry?
access should be restricted, and updates should be controlled through policy where available (always make a backup first)
What should be used to prevent unwanted access to data in a variety of circumstances?
Drive encryption
What is the hardening process of the OS?
OS hardening can often be implemented through security baselines, applied through group policies or management tools
What kind of device encrypts anything that is written to that drive?
Self-encrypting Drive
What is used for key storage when certificates are used in Full Disk Encryption?
Hardware root of trust
What verifies that the keys match before the secure boot process takes place?
Hardware root of trust
What is often used as the basis for a hardware root of trust?
TPM
What provides the OS with access to keys, but prevents drive removal and data access?
TPM