3.2 Given a scenario, implement host or application security solutions
Dynamic Code Analysis -Application security Fuzzing
- A code analysis that is done using a running application.
- Dynamic analysis means that the application is tested under "real world" conditions using a staging environment.
Fuzzing - A dynamic code analysis technique that involves sending a running application random and unusual input so as to evaluate how the app responds. The test or vulnerability scanner generates large amounts of deliberately invalid and/or random input and records the responses made by the application.
Dynamic analysis (fuzzing)
• Send random input to an application
• Fault-injecting, robustness testing, syntax testing, negative testing
• Looking for something out of the ordinary
- Application crash, server error, exception
Fuzzing engines and frameworks
• Many different fuzzing options
- Platform specific, language specific, etc.
• Very time and processor resource heavy
- Many, many different iterations to try
• Many fuzzing engines use high-probability tests
Tokenization-Database
- A deidentification method where a unique token is substituted for real data. The token is stored with the original value on a token server or token vault, separate to the production database. An authorized query or app can retrieve the original value from the vault, if necessary, so tokenization is a reversible technique. Tokenization is used as a substitute for encryption, because from a regulatory
Replace sensitive data with a non-sensitive placeholder
- SSN 266-12-1112 is now 691-61-8539
• Common with credit card processing
- Use a temporary token during payment
- An attacker capturing the card numbers can't use them later
• This isn't encryption or hashing
- The original data and token aren't mathematically related
- No encryption overhead
Disk encryption -hardening
- Persistent storage holds user data generated by applications, plus cached credentials. Disk encryption is essential to data security. Self-encrypting drives can be used so that all data-at-rest is always stored securely. Disk encryption can be applied to both hard disk drives (HDDs) and solid state drives (SSDs).
FDE requires the secure storage of the key used to encrypt the drive contents. Normally, this is stored in a TPM. The TPM chip has a secure storage area that a disk encryption program, such as Windows BitLocker, can write its keys to. It is also possible to use a removable USB drive (if USB is a boot device option). As part of the setup process, you create a recovery password or key. This can be used if the disk is moved to another computer or the TPM is damaged.
One of the drawbacks of FDE is that, because the OS performs the cryptographic operations, performance is reduced. This issue is mitigated by self-encrypting drives (SED), where the cryptographic operations are performed by the drive controller.
Prevent access to application data files
- File system encryption
• Full disk encryption (FDE) - Encryption of all data on a disk (including system files, temporary files, and the pagefile) can be accomplished via a supported OS, third-party software, or at the controller level by the disk device itself.
- Encrypt everything on the drive
- BitLocker, FileVault, etc.
• Self-encrypting drive (SED) - A disk drive where the controller can automatically encrypt data that is written to it. The SED uses a symmetric data/media encryption key (DEK/MEK) for bulk encryption and stores the DEK securely by encrypting it with an asymmetric key pair called either the authentication key (AK) or key encryption key (KEK) - In storage encryption, the private key that is used to encrypt the symmetric bulk media encryption key (MEK). This means that a user must authenticate to decrypt the MEK and access the media.
- Hardware-based full disk encryption
- No operating system software needed
• Opal storage specification - Standards for implementing device encryption on storage devices.
- The standard for SED storage
Operational control - A category of security control that is implemented by people.
code signing -Application security
- The process of assigning a certificate to code. The certificate includes a digital signature and validates the code.
- The method of using a digital signature to ensure the source and integrity of programming code.
- A code signing certificate is issued to a software publisher, following some sort of identity check and validation process by the CA. The publisher then signs the executables or DLLs that make up the program to guarantee the validity of a software application or browser plug-in.
- Code signing is the principal means of proving the authenticity and integrity of code (an executable or a script). The developer creates a cryptographic hash of the file then signs the hash using his or her private key. The program is shipped with a copy of the developer's code signing certificate, which contains a public key that the destination computer uses to read and verify the signature.
• An application is deployed
• Users run application executable or scripts
• So many security questions
- Has the application been modified in any way?
- Can you confirm that the application was written by a specific developer?
• The application code can be digitally signed by the developer
- Asymmetric encryption
- A trusted CA signs the developer's public key
- Developer signs the code with their private key
- For internal apps, use your own CA
hardening
- The process of modifying the default configuration of endpoints to eliminate unnecessary settings and services.
- The process of putting an operating system or application in a secure configuration.
- The process of making a host or app configuration secure by reducing its attack surface, through running only necessary services, installing monitoring software to protect against malware and intrusions, and establishing a maintenance schedule to ensure the system is patched to be secure against software exploits.
Measured Boot - Boot integrity
A UEFI firmware feature that logs the startup process. Antimalware software can analyze this log to determine if malware is on the computer or if the boot components were tampered with. Measured Boot uses platform configuration registers (PCRs) in the TPM at each stage in the boot process to check whether hashes of key system state data (boot firmware, boot loader, OS kernel, and critical drivers) have changed. This does not usually prevent boot, but it will record the presence of unsigned kernel-level code.
Nothing on this computer has changed
- There have been no malware infections
- How do you know?
• Easy when it's just your computer
- More difficult when there are 1,000
• UEFI stores a hash of the firmware, boot drivers, and everything else loaded during the Secure Boot and Trusted Boot process
- Stored in the TPM
• Remote attestation
- Device provides an operational report to a verification server
- Encrypted and digitally signed with the TPM
• Attestation server receives the boot report
- Changes are identified and managed
Salting-Database
A cryptographic hash produces a fixed-length string from arbitrary-length plaintext data using an algorithm such as SHA. If the function is secure, it should not be possible to match the hash back to a plaintext. Hashing is mostly used to prove integrity.
A salt is an additional value stored with the hashed data field. The purpose of salt is to frustrate attempts to crack the hashes. It means that the attacker cannot use pre-computed tables of hashes using dictionaries of plaintexts. These tables have to be recompiled to include the salt value. The salt is not kept secret, because any system verifying the hash must know the value of the salt. It simply means that an attacker cannot use pre-computed tables of hashes. The hash values must be recompiled with the specific salt value for each password.
Adding some salt
• Salt - Random data added to a password when hashing
• Every user gets their own random salt
- The salt is commonly stored with the password
• Rainbow tables won't work with salted hashes
- Additional random value added to the original password
• This slows down the brute force process
- It doesn't completely stop the reverse engineering
• Each user gets a different random hash
- The same password creates a different hash
hashing-Database
A function that converts an arbitrary length string input to a fixed length string output. A cryptographic hash function does this in a way that reduces the chance of collisions, where two different inputs produce the same output. Also known as a message digest.
• Hashes represent data as a fixed-length string of text
- A message digest, or "fingerprint"
• Will not have a collision (hopefully)
- Different inputs will not have the same hash
• One-way trip
- Impossible to recover the original message from the digest
- A common way to store passwords
Represent data as a short string of text
- A message digest
• One-way trip
- Impossible to recover the original message from the digest
- Used to store passwords / confidentiality
• Verify a downloaded document is the same as the original
- Integrity
• Can be a digital signature
- Authentication, non-repudiation, and integrity
• Will not have a collision (hopefully)
- Different messages will not have the same hash
Endpoint Detection & Response (EDR) - (Endpoint Protection)
A software agent that collects system data and logs for analysis by a monitoring system to provide early detection of threats. The product's aim is not to prevent initial execution, but to provide real-time and historical visibility into the compromise, contain the malware within a single host, and facilitate remediation of the host to its original state. Where earlier endpoint protection suites report to an on-premises management server, next-generation endpoint agents are more likely to be managed from a cloud portal and use artificial intelligence (AI) and machine learning to perform user and entity behavior analysis. These analysis resources would be part of the security service provider's offering.
A different method of threat protection
- Scale to meet the increasing number of threats
• Detect a threat
- Signatures aren't the only detection tool
- Behavioral analysis, machine learning, process monitoring
- Lightweight agent on the endpoint
• Investigate the threat
- Root cause analysis
• Respond to the threat
- Isolate the system, quarantine the threat, rollback to a previous config
- API driven, no user or technician intervention required
host-based firewall (Endpoint protection)
A software application running on a single host and designed to protect only that host. As well as enforcing packet filtering ACLs, a personal firewall can be used to allow or deny software processes from accessing the network.
Software-based firewall
- Personal firewall, runs on every endpoint
• Allow or disallow incoming or outgoing application traffic
- Control by application process
- View all data
• Identify and block unknown processes
- Stop malware before it can start
• Manage centrally
unified extensible firmware interface (UEFI) - Boot integrity
A type of system firmware providing support for 64-bit CPU operation at boot, full GUI and mouse operation at boot, and better boot security.
Secure Boot
- Part of the UEFI specification
• UEFI BIOS protections
- BIOS includes the manufacturer's public key
- Digital signature is checked during a BIOS update
- BIOS prevents unauthorized writes to the flash
• Secure Boot verifies the bootloader
- Checks the bootloader's digital signature
- Bootloader must be signed with a trusted certificate
- Or a manually approved digital signature
Allow / block / deny list -Application security
Allow list - A security configuration where access is denied to any entity (software process, IP/domain, and so on) unless the entity appears on the list. It is a highly restrictive policy that means only running authorized processes and scripts. Allowing only specific applications that have been added to a list will inevitably hamper users at some point and increase support time and costs. For example, a user might need to install a conferencing application at short notice.
Block list - A security configuration where access is generally permitted to any entity (software process, IP/domain, and so on) unless the entity appears on a list.
Any application can be dangerous
• Vulnerabilities, trojan horses, malware
• Security policy can control app execution
- Allow list, deny/block list
• Allow list
- Nothing runs unless it's approved
- Very restrictive
• Deny list
- Nothing on the "bad list" can be executed
- Anti-virus, anti-malware
Examples of allow and deny lists
• Decisions are made in the operating system
- Often built-in to the operating system management
• Application hash
- Only allows applications with this unique identifier
• Certificate
- Allow digitally signed apps from certain publishers
• Path
- Only run applications in these folders
• Network zone
- The apps can only run from this network zone
Hypertext Transfer Protocol (HTTP) headers -Application security
An additional layer of security
• Add these to the web server configuration
- You can't fix every bad application
• Enforce HTTPS communication
- Ensure encrypted communication
• Only allow scripts, stylesheets, or images from the local site
- Prevent XSS attacks
• Prevent data from loading into an inline frame (iframe)
- Also helps to prevent XSS attacks
Input validations-Application Security
Any technique used to ensure that the data entered into a field or variable in an application is handled appropriately by that application.
What is the expected input?
- Validate actual vs. expected
• Document all input methods
- Forms, fields, type
• Check and correct all input (normalization)
- A zip code should be only X characters long with a letter in the X column
- Fix any data with improper input
• The fuzzers will find what you missed
- Don't give them an opening
• Server-side validation - The main issue with server-side validation is that it can be time-consuming, as it may involve multiple transactions between the server and client.
- All checks occur on the server
- Helps protect against malicious users
- Attackers may not even be using your interface
• Client-side validation - The main issue with client-side validation is that the client will always be more vulnerable to some sort of malware interfering with the validation process.
- The end-user's app makes the validation decisions
- Can filter legitimate input from genuine users
- May provide additional speed to the user
• Use both
- But especially server-side validation
Patch management - Hardening
Patch - A small unit of supplemental code meant to address either a security problem or a functionality flaw in a software package or operating system. Automated vulnerability scanners can be effective at discovering missing patches.
Patch management - Identifying, testing, and deploying OS and application updates. Patches are often classified as critical, security-critical, recommended, and optional. On residential and small networks, hosts will be configured to auto-update, meaning that they check for and install patches automatically.
Patch management
• Incredibly important
- System stability, security fixes
• Monthly updates
- Incremental (and important)
• Third-party updates
- Application developers, device drivers
• Auto-update
- Not always the best option
• Emergency out-of-band updates
- Zero-day and important security discoveries
Secure Cookies-Application Security
Cookies can be a vector for session hijacking and data exposure if not configured correctly. Avoid using persistent cookies for session authentication. Always use a new cookie when the user reauthenticates. Set the Secure attribute to prevent a cookie being sent over unencrypted HTTP. Set the HttpOnly attribute to make the cookie inaccessible to document object model/client-side scripting. Use the SameSite attribute to control from where a cookie may be sent, mitigating request forgery attacks.
Cookies
• Information stored on your computer by the browser
• Used for tracking, personalization, session management
• Not executable, not generally a security risk
- Unless someone gets access to them
• Secure cookies have a Secure attribute set
- Browser will only send it over HTTPS
• Sensitive information should not be saved in a cookie
- This isn't designed to be secure storage
host-based intrusion detection/prevention system (HIDS/HIPS) -(Endpoint protection)
HIDS provide threat detection via log and file system monitoring. HIDS come in many different forms with different capabilities, some of them preventative (HIPS).
- Captures information from a single host, such as a server, router, or firewall.
- HIDS software produces similar output to an anti-malware scanner. If the software detects a threat, it may just log the event or display an alert. The log should show you which process initiated the event and what resources on the host were affected.
A major feature of HIDS is file integrity monitoring (FIM) - A type of software that reviews system files to ensure that they have not been tampered with. File system integrity monitoring uses signatures to detect whether a managed file image, such as an OS system file, driver, or application executable, has changed. Products may also monitor ports and network interfaces, and process data and logs generated by specific applications, such as HTTP or FTP.
Host-based Intrusion Detection System (HIDS)
- Uses log files to identify intrusions
- Can reconfigure firewalls to block
• Host-based Intrusion Prevention System (HIPS)
- Recognize and block known attacks
- Secure OS and application configs, validate incoming service requests
- Often built into endpoint protection software
• HIPS identification
- Signatures, heuristics, behavioral
- Buffer overflows, registry updates, writing files to the Windows folder
- Access to non-encrypted data
Endpoint Protection
The idea of what we would call antivirus software, but looking more holistically at everything that is necessary to protect.
• The user's access
- Applications and data
• Stop the attackers
- Inbound attacks, outbound attacks
• Many different platforms
- Mobile, desktop
• Protection is multi-faceted
- Defense in depth
DLP Data Loss Prevention (Endpoint Protection)
Many EPPs include a data loss prevention (DLP) agent. This is configured with policies to identify privileged files and strings that should be kept private or confidential, such as credit card numbers. The agent enforces the policy to prevent data from being copied or attached to a message without authorization.
Content filter - A software application or gateway that filters client requests for various types of internet content (web, FTP, IM, and so on). Designed to apply a number of user-focused filtering rules, such as blocking uniform resource locators (URLs) that appear on content blacklists or applying time-based restrictions to browsing.
SWG - Content filters are now usually implemented as a class of product called a secure web gateway (SWG). An SWG performs threat analysis and often integrates the functionality of data loss prevention (DLP) and cloud access security brokers (CASB) to protect against the full range of unauthorized egress threats, including malware command and control and data exfiltration.
Where's your data?
- Social Security numbers, credit card numbers, medical records
• Stop the data before the attacker gets it
- Data "leakage"
• So many sources, so many destinations
- Often requires multiple solutions
- Endpoint clients
- Cloud-based systems
- Email, cloud storage, collaboration tools
hardware root of trust (ROT) Trusted platform module (TPM) - hardening
ROT - A set of functions in the trusted computing module that is always trusted by the computer's operating system (OS).
- A cryptographic module embedded within a computer system that can endorse trusted execution and attest to boot settings and metrics.
- A secure subsystem that is able to provide attestation. Attestation means that a statement made by the system can be trusted by the receiver. For example, when a computer joins a network, it might submit a report to the network access control (NAC) server declaring, "My operating system files have not been replaced with malicious versions." The hardware root of trust is used to scan the boot metrics and OS files to verify their signatures, then it signs the report. The NAC server can trust the signature and therefore the report contents if it can trust that the signing entity's private key is secure.
The RoT is usually established by a type of cryptoprocessor called a trusted platform module (TPM) - A specification for hardware-based storage of digital certificates, encryption keys, hashed passwords, and other user and platform identification information. The TPM is implemented either as part of the chipset or as an embedded function of the CPU. Each TPM is hard-coded with a unique, unchangeable asymmetric private key called the endorsement key. This endorsement key is used to create various other types of subkeys used in key storage, signature, and encryption operations.
Boot Attestation - Boot integrity
A report of boot state integrity data that is signed by a tamper-proof TPM key and reported to a network server. Boot attestation is the capability to transmit a boot log report signed by the TPM via a trusted process to a remote server, such as a network access control server. The boot log can be analyzed for signs of compromise, such as the presence of unsigned drivers. The host can be prevented from accessing the network if it does not meet the required health policy or if no attestation report is received.
Sandboxing
Sandboxing is a technique that isolates an untrusted host or app in a segregated environment to conduct tests. Sandbox environments intentionally limit interfaces with the host environment. The analysis of files sent to a sandbox can include determining whether the file is malicious, how it might have affected certain systems if run outside of the sandbox, and what dependencies it might have with external files and hosts. Sandboxes offer more than traditional anti-malware solutions because you can apply a variety of different environments to the sandbox instead of just relying on how the malware might exist in your current configuration.
- Sandboxing, isolating trusted processes, and proper handling of errors and exceptions
Sandboxing
• Applications cannot access unrelated resources
- They play in their own sandbox
• Commonly used during development
- Can be a useful production technique
• Used in many different deployments
- Virtual machines
- Mobile devices
- Browser iframes (Inline Frames)
- Windows User Account Control (UAC)
Secure coding practices-Application security
Secure coding concepts
• A balance between time and quality
- Programming with security in mind is often secondary
• Testing, testing, testing
- The Quality Assurance (QA) process
• Vulnerabilities will eventually be found
- And exploited
Stored procedures
• SQL databases
- Client sends detailed requests for data
- 'SELECT * FROM wp_options WHERE option_id = 1'
• Client requests can be complex
- And sometimes modified by the user
- This would not be good
• Stored procedures limit the client interactions
- 'CALL get_options'
- That's it. No modifications to the query are possible.
• To be really secure, use only stored procedures
- The application doesn't use any SQL queries
Obfuscation/camouflage
• Obfuscate
- Make something normally understandable very difficult to understand
• Take perfectly readable code and turn it into nonsense
- The developer keeps the readable code and gives you the chicken scratch
- Both sets of code perform exactly the same way
• Helps prevent the search for security holes
- Makes it more difficult to figure out what's happening
- But not impossible
Code reuse/dead code
• Code reuse
- Use old code to build new applications
- Copy and paste
• If the old code has security vulnerabilities, reusing the code spreads it to other applications
- You're making this much more difficult for everyone
• Dead code
- Calculations are made, code is executed, results are tallied
- The results aren't used anywhere else in the application
• All code is an opportunity for a security problem
- Make sure your code is as alive as possible
Input validation
• What is the expected input?
- Validate actual vs. expected
• Document all input methods
- Forms, fields, type
• Check and correct all input (normalization)
- A zip code should be only X characters long with a letter in the X column
- Fix any data with improper input
• The fuzzers will find what you missed
- Don't give them an opening
Validation points
• Server-side validation
- All checks occur on the server
- Helps protect against malicious users
- Attackers may not even be using your interface
• Client-side validation
- The end-user's app makes the validation decisions
- Can filter legitimate input from genuine users
- May provide additional speed to the user
• Use both
- But especially server-side validation
Memory management
• As a developer, you must be mindful of how memory is used
- Many opportunities to build vulnerable code
• Never trust data input
- Malicious users can attempt to circumvent your code
• Buffer overflows are a huge security risk
- Make sure your data matches your buffer sizes
• Some built-in functions are insecure
- Use best practices when designing your code
Third-party libraries and SDKs
• Your programming language does everything
- Almost
• Third-party libraries and software development kits
- Extend the functionality of a programming language
• Security risk
- Application code written by someone else
- Might be secure. Might not be secure.
- Extensive testing is required
• Balancing act
- Application features vs. unknown code base
Data exposure
• So much sensitive data
- Credit card numbers, social security numbers, medical information, address details, email information
• How is the application handling the data?
- No encryption when stored
- No encryption across the network
- Displaying information on the screen
• All input and output processes are important
- Check them all for data exposure
Version control
• Create a file, make a change, make another change, and another change
- Track those changes, revert back to a previous version
• Commonly used in software development
- But also in operating systems, wiki software, and cloud-based file storage
• Useful for security
- Compare versions over time
- Identify modifications to important files
• A security challenge
- Historical information can be a security risk
Open ports and services -hardening
Services will open ports
- It's important to manage access
• Often managed with a firewall
- Manage traffic flows
- Allow or deny based on port number or application
• Firewall rulesets can be complex
- It's easy to make a mistake
• Always test and audit
- Double and triple check
Every open port is a possible entry point
- Close everything except required ports
• Control access with a firewall
- NGFW would be ideal
• Unused or unknown services
- Installed with the OS or from other applications
• Applications with broad port ranges
- Open port 0 through 65,535
• Use Nmap or similar port scanner to verify
- Ongoing monitoring is important
The following has been discovered in an internally developed application:
Error - Memory allocated but not freed:
    char *myBuffer = malloc(BUFFER_SIZE);
    if (myBuffer != NULL) {
        *myBuffer = STRING_WELCOME_MESSAGE;
        printf("Welcome to: %s\n", myBuffer);
    }
    exit(0);
Which of the following security assessment methods are likely to reveal this security weakness? (Select TWO).
A. Static code analysis
B. Memory dumping
C. Manual code review
D. Application sandboxing
E. Penetration testing
F. Black box testing
Static code analysis Manual code review
Static code analysis - The process of reviewing uncompiled source code either manually or using automated tools.
Manual code review - Human analysis of software source code is described as a manual code review. It is important that the code be reviewed by developers (peers) other than the original coders to try to identify oversights, mistaken assumptions, or a lack of knowledge or experience. It is important to establish a collaborative environment in which reviews can take place effectively.
Antivirus\ Anti-Malware (Endpoint Protection)
The first generation of antivirus (A-V) software is characterized by signature-based detection and prevention of known viruses. An "A-V" product will now perform generalized malware detection, meaning not just viruses and worms, but also Trojans, spyware, PUPs, cryptojackers, and so on. While A-V software remains important, signature-based detection is widely recognized as being insufficient for the prevention of data breaches.
Anti-virus is the popular term
- Refers specifically to a type of malware
- Trojans, worms, macro viruses
• Malware refers to the broad malicious software category
- Anti-malware stops spyware, ransomware, fileless malware
• The terms are effectively the same these days
- The names are more of a marketing tool
- Anti-virus software is also anti-malware software now
- Make sure your system is using a comprehensive solution
An on-access antivirus scanner or intrusion prevention system works by identifying when processes or scripts are executed and intercepting (or hooking) the call to scan the code first. If the code matches a signature of known malware or exhibits malware-like behavior that matches a heuristic profile, the scanner will prevent execution and attempt to take the configured action on the host file (clean, quarantine, erase, and so on). An alert will be displayed to the user and the action will be logged (and also may generate an administrative alert). The malware will normally be tagged using a vendor proprietary string and possibly by a CME (Common Malware Enumeration) identifier. These identifiers can be used to research the symptoms of and methods used by the malware. This may help to confirm the system is fully remediated and to identify whether other systems have been infected. It is also important to trace the source of the infection and ensure that it is blocked to prevent repeat attacks and outbreaks.
OS hardening
The process of applying all security patches and fixes to an operating system to make it as secure as possible. Many of the requirements can be applied automatically via a configuration baseline template. The essential principle is of least functionality; that a system should run only the protocols and services required by legitimate users and no more. This reduces the potential attack surface. The need for hardening must be balanced against the access requirements and usability in a particular situation.
Many and varied
- Windows, Linux, iOS, Android, et al.
• Updates
- Operating system updates/service packs, security patches
• User accounts
- Minimum password lengths and complexity
- Account limitations
• Network access and security
- Limit network access
• Monitor and secure
- Anti-virus, anti-malware
Registry -hardening
You will have separate configuration baselines for desktop clients, file and print servers, Domain Name System (DNS) servers, application servers, directory services servers, and other types of systems. In Windows, configuration settings are stored in the registry. Rights to modify the registry should only be issued to user and service accounts on a least privilege basis. A host-based intrusion detection system can be configured to alert on suspicious registry events.
The primary configuration database for Windows
- Almost everything can be configured from the registry
• Useful to know what an application modifies
- Many third-party tools can show registry changes
• Some registry changes are important security settings
- Configure registry permissions
- Disable SMBv1
Next-Generation Firewall (NGFW) - (Endpoint Protection)
A firewall that combines application-aware filtering with user account-based filtering and the ability to act as an intrusion prevention system (IPS).
- An analytics-driven next-gen antivirus product is likely to combine with the perimeter and zonal security offered by next-gen firewalls. For example, detecting a threat on an endpoint could automate a firewall policy to block the covert channel at the perimeter, isolate the endpoint, and mitigate risks of the malware using lateral movement between hosts. This type of functionality is set out in more detail in Sophos's white paper on synchronized security.
The OSI Application Layer
- All data in every packet
• Can be called different names
- Application layer gateway
- Stateful multilayer inspection, deep packet inspection
• Broad security controls
- Allow or disallow application features
- Identify attacks and malware
- Examine encrypted data
- Prevent access to URLs or URL categories