3.2: Given a Scenario, Implement Host or Application Security Solutions
Static Code Analyzers
- Static Application Security Testing (SAST) -> help to ID security flows - many security vulnerabilities found easily -> buffer overflows, database injections, etc - not everything can be ID'd through analysis -> authentication security, insecure cryptography, etc; don't rely on automation for everything - still have to verify all findings -> false positives are an issue
HTTP Secure Headers
- additional layer of security -> add to web server configuration (can't fix every bad application) - enforce HTTPS comms -> ensures encrypted comms - only allow scripts, stylesheets, or images from local site -> prevent XSS attacks - prevent data from loading into an inline frame (iframe) -> prevent XSS attacks
Measured Boot
- allows us to measure if any changes have occurred with OS - easy to check with only 1 computer; harder when there's 1,000 - UEFI stores a hash of the firmware, boot drivers, and everything else loaded during the Secure Boot and Trusted Boot process -> stored in the TPM - remote attestation -> device gives an operational report to a verification server; encrypted & digitally signed with TPM - attestation server receives the boot report -> changes are ID'd and managed
Code Signing
- an app is deployed -> users run app executable or scripts - many security questions -> has the app been modified in any way?; confirm that app was written by a specific developer? app code can be digitally signed by the developer - asymmetric encryption - trusted CA signs developer's public key - developer signs code with their private key - for internal apps, use your own CA
Anti-Virus and Anti-Malware
- anti-virus is the popular term -> refers specifically to a type of malware; trojans, worms, macro viruses - malware refers to broad malicious software category -> anti-malware stops spyware, ransomware, fillers malware - terms are effectively the same today -> names are more of a marketing tool; anti-virus is also anti-malware software now; make sure your system is using a comprehensive solution
Allow / Deny List
- any app can be dangerous -> vulnerabilities, trojan horses, malware - security policy can control app execution -> allow list, deny / block list - allow list -> nothing runs unless its approved, which is very restrictive - deny list -> nothing can be executed (anti-virus, anti-malware) Examples: - decisions made in the OS -> often built-in to OS management - app hash: only allows apps with this unique identifier - certificate: allow digitally signed apps from certain publishers - path: only runs apps in specific folders - network zone: apps only run from specific network zones
Sandboxing
- apps can't access unrelated resources - commonly used during development -> can be a useful production technique - used in many different deployments -> VMs, mobile devices, browser iframes (inline frames), Windows User Account Control (UAC)
Boot Integrity
- attack on systems is constant -> techniques are constantly changing - attackers compromise a device and want it to stay compromised -> very difficult to find a way to exploit a system; even more difficult to try to get back in a second time - boot process is a perfect infection point -> rootkits run in kernel mode; kernel level has full control of OS and can infect the system before OS starts; has same rights as OS - protecting boot process is important -> secure boot, trusted boot, and measured boot; chain of trust
Secure Coding Concepts
- balance between time & quality -> programming with security in mind comes secondary often - QA process - vulnerabilities will eventually be found and exploited
Trusted Boot
- bootloader verifies digital signature of OS kernel -> corrupted kernel will halt boot process - kernel verifies all of the other startup components -> boot drives, startup files - just before loading the drivers, Early Launch Anti-Malware (ELAM) starts -> checks every driver to see if it's trusted; Windows won't load untrusted driver
Secure Cookies
- cookies information stored on computer by the browser -> used for tracking, personalization, session management; not executable, not generally a security risk (unless someone gets access to them) - secure cookies have a secure attribute set -> browser will only send it over HTTPS - sensitive information should not be saved in a cookie -> not designed to be secure storage
Endpoint Protection
- endpoint: user's access (apps & data) - stop the attacks -> inbound/outbound attacks - many different platforms -> mobile, desktop - protection is multi-faceted -> defense in depth
Open Ports & Services
- every open port is a possible entry port -> only required ports are open - control access with a firewall -> NGFW would be ideal - unused or unknown services -> installed with OS or from other apps - apps with broad port ranges -> open port 0 through 65,535 - use Map or similar port scanner to verify -> ongoing monitoring is important
Hashing a Password
- hashes represent data as a fixed-length string of text -> message digest or "fingerprint" - won't have a collision (hopefully) -> different inputs won't have same hash - one-way trip -> impossible to recover original message from digest (common way to store passwords)
Patch Management
- incredibly important -> system stability, security fixes - monthly updates -> incremental (and important) - 3rd party updates -> app developers, device drivers - auto-update -> not always the best option - emergency out-of-band updates -> zero-day and important security discoveries
OS Hardening
- many and varied -> Windows, Linux, iOS, Android, etc - updates -> OS updates / service packs, security patches - user accounts -> minimum password lengths and complexity; account limitations - network access and security -> limit network access - monitor and secure -> anti-virus, anti-malware
Fuzzing Engines & Frameworks
- many different options -> platform specific, language specific, etc. - very time and processor resource heavy -> many, many different iterations to try; many fuzzing engines use high-probability tests - Carnegie Mellon Computer Emergency Response Team (CERT) -> CERT Basic Fuzzing Framework (BFF)
Application Hardening
- minimize attack surface -> remove all possible extra points - remove potential for all know vulnerabilities -> as well as the unknown - some hardening may have compliance mandates -> HIPAA servers, PCI DSS, etc resources: - Center for Internet Security (CIS) - Network and Security Institute (SANS) - National Institute of Standards & Technology (NIST)
Disk Encryption
- prevent access to app data files -> File System Encryption - Full Disk Encryption (FDE) -> everything on drive is encrypted; ex: BitLocker, FileVault, etc - Self-Encrypting Drive (SED) -> hardware-based full disk encryption; no OS software needed - opal storage specification -> standard for SED storage
Registry
- privacy configuration database for Windows -> almost everything can be configured here - useful to know what an app modifies -> many third party tools can show registry changes - some registry changes are important security settings -> configure registry permissions; disable SMBv1 - always backup before making any changes
Database Security
- protecting stored data and transmission of that data - intellectual property storage -> data is valuable - compliance issues -> PCI DSS, HIPAA, GDPR, etc - keep business running -> security provides continuuity - breaches are expensive -> keeps costs low
Tokenization
- replace sensitive data with a non-sensitive placeholder -> ex: SSN 266-12-1112 -> 691-61-8539 - common with credit card processing -> use a temporary token during payment; an attacker capturing card #'s can't use them later - not encryption or hashing -> original data and token aren't mathematically related; no encryption overhead
Adding Some Salt
- salt: random data added to a password when hashing - every user gets their own random salt -> salt is commonly stored with password - rainbow tables won't work with salted hashes -> additional value added to original password - slows down brute force process -> does not completely stop reverse engineering salting the has - each user gets a different random hash -> same password creates a different hash
UEFI BIOS Secure Boot
- secure boot -> part of UEFI specification UEFI BIOS protections - BIOS includes the manufacturer's public key - digital signature is checked during a BIOS update - BIOS prevents unauthorized writes to the flash secure boot verifies the bootloader - checks bootloader's digital signature - boot loader must be signed with a trusted certificate or a manually approved the digital signature
Hardware Root of Trust
- security is based on trust - trust has to start somewhere -> Trusted Platform Module (TPM), Hardware Security Module (HSM); designed to hardware root of trust - difficult to change or avoid -> it's hardware, won't work without hardware
Dynamic Analysis (Fuzzing)
- sending random input to an app -> fault-injecting, robustness testing, syntax testing, negative testing - looking for something out of the ordinary -> app crash, server error, exception 1988 University of Wisconsin class project - "Operating System Utility Program Reliability" - Professor Barton Miller - The Fuzz Generator
Endpoint Detection & Response (EDR)
- signatures are a set pattern that may be within the file or within the memory that is being used by malicious software - different method of threat protection -> scale to meet increasing # of threats - attacks have found a way outside of signature-based protection detect a threat - signatures aren't only detection tool - behavioral analysis, machine learning, process monitoring - lightweight agent on endpoint - investigate the threat -> root cause analysis - respond to threat -> isolate the system, quarantine the threat, rollback to a previous configuration; API driven, no user or technician intervention required
Host-Based Firewall
- software-based firewall -> personal firewall, runs on every endpoint - allow / disallow incoming / outgoing app traffic -> control by app process; view all data - ID & block unknown processes -> stops malware before it starts - manage centrally
Trusted Platform Module (TPM)
- specification for cryptographic functions -> hardware to help with encryption functions - cryptographic processor -> random # generator, key generator - persistent memory -> comes with unique keys burned in during production - versatile memory -> storage keys, hardware configuration information - password protected -> no dictionary attacks; anti brute force technology
Data Loss Prevention (DLP)
- stop data before attacker gets it -> data "leakage" so many sources, so many destinations - often requires multiple solutions - endpoint clients - cloud-based systems -> email, cloud storage, collaboration tools
Next-Generation Firewall (NGFW)
- traditionally, firewalls allow or block traffic based on an IP address and port # - can identify the apps that are flowing across the network, regardless or IP address or port - OSI Application Layer -> all data in every packet - aka Application Layer Gateway, Stateful Multilayer Inspection, Deep Packer Inspection broad security controls - allow / disallow app features - ID attacks & malware - examine encrypted data - prevent access to URLs or URL categories
Input Validation
- validate actual vs. expected input - document all input methods -> forms, fields, type - check and correct all input (normalization) -> fix any data with improper input - fuzzers will find what was missed
Finding Intrusions
Host-Based Intrusion Detection System (HIDS) - uses log files to ID intrusions - can reconfigure firewalls to block Host-Based Intrusion Prevention System (HIPS) - recognize and block known attacks - secure OS & app configs, validate incoming service requests - often built into endpoint protection software HIPS Identification - signatures, heuristics, behavioral -> signatures: look at flow of data itself as it goes across the network -> heuristic: ID when large changes may be occurring and investigate why they're happening -> behavioral: if certain behavior occurs, even though we don't have a signature and though no major change to alert heuristics, can ID things out of the ordinary - buffer overflows, registry updates, writing files to Windows folder - access to non-encrypted data