CompTIA3.2
An __product's aim is not to prevent initial execution, but to provide real-time and historical *visibility into the compromise, contain the malware *within a single host, and facilitate remediation of the host to its original state.
Endpoint detection and response (EDR)
Another crucial step in hardening is to configure__for automatic detection and prevention of malware threats. There have been many iterations of host-based/endpoint protection suites and agents. It is important to consider the contrasting functions performed, as individual software tools or protection suites often combine multiple functionality.
Endpoint protection
__is a permissive policy that *only prevents execution of listed processes and scripts. *It is vulnerable to software that has not previously been identified as malicious (or capable of or vulnerable to malicious use).
Block list/deny list
Boot Integrity
Boot Integrity
___is the capability to transmit a boot log report signed by the TPM via a trusted process to a remote server, such as a network access control server..(report boot metrics and signatures)
Boot attestation
Most PCs and smartphones implement the __ provides code that allows the host to boot to an OS__can enforce a number of boot integrity checks.
Boot security/Unified Extensible Firmware Interface (UEFI)
__is the principal means of proving the authenticity and integrity of code (an executable or a script). The developer creates a cryptographic hash of the file then signs the hash using his or her private key. The program is shipped with a copy of the developer's code signing certificate, which contains a public key that the destination computer uses to read and verify the signature. The OS then prompts the user to choose whether to accept the signature and run the program.
Code signing
The agent enforces the policy to prevent data from being copied or attached to a message without authorization___
Data Loss Prevention(DLP)
Hashing is used for two main purposes within a database: • As an indexing method to speed up searches and provide deidentified references to records. • As a storage method for data such as passwords where *the original plaintext does not need to be retained.*(discarding the original data for identifier)
Database
*Persistent storage* holds user data generated by applications, plus cached credentials. *__* is essential to data security. Self encrypting drives can be used so that all data-at-rest is always stored securely.
Disk encryption
___means that the application is tested under "real world" conditions using a staging environment.
Dynamic code analysis
___is a highly restrictive policy that means only running authorized processes and scripts. *Allowing only specific applications that have been added to a list *will inevitably hamper users at some point and increase support time and costs.
Allow list
An "A-V" product will now perform generalized __ detection, meaning not just viruses and worms, but also Trojans, spyware, *PUPs(potentially unwanted programs) *, cryptojackers, and so on.
Anti-malware
The first generation of __ software is characterized by signature-based detection and prevention of known viruses.
Antivirus(A-V)
Web Application Security With web application, special attention must be paid to secure cookies and options for HTTP response header security.//(The header identifies the source and destination of the packet, while the actual data is referred to as the payload.)
Application security
be configured to ___, meaning that they check for and install patches automatically....need to be cautious about this sort of automated deployment, however, as a patch that is incompatible with an application or workflow can cause availability issues.
Auto-update
___g is a means of testing that an application's input validation routines work well. __means that the test or vulnerability scanner generates large amounts of deliberately invalid and/or random input and records the responses made by the application. This is a form of "stress testing".There are generally three types of fuzzers, representing different ways of injecting manipulated input into the application: • Application UI—identify input streams accepted by the application, such as input boxes, command line switches, or import/export functions. • Protocol—transmit manipulated packets to the application, perhaps using unexpected values in the headers or payload. • File format—attempt to open files whose format has been manipulated, perhaps manipulating specific features of the file.
Fuzzing
The process of putting an operating system or application in a secure configuration(reducing attack surface) is called __.
Hardening
A___or trust anchor is a secure subsystem that is able to provide attestation. Attestation means that a statement made by the system can be trusted by the receiver. For example, when a computer joins a network, it might submit a report to the network access control (NAC) server declaring, "My operating system files have not been replaced with malicious versions." The hardware root of trust is used to scan the boot metrics and OS files to verify their signatures, then it signs the report. The NAC server can trust the signature and therefore the report contents if it can trust that the signing entity's private key is secure
Hardware root of trust
A cryptographic hash produces a fixed-length string from arbitrary-length plaintext data using an algorithm such as SHA. If the function is secure, it should not be possible to match the hash back to a plaintext.Hashing is mostly used to prove integrity. If two sources have access to the same plaintext, they should derive the same hash value
Hashing
__HIDS come in many different forms with different capabilities, some of them preventative (___).File system integrity monitoring uses signatures to detect whether a managed file image—such as an OS system file, driver, or application executable—has changed.
Host-based intrusion detection system (HIDS)
___provide threat detection via log and file system monitoring.
Host-based intrusion prevention system (HIPS)
___.Some of the most important security-relevant header options are:•HTTP Strict Transport Security (HSTS)—forces browser to connect using HTTPS only, mitigating downgrade attacks, such as SSL stripping. • Content Security Policy (CSP)—mitigates clickjacking(//that is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page), script injection, and other client-side attacks. Note that X-Frame-Options and X-XSS-Protection provide mitigation for older browser versions, but are now deprecated in favor of CSP. • Cache-Control—sets whether the browser can cache responses. Preventing caching of data protects confidential and personal information where the client device might be shared by multiple users.
Hypertext Transfer Protocol (HTTP) headers
A primary vector for attacking applications is to exploit faulty __.Input could include user data entered into a form or URL passed by another application as a URL or HTTP header....There must be routines to check user input(/API input), and anything that does not conform to what is required must be rejected.
Input validations
Human analysis of software source code is described as a___
Manual code review
A trusted or ___process uses platform configuration registers (PCRs) in the TPM at each stage in the boot process to check whether hashes of key systemstate data (boot firmware, boot loader, OS kernel, and critical drivers) have changed.
Measured boot
___product is likely to combine with the perimeter and zonal security offered by next-gen firewalls. For example, *detecting a threat on an endpoint could automate a firewall policy to block the covert channel(&fileless threats)* at the perimeter, isolate the endpoint, and *mitigate risks of the malware using lateral movement between hosts.*
Next-generation firewall (NGFW)
Early types of SEDs used proprietary mechanisms, but many vendors now develop to the __(standards for implementing device encryption on storage devices)Storage Specification(opal specification compliant)
Opal
No operating system, software application, or firmware implementation is wholly free from vulnerabilities....Scanning is only useful if effective procedures are in-place to apply the missing patches, however....configured to auto-update, meaning that they check for and install patches automatically....be cautious about this sort of automated deployment, however, as a patch that is incompatible with an application or workflow can cause availability issues....These issues can be mitigated by deploying an enterprise patch management suite.
Patch management
You will have separate configuration baselines for desktop clients, file and print servers, Domain Name System (DNS) servers, application servers, directory services servers, and other types of systems. In Windows, configuration settings are stored in the registry. On a Windows domain network, each domain-joined computer will receive *policy settings from one or more group policy objects (GPOs)*. These policy settings are applied to the registry each time a computer boots. Where hosts are centrally managed and running only authorized apps and services, there should be relatively little reason for security-relevant registry values to change. Rights to modify the registry should only be issued to user and service accounts on a least privilege basis(//The Principle of Least Privilege states that a subject should be given only those privileges needed for it to complete its task. If a subject does not need an access right, the subject should not have it). A host-based intrusion detection system can be configured to alert *suspicious registry events.*
Registry
A salt is an additional value stored with the hashed data field. The purpose of salt is to frustrate attempts to crack the hashes. It means that the attacker cannot use pre- computed tables of hashes using dictionaries of plaintexts. These tables have to be recompiled to include the salt value.
Salting
__is a technique that isolates an untrusted host or app in a segregated environment to conduct tests.
Sandboxing
14CSecure Coding Practices
Secure coding practices
Secure Cookies Cookies can be a vector for session hijacking and data exposure if not configured correctly .... Some of the key parameters for the SetCookie header are: • *Avoid using persistent cookies for session authentication.* Always use a new cookie when the user reauthenticates. • *Set the Secure attribute* to prevent a cookie being sent over unencrypted HTTP. • *Set the HttpOnly attribute* to make the cookie inaccessible to document object model(//is a programming interface for web documents.)/client-side scripting. • *Use the SameSite attribute* to control from where a cookie may be sent, mitigating request forgery attacks.
Secure cookies
___(or source code analysis) is performed against the application code before it is packaged as an executable process. The analysis software must support the programming language used by the source code. The software will scan the source code for signatures of known issues
Static code analysis
__means that all or part of data in a field is replaced with a randomly generated token. The token is stored with the original value on a token server or token vault, separate to the production database. An authorized query or app can retrieve the original value from the vault, if necessary, so___ is a reversible technique.
Tokenization
The RoT is usually established by a type of cryptoprocessor called__.__ is a specification for *hardware-based storage of encryption keys*, hashed passwords, and other user and platform identification information.....Each___ is hard-coded with a unique, unchangeable asymmetric private key called the *endorsement key*. This endorsement key is used to create various other types of *sub-keys used in key storage, signature, and encryption operations*. The__also supports the concept of an *owner, usually identified by a password* (
Trusted Platform Module (TPM)
•___means that the entire contents of the drive (or volume), including system files and folders, are encrypted....__requires the secure storage of the key used to encrypt the drive contents. Normally, this is stored in a TPM....It is also possible to use a removable USB drive (if USB is a boot device option)). As part of the setup process, you create a recovery password or key.(encryption key secured with user password)•___where the cryptographic operations are performed by the drive controller. The SED uses a symmetric data/media encryption key (DEK/MEK) for bulk encryption and stores the DEK securely by encrypting it with an asymmetric key pair called either the authentication key (AK) or key encryption key (KEK).Use of the AK is authenticated by the user password. This means that the user password can be changed without having to decrypt and re-encrypt the drive.
full-disk encryption (FDE)/self-encrypting drives (SED)