Security+ SY0-601: 3.2: Host and Application Security

Chapter 18: Host and Application Security

Endpoint protection

Antivirus

Anti-malware

EDR: Endpoint detection and response

DLP: Data Loss Prevention

Cloud

Email

USB

Next-generation firewall (NGFW)

Host-based firewall

IDS / IPS

Signature-based

Heuristic

Anomaly

Inline vs. Passive

In-band vs. Out-of-band

Detection and notification vs. detection and prevention

Snort

Host-based intrusion prevention system (HIPS)

Host-based intrusion detection system (HIDS)

Network-based vs host-based

False positive

False negative

Boot integrity

Boot security

Unified Extensible Firmware Interface (UEFI)

Measured boot

Boot attestation

Database

Tokenization

Salting

Hashing

Application security

Input validation

Secure cookies

Hypertext Transfer Protocol (HTTP) headers

Code signing

Allow list

Block list/deny list

Secure coding practices

Static code analysis

Manual code review

Dynamic code analysis

Fuzzing

Hardening

Open ports and services

Registry

Disk encryption

OS

Patch management

Third-party updates

Auto-update

–> See “Hardening Servers” below for individual services.

Self-encrypting drive (SED)/full-disk encryption (FDE)

Opal

Hardware root of trust

Trusted Platform Module (TPM)

Sandboxing

Hardening Servers and Services

You are personally responsible for staying current with vulnerabilities. Subscribe to the security bulletins of the vendors whose software you run and to patch-management feeds such as those from Shavlik Technologies.

      • Tightly configure ACLs.
      • Delete sample files.
      • Delete sample scripts!
      • Delete unused or obsolete scripts and software.
      • Use IPsec, SSH (TCP port 22) or TLS (HTTPS on TCP port 443) to encrypt sensitive traffic. Note that SSL/TLS is not tied to port 22; that is SSH.

Web Servers

Web servers (HTTP, TCP port 80; HTTPS, TCP port 443) should provide only this service.

Web servers should live in a DMZ (screened subnet), not on the internal network behind the main firewall.

Use HTTPS (HTTP over TLS, TCP port 443) to encrypt sensitive traffic. The older "Secure HTTP" (S-HTTP) is a different, obsolete protocol and is not what browsers use.

Email Servers

E-mail servers should live in a DMZ (screened subnet), not on the internal network behind the main firewall.

E-mail servers should provide only the mail services they need: SMTP (TCP port 25) for receiving mail from other servers, message submission (TCP port 587) for clients, and POP3 (TCP port 110) or IMAP (TCP port 143) for mailbox access, preferably over TLS (POP3S on 995, IMAPS on 993).

E-mail system administrators must know what an "open relay" is (a server that accepts mail from any outside sender to any outside recipient, which spammers will use to launder their traffic) and must make sure their server is not one.

Visit http://www.abuse.net/relay.html, enter the name of your email server, and click "Test for relay" for independent verification. Test from outside your own network: a server is normally allowed to relay for its own internal clients, so a check from inside proves nothing.
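The relay test described above can be reproduced locally. The following is an added example, not code from the page or from abuse.net: it drives only the SMTP envelope (EHLO, MAIL FROM, RCPT TO with an outside sender and an outside recipient), then RSETs and QUITs before DATA so nothing is ever queued. A 250 to the RCPT TO is the open-relay signal. To keep it runnable offline, it also carries a constructed fake SMTP server that can be switched between "relays everything" and "accepts mail only for its own domain"; the hostnames, addresses and domain example.com are assumptions for the demo.

```python
"""Open-relay probe plus a constructed SMTP server to probe against.

Verdict logic: walk the envelope with an outside sender and recipient and stop
before DATA.  250 to RCPT TO means the server would relay; 5xx means it won't.
"""
import smtplib
import socketserver
import threading

LOCAL_DOMAIN = b"example.com"   # constructed: the only domain the fake server accepts mail for


def check_open_relay(host, port, sender="probe@example.net",
                     recipient="someone@example.org", timeout=10):
    """Return True if host:port agrees to relay from `sender` to `recipient`,
    both of which lie outside the server's own domain."""
    with smtplib.SMTP(host, port, local_hostname="probe.localdomain",
                      timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, _ = smtp.mail(sender)
        if code != 250:
            return False                 # outside sender rejected outright
        code, _ = smtp.rcpt(recipient)
        smtp.rset()                      # abandon the envelope; never send DATA
        return code in (250, 251)        # 5xx here means relaying is refused


class FakeSMTPHandler(socketserver.StreamRequestHandler):
    """Minimal constructed SMTP server.  Relays everything when
    server.open_relay is True, otherwise accepts RCPT TO only for LOCAL_DOMAIN."""

    def send(self, reply):
        self.wfile.write(reply + b"\r\n")

    def handle(self):
        self.send(b"220 mail.example.com ESMTP constructed-test-server")
        for raw in self.rfile:
            line = raw.rstrip(b"\r\n")
            verb = line.split(b" ", 1)[0].upper()
            if verb in (b"EHLO", b"HELO"):
                self.send(b"250 mail.example.com")
            elif verb == b"MAIL":
                self.send(b"250 2.1.0 Ok")
            elif verb == b"RCPT":
                addr = line[line.find(b"<") + 1:line.find(b">")].lower()
                if self.server.open_relay or addr.endswith(b"@" + LOCAL_DOMAIN):
                    self.send(b"250 2.1.5 Ok")
                else:
                    self.send(b"554 5.7.1 Relay access denied")
            elif verb == b"RSET":
                self.send(b"250 2.0.0 Ok")
            elif verb == b"QUIT":
                self.send(b"221 2.0.0 Bye")
                return
            else:
                self.send(b"502 5.5.2 Command not implemented")


class FakeSMTPServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, open_relay):
        super().__init__(("127.0.0.1", 0), FakeSMTPHandler)   # port 0: pick a free port
        self.open_relay = open_relay


def probe_fake_server(open_relay):
    """Start the constructed server in the given mode, probe it, return the verdict."""
    server = FakeSMTPServer(open_relay)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_open_relay(*server.server_address)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for mode in (True, False):
        print(f"server open_relay={mode}: relay accepted -> {probe_fake_server(mode)}")
```

Against a real server, call `check_open_relay("mail.yourdomain.example", 25)` from a host outside your network; the same function works because it never depends on the fake server. Sending a real message through would be the stronger proof, but the envelope check is what most relay testers do and it leaves nothing in the queue.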

FTP Servers

Old-fashioned FTP is highly vulnerable because it sends login names, passwords and file contents in cleartext. Prefer SFTP (file transfer over SSH) or FTPS (FTP over TLS) wherever possible.

If plain FTP must stay, prefer Passive FTP to the older Active FTP. In active mode the client must open a listening port for the data connection, which the client's firewall or NAT usually blocks. In passive mode the server listens on an ephemeral port instead, so the server firewall needs only a defined passive port range opened.

https://stackoverflow.com/questions/1699145/what-is-the-difference-between-active-and-passive-ftp

Turn off Anonymous Login unless it is critical to provide it.

Set the ACL to read-only whenever possible.

Limit the number of login attempts.

Limit the number of sessions.

DNS Servers

DNS servers are high-value targets: a compromised or poisoned resolver silently redirects every client that trusts it, and an authoritative server describes the layout of the network it serves.

Secondary DNS servers copy zone data from the primary through zone transfers (AXFR/IXFR, over TCP port 53). A server that answers zone-transfer requests from anyone hands an attacker a complete inventory of the hosts in the zone.

Recursive DNS servers can be attacked by cache poisoning, in which forged responses are planted in the resolver's cache. This is a separate problem from zone transfers.

      • Do not simply "close port 53": every DNS query arrives on port 53 (UDP, with TCP for large answers and transfers), so that breaks the service. Instead, explicitly designate which servers may request zone transfers (for example, BIND's allow-transfer statement) and authenticate them with TSIG keys rather than trusting source IP addresses alone.
      • Separate the authoritative and recursive roles, and allow recursion only for your own clients; an open recursive resolver is the usual cache-poisoning target.
      • Sign your zones with DNSSEC so that validating resolvers can detect forged answers. DNSSEC protects the integrity of the zone data, not the transfer channel itself; use TSIG for that.
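To make the zone-transfer advice concrete, here is an added example (not from the page, and not a BIND tool) that audits a BIND named.conf fragment. Both configurations are constructed for this example: the weak one allows transfers to any and recurses on an authoritative server; the hardened one restricts transfers to a TSIG key and turns recursion off. The key name xfer-key and the zone example.com are assumptions. The parser handles only top-level options and zone blocks and strips comments; it is not a full named.conf grammar.

```python
"""Audit named.conf (BIND) fragments for unrestricted zone transfers and for an
authoritative server that also recurses.  Configs below are constructed."""
import re

WEAK_NAMED_CONF = """\
options {
    directory "/var/named";
    allow-transfer { any; };      // weak: anyone can AXFR every zone
    recursion yes;                // weak: open recursive resolver
};
zone "example.com" {
    type primary;
    file "example.com.zone";
};
"""

HARDENED_NAMED_CONF = """\
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-tsig-keygen-OUTPUT";
};
options {
    directory "/var/named";
    allow-transfer { none; };     // default for every zone unless overridden
    recursion no;                 // authoritative only; recurse elsewhere
};
zone "example.com" {
    type primary;
    file "example.com.zone";
    allow-transfer { key xfer-key; };   // only TSIG-authenticated secondaries
};
"""


def _strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def _blocks(text):
    """Yield (kind, name, body) for top-level options/zone blocks, matching braces."""
    for m in re.finditer(r'\b(options|zone)\b\s*(?:"([^"]+)")?\s*\{', text):
        depth, i = 1, m.end()
        while depth:
            depth += (text[i] == "{") - (text[i] == "}")
            i += 1
        yield m.group(1), m.group(2), text[m.end():i - 1]


def _allow_transfer(body):
    """Return the allow-transfer match list as a list of tokens, or None if unset."""
    m = re.search(r"allow-transfer\s*\{([^}]*)\}", body)
    if not m:
        return None
    return [t.strip() for t in m.group(1).split(";") if t.strip()]


def audit_named_conf(text):
    """Return a list of (zone, severity, message) findings."""
    text = _strip_comments(text)
    findings, global_xfer, recursion, zones = [], None, None, []
    for kind, name, body in _blocks(text):
        if kind == "options":
            global_xfer = _allow_transfer(body)
            r = re.search(r"recursion\s+(yes|no)", body)
            recursion = r.group(1) if r else None
        else:
            zones.append((name, _allow_transfer(body)))
    for name, xfer in zones:
        effective = xfer if xfer is not None else global_xfer   # zone overrides options
        if effective is None:
            findings.append((name, "medium", "allow-transfer not set; set it explicitly"
                                             " (older BIND releases default to any)"))
        elif "any" in effective:
            findings.append((name, "high", "allow-transfer { any; }: anyone can AXFR the zone"))
        elif not any(t.startswith("key ") for t in effective):
            findings.append((name, "low", "transfers restricted by IP only; add a TSIG key"
                                          " so a spoofed source cannot pull the zone"))
    if zones and recursion != "no":
        findings.append(("(options)", "high", "authoritative server also recurses;"
                                              " set recursion no or split the roles"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_NAMED_CONF), ("hardened", HARDENED_NAMED_CONF)):
        print(label, audit_named_conf(conf) or "no findings")
```

Generate the TSIG secret with BIND's `tsig-keygen` and configure the same key on each secondary; the zone-level allow-transfer overrides the global `none`, so only those secondaries can pull the zone, regardless of their source address.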

File and Print Servers

Require authentication for access.

Let users pause or cancel only their own print jobs.

Give users ACL permissions to their own folders and files, but no others.

Whenever possible, allow only read-only access to public folders.

Give read and write access only for group folders.

Be very cautious with execute permissions, because they mean different things on different platforms:

        • In Windows, denying the Execute (Traverse Folder / Execute File) permission on a file prevents it from being run as a program.
        • In Linux, the execute bit on a directory grants traversal: without it, users cannot enter the directory or open anything inside it, even if the read bit still lets them list the file names. The read bit alone is what controls listing.
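The Linux point is easy to get backwards, so here is an added demonstration (not from the page) that creates a temporary directory holding one file and tries to list and to open it under read-only, execute-only, and read+execute modes. The directory and file names are constructed; the demo cleans up after itself. It only proves anything as a non-root user on a POSIX system, since root bypasses these checks.

```python
"""What the read and execute bits on a directory actually gate on Linux/Unix:
r lets you list the names, x lets you traverse (open things inside)."""
import os
import shutil
import tempfile


def demo_is_meaningful():
    """False when root (bypasses permission checks) or not on a POSIX system."""
    return os.name == "posix" and hasattr(os, "geteuid") and os.geteuid() != 0


def _read(path):
    with open(path) as fh:
        return fh.read()


def _can(fn, arg):
    try:
        fn(arg)
        return True
    except PermissionError:
        return False


def directory_bit_effects():
    """Return {mode_label: (can_list_directory, can_open_file_inside)} for a
    directory holding one file, under r--, --x and r-x owner permissions."""
    base = tempfile.mkdtemp(prefix="perm-demo-")      # constructed scratch area
    shared = os.path.join(base, "shared")
    os.mkdir(shared)
    target = os.path.join(shared, "report.txt")
    with open(target, "w") as fh:
        fh.write("constructed sample content\n")
    results = {}
    try:
        for label, mode in (("r--", 0o400), ("--x", 0o100), ("r-x", 0o500)):
            os.chmod(shared, mode)
            results[label] = (_can(os.listdir, shared), _can(_read, target))
    finally:
        os.chmod(shared, 0o700)   # restore so cleanup can remove the file
        shutil.rmtree(base)
    return results


if __name__ == "__main__":
    if not demo_is_meaningful():
        print("run as a non-root user on Linux/Unix to see the difference")
    for label, (can_list, can_open) in directory_bit_effects().items():
        print(f"{label}: list names={can_list}  open file inside={can_open}")
```

As a non-root user the result is r--: list yes, open no; --x: list no, open yes; r-x: both yes. So "denying execute" on a shared folder does not merely stop listing; it stops users reaching any file inside it by name, which is usually the opposite of what a read-only public folder wants.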

DHCP Servers

Disable this service unless you specifically need it.

Keep DHCP servers patched.

Enable DHCP snooping on the access switches to exclude unauthorized (rogue) DHCP servers: only trusted switch ports, those leading to the real DHCP server, may send DHCP server messages such as OFFER and ACK, and such messages arriving on untrusted ports are dropped. This is a switch feature, not a setting on the DHCP server itself.

https://en.wikipedia.org/wiki/DHCP_snooping