CompTIA Security+ SY0-601 – 3.2 Implement host or application security solutions Part 1
March 30, 2023

1. Endpoint Protection

In this video I’m going to be talking about endpoint protection. So first of all, let’s talk about what endpoints are. Endpoints are basically any computer in your organization: every single computer in my organization, including the laptop in front of me, my desktop, and that computer over there. Every computer within the organization is a potential endpoint that can let malware, or malicious software, into your organization, and that includes desktops, laptops, tablets, phones and so on. So what we want is to be able to protect our endpoints. Remember, for your exam, when you think of endpoint protection, think of securing all computers in the organization with a suite of software, or a single piece of software that does it all.

That includes total protection against all malware. Now let’s go back 15 years. 15 years ago, when you were securing your computers, you would have had to install many different types of software in order to get good endpoint protection onto your devices: you would have to install a firewall, intrusion detection and prevention systems, antivirus and anti-malware software, and even some host-based DLP software. Basically you had to install four, five, or six pieces of software onto every single computer in order for these machines to be protected. And now we have endpoint protection. Endpoint protection software is basically a single piece of software that gives me all of what I just mentioned.

So when I say endpoint protection, we’re going to take one single piece of software, install it on all the hosts and all the clients within the organization, and it’s going to give us antivirus and anti-malware. Now there is a term called endpoint detection and response (EDR). That means that when the software detects some kind of intrusion or some kind of malware on the computer, it should be able not just to detect it, but to respond and eradicate it or quarantine it.

The next thing is they may have host-based DLP software on them, so they can detect if someone is trying to send out confidential information such as credit card or Social Security numbers. The next thing they’re going to have is firewalls, whether it’s a next-gen firewall or just a regular host-based firewall. Now, I know I have not gotten to these terms yet, such as next-gen firewalls or IPS and IDS, so just keep in mind that these are included in endpoint protection. I’m going to cover these a little bit later in the course. We’ll actually take a look; for example, this is a next-gen firewall sitting next to my network. These are going to be host-based devices. So here we go with host-based intrusion prevention systems and host-based IDS systems. This endpoint protection software has given me all of these things.

Now you do have the option of just going to each individual computer and installing individual software. For example, Windows comes with a decent set of tools: Windows Defender now includes antivirus and anti-malware, and the Windows Firewall is not so bad. It’s okay for something at home. But with endpoint protection software, we want to be able to monitor each computer from a centralized station. We want to have a server set up where I can deploy this endpoint protection software, and then go back and monitor these stations. So I have a few of these vendors that are very popular. I’ll start with the most popular one here. This is going to be Symantec Endpoint. I believe these people are the biggest player in this game right now. And this is a very good one; we use Symantec Endpoint Security. I’ve been using Symantec Endpoint Security for at least the last eight years on our computers at our physical locations. And basically you buy it as a package.

It comes with a bunch of licenses, then you install it on a server and deploy the clients to all the workstations, and it gives you everything: antivirus, anti-malware, firewalls, and IDS on all the computers in your network. So I think Symantec Endpoint Security is good. I’m not going to be biased and just give you one solution. Here’s another one that’s very good, that I thought is very good and I’ve tried this one out: Webroot. Webroot is very popular. This is their endpoint protection software. It comes with a great server console and a great host-based setup. You can really monitor things. It does pick up a lot of different intrusions. And another one is McAfee.

This one I have not tried, but I’ve had some students say that this is also very good. So McAfee Endpoint Security really helps to do the same thing as Symantec and Webroot; they’re all competitors, and they’re all going to be closely matched. But this one also includes a server management console. It’ll also allow you to have antivirus, anti-malware, firewall and IDS systems all built into one. Okay? So for your exam, please remember, endpoint protection means every computer in the organization is secured, and it has that suite of software that we need to keep our machines secure.

2. Boot integrity

In this video we’re going to be talking about boot integrity. Now one of the most dangerous things that can ever happen to a computer is if someone installs a rootkit into the UEFI or the BIOS of the computer. This allows them to take control from the lowest level of the actual machine, before the operating system even boots. So rootkits operate at this level. First of all, most of you, when you think of a virus, think of software that infects Windows or Linux. But there are viruses out there, especially rootkits, that infect the BIOS of the computer and give the attacker complete control of everything that’s running on top of it, including your operating system.

So we have some terms that we need to quickly run through. Your exam is not going to go in depth into these things, but you do need to know that they exist in order to help protect against these kinds of malware. Let’s take a look at what I’ve got here.

The first thing we’re going to talk about is what is known as boot security. For UEFI, this is going to be Secure Boot. The way this works is that it uses digital signatures. Basically you go into your UEFI and you enable Secure Boot. What it does is that it has a stored set of signatures, and if there are any modifications or changes, they have to be verified against those signatures. Remember, a digital signature contains a hash, so if there is any kind of modification, the verification against those digital signatures fails and it will not allow it. And if it does detect that, you know that the machine’s BIOS has been compromised.

The next one we’re going to talk about is something called measured boot. Measured boot basically stores what are called points in the TPM chip, the Trusted Platform Module chip that we generally use to do hard-drive-based encryption like BitLocker. What measured boot does is store these points. Now these points are basically hashes of the system, and if any type of modification or malware gets in there and changes the BIOS itself, you’ll be able to detect it.

The other one here is boot attestation. Basically this is third-party verification. These are going to be used mostly in IoT devices. When the system boots up, it also performs verification checks and sends the results off to a third party to be stored and verified. If the third party then reports that, hey, the machine has been compromised or something has changed since the last boot cycle, it’ll tell you what that is. Okay? So just know these things exist. They’re not going to go in depth on them for your exam, so you just want to be familiar with them, just in case you see a word or two pop up in a question here and there.
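Measured boot and attestation, as an added example that is not part of the course: a simulated TPM register extended with a hash of each boot stage (the images are constructed placeholders), a verifier that compares the reported value against a known-good one recorded at enrollment, and a replay of the event log that names the stage that changed. The extend rule `H(old || H(image))` follows how TPM PCRs work; the rest is a simplification.

```python
import hashlib

# Constructed boot chain: placeholder bytes standing in for the real
# firmware, bootloader and kernel images.
GOOD_BOOT_CHAIN = [
    ("uefi_firmware", b"UEFI firmware image v1.0"),
    ("bootloader", b"OS bootloader image v2.3"),
    ("kernel", b"OS kernel image 6.1"),
]

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def extend_pcr(pcr: bytes, measurement: bytes) -> bytes:
    # TPM-style extend: PCR_new = H(PCR_old || measurement). A PCR can only be
    # extended, never written directly, so the final value depends on every
    # stage and on the order in which the stages were measured.
    return sha256(pcr + measurement)

def measured_boot(chain):
    # Simulates one PCR that starts at all zeros and is extended per stage.
    # Returns the final PCR value and the event log of (stage, measurement).
    pcr = b"\x00" * 32
    log = []
    for name, image in chain:
        measurement = sha256(image)
        pcr = extend_pcr(pcr, measurement)
        log.append((name, measurement.hex()))
    return pcr, log

def attest(reported_pcr: bytes, golden_pcr: bytes) -> bool:
    # Verifier side of boot attestation: the reported PCR must equal the
    # known-good value recorded when the machine was enrolled.
    return reported_pcr == golden_pcr

def first_divergence(golden_log, reported_log):
    # Replays the event log to name the first stage whose measurement changed
    # (a rootkit in the bootloader shows up here), or None if nothing differs.
    for (g_name, g_hash), (_, r_hash) in zip(golden_log, reported_log):
        if g_hash != r_hash:
            return g_name
    return None

if __name__ == "__main__":
    golden_pcr, golden_log = measured_boot(GOOD_BOOT_CHAIN)
    tampered = list(GOOD_BOOT_CHAIN)
    tampered[1] = ("bootloader", b"OS bootloader image v2.3 + implant")
    pcr, log = measured_boot(tampered)
    print("clean boot attests:", attest(golden_pcr, golden_pcr))
    print("tampered boot attests:", attest(pcr, golden_pcr))
    print("first changed stage:", first_divergence(golden_log, log))
```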

3. Databases

In this video we’re going to be talking about databases, and particularly a few things you can do in order to help secure your databases. So let’s get something straight: databases are not security objects. Databases need to be secured. Databases will not help you secure anything. So we have to implement things to secure our databases, and that’s what we’re going to talk about. A few different things. Some of these things here we basically talked about already; we’re just putting them together quickly. So the first thing we’ll talk about is something called tokenization. This is something that I had mentioned.

Where is this pen here today? Where is my pen? Here we go. Okay, so tokenization, this is something that I mentioned earlier in the class. First of all, what exactly is a token? A token basically represents data, generally user authentication information, as a random set of digits or characters. So let’s say my username is Andy and my password is password. We could make a token of this, and this token represents it. So there is a link between this token and the username and password. Now I can use this token to log into other systems, and the database basically says, hey, I know that token, that token belongs to Andy, let him in. As long as the token characters match, the system will let me in.

So that’s tokenization. The other one we want to mention is called salting. If you remember from the cryptography section, we talked about password salting. Salting basically adds a random set of characters, generally to a password, before you hash it, increasing the complexity of your password. So salting is generally what you’re going to use for what is stored in your databases, especially when storing your passwords. And the other one is hashing. Now, database hashes: this is really done when indexing databases. Databases have tables with a whole bunch of records inside of them, and trying to sort those records can sometimes be difficult. So what they do is create hashes of the records. Because the hash is much smaller than the entire index key, it is a lot quicker to sort, index and store information about your databases. Okay, these are just a few database terms that we need to know for our exam. Let’s keep going.
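Salting and tokenization, as an added example that is not from the course: a salted password hash (PBKDF2-HMAC-SHA256, an assumed choice) with a verify function, and a small token vault where the database keeps only a random token in place of the sensitive value. The iteration count and the sample card number are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Assumption for this example: PBKDF2-HMAC-SHA256 with a fixed work factor.
PBKDF2_ITERATIONS = 200_000

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    # Salting: a fresh random salt per password, stored next to the hash.
    # Two users with the same password therefore get different stored hashes,
    # and a table precomputed for one salt is useless against any other.
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    # Re-derive with the stored salt and compare in constant time.
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)

class TokenVault:
    # Tokenization: the application database keeps only a random token that
    # stands in for the sensitive value (card number, SSN). The token -> value
    # mapping lives in this separately protected vault, nowhere else.
    def __init__(self) -> None:
        self._vault: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        token = secrets.token_hex(16)   # random, so nothing about the value leaks
        self._vault[token] = value
        return token

    def detokenize(self, token: str) -> Optional[str]:
        # Only callers with access to the vault can get the real value back.
        return self._vault.get(token)

if __name__ == "__main__":
    salt, digest = hash_password("password")
    print("verify correct:", verify_password("password", salt, digest))
    print("verify wrong:", verify_password("Password", salt, digest))
    vault = TokenVault()
    token = vault.tokenize("4111111111111111")  # constructed test card number
    print("stored in app database:", token)
    print("vault lookup:", vault.detokenize(token))
```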

4. Application Security

In this video, I’m going to be talking about application security and a variety of different things we should know, not just for the exam, but when it comes to application programming. As an administrator, these are things that you should know when you’re speaking with programmers. You want to be able to understand what they’re talking about, and you want to make sure that when they build their applications, some of these things are in there. Let’s get started. Now, some of these things, by the way, I mentioned already as I went through some of the attack sections in the course.

So let’s take a look here at a whole bunch of terms. The first thing we’re going to have is input validation. Input validation, if you can remember, is when you build an application, the fields within it, whether it’s the search field on Amazon or when I try to sign in, ensure that they don’t take all types of information. So if I come in here and I type in an invalid email address and I say continue, it says, hey, we can’t find that, that’s not a valid email address. You may see some things like that. Remember what input validation does. I can show you here on the T Iedu. com website if I go to Contact Us.

So if I go in here and I put in a name, and it’s not a valid email, I’m just going to put some text in here and try to send it. Notice that it’s saying, hey, that’s not a valid email address. So this is input validation. You can also see that if I come here, it limits how many characters we can type in there. This is also input validation. Basically what you’re doing is limiting and validating the inputs that users put into fields. Now remember, input validation can solve things like cross-site scripting, buffer overflows, SQL injection, or different forms of injection attacks; that is what you would use input validation for. Okay, the next thing here I have is secure cookies.
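Input validation for a contact form like the one just described, as an added example that is not the course’s or the website’s own code; the field names, the length limits and the allow-list for names are assumptions for the example.

```python
import re
from typing import Dict, List

# Assumed field limits for the constructed contact form.
MAX_NAME = 60
MAX_MESSAGE = 500
# Allow-list for a name: letters, spaces, apostrophes and hyphens only.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z' \-]*")
# Simplified e-mail shape check: local part, one '@', a domain with a dot.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")

def validate_contact_form(form: Dict[str, str]) -> List[str]:
    # Returns the list of validation errors; an empty list means the input
    # passed. Every field is checked for presence, length and allowed shape
    # before anything downstream (database, HTML page) ever sees it.
    errors = []
    name = form.get("name", "").strip()
    email = form.get("email", "").strip()
    message = form.get("message", "")
    if not name:
        errors.append("name: required")
    elif len(name) > MAX_NAME:
        errors.append(f"name: longer than {MAX_NAME} characters")
    elif not NAME_RE.fullmatch(name):        # e.g. "<script>" is rejected here
        errors.append("name: contains characters that are not allowed")
    if not EMAIL_RE.fullmatch(email):
        errors.append("email: not a valid email address")
    if not message.strip():
        errors.append("message: required")
    elif len(message) > MAX_MESSAGE:         # the character limit on the form
        errors.append(f"message: longer than {MAX_MESSAGE} characters")
    return errors

if __name__ == "__main__":
    # Constructed submissions: one valid, one with a bad email.
    print(validate_contact_form({"name": "Andy", "email": "andy@example.com",
                                 "message": "Hello"}))
    print(validate_contact_form({"name": "Andy", "email": "not an email",
                                 "message": "Hello"}))
```

Validation rejects unexpected shapes up front; the fields that pass still need parameterized queries and output encoding downstream, since validation alone is not the whole defense against injection and cross-site scripting.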

So cookies are what web applications are going to be using to keep track of what you’re doing, such as when you log in, what products you put in a shopping cart, what different pages you’ve been to, and what you clicked on. So this is going to have some PII, or personally identifiable information, associated with it. You want to be able to secure those cookies so people can’t sniff out the cookies or modify them, by doing things like using SSL encryption. Now the other thing here I have is what’s known as HTTP headers. For HTTP headers, I’ve got a link here that I can show you what this is. I’m not a code person, so I don’t like writing code. Here’s an article I got here, HTTP Headers for Dummies. And this is code trust, by the way. You can get this by just searching for HTTP headers example.

I just wanted an example to show you what these look like. HTTP headers are basically at the top of the exchange for your web page. The client basically says, hey, I need a web page, and the server responds back to you. Here’s an example. This is the GET request that says, hey, I want to get a particular web page from this particular website. Then the server says, oh, that’s the web page you want, and responds back. So that’s HTTP headers. You want to make sure that these are written well and are secure. Now, code signing. When application programmers write code, what they can do is digitally sign the code. Now you’ve got to remember digital signatures, which we talked about earlier in the class.

If you remember, digital signatures allow us to take a hash of the data and then encrypt that hash with our private key. This is done to ensure that when you receive code from someone, you know who it came from and that it was never modified. So let’s say malware got into someone’s code and changed it to include malicious attacks on you. Well, if the code was signed, now the signature is invalid and you’ll be able to detect that. So code signing is a good practice when it comes to following good secure programming. Another thing we can do in organizations today is whitelisting and blacklisting. Understand these terms.
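The secure cookie and HTTP header points above, as an added example that is not from the course: a Set-Cookie builder with the Secure, HttpOnly and SameSite attributes, and an audit function that reports missing protective response headers and missing cookie flags. The baseline header list is an assumption for the example.

```python
from typing import List, Tuple

def secure_set_cookie(name: str, value: str, max_age: int = 3600) -> str:
    # Session cookie with the three protective attributes: Secure (sent only
    # over HTTPS, so it cannot be sniffed in the clear), HttpOnly (not readable
    # by page scripts) and SameSite=Strict (not sent on cross-site requests).
    return f"{name}={value}; Max-Age={max_age}; Path=/; Secure; HttpOnly; SameSite=Strict"

# Response headers an HTTPS site should send, and why (assumed baseline).
REQUIRED_HEADERS = {
    "strict-transport-security": "forces HTTPS on later requests",
    "content-security-policy": "restricts where scripts may load from",
    "x-content-type-options": "stops MIME-type sniffing",
    "x-frame-options": "blocks framing (clickjacking)",
}

def audit_response_headers(headers: List[Tuple[str, str]]) -> List[str]:
    # Takes (name, value) pairs as a web server emits them (so several
    # Set-Cookie headers are possible) and returns findings; [] means clean.
    findings = []
    names = {name.lower() for name, _ in headers}
    for header, why in REQUIRED_HEADERS.items():
        if header not in names:
            findings.append(f"missing {header} ({why})")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name}: missing Secure flag")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name}: missing HttpOnly flag")
        if not any(a.startswith("samesite=") for a in attrs):
            findings.append(f"cookie {cookie_name}: missing SameSite attribute")
    return findings

if __name__ == "__main__":
    # Constructed response: a bare session cookie and no protective headers.
    for finding in audit_response_headers([("Set-Cookie", "session=abc123; Path=/")]):
        print(finding)
```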

Application whitelisting is when the organization has a policy that says those applications are allowed and nothing else is. So whitelisting is deny by default. What that means is, hey, you can install only those apps. You can only install Microsoft Office and Adobe PDF Reader, and everything else is denied. Blacklisting is less restrictive. This is called default allow, because with that one you’re saying you cannot install those apps, but then everything else is allowed. So they may say, well, you can install Microsoft Office as your office application, so we blacklist Microsoft Office, but then you’re allowing every other version of an office product on your computer. Blacklisting is not restrictive; blacklisting allows you to install more things. Of course, in security we want the most restrictive option, so we’ll go with whitelisting. The other thing here we have is secure coding practices. Now I did find a great article on this, and there are so many articles.

This is one from WhiteSource Software, and to get this one here, what I did was just Google secure coding practices. There are so many different ones that I went through, and this one I thought did the best. When programmers are programming an application, you want them to follow good principles when it comes to programming their application. Now you as a security administrator may not go out and program the app for them, and a security analyst is not going to go out and program the app for them, but you’re going to make sure that they’re following good coding practices. So number one, don’t trust the users, right? You don’t want to trust users. You want to be able to implement things into the application to keep it secure. So that’s input validation. Keep it simple.

The simpler your code is, the easier it is to look at, the easier it is to implement, and of course the easier it is to secure. Automation: the more we automate and the fewer things we do manually, the fewer vulnerabilities there could be. Threat modeling: a threat model is what you’re going to do to help find things in your code that attackers can exploit to take advantage of your software. And of course, make sure you’re using the right cryptographic algorithms and the right cryptographic processes in the application. We take cryptography for granted in applications. But remember, somebody had to program those steps in there. Somebody had to determine what algorithm to use, when to use it and how to use it. So if the programmers weren’t doing that correctly, we as administrators think, oh, it’s encrypted. But who’s to say it was programmed correctly? Who’s to say the encryption was programmed correctly? So as a good secure coding practice, we want to make sure they follow good practice and get those algorithms correct.

Okay, so they have five things there that I just quickly wanted to go through. So let’s talk about what is considered static and dynamic code analysis. Static code analysis, also known as static testing, is when you’re reviewing and analyzing the code by looking at the source code. Static code testing is generally done using an automated tool. Basically, the tool reviews the source code of the application and sees if there are any bad coding practices or places where the code has errors. Then you have what’s called manual code review. So static code analysis is more of an automated process, but then you have humans reviewing the code, looking for things like backdoors or problems that can arise later because of malware injected into the code.

So manual code review is more for humans going through it. Then dynamic code analysis is when you’re running the code. Dynamic analysis is running the actual software in a runtime environment and then analyzing the software as it’s being run. Take, for example, I have PowerPoint running here, and OneNote running here. I can then go in and change, manipulate and test this application because it’s running; the code is being executed. Now the other one here is fuzzing, or a fuzzer. So let’s say you build an application and the application is done.

What happens if I inject random data into this application? What happens? Does it crash? Does it get corrupted? Does nothing happen? We need to find that out. So a fuzzer is basically software that injects random or semi-random data into an application to see how it responds. Now, ideally, nothing will happen. Ideally it’ll take it just fine and just keep on going. Worst case scenario, it crashes or corrupts the application. So fuzzing is a common security test that’s done in application security. Okay, so these are some things here that we should be familiar with. You may see some words pop up here and there on your exam. I’m not going to go in depth; this is not an application security exam. They’re not going to go in depth into this, but just make sure to review the terms so you better understand what they are.
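Fuzzing as described above, as an added example that is not from the course: a constructed record parser with a deliberate missing bounds check, a mutation-based fuzzer that feeds it semi-random inputs derived from one valid record and records every crash, and the same parser with the check added, against which the fuzzer finds nothing. The record format and the mutation operators are assumptions for the example.

```python
import random
from typing import Callable, List, Tuple

def xor_all(b: bytes) -> int:
    # Checksum used by the constructed record format.
    x = 0
    for byte in b:
        x ^= byte
    return x

def make_record(payload: bytes) -> bytes:
    # Builds a valid record: 1-byte length, payload, 1-byte XOR checksum.
    return bytes([len(payload)]) + payload + bytes([xor_all(payload)])

def parse_record(data: bytes):
    # Constructed target, deliberately buggy: the declared length is trusted
    # without checking it against the data present, so an oversized length
    # indexes past the end of the buffer.
    if len(data) < 2:
        return None                        # too short: cleanly rejected
    length = data[0]
    payload = data[1:1 + length]
    checksum = data[1 + length]            # IndexError when length is too big
    return payload if checksum == xor_all(payload) else None

def parse_record_fixed(data: bytes):
    # Same parser with the missing bounds check added.
    if len(data) < 2 or 1 + data[0] >= len(data):
        return None                        # declared length exceeds the data
    length = data[0]
    payload = data[1:1 + length]
    return payload if data[1 + length] == xor_all(payload) else None

def mutate(rng: random.Random, seed: bytes) -> bytes:
    # Semi-random input: start from a valid record, apply one small mutation.
    data = bytearray(seed)
    op = rng.choice(("flip", "insert", "delete"))
    if op == "flip":
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif op == "insert":
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    elif len(data) > 1:                    # delete, but never empty the input
        del data[rng.randrange(len(data))]
    return bytes(data)

def fuzz(target: Callable[[bytes], object], seed: bytes, iterations: int,
         rng_seed: int = 1) -> List[Tuple[str, bytes]]:
    # Feeds mutated inputs to the target and records each input that makes it
    # raise instead of returning; a fixed RNG seed keeps runs reproducible.
    rng = random.Random(rng_seed)
    crashes = []
    for _ in range(iterations):
        data = mutate(rng, seed)
        try:
            target(data)
        except Exception as exc:           # any uncaught exception is a crash
            crashes.append((type(exc).__name__, data))
    return crashes
```

Running `fuzz(parse_record, make_record(b"hello"), 2000)` turns up IndexError crashes within a few hundred iterations, while the same run against `parse_record_fixed` returns an empty list; each crashing input is kept so the bug can be reproduced.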
