Chapter 9 - 04 - Application Security Testing Techniques and Tools - 03_ocred_fax_ocred.pdf

Full Transcript


Certified Cybersecurity Technician Exam 212-82 Application Security

Application Blacklisting

Application blacklisting is a security practice that prepares a list of undesirable applications (the blacklisted applications) and prevents their execution. The approach is threat centric: by default it allows every application that is not on the blacklist to run, so to block a program or application the security professional must add it to the blacklist. Knowledge of the threats associated with a program or application is required before it can be blacklisted.

Figure 9.13: Blacklisting approach (decision flow: an application is launched; Is Application on Blacklist? If yes, Deny (Do Not Run the Application); if no, Allow By Default (Run the Application))

Module 09 Page 1199 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Most antivirus programs, spam filters, and other intrusion prevention or detection systems (IDS/IPS) use the blacklisting method. A blacklist often comprises malware signatures, users, IP addresses, applications, email addresses, domains, etc.
Advantages of Application Blacklisting

Application blacklisting provides security professionals and organizations the following benefits.

- It is simple to implement. A blacklist simply identifies the blacklisted applications, denies them, and allows every application not on the list to execute.
- Blacklists need little maintenance, since the security software compiles the lists itself and rarely asks users for input.

Disadvantages of Application Blacklisting

The following are some of the disadvantages of implementing application blacklisting.

- A blacklist cannot be comprehensive, and its effectiveness is limited because the number of different and complex threats is continuously increasing. Sharing threat information between organizations can help make application blacklisting more effective.
- Blacklisting handles known attacks well but cannot protect against zero-day attacks. If an organization is the first target of a new threat, blacklisting cannot stop it.
- Occasionally, attackers craft malware specifically to evade the detection that feeds blacklisting tools. In these cases the malware is never recognized and therefore never added to the blacklist.
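The decision flow of Figure 9.13 and the evasion cases listed above, as an added PowerShell example that is not part of the EC-Council module: it evaluates a blacklist keyed by file name, a blacklist keyed by SHA-256 hash, and an allowlist keyed by hash against four constructed "files". Every file name, byte content and list entry below is made up for the example; a real tool would hash binaries on disk with Get-FileHash instead of hashing in-memory byte arrays.

```powershell
# Added example (not from the EC-Council module). Models the allow-by-default blacklist
# of Figure 9.13 next to a default-deny allowlist, using constructed sample "binaries".

function Get-ContentHash {
    # SHA-256 of a byte array as an uppercase hex string (stand-in for Get-FileHash on real files).
    param([byte[]]$Bytes)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { [System.BitConverter]::ToString($sha.ComputeHash($Bytes)) -replace '-', '' }
    finally { $sha.Dispose() }
}

# Constructed samples: a known malware binary, the same bytes under a new name,
# a never-before-seen binary (the zero-day case) and an approved business application.
$knownMalware   = @{ Name = 'mimikatz.exe'; Bytes = [Text.Encoding]::ASCII.GetBytes('MALWARE-SAMPLE-A') }
$renamedMalware = @{ Name = 'notepad.exe';  Bytes = [Text.Encoding]::ASCII.GetBytes('MALWARE-SAMPLE-A') }
$zeroDay        = @{ Name = 'updater.exe';  Bytes = [Text.Encoding]::ASCII.GetBytes('MALWARE-SAMPLE-B') }
$approvedApp    = @{ Name = 'excel.exe';    Bytes = [Text.Encoding]::ASCII.GetBytes('OFFICE-BINARY') }

# Blacklist (threat centric): only what the defender already knows about goes on the list.
$blacklistNames  = @('mimikatz.exe')
$blacklistHashes = @((Get-ContentHash $knownMalware.Bytes))

# Allowlist (AppLocker-style): only approved hashes may run; everything else is denied.
$allowlistHashes = @((Get-ContentHash $approvedApp.Bytes))

function Test-Blacklist {
    # Allow by default; deny only when the name (or, with -ByHash, the content hash) is listed.
    param($App, [switch]$ByHash)
    $key  = if ($ByHash) { Get-ContentHash $App.Bytes } else { $App.Name }
    $list = if ($ByHash) { $blacklistHashes } else { $blacklistNames }
    if ($list -contains $key) { 'Deny' } else { 'Allow' }
}

function Test-Allowlist {
    # Deny by default; allow only when the content hash is on the approved list.
    param($App)
    if ($allowlistHashes -contains (Get-ContentHash $App.Bytes)) { 'Allow' } else { 'Deny' }
}

$results = foreach ($app in @($knownMalware, $renamedMalware, $zeroDay, $approvedApp)) {
    [pscustomobject]@{
        File            = $app.Name
        BlacklistByName = Test-Blacklist $app
        BlacklistByHash = Test-Blacklist $app -ByHash
        AllowlistByHash = Test-Allowlist $app
    }
}
$results | Format-Table -AutoSize
```

The resulting table makes the three disadvantages concrete: the known sample is denied by every method; the renamed copy slips past the name-based blacklist but not the hash-based one; the never-seen binary passes both blacklists, and only the default-deny allowlist stops it while still letting the approved application run. The price of the allowlist is that every approved hash has to be maintained, which is the maintenance trade-off the advantages section describes.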
Using AppLocker for Application Whitelisting

AppLocker is an in-built Windows security component that controls which applications (executables, scripts, Windows Installer files, dynamic-link libraries (DLLs), and packaged apps) users can run. When AppLocker rules are enforced, any app not covered by an allow rule is prevented from running, which makes it a whitelisting (default-deny) control, the inverse of the blacklisting approach described above. The default executable rules are based on folder paths, and all files under those paths are allowed. Group Policy can be used to apply the same AppLocker rules to every computer in a domain.
Figure 9.14: AppLocker for application whitelisting (Local Security Policy > Security Settings > Application Control Policies > AppLocker). The Getting Started pane reads: "AppLocker uses rules and the properties of files to provide access control for applications. If rules are present in a rule collection, only the files included in those rules will be permitted to run. AppLocker rules do not apply to all editions of Windows. For the AppLocker policy to be enforced on a computer, the Application Identity service must be running. Use the enforcement settings for each rule collection to configure whether rules are enforced or audited only. If enforcement is not configured, rules will be enforced."

Figure 9.15: Generate an executable rule automatically. Under Application Control Policies > AppLocker > Executable Rules (initially "There are no items to show in this view"), the right-click menu offers Create New Rule..., Automatically Generate Rules..., and Create Default Rules.

Figure 9.16: App gets blocked. Once rules are enforced, a user launching an application not covered by an allow rule sees the message "This app has been blocked by your system administrator. Contact your system administrator for more info."
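The sequence the screenshots walk through (start the Application Identity service, create the default executable rules, automatically generate rules for an application folder, apply the policy, and see an unapproved app blocked), as an added PowerShell script that is not part of the EC-Council module. It uses the AppLocker module cmdlets Get-AppLockerFileInformation, New-AppLockerPolicy, Set-AppLockerPolicy, Get-AppLockerPolicy and Test-AppLockerPolicy. The application directory C:\Program Files\ContosoApp, the policy files under C:\Temp and the two file paths handed to Test-AppLockerPolicy are placeholders for this example. The Exe rule collection is written in AuditOnly mode, so nothing is blocked until EnforcementMode is changed to Enabled.

```powershell
# Added example (not from the EC-Council module). Builds the AppLocker allowlist the slides
# create by hand: the three default executable path rules plus publisher/hash rules for one
# application folder, applied in AuditOnly first. Run from an elevated PowerShell session.
# Assumptions: $AppDir exists and holds the application's .exe files; $PolicyPath is writable.
#Requires -RunAsAdministrator
Import-Module AppLocker

$AppDir     = 'C:\Program Files\ContosoApp'   # placeholder application folder
$PolicyPath = 'C:\Temp\AppLocker-Exe.xml'      # placeholder output location
$OutDir     = Split-Path $PolicyPath
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. AppLocker only enforces while the Application Identity service runs. It is a protected
#    service, so its start type is set with sc.exe rather than Set-Service.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 2. The three "Create Default Rules" path rules for the Exe collection (Figure 9.15) as
#    AppLocker policy XML. S-1-1-0 is Everyone, S-1-5-32-544 is BUILTIN\Administrators.
function New-PathRuleXml {
    param([string]$Name, [string]$Path, [string]$Sid)
    @"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="Allow">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

$defaultRules = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$(New-PathRuleXml -Name '(Default Rule) All files located in the Program Files folder' -Path '%PROGRAMFILES%\*' -Sid 'S-1-1-0')
$(New-PathRuleXml -Name '(Default Rule) All files located in the Windows folder' -Path '%WINDIR%\*' -Sid 'S-1-1-0')
$(New-PathRuleXml -Name '(Default Rule) All files' -Path '*' -Sid 'S-1-5-32-544')
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $PolicyPath -Value $defaultRules -Encoding UTF8

# 3. "Automatically Generate Rules": inspect every .exe under the folder, prefer a publisher
#    rule where the file is signed and fall back to a hash rule where it is not.
$appRulesPath = Join-Path $OutDir 'ContosoApp-Rules.xml'
Get-AppLockerFileInformation -Directory $AppDir -Recurse -FileType Exe |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -RuleNamePrefix ContosoApp -Optimize -Xml |
    Set-Content -Path $appRulesPath -Encoding UTF8

# 4. Apply both to the local computer. -Merge keeps rules already present; the default-rule
#    file goes last so its AuditOnly enforcement mode is what ends up in effect.
Set-AppLockerPolicy -XmlPolicy $appRulesPath -Merge
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge

# 5. Dry-run the effective policy against files before switching to Enabled: the approved
#    application should come back Allowed, a download in the user profile Denied.
$effectivePath = Join-Path $OutDir 'Effective.xml'
Get-AppLockerPolicy -Effective -Xml | Set-Content -Path $effectivePath -Encoding UTF8
Test-AppLockerPolicy -XmlPolicy $effectivePath -User Everyone -Path @(
    (Join-Path $AppDir 'ContosoApp.exe'),
    "$env:USERPROFILE\Downloads\unknown-tool.exe"
) | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 6. In AuditOnly, event 8003 in the AppLocker EXE and DLL log records each file that would
#    have been blocked; event 8004 is the block behind the Figure 9.16 message once enforced.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Switch EnforcementMode to Enabled only after the 8003 audit events stop surfacing legitimate software. Two checks are worth making before that: confirm the Application Identity service is running (Get-Service AppIDSvc), because without it the rules are present but not enforced, and remember that path rules are only as strong as the ACLs beneath them; the default %WINDIR%\* rule also allows anything a user drops into a writable subfolder such as C:\Windows\Tasks, so publisher or hash rules are preferable wherever the application supports them.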
