Chapter 9 - 04 - Application Security Testing Techniques and Tools - 03_ocred_fax_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Exam 212-82
Application Security

Application Blacklisting
Application blacklisting is a security practice to prepare
Blacklisting Approach
a list of undesirable applications (blacklisted
applications) and prevent their execution
A
—»l /\/
—» Threat Centric

©
It automatically allows access to all applications
other than the blacklisted applications ‘ Allow By Default (Run the
the Application)

Is Allow
The blacklisting approach is implemented by most Application (Run the
on Blacklist? Application)
antivirus programs, IDS/IPS, and spam filters

Knowledge of the threats associated with programs
or applications is required to prepare an application Deny
(Do Not Run the
blacklist Application)

Copyright
Copyright ©© by
by EECC- HIl. All Rights Reserved. Reproduction is Strictly Prohibited

Application Blacklisting
Application blacklisting is a security practice of blocking the running and execution of a list of
undesirable programs. Application blacklisting is threat centric. By default, it allows all
applications that are not in the blacklist to be executed. To block any program or application,
the security professional must add it in the application blacklist.

@ _I——»
_|—> Threat Centric
o~
% - b
RS ma—
—
Allow By Default (Run the Application)

Is Allow
Application (Run the
on Blacklist? Application)

Deny
(Do Not Run the
Application)

Figure 9.13: Blacklisting approach

Module 09 Page 1199 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Application Security

Most antivirus programs, spam filters and other intrusion prevention or detection systems use
the application blacklisting method. A blacklist often comprises malware, users, IP addresses,
applications, email addresses, domains, etc. Knowledge of the threats associated with programs
or applications is required to prepare an application blacklist

Advantages of Application Blacklisting

Application blacklisting provides security professionals and organizations the following benefits.
= |tis simple to implement. A blacklist simply identifies the blacklisted applications, denies
them access, and allows the execution of all other applications not in the blacklist.
= Blacklists need low maintenance since the security software compiles lists and do not
ask users for inputs often.
Disadvantages of Application Blacklisting
The following are some of the disadvantages of implementing application blacklisting.
= A blacklist cannot be comprehensive, and the effectiveness of a blacklist is limited as the
number of different and complex threats is continuously increasing. Sharing threat
information can help make application blacklisting more effective.
= Blacklisting can tackle known attacks well but will not be able to protect against zero-
day attacks. If an organization is the first target of new threats, blacklisting cannot stop
them.

= QOccasionally, hackers create malware to evade detection using blacklisting tools. In
these cases, blacklisting fails to recognize the malware and add it to the blacklist.

Module 09 Page 1200 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Application Security

Using AppLocker for Application Whitelisting
Q AppLocker is a Windows in-built security component used to control applications (executables, scripts,
Windows Installer files, and dynamic-link libraries (DLLs)) users can run
O The default executable rules are based on folder paths, and all files under those paths will be allowed
Q Group Policy AppLocker can be used to set rules for applications in a domain

i Local Secunity Palicy
Fle Acten View Help

s a2 Em
Conttion taceptin]
T Securey Settings
»h Accours Polees
s Local Pobeies
s LD Windows Defender Frewal with Adve | | Getting Staried
1 etk Lat Manages Povcies
> [ »
Publc Key Palicies Actlocherbyuses fubes and e frogetes
~r of lies 1o friwde accen contrslfor
becten e e Thes ribsded n Pese
L Setmamre Bestnction Peiscies vy 16 ol ectern of Hirdews
v Aggheaton Contrel Poloes
T Appiocker
» B 1P Security Peficieson Lecal Compute B Mo ot Kplocker
» L2 &dvanced Aude Pobcy Contiguration B Wt ections of Windows siggot KoLocke? B8 sty Pobom
T mdametdap B Vew
Cemfigure Fude Enforcemert gt Lt
For e goLocker pocy 10 b erforomd on 8 computer e pkcation Bpsmmedy geerend
Vsectly secvce rud be arveny

e e erfoecermt o
eetorond
o qudtnd ¥
ty detak
administrator
[ o pyape—
€3 Mo st e erforcmment

Copyright © by Al Rights Reserved. Reproduction is Strictly Prohibited

Using AppLocker for Application Whitelisting
AppLocker is an in-built Windows security component that can be used to control which
applications users can run. When AppLocker rules are enforced, apps excluded from the list of
allowed apps are prevented from running. The files include executables, Windows Installer files,
and dynamic-link library (DLL) files. The default executable rules are based on paths, and all files
under those paths are allowed. Group Policy AppLocker is used to set rules for applications in a
domain.

Module 09 Page 1201 Certified Cybersecurity Technician Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Application Security

55 Local
Local Security
Security Policy
Policy
File Action View Help
L=
Aol 7 Ho
2@ Em
?:::?of::’::l‘icis
?::?osu:::;cies lF ApplLocker provides access control for applications

> 4
[@ Local Policies
>> ||1] Windows
Windows Defender
Defender Firewall
Firewall with
with Adve
Adve
[0 Network List Manager Policies
> @
[ Key Policies
Public Key AppLocker uses rules and the
the properties of files toto provide access control for....- applcations. ¥ rnules
applications. nies are present
present in a nule
rule collection, only the
the files included in those
»» [[ Software
Software Restriction
Restriction Policies
Policies nules will
rules will bebe permitted
permitted toto run. AppLocker ndes
run. AppLocker es dodo notnot apply
apply toto alaf ediions
edtions ofof Windows.
Windows.
v [
|| Application Control Policies
>> [{3 Applocker
Applocker
> &,
& IP Security Policies on Local Computel|
Compute|| | BB3 More sbout Applocker
» [ Advanced Audit Policy Configuration n Which edtions of Windows support AppLocker?
Applocker?
== -L
Forthe AppLocker policy
policy 1oto be enforced on a& computer, the Application
Application
Identity service must be running.
running.

Use the erforcement settings
settings for each rule collection to corfigure whether niles are
are
m«w.rmmmmm
;im«w,lmmn-mm rfigured,
réfigured, nies
wil be enforced

a Configure rule
nie enforcement

u More about rule enforcement

Figure 9.14: AppLocker for application whitelisting

ilif
Local Security Policy - ] X
File Action View Help

eo aml ==
2m BEm
T Security
Security Settings Action User Name Condition Exceptior
> [|44 Account Policies
|4 Local Policies
> [a items to show in this view.
There are no items
»> |1
] Windows Defender FirewallFirewall with
with Adv:
Adv:
[ Network List Manager Policies
> [ Public Key Policies
» [ Software Restriction Policies
vv ()| Application
Application Control
Control Policies
Policies
v fi [T§ Applocker
5> [[# Executable Prtar
Pritar
> [
() Windows
Windows Ir Create New
Create New Rule...
Script Rulet
> 5] Rule: Automatically Generate Rules...
Automatically
> [B Packegeda
Packageda Create Default Rules
> &,
8, IP Security Policies
>» [(1 Advanced Audit P« View
View >

| Automatically
Automatically generate
generate rul Helo
Helo
"

Figure 9.15: Generate an executable rule automatically

This app has been blocked by your system
administrator.
tem administrator for more in

Copy to clipboard

Figure 9.16: App gets blocked

Module 09 Page 1202 Certified Cybersecurity Technician Copyright © by EC-Gouncil
EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.