Chapter 9 - 04 - Application Security Testing Techniques and Tools - 03_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Application Security Exam 212-82 Application Blacklisting Application blacklisting is a security practice to prepare a list of undesirable applications (blacklisted applications) and prevent their execution © Blacklisting Approach A —»l /\/ Threat Centric It automatically allows access to all applications other than the blacklisted applications ‘ Allow By Default (Run the Application) Is The blacklisting approach is implemented by most Application on Blacklist? antivirus programs, IDS/IPS, and spam filters Knowledge of the threats associated with programs or applications is required to prepare an application Allow (Run the Application) Deny (Do Not Run the Application) blacklist Copyright © by EC- Il All Rights Reserved. Reproduction is Strictly Prohibited Application Blacklisting Application blacklisting is a security practice of blocking the running and execution of a list of undesirable programs. Application blacklisting is threat centric. By default, it allows all applications that are not in the blacklist to be executed. To block any program or application, the security professional must add it in the application blacklist. @ o~ _I——» - b Threat Centric ma— Allow By Default (Run the Application) Allow Is Application on Blacklist? (Run the Application) Deny (Do Not Run the Application) Figure 9.13: Blacklisting approach Module 09 Page 1199 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Application Security Exam 212-82 Most antivirus programs, spam filters and other intrusion prevention or detection systems use the application blacklisting method. A blacklist often comprises malware, users, IP addresses, applications, email addresses, domains, etc. Knowledge of the threats associated with programs or applications is required to prepare an application blacklist Advantages of Application Blacklisting Application blacklisting provides security professionals and organizations the following benefits. = |tis simple to implement. A blacklist simply identifies the blacklisted applications, denies them access, and allows the execution of all other applications not in the blacklist. = Blacklists need low maintenance since the security software compiles lists and do not ask users for inputs often. Disadvantages of Application Blacklisting The following are some of the disadvantages of implementing application blacklisting. = A blacklist cannot be comprehensive, and the effectiveness of a blacklist is limited as the number of different and complex threats is continuously increasing. Sharing threat information can help make application blacklisting more effective. = Blacklisting can tackle known attacks well but will not be able to protect against zero- day attacks. If an organization is the first target of new threats, blacklisting cannot stop them. = QOccasionally, hackers create malware to evade detection using blacklisting tools. In these cases, blacklisting fails to recognize the malware and add it to the blacklist. Module 09 Page 1200 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Application Security Exam 212-82 Using AppLocker for Application Whitelisting Q AppLocker is a Windows in-built security component used to control applications (executables, scripts, Windows Installer files, and dynamic-link libraries (DLLs)) users can run O The default executable rules are based on folder paths, and all files under those paths will be allowed Q Group Policy AppLocker can be used to set rules for applications in a domain i Local Secunity Palicy Fle Acten s View a2 Help Em Conttion T Securey Settings »h L v taceptin] Accours Polees s s LD 1 > [ Local Pobeies Windows Defender Frewal with Adve | | Getting Staried etk Lat Manages Povcies » Actlocherby uses fubes and e frogetes Publc Key Palicies ~r of lies 1o friwde accen contrslfor becten e e Thes ribsded n Pese Setmamre Bestnction Peiscies vy 16 ol ectern of Hirdews Aggheaton Contrel Poloes T Appiocker » B 1P Security Peficies on Lecal Compute » L2 &dvanced Aude Pobcy Contiguration B Mo ot Kplocker B Wt ections of Windows siggot KoLocke? B8 sty Pobom T mdametdap B Cemfigure Fude Enforcemert For e goLocker pocy 10 b erforomd on 8 computer Vsectly secvce rud e e erfoecermt eetorond o qudtnd ¥ be arveny e pkcation Bpsmmedy geerend Vew gt Lt o ty detak administrator [ o pyape— €3 Mo st e erforcmment Copyright © by Al Rights Reserved. Reproduction is Strictly Prohibited Using AppLocker for Application Whitelisting AppLocker is an in-built Windows security component that can be used to control which applications users can run. When AppLocker rules are enforced, apps excluded from the list of allowed apps are prevented from running. The files include executables, Windows Installer files, and dynamic-link library (DLL) files. The default executable rules are based on paths, and all files under those paths are allowed. Group Policy AppLocker is used to set rules for applications in a domain. Module 09 Page 1201 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Application Security Exam 212-82 5 Local Security Policy File Action View = 2@ Help Em ?:::?of::’::l‘icis lF ApplLocker provides access control for applications > [@ Local Policies > | ] Windows Defender Firewall with Adve [0 Network List Manager Policies > @ Public Key Policies.. AppLocker uses rules and the properties of files to provide access control for applications. ¥ rnules are present in a rule collection, only the files included in those - » [ Software Restriction Policies v [ Application Control Policies > {3 Applocker > & IP Security Policies on Local Compute|| » [ ] Advanced Audit Policy Configuration rules will be permitted to run. AppLocker ndes do not apply to al ediions of Windows. | B3 More sbout Applocker n = Which edtions of Windows support Applocker? L Forthe AppLocker policy 1o be enforced on & computer, the Application Identity service must be running. Use the erforcement settings for each rule collection to corfigure whether niles are m«w.rmmmmm rfigured, nies wil be enforced a Configure nie enforcement u More about rule enforcement Figure 9.14: AppLocker for application whitelisting if Local Security Policy File o Action View aml = Help X Em T Security Settings > [ 4 Account Policies > |4 Local Policies > ] [ > [ » [ v | v ] Action User Name Condition Exceptior There are no items to show in this view. Windows Defender Firewall with Adv: Network List Manager Policies Public Key Policies Software Restriction Policies Application Control Policies [T§ Applocker > [# Executable Pritar > () Windows Ir Create New Rule... > Script Rule: Automatically Generate Rules... > B Packageda Create Default Rules > &, IP Security Policies > (1 Advanced Audit P« View > Helo Figure 9.15: Generate an executable rule automatically This app has been blocked by your system administrator. Copy to clipboard Figure 9.16: App gets blocked Module 09 Page 1202 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.