Chapter 9 - 04 - Application Security Testing Techniques and Tools - 05_ocred_fax_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Exam 212-82
Application Security

Additional Application Whitelisting and Blacklisting Tools

Some additional application whitelisting and blacklisting tools are listed below:

- Airlock Digital (https://www.airlockdigital.com)
- Digital Guardian (https://digitalguardian.com)
- Ivanti Application Control (https://www.ivanti.com)
- Thycotic (https://thycotic.com)
- RiskAnalytics (https://riskanalytics.com)
- Kaspersky Whitelist (https://whitelist.kaspersky.com)
- PolicyPak (https://www.policypak.com)
- PowerBroker (https://www.beyondtrust.com)
- Faronics Anti-executable (https://www.faronics.com)
- McAfee Application Control (https://www.mcafee.com)

Module 09 Page 1212 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Application Sandboxing

Application sandboxing is the process of running applications in a sealed container (sandbox) so that the applications cannot access critical system resources and other programs. It provides an extra layer of security and protects apps and the system from malicious apps. It is often used to execute untrusted or untested programs or code from untrusted or unverified third parties without risking the host system or OS. The protection provided by the sandbox is not sufficiently robust against advanced malware that targets the OS kernel.

When an application is executed without a sandbox, it has unrestricted access to system resources and all user data. In contrast, an application executed within a sandbox has restricted access to the system resources and data outside the sandbox. Installing a sandboxed app in a system creates a specific directory (sandboxed directory). By default, the app has unlimited read and write access to the directory. However, apps within the directory are not allowed to read or write the files outside the directory or access other system resources, unless authorized.

Figure 9.25: Execution of an application with and without a sandbox (panels: Running an Application Without a Sandbox; Running an Application With a Sandbox)

The following approaches can be used to implement an application sandbox.

- Isolation-based approach: In this approach, a program running in the sandbox is isolated from the system resources and programs running outside the sandbox.

Figure 9.26: Isolation-based sandbox

- Rule-based approach: In this approach, the sandbox controls what each application can do and permits applications to share resources based on the set rules.

Figure 9.27: Rule-based sandbox
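
The sandboxed-directory default and the rule-based approach described above can be modelled as a single access decision. The following is an added example, not part of the original course text or of any sandbox product: the `SandboxPolicy` class, its rule format, and the directory layout in `demo()` are assumptions constructed for illustration, and it only models the decision, which a real sandbox enforces at the OS level.

```python
import os
import tempfile


class SandboxPolicy:
    """Access decision for one sandboxed app (hypothetical model, not an enforcer)."""

    def __init__(self, sandbox_dir, rules=()):
        # realpath() resolves symlinks and ".." so checks use the true location.
        self.root = os.path.realpath(sandbox_dir)
        # rules: (directory, allowed modes), e.g. ("/srv/shared", "r")
        self.rules = [(os.path.realpath(p), set(m)) for p, m in rules]

    @staticmethod
    def _inside(path, base):
        return os.path.commonpath([path, base]) == base

    def allows(self, path, mode):
        """mode is 'r' or 'w'; relative paths are resolved against the sandbox directory."""
        target = os.path.realpath(os.path.join(self.root, path))
        if self._inside(target, self.root):
            return True                     # default: read/write inside own directory
        for base, modes in self.rules:      # outside: only if a rule authorizes it
            if self._inside(target, base) and mode in modes:
                return True
        return False                        # everything else is denied


def demo():
    """Evaluate sample requests against a constructed directory layout."""
    with tempfile.TemporaryDirectory() as top:
        box, shared, private = (os.path.join(top, d) for d in ("box", "shared", "private"))
        for d in (box, shared, private):
            os.mkdir(d)
        os.symlink(private, os.path.join(box, "link"))  # symlink leading out of the sandbox
        policy = SandboxPolicy(box, rules=[(shared, "r")])
        return {
            "own_write": policy.allows("notes.txt", "w"),
            "traversal": policy.allows("../private/secret.txt", "r"),
            "symlink_escape": policy.allows("link/secret.txt", "r"),
            "shared_read": policy.allows(os.path.join(shared, "doc.txt"), "r"),
            "shared_write": policy.allows(os.path.join(shared, "doc.txt"), "w"),
        }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:15} -> {'allow' if allowed else 'deny'}")
```

Resolving the path before the comparison is what makes the `..` and symlink requests fall outside the sandboxed directory; comparing the raw strings would have allowed both.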

Application Sandboxing Tools

- Sandboxie
  Source: https://www.sandboxie.com

  Sandboxie is a sandboxing tool developed by Sophos. It keeps the browser isolated and blocks malicious software, viruses, ransomware, and zero-day threats. It prevents websites from modifying files and folders on the system.

  The following are the steps to allow already installed programs (e.g., a browser) in Sandboxie:
  - Select Sandbox → Default Box → Run Sandboxed → Run Web browser.
  - Select Run Any Program to allow any other application.

Figure 9.28: Working of Sandboxie Control (screenshot of the Sandboxie Control window listing the processes running in Sandbox DefaultBox: SandboxieRpcSs.exe, SandboxieDcomLaunch.exe, and chrome.exe)

Some additional application sandboxing tools are listed below:

- BUFFERZONE (https://bufferzonesecurity.com)
- SHADE Sandbox (https://www.shadesandbox.com)
- Shadow Defender (http://www.shadowdefender.com)
- Browser in the Box TS (https://www.rohde-schwarz.com)
- Toolwiz Time Freeze (http://www.toolwiz.com)
