Security+: Establishing Host Security (SY0-401) [DECOMMISSIONED ARTICLE]

December 19, 2017 by Fakhar Imam

NOTE: This article reflects an older version of the Security+ Exam – please see the current Security+ Certification page for the most up-to-date information.


Host security should be one of your network’s top security priorities, along with server and network security. The end user is the most dangerous element in any organization because he/she interacts directly with company resources and network. Therefore, enterprises must secure their networks and resources against potential threats posed by end users, peripherals, and removable media. Doing so will require some important security measures, including OS hardening, patch management, whitelisting vs. blacklisting applications, host-based firewalls, host-based intrusion detection, and hardware security.

How Will OS Hardening Protect My System?

The out-of-the-box installation of the operating system (OS) can be inherently insecure due to some potential oversights, including backdoors, code issues, and the age of the product. Although the out-of-the-box experience is being improved and security implications are being addressed, you must still try to protect your OS after the installation.

OS hardening allows security experts to configure an OS securely and update it periodically. In addition, experts must create rules and policies to help govern the system securely and avoid potential vulnerabilities. Unnecessary services should also be ended and unwanted applications should be uninstalled. OS hardening includes more security measures, including configuration baselines, security templates, group policies, hotfixes, service packs, and patch management. A hotfix is an urgent and immediate patch in response to a serious security issue, while a patch is a non-urgent fix that provides some additional functionality. Service packs are a cumulative assortment of the patches and hotfixes to date.

What Do I Need to Know about Patch Management?

Patch management is the practice of planning, testing, implementing, and auditing patches to a system. Security is the changing target because today’s secured system can become vulnerable tomorrow. Malicious parties are creating new threats and sophisticated ways to attack systems every day. Therefore, the best solution is to stay vigilant against newly emerging threats and vulnerabilities; for example, using updates provided by the vendor. Installing updates to operating systems, applications, device drivers, protocols, and services is essential to protect your IT environment from known threats and vulnerabilities. Updates not only prevent attacks that can directly affect the system but also remove bugs, errors, or any flaw that can provide an illegitimate channel to the intruders for accessing the systems. Moreover, the effective patch management system involves several steps, including:

  1. Always watch your vendor’s website for updates.
  2. Never forget to perform sign up for newsletters, notifications, or discussion groups.
  3. Make sure that you are downloading the updates only from vendor’s website and that your application blocks any malicious update.
  4. Test all the updates on nonproduction systems and document a report.
  5. Make backups before applying updates.
  6. Apply tested updates on production systems.
  7. Evaluate the effects of the updates.
  8. Always prepare to roll back the updates if negative effects are discovered.

The administrator can apply patches in two ways, either using a software tool to automate this activity or via a manual process. For example, Microsoft provides Windows Server Update Services (WSUS) software that enables experts to manage the distribution of updates.

What Are Whitelisting vs. Blacklisting Applications?

Application whitelisting is the process of prohibiting unauthorized software from being able to execute, also known as implicit deny or deny by default. The administrator creates a preapproved exception list, called a whitelist, that prevents viruses, malware, or any other unlicensed software from executing automatically unless it is on the whitelist. However, the whitelisting solution cannot guarantee 100% protection because the attackers often exploit an application’s configuration issues and kernel-level vulnerabilities to bypass the whitelist. Nevertheless, the implementation of whitelisting has paramount importance throughout the security deployment lifecycle. According to the NIST Special Publication 800-167, Guide to Application Whitelisting, there are three types of application whitelisting, including files and folder attributes, application resources, and whitelist generation and maintenance. This document also contains a detailed description of application whitelisting planning and implementation.

Application blacklisting also prevents the execution of unauthorized applications by maintaining a list of illegitimate applications. Blacklisted applications are disallowed from running or installing to the system. However, the blacklist is not completely effective due to ratios of false positives of blacklist applications.

What Are Host-Based Firewalls?

Most companies frequently use perimeter-based firewalls to protect their IT environments. History indicates that this approach is often insufficient due to configuration issues when managing an enormous number of protocols and services. Besides, the perimeter-based firewalls aren’t effective in the face of threats such as viruses and worms and they are also ineffective against threats from inside an enterprise network.

On the other hand, a host-based firewall is the best alternative to a perimeter-based firewall. A host-based firewall, also known as a personal software firewall, is an application that protects each individual system from unwanted internet traffic by using a predefined set of rules and policies. Some host-based firewalls can also detect and block attempted intrusions. Moreover, they are configurable on a per-machine basis and offer maximum flexibility. Linux operating systems support a kernel-based packet filter that is an appropriate tool for building host-based firewall systems. Unlike perimeter-based firewalls, host-based firewalls can be configured easily because the host typically requires support for just a few protocols to function properly. Some popular host-based firewalls include Kerio Personal Firewall, Agnitum Outpost Firewall, Tiny Personal Firewall, and ZoneAlarm.

What Do I Know about Host-based Intrusion Detection?

In general, an intrusion detection system (IDS) is used to monitor and detect the presence of malicious activities. An IDS can only detect intrusions rather than eliminating them.

A host-based IDS (HIDS) watches the log files and audit trails of a host system. It is limited to logging capabilities and auditing of the host system, which includes the OS, installed applications, and services. It can detect intrusions only if adequate information is acquired by the auditing capabilities of the host. Moreover, a HIDS can detect malicious activities, whether they are perpetuated by the user through locally performed login to the host or are originated from the external source. In addition, a HIDS can help to defend against rootkits on initial installation by testing the following conditions.

  • Unauthorized listening processes and ports
  • Network anomaly detection
  • Watch for network cards that are listening to network traffic
  • Files that match a predefined list of rootkit fingerprints
  • Files with permissions that are uncommon for the file type

The examples of HIDS include security anomaly detectors, anti-spyware scanners, and antivirus software. However, an HIDS also has some disadvantages. For example, if a disaster occurs to the system, the HIDS database will be unavailable. Furthermore, HIDS is difficult to manage because information has to be managed and configured for every host. Besides, it’s not very effective in the face of Denial-of-Service (DoS) attacks.

What Do I Know about Hardware Security?

Hardware security is a prerequisite to the overall security of the system because, without access control over the physical environment and facility, otherwise secure systems can be compromised quickly. System peripherals and hardware require protection and physical access control to maintain the logical security applied by the software program. Logical protection defends against logical attacks, while physical protection provides security against physical attacks. Either type needs layers of protection; otherwise, effective security is out of the question.

One of the important components of hardware is the basic input/output system (BIOS), which is low-end firmware embedded into the hardware’s EEPROM (electronically erasable programmable read-only memory). The BIOS initiate the boot process by loading the operating system. If attackers successfully alter the BIOS, they will be able to initiate otherwise prohibited activities or bypass security features. Intel security published a document in 2015 and highlighted some BIOS attacks, including Jolly Ghosts, Rainbows, and Devil’s Cabbage, each of which could pose various types of attacks. The experts can use some methods for preventing BIOS attacks. The BIOS should be physically set to non-writeable form. Also, a hardware cryptographic key can be programmed onto a BIOS chip during its manufacture to prevent BIOS modification. Securing the system with an updated antivirus program is also essential in this regard.

Moreover, USB devices are common today and protecting them is a need of the hour. A USB device can be used to steal proprietary and/or confidential data from outside the secure environment. In addition, a bootable USB can be used to compromise the system. Also, some malware uses Windows’ autorun feature to spread from an infected USB device to the host computer. Real protection against USB attacks can only be ensured by disallowing USB devices or locking down all the USB ports. Some enterprises even physically block USB ports with epoxy, silicon, or similar materials. However, if the use of USBs is inevitable, Windows’ autorun feature should be disabled. Before opening, a USB port should be scanned with an updated antivirus program.

InfoSec Security+ Boot Camp

The InfoSec Institute offers a Security+ Boot Camp that teaches you the information theory and reinforces that theory with hands-on exercises that help you learn by doing.

Moreover, InfoSec has been one of the most awarded (42 industry awards) and trusted information security training vendors for 17 years.

InfoSec also offers thousands of articles on all manner of security topics.

Posted: December 19, 2017
Fakhar Imam
View Profile

Fakhar Imam is a professional writer with a master’s program in Masters of Sciences in Information Technology (MIT). To date, he has produced articles on a variety of topics including on Computer Forensics, CISSP, and on various other IT related tasks.