11 Endpoint Security Flashcards
What is the importance of using appropriate cryptographic solutions?
Ensures data confidentiality, integrity, and authenticity.
Tools include Trusted Platform Module (TPM), Hardware Security Module (HSM), Key Management System, and Secure Enclave.
What are the types of vulnerabilities?
Operating system (OS)-based, Hardware (Firmware, End-of-life, Legacy), Misconfiguration.
Each type presents different risks that need to be managed.
What is the purpose of mitigation techniques in securing the enterprise?
To reduce risk and enhance security through strategies such as patching, encryption, and configuration enforcement.
Other techniques include decommissioning and hardening techniques.
List some hardening techniques.
- Encryption
- Installation of endpoint protection
- Host-based firewall
- Host-based intrusion prevention system (HIPS)
- Disabling ports/protocols
- Default password changes
- Removal of unnecessary software
Hardening techniques are critical for securing systems.
What are the security implications of different architecture models?
Architecture models can affect the security posture of IoT, Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA), Real-time Operating Systems (RTOS), and Embedded Systems.
Understanding these implications is crucial for security planning.
What are secure baselines?
Establish, Deploy, Maintain.
Secure baselines help ensure consistent security configurations across systems.
What does proper hardware, software, and data asset management entail?
- Acquisition/procurement process
- Assignment/accounting (Ownership, Classification)
- Monitoring/asset tracking (Inventory, Enumeration)
- Disposal/decommissioning (Sanitization, Destruction, Certification, Data retention)
Effective asset management is key to maintaining security.
What tools are used for security alerting and monitoring?
- Antivirus
- Data Loss Prevention (DLP)
These tools help detect and respond to security incidents.
What is endpoint detection and response (EDR)?
A security solution for detecting, investigating, and responding to endpoint threats.
EDR is part of enhancing overall security capabilities.
True or False: Endpoints significantly outnumber servers and network devices in most organizations.
True
This makes endpoint protection a major task for security professionals.
What are some techniques to secure a system’s boot process?
Secure boot, firmware validation, and integrity checks.
These techniques help prevent unauthorized access at startup.
Fill in the blank: _______ involves the practices of detecting, preventing, and remediating malware infections.
Antimalware and antivirus tools
These tools are essential for maintaining system integrity.
What specialized systems are discussed in relation to security requirements?
Embedded systems, Real-time Operating Systems (RTOS), SCADA, and Industrial Control Systems (ICS).
They have different security needs compared to traditional systems.
What is the role of asset inventories in organizational security?
To track and manage assets effectively, ensuring accountability and security compliance.
Asset inventories are critical for security operations.
What is a key element in security operations related to operating systems?
Properly securing operating systems
This includes workstations, mobile devices, servers, and other types of devices.
What can be exploited by attackers in operating systems?
Vulnerabilities in the operating system itself
This drives the need for ongoing patching.
What is meant by minimizing an operating system’s attack footprint?
Reducing the number of exposed services that can be targeted
This involves configuring systems appropriately.
What are potential paths for attackers in operating systems?
Defaults like default passwords and insecure settings
Insecure defaults can lead to vulnerabilities.
What are configuration baselines?
Security practices intended to avoid insecure defaults
They help ensure that systems are set up securely from the start.
What is the difference between configurations and defaults?
Configurations are intentional but may be insecure, while defaults are pre-set values
Both can lead to vulnerabilities if not managed properly.
What type of security tools can help limit configuration issues?
Tools that support mandatory access control
These tools help mitigate potential vulnerabilities introduced by configurations.
What is misconfiguration?
A mistake made in system configuration
It is a common way for attackers to exploit systems.
What remains a consistent way for attackers to overcome security measures?
Human error
Misconfiguration often results from mistakes made by individuals.
What does the Security+ exam outline say about operating system-based vulnerabilities?
It is vague and just lists ‘OS-based’
This requires deeper understanding during study.
What factors impact an organization’s security regarding operating systems?
Choice of operating system, its defaults, security configuration, and support model
Each of these elements plays a crucial role in overall security.
What are hardware vulnerabilities?
Hardware vulnerabilities are weaknesses in hardware components that can be exploited, affecting security designs.
What are compensating controls?
Compensating controls are alternative security measures implemented to mitigate the impact of vulnerabilities.
What types of vulnerabilities should test takers explain according to the Security+ exam outline?
Hardware vulnerabilities related to firmware, end-of-life hardware, and legacy hardware.
What is firmware?
Firmware is the embedded software that allows devices to function, closely tied to hardware.
Can firmware be updated?
Firmware can often be updated but may require manual updates depending on device design.
What are some paths through which firmware attacks may occur?
- Executable updates
- User downloads of malicious firmware
- Remote network-enabled updates
Why are firmware vulnerabilities particularly concerning?
Malicious firmware persists even after reinstalling the operating system or other software.
What is an example of a firmware attack?
2022’s MoonBounce malware targets a computer’s Serial Peripheral Interface (SPI) flash memory.
What is the significance of firmware validation?
Firmware validation is crucial for security practitioners to ensure the integrity of device firmware.
What does ‘end-of-life’ hardware indicate?
End-of-life hardware is no longer sold but may still receive support for a limited time.
What is meant by ‘end of support’?
End of support is the last date on which the vendor provides support or updates for a product.
Define ‘end of sales’.
End of sales is the last date a specific model or device will be sold, though it may still be available through resellers.
What does the term ‘legacy’ refer to?
Legacy describes hardware, software, or devices that are no longer supported.
Fill in the blank: Firmware attacks may occur through _______.
[any path that allows access to the firmware]
True or False: Firmware attacks can be removed by reinstalling the operating system.
False
What is a critical security control mentioned for firmware protection?
Trusted boot.
What is meant by the term ‘endpoints’ in a network?
Endpoints refer to devices like desktops, mobile devices, and servers that are the endpoints of a network.
What are the two techniques modern UEFI firmware uses to ensure boot integrity?
- Secure Boot
- Measured Boot
What is the purpose of Secure Boot?
Secure Boot ensures that the system boots using only software that the original equipment manufacturer (OEM) trusts.
What does Measured Boot do?
Measured Boot measures each component of the boot process and relies on UEFI firmware to hash firmware, bootloader, and drivers.
What is the role of the Trusted Platform Module (TPM) in boot integrity?
TPM stores the data gathered from the boot process and allows validation of the boot state remotely.
What are the three major functions of TPM chips?
- Remote attestation
- Binding
- Sealing
What are hardware security modules (HSMs) used for?
HSMs are used to create, store, and manage digital keys for cryptographic functions and authentication.
What is a key management service (KMS)?
KMS is a service used to manage cryptographic keys and secrets centrally.
What methods do antimalware tools use to detect malware?
- Signature-based detection
- Heuristic-based detection
- AI and machine learning
What is sandboxing in the context of antimalware tools?
Sandboxing is an isolated environment where potentially dangerous software can be run to observe its actions.
True or False: Allow lists are more secure than deny lists.
True
What is the main function of Endpoint Detection and Response (EDR) tools?
EDR tools monitor endpoint devices and systems to collect, correlate, and analyze events for suspicious activity.
What distinguishes Extended Detection and Response (XDR) from EDR?
XDR takes a broader perspective, considering the entire technology stack of an organization, not just endpoints.
What are key elements of Data Loss Prevention (DLP) systems?
- Data classification
- Data labeling/tagging
- Policy management and enforcement
- Monitoring and reporting
Fill in the blank: A _______ is a list of software that is allowed to run on a system.
[allow list]
What is the primary purpose of host-based firewalls?
Host-based firewalls protect endpoints from unwanted network traffic.
What challenge do organizations face when maintaining allow lists and deny lists?
The effort required to maintain the lists is a significant challenge.
What is the function of the hardware root of trust?
The hardware root of trust contains cryptographic keys that secure the boot process.
List two examples of secure elements similar to TPM.
- Apple’s Secure Enclave
- Google’s Titan M
What is the primary goal of DLP systems?
To protect organizational data from theft and inadvertent exposure.
What is the significance of policy management in DLP systems?
Policy management ensures that data handling meets organizational standards.
True or False: EDR tools do not provide capabilities for manual investigation.
False
What feature of EDR systems helps in detecting suspicious data?
The ability to search and explore collected data.
What does EDR stand for?
Endpoint Detection and Response
EDR is a security solution that helps organizations detect and respond to threats on endpoints.
What is the purpose of XDR?
Extended Detection and Response
XDR integrates multiple security products into a cohesive system for improved threat detection and response.
What significant threats have led to the adoption of EDR and XDR?
Ransomware and other malicious software
What does DLP stand for?
Data Loss Prevention
DLP tools are used to ensure sensitive data does not leave the organization.
What is a host-based firewall?
A firewall built into most modern operating systems that stops unwanted traffic.
How do host-based firewalls typically operate?
They block or allow specific applications, services, ports, or protocols.
What is the function of a host intrusion prevention system (HIPS)?
Analyzes traffic before services or applications process it and can take action on that traffic.
What can a HIPS do with malicious traffic?
Filter out malicious traffic or block specific elements of the data received.
What problem can occur if a HIPS misidentifies legitimate traffic?
It can block legitimate traffic, potentially causing an outage.
What incident occurred when a HIPS was deployed in a datacenter?
The HIPS blocked backend traffic due to unrecognized protocol changes from a Windows update.
What is the main difference between a host-based intrusion detection system (HIDS) and a HIPS?
A HIDS can only report and alert on issues, while a HIPS can take action to block traffic.
What is a key consideration before deploying HIPS or HIDS?
How to manage them and what would happen if problems occurred.
What role do granular controls play in security?
They are an important part of a zero-trust design.
What can prevent network security devices from seeing traffic?
Network switches that allow traffic to move from system to system.
What is a potential issue with using a HIDS in real-time security?
It has a limited use for real-time security due to its inability to block traffic.
Fill in the blank: A HIPS can analyze traffic _______ services or applications process it.
before
What is hardening in the context of systems and applications?
Changing settings on the system to increase overall security and reduce vulnerability to attack.
The concept of a system’s attack surface is important when performing system hardening.
What are common organizations that provide hardening guides?
- Center for Internet Security (CIS)
- National Institute of Standards and Technology (NIST)
Guides are available for operating systems, browsers, and various other hardening targets.
What are key hardening items listed in the Security+ exam outline?
- Encryption
- Installing endpoint protection
- Host-based firewalls
- Host-based intrusion prevention systems
- Disabling ports and protocols
- Changing default passwords
- Removing unnecessary software
These are essential concepts to understand for the exam.
How can the attack surface of a system be decreased?
By reducing the number of open ports and services.
Disabling unnecessary ports and protocols makes it harder for attackers to exploit systems.
What is the purpose of port scanners in security?
To quickly assess which ports are open on systems on a network.
This allows security practitioners to identify and prioritize hardening targets.
What is the rule of thumb for hardening services and ports?
Only services and ports that must be available should be open, limited to necessary networks or systems.
This minimizes potential attack vectors.
Which port is commonly used for Secure Shell (SSH) in Linux systems?
22/TCP.
SSH is more common in Linux than in Windows.
Which command in Ubuntu can check which services are running?
service –status-all.
This command helps identify services for starting or stopping.
What is a common technique used in hardening networks?
Using VLANs (virtual local area networks) to segment different trust levels or user groups.
This practice helps protect vulnerable devices and manage network security.
Why is changing default passwords important in hardening practices?
Default passwords are often documented and publicly available, creating significant risk.
Databases of default passwords can be found online.
What is a key practice in hardening efforts regarding software?
Removing unnecessary software.
This reduces potential vulnerabilities and the need for patching.
What is a challenge with mobile devices in terms of hardening?
Vendor-supplied tools can create vulnerabilities.
Mobile device management platforms can help address these issues.
Fill in the blank: The best option for unneeded services is to ______ them entirely.
disable.
This is preferable to merely blocking them using a firewall.
True or False: You need to know OS-specific commands for the Security+ exam.
False.
Understanding the concept of disabling services is sufficient.
What is the primary purpose of operating system hardening?
To reduce the attack surface for your operating system.
What benchmarks can be used for hardening operating systems?
Center for Internet Security (CIS) benchmarks.
What is the recommended password history setting according to CIS benchmarks for Windows?
Remember 24 or more passwords.
What is the maximum password age recommended by CIS benchmarks?
365 or fewer days, but not 0.
What is the minimum password length recommended by CIS benchmarks?
14 or more characters.
What type of encryption should be disabled according to CIS benchmarks?
Reversible encryption for password storage.
What is the Windows Registry’s role in the operating system?
It tracks system activities and configurations.
What is one method to harden the Windows Registry?
Disallow remote Registry access if not required.
What is a Group Policy Object (GPO)?
A tool to control settings in Windows systems and domains.
What does the Security Compliance Toolkit (SCT) do?
Works with security configuration baselines for Windows and other Microsoft applications.
What is SELinux?
A Linux kernel-based security module providing additional security capabilities.
What type of access control does SELinux enforce?
Mandatory access control (MAC).
What is AppArmor in relation to Linux hardening?
Another tool implementing mandatory access controls for Linux.
What is the first phase of a baseline’s life cycle in configuration management?
Establishing a baseline.
What is the importance of patch management?
To ensure systems and software are up to date and secure.
What is full-disk encryption (FDE)?
Encryption that protects the entire disk and requires a decryption key for access.
What is a common risk associated with patching systems?
Patches may introduce new flaws.
What is the common practice regarding patch installation after release?
Delay installation for a few days to assess potential issues.
What happens if the encryption key for a disk is lost?
The data on the drive will likely be unrecoverable.
What is the advantage of self-encrypting drives (SED)?
Implement encryption capabilities in hardware and firmware.
Fill in the blank: The process of managing configurations in an enterprise environment is called _______.
Configuration management.
True or False: The CIS benchmarks provide a single, unmodifiable standard for all organizations.
False.
What is the role of configuration management tools?
To enforce standards, manage systems, and report on security settings.
What is the impact of disk encryption on lost or stolen systems?
It can be treated as a loss of the system rather than a data breach.
What is one key feature of enterprise patch management?
The ability to force updates to be installed.
What is the primary purpose of operating system hardening?
To reduce the attack surface for your operating system.
What benchmarks can be used for hardening operating systems?
Center for Internet Security (CIS) benchmarks.
What is the recommended password history setting according to CIS benchmarks for Windows?
Remember 24 or more passwords.
What is the maximum password age recommended by CIS benchmarks?
365 or fewer days, but not 0.
What is the minimum password length recommended by CIS benchmarks?
14 or more characters.
What type of encryption should be disabled according to CIS benchmarks?
Reversible encryption for password storage.
What is the Windows Registry’s role in the operating system?
It tracks system activities and configurations.
What is one method to harden the Windows Registry?
Disallow remote Registry access if not required.
What is a Group Policy Object (GPO)?
A tool to control settings in Windows systems and domains.
What does the Security Compliance Toolkit (SCT) do?
Works with security configuration baselines for Windows and other Microsoft applications.
What is SELinux?
A Linux kernel-based security module providing additional security capabilities.
What type of access control does SELinux enforce?
Mandatory access control (MAC).
What is AppArmor in relation to Linux hardening?
Another tool implementing mandatory access controls for Linux.
What is the first phase of a baseline’s life cycle in configuration management?
Establishing a baseline.
What is the importance of patch management?
To ensure systems and software are up to date and secure.
What is full-disk encryption (FDE)?
Encryption that protects the entire disk and requires a decryption key for access.
What is a common risk associated with patching systems?
Patches may introduce new flaws.
What is the common practice regarding patch installation after release?
Delay installation for a few days to assess potential issues.
What happens if the encryption key for a disk is lost?
The data on the drive will likely be unrecoverable.
What is the advantage of self-encrypting drives (SED)?
Implement encryption capabilities in hardware and firmware.
Fill in the blank: The process of managing configurations in an enterprise environment is called _______.
Configuration management.
True or False: The CIS benchmarks provide a single, unmodifiable standard for all organizations.
False.
What is the role of configuration management tools?
To enforce standards, manage systems, and report on security settings.
What is the impact of disk encryption on lost or stolen systems?
It can be treated as a loss of the system rather than a data breach.
What is one key feature of enterprise patch management?
The ability to force updates to be installed.
What are embedded systems?
Computer systems built into other devices, often specialized and with specific functions.
What is a real-time operating system (RTOS)?
An operating system that processes data as it comes in without waiting for other tasks.
What is the primary purpose of assessing embedded systems?
To ensure they remain secure and usable without causing malfunctions.
List the steps involved in assessing embedded systems.
- Identify the manufacturer and acquire documentation
- Determine how it interfaces with the world
- Identify services and secure connections
- Learn about updates and patching cycles
- Document response to security issues
What types of devices can include embedded systems?
- Medical systems
- Smart meters
- Vehicles
- Drones and autonomous vehicles
- VoIP systems
- Printers
- Surveillance systems
What does SCADA stand for?
Supervisory Control and Data Acquisition
What are the components commonly found in SCADA systems?
- Remote telemetry units (RTUs)
- Programmable logic controllers (PLCs)
- System control and monitoring interfaces
True or False: SCADA systems are designed with security as a primary consideration.
False
What are some common security concerns for IoT devices?
- Poor security practices
- Short support lifespans
- Vendor data-handling practices
Fill in the blank: Many embedded systems operate using _______ connectivity.
[cellular]
What is a significant risk associated with fitness trackers in sensitive areas?
They can reveal GPS data and routes used by personnel.
What is the role of the subscriber identity module (SIM) in cellular-enabled devices?
It provides identity and connectivity for the device.
What are Zigbee and Z-Wave?
Network protocols designed for personal area networks and home automation.
What are some constraints of embedded systems that impact security?
- Limited computational power
- Potential lack of network connectivity
- Low memory and storage capacity
What is the risk of using default configurations in specialized systems?
They may contain vulnerabilities that can be exploited.
What is the importance of documenting findings when assessing embedded systems?
To ensure appropriate practices are included in operational procedures.
What does the acronym RTU stand for?
Remote Terminal Unit, Remote Telemetry Unit, or Remote Telecontrol Unit.
What is a critical security measure for vehicles connected to the Internet?
Encrypting command-and-control channels.
What security challenges do low-power, specialized devices present?
They may not receive patches or support and can have long lifespans.
What is a common usage for SCADA systems?
Monitoring and controlling industrial processes.
Fill in the blank: ICS stands for _______.
[Industrial Control Systems]
What is a potential consequence of a compromised vehicle?
Shutting down safety features or taking control of the vehicle.
What is a significant concern when securing IoT devices?
Weak default settings and lack of network security.
How can printers be a security risk in a network?
They can act as access points to protected networks and may leak data.
What issues may arise due to limited connectivity in embedded systems?
Inability to patch, monitor, or maintain devices remotely
Embedded systems are often deployed in areas with limited connectivity, affecting their management.
What factors can prevent authentication to an embedded system?
Lack of network connectivity, CPU and memory capacity
Authentication may also be undesirable for safety or usability reasons.
What types of devices commonly utilize embedded systems?
- Industrial machinery
- Sensors and monitoring systems
- Household appliances
These devices often operate without traditional network connectivity.
Why might replacing a vulnerable embedded device be challenging?
It is often a component in a larger specialized device
This necessitates compensating controls or special design decisions.
What does implied trust in embedded devices refer to?
Presumption that operators interacting with the device are trusted
Physical access is viewed as authorization to use or modify the device.
What security implications arise from the implied trust model in embedded devices?
Potential vulnerability for organizations
This model must be reviewed and designed for before deployment.
True or False: Embedded systems are always connected to a traditional network.
False
Many embedded systems are deployed outside of traditional networks.
Fill in the blank: Without authentication, other _______ need to be identified for embedded systems.
[security models]
This is crucial to ensure authorized changes to the system.
What are the consequences of deploying embedded devices without considering their security?
They may become a potential vulnerability for organizations
Security design considerations are essential during deployment.
What is the primary purpose of asset management?
To ensure the security of assets throughout their life cycle
This includes hardware, software, and data.
What should acquisition and procurement processes include?
Security best practices and assessment
Ensures appropriate security controls and practices.
What is the significance of asset inventories?
They help track assets through their lifespan and ensure security
Includes identifying owners and classifying sensitive data.
What does enumeration typically involve?
Scanning to identify assets
Some organizations use port and vulnerability scans.
True or False: Maintaining asset inventories helps organizations understand their assets.
True
Lack of inventories can lead to uncontrolled risks.
What is decommissioning in asset management?
The process of removing a device or system from service and inventory
Ensures no sensitive data remains on the system.
What are the two processes for sanitizing drives or media?
- Wiping the data
- Destroying the media
Both methods are important for secure disposal.
How does a degausser work?
Exposes magnetic media to strong electromagnetic fields to scramble data
It is used to wipe tapes and similar magnetic media.
What is data remanence?
Data still present on a disk after an attempted wipe
Particularly concerning with SSDs due to wear-leveling algorithms.
What is a recommended method for ensuring data is not recoverable on SSDs?
Use full-disk encryption and discard the encryption key
This prevents data recovery even by advanced threats.
What is one popular option for organizations wanting to eliminate the risk of data exposure?
Destroying drives by shredding, pulverizing, or incinerating
Third-party vendors often provide these services.
What is the purpose of certification processes in asset management?
To document that assets were decommissioned properly
Certificates of destruction provide proof of disposal.
Fill in the blank: If drives aren’t wiped, sensitive data may remain _______.
[on the system]
This can lead to significant security incidents.
What are common reasons for data retention in organizations?
- Legal purposes
- Business purposes
- Compliance or audit components
Retention periods can be determined by law.
What should disposal processes be aware of?
Retention policies and procedures
Ensures compliance with legal and organizational requirements.
What risks can arise from retaining assets longer than necessary?
- Data breaches
- Increased data availability during legal cases
Proper disposal is critical to mitigate these risks.
What is the port number for FTP?
21
What is the port number for SSH?
22
What is the port number for Telnet?
23
What is the port number for HTTP?
80
What is the port number for HTTPS?
443
Which services are considered secure options for remote shell access?
- SSH (Port 22)
- HTTPS (Port 443)
True or False: HTTPS can be used for secure file transfer.
True
Naomi’s best option is to disable which three likely unsecure protocols?
- FTP (port 21)
- Telnet (port 23)
- HTTP (port 80)
Fill in the blank: Secure mode FTP is also known as _______.
[FTP/S]
What is the primary concern regarding FTP, Telnet, and HTTP?
They are likely unsecure protocols.
