11 Endpoint Security Flashcards

Question

What factors impact an organization's security regarding operating systems?

Answer 1

Choice of operating system, its defaults, security configuration, and support model ## Footnote Each of these elements plays a crucial role in overall security.

Answer 2

Hardware vulnerabilities are weaknesses in hardware components that can be exploited, affecting security designs.

Answer 3

Compensating controls are alternative security measures implemented to mitigate the impact of vulnerabilities.

Answer 4

Hardware vulnerabilities related to firmware, end-of-life hardware, and legacy hardware.

Answer 5

Firmware is the embedded software that allows devices to function, closely tied to hardware.

Answer 6

Firmware can often be updated but may require manual updates depending on device design.

Answer 7

* Executable updates * User downloads of malicious firmware * Remote network-enabled updates

Answer 8

Malicious firmware persists even after reinstalling the operating system or other software.

Answer 9

2022's MoonBounce malware targets a computer's Serial Peripheral Interface (SPI) flash memory.

Answer 10

Firmware validation is crucial for security practitioners to ensure the integrity of device firmware.

Answer 11

End-of-life hardware is no longer sold but may still receive support for a limited time.

Answer 12

End of support is the last date on which the vendor provides support or updates for a product.

Answer 13

End of sales is the last date a specific model or device will be sold, though it may still be available through resellers.

Answer 14

Legacy describes hardware, software, or devices that are no longer supported.

Answer 15

[any path that allows access to the firmware]

Answer 16

Trusted boot.

Answer 17

Endpoints refer to devices like desktops, mobile devices, and servers that are the endpoints of a network.

Answer 18

* Secure Boot * Measured Boot

Answer 19

Secure Boot ensures that the system boots using only software that the original equipment manufacturer (OEM) trusts.

Answer 20

Measured Boot measures each component of the boot process and relies on UEFI firmware to hash firmware, bootloader, and drivers.

Answer 21

TPM stores the data gathered from the boot process and allows validation of the boot state remotely.

Answer 22

* Remote attestation * Binding * Sealing

Answer 23

HSMs are used to create, store, and manage digital keys for cryptographic functions and authentication.

Answer 24

KMS is a service used to manage cryptographic keys and secrets centrally.

Answer 25

* Signature-based detection * Heuristic-based detection * AI and machine learning

Answer 26

Sandboxing is an isolated environment where potentially dangerous software can be run to observe its actions.

Answer 27

EDR tools monitor endpoint devices and systems to collect, correlate, and analyze events for suspicious activity.

Answer 28

XDR takes a broader perspective, considering the entire technology stack of an organization, not just endpoints.

Answer 29

* Data classification * Data labeling/tagging * Policy management and enforcement * Monitoring and reporting

Answer 30

[allow list]

Answer 31

Host-based firewalls protect endpoints from unwanted network traffic.

Answer 32

The effort required to maintain the lists is a significant challenge.

Answer 33

The hardware root of trust contains cryptographic keys that secure the boot process.

Answer 34

* Apple's Secure Enclave * Google's Titan M

Answer 35

To protect organizational data from theft and inadvertent exposure.

Answer 36

Policy management ensures that data handling meets organizational standards.

Answer 37

The ability to search and explore collected data.

Answer 38

Endpoint Detection and Response ## Footnote EDR is a security solution that helps organizations detect and respond to threats on endpoints.

Answer 39

Extended Detection and Response ## Footnote XDR integrates multiple security products into a cohesive system for improved threat detection and response.

Answer 40

Ransomware and other malicious software

Answer 41

Data Loss Prevention ## Footnote DLP tools are used to ensure sensitive data does not leave the organization.

Answer 42

A firewall built into most modern operating systems that stops unwanted traffic.

Answer 43

They block or allow specific applications, services, ports, or protocols.

Answer 44

Analyzes traffic before services or applications process it and can take action on that traffic.

Answer 45

Filter out malicious traffic or block specific elements of the data received.

Answer 46

It can block legitimate traffic, potentially causing an outage.

Answer 47

The HIPS blocked backend traffic due to unrecognized protocol changes from a Windows update.

Answer 48

A HIDS can only report and alert on issues, while a HIPS can take action to block traffic.

Answer 49

How to manage them and what would happen if problems occurred.

Answer 50

They are an important part of a zero-trust design.

Answer 51

Network switches that allow traffic to move from system to system.

Answer 52

It has a limited use for real-time security due to its inability to block traffic.

Answer 53

Changing settings on the system to increase overall security and reduce vulnerability to attack. ## Footnote The concept of a system's attack surface is important when performing system hardening.

Answer 54

* Center for Internet Security (CIS) * National Institute of Standards and Technology (NIST) ## Footnote Guides are available for operating systems, browsers, and various other hardening targets.

Answer 55

* Encryption * Installing endpoint protection * Host-based firewalls * Host-based intrusion prevention systems * Disabling ports and protocols * Changing default passwords * Removing unnecessary software ## Footnote These are essential concepts to understand for the exam.

Answer 56

By reducing the number of open ports and services. ## Footnote Disabling unnecessary ports and protocols makes it harder for attackers to exploit systems.

Answer 57

To quickly assess which ports are open on systems on a network. ## Footnote This allows security practitioners to identify and prioritize hardening targets.

Answer 58

Only services and ports that must be available should be open, limited to necessary networks or systems. ## Footnote This minimizes potential attack vectors.

Answer 59

22/TCP. ## Footnote SSH is more common in Linux than in Windows.

Answer 60

service --status-all. ## Footnote This command helps identify services for starting or stopping.

Answer 61

Using VLANs (virtual local area networks) to segment different trust levels or user groups. ## Footnote This practice helps protect vulnerable devices and manage network security.

Answer 62

Default passwords are often documented and publicly available, creating significant risk. ## Footnote Databases of default passwords can be found online.

Answer 63

Removing unnecessary software. ## Footnote This reduces potential vulnerabilities and the need for patching.

Answer 64

Vendor-supplied tools can create vulnerabilities. ## Footnote Mobile device management platforms can help address these issues.

Answer 65

disable. ## Footnote This is preferable to merely blocking them using a firewall.

Answer 66

False. ## Footnote Understanding the concept of disabling services is sufficient.

Answer 67

To reduce the attack surface for your operating system.

Answer 68

Center for Internet Security (CIS) benchmarks.

Answer 69

Remember 24 or more passwords.

Answer 70

365 or fewer days, but not 0.

Answer 71

14 or more characters.

Answer 72

Reversible encryption for password storage.

Answer 73

It tracks system activities and configurations.

Answer 74

Disallow remote Registry access if not required.

Answer 75

A tool to control settings in Windows systems and domains.

Answer 76

Works with security configuration baselines for Windows and other Microsoft applications.

Answer 77

A Linux kernel-based security module providing additional security capabilities.

Answer 78

Mandatory access control (MAC).

Answer 79

Another tool implementing mandatory access controls for Linux.

Answer 80

Establishing a baseline.

Answer 81

To ensure systems and software are up to date and secure.

Answer 82

Encryption that protects the entire disk and requires a decryption key for access.

Answer 83

Patches may introduce new flaws.

Answer 84

Delay installation for a few days to assess potential issues.

Answer 85

The data on the drive will likely be unrecoverable.

Answer 86

Implement encryption capabilities in hardware and firmware.

Answer 87

Configuration management.

Answer 88

To enforce standards, manage systems, and report on security settings.

Answer 89

It can be treated as a loss of the system rather than a data breach.

Answer 90

The ability to force updates to be installed.

Answer 91

To reduce the attack surface for your operating system.

Answer 92

Center for Internet Security (CIS) benchmarks.

Answer 93

Remember 24 or more passwords.

Answer 94

365 or fewer days, but not 0.

Answer 95

14 or more characters.

Answer 96

Reversible encryption for password storage.

Answer 97

It tracks system activities and configurations.

Answer 98

Disallow remote Registry access if not required.

Answer 99

A tool to control settings in Windows systems and domains.

Answer 100

Works with security configuration baselines for Windows and other Microsoft applications.

Answer 101

A Linux kernel-based security module providing additional security capabilities.

Answer 102

Mandatory access control (MAC).

Answer 103

Another tool implementing mandatory access controls for Linux.

Answer 104

Establishing a baseline.

Answer 105

To ensure systems and software are up to date and secure.

Answer 106

Encryption that protects the entire disk and requires a decryption key for access.

Answer 107

Patches may introduce new flaws.

Answer 108

Delay installation for a few days to assess potential issues.

Answer 109

The data on the drive will likely be unrecoverable.

Answer 110

Implement encryption capabilities in hardware and firmware.

Answer 111

Configuration management.

Answer 112

To enforce standards, manage systems, and report on security settings.

Answer 113

It can be treated as a loss of the system rather than a data breach.

Answer 114

The ability to force updates to be installed.

Answer 115

Computer systems built into other devices, often specialized and with specific functions.

Answer 116

An operating system that processes data as it comes in without waiting for other tasks.

Answer 117

To ensure they remain secure and usable without causing malfunctions.

Answer 118

* Identify the manufacturer and acquire documentation * Determine how it interfaces with the world * Identify services and secure connections * Learn about updates and patching cycles * Document response to security issues

Answer 119

* Medical systems * Smart meters * Vehicles * Drones and autonomous vehicles * VoIP systems * Printers * Surveillance systems

Answer 120

Supervisory Control and Data Acquisition

Answer 121

* Remote telemetry units (RTUs) * Programmable logic controllers (PLCs) * System control and monitoring interfaces

Answer 122

* Poor security practices * Short support lifespans * Vendor data-handling practices

Answer 123

[cellular]

Answer 124

They can reveal GPS data and routes used by personnel.

Answer 125

It provides identity and connectivity for the device.

Answer 126

Network protocols designed for personal area networks and home automation.

Answer 127

* Limited computational power * Potential lack of network connectivity * Low memory and storage capacity

Answer 128

They may contain vulnerabilities that can be exploited.

Answer 129

To ensure appropriate practices are included in operational procedures.

Answer 130

Remote Terminal Unit, Remote Telemetry Unit, or Remote Telecontrol Unit.

Answer 131

Encrypting command-and-control channels.

Answer 132

They may not receive patches or support and can have long lifespans.

Answer 133

Monitoring and controlling industrial processes.

Answer 134

[Industrial Control Systems]

Answer 135

Shutting down safety features or taking control of the vehicle.

Answer 136

Weak default settings and lack of network security.

Answer 137

They can act as access points to protected networks and may leak data.

Answer 138

Inability to patch, monitor, or maintain devices remotely ## Footnote Embedded systems are often deployed in areas with limited connectivity, affecting their management.

Answer 139

Lack of network connectivity, CPU and memory capacity ## Footnote Authentication may also be undesirable for safety or usability reasons.

Answer 140

* Industrial machinery * Sensors and monitoring systems * Household appliances ## Footnote These devices often operate without traditional network connectivity.

Answer 141

It is often a component in a larger specialized device ## Footnote This necessitates compensating controls or special design decisions.

Answer 142

Presumption that operators interacting with the device are trusted ## Footnote Physical access is viewed as authorization to use or modify the device.

Answer 143

Potential vulnerability for organizations ## Footnote This model must be reviewed and designed for before deployment.

Answer 144

False ## Footnote Many embedded systems are deployed outside of traditional networks.

Answer 145

[security models] ## Footnote This is crucial to ensure authorized changes to the system.

Answer 146

They may become a potential vulnerability for organizations ## Footnote Security design considerations are essential during deployment.

Answer 147

To ensure the security of assets throughout their life cycle ## Footnote This includes hardware, software, and data.

Answer 148

Security best practices and assessment ## Footnote Ensures appropriate security controls and practices.

Answer 149

They help track assets through their lifespan and ensure security ## Footnote Includes identifying owners and classifying sensitive data.

Answer 150

Scanning to identify assets ## Footnote Some organizations use port and vulnerability scans.

Answer 151

True ## Footnote Lack of inventories can lead to uncontrolled risks.

Answer 152

The process of removing a device or system from service and inventory ## Footnote Ensures no sensitive data remains on the system.

Answer 153

* Wiping the data * Destroying the media ## Footnote Both methods are important for secure disposal.

Answer 154

Exposes magnetic media to strong electromagnetic fields to scramble data ## Footnote It is used to wipe tapes and similar magnetic media.

Answer 155

Data still present on a disk after an attempted wipe ## Footnote Particularly concerning with SSDs due to wear-leveling algorithms.

Answer 156

Use full-disk encryption and discard the encryption key ## Footnote This prevents data recovery even by advanced threats.

Answer 157

Destroying drives by shredding, pulverizing, or incinerating ## Footnote Third-party vendors often provide these services.

Answer 158

To document that assets were decommissioned properly ## Footnote Certificates of destruction provide proof of disposal.

Answer 159

[on the system] ## Footnote This can lead to significant security incidents.

Answer 160

* Legal purposes * Business purposes * Compliance or audit components ## Footnote Retention periods can be determined by law.

Answer 161

Retention policies and procedures ## Footnote Ensures compliance with legal and organizational requirements.

Answer 162

* Data breaches * Increased data availability during legal cases ## Footnote Proper disposal is critical to mitigate these risks.

Answer 163

* SSH (Port 22) * HTTPS (Port 443)

Answer 164

* FTP (port 21) * Telnet (port 23) * HTTP (port 80)

Answer 165

They are likely unsecure protocols.