3.8 Attacks & exploits: Attacks on Specialized Systems

Question 1

Internet of Things (IoT) Devices: what is it? is it secure?

Answer 1

▪ A group of objects that can be electronic or not, which are all connected to the wider internet by using embedded electronic components
▪ IoT devices are not always secured

Question 2

Internet of Things (IoT) Devices: what protocols the IoT use (7)? Explain each of them

Answer 2

▪ Wi-Fi: can be operated in either infrastructure mode or ad hoc mode to create a local area network or a personal area network
▪ Bluetooth: short-range wireless networking technology that can be used by IoT devices
▪ Radio Frequency ID (RFID): Used to interconnect badges and card keys to the network
▪ Near Field Communication (NFC): Enables two electronic devices to communicate when they come within about 4 cm of each other
▪ Infrared: Used for devices that need to communicate using a line of sight communication using light beams inside of the infrared spectrum. Infrared only covers a distance on a relatively low bandwidth solution
▪ Zwave: A short range, low latency data transfer technology that uses less power and has lower data rates than Wi-Fi
▪ ANT+: A technology used for the collection of sensor data from different IoT devices

Question 3

Internet of Things (IoT) Devices: how IoT devices communicate with each others (2)?

Answer 3

▪ Machine to Machine (M2M): Involves communication between the IoT device and some other traditional system like a server or a gateway
▪ Machine to Person (M2P): Involves communication between an IoT device and the end user

Question 4

Internet of Things (IoT) Vulnerabilities: what is the most used OS in IoT devices? is there an issue with the hardware component?

Answer 4

o Most IOT devices use an embedded version of Linux or Android as their OS
o Many manufacturers use outdated or insecure hardware components

Question 5

Internet of Things (IoT) Vulnerabilities: how to prevent vulnerabilities on IoT devices?

Answer 5

Properly install, secure, and segment IOT devices into their own subnet, VLAN, or network outside of the normal IT production network

Question 6

Internet of Things (IoT) Vulnerabilities: what are the group of vulnerability (5) and give precise vulnerability for each group?

Answer 6

1/ Insecure defaults:
● Default login credentials
● No password set
● Number of open ports
● Unauthorized connection
● Firewall being turned off
2/ Hard-coded configurations:
● Self-registering device
● Usernames and passwords in plain text
● Unchangeable settings
3/ Cleartext communication
● Sending data in plain text
4/ Data leakage
5/ Attackers also monitor Bluetooth frequencies being transmitted and conduct eavesdropping: Data modification, Data exfiltration

Question 7

Internet of Things (IoT) Vulnerabilities: what issue can you have when exploit a vulnerability on IoT?

Answer 7

Be careful in which exploits you use since you can inadvertently cause the device to go offline, crash, or malfunction

Question 8

Embedded Systems: what is an Embedded Systems?

Answer 8

▪ A computer system that is designed to perform a specific, dedicated function
▪ Embedded systems can be a simple device or fully complex with the use of operating systems

Question 9

Embedded Systems: what is Programmable Logic Controller (PLC)?

Answer 9

▪ A type of computer designed for deployment in an industrial or outdoor setting that can automate and monitor mechanical systems
▪ PLC firmware can be patched and reprogrammed to fix vulnerabilities

Question 10

Embedded Systems: what is a Programmable Logic Controller (PLC)?

Answer 10

▪ A type of computer designed for deployment in an industrial or outdoor setting that can automate and monitor mechanical systems
▪ PLC firmware can be patched and reprogrammed to fix vulnerabilities

Question 11

Embedded Systems: what is a System-on-Chip (SoC)?

Answer 11

▪ A processor that integrates the platform functionality of multiple logical controllers onto a single chip
▪ System-on-Chip are power efficient and used with embedded systems

Question 12

Embedded Systems: what is a Real-Time Operating System (RTOS)?

Answer 12

▪ A type of OS that prioritizes deterministic execution of operations to ensure consistent response for time-critical tasks
▪ Embedded systems typically cannot tolerate reboots or crashes and must have response times that are predictable to within millisecond tolerances

Question 13

ICS and SCADA Devices: what is an Operational Technology (OT)?

Answer 13

▪ Designed to implement an industrial control system rather than business and data networking systems
▪ Technology that interacts with the real world

Question 13

Embedded Systems: what is a Field Programmable Gate Array (FPGA)?

Answer 13

▪ A processor that can be programmed to perform a specific function by a customer rather than at the time of manufacture
▪ End customer can configure the programming logic to run a specific application instead of using an ASIC (application-specific integrated circuit)

Question 14

ICS and SCADA Devices: what is Industrial Control System (ICS)?

Answer 14

● Provides the mechanisms for workflow and process automation by using embedded devices
● Interconnected ICSs create a distributed control system (DCS)

Question 15

ICS and SCADA Devices: what is Fieldbus?

Answer 15

Links different programmable logic controllers together

Question 16

ICS and SCADA Devices: what is a Programmable Logic Controller (PLC)?

Answer 16

Enables automation in assembly lines, autonomous field operations, robotics, and other applications

Question 17

ICS and SCADA Devices: what is a Human-Machine Interface (HMI)?

Answer 17

Input and output controls on a PLC that allow a user to configure and monitor the system

Question 18

ICS and SCADA Devices: what is Ladder Logic?

Answer 18

Programming language entered into the system through the creation of a graphical diagram used in the PLCs

Question 19

ICS and SCADA Devices: what is Data Historian?

Answer 19

Aggregates and catalogs data from multiple sources within an ICS by collecting all the event generated from the control loop

Question 20

ICS and SCADA Devices: what is Supervisory Control and Data Acquisition (SCADA)?

Answer 20

▪ A type of ICS that manages large-scale, multiple-site devices and equipment spread over a geographic region from a host computer
▪ Gathers data from and manage plant devices and equipment with embedded PLCs

Question 21

ICS Protocols and Vulnerabilities: what is Controller Area Network (CAN)? What is it vulnerable to?

Answer 21

▪ Designed to allow communications between embedded programmable logic controllers
▪ CAN bus protocol operates like an ethernet network
▪ Does not have source addressing or message authentication
▪ Vulnerabilities:
● OBD-II port
● Cellular modem
● Wi-Fi network

Question 22

ICS Protocols and Vulnerabilities: what is Modbus?

Answer 22

▪ Gives control servers and the SCADA host the ability to query and change configurations of each PLC over a network
▪ Modbus looks and functions differently than TCP/IP does
▪ Originally known as Modbus RTU and was run over fieldbus networks

Question 23

ICS Protocols and Vulnerabilities: what is Data Distribution Service (DDS)?

Answer 23

Provides network interoperability and facilitates the required scalability, performance, and QoS features

Question 24

ICS Protocols and Vulnerabilities: what is Safety Instrumented System (SIS)?

Answer 24

▪ Returns an industrial process to a safe state after a predetermined condition was detected
▪ Reduces the severity of an emergency by taking quick action

Question 25

Data Storage Vulnerabilities: what is Direct Attach Storage?

Answer 25

Any kind of storage that is attached to a system

Question 26

Data Storage Vulnerabilities: what is Network Attach Storage (NAS)?

Answer 26

file-level storage device that is connected to a network. NAS devices are accessed using standar file protocols (NFS, CIFS, SMB). This allow clients to mount (attacher/render dispo) the NAS device as a network drive and access the files stored on the device

Question 27

Data Storage Vulnerabilities: what is Storage Area Network (SAN)?

Answer 27

high-speed network that is used to connect storage devices to servers. SAN use block level storage protocols (Fibre Channel, ISCSI) to transport data between storage devices and servers. This allows servers to access data on storage devices as if it were local storage

Question 28

Data Storage Vulnerabilities: what are the vulnerabilities that data storage system are vulnerable to (5)?

Answer 28

▪ Misconfigurations: Improper access rights or permissions, Use of default or blank usernames and passwords, Network exposure
▪ Underlying Software Vulnerabilities
▪ Improper Error Messages and Debug Handling
▪ Injection Vulnerability: Command Line Injection, DLL Injection, SQL Injections
▪ Lack of User Input Sanitization

Question 29

Virtual Environments: explain Virtualization

Answer 29

A host computer installed with a hypervisor that can be used to install and manage multiple guest OSs or VMs

Question 30

Virtual Environments: explain Hypervisor

Answer 30

▪ Manages the distribution of the physical resources of a server to the VMs
▪ Ensure that each VM runs its own OS copy

Question 31

Virtual Environments: explain Virtual Desktop Infrastructure (VDI)

Answer 31

▪ Hosts desktop OSs within a virtualized environment hosted by a centralized server or server farm
▪ The server is going to perform all the application processing and data storage

Question 32

Virtual Environments: what are the different type of VDI model (3)?

Answer 32

▪ Centralized Model: Hosts all the desktop instances on a single server or server farm
▪ Hosted Model/Desktop as a Service (DAAS): Maintained by a service provider and provided to the end user as a service
▪ Remote Virtual Desktop Model: Copies the desktop image to a local machine prior to being used by the end user

Question 33

Virtual Environments: what is VM Escape type of attack?

Answer 33

▪ Occurs when a threat actor attempts to get out of an isolated VM and directly sends commands to the underlying hypervisor
▪ Easier to perform on a Type II hypervisor than a Type I hypervisor
▪ Ensure guest OS, host OS, and hypervisor are patched and up to date
▪ VM to hypervisor or host OS

Question 34

Virtual Environments: what is VM Hopping type of attack?

Answer 34

▪ Occurs when a threat actor attempts to move from one VM to another on the same host
▪ VM to VM
▪ Ensure guest OS and hypervisor are patched, up-to-date, and securely configured

Question 35

Virtual Environments: what is Sandbox?

Answer 35

Separates running programs to mitigate system failures or software vulnerabilities from spreading

Question 36

Virtual Environments: what is Sandbox Escape type of attack?

Answer 36

Occurs when an attacker circumvents sandbox protections to gain access to the protected OS or other privileged processes

Question 37

Virtual Environments: what is Live Migration type of attack? How to prevent from it?

Answer 37

▪ Migration of a VM from one host to another even while it is running
▪ VM images should be encrypted prior to being sent from one server to another over the network

Question 38

Virtual Environments: what is Data Remnants type of attack? How to prevent from it?

Answer 38

▪ Leftover pieces of data that may exist in the hard drive which are no longer needed
▪ Always encrypt VM storage locations and ensure encryption key is destroyed

Question 39

Virtual Environments: what is VM Sprawl type of attack?

Answer 39

Refers to creating Virtual Machine without proper change control procedures

Question 40

Virtual Environments: what is VM Repositories type of attack? How to prevent from it?

Answer 40

▪ A place where all VM images and templates are being stored
▪ Always make sure that the templates and images are digitally signed

Question 41

Containerization: what is it?

Answer 41

A type of virtualization applied by a host OS to provision an isolated execution environment for an application
● Docker
● Parallels Virtuozzo
● OpenVZ