4.1 Secure Baselines Flashcards

1
Q

Secure baselines

A

The security of an application environment should be well defined
– All application instances must follow this baseline
– Firewall settings, patch levels, OS file versions
– May require constant updates
* Integrity measurements check for the secure baseline
– These should be performed often
– Check against well-documented baselines
– Failure requires an immediate correction

2
Q

Establish baselines

A

Create a series of baselines
– Foundational security policies
* Security baselines are often available from the manufacturer
– Application developer
– Operating system manufacturer
– Appliance manufacturer
* Many operating systems have extensive options
– There are over 3,000 group policy settings in Windows 10
– Only some of those are associated with security

3
Q

Deploy baselines

A

We now have established detailed security baselines
– How do we put those baselines into action?
* Deploy the baselines
– Usually managed through a centrally administered console
* May require multiple deployment mechanisms
– Active Directory group policy, MDM, etc.
* Automation is the key
– Deploy to hundreds or thousands of devices

4
Q

Maintain baselines

A

Many of these are best practices
– They rarely change
* Other baselines may require ongoing updates
– A new vulnerability is discovered
– An updated application has been deployed
– A new operating system is installed
* Test and measure to avoid conflicts
– Some baselines may contradict others
– Enterprise environments are complex

5
Q

Hardening targets

A

No system is secure with the default configurations
– You need some guidelines to keep everything safe
* Hardening guides are specific to the software or platform
– Get feedback from the manufacturer or Internet interest group
– They’ll have the best details
* Other general-purpose guides are available online

6
Q

Mobile devices

A

Always-connected mobile technologies
– Phones, tablets, etc.
– Hardening checklists are available from manufacturers
* Updates are critical
– Bug fixes and security patches
– Prevent any known vulnerabilities
* Segmentation can protect data
– Company and user data are separated
* Control with an MDM - Mobile Device Manager

7
Q

Workstations

A

User desktops and laptops - Windows, macOS, Linux, etc.
* Constant monitoring and updates
– Operating systems, applications, firmware, etc.
* Automate the monthly patches
– There’s likely an existing process
* Connect to a policy management system
– Active Directory group policy
* Remove unnecessary software - Limit the threats

8
Q

Network infrastructure devices

A

Switches, routers, etc.
– You never see them, but they’re always there
* Purpose-built devices
– Embedded OS, limited OS access
* Configure authentication
– Don’t use the defaults
* Check with the manufacturer
– Security updates
– Not usually updated frequently
– Updates are usually important

9
Q

Cloud infrastructure

A

Secure the cloud management workstation
– The keys to the kingdom
* Least privilege
– All services, network settings, application rights and permissions
* Configure Endpoint Detection and Response (EDR)
– All devices accessing the cloud should be secure
* Always have backups
– Cloud to Cloud (C2C)

10
Q

Servers

A

Many and varied
– Windows, Linux, iOS, Android, etc.
* Updates
– Operating system updates/service packs, security patches
* User accounts
– Minimum password lengths and complexity
– Account limitations
* Network access and security
– Limit network access
* Monitor and secure
– Anti-virus, anti-malware

11
Q

SCADA / ICS

A

Supervisory Control and Data Acquisition System
– Large-scale, multi-site Industrial Control Systems (ICS)
* PC manages equipment
– Power generation, refining, manufacturing equipment
– Facilities, industrial, energy, logistics
* Distributed control systems
– Real-time information
– System control
* Requires extensive segmentation
– No access from the outside

12
Q

Embedded systems

A

Hardware and software designed for a specific function
– Or to operate as part of a larger system
* Can be difficult to upgrade
– Watches and televisions are relatively easy
– Other devices may not be easily modified
* Correct vulnerabilities
– Security patches remove potential threats
* Segment and firewall
– Prevent access from unauthorized users

13
Q

RTOS (Real-Time Operating System)

A

An operating system with a deterministic processing schedule
– No time to wait for other processes
– Industrial equipment, automobiles, military environments
* Isolate the system
– Prevent access from other areas
* Run with the minimum services
– Prevent the potential for exploit
* Use secure communication
– Protect with a host-based firewall

14
Q

IoT devices

A

Heating and cooling, lighting, home automation, wearable technology, etc.
* Weak defaults
– IoT manufacturers are not security professionals
– Change those passwords
* Deploy updates quickly
– Can be a significant security concern
* Segmentation - Put IoT devices on their own VLAN

15
Q

Site surveys

A

Determine existing wireless landscape
– Sample the existing wireless spectrum
* Identify existing access points
– You may not control all of them
* Work around existing frequencies
– Layout and plan for interference
* Plan for ongoing site surveys
– Things will certainly change
* Heat maps
– Identify wireless signal strengths

16
Q

Wireless survey tools

A

Signal coverage
* Potential interference
* Built-in tools
* 3rd-party tools
* Spectrum analyzer

17
Q

Mobile Device Management (MDM)

A

Manage company-owned and user-owned mobile devices
– BYOD - Bring Your Own Device
* Centralized management of the mobile devices
– Specialized functionality
* Set policies on apps, data, camera, etc.
– Control the remote device
– The entire device or a “partition”
* Manage access control
– Force screen locks and PINs on these single user devices

18
Q

BYOD

A

Bring Your Own Device
– Bring Your Own Technology
* Employee owns the device
– Need to meet the company’s requirements
* Difficult to secure
– It’s both a home device and a work device
– How is data protected?
– What happens to the data when a device is sold or traded in?

19
Q

COPE

A

Corporate owned, personally enabled
– Company buys the device
– Used as both a corporate device and a personal device
* Organization keeps full control of the device
– Similar to company-owned laptops and desktops
– Information is protected using corporate policies
– Information can be deleted at any time
* CYOD - Choose Your Own Device
– Similar to COPE, but with the user’s choice of device

20
Q

Cellular networks

A

Mobile devices
– “Cell” phones
– 4G, 5G
* Separate land into “cells”
– An antenna covers a cell with certain frequencies
* Security concerns
– Traffic monitoring
– Location tracking
– Worldwide access to a mobile device

21
Q

Wi-Fi

A

Local network access
– Local security problems
* Same security concerns as other Wi-Fi devices
* Data capture
– Encrypt your data!
* On-path attack
– Modify and/or monitor data
* Denial of service
– Frequency interference

22
Q

Bluetooth

A

High speed communication over short distances
– PAN (Personal Area Network)
* Connects our mobile devices
– Smartphones
– Tethering
– Headsets and headphones
– Health monitors
– Automobile and phone integration
– Smartwatches
– External speakers

23
Q

Securing a wireless network

A

An organization’s wireless network can contain
confidential information
– Not everyone is allowed access
* Authenticate the users before granting access
– Who gets access to the wireless network?
– Username, password, multi-factor authentication
* Ensure that all communication is confidential
– Encrypt the wireless data
* Verify the integrity of all communication
– The received data should be identical to the original sent data
– A message integrity check (MIC)

24
Q

The WPA2 PSK problem

A

WPA2 has a PSK brute-force problem
– Listen to the four-way handshake
– Some methods can derive the PSK hash without the handshake
– Capture the hash
* With the hash, attackers can brute force the pre-shared key (PSK)
* This has become easier as technology improves
– A weak PSK is easier to brute force
– GPU processing speeds
– Cloud-based password cracking
* Once you have the PSK, you have everyone’s wireless key
– There’s no forward secrecy

25
Q

WPA3 and GCMP

A

Wi-Fi Protected Access 3 (WPA3)
– Introduced in 2018
* GCMP block cipher mode
– Galois/Counter Mode Protocol
– A stronger encryption than WPA2
* GCMP security services
– Data confidentiality with AES
– Message Integrity Check (MIC) with Galois Message Authentication Code (GMAC)

26
Q

SAE

A

WPA3 changes the PSK authentication process
– Includes mutual authentication
– Creates a shared session key without sending that key across the network
– No more four-way handshakes, no hashes, no brute force attacks
* Simultaneous Authentication of Equals (SAE)
– A Diffie-Hellman derived key exchange with an authentication component
– Everyone uses a different session key, even with the same PSK
– An IEEE standard - the dragonfly handshake

27
Q

Wireless authentication methods

A

Gain access to a wireless network
– Mobile users, temporary users
* Credentials
– Shared password / pre-shared key (PSK)
– Centralized authentication (802.1X)
* Configuration
– Part of the wireless network connection
– Prompted during the connection process

28
Q

Wireless security modes

A

Configure the authentication on your wireless access point / wireless router
* Open System
– No authentication password is required
* WPA3-Personal / WPA3-PSK
– WPA2 or WPA3 with a pre-shared key
– Everyone uses the same 256-bit key
* WPA3-Enterprise / WPA3-802.1X
– Authenticates users individually with an authentication server (i.e., RADIUS)

29
Q

AAA framework

A

Identification
– This is who you claim to be - Usually your username
* Authentication
– Prove you are who you say you are
– Password and other authentication factors
* Authorization
– Based on your identification and authentication, what access do you have?
* Accounting
– Resources used: Login time, data sent and received, logout time

30
Q

RADIUS (Remote Authentication Dial-in User Service)

A

One of the more common AAA protocols
– Supported on a wide variety of platforms and devices
– Not just for dial-in
* Centralize authentication for users
– Routers, switches, firewalls
– Server authentication
– Remote VPN access
– 802.1X network access
* RADIUS services available on almost any server operating system

31
Q

IEEE 802.1X

A

Port-based Network Access Control (NAC)
– You don’t get access to the network until you authenticate
* Used in conjunction with an access database
– RADIUS, LDAP, TACACS+

32
Q

EAP

A

Extensible Authentication Protocol (EAP)
– An authentication framework
* Many different ways to authenticate based on RFC standards
– Manufacturers can build their own EAP methods
* EAP integrates with 802.1X
– Prevents access to the network until the authentication succeeds

33
Q

IEEE 802.1X and EAP

A

Supplicant - the client
* Authenticator - The device that provides access
* Authentication server - Validates the client credentials

34
Q

Secure coding concepts

A

A balance between time and quality
– Programming with security in mind is often secondary
* Testing, testing, testing
– The Quality Assurance (QA) process
* Vulnerabilities will eventually be found
– And exploited

35
Q

Input validation

A

What is the expected input?
– Validate actual vs. expected
* Document all input methods - Forms, fields, type
* Check and correct all input (normalization)
– A zip code should be only X characters long with a letter in the X column
– Fix any data with improper input
* The fuzzers will find what you missed
– Don’t give them an opening

36
Q

Secure cookies

A

Information stored on your computer by the browser
* Used for tracking, personalization, session management
– Not executable, not generally a security risk
– Unless someone gets access to them
* Secure cookies have a Secure attribute set
– Browser will only send it over HTTPS
* Sensitive information should not be saved in a cookie
– This isn’t designed to be secure storage

37
Q

Static code analyzers

A

Static Application Security Testing (SAST)
– Help to identify security flaws
* Many security vulnerabilities found easily
– Buffer overflows, database injections, etc.
* Not everything can be identified through analysis
– Authentication security, insecure cryptography, etc.
– Don’t rely on automation for everything
* Still have to verify each finding
– False positives are an issue

38
Q

Code signing

A

An application is deployed
– Users run application executable or scripts
* So many security questions
– Has the application been modified in any way?
– Can you confirm that the application was written by a specific developer?
* The application code can be digitally signed by the developer
– Asymmetric encryption
– A trusted CA signs the developer’s public key
– Developer signs the code with their private key
– For internal apps, use your own CA

39
Q

Sandboxing

A

Applications cannot access unrelated resources
– They play in their own sandbox
* Commonly used during development
– Can be a useful production technique
* Used in many different deployments
– Virtual machines
– Mobile devices
– Browser iframes (Inline Frames)
– Windows User Account Control (UAC)

40
Q

Application security monitoring

A

Real-time information
– Application usage, access demographics
* View blocked attacks
– SQL injection attempts, patched vulnerabilities
* Audit the logs
– Find the information gathering and hidden attacks
* Anomaly detection
– Unusual file transfers
– Increase in client access