4.1 Secure Baselines Flashcards
Secure baselines
* The security of an application environment should be well defined
– All application instances must follow this baseline
– Firewall settings, patch levels, OS file versions
– May require constant updates
* Integrity measurements check for the secure baseline
– These should be performed often
– Check against well-documented baselines
– Failure requires an immediate correction
Establish baselines
* Create a series of baselines
– Foundational security policies
* Security baselines are often available from the manufacturer
– Application developer
– Operating system manufacturer
– Appliance manufacturer
* Many operating systems have extensive options
– There are over 3,000 group policy settings in Windows 10
– Only some of those are associated with security
Deploy baselines
* We now have established detailed security baselines
– How do we put those baselines into action?
* Deploy the baselines
– Usually managed through a centrally administered console
* May require multiple deployment mechanisms
– Active Directory group policy, MDM, etc.
* Automation is the key
– Deploy to hundreds or thousands of devices
Maintain baselines
* Many of these are best practices
– They rarely change
* Other baselines may require ongoing updates
– A new vulnerability is discovered
– An updated application has been deployed
– A new operating system is installed
* Test and measure to avoid conflicts
– Some baselines may contradict others
– Enterprise environments are complex
Hardening targets
* No system is secure with the default configurations
– You need some guidelines to keep everything safe
* Hardening guides are specific to the software or platform
– Get feedback from the manufacturer or Internet interest group
– They’ll have the best details
* Other general-purpose guides are available online
Mobile devices
* Always-connected mobile technologies
– Phones, tablets, etc.
– Hardening checklists are available from manufacturers
* Updates are critical
– Bug fixes and security patches
– Prevent any known vulnerabilities
* Segmentation can protect data
– Company and user data are separated
* Control with an MDM - Mobile Device Manager
Workstations
* User desktops and laptops - Windows, macOS, Linux, etc.
* Constant monitoring and updates
– Operating systems, applications, firmware, etc.
* Automate the monthly patches
– There’s likely an existing process
* Connect to a policy management system
– Active Directory group policy
* Remove unnecessary software - Limit the threats
Network infrastructure devices
* Switches, routers, etc.
– You never see them, but they’re always there
* Purpose-built devices
– Embedded OS, limited OS access
* Configure authentication
– Don’t use the defaults
* Check with the manufacturer
– Security updates
– Not usually updated frequently
– Updates are usually important
Cloud infrastructure
* Secure the cloud management workstation
– The keys to the kingdom
* Least privilege
– All services, network settings, application rights and permissions
* Configure Endpoint Detection and Response (EDR)
– All devices accessing the cloud should be secure
* Always have backups
– Cloud to Cloud (C2C)
Servers
* Many and varied
– Windows, Linux, iOS, Android, etc.
* Updates
– Operating system updates/service packs, security patches
* User accounts
– Minimum password lengths and complexity
– Account limitations
* Network access and security
– Limit network access
* Monitor and secure
– Anti-virus, anti-malware
SCADA / ICS
* Supervisory Control and Data Acquisition System
– Large-scale, multi-site Industrial Control Systems (ICS)
* PC manages equipment
– Power generation, refining, manufacturing equipment
– Facilities, industrial, energy, logistics
* Distributed control systems
– Real-time information
– System control
* Requires extensive segmentation
– No access from the outside
Embedded systems
* Hardware and software designed for a specific function
– Or to operate as part of a larger system
* Can be difficult to upgrade
– Watches and televisions are relatively easy
– Other devices may not be easily modified
* Correct vulnerabilities
– Security patches remove potential threats
* Segment and firewall
– Prevent access from unauthorized users
RTOS (Real-Time Operating System)
* An operating system with a deterministic processing schedule
– No time to wait for other processes
– Industrial equipment, automobiles, military environments
* Isolate the system
– Prevent access from other areas
* Run with the minimum services
– Prevent the potential for exploit
* Use secure communication
– Protect with a host-based firewall
IoT devices
* Heating and cooling, lighting, home automation, wearable technology, etc.
* Weak defaults
– IoT manufacturers are not security professionals
– Change those passwords
* Deploy updates quickly
– Can be a significant security concern
* Segmentation - Put IoT devices on their own VLAN
Site surveys
* Determine existing wireless landscape
– Sample the existing wireless spectrum
* Identify existing access points
– You may not control all of them
* Work around existing frequencies
– Layout and plan for interference
* Plan for ongoing site surveys
– Things will certainly change
* Heat maps
– Identify wireless signal strengths
Wireless survey tools
* Signal coverage
* Potential interference
* Built-in tools
* 3rd-party tools
* Spectrum analyzer
Mobile Device Management (MDM)
* Manage company-owned and user-owned mobile devices
– BYOD - Bring Your Own Device
* Centralized management of the mobile devices
– Specialized functionality
* Set policies on apps, data, camera, etc.
– Control the remote device
– The entire device or a “partition”
* Manage access control
– Force screen locks and PINs on these single user devices
BYOD
* Bring Your Own Device
– Bring Your Own Technology
* Employee owns the device
– Need to meet the company’s requirements
* Difficult to secure
– It’s both a home device and a work device
– How is data protected?
– What happens to the data when a device is sold or traded in?
COPE
* Corporate owned, personally enabled
– Company buys the device
– Used as both a corporate device and a personal device
* Organization keeps full control of the device
– Similar to company-owned laptops and desktops
– Information is protected using corporate policies
– Information can be deleted at any time
* CYOD - Choose Your Own Device
– Similar to COPE, but with the user’s choice of device
Cellular networks
* Mobile devices
– “Cell” phones
– 4G, 5G
* Separate land into “cells”
– An antenna covers a cell with certain frequencies
* Security concerns
– Traffic monitoring
– Location tracking
– Worldwide access to a mobile device
Wi-Fi
* Local network access
– Local security problems
* Same security concerns as other Wi-Fi devices
* Data capture
– Encrypt your data!
* On-path attack
– Modify and/or monitor data
* Denial of service
– Frequency interference
Bluetooth
* High-speed communication over short distances
– PAN (Personal Area Network)
* Connects our mobile devices
– Smartphones
– Tethering
– Headsets and headphones
– Health monitors
– Automobile and phone integration
– Smartwatches
– External speakers
Securing a wireless network
* An organization’s wireless network can contain confidential information
– Not everyone is allowed access
* Authenticate the users before granting access
– Who gets access to the wireless network?
– Username, password, multi-factor authentication
* Ensure that all communication is confidential
– Encrypt the wireless data
* Verify the integrity of all communication
– The received data should be identical to the original sent data
– A message integrity check (MIC)
The WPA2 PSK problem
* WPA2 has a PSK brute-force problem
– Listen to the four-way handshake
– Some methods can derive the PSK hash without the handshake
– Capture the hash
* With the hash, attackers can brute force the pre-shared key (PSK)
* This has become easier as technology improves
– A weak PSK is easier to brute force
– GPU processing speeds
– Cloud-based password cracking
* Once you have the PSK, you have everyone’s wireless key
– There’s no forward secrecy