Chapter 11 Endpoint Security Flashcards

1
Q

What are endpoints?

A

Devices such as desktops, mobile devices, servers, etc.: anything that is the literal end point of a network.

2
Q

Boot Integrity

  1. What are the two firmware options?
  2. What are the two boot techniques and what do they do?
A
  1. UEFI and BIOS (Unified Extensible Firmware Interface and Basic Input/Output System)
  2. Secure Boot ensures the system boots using only OEM-trusted software. Measured Boot measures each component and hashes everything involved in the boot process; the measurements are then stored in the TPM and can be compared against known-good states.
3
Q

Boot integrity begins with the hardware root of trust, which contains cryptographic keys that secure the boot process. This means the system inherently trusts the hardware root of trust.

  1. What is a common implementation of hardware root of trust? (frequently provides built-in encryption)
  2. What are its three major functions?
A
  1. TPM chip
  2. Remote attestation; binding, which encrypts data; and sealing, which sets requirements the TPM chip must verify before decryption.
     HSMs (hardware security modules) are a related technology frequently used in high-security environments.
4
Q

Anti-malware methods

A
  • Signature-based detection - uses signatures (like a thumbprint) of known attacks.
  • Heuristic, or behavior-based, detection - looks at the actions taken by malicious software and identifies it that way.
  • AI and ML systems - leverage large amounts of data to find ways to identify malware.
  • Sandboxing - a sandbox is a protected environment for running unknown (possibly malicious) code so it can be observed.
    Anti-malware packages are a last line of defense against systems being infected or compromised.
5
Q

What are Allow and Deny Lists?

Which provides more security?

A

Allow lists are a set list of software, apps, etc. that are allowed to exist/run on a system. Anything not on the list will be removed or disabled.
Deny lists (block lists) are a set list of software, apps, etc. that are NOT allowed on the system; anything on the list will be removed or disabled.
Allow lists provide a greater level of security.

6
Q

What is EDR?

A

Endpoint Detection and Response tools monitor devices to collect data and analyze events. A key feature of EDR systems is the ability to search the collected data to investigate suspicious activity or delete suspicious data.
EDR systems look for IoCs (indicators of compromise).

7
Q

What is DLP?

A

Data Loss Prevention tools are used to protect organizational data from theft or inadvertent exposure.
DLPs classify and label data and can be set to notify admins under certain conditions. Some can encrypt data when it is sent outside of the internal network.
Like antimalware and EDR systems, DLPs can track questionable behavior.
Always implement a data classification scheme before using DLP.

8
Q

What is a HIPS? How is it different from a HIDS?

A

Host Intrusion Prevention Systems analyze traffic before the services on the host process it. A HIPS can take direct action against requests. Misidentifying traffic as malicious (a false positive) is a problem and can cause outages.
Host Intrusion Detection Systems do the same thing as a HIPS but cannot block traffic. They can only report issues to admins.

9
Q

What is a NGFW?

A

Next Generation Firewalls go beyond traditional firewall capabilities:

  • Built-in IPS/IDS functionality
  • Antimalware/antivirus (AM/AV)
  • Geo-IP/geolocation capabilities
  • Proxying
  • Web application firewall capabilities
  • Sandboxing
You are likely to deploy a NGFW to protect a network rather than as an advanced host firewall.
10
Q

Service Hardening

Common Ports and services

A
- Always reduce the number of open ports to only those required for necessary services.
- 22/TCP - Secure Shell (SSH)
- 53/TCP and UDP - DNS
- 125-139/TCP and UDP
- 389/TCP and UDP - LDAP
- 443/TCP - HTTPS
- 3389/TCP and UDP - RDP
11
Q

What is OS hardening?

A

Using system settings to reduce the attack surface of your operating system.

12
Q

How can you harden the Windows Registry?

A

The registry is the core of how Windows tracks what is happening, and is thus a target for attackers.

  • Configure permissions
  • Disallow remote registry access
  • Limit registry tools like regedit
13
Q

What roles do standard naming conventions play?

A
  • Identify systems based on purpose, location, etc.
  • Make systems more anonymous (examplecorp123 is less meaningful than sqlserver123)
  • Make scripting and management easier
14
Q

Why might an organization adopt standardized IP schema?

A
  • Ensure you are managing IP address space to avoid collisions
  • Identify systems that shouldn't be using a given address
15
Q

Patch management

A

Common practice is to delay the installation of a patch for a few days. That allows the patch to be installed around the world, so that any issues will hopefully surface and the company can decide whether to install the patch or not.

16
Q

What is FDE?

A

Full Disk Encryption encrypts the disk and requires that the bootloader or hardware device provide a decryption key and software or hardware to decrypt the drive for use.

17
Q

What is transparent encryption? (also called on the fly or realtime encryption)

A

Transparent encryption is usually invisible to the user, with the drive appearing unencrypted during use. This means that an attacker who gains access to the system while the drive is unlocked can simply read the data.

18
Q

What is an SED and what is it used for?

A

Self-Encrypting Drives implement encryption in their hardware and firmware. These systems require a key to boot.
Disk encryption downfalls
- If the key is lost, the data on that system is lost with it.

19
Q

What is Sanitation?

A

Wiping the drive or destroying the media.
- Degaussers work on tapes and magnetic media, but SSDs and other media require other options. Degaussed devices can be reused!
- Solid-state media require destruction or overwriting, but overwrites can miss data on SSDs.
- The built-in secure erase command can be used and is secure, but an even better option is full disk encryption (once the key is destroyed, the data cannot be recovered).

20
Q

Command-Line Tools: head

A

Shows you the first part of a file, by default the first 10 lines. Handy to quickly see what's in a file. You can change the number of lines shown by using the -n flag.

21
Q

Command-Line Tools: tail

A

Displays the last 10 lines of a file, used to view recent log entries. The -n flag can still be used to change the number of lines shown. As with head, tail can monitor multiple files at a time.

22
Q

Command-Line Tools: cat

A

cat, short for concatenate, is used to output files to standard output or append files to other files.

23
Q

Command-Line Tools: grep

A

grep is a search command that allows you to search for patterns that match provided text or regular expressions.
- The grep command has -A (after) and -B (before) options which, when given a number, print that many lines of context after or before the matching line.

24
Q

Command-Line Tools: chmod

A

chmod lets you set permissions on files and directories, either using a symbol or a numeric representation of the permissions you wish to set.

25
Q

Command-Line Tools: logger

A

logger is obscure. It will append whatever information you provide as input to the /var/log/syslog file on the system.

26
Q

What is SSH

A

Secure Shell is an encrypted protocol used to connect to systems via the command line.

27
Q

What is a shell?

A

A shell is a command-line user interface to an operating system.

28
Q

What is OpenSSL?

A
  • OpenSSL is an implementation of the TLS protocol
  • An all-around cryptography library that offers an open-source implementation of the TLS protocol
    It is NOT a shell, nor is it a scripting language.
    OpenSSL's TLS implementation is used for HTTPS traffic. It is often used when tunneling via VPN or SSH is not a viable option. OpenSSL is frequently used to wrap traffic, and thus you will see it embedded often.
29
Q

When is it ideal to use OpenSSL and TLS?

A

When two systems have never communicated before and need to communicate securely.

30
Q

What provides for ephemeral RSA key exchange to create perfect forward secrecy?

A

TLS protocol

31
Q

What is RTOS?

A

Real Time Operating System is used on embedded systems when data needs to be processed as it comes in.

32
Q

What is a Raspberry Pi?

A

Single-board computers with full functionality and BUILT-IN network connectivity.

33
Q

What is an Arduino?

A

Unlike a Raspberry Pi, Arduinos are not single-board computers; they are microcontrollers. They are used to interface with sensors, motors, and lighting, and have BASIC capabilities. They do NOT have network connectivity built in.

34
Q

What is FPGA?

A

Field Programmable Gate Array is a computer chip that can be fully reprogrammed. By itself, an FPGA is not an embedded system, but it can be integrated as a component of an embedded system.

35
Q

What is SCADA and ICS?

A

Industrial and manufacturing systems. ICS is a broad term for industrial automation.
- SCADA is a system architecture that combines data acquisition and control devices with an interface to control and monitor the architecture. HVAC systems might be controlled using SCADA/ICS.

36
Q

Note on SCADA/ICS

A

The key thing to remember when securing complex systems is that they are often designed without security in mind. This means that security measures might interfere with their function and may not be practical to add. In some cases, isolating and protecting ICS/SCADA and embedded systems is the most effective security model.

37
Q

Specialized Systems

A

Vehicles, medical systems, aircraft, and smart meters may all have embedded systems with network connectivity or NFC. If not properly secured, these can all have serious implications.
It is common for vehicles to have a CAN bus (controller area network).

38
Q

What is VoIP?

A

Voice over Internet Protocol is a method of delivering voice communications over IP networks. The phones themselves are embedded systems with an OS that can be targeted.
- Update regularly, apply baseline security standards.

39
Q

What is an MFP and what security challenges are present?

A

Multi-Function Printers frequently have network connectivity built in, many with poor security. These devices present the risk of significant data leakage, and they can act as reflectors and amplifiers in an attack.

40
Q

What are some security issues with specialized systems and embedded systems?
What are two considerations that should be taken into account with regard to the risk of embedded systems?

A

Default configurations, vulnerabilities, lack of patching, etc. Consider how to:

  1. Limit the impact of potential problems, and
  2. Build management and incident response processes to deal with them.
41
Q

Cellular Connectivity Considerations

A

LTE and 4G/5G can provide high-bandwidth access to embedded systems in many locations where WiFi doesn't work. Since third-party providers are responsible for connectivity, the systems need to be secured so that the cellular network doesn't pose a threat to their operation.

42
Q

What is a SIM and what is its risk?

A

A Subscriber Identity Module is built into cellular-enabled devices. Attackers can repurpose SIMs, or they can clone them, which allows the attacker to present themselves as the embedded system.

43
Q

What is Zigbee?

A

Zigbee is a network protocol designed for personal area networks. It is limited in range and data transfer and typically has weak security.

44
Q

Narrowband vs. wideband vs. baseband

A

Narrowband has less noise and thus better range and sensitivity, whereas wideband can transfer more data because it has more wireless spectrum to use. Baseband includes frequencies near zero.

45
Q

What is DHCP?

A

Dynamic Host Configuration Protocol is a network management protocol used to automatically assign IP addresses to devices.

46
Q

What is TCP?

A

Transmission Control Protocol is a communications standard.

47
Q

What is SoC?

What component is typically not found on SoCs?

A

System on Chip: has most functions of a complete computer (CPU, memory, I/O, storage).
Unlikely to have a display, but having a display that an SoC can access is common on smartwatches.

48
Q

What is a CAN bus and what does it do?

A

Controller Area Network provides communication between microcontrollers, sensors, and other devices in car systems.