Chapter 11 - Endpoint Security Flashcards

1
Q

What are some of the most common ways in which operating systems can be vulnerable?

A
  1. Vulnerabilities in the OS code
  2. Defaults (default passwords, insecure default settings)
  3. Configurations (intentional but insecure)
  4. Misconfigurations (unintentional and insecure)
2
Q

Firmware

A

Firmware is the embedded software that allows devices to function. It is tightly connected to the hardware of a device and may or may not be possible to update depending on the design and implementation of the device’s hardware.

3
Q

End-of-Life/Legacy Hardware

A

End-of-life and legacy hardware will eventually lack support. Once a device or system has reached end-of-life, it typically also reaches the end of its support from the manufacturer. This means there will no longer be any security fixes or patches.

4
Q

Endpoint

A

Endpoints, in a wired/wireless network, are devices such as desktops, smartphones, servers, and a variety of other systems found in organizations.

5
Q

What are the two common techniques that UEFI firmware can leverage to ensure that a system is booting securely?

A
  1. Secure Boot
  2. Measured Boot
6
Q

Secure Boot

A

Secure Boot ensures that the system boots using only software that the original equipment manufacturer (OEM) trusts. To perform a Secure Boot operation, the system must have a signature database listing the secure signatures of trusted software and firmware for the boot process.

7
Q

Key Management System (KMS)

A

Key Management Systems are used to store keys and certificates as well as to manage them centrally. A KMS provides a means of managing keys/secrets while a Hardware Security Module (HSM) is used for key generation.

KMS = Key Management/Governance
HSM = Key Generation/Cryptographic Operations

8
Q

Measured Boot

A

Measured Boot processes measure each component, starting with the firmware and ending with the boot start drivers. Measured Boot does not validate against a known good list of signatures before booting; instead, it relies on the UEFI firmware to hash the firmware, boot loader, drivers, and anything else that is part of the boot process. This data is stored in the Trusted Platform Module (TPM), and the logs can be validated at a remote server to let security administrators know the boot state of the system. This process allows the remote server to make decisions about the state of the system based on the information it provides, enabling access control and quarantine options.

9
Q

Trusted Platform Module (TPM)

A

A Trusted Platform Module is a chip that is built into many computers. TPM chips are frequently used to provide built-in encryption, and they provide three major functions:

  1. Remote attestation, allowing hardware and software configurations to be verified
  2. Binding, which encrypts data
  3. Sealing, which encrypts data and sets requirements for the state of the TPM chip before decryption
10
Q

Apple Secure Enclave

A

Apple’s Secure Enclave is a dedicated secure element that is built into Apple’s system-on-chip (SoC) modules. It provides hardware key management that is isolated from the main CPU, protecting keys throughout their life cycle and usage.

11
Q

Sandbox

A

Sandbox, in the context of endpoint security, describes an isolated environment where potentially dangerous or problematic software can run.

12
Q

Allow List/Whitelist

A

An Allow List allows you to build a list of software, applications, and other system components that are allowed to exist and run on a system. If they are not on the list, they will be removed, disabled, or not installed in the first place. Allow Lists are more secure than Deny Lists.

13
Q

Deny List/Block List/Blacklist

A

Deny Lists are lists of software or applications that cannot be installed or run.

14
Q

Endpoint Detection and Response (EDR)

A

Endpoint Detection and Response tools combine monitoring capabilities on endpoint devices and systems using a client or software agent with network monitoring and log analysis capabilities to collect, correlate, and analyze events.

15
Q

Extended Detection and Response (XDR)

A

Extended Detection and Response tools consider not only endpoints but the full breadth of an organization’s technology stack, including cloud services, security services and platforms, email, and similar components. XDR tools will use detection algorithms, AI, and machine learning to analyze the data to find issues and help security staff respond to them.

16
Q

Data Loss Prevention (DLP)

A

Data Loss Prevention tools may be deployed to endpoints in the form of clients or applications. These tools also commonly have network and server-resident components to ensure that data is managed throughout its life cycle and various handling processes.

The primary goal of DLP is to ensure that data does not leave the organization.

17
Q

Host-Based Intrusion Prevention System (HIPS)

A

Host-Based Intrusion Prevention Systems analyze traffic before services or applications on the host process it. A HIPS can take action on that traffic, including filtering out malicious traffic or blocking specific elements of the data that is received. A HIPS can sometimes block legitimate traffic when a misidentification or misconfiguration occurs.

18
Q

Host-Based Intrusion Detection System (HIDS)

A

Host-Based Intrusion Detection Systems cannot take action to block traffic. Instead, a HIDS can only report and alert on issues.

19
Q

DNS (Port #)

A

53 TCP and UDP

20
Q

NetBIOS (Port #)

A

125-139 TCP and UDP

21
Q

LDAP (Port #)

A

389 TCP and UDP

22
Q

RDP (Port #)

A

3389 TCP and UDP

23
Q

Windows Group Policy

A

Group Policy provides Windows systems and domains with the ability to control settings through Group Policy Objects (GPOs). GPOs can define a wide range of options from disabling guest accounts and setting password minimum lengths to restricting software installations. GPOs can be applied locally or via Active Directory.

24
Q

SELinux

A

SELinux, or Security-Enhanced Linux, is a kernel-based security module that provides additional security capabilities and options on top of existing Linux distributions.

25
Q

Configuration Management

A

Configuration Management tools are one of the most powerful options security professionals and system administrators have to ensure that the multitude of systems in their organizations have the right security settings and to help keep them safe.

26
Q

Baseline Configuration

A

Baseline Configurations are often used for operating system types throughout an organization. For example, you might choose to configure a baseline configuration for Windows 11 desktops, Windows 11 laptops, and macOS laptops.

27
Q

Configuration Enforcement

A

Configuration Enforcement is a process that not only monitors for changes but makes changes to system configurations as needed to ensure that the configuration remains in its desired state.

28
Q

What are the three phases of a baseline’s life cycle?

A
  1. Establishing a baseline
  2. Deploying a baseline
  3. Maintaining a baseline
29
Q

Patching

A

Patching, in the context of security, decreases how long exploits and flaws can be used against systems. However, patching also has its own set of risks. Patches may introduce new flaws, or the patching process itself can sometimes cause issues.

30
Q

Self-Encrypting Drive (SED)

A

Self-Encrypting Drives implement encryption capabilities in their hardware and firmware. Systems equipped with a self-encrypting drive require a key to boot from the drive, which may be entered manually or provided by a hardware token or device.

31
Q

Embedded Systems

A

Embedded Systems are computer systems that are built into other devices. Industrial machinery, appliances, and cars are all places where you may have encountered embedded systems.

32
Q

Real-Time Operating System (RTOS)

A

Real-Time Operating Systems are operating systems used when priority must be placed on processing data as it arrives, rather than relying on operating system interrupts or waiting for tasks already being processed to finish before the data is handled.

33
Q

What are some examples of embedded devices?

A
  1. Medical systems
  2. Smart meters (track utility usage)
  3. Vehicles (car, aircraft, ships)
  4. Drones
  5. VoIP systems
  6. Printers
  7. Surveillance systems
34
Q

Supervisory Control and Data Acquisition (SCADA)

A

SCADA often refers to large industrial systems that cover large areas. SCADA is a type of system architecture that combines data acquisition and control devices, computers, communications capabilities, and an interface to control and monitor the entire architecture. SCADA systems are commonly found running complex manufacturing and industrial processes, where the ability to monitor, adjust, and control the entire process is critical to success.

35
Q

Industrial Control System (ICS)

A

Industrial Control System is a broad term for industrial automation.

36
Q

Enumeration

A

Enumeration is typically associated with scanning to identify assets, and some organizations use port and vulnerability scans to help identify systems that aren’t part of their inventory.

37
Q

Degaussing

A

Degaussing is a relatively quick way to destroy the data on magnetic media such as an HDD. This process exposes the magnetic media to very strong electromagnetic fields, scrambling the patterns of bits written to the tape or drive.

38
Q

Certificate of Destruction

A

Certificates of Destruction are used to document that assets were decommissioned.

39
Q

Retention

A

Retention of data may be required for legal purposes with set retention periods determined by law, or retention may be associated with a legal case due to a legal hold.

40
Q

FTP (Port #)

A

21 TCP

41
Q

Telnet (Port #)

A

23 TCP