Lesson 10: Assess Endpoint Security Capabilities Flashcards
Define ‘Device Hardening’
The practice of changing configurations to secure systems from threats by reducing the vulnerabilities attributed to default configurations.
What is the role of base practice baselines in device hardening?
Best practice baselines provide a standard set of guidelines or checklists for configuring devices securely.
What is the essential principle of best practice baselines in device hardening to reduce attack surface?
Principle is of least functionality; that a system should run only the protocols and services required by legitimate users and no more.
What are examples of device hardening?
Disabling excess interfaces; Disabling unnecessary services/ports; Disk encryption; Patch management cycle.
Define ‘Baseline deviation reporting’
Testing the actual configuration of hosts to ensure that their configuration settings match the baseline template.
What is a windows tool to test baseline deviation?
Microsoft Baseline Security Analyzer (MBSA)
How does segmentation enhance a network’s security?
Reduces the potential impact of a cybersecurity incident by isolating systems and limiting the spread of an attack or malware infection.
Define ‘device isolation’
Segregating individual devices within a network to limit their interaction with other devices and systems.
What is the purpose of device isolation?
Prevents the lateral spread of threats should a device become compromised.
Define ‘antivirus’
Signature based software detection and prevention.
Define ‘Full disk encryption (FDE)’
Encryption of all data on a disk by the OS.
Where is the key used to encrypt data stored when using Full disk encryption (FDE)?
Stored in a Trusted Platform Module (TPM).
Define a ‘self-encrypting drive (SED)’
A disk drive where the controller can automatically encrypt data that is written to it instead of relying on the OS.
What is the name of the key that a self-encrypting drive (SED) uses in encrypt data?
Symmetric data/media encryption key (DEK/MEK) for bulk encryption
What is the name of the key that encrypts the symmetric data/media encryption key (DEK/MEK)?
Authentication key (AK) or Key Encryption Key (KEK).
Define an ‘authentication key (AK) or Key Encryption Key (KEK)’
Private key that is used to encrypt the symmetric bulk media encryption key (MEK).
When implementing a self-encrypting drive (SED), how does a user access the encrypted data on the drive?
A user must authenticate with a password to decrypt the MEK and access the media.
What is used to facilitate auto-updates in Linux?
yum-cron or apt unattended-upgrades
What is the purpose of testing patches before applying them to systems in production?
Identify potential issues or conflicts arising from the patch, ensuring that it does not introduce new vulnerabilities or disrupt critical operations; Mitigate the risk of unintended consequences.
What is a ‘endpoint detection and response (EDR)’ product?
Software agent that collects system data and logs for analysis to provide early detection of threats.
What is the purpose/function of endpoint detection and response (EDR)?
To provide real time and historical visibility into the compromise, contain the malware within a single host, and facilitate remediation of the host to its original state.
What is the difference between ‘Extended detection and response (XDR)’ and ‘endpoint detection and response (EDR)’
Extends protection beyond endpoints by incorporating data from the network, cloud platforms, email gateway, firewall, and other essential infrastructure components.
Define ‘Host-based intrusion detection system (HIDS)’
Type of IDS that monitors a computer system for unexpected behavior or drastic changes to the system’s state.
Define ‘host-based intrusion prevention system (HIPS)’
Endpoint protection that can detect and prevent malicious activity via signature and heuristic pattern matching.
What is a crucial feature of Host-based intrusion detection system (HIDS)?
file integrity monitoring (FIM)
Define ‘file integrity monitoring (FIM)’
Software that reviews system files to ensure that they have not been tampered with.
Define the function of ‘file integrity monitoring (FIM)’
Audits key system files to ensure they match the authorized versions.
What is the windows version of file integrity monitoring (FIM)?
Windows File Protection service runs automatically and the System File Checker (SFC) tool.
What Linux command is used to change permissions?
chmod
What management tool is used to automate secure baselines across an environment in windows?
Group policy management
What management tool is use to support access control policies in Linux?
SELinux
Define ‘SELinux’
Security feature of CentOS and RedHat that supports access control policies and mandatory access control.
What is the function of SELinux?
Allows more granular permission control over every process and system object within an operating system.
What are key differences between securing a mobile device in comparison to a traditional desktop?
Remote wiping capabilities, encryption, and secure lock screens.
What is the challenge in secure a mobile device against unwanted applications?
Mobile app ecosystem includes many apps with different access permission requirements that present unique data privacy and protection challenges.
Define ‘Bring your own device (BYOD)’
The mobile device is owned by the employee.
Define a ‘Bring your own device (BYOD)’ policy
Security framework and tools to facilitate use of personally owned devices to access corporate networks and data.
What are typical rules in a Bring your own device (BYOD) policy?
OS version and device capabilities
Define ‘Corporate owned, personally enabled (COPE)’
The device is chosen and supplied by the organization and remains its property but allows personal use.
Define ‘Mobile device management (MDM)’
Process and supporting technologies for tracking, controlling, and securing the organization’s mobile infrastructure.
What is the purpose of implementing Mobile device management (MDM)?
To manage, secure, and enforce policies on smartphones, tablets, and other endpoints.
How is data protection encryption enabled on an iOS device?
Enabled automatically when you configure a password lock on the device.
Define ‘Geolocation’
Use of network attributes to identify (or estimate) the physical position of a device.
What are two forms of geolocation?
- Global Positioning System (GPS)
- Indoor Positioning System (IPS)
Define ‘Indoor Positioning System (IPS)’
Locates a device by triangulating its proximity to other radio sources, such as cell towers, Wi-Fi access points, and Bluetooth/RFID beacons.
What is the primary concern of location services/geolocation?
Privacy; Provides a mechanism to track an individual’s movements, and therefore their social and business habits.
Define ‘Geofencing’
Security control that can enforce a virtual boundary based on real-world geography.
Define ‘GPS tagging’
Adding geographical data, such as the latitude and longitude where the device was located at the time, to media such as photographs, SMS messages, video, and so on.
Define a ‘Personal area networks (PANs)’
A network scope that uses close-range wireless technologies (usually based on Bluetooth or NFC) to establish communications between personal devices, such as smartphones, laptops, and printers/peripheral devices.
Define an ‘ad hoc network’
WIFI-Direct; A type of wireless network where connected devices communicate directly with each other instead of over an established medium.
What is the security setback with Bluetooth discovery?
Even a device in non-discoverable mode can still be detected.
How can authentication/authorization with Bluetooth be made more secure?
By changing the default key or passkey.
Define ‘bluejacking’
Sending an unsolicited message using a Bluetooth connection when device authentication is not configured.
Define ‘Bluesnarfing’
Using an exploit in Bluetooth to steal information from someone else’s phone.
How are Bluetooth connections secured between to devices initializing pairing?
Devices exchange cryptographic keys to authenticate each other’s identity and establish an encrypted communication channel.
What control is used to configure access for devices connected via Bluetooth?
Bluetooth generally requires user consent to connect and access specific services.
What Bluetooth 4.0 protocol was created to prevent eavesdropping, and on path attacks?
Bluetooth Secure Connections (BSC)
How does ‘Bluetooth Low Energy (BLE) Privacy’ protocol provide privacy?
Uses randomly generated device addresses that periodically change to prevent tracking and unauthorized identification of BLE devices.
Define ‘Near-field communication (NFC)’
Based on RFID; Standard for two-way radio communications over very short (around four inches) distances.
Why is Near-field communication (NFC) insecure?
Does not provide encryption, so eavesdropping and on-path attacks are possible if the attacker can find some way of intercepting the communication and the software services are not encrypting the data.
