Lesson 10: Installing and Configuring Wireless and Physical Access Security & Lesson 11: Deploying Secure Host, Mobile, and Embedded Systems

Question 1

Wireless networking

Answer 1

uses electromagnetic radio waves to carry data signals over the air. Wireless transmission methods are also referred to as “unguided media.” From a security perspective, the problem with wireless is that signals are usually relatively simple to eavesdrop. The way some wireless standards were originally implemented also opened numerous security vulnerabilities, most of which have been addressed in recent years.

Question 2

Wireless networks can be configured in one of two modes:

Answer 2

• Ad hoc—the wireless adapter allows connections to and from other devices (a peer-to-peer WLAN). In 802.11 documentation, this is referred to as an independent basic service set (IBSS).
• Infrastructure—the adapter is configured to connect through an access point (AP) to other wireless and wired devices. In 802.11 documentation, this is referred to as a basic service set (BSS). The MAC address of the AP is used as the basic service set identifier (BSSID). More than one BSS can be grouped in an extended service set (ESS).

Question 3

WLAN wireless devices

Answer 3

All wireless devices operating on a WLAN must be configured with the same network name, referred to as the service set identifier (SSID). When multiple access points are grouped into an extended service set, this is more properly called the extended SSID (ESSID). This just means that all the APs are configured with the same SSID.

Question 4

enterprise network

Answer 4

An enterprise network might require the use of tens or hundreds of access points, wireless bridges, and antennas. If access points are individually managed, this can lead to configuration errors on specific access points and can make it difficult to gain an overall view of the wireless deployment, including which clients are connected to which access points and which clients or access points are handling the most traffic.

Rather than configure each device individually, enterprise wireless solutions, such as those manufactured by Cisco®, Ruckus™, or Ubiquiti, allow for centralized management and monitoring of the access points on the network. This may be achieved through use of a dedicated hardware device (a wireless controller), which typically implements the required functionality through additional firmware in a network switch.

Question 5

fat AP

Answer 5

An access point whose firmware contains enough processing logic to be able to function autonomously and handle clients without the use of a wireless controller is known as a fat AP, while one that requires a wireless controller in order to function is known as a thin AP.

Question 6

lightweight access point protocol (LWAPP)

Answer 6

Cisco wireless controllers usually communicate with the access points using the lightweight access point protocol (LWAPP). LWAPP allows an AP configured to work in lightweight mode to download an appropriate SSID, standards mode, channel, and security configuration.

Question 7

control and provisioning of wireless access points (CAPWAP)

Answer 7

Alternatives to LWAPP include the derivative control and provisioning of wireless access points (CAPWAP) protocol or a proprietary protocol.

Question 8

VLAN pooling

Answer 8

As well as autoconfiguring the appliances, a wireless controller can aggregate client traffic and provide a central switching and routing point between the WLAN and wired LAN. It can also assign clients to separate VLANs. Automated VLAN pooling ensures that the total number of stations per VLAN is kept within specified limits, reducing excessive broadcast traffic. Another function of a hardware controller is to supply power to wired access points, using Power over Ethernet (PoE).

Question 9

Wi-Fi products work in either the 2.4 GHz band or the 5 GHz band, or both. While band selection does not have a direct effect on the confidentiality or integrity of the network, it can affect availability and performance:

Answer 9

• 802.11a—legacy products working in the 5 GHz band only.
• 802.11bg—legacy products working in the 2.4 GHz band only.
• 802.11n—products can be either dual band (supporting both 2.4 GHz and 5 GHz operation) or 2.4 GHz only. Most access points are dual band but many early 802.11n client adapters were single band only.
• 802.11ac—5 GHz only. Most access points supporting 802.11ac are dual band but use the 2.4 GHz band for legacy clients (802.11bgn) only. Note that better performance will be obtained by disabling support for legacy standards (especially 802.11b).

Question 10

rubber ducky antennas

Answer 10

Most wireless devices have simple omnidirectional vertical rod-type antennas, which can receive and send a signal in all directions. The plastic-coated variants often used on access points are referred to as rubber ducky antennas. To extend the signal range, you can use a directional antenna focused at a particular point. Examples of directional antennas include the Yagi (a bar with fins) and parabolic (dish or grid) antennas. These are useful for point-to-point connections (a wireless bridge). A directional antenna may also be useful to an eavesdropper, allowing them to snoop on a network from a greater distance than might be expected. The increase in signal strength obtained by focusing the signal is referred to as the gain and is measured in dBi (decibel isotropic).

Question 11

access point and antenna placement

Answer 11

When considering access point and antenna placement, a device supporting the Wi-Fi standard should have a maximum indoor range of up to about 30m (100 feet), though the weaker the signal, the lower the data transfer rate. Radio signals pass through solid objects, such as ordinary brick or drywall walls, but can be weakened or blocked by particularly dense or thick material and metal. Interference from a variety of electromagnetic interference sources can also affect signal reception and strength. Other radio-based devices can also cause interference as can devices as various as fluorescent lighting, microwave ovens, cordless phones, and (in an industrial environment) power motors and heavy machinery. Bluetooth® uses the same frequency range as 2.4 GHz Wi-Fi but a different modulation technique, so interference is possible but not common.

Question 12

Coverage

Answer 12

means that the WLAN delivers acceptable data rates to the supported number of devices in all the physical locations expected. To maximize coverage and minimize interference, position the AP as high as possible and set the channels of other nearby APs to different settings. At least 25 MHz spacing should be allowed between channels to operate without co-channel interference (CCI). In practice, therefore, in the 2.4 GHz band no more than three nearby 802.11b/g access points can have non-overlapping channels. This could be implemented, for example, by selecting channel 1 for AP1, channel 6 for AP2, and channel 11 for AP3.

Question 13

channel bonding

Answer 13

802.11n/ac can obtain more bandwidth with the option to use two adjacent 20 MHz channels as a single 40 MHz channel (channel bonding). Channel bonding is only a practical option in the 5 GHz band, where there are 23 non-overlapping 20 MHz channels and 11 40 MHz channels. When using the 5 GHz band for 802.11a or 802.11n/ac, the best option is usually to allow the AP to auto-detect the best channel.

Question 14

site survey

Answer 14

A site survey is the process of selecting the optimum positions for access points and antennas by analyzing the building infrastructure and testing signal strength at different locations. From a security perspective, an additional step would be to use the plan of WLAN zones to identify areas where there is leakage of signals.

Question 15

shielding

Answer 15

Depending on the level of security required, you may then want to install shielding at strategic locations to contain the WLAN zones. For example, you might install shielding on external walls to prevent signals from escaping the building. Of course, this will block incoming signals too (including cell phone calls).

Question 16

Signal strength

Answer 16

the amount of power used by the radio in an access point or station. Simply increasing power output is not always reliable. As you increase power, you also increase the chance of the signal bouncing, causing more interference, especially if there are multiple APs. Also, the client radio power levels should match those of the AP or they may be able to receive signals but not transmit back.

Question 17

received signal strength indicator (RSSI)

Answer 17

shows the strength of the signal from the transmitter. RSSI is a relative indicator, usually expressed as a percentage of a nominal “perfect” signal. RSSI can be calculated differently as it is implemented by the chipset vendor. Survey tools measure signal strength in dBm, which is the ratio of the measured signal to one milliwatt. When measuring signal strength, dBm will be a negative value with values closer to zero representing better performance. A value around -65 dBm represents a good signal while anything over -80 dBm is likely to suffer packet loss or be dropped. The received signal strength must also exceed the noise level by a decent margin. Noise is also measured in dBm but here values closer to zero are less welcome as they represent higher noise levels. For example, if a signal is -65 dBm and noise is -90 dBm, the Signal to Noise Ratio (SNR) is 25 dB; if noise is -80 dBm, the SNR is 15 dB and the connection will be much, much worse.

Question 18

war driving

Answer 18

Power levels are best set to auto-negotiate. You should also be aware of legal restrictions on power output—these vary from country to country. You may want to turn the power output on an AP down and ensure strategic AP device placement to prevent war driving. The main problem with this approach is that it requires careful configuration to ensure that there is acceptable coverage for legitimate users. You also expose yourself slightly to “evil twin” attacks, as users may expect to find the network at a given location and assume that the rogue AP is legitimate.

Question 19

MAC filtering

Answer 19

As with a switch, MAC filtering means specifying which MAC addresses are allowed to connect to the AP. This can be done by specifying a list of valid MAC addresses, but this “static” method is difficult to keep up to date and is relatively error-prone. It is also easy for a wireless sniffer to discover valid MAC addresses and spoof them. Enterprise-class APs allow you to specify a limit to the number of permitted addresses and automatically learn a set number of valid MAC addresses.

A more practical option is to put a firewall/IDS behind the AP in order to filter traffic passing between the wired LAN and WLAN.

Question 20

data emanation

Answer 20

As unguided media, wireless networks are subject to data emanation or signal “leakage.” A WLAN is a broadcast medium, like hub-based Ethernet.

Question 21

packet sniffing

Answer 21

Consider how much simpler packet sniffing is on hub-based compared to switched Ethernet. Similarly, on a WLAN, there is no simple way to “limit” the signal within defined boundaries. It will propagate to the extent of the antenna’s broadcast range, unless blocked by some sort of shielding or natural barrier. Data emanation means that packet sniffing a WLAN is easy if you can get within range.

Because it is so easy to eavesdrop on communications, for Wi-Fi networks to offer confidentiality and integrity, hosts must authenticate to join the network and the transmissions must be encrypted.

Question 22

Wired Equivalent Privacy (WEP)

Answer 22

the original encryption scheme and still supported on old and new devices. However, the encryption system, based on the RC4 cipher, is flawed and WEP should no longer be used, if at all possible. Under WEP version 1, you can select from different key sizes (64-bit or 128-bit). WEP version 2 enforces use of the 128-bit key and even allows a 256-bit key, but is still not considered secure. The main problem with WEP is the 24-bit initialization vector (IV).

Question 23

The initialization vector (IV) is supposed to change the key stream each time it is used. Problems with the WEP encryption scheme are as follows:

Answer 23

• The IV is not sufficiently large, meaning it will be reused within the same keystream under load. This makes the encryption subject to statistical analysis to discover the encryption key and decrypt the confidential data.
• The IV is often not generated using a sufficiently random algorithm; again, assisting brute force or statistical analysis attacks.
• Packets use a checksum to verify integrity, but this is also easy to compute. This allows the attacker to “bit flip” the ciphertext and observe a corresponding bit in the plaintext.

The flaws in WEP allow attackers using WEP cracking tools, such as Aircrack-NG (https://aircrack-ng.org) or AirSnort (https://airsnort.soft112.com), to decrypt and eavesdrop traffic. These tools work by obtaining many examples of IVs. To crack WEP, a type of replay attack is used to make the access point generate lots of packets, usually by replaying ARP packets at it, and cycle through IV values quickly.

WEP is not safe to use. If devices only support WEP, the best alternative is to enhance the connection security with another security application, such as L2TP/IPSec.

Question 24

first version of Wi-Fi Protected Access (WPA)

Answer 24

The first version of Wi-Fi Protected Access (WPA) was designed to fix the security problems with WEP. Version 1 of WPA still uses the RC4 cipher but adds a mechanism called the Temporal Key Integrity Protocol (TKIP) to make it stronger. TKIP fixes the checksum problem in WEP (Message Integrity Check), uses a larger IV (48-bit) to ensure a unique keystream, transmits it as an encrypted hash rather than in plaintext, and adds a sequence counter to resist replay attacks.

Question 25

WPA2

Answer 25

fully compliant with the 802.11i WLAN security standard. The main difference to the original iteration of WPA is the use of Advanced Encryption Standard (AES) for encryption. AES is stronger than RC4/TKIP. AES is deployed within the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). AES replaces RC4 and CCMP replaces TKIP. The only reason not to use WPA2 is if it is not supported by adapters, APs, or operating systems on the network. In many cases, devices will be compatible with a firmware or driver upgrade.

WPA and WPA2 are both much more secure than WEP, though a serious vulnerability was discovered in 2017 (https://www.krackattacks.com) so you should continue to ensure that device firmware is patched against exploits such as this. Also, when used in pre-shared key mode, an attacker can obtain the encrypted key by associating with the access point and then subject the key to brute force or dictionary-based password attacks. These may succeed if a weak password was used to generate the key. When enterprise authentication is deployed, there are no known attacks that would enable an attacker to recover the key.

Question 26

Pre-Shared Key (PSK)

Answer 26

means using a passphrase to generate the key that is used to encrypt communications. It is also referred to as group authentication because a group of users share the same secret. A PSK is generated from a passphrase, which is like a long password. In WPA-PSK, the user enters a passphrase of between 8 and 63 ASCII characters. This is converted to a 256-bit HMAC (expressed as a 64-character hex value) using the PBKDF2 key stretching algorithm.

The main problem is that distribution of the key or passphrase cannot be secured properly, and users may choose unsecure phrases. It also fails to provide accounting, as all users share the same key. The advantage is that it is simple to set up. Conversely, changing the key periodically, as would be good security practice, is difficult.

PSK is the only type of authentication available for WEP and is suitable for SOHO networks and workgroups using WPA.

Question 27

Extensible Authentication Protocol (EAP) authentication

Answer 27

WPA can also implement 802.1X, which uses Extensible Authentication Protocol (EAP) authentication. The AP passes authentication information to a RADIUS server on the wired network for validation. The authentication information could be a username and password or could employ smart cards or tokens. This allows WLAN authentication to be integrated with the wired LAN authentication scheme. This type of authentication is suitable for enterprise networks.

Question 28

open authentication

Answer 28

Selecting open authentication means that the client is not required to authenticate. This mode would be used on a public AP (or “hotspot”). This also means that data sent over the link is unencrypted. Open authentication may be combined with a secondary authentication mechanism managed via a browser. When the client associates with the open hotspot and launches the browser, the client is redirected to a captive portal or splash page. This will allow the client to authenticate to the hotspot provider’s network (over HTTPS, so the login is secure). The portal may also be designed to enforce terms and conditions and/or take payment to access the Wi-Fi service.

Question 29

Virtual Private Network (VPN)

Answer 29

When using open wireless, users must ensure they send confidential web data only over HTTPS connections and only use email, VoIP, IM, and file transfer services with SSL/TLS enabled. Another option is for the user to join a Virtual Private Network (VPN). The user would associate with the open hotspot then start the VPN connection. This creates an encrypted “tunnel” between the user’s computer and the VPN server. This allows the user to browse the web or connect to email services without anyone eavesdropping on the open Wi-Fi network being able to intercept those communications. The VPN could be provided by the user’s company or they could use a third-party VPN service provider. Of course, if using a third-party, the user needs to be able to trust them implicitly. The VPN must use certificate-based tunneling to set up the “inner” authentication method.

Question 30

Wi-Fi Protected Setup (WPS)

Answer 30

As setting up an access point securely is relatively complex for residential consumers, vendors have developed a system to automate the process called Wi-Fi Protected Setup (WPS). To use WPS, both the access point and wireless station (client device) must be WPS-capable. Typically, the devices will have a pushbutton. Activating this on the access point and the adapter simultaneously will associate the devices using a PIN, then associate the adapter with the access point using WPA2. The system generates a random SSID and PSK. If the devices do not support the push-button method, the PIN (printed on the AP) can be entered manually.

Unfortunately, WPS is vulnerable to a brute force attack. While the PIN is eight characters, one digit is a checksum and the rest is verified as two separate PINs of four and three characters. These separate PINs are many orders of magnitude simpler to brute force, typically requiring just hours to crack. On some models, disabling WPS through the admin interface does not actually disable the protocol, or there is no option to disable it. Some APs can lock out an intruder if a brute force attack is detected, but in some cases the attack can just be resumed when the lockout period expires. To counter this, the lockout period can be increased. However, this can leave APs vulnerable to a Denial of Service attack. When provisioning an AP, it is essential to verify what steps the vendor has taken to make their WPS implementation secure and the firmware level required to assure security.

Question 31

Extensible Authentication Protocol (EAP)

Answer 31

The Extensible Authentication Protocol (EAP) is designed to support different types of authentication within the same overall topology of devices. It defines a framework for negotiating authentication mechanisms rather than the details of the mechanisms themselves. Widely adopted now, vendors can write extensions to the protocol to support third-party security devices. EAP implementations can include smart cards, one-time passwords, biometric scanning, or simpler username and password combinations.

Question 32

The EAP framework involves three components:

Answer 32

• Supplicant—this is the client requesting authentication.
• Authenticator—this is the device that receives the authentication request (such as a remote access server or wireless access point). The authenticator establishes a channel for the supplicant and authentication server to exchange credentials using the EAP over LAN (EAPoL) protocol. It blocks any other traffic.
• Authentication Server—the server that performs the authentication (typically an AAA server).

Question 33

EAP-TLS

Answer 33

currently considered the strongest type of authentication and is very widely supported. An encrypted Transport Layer Security (TLS) tunnel is established between the supplicant and authentication server using public key certificates on the authentication server and supplicant. As both supplicant and server are configured with certificates, this provides mutual authentication. The supplicant will typically provide a certificate using a smart card or a certificate could be installed on the client PC, possibly in a Trusted Platform Module (TPM).

Question 34

Protected Extensible Authentication Protocol (PEAP)

Answer 34

In Protected Extensible Authentication Protocol (PEAP), as with EAP-TLS, an encrypted tunnel is established between the supplicant and authentication server, but PEAP only requires a server-side public key certificate. The supplicant does not require a certificate. With the server authenticated to the supplicant, user authentication can then take place through the secure tunnel with protection against sniffing, password-guessing/dictionary, and Man-in-the-Middle attacks.

Question 35

There are two versions of PEAP, each specifying a different user authentication method (also referred to as the “inner” method):

Answer 35

• PEAPv0 (EAP-MSCHAPv2)—uses MS-CHAPv2 for authentication. This is by far the most popular implementation.
• PEAPv1 (EAP-GTC)—Cisco’s implementation.

PEAP is supported by Microsoft® as an alternative to EAP-TLS. It is simpler and cheaper to deploy than EAP-TLS because you only need a certificate for the authentication server.

Question 36

EAP-Tunneled TLS (EAP-TTLS)

Answer 36

similar to PEAP. It uses a server-side certificate to establish a protected tunnel through which the user’s authentication credentials can be transmitted to the authentication server. The main distinction from PEAP is that EAP-TTLS can use any inner authentication protocol (PAP or CHAP, for instance), while PEAP must use EAP-MSCHAP or EAP-GTC.

Question 37

Lightweight EAP (LEAP)

Answer 37

developed by Cisco in 2000 to try to resolve weaknesses in Wired Equivalent Privacy (WEP) and represents a very early implementation of EAP. When a client connects to an access point (the authenticator), it enables EAPoL and the client authenticates to the server and the server to the client. The server and client then calculate a transport encryption session key, which the server sends to the access point. This key is used to encrypt the rest of the session. LEAP relies on MS-CHAP to transmit authentication credentials. This means that LEAP is vulnerable to password cracking, as demonstrated by the ASLEAP cracking tool

Question 38

Flexible Authentication via Secure Tunneling (EAP-FAST)

Answer 38

Cisco’s replacement for LEAP. EAP-FAST is similar to PEAP, but instead of using a certificate to set up the tunnel, it uses a Protected Access Credential (PAC), which is generated for each user from the authentication server’s master key. The problem with EAP-FAST is in distributing (provisioning) the PAC securely to each user requiring access. The PAC can either be distributed via an out-of-band method or via a server with a digital certificate (but in the latter case, EAP-FAST does not offer much advantage over using PEAP). Alternatively, the PAC can be delivered via anonymous Diffie-Hellman key exchange. The problem here is that there is nothing to authenticate the access point to the user. A rogue access point could obtain enough of the user credential to perform an ASLEAP password cracking attack.

Question 39

Flexible Authentication via Secure Tunneling (EAP-FAST)

Answer 39

Cisco’s replacement for LEAP. EAP-FAST is similar to PEAP, but instead of using a certificate to set up the tunnel, it uses a Protected Access Credential (PAC), which is generated for each user from the authentication server’s master key. The problem with EAP-FAST is in distributing (provisioning) the PAC securely to each user requiring access. The PAC can either be distributed via an out-of-band method or via a server with a digital certificate (but in the latter case, EAP-FAST does not offer much advantage over using PEAP). Alternatively, the PAC can be delivered via anonymous Diffie-Hellman key exchange. The problem here is that there is nothing to authenticate the access point to the user. A rogue access point could obtain enough of the user credential to perform an ASLEAP password cracking attack.

Question 40

EAP-MD5

Answer 40

This is simply a secure hash of a user password. This method cannot provide mutual authentication (that is, the authenticator cannot authenticate itself to the supplicant). Therefore, this method is not suitable for use over unsecure networks, as it is vulnerable to Man-in-the-Middle, session hijacking, and password cracking attacks.

Question 41

RADIUS federation

Answer 41

Most implementations of EAP use a RADIUS server to validate the authentication credentials for each user (supplicant). RADIUS federation means that multiple organizations allow access to one another’s users by joining their RADIUS servers into a RADIUS hierarchy or mesh. For example, when Bob from widget.com needs to log on to grommet.com’s network, the RADIUS server at grommet.com recognizes that Bob is not a local user but has been granted access rights and routes the request to widget.com’s RADIUS server.

One example of RADIUS federation is the eduroam network (https://www.eduroam.org), which allows students of universities from several different countries to log on to the networks of any of the participating institutions using the credentials stored by their “home” university.

Question 42

As well as knowing the protocols and settings to configure a single access point securely, in a complex site you may need to consider additional issues to provide secure wireless access and resist wireless Denial of Service attacks. As with other security troubleshooting, there are two general kinds of issues with access point configuration; those where legitimate users cannot connect and those when unauthorized users are able to connect. In the first case, make the following checks:

Answer 42

• Ensure that wireless access points are implementing WPA/WPA2 with a strong passphrase or enterprise authentication.
• Check that clients are configured with the correct passphrase or that access points can communicate with RADIUS servers and that they are operational and functioning as expected.
• Ensure that no other wireless signals are interfering with the access point’s transmission.

Question 43

rogue AP

Answer 43

If scans or network logs show that unauthorized devices are connecting, determine whether the problem is an access point with misconfigured or weak security or whether there is some sort of rogue AP. A rogue AP is one that has been installed on the network without authorization, whether with malicious intent or not. It is vital to periodically survey the site to detect rogue APs. A malicious user can set up such an access point with something as basic as a smartphone with tethering capabilities, and a non-malicious user could enable such an access point by accident. If connected to a LAN without security, an unauthorized AP creates a very welcoming backdoor through which to attack the network. A rogue AP could also be used to capture user logon attempts, allow Man-in-the-Middle attacks, and allow access to private information.

Question 44

evil twin or wiphishing

Answer 44

A rogue AP masquerading as a legitimate one is called an evil twin or sometimes wiphishing. An evil twin might just have a similar name (SSID) to the legitimate one, or the attacker might use some DoS technique to overcome the legitimate AP. This attack will not succeed if authentication security is enabled on the AP, unless the attacker also knows the details of the authentication method. However, the evil twin might be able to harvest authentication information from users entering their credentials by mistake.

One solution is to use EAP-TLS security so that the authentication server and clients perform mutual authentication. There are also various scanners and monitoring systems that can detect rogue APs, including AirMagnet (https://www.enterprise.netscout.com/products/airmagnet-survey), inSSIDer (https://www.metageek.com/products/inssider), Kismet (https://www.kismetwireless.net), and Xirrus Wi-Fi Inspector (https://www.xirrus.com). Another option is a wireless intrusion detection system (WIDS) or wireless intrusion prevention system (WIPS). As well as rogue access points, WIPS can detect and prevent attacks against WLAN security, such as MAC spoofing and DoS.

Question 45

deauthentication

Answer 45

The use of a rogue AP may be coupled with a deauthentication attack. This sends a stream of spoofed deauth frames to cause a client to deauthenticate from an AP. This might allow the attacker to interpose the rogue AP or to sniff information about the authentication process (such as a non-broadcast ESSID).

Question 46

disassociation

Answer 46

A similar attack hits the target with disassociation packets, rather than fully deauthenticating the station. A disassociated station is not completely disconnected, but neither can it communicate on the network until it reassociates. Both attacks may also be used to perform a Denial of Service (DoS) attack against the wireless infrastructure. These attacks work against both WEP and WPA. The attacks can be mitigated if the wireless infrastructure supports Management Frame Protection (MFP/ 802.11w). Both the AP and clients must be configured to support MFP.

Question 47

Wi-Fi jamming attack

Answer 47

A wireless network can be disrupted by interference from other radio sources. These are often unintentional, but it is also possible for an attacker to purposefully jam an access point. This might be done simply to disrupt services or to position an evil twin AP on the network with the hope of stealing data. A Wi-Fi jamming attack can be performed by setting up an AP with a stronger signal. Wi-Fi jamming devices are also widely available, though they are often illegal to use and sometimes to sell. Such devices can be very small, but the attacker still needs to gain fairly close physical proximity to the wireless network.

Question 48

spectrum analyzer

Answer 48

The only ways to defeat a jamming attack are either to locate the offending radio source and disable it, or to boost the signal from the legitimate equipment. AP’s for home and small business use are not often configurable, but the more advanced wireless access points, such as Cisco’s Aironet series, support configurable power level controls. The source of interference can be detected using a spectrum analyzer. Unlike a Wi-Fi analyzer, a spectrum analyzer must use a special radio receiver (Wi-Fi adapters filter out anything that isn’t a Wi-Fi signal). They are usually supplied as handheld units with a directional antenna, so that the exact location of the interference can be pinpointed.

Question 49

Personal Area Networks (PANs)

Answer 49

Wireless technologies are also important in establishing so-called Personal Area Networks (PANs). A PAN usually provides connectivity between a host and peripheral devices but can also be used for data sharing between hosts.

Question 50

Bluetooth

Answer 50

a short-range (up to about 10m) radio link, working at a nominal rate of up to about 3 Mbps (for v2.0 + EDR)

Question 51

Bluetooth devices have a few known security issues, summarized here:

Answer 51

• Device discovery—a device can be put into discoverable mode meaning that it will connect to any other Bluetooth devices nearby. Unfortunately, even a device in non-discoverable mode is quite easy to detect.
• Authentication and authorization—devices authenticate (“pair”) using a simple passkey configured on both devices. This should always be changed to some secure phrase and never left as the default. Also, check the device’s pairing list regularly to confirm that the devices listed are valid.
• Malware—there are proof-of-concept Bluetooth worms and application exploits, most notably the BlueBorne exploit (http://go.armis.com/hubfs/BlueBorne%20Technical%20White%20Paper.pdf), which can compromise any active and unpatched system regardless of whether discovery is enabled and without requiring any user intervention. There are also vulnerabilities in the authentication schemes of many devices. Keep devices updated with the latest firmware.

Question 52

bluejacking

Answer 52

Unless some sort of authentication is configured, a discoverable device is vulnerable to bluejacking, a sort of spam where someone sends you an unsolicited text (or picture/ video) message or vCard (contact details). This can also be a vector for malware, as demonstrated by the Obad Android Trojan malware (https://securelist.com/the-most-sophisticated-android-trojan/35929/).

Question 53

Bluesnarfing

Answer 53

Bluesnarfing refers to using an exploit in Bluetooth to steal information from someone else’s phone. The exploit (now patched) allows attackers to circumvent the authentication mechanism. Even without an exploit, a short (4 digit) PIN code is vulnerable to brute force password guessing.

Question 54

Radio Frequency ID (RFID)

Answer 54

a means of encoding information into passive tags, which can be easily attached to devices, structures, clothing, or almost anything else. When a reader is within range of the tag (typically either up to 10cm or up to 1m), it produces an electromagnetic wave that powers up the tag and allows the reader to collect information from it or to change the values encoded in the tag. There are also battery-powered active tags that can be read at much greater distances (hundreds of meters). One type of RFID attack is skimming, which is where an attacker uses a fraudulent RFID reader to read the signals from a contactless bank card. Any reader can access any data stored on any RFID tag, so sensitive information must be protected using cryptography. It is also possible (in theory) to design RFID tags to inject malicious code to try to exploit a vulnerability in a reader.

Question 55

Near Field Communications (NFC)

Answer 55

a very short-range radio link based on RFID. NFC works at up to 4cm at data rates of 106, 212, and 424 Kbps. NFC sensors and functionality are now commonly incorporated into smartphones. NFC is mostly used for contactless payment readers. It can also be used to configure other types of connections (pairing Bluetooth devices for instance) and for exchanging information, such as contact cards. An NFC transaction is sometimes known as a bump, named after an early mobile sharing app, later redeveloped as Android Beam, to use NFC.

As well as powered sensors, an NFC function can be programmed into an unpowered chip that can be delivered as a sticker (an NFC tag). When the phone’s sensor is brought close to the tag, the radio field activates it and triggers some action that has been pre-programmed into the phone.

As a relatively new technology, there are few proven attacks or exploits relating to NFC. It is possible to envisage how such attacks may develop, however. NFC does not provide encryption, so eavesdropping and Man-in-the-Middle attacks are possible if the attacker can find some way of intercepting the communication and the software services are not encrypting the data. Vulnerabilities and exploits are also likely to be found in the software services that use NFC. It is also possible to jam NFC signals, creating a Denial of Service attack.

Some software, such as Google’s Beam, allows NFC transfers to occur without user intervention. It is possible that there may be some way to exploit this by crafting tags to direct the device browser to a malicious web page where the attacker could try to exploit any vulnerabilities in the browser.

Question 56

Follow these guidelines when securing wireless traffic:

Answer 56

• Select access points and supplementary directional antennas that adequately meet your bandwidth and signal range requirements.
• Select the appropriate frequency band and configure the signal strength to meet your needs.
• Consider using thin APs in a controller-based architecture to centralize wireless network operations.
• Conduct a site survey to determine the best possible ways to position your wireless infrastructure with respect to confidentiality, integrity, and availability.
• Configure your Wi-Fi networks with WPA2 encryption and an appropriate authentication method:
• Consider using WPA2-Enterprise in a large corporate environment to take advantage of 802.1X/ RADIUS authentication.
• Use a long passphrase to generate a more secure PSK.
• Avoid using the PIN feature of WPS.
• Implement a captive portal requiring login credentials to protect against unauthorized users accessing your Wi-Fi hotspot.
• Patch and update firmware on all types of wireless systems (Wi-Fi, Bluetooth, RFID, and NFC) regularly and monitor security bulletins for news of emerging attack vectors.

Question 57

physical access controls

Answer 57

Physical security controls, or physical access controls, are security measures that restrict, detect, and monitor access to specific physical areas or assets. They can control access to a building, to equipment, or to specific areas, such as server rooms, finance or legal areas, data centers, network cable runs, or any other area that has hardware or information that is considered to have important value and sensitivity. Determining where to use physical access controls requires a cost–benefit analysis and must consider any regulations or other compliance requirements for the specific types of data that are being safeguarded.

Question 58

Physical access controls depend on the same access control fundamentals as network or operating system security:

Answer 58

• Authentication—create access lists and identification mechanisms to allow approved persons through the barriers.
• Authorization—create barriers around a resource so that access can be controlled through defined entry and exit points.
• Accounting—keep a record of when entry/exit points are used and detect security breaches.

Physical security can be thought of in terms of zones. Each zone should be separated by its own barrier(s). Entry and exit points through the barriers need to be controlled by one or more security mechanisms. Progression through each zone should be progressively more restricted.

Question 59

In existing premises, there will not be much scope to influence site layout. However, given constraints of cost and existing infrastructure, try to plan the site using the following principles:

Answer 59

• Locate secure zones, such as equipment rooms, as deep within the building as possible, avoiding external walls, doors, and windows.
• Position public access areas so that guests do not pass near secure zones. Security mechanisms in public areas should be high visibility, to increase deterrence. Use signs and warnings to enforce the idea that security is tightly controlled. Beyond basic no trespassing signs, some homes and offices also display signs from the security companies whose services they are currently using. These may convince intruders to stay away. Conversely, entry points to secure zones should be discreet. Do not allow an intruder the opportunity to inspect security mechanisms protecting such zones (or even to know where they are).
• Try to minimize traffic having to pass between zones. The flow of people should be “in and out” rather than “across and between.”
• Make high traffic public areas high visibility, so that covert use of gateways, network access ports, and computer equipment is hindered, and surveillance is simplified.
• In secure zones, do not position display screens or input devices facing toward pathways or windows. Alternatively, use one-way glass so that no one can look in through windows.

Question 60

barricade

Answer 60

A barricade is something that prevents access. As with any security system, no barricade is completely effective; a wall may be climbed or a lock may be picked, for instance. The purpose of barricades is to channel people through defined entry and exit points. Each entry point should have an authentication mechanism so that only authorized persons are allowed through. Effective surveillance mechanisms ensure that attempts to penetrate a barricade by other means are detected.

Question 61

fencing

Answer 61

The exterior of a building may be protected by fencing. Security fencing needs to be transparent (so that guards can see any attempt to penetrate it), robust (so that it is difficult to cut), and secure against climbing (which is generally achieved by making it tall and possibly by using razor wire). Fencing is generally effective, but the drawback is that it gives a building an intimidating appearance. Buildings that are used by companies to welcome customers or the public may use more discreet security methods.

Question 62

Security lighting

Answer 62

Security lighting is enormously important in contributing to the perception that a building is safe and secure at night. Well-designed lighting helps to make people feel safe, especially in public areas or enclosed spaces, such as parking garages. Security lighting also acts as a deterrent by making intrusion more difficult and surveillance (whether by camera or guard) easier. The lighting design needs to account for overall light levels (illuminance), the lighting of particular surfaces or areas (allowing cameras to perform facial recognition, for instance), and avoiding areas of shadow and glare.

Question 63

gateway

Answer 63

One of the oldest types of security is a wall with a door in it (or a fence with a gate). In order to secure such a gateway, it must be fitted with a lock (or door access system). A secure gateway will normally be self-closing and self-locking, rather than depending on the user to close and lock it.

Question 64

Lock types can be categorized as follows:

Answer 64

• Conventional—a conventional lock prevents the door handle from being operated without the use of a key. More expensive types offer greater resistance against lock picking.
• Deadbolt—this is a bolt on the frame of the door, separate to the handle mechanism.
• Electronic—rather than a key, the lock is operated by entering a PIN on an electronic keypad. This type of lock is also referred to as cipher, combination, or keyless.
• Token-based—a smart lock may be opened using a magnetic swipe card or feature a proximity reader to detect the presence of a wireless key fob or one-time password generator (physical tokens) or smart card.
• Biometric—a lock may be integrated with a biometric scanner.
• Multifactor—a lock may combine different methods (for example, smart card with PIN).

Locks using a physical key are only as secure as the key management process used to protect the keys. The more physical copies of each key that are made, the less secure the gateway becomes. It is important to track who is holding a key at any one time and to ensure that a key cannot be removed from the site (to prevent a copy being made). Locks using smart cards will require the management of the cryptographic keys issued to the lock mechanism and the smart cards.

Question 65

turnstile

Answer 65

Apart from being vulnerable to lock picking, the main problem with a simple door or gate as an entry mechanism is that it cannot accurately record who has entered or left an area. Multiple people may pass through the gateway at the same time; a user may hold a door open for the next person; an unauthorized user may “tailgate” behind an authorized user. This risk may be mitigated by installing a turnstile (a type of gateway that only allows one person through at a time).

Question 66

mantrap

Answer 66

The other option is to add some sort of surveillance on the gateway. Where security is critical and cost is no object, a mantrap could be employed. A mantrap is where one gateway leads to an enclosed space protected by another barrier.

Question 67

As well as authorized gateways (such as gates and doors), consider the security of entry points that could be misused, such as emergency exits, windows, hatches, grilles, and so on. These may be fitted with bars, locks, or alarms to prevent intrusion. Also consider pathways above and below, such as false ceilings and ducting. There are three main types of alarm:

Answer 67

• Circuit—a circuit-based alarm sounds when the circuit is opened or closed, depending on the type of alarm. This could be caused by a door or window opening or by a fence being cut. A closed-circuit alarm is more secure because an open circuit alarm can be defeated by cutting the circuit.
• Motion detection—a motion-based alarm is linked to a detector triggered by any movement within an area (defined by the sensitivity and range of the detector), such as a room. The sensors in these detectors are either microwave radio reflection (similar to radar) or Passive Infrared (PIR), which detect moving heat sources.
• Duress—this type of alarm is triggered manually by staff if they come under threat. There are many ways of implementing this type of alarm, including wireless pendants, concealed sensors or triggers, and DECT handsets or smartphones. Some electronic entry locks can also be programmed with a duress code that is different from the ordinary access code. This will open the gateway but also alert security personnel that the lock has been operated under duress.

Circuit-based alarms are typically suited for use at the perimeter and on windows and doors. These may register when a gateway is opened without using the lock mechanism properly or when a gateway is held open for longer than a defined period. Motion detectors are useful for controlling access to spaces that are not normally used. Duress alarms are useful for exposed staff in public areas. An alarm might simply sound an alert or it may be linked to a monitoring system. Many alarms are linked directly to local law enforcement or to third-party security companies. A silent alarm alerts security personnel rather than sounding an audible alarm.

Question 68

Surveillance

Answer 68

typically a second layer of security designed to improve the resilience of perimeter gateways. Surveillance may be focused on perimeter areas or within security zones themselves. Human security guards, armed or unarmed, can be placed in front of and around a location to protect it. They can monitor critical checkpoints and verify identification, allow or disallow access, and log physical entry events. They also provide a visual deterrent and can apply their own knowledge and intuition to potential security breaches. The visible presence of guards is a very effective intrusion detection and deterrence mechanism, but is correspondingly expensive. It also may not be possible to place security guards within certain zones because they cannot be granted an appropriate security clearance. Training and screening of security guards is imperative.

Question 69

CCTV (closed circuit television)

Answer 69

a cheaper means of providing surveillance than maintaining separate guards at each gateway or zone, though still not cheap to set up if the infrastructure is not already in place on the premises. It is also quite an effective deterrent. The other big advantage is that movement and access can be recorded. The main drawback compared to the presence of security guards is that response times are longer, and security may be compromised if not enough staff are in place to monitor the camera feeds.

The cameras in a CCTV network are typically connected to a multiplexer using coaxial cabling. The multiplexer can then display images from the cameras on one or more screens, allow the operator to control camera functions, and record the images to tape or hard drive. Newer camera systems may be linked in an IP network, using regular data cabling.

Question 70

access list

Answer 70

An access list held at each secure gateway records who is allowed to enter. An electronic lock may be able to log access attempts or a security guard can manually log movement. At the lowest end, a sign-in and sign-out sheet can be used to record authorized access. Visitor logging requirements will vary depending on the organization, but should include at least name and company being represented, date, time of entry, and time of departure, reason for visiting, and contact within the organization.

Question 71

ID badge

Answer 71

A photographic ID badge showing name and (perhaps) access details is one of the cornerstones of building security. Anyone moving through secure areas of a building should be wearing an ID badge; anyone without an ID badge should be challenged. Color-coding could be used to make it obvious to which zones a badge is granted access.

Question 72

challenge

Answer 72

The cheapest form of surveillance is to leverage ordinary employees to provide it. Security policies should explain staff responsibilities and define reporting mechanisms. One of the most important parts of surveillance is the challenge policy. This sets out what type of response is appropriate in given situations and helps to defeat social engineering attacks. This must be communicated to and understood by staff.

Question 73

Challenges represent a whole range of different contact situations. For example:

Answer 73

• Challenging visitors who do not have ID badges or are moving about unaccompanied.
• Insisting that proper authentication is completed at gateways, even if this means inconveniencing staff members (no matter their seniority).
• Intruders and/or security guards may be armed. The safety of staff and compliance with local laws has to be balanced against the imperative to protect the company’s other resources.

It is much easier for employees to use secure behavior in these situations if they know that their actions are conforming to a standard of behavior that has been agreed upon and is expected of them.

Question 74

secure cabinets/enclosures

Answer 74

As well as access to the site, physical security can be used for network appliances and cabling. The most vulnerable point of the network infrastructure will be the communications room. This should be subject to the most stringent access and surveillance controls that can be afforded. Another layer of security can be provided by installing equipment within secure cabinets/enclosures. These can be supplied with key-operated or electronic locks.

Some data centers may contain racks with equipment owned by different companies (colocation). These racks can be installed inside cages so that technicians can only physically access the racks housing their own company’s servers and appliances.

If installing equipment within a cabinet is not an option, it is also possible to obtain cable hardware locks for use with portable devices such as laptops.

Portable devices and media (backup tapes or USB media storing encryption keys, for instance) may be stored in a safe. Safes can feature key-operated or combination locks but are more likely to come with electronic locking mechanisms. Safes can be rated to a particular cash value for the contents against various international grading schemes.

There are also fire safes that give a certain level of protection against exposure to smoke and flame and to water penetration (from fire extinguishing efforts).

A privacy filter or screen filter prevents anyone but the user from reading the screen (shoulder surfing). Modern TFTs are designed to be viewed from wide angles. This is fine for home entertainment use but raises the risk that someone would be able to observe confidential information shown on a user’s monitor. A privacy filter restricts the viewing angle to the person directly in front of the screen.

Question 75

As well as the switches, routers, and servers housed in equipment cabinets, thought needs to be given to cabling. A physically secure cabled network is referred to as a protected distribution system (PDS). There are two principal risks:

Answer 75

• An intruder could attach eavesdropping equipment to the cable (a tap).
• An intruder could cut the cable (Denial of Service).

A hardened PDS is one where all cabling is routed through sealed metal conduit and subject to periodic visual inspection. Lower grade options are to use different materials for the conduit (plastic, for instance). Another option is to install an alarm system within the cable conduit, so that intrusions can be detected automatically.

Question 76

TEMPEST (Transient Electromagnetic Pulse Emanation Standard)

Answer 76

The leakage of electromagnetic signals was investigated by the US DoD who defined TEMPEST (Transient Electromagnetic Pulse Emanation Standard) as a means of shielding the signals. The specifications are vigorous and very few manufacturers have sought TEMPEST classification. It also possible to install communications equipment within a shielded enclosure, known as a Faraday cage. The cage is a charged conductive mesh that blocks signals from entering or leaving the area.

An air gapped host is one that is not physically connected to any network. Such a host would also normally have stringent physical access controls, such as housing it within a secure enclosure, validating any media devices connected to it, and so on.

Question 77

HVAC (Heating, Ventilation, Air Conditioning)

Answer 77

Environmental security means maintaining a climate that is not damaging to electronic systems and ensures a stable supply of power. Building control systems maintain an optimum working environment for different parts of the building. The acronym HVAC (Heating, Ventilation, Air Conditioning) is often used to describe these services. For general office areas, this basically means heating and cooling; for other areas, different aspects of climate control, such as humidity, may be important.

HVAC ensures adequate cooling and humidity and dust control within a room or other enclosed space. All air flow into and out of the room is run through ducts, fans, and filters and warmed or cooled to the correct temperature and humidity. Ideally, use a thermostatically controlled environment to keep the temperature to around 20-22ºC (68-70ºF) and relative humidity to around 50%. The heat generated by equipment per hour is measured in British Thermal Units (BTU) or Kilowatts (KW). 1 KW is 3412 BTU. To calculate the cooling requirement for an air conditioning system, multiply the wattage of all equipment in the room (including lighting) by 3.41 to get the BTU/hour. If the server room is occupied (unlikely in most cases), add 400 BTU/person. The air conditioner’s BTU-rating must exceed this total value.

A server or equipment room should also provide decent air flow around the server equipment. Air flow is provided by ensuring enough space (at least three feet or one meter) around the server or rack. Obviously, air conditioning vents should not be blocked by racks or equipment. Where possible, the space should not be exposed to direct sunlight.

The positive air pressure created by the HVAC system also forces contaminants such as dust out of the facility. Filters on HVAC systems collect the dust and must be changed regularly. When using an air conditioning system, ensure that it is inspected and maintained periodically. Systems may be fitted with alarms to alert staff to problems. Highly mission-critical systems may require a backup air conditioning system.

Question 78

hot aisle/ cold aisle

Answer 78

A data center or server room should be designed in such a way as to maximize air flow across the server or racks. If multiple racks are used, install equipment so that servers are placed back-to-back not front-to-back, so that the warm exhaust from one bank of servers is not forming the air intake for another bank. This is referred to as a hot aisle/ cold aisle arrangement. In order to prevent air leaks from the hot aisle to the cold aisle, ensure that any gaps in racks are filled by blank panels and use strip curtains or excluders to cover any spaces above or between racks.

Make sure that cabling is secured by cable ties or ducting and does not run across walkways. Cable is best run using a raised floor. If running cable through plenum spaces, make sure it is fire-retardant and be conscious of minimizing proximity to electrical sources, such as electrical cable and fluorescent light, which can corrupt data signals (Electromagnetic Interference [EMI]). You also need to ensure that there is sufficient space in the plenum for the air conditioning system to work properly—filling the area with cable is not the best idea.

Note: To reduce interference, data/network cabling should not be run parallel to power cabling. If EMI is a problem, shielded cabling can be installed. Alternatively, the copper cabling could be replaced with fiber optic cabling, which is not susceptible to EMI.

Question 79

uildings also need to be fitted with automatic smoke or fire detection systems, as well as alarms that can be operated manually. There are several types of detectors:

Answer 79

• Photoelectric smoke detector—measures the integrity of an internal beam of light. The alarm will sound if the beam degrades (for example, if it is obscured by smoke).
• Ionization smoke detector—a radioactive source creates a regular movement of ionized particles, which can be disrupted by smoke.
• Heat detector—these alarms sound if heat rises to a certain point or if the rate of temperature increase exceeds the defined limit.
• Flame detector—these use infrared sensors to detect flames, and are the most effective (and expensive) type.

More sensitive detection systems may be used for certain areas of the building, such as within computer server rooms or rooms used to store archive material.

Question 80

Fire suppression

Answer 80

systems work on the basis of the Fire Triangle. The Fire Triangle works on the principle that a fire requires heat, oxygen, and fuel to ignite and burn. Removing any one of those elements provides fire suppression (and prevention). In the US (and most other countries), fires are divided by class under the NFPA (National Fire Protection Association) system, according to the combustible material that fuels the fire. Portable fire extinguishers come in several different types; each type being designed for fighting a particular class of fire. Notably, Class C extinguishers use gas-based extinguishing and can be used where the risk of electric shock makes other types unsuitable.

Question 81

There are several alternatives to wet-pipe systems that can minimize damage that may be caused by water flooding the room:

Answer 81

• Dry-pipe—these are used in areas where freezing is possible; water only enters this part of the system if sprinklers elsewhere are triggered.
• Pre-action—a pre-action system only fills with water when an alarm is triggered; it will then spray when the heat rises. This gives protection against accidental discharges and burst pipes and gives some time to contain the fire manually before the sprinkler operates.
• Halon—gas-based systems have the advantage of not short circuiting electrical systems and leaving no residue. Up until a few years ago, most systems used Halon 1301. The use of Halon has been banned in most countries as it is ozone depleting, though existing installations have not been replaced in many instances and can continue to operate legally.
• Clean agent—alternatives to Halon are referred to as “clean agent.” As well as not being environmentally damaging, these gases are considered non-toxic to humans. Examples include INERGEN (a mixture of CO2, Argon, and Nitrogen), FM-200/ HFC-227, and FE-13. The gases both deplete the concentration of oxygen in the area (though not to levels dangerous to humans) and have a cooling effect. CO2 can be used too, but it is not safe for use in occupied areas.

Question 82

Follow these guidelines when implementing physical controls:

Answer 82

• Conduct a cost–benefit analysis to determine where and when to place physical security controls.
• Identify any regulations that require certain physical controls.
• Implement a wide variety of physical control types that are appropriate to your facilities and other environments.
• Recognize how your physical environments may be exposed to adverse environmental conditions.
• Implement environmental controls like HVAC systems and fire management processes to reduce exposure risks.
• Ensure that environmental exposures are being consistently monitored.
• Ensure that the safety of personnel and property is a priority in your security operations.
• Consider how existing physical controls can be useful as safety controls.
• Develop an escape plan in the event of a fire or noxious gas hazard.
• Conduct periodic drills to test personnel preparedness.
• Ensure that safety controls are consistently tested for their ability to meet safety standards.

Question 83

Common Criteria (CC)

Answer 83

n ISO standard (ISO 15408) defining security frameworks. It evolved from separate standards developed by the USA (TCSEC or Orange Book), Canada (CTCPEC), and Europe (ITSEC).

Question 84

An OS that meets the criteria for a Common Criteria OS Protection Profile can be described as a Trusted OS (TOS). In very general terms, a Trusted OS provides:

Answer 84

• Trusted Computing Base (TCB)—the kernel and associated hardware and processes must be designed to support the enforcement of a security policy (an access control model). This means it should be tamper-resistant, resistant to vulnerabilities, and not able to be bypassed (it provides complete mediation between users and resources). The TCB should be as small as possible to facilitate better analysis and understanding.
• Security features—such as support for multilevel security (Mandatory Access Control). A problem for many OSes is the means of restricting root or Administrator access to classified data. The process for patching security vulnerabilities is also critical.
• Assurance—such as secure design principles, availability of code reviews and audits, and so on.

All this means that the computing environment is trusted not to create security issues. For example, when a user authenticates to a network using a computer running a trusted OS, there is (or should be) assurance that the system itself has not compromised the authentication process (by allowing snooping, session hijacking, or other such attacks).

The Trusted Computing Group (https://trustedcomputinggroup.org) is a consortium of companies, including Microsoft®, Intel®, AMD, HP®, Cisco®, and Juniper®, set up to develop technologies to improve the security of computing systems. One of the major initiatives of the group was the development of the Trusted Platform Module (TPM).

Question 85

Trusted Computing Group

Answer 85

The Trusted Computing Group (https://trustedcomputinggroup.org) is a consortium of companies, including Microsoft®, Intel®, AMD, HP®, Cisco®, and Juniper®, set up to develop technologies to improve the security of computing systems. One of the major initiatives of the group was the development of the Trusted Platform Module (TPM).

Question 86

hardware Root of Trust (RoT) or trust anchor

Answer 86

A hardware Root of Trust (RoT) or trust anchor is a secure subsystem that is able to provide attestation (declare something to be true). For example, when a computer joins a network, it might submit a report to the Network Access Control (NAC) server declaring, “My operating system files have not been replaced with malicious versions.” The hardware root of trust is used to scan the boot metrics and OS files to verify their signatures, then it signs the report and allows the NAC server to trust it. The NAC server compares the report to its stored template of the same metrics and file signatures and decides whether to grant access or not.

The problem with establishing a hardware root of trust is that devices are used in environments where anyone can get complete control over them. There cannot be complete assurance that the firmware underpinning the hardware root of trust is inviolable, but attacks against trusted modules are sufficiently difficult so as to provide effective security in most cases.

Question 87

Trusted Platform Module (TPM)

Answer 87

In a computer device, the RoT is usually established by a type of cryptoprocessor called a Trusted Platform Module (TPM). TPM is a specification for hardware-based storage of digital certificates, keys, hashed passwords, and other user and platform identification information. Essentially, it functions as an embedded smart card. The TPM is implemented either as part of the chipset or as an embedded function of the CPU.

Each TPM microprocessor is hard-coded with a unique, unchangeable RSA private key (the endorsement key). This endorsement key is used to create various other types of subkeys used in key storage, signature, and encryption operations. During the boot process, the TPM compares hashes of key system state data (boot firmware, boot loader, and OS kernel) to ensure they have not been tampered with.

The TPM also supports the concept of an owner, usually identified by a password (though this is not mandatory). Anyone with administrative control over the setup program can take ownership of the TPM, which destroys and then regenerates its subkeys. A TPM can be managed in Windows via the tpm.msc console or through group policy.

Question 88

supply chain

Answer 88

A supply chain is the end-to-end process of supplying, manufacturing, distributing, and finally releasing goods and services to a customer. For the TPM to be trustworthy, the supply chain of chip manufacturers, firmware authors, OEM resellers, and administrative staff responsible for provisioning the computing device to the end user must all be trustworthy. Anyone with the time and resources to modify the computer’s firmware could (in theory) create some sort of backdoor access. It is also critical that no one learn the endorsement key programmed into each TPM. Anyone obtaining the endorsement key will be able to impersonate that TPM.

Question 89

Basic Input/Output System (BIOS)

Answer 89

The Basic Input/Output System (BIOS) provides industry standard program code that operates the essential components of the PC and ensures that the design of each manufacturer’s motherboard is PC compatible.

Question 90

Unified Extensible Firmware Interface (UEFI)

Answer 90

Newer motherboards use a different kind of firmware called Unified Extensible Firmware Interface (UEFI). UEFI provides support for 64-bit CPU operation at boot, a full GUI and mouse operation at boot, and better boot security.

Question 91

Secure boot

Answer 91

a security system offered by UEFI. It is designed to prevent a computer from being hijacked by a malicious OS. Under secure boot, UEFI is configured with digital certificates from valid OS vendors. The system firmware checks the operating system boot loader using the stored certificate to ensure that it has been digitally signed by the OS vendor. This prevents a boot loader that has been modified by malware (or an OS installed without authorization) from being used.

Question 92

Full Disk Encryption (FDE)

Answer 92

means that the entire contents of the drive (or volume), including system files and folders, are encrypted. OS ACL-based security measures are quite simple to circumvent if an adversary can attach the drive to a different host OS. Drive encryption allays this security concern by making the contents of the drive accessible only in combination with the correct encryption key.

FDE requires the secure storage of the key used to encrypt the drive contents. Normally, this is stored in a TPM. The TPM chip has a secure storage area that a disk encryption program, such as Windows BitLocker®, can write its keys to. It is also possible to use a removable USB drive (if USB is a boot device option). As part of the setup process, you create a recovery password or key. This can be used if the disk is moved to another computer or the TPM is damaged.

Question 93

Self-Encrypting Drives (SED)

Answer 93

One of the drawbacks of FDE is that, because the OS performs the cryptographic operations, performance takes a hit. This issue is mitigated by Self-Encrypting Drives (SED), where the cryptographic operations are performed by the drive controller. The SED uses a Media Encryption Key (MEK) to encrypt data and stores the MEK securely by encrypting it with a Key Encryption Key (KEK), generated from the user password.

Question 94

Electromagnetic Interference (EMI)

Answer 94

the effect unwanted electromagnetic energy has on electronic equipment. Computers installed in “noisy” EMI environments, such as factory floors and power plants, often need shielding from EMI.

Question 95

Electromagnetic Pulse (EMP)

Answer 95

An Electromagnetic Pulse (EMP) is a very powerful but short duration wave with the potential to destroy any type of electronic equipment. Electrostatic Discharge (ESD) can be classified as EMP.

It is possible to build EMP generators and deploy them with the intent of performing a DoS attack against a computer system. Apart from shielding every critical system that might be exposed, the only way to protect against this type of attack is to prevent such a device from being brought onto company premises. They can easily be disguised as a camera or other piece of electronic equipment, but smaller devices lack power and may not be able to cause sufficient damage.

There is also the risk of EMP cyber weapons being used by terrorists or hostile nation state actors or that a particularly strong solar storm could cause EMP effects. An EMP cyber weapon is a nuclear or conventional explosive device designed to explode in the upper atmosphere in such a way that it causes widespread EMP effects across a wide area below the explosion. EMP effects can be mitigated using Faraday Cage type shielding. Projects and funding are being initiated to harden civilian infrastructure against such attacks

Question 96

external storage devices

Answer 96

As revealed by researcher Karsten Nohl in his BadUSB paper (https://srlabs.de/wp-content/uploads/2014/07/SRLabs-BadUSB-BlackHat-v1.pdf), exploiting the firmware of external storage devices, such as USB flash drives (and potentially any other type of firmware), presents adversaries with an incredible toolkit. The firmware can be reprogrammed to make the device look like another device class, such as a keyboard. In this case, it could then be used to inject a series of keystrokes upon an attachment or work as a keylogger. The device could also be programmed to act like a network device and corrupt name resolution, redirecting the user to malicious websites.

Creating such malicious firmware code requires considerable resources to achieve and is only likely to be used in highly targeted attacks. However, you should warn users of the risks and repeat the advice to never attach devices of unknown provenance to their computers. If you suspect a device as an attack vector, observe a sandboxed lab system (sometimes referred to as a sheep dip) closely when attaching the device. Look for command prompt windows or processes such as the command interpreter starting and changes to the registry or other system files.

Some other known security concerns and active exploits against peripheral devices are listed here. You should note that these are by no means exhaustive. Researchers and cyber-attackers are developing new exploit techniques all the time. It is imperative to keep up to date with news of new security vulnerabilities.

Question 97

principal security exploit of wireless input devices

Answer 97

The principal security exploit of wireless input devices is snooping. One example of such an attack is called mousejacking (https://www.bastille.net/research/vulnerabilities/mousejack/technical-details). Hackers can use radio transmitters to inject commands and keystrokes or read input. The attack principally works because while keyboard input is often encrypted, mouse input is not, and the vulnerable devices can be tricked into accepting keyboard input via the mouse controller.

Note: Most keyboards does not mean all. The Bastille researchers have tested numerous keyboards with their Keysniffer utility (https://www.keysniffer.net) and found many that are vulnerable.

Like most peripherals, displays have no protection against malicious firmware updates. Researchers (https://motherboard.vice.com/en_us/article/jpgdzb/hackers-could-break-into-your-monitor-to-spy-on-you-and-manipulate-your-pixels) have demonstrated an exploit against a reverse-engineered Dell monitor. Once the malicious firmware is loaded, the display can be manipulated by sending it instructions coded into pixel values in a specially crafted web page.

Question 98

most famous printer exploits

Answer 98

One of the most famous printer exploits was to rewrite the firmware of a Canon inkjet to install the computer game Doom on it (https://contextis.com/en/blog/hacking-canon-pixma-printers-doomed-encryption). Printers or more generally Multifunction Devices (MFD), with fax and scan capabilities, represent a powerful pivot point on an enterprise network:

• Interfaces and code are not always kept as secure as OS code, making them potentially more vulnerable to compromise.
• An adversary can snoop on and copy highly confidential data in cleartext.
• The hard disk is a useful means of staging data for exfiltration.
• Network connectivity might bridge user and administrative network segments and allow wider network penetration.

Question 99

Wi-Fi-enabled MicroSD card

Answer 99

As the description suggests, a Wi-Fi-enabled MicroSD card can connect to a host Wi-Fi network to transfer images stored on the card. Unfortunately, it is straightforward to replace the kernel on this type of device and install whatever software the hacker chooses (http://dmitry.gr/index.php?r=05.Projects&proj=15&proj=15.%20Transcend%20WiFiSD). This presents a hacker with a perfect device to use to perform network reconnaissance, similar to the Wi-Fi Pineapple (https://wifipineapple.com).

Question 100

Digital cameras

Answer 100

Digital cameras may be equipped with Wi-Fi and cellular data adapters to allow connection to the Internet and posting of images directly to social media sites. A smart camera may also be equipped with a GPS receiver, allowing an image to be tagged with information about where it was taken (geotagging). The flash media storage used by a camera may also be infected with malware or used for data exfiltration, so cameras should be treated like any other removable USB storage and their connection to enterprise hosts subjected to access controls.

Question 101

Weak or misconfigured security configurations

Answer 101

ay leave administrative access protected with a default account or password that is publicly available, sensitive ports open to the Internet, or any number of other such weaknesses. Many breaches have taken place in recent years over exactly these sorts of security vulnerabilities. Any service or interface that is enabled through the default installation or default configuration and left unconfigured should be considered a vulnerability. If a particular configuration deviates from the baseline set, that can be taken as suspicious and the variations investigated.

Question 102

default configurations

Answer 102

In the last few years, vendors have started shipping devices and software in secure default configurations. This means that the default installation is (theoretically) secure but minimal. Any options or services must explicitly be enabled by the installer. This is not the case for older devices and software though; these would often be shipped with all the “bells and whistles” activated to make set up easier. When installing any new device or software, you must use a security policy to determine the strongest possible configuration, and not just leave it to the default.

Question 103

secure configuration

Answer 103

The process of putting an operating system or application in a secure configuration is called hardening. Typically, hardening is implemented to conform with the security requirements in a defined security policy. Many different hardening techniques can be employed, depending on the type of system and the desired level of security. When hardening a system, it is important to keep in mind its intended use, because hardening a system can also restrict the system’s access and capabilities. The need for hardening must be balanced against the access requirements and usability in a particular situation.

Question 104

host software baselining

Answer 104

For an OS functioning in any given role, there will usually be a fairly standard series of steps to follow to apply a secure configuration to allow the OS and applications software to execute that role. This can also be described as host software baselining.

Question 105

The essential principle is of least functionality of host software baselining; that a system should run only the protocols and services required by legitimate users and no more. This reduces the potential attack surface.

Answer 105

• Interfaces provide a connection to the network. Some machines may have more than one interface. For example, there may be wired and wireless interfaces or a modem interface. Some machines may come with a management network interface card. If any of these interfaces are not required, they should be explicitly disabled rather than simply left unused.
• Services provide a library of functions for different types of applications. Some services support local features of the OS and installed applications. Other services support remote connections from clients to server applications. Unused services should be disabled.
• Application service ports allow client software to connect to applications. Again, these should be closed if remote access is not required. Also consider that an application may use multiple ports. For example, there may be a standard user port and another port for management functions. Finally, be aware that a server might be configured with a non-standard port. For example, an HTTP server might be configured to use 8080 rather than 80.

It is also important to establish a maintenance cycle for each device and keep up to date with new security threats and responses for the particular software products that you are running.

Question 106

baseline configuration

Answer 106

Because each baseline configuration is specific to a particular type of system, you will have separate baselines defined for desktop clients, file and print servers, Domain Name System (DNS) servers, application servers, directory services servers, and other types of systems. You will also have different baselines for all those same types of systems, depending on the operating system in use.

While a workstation cannot be hardened to the same extent or with the same rigidity that a server can, several steps can be taken to improve its level of security and decrease the risk of it being used as a vector of attack. This generally consists of ensuring that the device is patched and up-to-date, is running all the required security tools, and is not running any unnecessary or unauthorized applications or services.

Question 107

The following checklist shows the sort of steps that are required to harden the OS of a workstation PC:

Answer 107

1. Remove (or disable) devices that have no authorized function. These could include a legacy modem or floppy disk or standard optical disk drives, USB ports, and so on.
2. Test and install OS and application patches and driver/firmware updates (when they have been tested for network compatibility) according to a regular maintenance schedule. Patches for critical security vulnerabilities may need to be installed outside the regular schedule.
3. Uninstall all but the necessary network protocols.
4. Uninstall or disable services that are not necessary (such as local web server or file and print sharing) and remove or secure any shared folders.
5. Enforce Access Control Lists on resources, such as local system files and folders, shared files and folders, and printers.
6. Restrict user accounts so that they have least privilege over the workstation (especially in terms of installing software or devices).
7. Secure the local administrator or root account by renaming it and applying a strong password.
8. Disable default user and group accounts (such as the Guest account in Windows) and verify the permissions of system accounts and groups (removing the Everyone group from a folder’s ACL, for instance).
9. Install anti-virus software (or malware protection software) and configure it to receive virus definition updates regularly. Anti-virus software should also be configured so that the user cannot disable it and so that it automatically scans files on removable drives, files downloaded from the Internet, or files received as email/IM file attachments.

Note: Mobile devices require many of the same hardening steps that workstations do, with a few additional considerations that are specific to mobile security. As mobile devices are generally configured with access to email accounts, personal photographs, text messages, and the like, the loss of an inappropriately secured mobile device can be a very risky proposition.

Question 108

network servers

Answer 108

Much of the same procedure applies to network servers, network appliances (switches and routers), and web applications, only more so. Obviously, a server will host more shares and services than a client, but the same principle of running only services (or application features) that are required applies. For example, the default installation choice for Windows Server® is the Server Core option, which excludes most of the familiar shell tools, such as File Explorer and MMCs. Server Core also only supports a limited number of roles, including AD DS, file/print, IIS, Hyper-V®, DHCP, and DNS.

Question 109

Administrative Templates

Answer 109

On Windows® networks, Group Policy Objects (GPOs) are a means of applying security settings (as well as other administrative settings) across a range of computers. GPOs are linked to network administrative boundaries in Active Directory®, such as sites, domains, and Organizational Units (OU). GPOs can be used to configure software deployment, Windows settings, and, through the use of Administrative Templates, custom Registry settings. Settings can also be configured on a per-user or per-computer basis.

Question 110

Resultant Set of Policies (RSoP)

Answer 110

A system of inheritance determines the Resultant Set of Policies (RSoP) that apply to a particular computer or user. GPOs can be set to override or block policy inheritance where necessary.

Question 111

Network appliances

Answer 111

(access points, switches, routers, and firewalls, for instance) present somewhat of a special case for hardening. While many of the same concepts apply, these devices are often configurable only within the parameters allowed by their manufacturers. Hardening of network devices is often restricted to ensuring that the device is patched and appropriately configured. It should, however, be noted that, in some cases, devices being marketed as appliances are actually just standard Linux® or Windows servers with a restricted interface. Great care must be taken when altering such devices outside of the vendor’s guidelines, as unexpected results may occur.

The other side of running services and protocols is availability. You may need to consider the likelihood of Denial of Service (DoS) attacks against a particular service and provide alternative means for clients to access it. This could mean providing multiple network links, running redundant servers, configuring separate physical servers for different server applications, and so on.

Question 112

kiosk

Answer 112

A kiosk is a computer terminal deployed to a public environment. Kiosks have a wide range of uses, such as providing ATM services or airport check-in, as well as informational kiosks used in shopping centers, art galleries, and museums. A kiosk needs to be fully locked down so that users are only able to access the menus and commands needed to operate the kiosk application.

Some kiosks will run dedicated operating systems. Specialist kiosk software to implement secure functionality on a publicly-accessible device is available for operating systems such as Windows, Android®, or iOS®. Hardware ports must be made completely inaccessible. If the kiosk supports keyboard input, this must be filtered to prevent the use of control keys to launch additional windows or utilities.

Question 113

Baseline deviation reporting

Answer 113

means testing the actual configuration of clients and servers to ensure that they are patched and that their configuration settings match the baseline template. On Windows networks, the Microsoft Baseline Security Analyzer (MBSA) tool was popularly used to validate the security configuration. MBSA can also be used to scan for weak passwords. MBSA and other Microsoft reporting tools have now been replaced by the Security Compliance Toolkit

Question 114

When troubleshooting why a system is no longer in alignment with the established baseline, keep in mind the following:

Answer 114

• The state of a system will drift over time as a result of normal operations. This does not necessarily indicate that an attack has taken place.
• Patches and other updates may cause the baseline to be outdated, prompting you to update the baseline.

Question 115

Baseline deviations that are the result of an attack may be very subtle if the attacker has done reconnaissance and is familiar with the baseline.

Answer 115

• Enforcing a baseline on user workstations will not be effective unless the fundamental configurations are locked down and access controlled.
• Multiple critical systems with the same or similar baseline deviations will require swift remediation.
• The nature of a baseline deviation may reveal malicious intent. A system that is supposed to be shut off from remote access that suddenly has Telnet installed and activated is a cause for concern.

Question 116

Execution control

Answer 116

the process of determining what additional software may be installed on a client or server beyond its baseline.

Question 117

unauthorized software

Answer 117

Execution control to prevent the use of unauthorized software can be implemented as either an application whitelist or a blacklist:

• Whitelist control means that nothing can run if it is not on the approved whitelist.
• Blacklist control means that anything not on the prohibited blacklist can run.

Anti-virus works on the basis of a blacklist. Malware known to the anti-virus software is recorded in its signature database. It blocks any process matching a malware signature from executing. For consumers, most smartphones and tablets work on the basis of whitelists; apps can only be selected from those approved by the OS vendor to be listed in a store. Corporate execution control software might use a mixture of approaches. Whitelisting will inevitably hamper users at some point and increase support time and costs. For example, a user might need to install a particular conferencing application on short notice. Blacklisting is vulnerable to software that has not previously been identified as malicious (or capable of or vulnerable to malicious use).

If a process is blocked from running, an alert will be displayed to the user, who will then probably contact the help desk if they think that they should be able to run that software. You will need to determine if the package should be added to the whitelist/ removed from the blacklist as appropriate.

Question 118

If unauthorized software is found installed and/or running on a host, it should normally be removed. You will also want to investigate how the software was allowed to be installed or executed:

Answer 118

• Place the host system and software in a sandbox before analyzing its running state.
• Check event logs and browsing history to determine the source of the unauthorized software.
• Conduct an anti-malware scan to determine if the software is known to be malicious.
• Verify user privileges and access controls on the host system to re-secure permissions.

Question 119

Enterprise security software will also be able to apply policies to prevent or manage the use of removable media devices, such as flash memory cards, USB-attached flash and hard disk storage, and optical discs. The policies also need to control any type of portable device with storage capabilities, including smartphones, tablets, and digital cameras. Removable media poses two different challenges to security policies:

Answer 119

• The media might be a vector for malware, either through the files stored in the media or its firmware.
• The media might be a means of exfiltrating data.

Security products can use device and vendor IDs to restrict access to only a subset of authorized devices, but a well-resourced attacker would potentially be able to spoof these IDs. A strong policy would block access to any storage device without encrypted access controls. As with application execution control, an alert will be displayed to the user if a device is blocked by the policy. There should be a support process for users to follow to have this type of device scanned and the data files required from it copied to the network in a secure way (if they are valid data files).

Question 120

No Execute (NX)

Answer 120

Computer viruses (and other malware) can use various techniques to infect a PC. One is a so-called buffer overflow attack, where the virus tricks another program into executing it when the other program thinks it is just processing some data. CPUs and operating systems supporting AMD’s No Execute (NX) technology are more resilient against this type of attack because they prevent areas in memory marked for data storage from executing code (running a new program).

Question 121

Execute Disable (XD)

Answer 121

Intel calls this feature Execute Disable (XD); in Windows, it is referred to as Data Execution Prevention (DEP). Most operating systems also support Address Space Layout Randomization (ASLR). ASLR aims to frustrate attacks by making the exact position of a function or reference in system memory difficult for an attacker to predict and exploit.

Question 122

There are two approaches to applying updates:

Answer 122

• Apply all the latest patches to ensure the system is as secure as possible against attacks targeting flaws in the software.
• Only apply a patch if it solves a particular problem being experienced.

The second approach obviously requires more work, as the administrator needs to keep up to date with security bulletins. However, it is well recognized that updates—particularly service releases—can cause problems, especially with software application compatibility, so the second approach is wisest.

Note: Some applications may require the operating system to be patched to a certain level.

It makes sense to trial an update, especially a service release, on a test system to try to discover whether it will cause any problems. Approach the update like a software installation or upgrade (make a backup and a rollback plan). Read the documentation accompanying the update carefully. Updates may need to be applied in a particular order, and there may be known compatibility issues or problems listed in the ReadMe.

Most operating systems and applications now support automatic updates via a vendor website.

Question 123

Microsoft makes the following distinctions between different types of software patches:

Answer 123

• Updates are widely released fixes for bugs. Critical updates address performance problems while security updates address vulnerabilities and can be rated by severity (critical, important, moderate, or low). There are also definition updates for software such as malware scanners and junk mail filters and driver updates for hardware devices.

Note: Microsoft releases most security patches on Patch Tuesday, the second Tuesday in the month. Other patches are often released on the fourth Tuesday.

• Hotfixes are patches supplied in response to specific customer troubleshooting requests. With additional testing, these may later be developed into public release updates.
• Feature packs add new functionality to the software.
• Service packs and update rollups form a collection of updates and hotfixes that can be applied in one packag

Question 124

Windows Update

Answer 124

Patches, driver updates, and service packs for Windows (and other Microsoft software) can be installed using the Windows Update client. This client can be configured to obtain and install updates automatically. The settings used for automatic updates are often configured in Group Policy. Connecting each client directly to the Windows Update website to download patches can waste a lot of bandwidth.

Question 125

Windows Server Update Services (WSUS)

Answer 125

On a network with a lot of computers, it can make more sense to deploy an update server. The update server for Windows networks is called Windows Server Update Services (WSUS).

If an update fails to install, it will report an error code. You can use this code to troubleshoot the issue. Windows Update actions are also written to a log (%windir% \Windowsupdate.log).

Question 126

distributions

Answer 126

Linux is very much based on distributions. A distribution contains the Linux kernel plus any other software packages the distribution vendor or sponsor considers appropriate. Copies of these packages (including any updates) will be posted to a software repository. Often the vendor will maintain different repositories; for example, one for officially supported package versions, one for beta/untested versions, and one for “at own risk” unsupported packages.

Linux software is made available both as source code and as pre-compiled applications. A source code package needs to be run through the appropriate compiler with the preferred options. Pre-compiled packages can be installed using various tools, such as rpm (RedHat®), apt-get (Debian), or yum (Fedora®). Many distributions also provide GUI package manager front-ends to these command-line tools.

The package manager needs to be configured with the web address of the software repository (or repositories) that you want to use. It can then be used to install, uninstall, or update the Linux kernel and applications software. You can schedule update tasks to run automatically using the cron tool.

The integrity of a package can be tested by making an MD5 hash of the compiled package. The MD5 value is published on the package vendor’s site. When you download a package, you can run md5sum on the package file and compare the output with the published value. If they do not match, you should not proceed with the installation. Package managers may also use GPG signatures to validate updates. The public key used to verify the package is stored on the machine.

Question 127

end of life system

Answer 127

An end of life system is one that is no longer supported by its developer or vendor. End of life systems no longer receive security updates and so represent a critical vulnerability if any remain in active use.

Microsoft products are subject to a support lifecycle policy. Windows versions are given five years of mainstream support and five years of extended support (during which only security updates are shipped). Support is contingent on the latest Service Pack being applied (non-updated versions of Windows are supported for 24 months following the release of the SP). You can check the support status for a particular version of Windows at https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet.

Most OS and application vendors have similar policies. Care also needs to be taken with open source software. If the software is well-maintained, the development group will identify versions that have Long Term Support (LTS). Other builds and version branches might not receive updates.

Question 128

abandonware

Answer 128

It is also possible for both open source and commercial projects to be abandoned; if a company continues to rely on such abandonware, it will have to assume development responsibility for it. There are many instances of applications and devices (peripheral devices especially) that remain on sale with serious known vulnerabilities in firmware or drivers and no prospect of vendor support for a fix. The problem is also noticeable in consumer-grade networking appliances and in the Internet of Things (IoT). When provisioning a supplier for applications and devices, it is vital to establish that they have effective security management lifecycles for their products.

Question 129

Follow these guidelines when securing hosts:

Answer 129

• Stay up to date on OS vendor security information.
• Apply security settings to your OSes like disabling unnecessary services and adhering to the principle of least privilege in user accounts.
• Create security baselines for your systems to streamline the hardening process.
• Compare these baselines to your current host configurations.
• Consider implementing application blacklisting or whitelisting to restrict software that can execute on your systems.
• Ensure that all critical activity on your systems is logged.
• Review logs to identify suspicious behavior.
• Prepare for auditing by external parties to verify that your hosts are in compliance.
• Implement anti-malware solutions on your hosts.
• Consider the unique security implications of different hardware peripherals.
• Consider the unique security implications of embedded systems.

Question 130

Mobile devices

Answer 130

have replaced computers for many email and diary management tasks and are integral to accessing many other business processes and cloud-based applications. A mobile device deployment model describes the way employees are provided with mobile devices and applications.

Question 131

Bring Your Own Device (BYOD)

Answer 131

the mobile device is owned by the employee. The mobile will have to meet whatever profile is required by the company (in terms of OS version and functionality) and the employee will have to agree on the installation of corporate apps and to some level of oversight and auditing. This model is usually the most popular with employees but poses the most difficulties for security and network managers.

Question 132

Corporate Owned, Business Only (COBO)

Answer 132

device is the property of the company and may only be used for company business.

Question 133

Corporate Owned, Personally-Enabled (COPE)

Answer 133

device is chosen and supplied by the company and remains its property. The employee may use it to access personal email and social media accounts and for personal web browsing (subject to whatever acceptable use policies are in force).

Question 134

Choose Your Own Device (CYOD)

Answer 134

same as COPE but the employee is given a choice of device from a list.

Question 135

Virtual Desktop Infrastructure (VDI)

Answer 135

Virtualization can provide an additional deployment model. Virtual Desktop Infrastructure (VDI) means provisioning a workstation OS instance to interchangeable hardware. The hardware only has to be capable of running a VDI client viewer. The instance is provided “as new” for each session and can be accessed remotely. The same technology can be accessed via a mobile device such as a smartphone or tablet. This removes some of the security concerns about BYOD as the corporate apps and data are segmented from the other apps on the device.

Question 136

Mobile Device Management (MDM)

Answer 136

a class of management software designed to apply security policies to the use of mobile devices in the enterprise. This software can be used to manage enterprise-owned devices as well as Bring Your Own Device (BYOD).

Question 137

Network Access Control (NAC)

Answer 137

The core functionality of these suites is rather similar to Network Access Control (NAC) solutions. The management software logs the use of a device on the network and determines whether to allow it to connect or not, based on administrator-set parameters. When the device is enrolled with the management software, it can be configured with policies to allow or restrict use of apps, corporate data, and built-in functions, such as a video camera or microphone.

A key feature is the ability to support multiple operating systems, such as iOS®, Android™, BlackBerry®, and the various iterations of Windows® and Windows Mobile®. A few MDM suites are OS-specific, but the major ones, such as AirWatch® (http://air-watch.com), Microsoft Intune® (https://www.microsoft.com/en-us/enterprise-mobility-security/microsoft-intune), Symantec™ (https://www.symantec.com/products/endpoint-protection-mobile), and XenMobile (https://www.citrix.com/products/citrix-endpoint-management), support multiple device vendors.

Question 138

iOS

Answer 138

operating system for Apple’s iPhone® smartphone and iPad® tablet. Apple® makes new versions freely available, though older hardware devices may not support all the features of a new version (or may not be supported at all).

In iOS, what would be called programs on a PC are described as apps. Several apps are included with iOS, but third-party developers can also create them using Apple’s Software Development Kit, available only on Mac OS. Apps have to be submitted to and approved by Apple before they are released to users, via the App Store. Corporate control over iOS devices and distribution of corporate and B2B (Business-to-Business) apps is facilitated by participating in the Device Enrollment Program (https://support.apple.com/business), the Volume Purchase Program, and the Developer Enterprise Program (https://developer.apple.com/programs/enterprise). Another option is to use an EMM suite and its development tools to create a “wrapper” for the corporate app.

Most iOS attacks are the same as with any system; users click malicious links or enter information into phishing sites, for instance. As a closed and proprietary system, it should not be possible for malware to infect an iOS device as all code is updated from Apple’s servers only. There remains the risk that a vulnerability in either iOS or an app could be discovered and exploited. In this event, users would need to update iOS or the app to a version that mitigates the exploit.

iOS devices are normally updated very quickly. With Android, the situation is far more patchy, as updates often depend on the handset vendor to complete the new version or issue the patch for their flavor of Android. Android OS is more open and there is Android malware, though as with Apple, it is difficult for would-be hackers and spammers to get it into any of the major app repositories.

Question 139

Android

Answer 139

a smartphone/tablet OS developed by the Open Handset Alliance (primarily driven by Google). Unlike iOS, it is an open source OS, based on Linux®. This means that there is more scope for hardware vendors, such as Asus, HTC, LG, Samsung, and Sony, to produce vendor-specific versions. The app model is also more relaxed, with apps available from both Google Play™ (Android Market) and third-party sites, such as Amazon’s app store. The SDK is available on Linux, Windows, and macOS®. The Android for Work (https://www.android.com/enterprise) program facilitates use of EMM suites and the containerization of corporate workspaces. Additionally, Samsung has a workspace framework called KNOX (https://www.samsung.com/us/business/solutions/samsung-knox) to facilitate EMM control over device functionality.

Like iOS, Android apps operate within a sandbox. When the app is installed, access is granted (or not) to specific shared features, such as contact details, SMS texting, and email. As well as being programmed with the code for known malware, A-V software for Android can help the user determine whether an app install is seeking more permissions than it should. However, because the A-V software is also sandboxed, it is often not very effective. Mobile A-V software can also have a substantial impact on performance and battery life.

Question 140

data access

Answer 140

Smartphones and some tablets use the cell phone network for calls and data access. There have been attacks and successful exploits against the major infrastructure and protocols underpinning the telecoms network, notably the SS7 hack (https://www.theregister.co.uk/2017/05/03/hackers_fire_up_ss7_flaw). There is little that either companies or individuals can do about these weaknesses. The attacks require a high degree of sophistication and are relatively uncommon.

Question 141

pen access points or possibly a rogue access point

Answer 141

Mobile devices usually default to using a Wi-Fi connection for data, if present. If the user establishes a connection to a corporate network using strong WPA2 security, there is a fairly low risk of eavesdropping or Man-in-the-Middle attacks. The risks from Wi-Fi come from users connecting to open access points or possibly a rogue access point imitating a corporate network. These allow the access point owner to launch any number of attacks, even potentially compromising sessions with secure servers (using an SSL stripping attack, for instance).

Question 142

Personal Area Network (PAN)

Answer 142

As well as providing local networking, Wi-Fi can be used to establish a Personal Area Network (PAN). Most PANs enable connectivity between a mobile device and peripherals, but ad hoc (or peer-to-peer) networks between mobile devices or between mobile devices and other computing devices can also be established.

Question 143

ANT

Answer 143

Bluetooth is a widely used radio standard for wireless connectivity. Devices can be configured with a pass code to try to prevent malicious pairing. More recently, the ANT protocol and its associated product standard ANT+ have seen widespread use in communicating health and fitness sensor data between devices. As with any communication protocol, Bluetooth and ANT have potential vulnerabilities, but other significant risks come from the device being connected to. A peripheral device with malicious firmware can be used to launch highly effective attacks. This type of risk has a low likelihood, as the resources required to craft such malicious peripherals are demanding.

Question 144

Wi-Fi Direct

Answer 144

Peer-to-peer connections can also be established using Wi-Fi Direct, though in this case, one of the devices actually functions as a soft access point. Ad hoc networks only support weak WEP security while Wi-Fi Direct can use WPA2.

Question 145

tethering

Answer 145

There are also various means for a mobile device to share its cellular data or Wi-Fi connection with other devices (tethering). In terms of corporate security, these peer-to-peer functions should generally be disabled. It might be possible for an attacker to exploit a misconfigured device and obtain a bridged connection to the corporate network.

Question 146

Infrared signaling has been used for PAN in the past (IrDA), but the use of infrared in modern smartphones and wearable technology focuses on two other uses:

Answer 146

• IR blaster—this allows the device to interact with an IR receiver and operate a device such as a TV or HVAC monitor as though it were the remote control handset.
• IR sensor—these are used as proximity sensors (to detect when a smartphone is being held to the ear, for instance) and to measure health information (such as heart rate and blood oxygen levels).

Question 147

Near Field Communications (NFC) chip

Answer 147

A Near Field Communications (NFC) chip allows a mobile device to make payments via contactless point-of-sale (PoS) machines. To configure a payment service, the user enters their credit card information into a mobile wallet app on the device. The wallet app does not transmit the original credit card information, but a one-time token that is interpreted by the card merchant and linked backed to the relevant customer account.

There are three major mobile wallet apps: Apple Pay®, Google Pay™ (formerly Android Pay), and Samsung Pay. Some PoS readers may only support a particular type of wallet app or apps. There are different security models, too. Google Pay just requires the device to be unlocked to authorize a payment, so it works with any device with an NFC chip. Apple Pay is used in conjunction with the device’s fingerprint reader and is only supported on the iPhone 6 and up. Samsung Pay is authorized by using a fingerprint reader, an iris scanner, or a PIN method. Samsung devices also support Magnetic Strip Technology (MST), which allows use of the digital wallet at non-NFC terminals.

Despite having a strict physical proximity requirement, NFC is vulnerable to several types of attacks. Certain antenna configurations may be able to pick up the RF signals emitted by NFC from several feet away, giving an attacker the ability to eavesdrop from a more comfortable distance. An attacker with a reader may also be able to skim information from an NFC device in a crowded area, such as a busy train. An attacker may also be able to corrupt data as it is being transferred through a method similar to a DoS attack—by flooding the area with an excess of RF signals to interrupt the transfer. If someone loses an NFC device or a thief steals it, and the device has no additional layers of authentication security, then anyone can use the device in several malicious ways.

Question 148

USB On The Go (OTG)

Answer 148

Android devices can be connected to a computer via the USB port. Apple devices require a lightning-to-USB converter cable. Once attached the computer can access the device’s hard drive, sync or backup apps, and upgrade the firmware. Some Android USB ports support USB On The Go (OTG) and there are adapters for iOS devices. USB OTG allows a port to function either as a host or as a device. For example, a port on a smartphone might operate as a device when connected to a PC, but as a host when connected to a keyboard or external hard drive. The extra pin communicates which mode the port is in.

There are various ways in which USB OTG could be abused. Media connected to the smartphone could host malware. The malware might not be able to affect the smartphone itself but could be spread between host computers or networks via the device. It is also possible that a charging plug could act as a Trojan and try to install apps (referred to as juice jacking), though modern versions of both iOS and Android now require authorization before the device will accept the connection.

Question 149

Satellite communications (SATCOM)

Answer 149

Some businesses have to establish telecommunications in extremely remote areas or (in the case of military forces) use a communications system that is wholly owned and managed. Satellite communications (SATCOM) offer the best solutions to these requirements. The Wideband Global SATCOM (WGS) system aims to expand the bandwidth available to military communications satellites for use by North American and Australian defense forces. UK defense forces use a system of satellites called Skynet. Commercial satellite services are widely available.

As with telecommunications infrastructure, SATCOMs are as secure as the service provider operating the system. Weaknesses have been found in military satellite communications systems, and projects, such as WGS, aim to make such systems more resilient.

Note that SATCOM access requires satellite phone handsets (or fixed receiver equipment) and cannot be accessed using “normal” smartphones.

Question 150

mobile device access control systems

Answer 150

Authentication on mobile devices is very important, as they are more easily lost. If an attacker is able to gain access to a smartphone or tablet, they can obtain a huge amount of information and the tools with which to launch further attacks. Quite apart from confidential data files that might be stored on the device, it is highly likely that the user has cached passwords for services such as email or remote access VPN and websites. In addition to this, access to contacts and message history (SMS, email, and IM) greatly assists social engineering attacks.

The majority of smartphones and tablets are single-user devices. Access control can be implemented by configuring a screen lock that can only be bypassed using the correct password, PIN, or swipe pattern. Many devices now support biometric authentication, usually as a fingerprint reader but sometimes using facial or voice recognition.

The screen lock can also be configured with a lockout policy. This means that if an incorrect passcode is entered, the device locks for a set period. This could be configured to escalate (so the first incorrect attempt locks the device for 30 seconds while the third locks it for 10 minutes, for instance). This deters attempts to guess the passcode.

It is also important to consider newer authentication models, such as context-aware authentication. For example, smartphones now allow users to disable screen locks when the device detects that it is in a trusted location, such as the home. Conversely, an enterprise may seek more stringent access controls to prevent misuse of a device.

Question 151

remote wipe or kill switch

Answer 151

Another possibility is for the phone to support a remote wipe or kill switch. This means that if the handset is stolen it can be set to the factory defaults or cleared of any personal data (sanitization). Some utilities may also be able to wipe any plug-in memory cards too. The remote wipe could be triggered by several incorrect passcode attempts or by enterprise management software. Other features include backing up data from the phone to a server first and displaying a “Lost/stolen phone—return to XX” message on the handset.

In theory, a thief can prevent a remote wipe by ensuring the phone cannot connect to the network, then hacking the phone and disabling the security.

Question 152

All but the early versions of mobile device OSes for smartphones and tablets provide full device encryption. In iOS 5 (and higher), there are various levels of encryption.

Answer 152

• All user data on the device is always encrypted but the key is stored on the device. This is primarily used as a means of wiping the device. The OS just needs to delete the key to make the data inaccessible rather than wiping each storage location.
• Email data and any apps using the “Data Protection” option are subject to a second round of encryption using a key derived from and protected by the user’s passcode (if this is configured). This provides security for data in the event that the device is stolen. Not all user data is encrypted using the “Data Protection” option; contacts, SMS messages, and pictures are not, for example.

In iOS, Data Protection encryption is enabled automatically when you configure a password lock on the device. In Android, you need to enable encryption via Settings→Security. Android uses full-disk encryption with a passcode-derived key. When encryption is enabled, it can take some time to encrypt the device.

Note: The encryption key is derived from the PIN or password. In order to generate a strong key, you should use a strong password. Of course, this makes accessing the device each time the screen locks more difficult.

A mobile device contains a solid state (flash memory) drive for persistent storage of apps and data. Typical capacities range from 8 to 256 GB. This storage is not upgradeable. Some Android and Windows devices support removable storage using external media, such as a plug-in Micro SecureDigital (SD) card slot; some may support the connection of USB-based storage devices. The mobile OS encryption software might allow encryption of the removable storage too, but this is not always the case. Care should be taken to apply encryption to storage cards using third-party software if necessary and to limit sensitive data being stored on them.

iOS-based devices cannot use removable storage, though there are adapters for importing media via an SD card reader or camera connection kit.

Question 153

Geolocation

Answer 153

the use of network attributes to identify (or estimate) the physical position of a device. Cell phone service providers can use the cell system to triangulate the location of a phone to within a few meters. This is useful for making emergency calls with a phone but has privacy and security implications. In some countries, providers are willing to sell this information to third-parties, including private investigators and debt collectors, as well as making the information available to law enforcement.

Question 154

Global Positioning System (GPS) chips

Answer 154

GPS is a means of determining a receiver’s position on the Earth (its latitude and longitude) based on information received from GPS satellites. The receiver must have line-of-sight to the GPS satellites. GPS provides another means of locating the device. As GPS requires line-of-sight, it does not work indoors.

Question 155

Indoor Positioning Systems (IPS)

Answer 155

work out a device’s location by triangulating its proximity to other radio sources, such as Wi-Fi access points or Bluetooth beacons.

The user needs to install some tracking software and register the phone with the locator application (these are normally subscription services). Having done this, the location of the phone (as long as it is powered on) can be tracked from any web browser.

Question 156

Location Services

Answer 156

Knowing the device’s position also allows app vendors and websites to offer location-specific services (relating to search or local weather, for instance) and (inevitably) advertising. You can use Location Services settings to determine how visible your phone is to these services.

The primary concern surrounding location services is one of privacy. Although very useful when used with navigation systems, it provides a mechanism to track an individual’s movements, and therefore their social habits. The problem is further compounded by the plethora of mobile apps that require access to location services and then both send the information to the application developers and store it within the device’s file structure. If an attacker can gain access to this data, then stalking, social engineering, and even identity theft become real possibilities.

Question 157

application management

Answer 157

It is critical that the organization’s mobile device security practices be specified via policies, procedures, and training. Although we always want our practices specified via policies and procedures, it is particularly important with respect to mobile devices because these devices tend to be forgotten or overlooked. They don’t reside, or live, in the workplace in the same way as, for example, a desktop computer, and they won’t necessarily be there when virus databases are being updated, patches are being installed, files are backed up, and so on. Part of the practice of managing these devices involves making sure that they are kept as secure as devices that reside permanently within the physical infrastructure. Most mobile policy enforcement and monitoring procedures rely on installing an MDM software agent to the mobile device.

EMM software can be used for application management. When the device is joined to the corporate network through enrollment with the EMM software, it can be configured into a corporate “workspace” mode in which only a certain number of whitelisted applications can run.

Third-party developers can create apps using the relevant Apple or Android Software Development Kit (SDK). Apps have to be submitted to and approved by the vendor before they are released to users. Apps are made available for free or can be bought from the iTunes App Store or Google Play (or other marketplace supported by the device).

Question 158

Android Application Package (apk) file

Answer 158

There is an Apple Developer Enterprise program allowing corporate apps to be distributed to employees without having to publish them in the app store. Android allows third-party or bespoke programs to be installed directly via an Android Application Package (apk) file, giving users and businesses the flexibility to directly install apps (sideload) without going through the storefront interface. MDM software often has the capability to block unapproved app sources.

Question 159

Rooting

Answer 159

this term is associated with Android devices. Some vendors provide authorized mechanisms for users to access the root account on their device. For some devices, it is necessary to exploit a vulnerability or use custom firmware.

Rooting or jailbreaking mobile devices involves subverting the security measures on the device to gain administrative access to it. This is generally done in order to enable access to settings that cannot normally be changed or to allow applications to be installed that are not authorized by the device vendor. This also has the side effect of leaving many security measures permanently disabled. If the user has root permissions, then essentially any MDM agent software running on the device is compromised. MDM has routines to detect a rooted or jailbroken device, but it is usually straightforward for malicious software to intercept and modify the reports whenever the agent attempts to communicate with its management server. The device is also at greater risk from malware. As rooting places the device in a considerably more risky category, it is not recommended.

Enterprise Mobility Management is moving more toward containerization as the best solution for enterprise workspaces. These solutions can use cryptography to protect the workspace in a way that is much harder to compromise, even from a rooted/ jailbroken device.

Question 160

Jailbreaking

Answer 160

iOS is more restrictive than Android so the term “jailbreaking” became popular for exploits that enabled the user to obtain root privileges, sideload apps, change or add carriers, and customize the interface. iOS jailbreaking is accomplished by booting the device with a patched kernel. For most exploits, this can only be done when the device is attached to a computer when it boots (tethered jailbreak).

Rooting or jailbreaking mobile devices involves subverting the security measures on the device to gain administrative access to it. This is generally done in order to enable access to settings that cannot normally be changed or to allow applications to be installed that are not authorized by the device vendor. This also has the side effect of leaving many security measures permanently disabled. If the user has root permissions, then essentially any MDM agent software running on the device is compromised. MDM has routines to detect a rooted or jailbroken device, but it is usually straightforward for malicious software to intercept and modify the reports whenever the agent attempts to communicate with its management server. The device is also at greater risk from malware. As rooting places the device in a considerably more risky category, it is not recommended.

Enterprise Mobility Management is moving more toward containerization as the best solution for enterprise workspaces. These solutions can use cryptography to protect the workspace in a way that is much harder to compromise, even from a rooted/ jailbroken device.

Question 161

Carrier unlocking

Answer 161

for either iOS or Android, this means removing the restrictions that lock a device to a single carrier.

Question 162

When a device is privately owned and stores a mix of corporate and personal data, the questions of data ownership and privacy arise.

Answer 162

• Data ownership—how can rights over corporate data be asserted on a device that does not belong to the corporation?
• Privacy—how can the corporation inspect and manage a BYOD without intruding on private data and device usage?

Question 163

containerization

Answer 163

At one level, these concerns of data ownership and privacy need to be addressed by policy and guidance, agreed between the employer and employees. These sorts of concerns have also been addressed by EMM vendors in the form of containerization. This allows the employer to manage and maintain the portion of the device that interfaces with the corporate network. When the device is used on the enterprise network, a corporate workspace with a defined selection of apps and a separate storage container is created (storage segmentation). The enterprise is thereby able to maintain the security it needs but does not have access to personal data/applications. Data in the protected storage area can be used only by the apps permitted by the EMM policy.

Examples of storage segmentation include BlackBerry’s BlackBerry Balance technology, AirWatch’s Workspace Management features, and the Android for Work framework.

Question 164

content management

Answer 164

Containerization also assists content management and Data Loss Prevention (DLP) systems. A content management system tags corporate or confidential data and prevents it from being shared or copied to unauthorized media or channels, such as non-corporate email systems or cloud storage services.

Question 165

Geofencing

Answer 165

the practice of creating a virtual boundary based on real-world geography. Geofencing can be a useful tool with respect to controlling the use of camera or video functions. This involves disabling cameras on mobile devices when they are in areas that should not allow photographs or video according to policy. An organization may use geofencing to create a perimeter around its office property, and subsequently, limit the functionality of any devices that exceed this boundary. The device’s position is obtained from locations services (that is, GPS and/or the indoor positioning system).

Question 166

GPS tagging

Answer 166

the process of adding geographical identification metadata, such as the latitude and longitude where the device was located at the time, to media such as photographs, SMS messages, video, and so on. It allows the app to place the media at specific latitude and longitude coordinates. GPS tagging is highly sensitive personal information and should be processed carefully by an app. The user must be able to consent to the ways in which this information is used and published. Consider for example GPS tagged pictures uploaded to social media. These could be used to track a person’s movements and location.

Question 167

Short Message Service (SMS) and Multimedia Message Service (MMS)

Answer 167

operated by the cellular network providers. They allow transmission of text messages and binary files. Vulnerabilities in processing these messages have resulted in DoS attacks against certain handsets. Vulnerabilities in SMS and the SS7 signaling protocol that underpins it have also cast doubt on the security of 2-step verification mechanisms

Question 168

Push notifications

Answer 168

store services (such as Apple Push Notification Service and Google Cloud to Device Messaging) that an app or website can use to display an alert on a mobile device. Users can choose to disable notifications for an app, but otherwise the app developer can target notifications to some or all users with that app installed. Developers need to take care to properly secure the account and services used to send push notifications. There have been examples in the past of these accounts being hacked and used to send fake communications.

Question 169

baseband update

Answer 169

A baseband update modifies the firmware of the radio modem used for cellular, Wi-Fi, Bluetooth, NFC, and GPS connectivity.

Question 170

radio firmware

Answer 170

The radio firmware in a mobile device contains an operating system that is separate from the end-user operating system (for example, Android or iOS). The modem uses its own baseband processor and memory, which boots a Realtime Operating System (RTOS). An RTOS is often used for time-sensitive embedded controllers, of the sort required for the modulation and frequency shifts that underpin radio-based connectivity.

Question 171

Over The Air (OTA)

Answer 171

The procedures for establishing radio connections are complex and require strict compliance with regulatory certification schemes, so incorporating these functions in the main OS would make it far harder to bring OS updates to market. Unfortunately, baseband operating systems have been associated with several vulnerabilities over the years, so it is imperative to ensure that updates are applied promptly. These updates are usually pushed to the handset by the device vendor, often as part of OS upgrades. The updates can be delivered wirelessly, either through a Wi-Fi network or the data connection, referred to as Over The Air (OTA). A handset that has been jailbroken or rooted might be able to be configured to prevent baseband updates or apply a particular version manually, but in the general course of things, there is little reason to do so.

There are various ways of exploiting vulnerabilities in the way these updates work. A well-resourced attacker can create an “evil base station” using a Stingray/IMSI catcher type of device. This will allow the attacker to identify the location of cell devices operating in the area. In some circumstances it might be possible to launch a Man-in-the-Middle attack and abuse the firmware update process to compromise the phone.

Question 172

Follow these guidelines when implementing mobile device security:

Answer 172

• Be aware of the different connection methods mobile devices may use in your organization.
• Be aware of the different levels of control you have over certain connection methods.
• Incorporate a mobile device management platform in your organization.
• Implement security controls on mobile devices such as screen locking, geolocation, remote wipe, device encryption, and more.
• Monitor certain activities associated with mobile devices, such as app installation from third parties, rooting/jailbreaking, carrier unlocking, and more.
• Enforce policies to curtail or disable the use of certain mobile device activities that bring unwanted risk to the organization.
• Consider the different ways that mobile devices can be deployed in your organization.
• Be aware of the inherent risks of allowing BYOD in your organization.
• Apply various security controls to combat BYOD risks, such as making decisions about ownership, encouraging the use of anti-malware apps, providing users with the tools and knowledge to uphold privacy, and more.

Question 173

embedded system

Answer 173

An embedded system is a complete computer system that is designed to perform a specific, dedicated function. These systems can be as contained as a microcontroller in an intravenous drip-rate meter or as large and complex as an industrial control system managing a water treatment plant. Embedded systems are typically static environments. A PC is a dynamic environment. The user can add or remove programs and data files, install new hardware components, and upgrade the operating system. A static environment does not allow or require such frequent changes.

In terms of security, this can be ideal because unchanging (versus dynamic) environments are typically easier to protect and defend. Static computing environments pose several risks, however. A static environment is often a black box to security administrators. Unlike an OS environment such as Windows, there may be little support for identifying and correcting security issues.

Question 174

firmware running on a Programmable Logic Controller (PLC)

Answer 174

Updates for embedded systems are possible, but usually only through specific management interfaces. Embedded systems are normally based on firmware running on a Programmable Logic Controller (PLC). If updates are supported by the vendor or manufacturer, this firmware can be patched and reprogrammed. The method used to do so must be carefully controlled.

Question 175

System on a Chip (SoC)

Answer 175

Desktop computer system architecture uses a generalized CPU plus various other processors and controllers and system memory, linked via the motherboard. System on a Chip (SoC) is a design where all of these processors, controllers, and devices are provided on a single processor die (or chip). This type of packaging saves space and is usually power efficient and so is very commonly used with embedded systems.

Many embedded systems operate devices that perform acutely time-sensitive tasks, such as drip meters or flow valves. The kernels or operating systems that run these devices must be much more stable and reliable than the OS that runs a desktop computer or server. Embedded systems typically cannot tolerate reboots or crashes and must have response times that are predictable to within microsecond tolerances.

Consequently, these systems often use differently engineered platforms called Real Time Operating Systems (RTOS).

Question 176

Supervisory Control and Data Acquisition (SCADA) systems

Answer 176

components of large-scale, multiple-site Industrial Control Systems (ICS) deployed to monitor and manage industrial-, infrastructure-, and facility-based processes. SCADA systems run as software on ordinary computers gathering data from and managing plant devices and equipment with embedded PLCs, referred to as field devices. They are used in fabrication and manufacturing, controlling automated assembly lines, for example. They are also used in refining, power generation and transmission, wind farms, large communication systems, and so on. In this latter case, field devices may be distributed over a very wide area. SCADA can also be used in building Heating, Ventilation, and Air Conditioning (HVAC) systems.

SCADA is often built without regard to security, though there is growing awareness of the necessity of enforcing security controls to protect them, especially when they operate in a networked environment. NIST Special Publication 800-82 covers some recommendations for implementing security controls for ICS and SCADA

Question 177

Medical devices

Answer 177

represent an array of systems potentially vulnerable to a wide range of attacks. It is important to recognize that use of these devices is not confined to hospitals and clinics but includes portable devices such as cardiac monitors/ defibrillators and insulin pumps. As well as unsecure communication protocols, many of the control systems for these devices run on unsupported versions of operating systems (such as Windows XP) because the costs of updating the software to work with newer OS versions is high and disruptive to patient services. Some of the goals of attacks on medical devices and services are as follows:

• Use compromised devices to pivot to networks storing medical data with the aim of stealing Protected Health Information (PHI).
• Hold medical units ransom by threatening to disrupt services.
• Kill or injure patients (or threaten to do so) by tampering with dosage levels or device settings.

Question 178

Multifunction Devices (MFD)

Answer 178

Most modern print devices, scanners, and fax machines have hard drives and sophisticated firmware, allowing their use without attachment to a computer and over a network. Often these print/scan/fax functions are performed by single devices, referred to as Multifunction Devices (MFD). Unless they have been securely deleted, images and documents are frequently recoverable from all of these machines. Many also contain logs. Sometimes simply knowing who has sent how much information to whom and when it was sent is enough for an aggregation and inference attack. Some of the more feature-rich, networked printers and MFDs can also be used as a pivot point to attack the rest of the network. These machines also have their own firmware that must be kept patched and updated.

Question 179

motor vehicles

Answer 179

Modern motor vehicles use a substantial amount of electronics, all of which can potentially have vulnerabilities that could be exploitable. As well as computer systems to control the vehicle’s engine, steering, and brakes, there may be embedded systems for in-vehicle entertainment and for navigation (sat-nav), using Global Positioning Systems (GPS). Some vehicles are now also fitted with a “black box,” or event data recorder, that can log the car’s telemetry (acceleration, braking, and position).

Question 180

Unmanned Aerial Vehicles (UAV)

Answer 180

Another rapidly developing sector is that of Unmanned Aerial Vehicles (UAV). This sector ranges from full-size fixed wing aircraft to much smaller multi-rotor hover drones. As with other vehicle systems, there is the potential to use the communications channels to interfere with the drone, potentially causing it to crash or go off course. For example, researchers have successfully diverted a drone aircraft by sending it spoofed GPS responses. Drones may also be used to perform surveillance or perform other types of attacks (scattering infected USB sticks, for instance).

Question 181

Smart devices

Answer 181

such as smart TVs, are home appliances with integrated computer functionality (apps, storage, and networking). Custom smart device apps on a TV might facilitate social networking or games, while apps for a refrigerator might have some sort of shopping list or alert feature for restocking. Home automation technology makes heating, lighting, alarms, and appliances all controllable through a computer and network interface. Smart devices and home automation might be managed through a hub device with voice control functionality

Most smart devices use a Linux or Android kernel. Because they’re effectively running mini-computers, smart devices are vulnerable to some of the standard attacks associated with web applications and network functions. Integrated peripherals such as cameras or microphones could be compromised to facilitate surveillance..

Question 182

patch management/security response

Answer 182

Home automation products often use vendor-specific software and networking protocols. As with embedded devices, security features can be poorly documented, and patch management/security response processes of vendors can be inadequate.

Question 183

wearable technology devices

Answer 183

Electronics manufacturing allows a great deal of computing power to be packed within a small space. Consequently, computing functionality is being added to wearable items, such as smart watches, bracelets and pendant fitness monitors, and eyeglasses. Smartwatches have risen in popularity in recent years. Current competing technologies are based on FitBit, Android Wear OS, Samsung’s Tizen OS, and Apple iOS, each with their own separate app ecosystems.

Most wearable technology uses Bluetooth to pair with a smartphone, though some may be capable of Wi-Fi communications, too.

Question 184

camera systems (CCTV

Answer 184

Physical security systems use networked camera systems (CCTV) for surveillance. Unfortunately, some makes of camera systems have been found to have numerous serious vulnerabilities that allow attackers either to prevent intrusions from being recorded or to hijack the cameras to perform their own surveillance. These issues tend to affect cheap consumer-grade systems rather than enterprise models, but in both cases, it is necessary to evaluate the supplier to demonstrate that their security monitoring and remediation support services are effective.

Question 185

Network segmentation

Answer 185

one of the core principles of network security. Network access for static environments should only be required for applying firmware updates and management controls from the host software to the devices and for reporting status and diagnostic information from the devices back to the host software. This control network should be separated from the corporate network using firewalls and VLANs.

With environments such as SCADA, the management software may require legacy versions of operating systems, making the hosts particularly difficult to secure. Isolating these hosts from others through network segmentation and using endpoint security (preventing the attachment of USB devices) can help to ensure they do not become infected with malware or exposed to network exploits.

Question 186

application firewalls

Answer 186

As embedded devices make greater use of a network for diagnostic reporting and updating, they are exposed to greater risks. These risks could be mitigated by deploying application firewalls. These are firewalls designed to protect specific applications and devices, such as a SCADA. This sort of dedicated firewall software to protect the management software and embedded device’s network interfaces is relatively difficult to find for embedded systems, though solutions are starting to appear. The main issue with firewalls implemented on the device firmware is the lack of processing power and memory space available to run such functions.

Question 187

wrappers

Answer 187

One way of increasing the security of data in transit for embedded systems is through the use of wrappers. A wrapper usually includes a header, which precedes the encapsulated data, and a trailer, which follows it. An excellent example of wrappers used for security with IPSec run in tunnel mode, wherein the entire original packet, including the data and the AH, ESP, TCP/UDP, and IP headers are all encapsulated. The only thing visible to an attacker or anyone sniffing the wire is the IPSec header, which describes only the tunnel endpoints. This is useful for protecting traffic between trusted networks when the traffic has to go through an untrusted network to go between them, or between trusted nodes on the same network.

Question 188

Firmware version control

Answer 188

the process of patch management for static and embedded environments.

Question 189

This process is just as vital as keeping host OS software up to date with patches, but for many embedded systems and static environments, it is far more of a challenge:

Answer 189

• Many embedded systems use low-cost firmware chips and the vendor never produces updates to fix security problems or only produces updates for a relatively short product cycle (while the device could remain in operational use for much longer).
• Many embedded systems require manual updates, which are perceived as too time-consuming for a security department with other priorities to perform.