Lesson 12 Flashcards

1
Q

Hardware root of Trust

A
  • Hardware root of trust/trust anchor
  • Attestation
  • Trusted Platform Module (TPM)
    • Hardware-based storage of cryptographic data
    • Endorsement key
    • Subkeys used in key storage, signature, and encryption operations
    • Ownership secured
2
Q

Hardware Root of Trust or Trust Anchor

A

A hardware Root of Trust (RoT) or trust anchor is a secure subsystem that is able to provide attestation.

Attestation means that a statement made by the system can be trusted by the receiver.

For example, when a computer joins a network, it might submit a report to the network access control (NAC) server declaring, "My operating system files have not been replaced with malicious versions." The hardware root of trust is used to scan the boot metrics and OS files to verify their signatures, then it signs the report. The NAC server can trust the signature and therefore the report contents if it can trust that the signing entity's private key is secure.
3
Q

Attestation

A

(Hardware RoT provides this)

Attestation means that a statement made by the system can be trusted by the receiver.

For example, when a computer joins a network, it might submit a report to the network access control (NAC) server declaring, "My operating system files have not been replaced with malicious versions." The hardware root of trust is used to scan the boot metrics and OS files to verify their signatures, then it signs the report. The NAC server can trust the signature and therefore the report contents if it can trust that the signing entity's private key is secure.
4
Q

Trusted Platform Module (TPM)

A
  • Hardware-based storage of cryptographic data
  • Endorsement key
  • Subkeys used in key storage, signature, and encryption operations
  • Ownership secured via password

The RoT is usually established by a type of cryptoprocessor called a trusted platform
module (TPM). TPM is a specification for hardware-based storage of encryption keys,
hashed passwords, and other user and platform identification information. The TPM is
implemented either as part of the chipset or as an embedded function of the CPU.

Each TPM is hard-coded with a unique, unchangeable asymmetric private key called the endorsement key. This endorsement key is used to create various other types of subkeys used in key storage, signature, and encryption operations. The TPM also supports the concept of an owner, usually identified by a password (though this is not mandatory). Anyone with administrative control over the setup program can take ownership of the TPM, which destroys and then regenerates its subkeys. A TPM can be managed in Windows via the tpm.msc console or through group policy. On an enterprise network, provisioning keys to the TPM might be centrally managed via the Key Management Interoperability Protocol (KMIP).

5
Q

Boot Integrity

A
  • Unified extensible firmware interface (UEFI)
  • Secure boot
    * Validate digital signatures before running boot loader or OS kernel
  • Measured boot
    * Use TPM to measure hashes of boot files at each stage
  • Boot attestation
    * Report boot metrics and signatures to remote server
6
Q

Unified extensible firmware interface (UEFI)

A

(supports boot integrity) Most PCs and smartphones implement the unified extensible firmware interface
(UEFI). UEFI provides code that allows the host to boot to an OS. UEFI can enforce a number of boot integrity checks.

7
Q

Secure Boot

A
  • Secure boot
    * Validate digital signatures before running boot loader or OS kernel (requires UEFI but not TPM)

Secure boot is designed to prevent a computer from being hijacked by a malicious OS.
UEFI is configured with digital certificates from valid OS vendors. The system firmware
checks the operating system boot loader and kernel using the stored certificate to
ensure that it has been digitally signed by the OS vendor. This prevents a boot loader
or kernel that has been changed by malware (or an OS installed without authorization)
from being used. Secure boot is supported on Windows and many Linux platforms.

8
Q

Measured boot

A
  • Measured boot
    * Use TPM to measure hashes of boot files at each stage

A trusted or measured boot process uses platform configuration registers (PCRs)
in the TPM at each stage in the boot process to check whether hashes of key system
state data (boot firmware, boot loader, OS kernel, and critical drivers) have changed.

This does not usually prevent boot, but it will record the presence of unsigned
kernel-level code.

9
Q

Boot Attestation

A
  • Boot attestation
    • Report boot metrics and signatures to remote server

Boot attestation is the capability to transmit a boot log report signed by the TPM via a
trusted process to a remote server, such as a network access control server. The boot
log can be analyzed for signs of compromise, such as the presence of unsigned drivers.
The host can be prevented from accessing the network if it does not meet the required
health policy or if no attestation report is received.

10
Q

Drive (disk) encryption

A

Drive Encryption
  • Full disk encryption (FDE)
    • Encryption key secured with user password
    • Secure storage for key in TPM or USB thumb drive

  • Self-encrypting drives (SED)
    • Data/media encryption key (DEK/MEK)
    • Authentication key (AK) or key encrypting key (KEK)
    • Opal specification compliant
11
Q

Full disk encryption (FDE)

A
  • Full disk encryption (FDE)
    • Encryption key secured with user password
    • Secure storage for key in TPM or USB thumb drive

Full disk encryption (FDE) means that the entire contents of the drive (or volume),
including system files and folders, are encrypted. OS ACL-based security measures
are quite simple to circumvent if an adversary can attach the drive to a different host
OS. Drive encryption allays this security concern by making the contents of the drive
accessible only in combination with the correct encryption key. Disk encryption can be
applied to both hard disk drives (HDDs) and solid state drives (SSDs).

FDE requires the secure storage of the key used to encrypt the drive contents.
Normally, this is stored in a TPM. The TPM chip has a secure storage area that a disk
encryption program, such as Windows BitLocker, can write its keys to. It is also possible
to use a removable USB drive (if USB is a boot device option). As part of the setup
process, you create a recovery password or key. This can be used if the disk is moved
to another computer or the TPM is damaged.

12
Q

Self-encrypting drives (SED)

A
  • Self-encrypting drives (SED)
    • Data/media encryption key (DEK/MEK)
    • Authentication key (AK) or key encrypting key (KEK)
    • Opal specification compliant

One of the drawbacks of FDE is that, because the OS performs the cryptographic
operations, performance is reduced. This issue is mitigated by self-encrypting drives
(SED), where the cryptographic operations are performed by the drive controller. The
SED uses a symmetric data/media encryption key (DEK/MEK) for bulk encryption and
stores the DEK securely by encrypting it with an asymmetric key pair called either the
authentication key (AK) or key encryption key (KEK). Use of the AK is authenticated by
the user password. This means that the user password can be changed without having
to decrypt and re-encrypt the drive. Early types of SEDs used proprietary mechanisms,
but many vendors now develop to the Opal Storage Specification.

13
Q

Data/media encryption key (DEK/MEK) (for SED)

A

SED uses a symmetric data/media encryption key (DEK/MEK) for bulk encryption and
stores the DEK securely by encrypting it with an asymmetric key pair called either the
authentication key (AK) or key encryption key (KEK).

14
Q

Authentication key (AK) or key encrypting key (KEK)

A

SED uses a symmetric data/media encryption key (DEK/MEK) for bulk encryption and
stores the DEK securely by encrypting it with an asymmetric key pair called either the
authentication key (AK) or key encryption key (KEK). Use of the AK is authenticated by
the user password.

15
Q

USB and flash drive security

A
  • BadUSB
    • Exposes potential of malicious firmware
    • Malicious USB cable
    • Malicious flash drive
  • Sheep dip
    • Sandbox system for testing new/suspect devices
    • Isolated from production network/data
16
Q

Bad USB

A
  • BadUSB
    • Exposes potential of malicious firmware
    • Malicious USB cable
    • Malicious flash drive

As revealed by researcher Karsten Nohl in his BadUSB paper, exploiting the firmware of external
storage devices, such as USB flash drives (and potentially any other type of firmware),
presents adversaries with an incredible toolkit. The firmware can be reprogrammed
to make the device look like another device class, such as a keyboard. In this case it
could then be used to inject a series of keystrokes upon an attachment or work as
a keylogger. The device could also be programmed to act like a network device and
corrupt name resolution, redirecting the user to malicious websites.

17
Q

Sheep dip

A
  • Sheep dip
    • Sandbox system for testing new/suspect devices
    • Isolated from production network/data

A modified device may have visual clues that distinguish it from a mass manufactured
thumb drive or cable, but these may be difficult to spot. You should warn users of the
risks and repeat the advice to never attach devices of unknown provenance to their
computers and smartphones. If you suspect a device as an attack vector, observe a
sandboxed lab system (sometimes referred to as a sheep dip) closely when attaching the device.

18
Q

Third-party Risk Management

A
  • Supply chain and vendors
    • End-to-end process of supplying, manufacturing, distributing, and finally releasing goods and services to a customer
    • Could malicious actors within supply chain introduce backdoor access via hardware/firmware components?
    • Most companies must depend on governments/security services to ensure trustworthiness of market suppliers
    • Consider implications of using second-hand equipment
  • Vendors versus business partners
19
Q

Vendors versus business partners

A

When assessing suppliers for risk, it is helpful to distinguish two types of relationship:
• Vendor—this means a supplier of commodity goods and services, possibly with
some level of customization and direct support.
• Business partner—this implies a closer relationship where two companies share
quite closely aligned goals and marketing opportunities.

20
Q

End of Life Systems and Lack of Vendor Support

A
  • Support lifecycles
  • End of life (EOL)
    • Product is no longer sold to new customers
    • Availability of spares and updates is reduced
  • End of service life (EOSL)
    • Product is no longer supported
  • Lack of vendor support
    • Abandonware
    • Software and peripherals/devices
21
Q

End of life (EOL)

A
  • Product is no longer sold to new customers
  • Availability of spares and updates is reduced

22
Q

End of service life (EOSL)

A

  • Product is no longer supported

23
Q

Lack of vendor support

A
  • Abandonware
  • Software and peripherals/devices

24
Q

MOU

A

Intent to work together

25
Q

Business partnership agreement (BPA)

A

Establish a formal partner relationship

26
Q

Non-disclosure agreement (NDA)

A

Govern use and storage of shared confidential and private information

27
Q

Service level agreement (SLA)

A

Establish metrics for service delivery and performance

28
Q

Measurement systems analysis (MSA)

A

Evaluate data collection and statistical methods used for quality management

29
Q

Host Hardening

A
  • Reducing attack surface
  • Interfaces
    • Network and peripheral connections and hardware ports
  • Services
    • Software that allows client connections
  • Application service ports
    • TCP and UDP ports
    • Disable application service or use firewall to control access
    • Detect non-standard usage
  • Encryption for persistent storage
30
Q

least functionality (attack surface)

A

The essential principle is of least functionality;
that a system should run only the protocols and services required by legitimate users
and no more. This reduces the potential attack surface.

31
Q

Interfaces (hardening)

A

Network and peripheral connections and hardware ports

Interfaces provide a connection to the network. Some machines may have more than one interface.

***If any of these interfaces are not required, they should be explicitly disabled
rather than simply left unused.

32
Q

Services (hardening)

A

Software that allows client connections

Services provide a library of functions for different types of applications. Some
services support local features of the OS and installed applications. Other services
support remote connections from clients to server applications.

***Unused services
should be disabled.

33
Q

Application service ports

A
  • Application service ports
    • TCP and UDP ports
    • Disable application service or use firewall to control access

Application service ports allow client software to connect to applications over a
network. These should either be disabled or blocked at a firewall if remote access
is not required.

34
Q

Encryption for persistent storage

A

Persistent storage holds user data generated by applications, plus cached
credentials. Disk encryption is essential to data security. Self encrypting drives can
be used so that all data-at-rest is always stored securely.

35
Q

Baseline Configuration and Registry Settings

A

You will have separate configuration baselines for desktop clients, file and print
servers, Domain Name System (DNS) servers, application servers, directory services
servers, and other types of systems.

  • OS/host role
    • Network appliance, server, client, …
  • Configuration baseline template
  • Registry settings and group policy objects (GPOs)
  • Malicious registry changes
  • Baseline deviation reporting
36
Q

•Registry settings and group policy objects (GPOs)

A

In Windows, configuration settings are stored in
the registry.

On a Windows domain network, each domain-joined computer will receive
policy settings from one or more group policy objects (GPOs).

37
Q
  • Malicious registry changes
  • Baseline deviation reporting

A

Just need to repeat this as part of Baseline Configuration and Registry Settings.

38
Q

Patch update policies and schedule

A
  • Update policies and schedule
    • Apply all latest; auto-update (used for SOHO)
    • Only apply specific patches
    • Third-party patches
39
Q

Scheduling updates

A

It can also be difficult to schedule patch operations, especially if applying the patch
is an availability risk to a critical system. If vulnerability assessments are continually
highlighting issues with missing patches, patch management procedures should
be upgraded. If the problem affects certain hosts only, it could be an indicator of
compromise that should be investigated more closely.

40
Q

Managing unpatchable systems

A

Patch management can also be difficult for legacy systems, proprietary systems, and
systems from vendors without robust security management plans, such as some types
of Internet of Things devices. These systems will need compensating controls, or some
other form of risk mitigation if patches are not readily available.

41
Q

Endpoint Protection

A

Another crucial step in hardening is to configure endpoint protection for automatic
detection and prevention of malware threats. There have been many iterations of
host-based/endpoint protection suites and agents.

Antivirus (A-V)/anti-malware
•Signature-based detection of all malware/PUP types

Host-based intrusion detection/prevention (HIDS/HIPS)
•File integrity monitoring and log/network traffic scanning
•Prevention products can block processes or network connections

Endpoint Protection Platform (EPP)
•Consolidate agents for multiple functions
•Combine A-V, HIDS, host firewall, content filtering, encryption, …

Data loss prevention (DLP)
•Block copy or transfer of confidential data
•Endpoint protection deployment

42
Q

Antivirus (A-V)/anti-malware

A

•Signature-based detection of all malware/PUP types

The first generation of anti-virus (A-V) software is characterized by signature-based
detection and prevention of known viruses. An “A-V” product will now perform
generalized malware detection, meaning not just viruses and worms, but also Trojans,
spyware, PUPs, cryptojackers, and so on. While A-V software remains important,
signature-based detection is widely recognized as being insufficient for the prevention
of data breaches.

43
Q

Host-Based Intrusion Detection/Prevention (HIDS/HIPS)

A
  • File integrity monitoring and log/network traffic scanning
  • Prevention products can block processes or network connections

Host-based intrusion detection systems (HIDS) provide threat detection via log and
file system monitoring. HIDS come in many different forms with different capabilities,
some of them preventative (HIPS). File system integrity monitoring uses signatures to
detect whether a managed file image—such as an OS system file, driver, or application
executable—has changed. Products may also monitor ports and network interfaces,
and process data and logs generated by specific applications, such as HTTP or FTP.

44
Q

Endpoint Protection Platform (EPP)

A
  • Consolidate agents for multiple functions
  • Combine A-V, HIDS, host firewall, content filtering, encryption, …

Endpoint protection usually depends on an agent running on the local host. If multiple
security products install multiple agents (say one for A-V, one for HIDS, another for
host-based firewall, and so on), they can impact system performance and cause conflicts, creating numerous technical support incidents and security incident false
positives. An endpoint protection platform (EPP) is a single agent performing multiple
security tasks, including malware/intrusion detection and prevention, but also other
security features, such as a host firewall, web content filtering/secure search and
browsing, and file/message encryption.

45
Q

Data loss prevention (DLP)

A

•Block copy or transfer of confidential data

Many EPPs include a data loss prevention (DLP) agent. This is configured with policies
to identify privileged files and strings that should be kept private or confidential, such
as credit card numbers. The agent enforces the policy to prevent data from being
copied or attached to a message without authorization.

46
Q

Endpoint protection deployment

A

I skipped this one.

47
Q

Next-Generation Endpoint Protection

A

Where EPP provides mostly signature-based detection and prevention, next-generation endpoint protection with automated response is focused on logging of endpoint observables and indicators combined with behavioral- and anomaly-based analysis.

Endpoint detection and response (EDR)
•Visibility and containment rather than preventing malware execution
•User and entity behavior analytics driven by cloud-hosted machine learning

Next-generation firewall integration
•Use endpoint detection to alter network firewall policies
•Block fileless threats and covert channels
•Prevent lateral movement

48
Q

Endpoint detection and response (EDR)

A
  • Visibility and containment rather than preventing malware execution
  • User and entity behavior analytics driven by cloud-hosted machine learning

An endpoint detection and response (EDR) product’s aim is not to prevent initial
execution, but to provide real-time and historical visibility into the compromise, contain
the malware within a single host, and facilitate remediation of the host to its original
state.

49
Q

Next-Generation Firewall Integration

A
  • Use endpoint detection to alter network firewall policies
  • Block fileless threats and covert channels
  • Prevent lateral movement

An analytics-driven next-gen antivirus product is likely to combine with the perimeter
and zonal security offered by next-gen firewalls. For example, detecting a threat on an
endpoint could automate a firewall policy to block the covert channel at the perimeter,
isolate the endpoint, and mitigate risks of the malware using lateral movement
between hosts.

50
Q

Antivirus Response

A

Signature-based detection and heuristics

Malware identification and classification
•Common Malware Enumeration (CME)

Manual remediation advice

Advanced malware tools
•Manually identify file system changes and network activity

Sandboxing
•Execute malware for analysis in a protected environment

51
Q

Signature-based detection and heuristics

A

Scanner scans for malware

If the code matches a signature of known malware or exhibits malware-like behavior
that matches a heuristic profile, the scanner will prevent execution and attempt to
take the configured action on the host file (clean, quarantine, erase, and so on).

An alert will be displayed to the user and the action will be logged (and also may generate an administrative alert).

The malware will normally be tagged using a vendor
proprietary string and possibly by a CME (Common Malware Enumeration) identifier.
These identifiers can be used to research the symptoms of and methods used by
the malware.

52
Q

Common Malware Enumeration (CME)

A

When a prevention system detects/prevents malware:

The malware will normally be tagged using a vendor
proprietary string and possibly by a CME (Common Malware Enumeration) identifier.
These identifiers can be used to research the symptoms of and methods used by
the malware.

53
Q

Advanced malware tools

A

•Manually identify file system changes and network activity

Malware is often able to evade detection by automated scanners. Analysis of SIEM and
intrusion detection logs might reveal suspicious network connections, or a user may
observe unexplained activity or behavior on a host. When you identify symptoms such
as these, but the AV scanner or EPP agent does not report an infection, you will need to
analyze the host for malware using advanced tools.

54
Q

Sandboxing

A

Execute malware for analysis in a protected environment

55
Q

Embedded Systems

A

An embedded system is in a static environment. A PC is in a dynamic environment (you can add or remove applications, etc.).

  • Computer system with dedicated function
  • Static environment
  • Cost, power, and compute constraints
    • Single-purpose devices with no overhead for additional security computing
  • Crypto, authentication, and implied trust constraints
    • Limited resource for cryptographic implementation
    • No root of trust
    • Perimeter security
  • Network and range constraints
    • Power constrains range
    • Emphasize low data rates, but minimize latency
56
Q

Logic Controllers for Embedded Systems

A
  • Programmable logic controller (PLC)
  • System on chip (SoC)
    • Processors, controllers, and devices all provided on single package
    • Raspberry Pi
    • Arduino
  • Field programmable gate array (FPGA)
    • End customer can configure programming logic
  • Real-time operating system (RTOS)
    • Designed to be ultra-stable
    • Prioritizes real-time scheduling
57
Q

Programmable logic controller (PLC)

A

Embedded systems are normally based on firmware running on a programmable
logic controller (PLC). These PLCs are built from different hardware and OS
components than some desktop PCs.

58
Q

System on Chip (SoC)

A
  • System on chip (SoC)
    • Processors, controllers, and devices all provided on single package
    • Raspberry Pi
    • Arduino

Desktop computer system architecture uses a generalized CPU plus various other
processors and controllers and system memory, linked via the motherboard. System
on chip (SoC) is a design where all these processors, controllers, and devices are
provided on a single processor die (or chip). This type of packaging saves space and is
usually power efficient, and so is very commonly used with embedded systems.

59
Q

Types of SoC

A
  • Raspberry Pi
  • Arduino

60
Q

Field Programmable Gate Array (FPGA)

A
  • Field programmable gate array (FPGA)
    • End customer can configure programming logic

A microcontroller is a processing unit that can perform sequential operations from
a dedicated instruction set. The instruction set is determined by the vendor at the
time of manufacture. Software running on the microcontroller has to be converted
to these instructions (assembly language). As many embedded systems perform
relatively simple but repetitive operations, it can be more efficient to design the
hardware controller to perform only the instructions needed. One example of this
is the application-specific integrated circuits (ASICs) used in Ethernet switches. ASICs
are expensive to design, however, and work only for a single application, such as
Ethernet switching.

A field programmable gate array (FPGA) is a type of controller that solves this
problem. The structure of the controller is not fully set at the time of manufacture.
The end customer can configure the programming logic of the device to run a
specific application.

61
Q

Real-time operating system (RTOS)

A

Real-time operating system (RTOS)
•Designed to be ultra-stable
•Prioritizes real-time scheduling

Many embedded systems operate devices that perform acutely time-sensitive tasks,
such as drip meters or flow valves. The kernels or operating systems that run these
devices must be much more stable and reliable than the OS that runs a desktop
computer or server. Embedded systems typically cannot tolerate reboots or crashes
and must have response times that are predictable to within microsecond tolerances.
Consequently, these systems often use differently engineered platforms called realtime
operating systems (RTOS). An RTOS should be designed to have as small an
attack surface as possible. An RTOS is still susceptible to CVEs and exploits, however.

62
Q

Operational Technology (OT) networks

A

•Serial data and Industrial Ethernet

A cabled network for industrial applications is referred to as an operational technology
(OT) network. These typically use either serial data protocols or industrial Ethernet.
Industrial Ethernet is optimized for real-time, deterministic transfers. Such networks
might use vendor-developed data link and networking protocols, as well as specialist
application protocols.

63
Q

Cellular networks/baseband radio

A
  • Cellular networks/baseband radio
    • Narrowband-IoT (NB-IoT)
    • LTE Machine Type Communication (LTE-M)
    • 4G versus 5G
    • Subscriber identity module (SIM) cards
    • Encryption and backhaul
64
Q

baseband radio

A

A cellular network enables long-distance communication over the same system that
supports mobile and smartphones. This is also called baseband radio, after the
baseband processor that performs the function of a cellular modem. There are several
baseband radio technologies:

  • Narrowband-IoT (NB-IoT)
  • LTE Machine Type Communication (LTE-M)
65
Q

NB-IoT vs LTE-M

A

• Narrowband-IoT (NB-IoT)—this refers to a low-power version of the Long Term
Evolution (LTE) or 4G cellular standard. The signal occupies less bandwidth than
regular cellular.
- Narrowband also has greater penetrating power, making it more suitable
for use in inaccessible locations, such as tunnels or deep within buildings, where
ordinary cellular connectivity would be impossible.

• LTE Machine Type Communication (LTE-M)—this is another low-power system, but
supports higher bandwidth (up to about 1 Mbps).

66
Q

5G vs 4G

A

While not yet completely standardized, both NB-IoT and LTE-M are designed to be
compatible with 5G networks. This means they do not interfere with 5G signaling and
can use tower relays developed for 5G. They may support higher data rates, though
latency and reliability tend to be more important considerations.

67
Q

Subscriber identity module (SIM) cards

A

Any LTE-based cellular radio uses a subscriber identity module (SIM) card as an
identifier. The SIM is issued by a cellular provider, with roaming to allow use of other
suppliers’ tower relays. As a removable card is not really a suitable form factor for
embedded, an eSIM incorporates the same function as a chip on the system board or
SoC design.

68
Q

Encryption and backhaul

A

Encryption of frames between the endpoint and the cell tower and within the backhaul
to Internet routers is the responsibility of the network operator. Over the air encryption
is performed by encryption schemes devised by the cellular standards body 3GPP.
Backhaul security is usually enforced using IPSec. The embedded system can use
application layer encryption for additional security.

69
Q

Z-Wave and Zigbee

A

Z-Wave and Zigbee are wireless communications protocols used primarily for home
automation. Both create a mesh network topology, using low-energy radio waves to
communicate from one appliance to another.

Z-Wave: devices can be configured to work as repeaters to extend the network, but
there is a limit of four "hops" between a controller device and an endpoint.

Zigbee: Zigbee has similar uses to Z-Wave and is an open source competitor technology to it.
The Zigbee Alliance operates certification programs for its various technologies and
standards.

70
Q

Industrial Control systems (ICS)

A

Industrial systems have different priorities to IT systems. Often, hazardous
electromechanical components are involved, so safety is the overriding priority.
Industrial processes also prioritize availability and integrity over confidentiality—
reversing the CIA triad as the AIC triad.

71
Q

Availability, integrity, confidentiality (AIC triad)

A

Industrial processes also prioritize availability and integrity over confidentiality—reversing the CIA triad as the AIC triad.

72
Q

Workflow and process automation for ICS

A

Industrial control systems (ICSs) provide mechanisms for workflow and process automation. These systems control machinery used in critical infrastructure, like
power suppliers, water suppliers, health services, telecommunications, and national security services.

73
Q

Plant devices and embedded PLCs (ICS)

A

An ICS comprises plant devices and equipment with embedded PLCs.

74
Q
  • Workflow and process automation
    • Industrial control systems (ICSs)
    • Plant devices and embedded PLCs
    • OT network
    • Electromechanical components and sensors
    • Human machine interface (HMI)
    • Data historian
A

I skipped most of this

75
Q

Industries that use ICS/SCADA systems

A

Energy
•Power generation and distribution

Industrial
•Mining and refining raw materials

Fabrication and manufacturing
•Creating components and assembling them into products

Logistics
•Moving things

Facilities
•Site and building management systems
•Heating, ventilation, and air conditioning (HVAC)

76
Q

Internet of Things

A
  • Machine to Machine (M2M) communication
  • Hub/control system
    • Communications hub
    • Control system for headless devices
    • Smart hubs and PC/smartphone controller apps
  • Smart devices
    • IoT endpoints
    • Compute, storage, and network functions and vulnerabilities
  • Wearables
  • Sensors
  • Vendor security management
    • Weak defaults
    • Patching and updates
77
Q

•Machine to Machine (M2M) communication

A

The term Internet of Things (IoT) is used to describe a global network of appliances and personal devices that have been equipped with sensors, software, and network connectivity. This compute functionality allows these objects to communicate and
pass data between themselves and other traditional systems like computer servers.
This is often referred to as Machine to Machine (M2M) communication.

78
Q

Hub/control system

A
  • Communications hub
  • Control system for headless devices
  • Smart hubs and PC/smartphone controller apps

IoT devices usually require a communications hub to facilitate
Z-Wave or Zigbee networking. There must also be a control system, as most IoT
devices are headless, meaning they have no user control interface.

79
Q

Smart devices

A
  • IoT endpoints
  • Compute, storage, and network functions and vulnerabilities

Smart devices—IoT endpoints implement the function, such as a smart lightbulb
or a video entryphone that you can operate remotely. These devices implement
compute, storage, and network functions that are all potentially vulnerable to
exploits.

80
Q

Wearables

A

Some IoT devices are designed as personal accessories, such as
smart watches, bracelets and pendant fitness monitors, and eyeglasses. Current
competing technologies are based on FitBit, Android Wear OS, Samsung’s Tizen OS,
and Apple iOS, each with their own separate app ecosystems.

81
Q

Sensors

A

IoT devices need to measure all kinds of things, including temperature,
light levels, humidity, pressure, proximity, motion, gas/chemicals/smoke, heart/
breathing rates, and so on.

82
Q

Vendor security management (IoT)

A
  • Weak defaults
  • Patching and updates

83
Q

Specialized Systems for Facility Automation

A
Building automation system (BAS)
•Smart buildings
•Process and memory vulnerabilities
•Credentials embedded in application code
•Code injection

Smart meters

Surveillance systems
•Physical access control system (PACS)
•Risks from third-party provision
•Abuse of cameras

84
Q

physical access control system (PACS)

A

A physical access control system (PACS) is a network of monitored locks, intruder
alarms, and video surveillance.

Surveillance systems
•Physical access control system (PACS)
•Risks from third-party provision
•Abuse of cameras

85
Q

Building automation system (BAS)

A
  • Smart buildings
  • Process and memory vulnerabilities
  • Credentials embedded in application code
  • Code injection

A building automation system (BAS) for offices and data centers (“smart buildings”)
can include physical access control systems, but also heating, ventilation, and air
conditioning (HVAC), fire control, power and lighting, and elevators and escalators.

86
Q

Smart meter

A

A smart meter provides continually updating reports of electricity, gas, or water usage
to the supplier, reducing the need for manual inspections.

87
Q

Specialized Systems in IT

A

Multifunction printer (MFP)
•Hard drives and firmware represent potential vulnerabilities
•Recovery of confidential information from cached print files
•Log data might assist attacks
•Pivot to compromise other network devices

Voice over IP

Shodan

88
Q

Shodan

A

Shodan search results for sites responding to probes over port 9100 (TCP port for raw print data).

89
Q

Multifunction printer (MFP)

A
  • Hard drives and firmware represent potential vulnerabilities
    • Recovery of confidential information from cached print files
    • Log data might assist attacks
    • Pivot to compromise other network devices
90
Q

Specialized Systems for Vehicles and Drones

A
  • Unmanned Aerial Vehicles (UAV)/drones
  • Computer-controlled or assisted engine, steering, and brakes
  • In-vehicle entertainment and navigation
  • Controller area network (CAN) serial communications buses
    • Onboard Diagnostics (OBD-II) module
    • Access via cellular or Wi-Fi
91
Q

Controller area network (CAN) serial communications buses

A

Modern vehicles are increasingly likely to have navigation and entertainment
systems, plus driver-assist or even driverless features, where the vehicle’s automated
systems can take control of steering and braking. The locking, alarm, and engine
immobilizer mechanisms are also likely to be part of the same system. Each of these
subsystems is implemented as an electronic control unit (ECU), connected via one
or more controller area network (CAN) serial communications buses. The principal
external interface is an Onboard Diagnostics (OBD-II) module. The OBD-II also acts as a
gateway for multiple CAN buses.

The CAN bus operates in a somewhat similar manner to shared Ethernet and was
designed with just as little security. ECUs transmit messages as broadcast so they
are received by all other ECUs on the same bus. There is no concept of source
addressing or message authentication. An attacker able to attach a malicious device
to the OBD-II port is able to perform DoS attacks against the CAN bus, threatening
the safety of the vehicle. There are also remote means of accessing the CAN bus,
such as via the cellular features of the automobile’s navigation and entertainment
system (wired.com/2015/07/hackers-remotely-kill-jeep-highway). Some vehicles also
implement on-board Wi-Fi, further broadening the attack surface.

92
Q

Specialized Systems for Medical Devices

A
  • Used in hospitals and clinics but also at home by patients
  • Potentially unsecure protocols and control systems
  • Use compromised devices to pivot to networks
  • Stealing Protected Health Information (PHI)
  • Ransom by threatening to disrupt services
  • Kill or injure patients
93
Q

Security for Embedded Systems

A
  • Network segmentation
    • Strictly restrict access to OT networks
    • Increased monitoring for SCADA hosts
  • Wrappers
    • Use IPSec for authentication and integrity and confidentiality
  • Firmware code control
    • Supply chain risks
  • Inability to patch
    • Inadequate vendor support
    • Time-consuming patch procedures
    • Inability to schedule downtime
94
Q

Network segmentation

A
  • Network segmentation
    • Strictly restrict access to OT networks
    • Increased monitoring for SCADA hosts

Network segmentation is one of the core principles of network security. Network access
for static environments should only be required for applying firmware updates and
management controls from the host software to the devices and for reporting status and
diagnostic information from the devices back to the host software.

95
Q

Wrappers

A

•Use IPSec for authentication and integrity and confidentiality

One way of increasing the security of data in transit for embedded systems is through the
use of wrappers, such as IPSec. The only thing visible to an attacker or anyone sniffing
the wire is the IPSec header, which describes only the tunnel endpoints. This is useful
for protecting traffic between trusted networks when the traffic has to go through an
untrusted network to go between them, or between trusted nodes on the same network.

96
Q

Firmware Control Code

A
  • Firmware code control
    • Supply chain risks
  • Inability to patch
    • Inadequate vendor support
    • Time-consuming patch procedures
    • Inability to schedule downtime

Embedded systems demonstrate one of the reasons that supply chain risks must be
carefully managed. Programming logic implemented in FPGA and firmware code must
not contain backdoors. Firmware patching is just as vital as keeping host OS software
up to date, but for many embedded systems, it is far more of a challenge: