Lesson 12 Host security solutions Flashcards
HW RoT
HW Root of Trust
is a secure subsystem that is able to provide attestation
it scans the boot metrics and OS files to verify their signatures
It then signs the report and sends it to the NAC Server
Attestation
A statement made by the system can be trusted by the receiver
Uses signing keys to do this
TPM
Trusted Platform Module
Part of the motherboard chipset or an embedded function of the CPU
Stores encryption keys, hashed passwords, and other user and platform identification information
Hardcoded with a unique, unchangeable asymmetric key called an endorsement key
Thief cannot remove like they could with the HSM
UEFI
Unified Extensible Firmware Interface
is the code that allows a host to boot to an OS
enforces a number of Boot Integrity checks
Secure Boot
Prevents a computer from being hijacked by malicious OS
Requires UEFI, which stores certs from valid OS vendors
The systems firmware can then compare the stored cert has been signed by the OS Vendor
Does not require a TPM
Measured Boot
Uses TPM at each stage of the boot
Checks hashes of the key system state data for changes
Records presence of kernel-level code change but does not prevent boot
Boot Attestation
The capability to transmit boot log report signed by the TPM via a trusted process to the remote server, usually the network access control server
log is analyzed for compromise, like unsigned drivers
If compromise or lack of report, the host can be prevented from joining the network
Disk Encryption - FDE
Full Disk Encryption - entire disk, including system files, are encrypted
Thwarts an attacker trying to attach the disk to an different OS
as it requires the encryption key to use the disk contents
Win BitLocker tool can write keys to the TPM’s secure storage area or a USB drive
Can reduce performance as the OS has overhead for the cryptographic functions
Can be mitigated by SED, self encrypting drives
SED
Self Encrypting Drive
performs cryptographic functions by the drive controller not the OS
Data/Media Encryption Key (DEK/MEK) for bulk encryption
DEK is stored securely in asymmetric key pair named either authentication key (AK) or Key Encryption Key (KEK)
The AK is authenticated by the user password, which means you can change the user password without needing to decrypt and re-encrypt the drive
USB/Flash Drive Security measures
Suspected USB or flash drives should be tested on sandboxed lab, known as ‘sheep dip’
Look for cmd prompt windows or nefarious processes starting attempting to modify system files or register
HIDS (host intrusion detection systems) can block most USB ports
Host should always be configured to not auto run USB devices are attached to prevent malware from being installed, which is most commonly found on these types of drives.
Trustworthy supply chain
Supply chain is the end to end process of supplying, manufacturing, distributing, and finally releasing goods and services to a customer
Establishment of trusted supply chain means denying malicious actors the time or resources to modify the assets being supplied
End of life systems
End of Life (EOL)
- discontinued sale of a product, spares and upgrades become limited
End of Service Life (EOSL)
- system which is no longer supported by it developer or vendor
- receives no security updates and is therefore a critical vulnerability if left in use
- a compensating control is to isolated these types of devices if still needed on the system
MOU
Memorandum of Understanding
- Intent to work together
- Relatively informal with no binding contracts
BPA
Business Partnership Agreement
Establish a formal partner relationship
NDA
Non-Disclosure Agreement
governs use and storage of confidential and private information
SLA
Service Level Agreement
Establish metrics for service delivery and performance
A contractual agreement setting details of a provided service
MSA
Measure System Analysis
evaluate data collection and statistical methods used for quality management to ensure a product is robust
Hardening
process of putting an OS or application in a secure configuration
essential principle is of least functionality
- only run protocols/services which are required by legitimate users
- done to reduce the potential attack surface
The following are steps to provide a hardened system:
Disable the following unused interfaces and services
Disable or block at the firewall application service ports
Encrypted disks to protect data at rest
Antivirus/Anti-malware
Endpoint host protection sw which uses signature based detection of all malware and PUPs
PUPs - Potentially Unwanted Programs
Insufficient in preventing data breaches
HIDS/HIPS
HIDS - Host based Intrusion Detection System
-provide threat detection via log and file system monitoring using signitures
HIPS - Host based Intrusion Prevention System
-provide threat detection via port and network interface monitoring
EPP
Endpoint Protection Platform using a single local agent to perform multiple security tasks
Can perform:
- malware/intrusion detection
- host firewall
- web content filtering/secure search and browsing
- file/message encryption
DLP
Data Loss Prevention is an agent of EPP and is configured to identify privileged files and strings which should be kept private or confidential.
Enforces the policy which prevents data from being copied or attached to a message without authorization
EDR
Endpoint Detection and Response
provides real-time and historical visibility into a compromise, contains the malware to the host, and restores the host to it’s original state
controlled from the cloud
uses AI
NGFW
Next Gen Firewall
use endpoint detection to alter network firewall
blocks fileless threat and covert channels
prevents lateral movement
CME
Common Malware Enumeration
An identification value returned by Antivirus response to allow further investigation to support remediation efforts
Further analysis using advanced malware tools like Sysinternals
Sandboxing
A technique to isolate an untrusted host or app in a segregated environments allowing for tests to be conducted
Have limited interfaces to the host environment
Allow for testing with many different environment setups
Embedded System
a computer systems designed to perform a specific dedicated function
operates in a static environment
little support is need
not a lot of compute power for security tools, cryptography, etc
Logic Controller for Embedded systems PLC SoC FPGA RTOS
PLC - Programmable Logic Controller
SoC - System on Chip
- Entire PC like setup on a single processor die (chip)
- think raspberry pi, Arduino
FPGA - Field Programmable Gate Array
- a micro controller which the end user can configure the programming logic for a specific application
RTOS - Real Time Operating System
- designed to have a small attack surface
RTOS
Real-time Operating System
- a type of logic controller for embedded systems
performs time sensitive functions
However are susceptible to CVEs and exploits
Z-wave and Zibee
wireless communication protocols used for home automation
create a mesh network for appliances to communicate
Both have communication encryption
main threat is repairing attacks and rogue devices
re-pairing attack
Threat actor can discover the network key by forcing a device off the network and the device re-pairs
ICS
Industrial Control Systems
provides mechanisms for workflow and process automation
controls machinery in critical infrastructure
DCS - distributed control system is an ICS which manages process automation within a single site
prioritize availability and integrity over confidentiality
SCADA
Supervisory Control and Data Acquisition
A system or svr to gather data from and manage ICS devices and embedded PLCs
uses WAN communications
Network Segmentation
regarding embedded systems, network access should be separated from the corporate network
can be achieved by firewall and VLANs
Wrappers
A method for securing data in transit for embedded systems
IPSec is used for this
HSM
Hardware Security Module
an add-on device that is plugged into your computer
provides crypto processing
manage/store digital encryption keys
