Sec+ Chapter 11: Endpoint Security Flashcards
Endpoint
A wide range of devices that includes desktops, mobile devices, servers, etc
The end points of a network, whether that’s wired or wireless
UEFI
Unified extensible firmware interface
A replacement for the basic input/output system (BIOS) that leverages two techniques to prove a system is secure
1) Secure boot
2) Measured boot
Secure boot
Ensures the system boots using only software that the OEM (original equipment manufacturer) trusts
Checks the bootloader to ensure no malware has changed the boot process
System must have a signature database listing the secure signatures of trusted software and firmware for boot process
Measured boot
Measures each component, starting with firmware and ending with the boot start drivers
Doesn’t validate against a known good list of signatures. Instead relies on UEFI firmware to hash the firmware, bootloader, drivers, and other boot processes loaded during secure and trusted boot
TPM
Trusted platform module
A piece of hardware that helps with cryptographic functions used by apps in the OS
Can include a cryptographic processor that’s used as a random number or key generator
The memory of a TPM can store keys, especially keys that are burned on permanently and not changed
This means we can reference the TPM to obtain a unique value that’s not on any other computer you might have
Password protected and built with anti-brute-force technology
Hardware root of trust
We put specific security controls in place to ensure that we can rely on and trust our systems
EX: An individual system can have a TPM, or HSM
It’s the hardware root of trust that gives us the ability to trust that the system is going to be safe and secure
A significant security benefit is that hardware is difficult to change, and the hardware has to be installed for the trust to be put into the system
PUF
Physically unclonable function
Based on the unique features of a microprocessor that are created when it’s manufactured, and not intentionally created or replicated
How do antimalware tools detect malicious software?
Can you explain each one?
1) Signature based detection
2) Heuristic/behavior based detection
3) AI and ML systems
4) Sandboxing
Sandbox
An isolated environment where potentially dangerous or problematic software can be run and tested for in-depth analysis
EDR
Endpoint detection and response
Tools that combine monitoring capabilities on endpoint devices and systems with network monitoring and log analysis to collect, correlate, and analyze events
Can also perform a root cause analysis to check why the behavior happened in the first place
Isolate the system, quarantine the threat, or roll back to a previously known good configuration
API-driven, and can be done without any technician present
IoC
Indicators of compromise
DLP
Data loss prevention
Designed to prevent sensitive data from crossing the network either in the clear or encrypted
Tools that can be deployed to endpoints in the form of clients or apps to protect data from prying eyes
Can also be put on networks, servers, email systems, or the cloud to manage data and handle processes
If it identifies sensitive data, it can block that information from being transferred
Host based firewall
Built into most modern OS and typically enabled by default
Usually runs on every endpoint
Doesn’t provide much insight into the traffic it filters, since it either blocks or allows apps, services, ports, or protocols
HIPS
Host intrusion prevention system
Analyzes traffic before services or apps on the host process it
Can take action and filter out malicious traffic or block specific elements of data that are received
Uses signatures, heuristics, or behavior to identify malicious activity
HIDS
Host intrusion detection system
Uses log files to identify intrusions, and can reconfigure firewalls to block
Primarily, it only reports and alerts on issues though
NGFW
Next gen firewall AKA: application layer gateway, stateful multilayer inspection, or deep packet inspection (DPI)
Usually for an entire network vs hosts or endpoints, and sits on OSI layer 7
It inspects all data in every packet, and has:
1) Built in IDS or IPS functionality
2) Antimalware features
3) Geo-IP and geolocation to match threats with real-world locations
4) Proxying, which allows the device to intercept traffic and analyze it
5) Web app firewall capabilities
6) Sandboxing
Hardening
Changing settings on a system to increase its overall level of security and reduce vulnerability to attack
Attack surface
The places where a system could be attacked
CIS
Center for internet security
Common parts of a hardening process
Can you explain them?
1) Open ports and services
2) The registry
3) Disk encryption
4) OS
5) Patch management (third party updates and auto-update)
Fastest way to decrease attack surface?
Reduce the number of open ports and services that it provides
Best way to deal with open ports and unneeded services?
Disable them entirely
Firewall rules can work as well
OS hardening
Use of system settings to reduce the attack surface for your OS (Windows, Linux, Android, iOS, etc), and there are tools, standards, and processes that can help accomplish this
Always update your OS, stay up on patches
Keep user accounts secure with minimum password lengths and complexity, limit account permissions
Limit network access
Monitor and secure with antimalware software
How to harden Windows registry
Configure permissions for the registry and disallow remote access if it’s not required for a specific need
Limit access to registry tools
Configuration management tools
Tools to help enforce security standards, manage systems, and report on areas where systems don’t match expected settings
EX: Jamf Pro (mac), Configuration Manager (Windows), CFEngine (open source)
Baseline configuration
Setting a configuration standard across all machines at your org
Standards can be modified as needed with groups, teams, divisions, individual users, etc
Importance of naming conventions
Can you explain them?
1) Help ID systems based on purpose, location, etc
2) Make systems more anonymous
3) Make scripting and management easier because you can filter, sort, etc
Importance of IP schema
Can you explain them?
Segment systems based on purpose, location, or other factors to:
1) Avoid address collisions
2) Avoid running out of addresses in network segments
3) ID systems that shouldn’t be using a given address
Patch management
The practice of ensuring systems stay up to date in a timely manner without introducing new flaws or causing issues with patches
Often built in to the OS itself
FDE
Full disk encryption
Encrypts the disk and requires that the bootloader or hardware device provide a decryption key and software or hardware to decrypt
Transparent encryption
On the fly / real time encryption
Largely invisible to the user, with the drive appearing to be unencrypted during use
Simple attacks against this will gain access while the drive is unlocked
Volume encryption
Filesystem level encryption
Protects specific volumes on the drive and allows additional security beyond encrypting the entire disk with a single key
SED
Self encrypting drive
Encryption capabilities built into the hardware and firmware of the drive itself
Anything written to the drive is automatically encrypted
BONUS: Uses the Opal storage standard
How to sanitize drives
1) Wipe the data
2) Destroy the media
DBAN
Darik’s boot and nuke
Utility that performs multiple passes over an entire disk to attempt to remove all data
Data remanence
Data that remains on a disk after it’s been supposedly wiped
Major security concern
SSH
Secure shell
An encrypted protocol used to connect to systems, usually through a CLI
OpenSSL
An implementation of the TLS protocol, often used to protect other services
EX: Used for HTTPS traffic - any time it needs to be sent across a network in a protected way, and SSH or VPN can’t help, OpenSSL is a good alt
How to use OpenSSL
Using OpenSSL and TLS is ideal when two systems that may have never opened comms need to communicate securely
Embedded systems
Computer systems built into other devices
EX: Industrial machinery, appliances, Tesla cars, etc
RTOS
Real time OS
OS used in many embedded systems when priority needs to be placed on processing data as it comes in
EX: Anti lock brakes in a car, because it needs specific updates on wheel slippage as you brake
Raspberry Pi
Single-board computers that have all functions of a computer system like network connectivity, storage, video output, input, CPU, and memory
SoC (system on a chip)
Arduino
A microcontroller
Includes a low-power CPU with a small amount of memory and storage, and provides input and output capabilities
No network capability
FPGA
Field programmable gate array
A type of computer chip that can be programmed to redesign how it works, which makes it customizable
Common on things like firewalls and switches
ICS
Industrial control system
A broad term for industrial automation
SCADA
Supervisory control and data acquisition
Refers to large systems that run power and water distribution, or other systems covering large areas
IoT security concerns
1) Weak default settings
2) Lack of network security (firewalls)
3) Exposed or vulnerable services
4) lack of encryption for data transfer
5) Weak authentication
6) Use of embedded credentials
7) Insecure data storage
IoT lifespan concerns
Short lifespan means they’re not patched or updated, leaving them potentially vulnerable for most of their lives
IoT data concerns
1) Vendor data-handling practice issues like licensing and data ownership
2) Potential to reveal data to both employees, vendor partners, govt, other agencies without users being aware
Specialized systems
1) Medical systems, including devices found in hospitals and at doctors offices (pacemakers, insulin pumps, etc)
2) Smart meters that track utility usage
3) Vehicles from cars to aircraft and even ships
4) Drones and AVs (autonomous vehicles)
5) VOIP systems
6) Printers, including MFPs (multifunction printers)
7) Surveillance systems
SIM
Subscriber identity module
A universal integrated circuit card we see in mobile phones, but also in IoT devices that use cellular networks
Contains IMSI (international mobile subscriber identity), authentication and contact info, etc
Target of attacks, like SIM cloning
Integrity Measurements Check
See if all the details in your configuration documentation match what’s running in a particular app
Check against your well established baselines
If there are any deviations from a baseline, you need to understand what it is and how to correct it
Standard naming conventions
Label devices and cables in your environment so you can refer to them in documentation or change control and everyone understands where each one is located
Give tasks to someone in a data center and they know exactly where to go (server rack, etc)
Network equipment such as switches and routers should be clearly labeled with interface names and patch panel numbers on each one
Standardization for usernames in your environment and email addresses used in your server
SoC
System on a chip
Multiple components running on a single chip
Zigbee
An IEEE 802.15.4 standard PAN, an alternative to WiFi and Bluetooth
A way to communicate with IoT over longer distances using less power
Also allows IoT devices to create a meshed network, which means devices on one end of the home can hop through other IoT devices on the other side of your home
In the US, communicates over the ISM (industrial, scientific, and medical) band in 900 MHz and 2.4 GHz
Narrowband
If the embedded device isn’t using the cellular network to communicate, it may use narrowband
Narrowband uses a smaller frequency bandwidth than broadband, which allows many different comms in a single set of frequencies, and it can communicate over longer distances
EX: SCADA equipment or sensors in oil fields
Baseband
Uses a single frequency to communicate, often over a single cable or fiber connection using digital comms
Anything going over the link is going to use 0% or 100% of the connection
It can be bidirectional, but usually only goes one way at a time
EX: We see it on ethernet connections 100BASE-TX, 1000BASE-T, 10GBASE-T
Constraints with embedded devices
1) Power: May not have access to main power source, and batteries might be needed
2) Compute: Low-power CPUs are limited in speed
3) Network: May not have the option for wired connections, might be in the middle of nowhere
4) Cryptography: Can’t add or change cryptography functions
5) Inability to patch: Some have no field-upgradeable options, or upgrades could be limited or difficult to install
6) Authentication: Security features are an afterthought, no MFA, limited integration with directory services
7) Range: Purpose-built and usually does one thing very well, but that’s about it
8) Cost: They come at a low cost, but that low cost can negatively impact product quality
9) Implied trust: Limited access to the hardware and software, difficult to verify the security posture
Trusted boot
The bootloader verifies the digital signature of the OS kernel, and a corrupted kernel will halt the boot process
The kernel verifies all other startup components like boot drivers and startup files
ELAM (early launch antimalware) starts before loading the drivers, which checks all drivers against digital signatures
If the driver fails, or the signature is untrusted, OS won’t load the driver
Remote attestation
A device provides a central management server with a verification report showing the info gathered during measured boot, and it’s encrypted and digitally signed by the TPM
An attestation server receives the boot report and compares the information to the information it knows to be trusted
If that shows modifications, the sysadmins can turn it off or have it disabled until a tech can look at it