Sec+ Chapter 11: Endpoint Security Flashcards

1
Q

Endpoint

A

A wide range of devices that includes desktops, mobile devices, servers, etc

The end points of a network, whether that’s wired or wireless

2
Q

UEFI

A

Unified extensible firmware interface

A replacement for the basic input/output system (BIOS) that leverages two techniques to prove a system is secure:

1) Secure boot

2) Measured boot

3
Q

Secure boot

A

Ensures the system boots using only software that the OEM (original equipment manufacturer) trusts

Checks the bootloader to ensure no malware has changed the boot process

The system must have a signature database listing the secure signatures of trusted software and firmware for the boot process

4
Q

Measured boot

A

Measures each component, starting with firmware and ending with the boot start drivers

Doesn’t validate against a known good list of signatures. Instead relies on the UEFI firmware to hash the firmware, bootloader, drivers, and other boot processes loaded during secure and trusted boot

5
Q

TPM

A

Trusted platform module

A piece of hardware that helps with cryptographic functions used by apps in the OS

Can include a cryptographic processor that’s used as a random number or key generator

The memory of a TPM can store keys, especially keys that are burned on permanently and not changed

This means we can reference the TPM to obtain a unique value that’s not on any other computer you might have

Password protected and built with anti-brute-force technology

6
Q

Hardware root of trust

A

We put specific security controls in place to ensure that we can rely on and trust our systems

EX: An individual system can have a TPM or an HSM

It’s the hardware root of trust that gives us the ability to trust that the system is going to be safe and secure

A significant security benefit is that hardware is difficult to change, and the hardware has to be installed for the trust to be put into the system

7
Q

PUF

A

Physically unclonable function

Based on the unique features of a microprocessor that are created when it’s manufactured, and not intentionally created or replicated

8
Q

How do antimalware tools detect malicious software?

Can you explain each one?

A

1) Signature based detection

2) Heuristic/behavior based detection

3) AI and ML systems

4) Sandboxing

9
Q

Sandbox

A

An isolated environment where potentially dangerous or problematic software can be run and tested for in-depth analysis

10
Q

EDR

A

Endpoint detection and response

Tools that combine monitoring capabilities on endpoint devices and systems with network monitoring and log analysis to collect, correlate, and analyze events

Can also perform a root cause analysis to check why the behavior happened in the first place

Can isolate the system, quarantine the threat, or roll back to a previously known good configuration

API-driven, and can be done without any technician present

11
Q

IoC

A

Indicators of compromise

12
Q

DLP

A

Data loss prevention

Designed to prevent sensitive data from leaving across the network, either in the clear or encrypted

Tools that can be deployed to endpoints in the form of clients or apps to protect data from prying eyes

Can also be put on networks, servers, email systems, or the cloud to manage data and handle processes

If it identifies sensitive data, it can block that information from being transferred

13
Q

Host based firewall

A

Built into most modern OSes and typically enabled by default

Usually runs on every endpoint

Doesn’t provide much insight into the traffic it filters, since it either blocks or allows apps, services, ports, or protocols

14
Q

HIPS

A

Host intrusion prevention system

Analyzes traffic before services or apps on the host process it

Can take action and filter out malicious traffic or block specific elements of data that’s received

Uses signatures, heuristics, or behavior to identify malicious activity

15
Q

HIDS

A

Host intrusion detection system

Uses log files to identify intrusions, and can reconfigure firewalls to block

Primarily, it only reports and alerts on issues though

16
Q

NGFW

A

Next gen firewall AKA: application layer gateway, stateful multilayer inspection, or deep packet inspection (DPI)

Usually for an entire network vs hosts or endpoints, and sits on OSI layer 7

It inspects all data in every packet, and has:

1) Built in IDS or IPS functionality

2) Antimalware features

3) Geo-IP and geolocation to match threats with real-world locations

4) Proxying, which allows the device to intercept traffic and analyze it

5) Web app firewall capabilities

6) Sandboxing

17
Q

Hardening

A

Changing settings on a system to increase its overall level of security and reduce vulnerability to attack

18
Q

Attack surface

A

The places where a system could be attacked

19
Q

CIS

A

Center for Internet Security

20
Q

Common parts of a hardening process

Can you explain them?

A

1) Open ports and services

2) The registry

3) Disk encryption

4) OS

5) Patch management (third party updates and auto-update)

21
Q

Fastest way to decrease attack surface?

A

Reduce the number of open ports and services that it provides

22
Q

Best way to deal with open ports and unneeded services?

A

Disable them entirely

Firewall rules can work as well

23
Q

OS hardening

A

Use of system settings to reduce the attack surface of your OS (Windows, Linux, Android, iOS, etc); there are tools, standards, and processes that can help accomplish this

Always update your OS, stay up on patches

Keep user accounts secure with minimum password lengths and complexity, limit account permissions

Limit network access

Monitor and secure with antimalware software

24
Q

How to harden Windows registry

A

Configure permissions for the registry and disallow remote access if it’s not required for a specific need

Limit access to registry tools

25
Q

Configuration management tools

A

Tools to help enforce security standards, manage systems, and report on areas where systems don’t match expected settings

EX: Jamf Pro (mac), Configuration Manager (Windows), CFEngine (open source)

26
Q

Baseline configuration

A

Setting a configuration standard across all machines at your org

Standards can be modified as needed with groups, teams, divisions, individual users, etc

27
Q

Importance of naming conventions

Can you explain them?

A

1) Help ID systems based on purpose, location, etc

2) Make systems more anonymous

3) Make scripting and management easier because you can filter, sort, etc

28
Q

Importance of IP schema

Can you explain them?

A

Segment systems based on purpose, location, or other factors to:

1) Avoid address collisions

2) Avoid running out of addresses in network segments

3) ID systems that shouldn’t be using a given address

29
Q

Patch management

A

The practice of ensuring systems stay up to date in a timely manner without introducing new flaws or causing issues with patches

Often built into the OS itself

30
Q

FDE

A

Full disk encryption

Encrypts the disk and requires that the bootloader or hardware device provide a decryption key and software or hardware to decrypt

31
Q

Transparent encryption

A

On the fly / real time encryption

Largely invisible to the user, with the drive appearing to be unencrypted during use

Simple attacks against this will gain access while the drive is unlocked

32
Q

Volume encryption

A

Filesystem level encryption

Protects specific volumes on the drive and allows additional security beyond encrypting the entire disk with a single key

33
Q

SED

A

Self encrypting drive

Encryption capabilities built into the hardware and firmware of the drive itself

Anything written to the drive is automatically encrypted

BONUS: Uses the Opal storage standard

34
Q

How to sanitize drives

A

1) Wipe the data

2) Destroy the media

35
Q

DBAN

A

Darik’s boot and nuke

Utility that performs multiple passes over an entire disk to attempt to remove all data

36
Q

Data remanence

A

Data that remains on a disk after it’s supposedly been wiped

Major security concern

37
Q

SSH

A

Secure shell

An encrypted protocol used to connect to systems, usually through a CLI

38
Q

OpenSSL

A

An implementation of the TLS protocol, often used to protect other services

EX: Used for HTTPS traffic - any time data needs to be sent across a network in a protected way and SSH or a VPN can’t help, OpenSSL is a good alternative

39
Q

How to use OpenSSL

A

Using OpenSSL and TLS is ideal when two systems that may have never communicated before need to communicate securely

40
Q

Embedded systems

A

Computer systems built into other devices

EX: Industrial machinery, appliances, Tesla cars, etc

41
Q

RTOS

A

Real time OS

OS used in many embedded systems when priority needs to be placed on processing data as it comes in

EX: Anti lock brakes in a car, because it needs specific updates on wheel slippage as you brake

42
Q

Raspberry Pi

A

Single-board computers that have all functions of a computer system like network connectivity, storage, video output, input, CPU, and memory

SoC (system on a chip)

43
Q

Arduino

A

A microcontroller

Includes a low-power CPU with a small amount of memory and storage, and provides input and output capabilities

No network capability

44
Q

FPGA

A

Field programmable gate array

A type of computer chip that can be programmed to redesign how it works, which makes it customizable

Common on things like firewalls and switches

45
Q

ICS

A

Industrial control system

A broad term for industrial automation

46
Q

SCADA

A

Supervisory control and data acquisition

Refers to large systems that run power and water distribution, or other systems covering large areas

47
Q

IoT security concerns

A

1) Weak default settings

2) Lack of network security (firewalls)

3) Exposed or vulnerable services

4) Lack of encryption for data transfer

5) Weak authentication

6) Use of embedded credentials

7) Insecure data storage

48
Q

IoT lifespan concerns

A

Short lifespan means they’re not patched or updated, leaving them potentially vulnerable for most of their lives

49
Q

IoT data concerns

A

1) Vendor data-handling practice issues like licensing and data ownership

2) Potential to reveal data to employees, vendor partners, government, and other agencies without users being aware

50
Q

Specialized systems

A

1) Medical systems, including devices found in hospitals and at doctors’ offices (pacemakers, insulin pumps, etc)

2) Smart meters that track utility usage

3) Vehicles from cars to aircraft and even ships

4) Drones and AVs (autonomous vehicles)

5) VoIP systems

6) Printers, including MFPs (multifunction printers)

7) Surveillance systems

51
Q

SIM

A

Subscriber identity module

A universal integrated circuit card we see in mobile phones, but also in IoT devices that use cellular networks

Contains IMSI (international mobile subscriber identity), authentication and contact info, etc

Target of attacks, like SIM cloning

52
Q

Integrity Measurements Check

A

See if all the details in your configuration documentation match what’s running in a particular app

Check against your well established baselines

If there are any deviations from a baseline, you need to understand what it is and how to correct it

53
Q

Standard naming conventions

A

Name devices and cables in your environment so you can refer to them in documentation or change control and everyone understands where each one is located

Give tasks to someone in a data center and they know exactly which location to go to (server rack, etc)

Network equipment should have switches and routers clearly labeled with interface names and patch panel numbers on each one

Standardization for usernames in your environment and email addresses used in your server

54
Q

SoC

A

System on a chip

Multiple components running on a single chip

55
Q

Zigbee

A

An IEEE 802.15.4 standard PAN, an alternative to WiFi and Bluetooth

A way to communicate with IoT devices over longer distances using less power

Also allows all IoT devices to form a mesh network, which means devices on one end of the home can hop through other IoT devices on the other side of your home

In the US, communicates over the ISM (industrial, scientific, and medical) band at 900 MHz and 2.4 GHz

56
Q

Narrowband

A

If the embedded device isn’t using the cellular network to communicate, it may use narrowband

Narrowband uses smaller frequency bandwidth than broadband, which allows many different comms in a single set of frequencies, and it can communicate over longer distances

EX: SCADA equipment or sensors in oil fields

57
Q

Baseband

A

Uses a single frequency to communicate, often over a single cable or fiber connection using digital comms

Anything going over the link is going to use 0% or 100% of the connection

It can be bidirectional, but usually only goes one way at a time

EX: We see it on ethernet connections 100BASE-TX, 1000BASE-T, 10GBASE-T

58
Q

Constraints with embedded devices

A

1) Power: May not have access to main power source, and batteries might be needed

2) Compute: Low-power CPUs are limited in speed

3) Network: May not have the option for wired connections, might be in the middle of nowhere

4) Cryptography: Can’t add or change cryptography functions

5) Inability to patch: Some have no field-upgradeable options, or upgrades could be limited or difficult to install

6) Authentication: Security features are an afterthought, no MFA, limited integration with directory services

7) Range: Purpose-built and usually does one thing very well, but that’s about it

8) Cost: They come at a low cost, but that low cost can negatively impact product quality

9) Implied trust: Limited access to the hardware and software, difficult to verify the security posture

59
Q

Trusted boot

A

The bootloader verifies the digital signature of the OS kernel, and a corrupted kernel will halt the boot process

The kernel verifies all other startup components like boot drivers and startup files

ELAM (early launch antimalware) starts before loading the drivers, which checks all drivers against digital signatures

If the driver fails, or the signature is untrusted, OS won’t load the driver

60
Q

Remote attestation

A

A device provides a central management server with a verification report showing the info gathered during measured boot, and it’s encrypted and digitally signed by the TPM

An attestation server receives the boot report and compares the information to the information it knows to be trusted

If that shows modifications, the sysadmins can turn it off or have it disabled until a tech can look at it