Security Plus - Chapter 11 Flashcards
Operating System Vulnerabilities
Vulnerabilities directly in the operating system drive ongoing operating system patching as well as configuring systems to minimize their attack surface (footprint): the number of services that are exposed and can therefore be targeted.
Default passwords and insecure default settings are potential targets for an attacker.
Configuration can also introduce vulnerabilities when the proper security controls are not established, for example mandatory access control (MAC), which restricts what users and processes may do on the OS.
Misconfiguration occurs when human error leaves the OS short of the organization's baseline controls for that OS.
Hardware Vulnerabilities
Firmware vulnerabilities - Firmware is the embedded software that allows a device to function and is tightly coupled to its hardware. Depending on the design or implementation of the hardware, it may or may not be possible to update. Firmware attacks may occur through any path that provides access to the firmware.
End-of-life or legacy hardware raises concern around lack of support. An end-of-life device or system also means the end of support from the manufacturer; without ongoing security fixes, the system or device becomes increasingly vulnerable.
Vendor Terminology for End-of-Life Systems
- End of sales
- End of life
- End of support
- Legacy - Systems still in use that are no longer supported by the vendor
Endpoints
Desktops, mobile devices, servers, and a variety of other systems.
Endpoint Protection Methods
Preserving boot integrity - Ensuring that no untrusted or malicious components are inserted into the boot process. Begins with the hardware root of trust, which holds the cryptographic keys that secure the boot process. The most common implementation of the hardware root of trust is the Trusted Platform Module (TPM) chip built into many computers. TPM chips provide built-in cryptographic functions and support:
- Remote attestation - Allows the hardware and software configuration of the system to be verified by a remote party
- Binding - Encrypts data with a key held by the TPM, so only that TPM can decrypt it
- Sealing - Encrypts data and additionally requires the TPM (its platform configuration registers) to be in a specified state before decryption is allowed
Modern UEFI firmware, which replaced the legacy BIOS, provides two techniques for securing the boot process.
- Secure boot - Ensures the system boots only software that the original equipment manufacturer (OEM) trusts. The firmware holds a signature database listing the signatures of trusted boot software and firmware; anything not signed by a trusted key is refused.
- Measured boot - Relies on the UEFI firmware to hash the firmware, boot loader, drivers, and everything else that takes part in the boot process. The measurements are stored in the TPM's platform configuration registers along with an event log, and the log can be validated remotely so security administrators know the boot state of the system. The boot attestation is compared against a known-good state, and administrators can take action if the measured boot differs from the accepted, secure known state.
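The measured-boot and sealing mechanics above are easier to see in code. The following is an added example, not part of the original notes and not real TPM firmware: it simulates the TPM extend operation (PCR = SHA-256(PCR || SHA-256(component))), builds the event log a verifier would replay, and seals a secret to the resulting PCR value so it cannot be unsealed once the boot chain changes. The boot component byte strings, the golden value, and the `simulated-storage-root-key` wrapping key are all constructed for the demonstration.

```python
"""Simulated measured boot and TPM sealing (added example, no real TPM involved).

Each boot component is hashed and 'extended' into a platform configuration
register (PCR) the way a TPM does: PCR = SHA-256(PCR || SHA-256(component)).
The final PCR value plus the event log is what a remote verifier checks, and a
secret sealed to the good PCR value cannot be unsealed when the boot chain changes.
"""
import hashlib
import hmac

PCR_INIT = b"\x00" * 32  # PCRs are zeroed at reset, so the chain always starts here

# Constructed boot chain; the byte strings stand in for real firmware/boot-loader images.
GOOD_BOOT = [
    ("uefi_firmware", b"vendor UEFI 2.1"),
    ("boot_loader", b"shim + grub 2.06"),
    ("kernel", b"vmlinuz-6.1"),
]
# Same chain, but the boot loader has been replaced by a bootkit-infected copy.
TAMPERED_BOOT = [GOOD_BOOT[0], ("boot_loader", b"shim + grub 2.06 + bootkit"), GOOD_BOOT[2]]


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """One TPM extend operation: hash the component, then hash it into the old PCR."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(components):
    """Firmware side: extend every component in order and record an event log."""
    pcr, log = PCR_INIT, []
    for name, blob in components:
        log.append((name, hashlib.sha256(blob).hexdigest()))
        pcr = pcr_extend(pcr, blob)
    return pcr, log


def replay_log(log) -> bytes:
    """Verifier side: recompute the PCR from the event log alone."""
    pcr = PCR_INIT
    for _, digest_hex in log:
        pcr = hashlib.sha256(pcr + bytes.fromhex(digest_hex)).digest()
    return pcr


GOLDEN_PCR, _ = measure_boot(GOOD_BOOT)  # known-good state recorded by the administrator


def attest(quoted_pcr: bytes, log) -> dict:
    """Remote attestation check: the log must reproduce the quoted PCR, and the PCR
    must equal the golden value. A log edited to hide a tampered stage fails the first test."""
    return {
        "log_matches_quote": replay_log(log) == quoted_pcr,
        "matches_golden": quoted_pcr == GOLDEN_PCR,
    }


def _wrap_key(pcr: bytes) -> bytes:
    # Simulated: a real TPM wraps under its storage root key with a PCR policy attached.
    return hmac.new(b"simulated-storage-root-key", pcr, hashlib.sha256).digest()


def seal(secret: bytes, pcr: bytes) -> bytes:
    """Seal a secret (up to 32 bytes) to a PCR value; output is ciphertext || MAC tag."""
    if len(secret) > 32:
        raise ValueError("demo sealing handles at most 32 bytes")
    key = _wrap_key(pcr)
    ct = bytes(a ^ b for a, b in zip(secret, key))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def unseal(blob: bytes, pcr: bytes):
    """Return the secret only if the current PCR equals the sealing PCR, else None."""
    key = _wrap_key(pcr)
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        return None  # platform is not in the sealed state: refuse to release the secret
    return bytes(a ^ b for a, b in zip(ct, key))


if __name__ == "__main__":
    for label, chain in (("good", GOOD_BOOT), ("tampered", TAMPERED_BOOT)):
        pcr, log = measure_boot(chain)
        print(label, attest(pcr, log), "unseal:", unseal(seal(b"disk-key", GOLDEN_PCR), pcr))
```

Two properties worth noticing when running it: extending the same components in a different order yields a different PCR, so the chain's order is part of what gets attested, and an attacker who tampers with the boot loader but submits the golden event log is caught because the log no longer reproduces the quoted PCR.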
Endpoint Hardware Security
Trusted Platform Module (TPM) - A physical or embedded security chip that uses cryptography to store and protect keys and other sensitive information on a computer.
Hardware security module (HSM) - A dedicated, tamper-resistant device used to create, store, and manage keys for multiple systems.
Key management system (KMS) - A service used to manage keys, certificates, or secrets in a centralized manner.
Endpoint Security Tools
Antivirus and Antimalware
Allow and Deny Lists
Endpoint Detection and Response and Extended Detection and Response
Data Loss Prevention
Network Defenses
Antivirus and Antimalware
Work to detect malicious software and applications through a variety of means.
Methods of antimalware:
- Signature-based detection - Uses a hash or pattern-based signature to identify files or components of malware that have been observed before. Used by traditional tools, but attackers have responded with polymorphism, which alters the malware every time it is installed, and with encryption and packing, all of which make static signatures less useful.
- Heuristic or behavior-based - Looks at what actions the software takes and matches them to profiles of unwanted activity. This can identify new malware by what it does rather than by matching a known fingerprint.
- Artificial Intelligence (AI) and Machine Learning (ML) - Leverage large amounts of data to identify malware, and may combine heuristic, signature, and other detection capabilities.
- Sandboxing - A protected environment where unknown, untrusted, potentially dangerous, or known malicious code can be run to observe it.
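The signature-versus-behavior trade-off above is concrete enough to demonstrate. The following is an added example, not code from the original notes or from any antimalware product: it checks a constructed "dropper" image against a hash and a byte-pattern signature, then builds a polymorphic variant by re-encoding the body so the static signatures miss it, and shows the weighted behavior profile still flagging it. The sample bytes, the action names, their weights, and the threshold are all constructed for the demonstration.

```python
"""Signature-based vs behavior-based malware detection (added example, constructed samples)."""
import hashlib

# Constructed 'known' dropper image. The bytes are a stand-in for a real executable.
KNOWN_DROPPER = b"MZ\x90\x00 dropper v1: copies self to %TEMP%, adds Run key, disables AV"
# Polymorphic / packed variant: same behaviour, but the body is re-encoded so every
# byte after the header differs. Constructed here by XOR-ing the body with 0x5A.
POLYMORPHIC_DROPPER = KNOWN_DROPPER[:4] + bytes(b ^ 0x5A for b in KNOWN_DROPPER[4:])
BENIGN_EDITOR = b"MZ\x90\x00 text editor 3.2"

# Signature database: exact hashes plus byte patterns seen in earlier samples.
HASH_SIGNATURES = {hashlib.sha256(KNOWN_DROPPER).hexdigest(): "Trojan.Dropper.Sim"}
PATTERN_SIGNATURES = [(b"dropper v1", "Trojan.Dropper.Sim.pattern")]


def signature_scan(image: bytes):
    """Static check: hash lookup first, then byte-pattern search. Returns the name or None."""
    name = HASH_SIGNATURES.get(hashlib.sha256(image).hexdigest())
    if name:
        return name
    for pattern, pname in PATTERN_SIGNATURES:
        if pattern in image:
            return pname
    return None


# Behaviour profile: weights for actions observed at runtime (or in a sandbox).
ACTION_WEIGHTS = {
    "write_executable_to_temp": 2,
    "create_run_key": 3,          # persistence through an autorun registry key
    "disable_security_tool": 4,
    "inject_remote_thread": 4,
    "connect_unknown_host": 2,
    "read_document": 0,
    "write_document": 0,
}
BEHAVIOR_THRESHOLD = 6  # below this, a couple of mildly unusual actions are tolerated


def behavior_score(events):
    """Sum the weights of matched suspicious actions; unknown events score 0."""
    matched = [e for e in events if ACTION_WEIGHTS.get(e, 0) > 0]
    return sum(ACTION_WEIGHTS[e] for e in matched), matched


def classify(image: bytes, events):
    """Signature first (cheap and precise), then behaviour (catches unseen variants)."""
    name = signature_scan(image)
    if name:
        return "malicious", f"signature match: {name}"
    score, matched = behavior_score(events)
    if score >= BEHAVIOR_THRESHOLD:
        return "malicious", f"behaviour score {score} from {matched}"
    return "clean", f"behaviour score {score}"


# Constructed runtime traces.
DROPPER_EVENTS = ["write_executable_to_temp", "create_run_key", "disable_security_tool", "connect_unknown_host"]
EDITOR_EVENTS = ["read_document", "write_document"]
INSTALLER_EVENTS = ["write_executable_to_temp", "connect_unknown_host"]  # unusual, but not enough on its own

if __name__ == "__main__":
    print(classify(KNOWN_DROPPER, DROPPER_EVENTS))
    print(classify(POLYMORPHIC_DROPPER, DROPPER_EVENTS))
    print(classify(BENIGN_EDITOR, EDITOR_EVENTS))
    print(classify(BENIGN_EDITOR, INSTALLER_EVENTS))
```

The pattern signature still catches a trivially padded copy of the known sample, which is why pattern matching outlasts pure hashing; the re-encoded variant defeats both, and only the behavior score (11 here, from persistence, disabling security tooling, and an unknown outbound connection) flags it. The installer trace shows the threshold doing its job: two mildly unusual actions score 4 and stay below the cut-off.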
Allow and Deny Lists
Allow and deny lists are ways to control which applications are permitted to be installed or run on an endpoint.
Allow list - A list of software, applications, and other system components that are permitted to exist and run on a system. Anything not on the list is refused installation, or is removed or disabled. Because everything not explicitly listed is blocked, an allow list provides greater security.
Deny (block) list - A list of software or applications that cannot be installed or run on the system; everything else is permitted. When only specific programs are considered undesirable, a deny list is the more practical choice.
Implemented through application control policies (for applications), firewall rules (for network traffic), and similar technologies.
Both require ongoing maintenance: an allow list must be updated whenever legitimate software changes, and a deny list must keep pace with new threats.
Endpoint Detection and Response (EDR)
Combine monitoring of endpoint devices and systems, using a client or software agent, with network monitoring and log analysis to collect, correlate, and analyze events. Analysts can search and explore the collected data, use it to perform investigations, and detect suspicious activity.
Extended Detection and Response (XDR)
Similar to EDR but broadens the perspective by not only considering the endpoints but also the full breadth of an organization’s technology stack, including cloud services, security services and platforms, email, and similar components.
Data Loss Prevention (DLP)
Protects organizational data from both theft and inadvertent exposure. DLP may be deployed to endpoints as clients or applications, and also has network- and server-resident components to ensure data is managed throughout its lifecycle.
Elements of DLP:
- Data classification/labeling
- Policy management and enforcement
- Monitoring and reporting
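The three DLP elements above (labels, policy enforcement, and reporting) come together in a content check on outbound messages. The following is an added example, not part of the original notes and not any vendor's DLP engine: it validates card-number candidates with the Luhn checksum so order numbers do not trigger false positives, treats SSN-shaped strings as PII, and then applies a label-based policy that fails closed for unknown labels. The `example.com` internal domain, the label-to-action table, and the sample messages are constructed for the demonstration.

```python
"""Content-aware DLP check for outbound messages (added example, constructed messages)."""
import re

INTERNAL_DOMAIN = "example.com"  # assumed internal mail domain

# Classification labels and the action taken when labelled data leaves the organization.
LABEL_POLICY = {
    "Public": "allow",
    "Internal": "alert",        # let it through, but log and notify the data owner
    "Confidential": "block",
    "Restricted": "block",
}

# Candidate card numbers: 13-16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: keeps order numbers and phone numbers out of the card matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text: str):
    """Return (type, value) pairs for card numbers passing Luhn and for SSN-shaped strings."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(("card", digits))
    hits.extend(("ssn", m.group()) for m in SSN_RE.finditer(text))
    return hits


def evaluate(message: dict):
    """Decide allow/alert/block for one outbound message and explain why (for the report)."""
    recipient_domain = message["to"].rsplit("@", 1)[-1].lower()
    if recipient_domain == INTERNAL_DOMAIN:
        return "allow", "internal recipient"
    pii = find_pii(message["body"])
    if pii:
        return "block", "PII leaving the organization: " + ", ".join(t for t, _ in pii)
    label = message.get("label", "Internal")  # unlabelled data is treated as Internal
    action = LABEL_POLICY.get(label, "block")  # unknown labels fail closed
    return action, f"label {label}"


# Constructed sample messages.
MESSAGES = [
    {"to": "partner@vendor.example", "label": "Public",
     "body": "Order 4111 1111 1111 1111 charged, thanks!"},          # valid card number -> block
    {"to": "partner@vendor.example", "label": "Public",
     "body": "Ticket 4111 1111 1111 1112 is closed."},                # fails Luhn -> allow
    {"to": "hr@vendor.example", "label": "Internal",
     "body": "Applicant SSN 123-45-6789 attached."},                  # SSN -> block
    {"to": "cfo@example.com", "label": "Confidential",
     "body": "Q3 forecast, do not distribute."},                      # internal recipient -> allow
    {"to": "press@news.example", "label": "Confidential",
     "body": "Q3 forecast, do not distribute."},                      # label -> block
    {"to": "consultant@vendor.example", "body": "Meeting notes."},    # unlabelled -> alert
]

if __name__ == "__main__":
    for msg in MESSAGES:
        print(msg["to"], "->", evaluate(msg))
```

The ordering inside `evaluate` is the policy decision that matters: detected PII blocks regardless of label, because a document labelled Public can still contain a card number someone pasted in, while the label only governs what happens when no PII is found.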
Network Defenses
Host-based firewalls
Host-based intrusion prevention systems (HIPS)
Host-based intrusion detection systems (HIDS)
Host-Based Firewall
Firewalls built into most modern operating systems, typically enabled by default. They offer little insight into the traffic being filtered; they provide basic blocking or allowing of applications, services, ports, or protocols.
Host-Based Intrusion Prevention System
Analyzes traffic before it reaches services or applications on the host. It can take action on the traffic, including filtering out malicious traffic or blocking specific elements of the data, and it can inspect complex traffic spanning multiple packets or an entire series of communications.
Host-Based Intrusion Detection System
Analyzes traffic before it reaches services or applications on the host. It does not act on the traffic, but reports or alerts when it discovers an issue.
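The division of labor among the three host defenses above (port/protocol filtering, stateful content inspection that blocks, and the same inspection that only alerts) is shown by the following added example. It is not code from the original notes or from any firewall or IDS product: a first-match, default-deny rule table plays the host firewall, and a per-stream reassembly buffer plays the HIPS/HIDS, catching a path-traversal signature that is split across two packets where a naive per-packet check misses it. The rule table, the signatures, and the traffic are constructed for the demonstration.

```python
"""Host firewall, HIPS and HIDS over one series of packets (added example, constructed traffic)."""
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str
    src: str
    dst_port: int
    payload: bytes = b""
    stream: int = 0  # connection identifier, so the inspector can follow a series of packets


# Host firewall: first matching rule wins; anything unmatched hits the default deny.
FIREWALL_RULES = [
    ("tcp", 22, "allow"),
    ("tcp", 8080, "allow"),
    ("udp", 53, "allow"),
]


def firewall(pkt: Packet) -> str:
    """Port/protocol filtering only: the payload is never examined."""
    for proto, port, action in FIREWALL_RULES:
        if pkt.proto == proto and pkt.dst_port == port:
            return action
    return "deny"


# Content signatures the HIDS/HIPS looks for inside the reassembled stream.
SIGNATURES = [
    (b"../../etc/passwd", "path traversal"),
    (b"' OR 1=1", "SQL injection"),
]


def per_packet_match(pkt: Packet):
    """Naive check that looks at each packet on its own; misses signatures split across packets."""
    return [name for pattern, name in SIGNATURES if pattern in pkt.payload]


class StreamInspector:
    """Reassembles each stream's payload so a signature split across packets is still seen.
    mode='detect' behaves as a HIDS (alert only); mode='prevent' behaves as a HIPS (drop)."""

    WINDOW = 256  # bytes of history kept per stream

    def __init__(self, mode: str):
        self.mode = mode
        self.buffers = {}
        self.findings = []

    def inspect(self, pkt: Packet) -> str:
        buf = self.buffers.get(pkt.stream, b"") + pkt.payload
        for pattern, name in SIGNATURES:
            if pattern in buf:
                self.findings.append((pkt.stream, pkt.src, name))
                self.buffers[pkt.stream] = b""  # consume the matched bytes so they alert once
                return "drop" if self.mode == "prevent" else "alert"
        self.buffers[pkt.stream] = buf[-self.WINDOW:]
        return "pass"


def process(packets, mode: str):
    """Firewall first (cheap, per packet), then stream inspection for whatever it lets through."""
    inspector = StreamInspector(mode)
    verdicts = []
    for pkt in packets:
        if firewall(pkt) == "deny":
            verdicts.append("deny")
            continue
        verdicts.append(inspector.inspect(pkt))
    return verdicts, inspector.findings


# Constructed traffic: a telnet probe, a traversal attempt split over two packets, and a normal request.
TRAFFIC = [
    Packet("tcp", "10.0.0.5", 23, b"login: root"),
    Packet("tcp", "10.0.0.7", 8080, b"GET /files/..", stream=1),
    Packet("tcp", "10.0.0.7", 8080, b"/../etc/passwd HTTP/1.1\r\n", stream=1),
    Packet("tcp", "10.0.0.9", 8080, b"GET /index.html HTTP/1.1\r\n", stream=2),
]

if __name__ == "__main__":
    for mode in ("detect", "prevent"):
        print(mode, process(TRAFFIC, mode))
```

Run in "detect" mode the inspector reports the traversal and lets the packet pass, which is the HIDS behavior; in "prevent" mode the same finding turns into a dropped packet, which is the HIPS behavior. The telnet probe never reaches the inspector at all, because the host firewall's default deny disposes of it on port and protocol alone.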