Security Plus - Chapter 11 Flashcards

1
Q

Operating System Vulnerabilities

A

Vulnerabilities directly in the operating system drive ongoing operating system patching as well as configuring systems to minimize their attack footprint, i.e., the number of services that are exposed and can thus potentially be targeted.

Default passwords and insecure default settings are potential targets for an attacker.

Configurations can also introduce vulnerabilities by not ensuring the proper security controls are established, e.g., mandatory access control, which limits access to the OS.

Misconfiguration occurs when human error does not secure the OS to meet the organization’s baseline controls for the OS.

2
Q

Hardware Vulnerabilities

A

Firmware vulnerabilities - The embedded software that allows devices to function and is tightly connected to the hardware. This may or may not be possible to update depending on the design or implementation of the hardware. Firmware attacks may occur through any path that allows access to the firmware.

End-of-life or legacy hardware drives concern around lack of support. An end-of-life device or system also means the end of support from the manufacturer. Without updated security fixes, the system or device becomes vulnerable.
Vendor Terminology for End of Life system
- End of Sales
- End of life
- End of support
- Legacy - Systems still being used that no longer are supported by the vendor

3
Q

Endpoints

A

Desktops, mobile devices, servers, and a variety of other systems.

4
Q

Endpoint Protection Methods

A

Preserving boot integrity - Ensuring that no untrusted or malicious components are inserted into the boot process. Begins with the hardware root of trust, which contains the cryptographic keys that secure the boot process. A common implementation of the hardware root of trust is the TPM chip built into many computers. TPM chips provide built-in encryption and provide:
- Remote attestation - Allows hardware and software configurations to be verified
- Binding - Encrypts data
- Sealing - Encrypts data and sets requirements for the state of the TPM chip before decryption.

Modern UEFI (replaced BIOS) firmware leverages two different techniques for securing the system.
- Secure boot - Ensures the system boots using only software that the original equipment manufacturer trusts. The system needs to have a signature database listing the secure signatures of trusted software and firmware for the boot process.
- Measured boot - Relies on the UEFI firmware to hash the firmware, boot loader, drivers, and anything else that is part of the boot process. The data gathered is stored in the Trusted Platform Module (TPM), and the logs can be validated remotely to let security administrators know the boot state of the system. The boot attestation is compared against known good states, and administrators can take action if the measured boot shows a difference from the accepted or secured known state.

5
Q

Endpoint Hardware Security

A

Trusted Platform Module (TPM) - A physical or embedded security technology that uses cryptography to store and protect sensitive information on a computer.
Hardware security modules (HSM) - Used to create, store, and manage keys for multiple systems.
Key Management System (KMS) - A service used to manage keys, certificates, or secrets in a centralized manner.

6
Q

Endpoint Security Tools

A

Antivirus and Antimalware
Allow and Deny Lists
Endpoint Detection and Response and Extended Detection and Response
Data Loss Prevention
Network Defenses

7
Q

Antivirus and Antimalware

A

Work to detect malicious software and applications through a variety of means.
Methods of antimalware:
- Signature-based detection - Uses a hash- or pattern-based signature to identify files or components of malware that have been previously observed. Used by traditional tools, but attackers have used polymorphism to alter malware every time it is installed, as well as encryption and packing, to make signatures less useful.
- Heuristic or behavior-based - Looks at what actions the malicious software takes and matches them to profiles of unwanted activities. These can identify new malware based on what it is doing, rather than matching it to a known fingerprint.
- Artificial Intelligence (AI) and Machine Learning (ML) - Leverage large amounts of data to find ways to identify malware that may include heuristic, signature, and other detection capabilities.
- Sandboxing - A protected environment where unknown, untrusted, potentially dangerous, or known malicious code can be run to observe it.

8
Q

Allow and Deny Lists

A

Allow and deny lists are ways to control what applications are permitted to be installed on an endpoint.
Allow list - A list of software, applications, and other system components that are allowed to exist and run on a system. If they are not on the list, they will not be permitted for installation, or they will be removed or disabled. An allow list provides greater security.
Deny (block) list - A list of software or applications that cannot be installed or run on the system. If specific programs are considered undesirable, a deny list is a better choice.
Implemented through firewall rules and similar technologies.
Both require ongoing maintenance.

9
Q

Endpoint Detection and Response (EDR)

A

Combines monitoring capabilities on endpoint devices and systems, using a client or software agent, with network monitoring and log analysis capabilities to collect, correlate, and analyze events. Analysts are able to search and explore the collected data and use it to perform investigations and detect suspicious activity.

10
Q

Extended Detection and Response (XDR)

A

Similar to EDR but broadens the perspective by not only considering the endpoints but also the full breadth of an organization’s technology stack, including cloud services, security services and platforms, email, and similar components.

11
Q

Data Loss Prevention (DLP)

A

Protects organizational data from both theft and inadvertent exposure. DLP may be deployed to endpoints in the form of clients or applications. DLP also has network- and server-resident components to ensure data is managed throughout its lifecycle.
Elements of DLP:
- Data classification/labeling
- Policy management and enforcement
- Monitoring and reporting

12
Q

Network Defenses

A

Host-based firewalls
Host-based intrusion prevention systems (HIPS)
Host-based intrusion detection systems (HIDS)

13
Q

Host-Based Firewall

A

Firewalls that are built into most modern operating systems and are typically enabled by default. They don't offer insight into the traffic being filtered; they provide basic blocking or allowing of applications, services, ports, or protocols.

14
Q

Host-Based Intrusion Prevention System

A

Analyzes traffic before it reaches services or applications on the host. It can take some type of action on the traffic, including filtering out malicious traffic or blocking specific elements of the data. It can filter complex traffic across multiple packets or an entire series of communications.

15
Q

Host-Based Intrusion Detection System

A

Analyzes traffic before it reaches services or applications on the host. It does not take an action on the traffic but can report or alert when it discovers an issue.

16
Q

Hardening

A

Involves changing the settings on the system to increase its overall level of security and reduce its vulnerability to attack. Tools and scripts are the common way to perform hardening of a system. Areas of hardening:
Service Hardening
Network Hardening
Default Passwords
Removing unnecessary software

17
Q

Service Hardening

A

Reducing the number of ports that are accessible on a system is the quickest way to decrease the attack surface. Disable ports and protocols to reduce the ability of an attacker to access a system remotely. Rule of thumb: only enable the ports or services that are required for the system to provide the necessary services. Port scanners offer attackers the ability to scan a system and quickly find the open ports.

18
Q

Network Hardening

A

Using a virtual local area network (VLAN) to segment different trust levels, user groups, or systems is the best way to harden a network. Placing IoT devices on separate VLANs, with appropriate access controls or dedicated network security protections for each VLAN, helps to ensure that more vulnerable devices are better protected.

19
Q

Default Passwords and Accounts

A

Change the password on any standard vendor-provided account. Also disable the default account if it is not necessary for ongoing processing functions.

20
Q

Removing Unnecessary Software

A

Removing unnecessary software reduces the attack surface, since there is less software for an attacker to exploit. Many systems have pre-installed software that is not necessary for the system to run. This also reduces maintenance issues, since that software no longer needs to be kept updated on an ongoing basis.

21
Q

Operating System Hardening

A

Updating the settings on a system to match the desired security stance for a given system. Examples of configuration settings to modify:
- Setting the password history to remember 24 or more passwords
- Setting the maximum password age to 365 or fewer days, but not 0, preventing users from simply changing their passwords 24 times to get back to the same password again.
- Setting the minimum password length to 14 or more characters
- Requiring password complexity
- Disabling the storage of passwords using reversible encryption

Can be updated in local security policy or with Group Policy.

22
Q

Windows Registry Hardening

A

Windows Group Policy provides Windows systems and domains the ability to control settings through Group Policy Objects (GPOs). The Microsoft Security Compliance Toolkit can configure security configuration baselines, compare deployed GPOs to the baseline, and allow editing through Active Directory.

23
Q

Linux Hardening

A

Security Enhanced Linux (SELinux) is a kernel-based security module that provides additional security capabilities and options. It provides mandatory access control (MAC) that can be enforced at the user, file, system service, and network layers for least-privilege-based security. It enforces user rights based on the username, role, and type of domain for each entity.

24
Q

OS Hardening Configuration, Standards, and Schemas

A

Configuration management tools are a powerful option to ensure the systems in an organization have the right security settings. They help enforce standards, manage systems, and report on areas where systems do not match expected settings. The configuration tools start with a baseline configuration that systems throughout the organization will be compared with. Baseline phases:
- Establishing the baseline - This uses an existing industry standard (e.g., a CIS Benchmark) with modifications and adjustments made to fit the organization.
- Deploying the baseline - Manually or using a central management tool, the baseline is placed on the systems, depending on the scope, scale, and capabilities of the organization.
- Maintaining the baseline - Using the central management tool and its enforcement capabilities, as well as adjusting the organization's baseline as determined through use of the baseline.

25
Q

Patching and Patch Management

A

Ensuring that systems and software are up to date hardens endpoint security by removing known vulnerabilities. Timely patching decreases how long vulnerabilities and flaws can be used against those systems. Patching may introduce new flaws or cause an availability issue, so patching needs to be controlled and managed.

26
Q

Encryption

A

Keeping the contents of disks secure protects data in the event that a system or disk is lost, stolen, or compromised.
- Full disk encryption (FDE) - Encrypts the disk and requires that the bootloader or a hardware device provide a decryption key, and that software or hardware decrypt the drive for use.
- Transparent encryption - The drive appears to be unencrypted during use. These are the simplest to attack, because there is no encryption while the drive is in use.
- FDE can also be implemented at the hardware level, using self-encrypting drives (SED), which implement encryption capabilities in their hardware and firmware and require a key to boot from the drive; the key may be entered manually or provided by a hardware token or device.
- Volume encryption - Protects specific volumes of the hard drive, allowing different levels of trust and additional security beyond that provided by encrypting the disk with a single key.

27
Q

Embedded Systems

A

Computer systems that are built into other devices. Highly specialized, running customized operating systems, with very specific functions and interfaces exposed to the user. Many use a real-time operating system (RTOS), which is used when priority needs to be placed on processing data as it comes in, rather than using interrupts for the operating system or waiting for tasks already being processed to be handled before the data is processed.

28
Q

Assessing Embedded Systems

A

Identify the manufacturer or type of embedded system and acquire documentation or other materials about it.

Determine how the embedded system interfaces with the world; does it connect to a network, to other embedded devices, or just through a keyboard/mouse or other physical interface?

If the device does provide a network connection, identify any services or access to it provided through that network connection, and how you can secure those services or the connection itself.

Learn about how the device is updated, if patches are available, and how and when those patches should be installed; then ensure a patching cycle is in place that matches the device threat model and usage requirements.

Document what your organization would do in the event that the device has a security issue or compromise.

Document your findings and ensure that appropriate practices are included in your organization's operational procedures.

29
Q

Security Constraints of Embedded Systems

A

The overall computational power and capacity of these systems are usually much lower than those of a traditional PC or mobile device.

Embedded systems may not connect to a network. This may cause the inability to patch, update, or monitor.

Without network connectivity or sufficient CPU and memory capacity, authentication may not be possible; therefore, no access controls may be established.

Embedded systems may be very low cost but effectively very expensive, because they are part of a larger industrial or specialized system. Simple replacement if one fails may not be possible.

30
Q

Securing the Internet of Things (IoT)

A

IoT describes network-connected devices that are used for automation, sensors, security, and similar tasks. IoT devices are a type of embedded system but may leverage technologies like ML or AI to provide "smart" features.

Security concerns of IoT:
Poor security practices, including weak default settings, lack of network security (firewalls), exposed or vulnerable services, lack of encryption for data transfer, embedded credentials, insecure data transmission or storage.

Short support lifespan - IoT devices may not be patched or updated in a timely manner if at all.

Vendor data handling practices - Licensing and data ownership concerns as well as potentially revealing data to employees and partners of the vendor without an agreement in place.

31
Q

Asset Inventory Enumeration

A

Scanning a system to identify assets. This may involve port and vulnerability scans to help identify systems that are not part of the inventory.

32
Q

Asset Management Lifecycle Management Security

A

Acquisition and procurement - Ensure security best practices are followed with a risk assessment, to verify that the appropriate controls and features are implemented and that contracts and agreements are in place.

Once assets are acquired, they need to be added to inventories and tracked through their lifespan. This includes assigning owners or managers, classifications (particularly for the data that resides on the system), and the tools that these assets will be working with.

Decommission - When systems are at the end of their useful life for the organization, the asset must be decommissioned, which typically involves removing the device from service, removing it from inventory, and ensuring no sensitive data remains on the system.

33
Q

Sanitization of Data

A

Degaussing - Wiping data from a magnetic hard drive or tape by exposing it to a strong magnetic field, scrambling the patterns of bits written to the media. A quick way to destroy data.
Wiping data - Performing a series of overwrites on a drive by repeatedly rewriting the drive with 1s and 0s over numerous passes. The number of passes depends on how important it is to overwrite the data; the more passes, the less recoverable the data is.
Shredding/Pulverizing - Completely destroying the drives verifies that no data will be recoverable, but the media is no longer usable.