Security Plus - Chapter 11 Flashcards
(33 cards)
Operating System Vulnerabilities
Vulnerabilities directly in the operating system drive ongoing operating system patching as well as configuring systems to minimize their attack footprint, i.e. the number of services that are exposed and can thus potentially be targeted.
Default passwords and insecure default settings are potential targets for an attacker.
Configurations can also introduce vulnerabilities by not ensuring the proper security controls are established, e.g. mandatory access control, which limits access to the OS.
Misconfiguration occurs when human error does not secure the OS to meet the organization’s baseline controls for the OS.
Hardware Vulnerabilities
Firmware vulnerabilities - Firmware is the embedded software that allows devices to function and is tightly connected to the hardware. It may or may not be possible to update, depending on the design or implementation of the hardware. Firmware attacks may occur through any path that allows access to the firmware.
End-of-life or legacy hardware drives concern around lack of support. An end-of-life device or system also means end of support from the manufacturer. Without updated security fixes, the system or device becomes vulnerable.
Vendor Terminology for End of Life system
- End of Sales
- End of life
- End of support
- Legacy - Systems still being used that are no longer supported by the vendor
Endpoints
Desktops, mobile devices, servers, and a variety of other systems.
Endpoint Protection Methods
Preserving boot integrity - Ensuring that no untrusted or malicious components are inserted into the boot process. Begins with the hardware root of trust, which contains the cryptographic keys that secure the boot process. A common implementation of the hardware root of trust is the TPM chip built into many computers. TPM chips provide built-in encryption and provide:
- Remote attestation - Allows hardware and software configurations to be verified
- Binding - Encrypts data
- Sealing - Encrypts data and sets requirements for the state of the TPM chip before decryption.
Modern UEFI (replaced BIOS) firmware leverages two different techniques for securing the system.
- Secure boot - Ensures the system boots using only software that the original equipment manufacturer trusts. The system needs to have a signature database listing the secure signatures of trusted software and firmware for the boot process.
- Measured boot - Relies on the UEFI firmware to hash the firmware, boot loader, drivers, and anything else that is part of the boot process. The data gathered is stored in the Trusted Platform Module (TPM), and the logs can be validated remotely to let security administrators know the boot state of the system. The boot attestation is compared against known good states, and administrators can take action if the measured boot differs from the accepted, secured known state.
Endpoint Hardware Security
Trusted Platform Module (TPM) - A physical or embedded security technology that uses cryptography to store and protect sensitive information on a computer.
Hardware security modules (HSM) - Used to create, store, and manage keys for multiple systems.
Key Management System (KMS) - A service used to manage keys, certificates, or secrets in a centralized manner.
Endpoint Security Tools
Antivirus and Antimalware
Allow and Deny Lists
Endpoint Detection and Response and Extended Detection and Response
Data Loss Prevention
Network Defenses
Antivirus and Antimalware
Work to detect malicious software and applications through a variety of means.
Methods of antimalware:
- Signature-based detection - Uses a hash or pattern-based signature detection method to identify files or components of malware that have been previously observed. Used by traditional tools, but attackers have used polymorphism to alter malware every time it is installed, as well as encryption and packing, to make signatures less useful.
- Heuristic or behavior-based - Looks at what actions the malicious software takes and matches them to profiles of unwanted activities. These can identify new malware based on what it is doing, rather than matching it to a known fingerprint.
- Artificial Intelligence (AI) and Machine Learning (ML) - Leverage large amounts of data to find ways to identify malware that may include heuristic, signature, and other detection capabilities.
- Sandboxing - A protected environment where unknown, untrusted, potentially dangerous, or known malicious code can be run to observe it.
Allow and Deny Lists
Allow and deny lists are ways to control what applications are permitted to be installed on an endpoint.
Allow list - A list of software, applications, and other system components that are allowed to exist and run on a system. If they are not on the list, they will not be permitted for installation or they will be removed or disabled. Allow list provides greater security.
Deny (block) list - Lists of software or applications that cannot be installed or run on the system. If specific programs are considered undesirable, a deny list is a better choice.
Both are implemented through firewall rules and similar technologies.
Both have higher maintenance requirements.
Endpoint Detection and Response (EDR)
Combines monitoring capabilities on endpoint devices and systems, using a client or software agent, with network monitoring and log analysis capabilities to collect, correlate, and analyze events. Analysts are able to search and explore the collected data and use it to perform investigations and detect suspicious activity.
Extended Detection and Response (XDR)
Similar to EDR but broadens the perspective by not only considering the endpoints but also the full breadth of an organization’s technology stack, including cloud services, security services and platforms, email, and similar components.
Data Loss Prevention (DLP)
Protects organizational data from both theft and inadvertent exposure. DLP may be deployed to endpoints in the form of clients or applications. DLP also has network- and server-resident components to ensure data is managed throughout its lifecycle.
Elements of DLP:
- Data classification/labeling
- Policy management and enforcement
- Monitoring and reporting
Network Defenses
Host-based firewalls
Host-based intrusion prevention systems (HIPS)
Host-based intrusion detection systems (HIDS)
Host-Based Firewall
Firewalls that are built into most modern operating systems and are typically enabled by default. They don't offer insight into the traffic being filtered; they provide basic blocking or allowing of applications, services, ports, or protocols.
Host-Based Intrusion Prevention System
Analyzes traffic before it reaches services or applications on the host. It can take some type of action on the traffic, including filtering out malicious traffic or blocking specific elements of the data. It can filter complex traffic across multiple packets or an entire series of communications.
Host-Based Intrusion Detection System
Analyzes traffic before it reaches services or applications on the host. It does not take action on the traffic but can report or alert when it discovers an issue.
Hardening
Involves changing the settings on the system to increase its overall level of security and reduce its vulnerability to attack. Tools and scripts are the common way to perform hardening of a system.
Service Hardening
Network Hardening
Default Passwords
Removing unnecessary software
Service Hardening
Reducing the number of ports that are accessible on a system is the quickest way to decrease the attack surface. Disable unneeded ports and protocols to reduce an attacker's ability to access the system remotely. Rule of thumb: only enable the ports or services that are required for the system to provide the necessary services. Port scanners offer attackers the ability to scan a system and quickly find the open ports.
Network Hardening
Using a virtual local area network (VLAN) to segment different trust levels, user groups, or systems is the best way to harden a network. Placing IoT devices on separate VLANs, with appropriate access controls or dedicated network security protections for each VLAN, helps ensure that more vulnerable devices are better protected.
Default Passwords and Accounts
Change the password on any standard vendor-provided account. Also disable the default account if it is not necessary for ongoing processing functions.
Removing Unnecessary Software
Removing unnecessary software reduces the attack surface because there is less software for an attacker to exploit. Many systems have pre-installed software that is not necessary for the system to run. Removing it also reduces maintenance issues, since that software no longer needs to be kept updated.
Operating System Hardening
Updating the settings on a system to match the desired security stance for a given system. Examples of configuration settings to modify:
- Setting the password history to remember 24 or more passwords
- Setting the maximum password age to 365 or fewer days, but not 0, preventing users from simply changing their passwords 24 times to get back to the same password again.
- Setting the minimum password length to 14 or more characters
- Requiring password complexity
- Disabling the storage of passwords using reversible encryption
Can be updated in local security policy or with Group Policy.
Windows Registry Hardening
Windows Group Policy provides Windows systems and domains the ability to control settings through Group Policy Objects (GPOs). The Microsoft Security Compliance Toolkit can configure security configuration baselines, then compare deployed GPOs to the baseline and allow editing through Active Directory.
Linux Hardening
Security-Enhanced Linux (SELinux) is a kernel-based security module that provides additional security capabilities and options. It provides mandatory access control (MAC) that can be enforced at the user, file, system service, and network layers for least-privilege-based security. It enforces user rights based on the username, role, and type of domain for each entity.
OS Hardening Configuration, Standards, and Schemas
Configuration management tools are a powerful option for ensuring the systems in an organization have the right security settings. They help enforce standards, manage systems, and report on areas where systems do not match expected settings. The configuration tools start with a baseline configuration that systems throughout the organization will be compared with. Baseline phases:
- Establishing the baseline - This uses an existing industry standard (e.g. a CIS Benchmark) with modifications and adjustments made to fit the organization.
- Deploy the baseline - Manually or utilizing a central management tool, the baseline is placed on the system depending on the scope, scale, and capabilities of the organization.
- Maintaining the baseline - Using the central management tool and its enforcement capabilities, as well as making adjustments to the organization's baseline as determined through its use.