Security Plus - Chapter 11

Question 1

Operating System Vulnerabilities

Answer 1

Vulnerabilities directly in the operating system drives ongoing operating system patching as well as configuring systems to minimize their attack footprint, or the number of services that are exposed and can thus potentially be targeted

Default passwords and insecure default settings are potential targets for an attacker.

Configurations can also introduce vulnerabilities by not ensuring the proper security controls are established. Ex. Mandatory access control which limits access to the OS

Misconfiguration occurs when human error does not secure the OS to meet the organization’s baseline controls for the OS.

Question 2

Hardware Vulnerabilities

Answer 2

Firmware vulnerabilities - The embedded software that allows devices to function and is tightly connected to the hardware. This may or may not be possible to update depending on the design or implementation of the hardware. Firmware attacks may occur through any path that allows access to the firmware.

End of Life or legacy hardware drives concern around lack of support. End of life device or system also means end of support from the manufacturer. Without updated security fixes, the system or device becomes vulnerable.
Vendor Terminology for End of Life system
- End of Sales
- End of life
- End of support
- Legacy - Systems still being used that no longer are supported by the vendor

Question 3

Endpoints

Answer 3

Desktops, mobile devices, servers, and a variety of other systems.

Question 4

Endpoint Protection Methods

Answer 4

Preserving boot integrity - Ensuring that no untrusted or malicious components are inserted into the boot process. Begins with the hardware root of trust, which contains the cryptographic keys that secure the boot process. Common implementation of the hardware root of trust is the TPM chip built into many computers. TPM chips provide built-in encryption and provide:
- Remote attestation - Allows hardware and software configurations to be verified
- Binding - Encrypts data
- Sealing - Encrypts data and sets requirements for the state of the TPM chip before decryption.

Modern UEFI (replaced BIOS) firmware leverages two different techniques for securing the system.
- Secure boot - Ensures the system boots using only software that the original equipment manufacturer trusts. The system needs to have a signature database listing the secure signatures of trusted software and firmware for the boot process.
- Measured boot - Relies on the UEFI firmware to hash the firmware, boot-loader, drivers, and anything else that is part of the boot process. The data gathered is stored in the Trusted Platform Module (TPM), and the logs can be validated remotely to let security administrators know the boot state of the system. Compares the boot attestation against known good, states, and administrators can take action if the measured boot shows a difference from the accepted or secured known state.

Question 5

Endpoint Hardware Security

Answer 5

Trusted Platform Module (TPM) - A physical or embedded security technology that uses cryptography to store and protect sensitive information on a computer.
Hardware security modules (HSM) - Used to create, store, and manage keys for multiple systems.
Key Management System (KMS) - A service used to manage keys, certificates, or secrets in a centralized manner.

Question 6

Endpoint Security Tools

Answer 6

Antivirus and Antimalware
Allow and Deny Lists
Endpoint Detection and Response and Extended Detection and Response
Data Loss Prevention
Network Defenses

Question 7

Antivirus and Antimalware

Answer 7

Work to detect malicious software and applications through a variety of means.
Methods of antimalware:
- Signature-based detection - Uses a hash or pattern-based signature detection method to identify files or components of the malware that have been previously observed. Used by traditional tools but attackers have used polymorphism to alter malware every time it is installed, as well as encryption and packing to make signatures less useful.
- Heuristic or behavior-based - Looks at what actions the malicious software takes and matches them to profiles of unwanted activities. These can identify new malware based on what it is doing, rather than matching it to a known fingerprint.
- Artificial Intelligence (AI) and Machine Learning (ML) - Leverage large amounts of data to find ways to identify malware that may include heuristic, signature, and other detection capabilities.
- Sandboxing - A protected environment where unknown, untrusted, potentially dangerous, or known malicious code can be run to observe it.

Question 8

Allow and Deny Lists

Answer 8

Allow and deny lists are ways to control what applications are permitted to be installed on an endpoint.
Allow list - A list of software, applications, and other system components that are allowed to exist and run on a system. If they are not on the list, they will not be permitted for installation or they will be removed or disabled. Allow list provides greater security.
Deny (block) list - Lists of software or applications that cannot be installed or run on the system. If specific programs are considered undesirable, a deny list is a better choice.
Implemented through firewall rules and similar technologies.
Both require higher maintenance needs.

Question 9

Endpoint Detection and Response (EDR)

Answer 9

Combine monitoring capabilities on endpoint devices and systems using a client or software agent with network monitoring and log analysis capabilities to collect, correlate, and analyze events. Able to search and explore the collected data and use it to perform investigations and detect suspicious data.

Question 10

Extended Detection and Response (XDR)

Answer 10

Similar to EDR but broadens the perspective by not only considering the endpoints but also the full breadth of an organization’s technology stack, including cloud services, security services and platforms, email, and similar components.

Question 11

Data Loss Prevention (DLP)

Answer 11

Protects organizational data from both theft and inadvertent exposure. DLP may be deployed to endpoints in the form of clients or applications. Also have network and server resident components to ensure data is managed throughout it’s lifecycle.
Elements of DLP:
- Data classification/labeling
- Policy management and enforcement
- monitoring and reporting

Question 12

Network Defenses

Answer 12

Host-based firewalls
Host-based intrusion prevention systems (HIPS)
Host-based detection system (HIDS)

Question 13

Host-Based Firewall

Answer 13

Firewalls that are built into most modern operating systems and are typically enabled by default. Don’t offer insight into the traffic being filtered, they provide basic blocking or allowing of applications, services, ports, or protocols.

Question 14

Host-Based Intrusion Prevention System

Answer 14

Analyzes traffic before services or applications on the host. It can take some type of action on the traffic, including filtering out malicious traffic or blocking specific elements of the data. It can filter complex traffic across multiple packets of an entire series of communications.

Question 15

Host-Based Intrusion Detection System

Answer 15

Analyzes traffic before services or applications on the host. It does not take an action on the traffic but can report or alert when it discovers an issue.

Question 16

Hardening

Answer 16

Involves changing the settings on the system to increase its overall level of security and reduce its vulnerability to attack. Tools and scripts are the common way to perform hardening of a system.
Service Hardening
Network Hardening
Default Passwords
Removing unnecessary software

Question 17

Service Hardening

Answer 17

Reduce the number of ports that accessible on a system is the quickest way to decrease the attack surface. Disable ports and protocols to reduce the ability of an attacker accessing a system remotely. Rule of thumb, only enable the ports or services that are required for the system to provide the necessary services. Port scanners offer attackers the ability to scan a system and quickly find the open ports

Question 18

Network Hardening

Answer 18

Using a virtual local area network (VLAN) to segment different trust levels, user groups, or systems is the best way for network hardening. Place IoT devices on separate VLANs with appropriate access controls or dedicated network security protections for each VLAN helps to ensure that more vulnerable devices are more protected.

Question 19

Default Passwords and Accounts

Answer 19

Change any passwords that are the standard vendor provided account and password. Also disable the default account if it is not necessary to perform ongoing processing functions.

Question 20

Removing Unnecessary Software

Answer 20

By removing unnecessary software it reduces the attack surface due to having less software for an attacker to exploit. Many systems have pre-installed software that is not necessary for the system to run. Also, this reduces maintenance issues from not needing to keep the software updated ongoing.

Question 21

Operating System Hardening

Answer 21

Updating the settings on a system to match the desired security stance for a given system. Examples of configuration settings to modify:
- Setting the password history to remember 24 or more passwords
- Setting the maximum password age to 365 or fewer days, but not 0, preventing users from simply changing their passwords 24 times to get back to the same password again.
- Setting the minimum password length to 14 or more characters
- Requiring password complexity
- Disabling the storage of passwords using reversible encryption

Can be updated in local security policy or with Group Policy.

Question 22

Windows Registry Hardening

Answer 22

Windows Group Policy provides Windows systems and domains the ability to control settings through Group Policy Objects. Microsoft Security Compliance Toolkit which can configure Secuity configuration baselines then compare deployed GPOs to the baseline and allow editing through Active Directory.

Question 23

Linux Hardening

Answer 23

Security Enhanced Linux or SELinux, a kernel-based security module that provides additional security capabilities and options. It provides mandatory access control (MAC) that can be enforced at the user file, system service, and network layer for least privilege-based security. Enforces user rights based on username, role, and type of domain for each entity.

Question 24

OS Hardening Configuration, Standards, and Schemas

Answer 24

Utilize configuration management tools for a powerful option to ensure the systems in an organization have the right security settings. They help enforce standards, manage systems, and report on areas where systems do not match expected settings. The config tools start with a baseline configuration that systems will be compared with throughout the organization. Baseline phases:
- Establishing the baseline - This uses an existing industry standard (ie. CIS Benchmark) with modifications and adjustments made to fit the organization.
- Deploy the baseline - Manually or utilizing a central management tool, the baseline is placed on the system depending on the scope, scale, and capabilities of the organization.
- Maintaining the baseline - Using the central management tool and enforcement capabilities as well as adjustments to the organizations baseline as determined through the use of the baseline.

Question 25

Patching and Patch Management

Answer 25

Ensuring the systems and software are up to date hardens the endpoint security by removing known vulnerabilities. Timely patching decreases how long the vulnerability and flaws can be used against those systems. Patching may introduce new flaws or cause an availability issue. Patching needs to be controlled and managed.

Question 26

Encryption

Answer 26

Keeping the contents of disks secure protects data in the event that a system or disk is lost, stolen, or compromised.
- Full disk encryption (FDE) - Encrypts the disk and requires that the bootloader or a hardware device provide a decryption key and software or hardware to decrypt the drive for use.
- Transparent encryption with the drive appearing to be unencrypted during use.
These are the simplest attack because there is no encryption while the drive is in
use.
- FDE can be implemented at the hardware level also. Using self-encrypting drives
(SED) which implement encryption capabilities in their hardware and firmware,
require a key to boot from the drive, which may be entered manually or provided
by a hardware token or device.
- Volume encryption - Protects specific volumes of the hard drive, allowing different levels of trust and additional security beyond that provides by encrypting the disk with a single key.

Question 27

Embedded Systems

Answer 27

Computer systems that are built into other devices. Highly specialized, running customized operating systems and with very specific functions and interfaces that are exposed to the user. Many use a real-time operating system (RTOS) which is used when priority needs to be placed on processing data as it comes in, rather than using interrupts for the operating system or waiting for tasks being processed to be handled before the data is processed.

Question 28

Assessing Embedded Systems

Answer 28

Identify the manufacturer or type of embedded system and acquire documentation or other materials about it.

Determine how the embedded system interfaces with the world; does it connect to a network, to other embedded devices, or just through a keyboard/mouse or other physical interface?

If the device does provide a network connection, identify any services or access to it provided through that network connection, and how you can secure those services or the connection itself.

Learn about how the device is updated, if patches are available, and how and when those patches should be installed; then ensure a patching cycle is in place that matches the device threat model and usage requirements.

Document what your organization would do in the event that the device has a security issue or compromise.

Document your findings and ensure that appropriate practices are included in your orgs operational procedures.

Question 29

Security Constraints of Embedded Systems

Answer 29

The overall computational power and capacity of these systems are usually much lower than a traditional pc or mobile device.

Embedded systems may not connect to a network. This may cause the inability to patch, update, or monitor.

Without network connectivity, CPU, and memory capacity, authentication may not be possible. Therefore, no access controls may be established.

Embedded systems may be very low cost, but effectively are very expensive, because they are part of a larger industrial or specialized system. Simple replacement if it fails may not be possible.

Question 30

Securing the Internet of Things (IoT)

Answer 30

IoT describes network connected devices that are used for automation, sensors, security, and similar tasks. A type of embedded system but may leverage technologies like ML or AI to provide “smart” features.

Security concerns of IoT:
Poor security practices, including weak default settings, lack of network security (firewalls), exposed or vulnerable services, lack of encryption for data transfer, embedded credentials, insecure data transmission or storage.

Short support lifespan - IoT devices may not be patched or updated in a timely manner if at all.

Vendor data handling practices - Licensing and data ownership concerns as well as potentially revealing data to employees and partners of the vendor without an agreement in place.

Question 31

Asset Inventory Enumeration

Answer 31

Scanning a system to identify assets. This may involve port and vulnerability scans to help identify systems that are not part of the inventory.

Question 32

Asset Management Lifecycle Management Security

Answer 32

Acquisition and procurement - Ensure security best practices are followed with a risk assessment, to review the appropriate controls and features are implemented, and contracts and agreements are in place.

Once assets are acquired, they need to be added to inventories and tracked through their lifespan. Assigning owners or managers, classifications, particularly for the data that resides on the system, and the tools that these assets will be working with.

Decommission - When systems are at the end of the useful life for the organization, the asset must be decommissioned which typically involves removing a device from service, removing it from inventory, and ensuring no sensitive data remains on the system.

Question 33

Sanitization of Data

Answer 33

Degaussing - Wiping data from a magnetic hard drive by exposing it to a strong magnetic field and scrambling the patterns of bits written to the tape or drive. Quick way to destroy data.
Wiping data - Performing a series of overwrites on a drive by continually rewriting on the drives with 1s and 0s over numerous passes. Number of passes depends on how important it is to overwrite the data. The more times, the more the data is unrecoverable.
Shredding/Pulverizing - Completely destroying the drives will verify no data will be recoverable, but the media is no longer usable.