Lesson 12 Host security solutions Flashcards

1
Q

HW RoT

A

HW Root of Trust

is a secure subsystem that is able to provide attestation

it scans the boot metrics and OS files to verify their signatures

It then signs the report and sends it to the NAC Server

2
Q

Attestation

A

A statement made by the system that can be trusted by the receiver

Uses signing keys to do this

3
Q

TPM

A

Trusted Platform Module

Part of the motherboard chipset or an embedded function of the CPU

Stores encryption keys, hashed passwords, and other user and platform identification information

Hardcoded with a unique, unchangeable asymmetric key called an endorsement key

A thief cannot remove it, as they could with an HSM

4
Q

UEFI

A

Unified Extensible Firmware Interface

is the code that allows a host to boot to an OS

enforces a number of Boot Integrity checks

5
Q

Secure Boot

A

Prevents a computer from being hijacked by a malicious OS

Requires UEFI, which stores certs from valid OS vendors

The system's firmware can then check, against the stored cert, that the OS has been signed by the OS vendor

Does not require a TPM

6
Q

Measured Boot

A

Uses TPM at each stage of the boot

Checks hashes of the key system state data for changes

Records presence of kernel-level code change but does not prevent boot

7
Q

Boot Attestation

A

The capability to transmit a boot log report, signed by the TPM, via a trusted process to a remote server, usually the network access control server

The log is analyzed for signs of compromise, such as unsigned drivers

If compromise is found, or no report is received, the host can be prevented from joining the network

8
Q

Disk Encryption - FDE

A

Full Disk Encryption - the entire disk, including system files, is encrypted

Thwarts an attacker trying to attach the disk to a different OS,
as the encryption key is required to use the disk contents

The Windows BitLocker tool can write keys to the TPM's secure storage area or to a USB drive

Can reduce performance, as the OS carries the overhead of the cryptographic functions
This can be mitigated by SEDs, self-encrypting drives

9
Q

SED

A

Self-Encrypting Drive
The cryptographic functions are performed by the drive controller, not the OS

A Data/Media Encryption Key (DEK/MEK) is used for bulk encryption
The DEK is itself stored securely using an asymmetric key pair named either the authentication key (AK) or the key encryption key (KEK)

The AK is authenticated by the user password, which means the user password can be changed without needing to decrypt and re-encrypt the drive

10
Q

USB/Flash Drive Security measures

A

Suspect USB or flash drives should be tested on a sandboxed lab host, known as a 'sheep dip'

Look for command prompt windows opening, or nefarious processes starting that attempt to modify system files or the registry

HIDS (host intrusion detection systems) can block most USB ports

Hosts should always be configured not to autorun USB devices when they are attached, to prevent the installation of malware, which is most commonly found on these types of drives.

11
Q

Trustworthy supply chain

A

The supply chain is the end-to-end process of supplying, manufacturing, distributing, and finally releasing goods and services to a customer

Establishing a trusted supply chain means denying malicious actors the time or resources to modify the assets being supplied

12
Q

End of life systems

A

End of Life (EOL)
- sale of the product is discontinued; spares and upgrades become limited

End of Service Life (EOSL)

  • a system which is no longer supported by its developer or vendor
  • receives no security updates and is therefore a critical vulnerability if left in use
  • a compensating control is to isolate these types of devices if they are still needed on the system
13
Q

MOU

A

Memorandum of Understanding

  • Intent to work together
  • Relatively informal with no binding contracts
14
Q

BPA

A

Business Partnership Agreement

Establishes a formal partner relationship

15
Q

NDA

A

Non-Disclosure Agreement

governs use and storage of confidential and private information

16
Q

SLA

A

Service Level Agreement

Establishes metrics for service delivery and performance

A contractual agreement setting details of a provided service

17
Q

MSA

A

Measure System Analysis

Evaluates the data collection and statistical methods used for quality management to ensure a product is robust

18
Q

Hardening

A

process of putting an OS or application in a secure configuration

The essential principle is least functionality

  • only run protocols/services which are required by legitimate users
  • done to reduce the potential attack surface

The following are steps to provide a hardened system:

  • Disable unused interfaces and services
  • Disable application service ports, or block them at the firewall
  • Encrypt disks to protect data at rest

19
Q

Antivirus/Anti-malware

A

Endpoint host protection software which uses signature-based detection for all malware and PUPs

PUPs - Potentially Unwanted Programs

Insufficient in preventing data breaches

20
Q

HIDS/HIPS

A

HIDS - Host-based Intrusion Detection System
- provides threat detection via log and file system monitoring using signatures

HIPS - Host-based Intrusion Prevention System
- provides threat detection via port and network interface monitoring

21
Q

EPP

A

Endpoint Protection Platform using a single local agent to perform multiple security tasks

Can perform:

  • malware/intrusion detection
  • host firewall
  • web content filtering/secure search and browsing
  • file/message encryption
22
Q

DLP

A

Data Loss Prevention is an agent of EPP and is configured to identify privileged files and strings which should be kept private or confidential.

Enforces the policy which prevents data from being copied or attached to a message without authorization

23
Q

EDR

A

Endpoint Detection and Response

Provides real-time and historical visibility into a compromise, contains the malware to the host, and restores the host to its original state

controlled from the cloud

uses AI

24
Q

NGFW

A

Next Gen Firewall

Uses endpoint detection to update the network firewall
Blocks fileless threats and covert channels
Prevents lateral movement

25
Q

CME

A

Common Malware Enumeration

An identification value returned by an antivirus response, allowing further investigation to support remediation efforts

Further analysis using advanced malware tools like Sysinternals

26
Q

Sandboxing

A

A technique to isolate an untrusted host or app in a segregated environment, allowing tests to be conducted

Has limited interfaces to the host environment

Allows for testing with many different environment setups

27
Q

Embedded System

A

A computer system designed to perform a specific dedicated function

Operates in a static environment

Little support is needed

not a lot of compute power for security tools, cryptography, etc

28
Q

Logic controllers for embedded systems: PLC, SoC, FPGA, RTOS

A

PLC - Programmable Logic Controller

SoC - System on Chip

  • An entire PC-like setup on a single processor die (chip)
  • Think Raspberry Pi, Arduino

FPGA - Field Programmable Gate Array
- a microcontroller whose programming logic the end user can configure for a specific application

RTOS - Real Time Operating System
- designed to have a small attack surface

29
Q

RTOS

A

Real-Time Operating System
- a type of logic controller for embedded systems
Performs time-sensitive functions

However, they are susceptible to CVEs and exploits

30
Q

Z-Wave and Zigbee

A

Wireless communication protocols used for home automation

Create a mesh network for appliances to communicate

Both have communication encryption

The main threats are re-pairing attacks and rogue devices

31
Q

re-pairing attack

A

A threat actor can discover the network key by forcing a device off the network so that the device re-pairs

32
Q

ICS

A

Industrial Control Systems

Provide mechanisms for workflow and process automation
Control machinery in critical infrastructure

DCS - a distributed control system is an ICS which manages process automation within a single site

prioritize availability and integrity over confidentiality

33
Q

SCADA

A

Supervisory Control and Data Acquisition

A system or server that gathers data from and manages ICS devices and embedded PLCs

uses WAN communications

34
Q

Network Segmentation

A

For embedded systems, network access should be separated from the corporate network

This can be achieved with firewalls and VLANs

35
Q

Wrappers

A

A method for securing data in transit for embedded systems

IPSec is used for this

36
Q

HSM

A

Hardware Security Module
an add-on device that is plugged into your computer

Provides cryptographic processing

Manages and stores digital encryption keys