Ch-11 Flashcards

(16 cards)

1
Q

UEFI

A

Replaced BIOS.
UEFI Secure Boot - ensures that the system boots using only software that the OEM trusts. For Secure Boot, the system must have a database listing the signatures of trusted software.
UEFI Measured Boot - compares known-good hashes of the firmware, bootloader, drivers, and anything else involved in the boot to the hashes of the current boot attempt. The measurements are stored in the Trusted Platform Module (TPM). This process allows a remote server to make decisions about the state of the system.

2
Q

Hardware root of trust

A

TPM chip - Trusted Platform Module - provides three key features:

  • Remote attestation - allows hardware and software configurations to be verified
  • Binding - encrypts data
  • Sealing - encrypts data and sets requirements for the state of the TPM before decryption

PUF - physically unclonable function - a property unique to the specific hardware that provides a unique fingerprint for the machine.

HSM - hardware security module - high-end external devices or plug-in cards used to create, store, and manage digital keys, as well as to offload cryptographic processing.

3
Q

Endpoint Security Tools

A
Antivirus/Antimalware -
Sandboxing - 
Cuckoo - Automated malware analysis tool
Allow and Deny Lists -
Endpoint Detection and Response (EDR) -
Data loss prevention (DLP) - 
Network Defenses -
4
Q

Antivirus/malware detection techniques

A

Common Detection Methods -
Signature-based - uses hashes or other signature generation methods to identify files or components of malware that have been observed previously. The traditional method.

Heuristic/Behavior-based - looks at the actions of malicious software and matches them to unwanted activities. Can identify new malware based on its actions rather than just its fingerprint.

AI/Machine Learning (ML) - leverages large amounts of data to find ways to identify malware. Increasingly common.

5
Q

Sandboxing

A

Used by tools such as Cuckoo and by some antimalware vendors to isolate and run samples of malicious code.

6
Q

Allow and Deny lists

A

Allow lists - only software that is specifically allowed can run.
Deny lists - only software that is specifically denied cannot run.

7
Q

Endpoint Detection and Response (EDR)

A

When antimalware is not enough, EDR tools combine monitoring on endpoints and systems (using a client or software agent) with network monitoring and log analysis capabilities to collect, correlate, and analyze events. They also allow searching the collected data.

8
Q

Data loss prevention (DLP)

A

Monitors and enforces the various standards set by the organization.

9
Q

Network Defenses

A

Host-based firewalls - simply allow or block apps, services, ports, or protocols.
Host intrusion prevention system (HIPS) - can filter out malicious traffic.
Host intrusion detection system (HIDS) - sends reports and alerts on issues but does not take action.

10
Q

Hardening

A

OS - changes settings on a system to increase its level of security. Examples: increasing password length to 14 or more characters, requiring password complexity, disabling the storage of passwords, setting maximum password age to 60 days, and setting password history to remember 24 or more passwords.

Service - reduce the number of open ports. On Windows it is common to have port 22 closed; on Linux it is common to have port 3389 closed.

Windows Registry - configuring permissions, disallowing remote access, and limiting access to registry tools.

Configuration management tools - enterprise environments use tools such as Jamf for macOS, Configuration Manager for Windows, or even an open-source tool such as CFEngine to help enforce standards, manage systems, and report on areas of concern.

Standard naming and addressing schemas -
Can help identify systems based on purpose, location, or other elements included in the name.
Can be used to make systems more anonymous. Ex: example123 is less meaningful than examplesqlserver.
Can make scripting and management easier because you can filter, sort, and take other actions based on the name.

Patch management - fix vulnerable software.

Disk Security - keep the contents of the disk secure.
FDE (full disk encryption) - encrypts the disk and requires that the bootloader provide a decryption key. However, once booted, the whole disk is accessible in decrypted form.
Volume encryption - protects specific volumes on the drive. Allows for different trust levels as well as transfer of data in a secure way.
SED (self-encrypting drive) - encryption is implemented in the hardware and firmware. Requires a key to boot from the encrypted drive, which may be entered manually or by a token.

Sanitization - ensure that a disk is wiped securely.
Degaussing - exposing magnetic media such as tapes, SSDs, optical drives, and flash drives to very strong electromagnetic fields.
Overwrites - typically writing all 1s or 0s to all of a drive in multiple passes. Tools such as Darik's Boot and Nuke (DBAN) can help. Remanent data may be left on SSDs or flash media.
Encryption - simply encrypting the entire drive and discarding the encryption key.
Shredding, pulverizing, or incinerating - no data can possibly be recovered, for better or worse.

11
Q

File Manipulation CMD line

A

head - shows the first 10 lines of a file by default. You can change the line count with the -n flag. Ex: $ head -n 5 file.txt

tail - shows the last 10 lines of a file by default. The line count can be changed with the -n flag. The -f flag follows a file as it grows, and you can monitor multiple files at once by listing them. Ex: $ tail -n 5 -f file.txt file2.txt

cat - display a file. Ex: $ cat file.txt. Or append a file to another file. Ex: $ cat file.txt >> more.txt (a single > would overwrite more.txt instead of appending).

grep - search files by pattern. Ex: $ grep 'pattern' /location/ -A N to show N lines after each match, -B N to show N lines before each match.

chmod - sets file permissions.

logger - appends the info you provide to /var/log/syslog. It can also be used to add info from other commands or files to the syslog by calling that command or file via logger.

12
Q

Endpoint Shells and Script tools

A

Shell - simply a command-line user interface such as PowerShell, SSH, and Bash.

SSH - Secure Shell - connects to systems, typically via the command line.

PowerShell - Windows command-line shell.

Bash - Linux command-line shell.

Scripting Languages -
Python - used for both system management and maintenance. Provides users with a powerful way to complete complex tasks.

Perl - particularly common on Linux and Unix systems, as well as in parts of software packages.

Other -
OpenSSL - an implementation of the TLS protocol, often used to protect other services. OpenSSL's TLS mode is commonly used for HTTPS traffic and for any traffic that is not a good match for SSH or a VPN but needs a secure channel. A key feature is that the TLS protocol provides for ephemeral RSA key exchange to create Perfect Forward Secrecy. Plainly put, conversations can only be decrypted when the key is known, and a temporary key is generated as part of the start of the communication between the two systems.

13
Q

Types of embedded systems

A

Embedded Systems - highly specialized computer systems that are built into other devices, such as industrial machines, appliances, and cars.

Real-Time OS (RTOS) - places priority on processing data as it comes in instead of waiting for tasks to finish before processing data. Typically found in industrial settings.

Raspberry Pi - single-board computer typically used for personal development or small-scale custom projects.

Arduinos - classified as microcontrollers. They include a low-power CPU, a small amount of memory, and input/output, but they do not have a network connection built in. Typically used for prototyping devices that interface with sensors, motors, lighting, and similar basic capabilities.

Field-programmable gate array (FPGA) - a type of computer chip that can be programmed to redesign how it works. FPGAs on their own are not embedded systems; however, embedded systems may integrate FPGAs as a component or programmable processor.

14
Q

ICS/SCADA

A

Broad term referring to industrial control and management systems. Many ICS/SCADA devices are embedded systems.
Best practice for ICS/SCADA systems and devices is to isolate them physically and logically from the rest of the network and environment.

15
Q

IoT

A

Internet of Things

Broad term that describes network-connected devices used for automation, sensors, wearable devices, security, and similar tasks. IoT devices are typically some kind of embedded system, but many leverage ML/AI, cloud services, and similar 'smart' features.

Most IoT devices are not created with security in mind, so you must take them into account.
They typically have weak security defaults, short lifespans (as many cannot be patched or updated), and vendor issues.

16
Q

Specialized Systems

A

Medical systems - including devices found at hospitals, pacemakers, insulin pumps, etc. Exploits for pacemakers via Bluetooth already exist.

Smart meters - track utility usage.

Vehicles - cars, aircraft, and ships are now network-connected.

Drones and autonomous vehicles (AV) - controlled over the internet or through wireless command channels. Encryption is vital to their security.

VoIP - backend servers, phones, and devices. Many provide interfaces for direct remote login or management.

Printers - many store data and can potentially be a significant data leak risk. They can also be used as reflectors and amplifiers, as well as pivot points.

Surveillance systems - commonly accessible via a web interface.

Poor defaults, lack of patching, vulnerabilities, and similar issues are common with specialized systems.