Chapter 11 Flashcards

Endpoint Security (62 cards)

1
Q

What are ways an OS can be Vulnerable?

A

-Vulnerabilities in the OS itself
-Defaults like default passwords and insecure settings
-Configurations. Though intentional, they can still be vulnerable.
-Misconfiguration caused by human error.

2
Q

Firmware

A

The embedded software that allows devices to function. Tightly connected to the device and may not be possible to update.

3
Q

MoonBounce Malware

A

Sophisticated firmware-level malware that infects a computer’s UEFI firmware.

4
Q

Unified Extensible Firmware Interface (UEFI)

A

Modern replacement for the Basic Input/Output System (BIOS).

5
Q

Secure Boot

A

A feature of UEFI that aims to protect the operating environment of the local system by preventing the loading or installing of device drivers or an operating system that is not signed by a preapproved digital certificate. Secure Boot thus protects systems against a range of low-level or boot-level malware, such as certain rootkits and backdoors.

6
Q

OEM

A

Original Equipment Manufacturer

7
Q

Measured Boot

A

A boot process that provides a trusted log of all components like drivers and other components loaded during a boot process.

8
Q

Trusted Platform Module (TPM)

A

A specification for a cryptoprocessor as well as the chip in a mainboard supporting this function. A TPM chip is used to store and process cryptographic keys for the purposes of a hardware-supported or hardware-implemented hard drive encryption system.

9
Q

Hardware Root of Trust

A

The foundation of security in computing systems.

10
Q

What are the 3 major functions of TPM chips?

A

  • Remote Attestation: Allowing hardware and software to be verified
  • Binding: Encrypts data
  • Sealing: Encrypts data and sets requirements for the state of the TPM chip before decryption.

11
Q

Physically Unclonable Functions (PUFs)

Preserving Boot Integrity

A

Functions unique to the specific hardware device that provide a unique identifier or digital fingerprint for the device.

12
Q

Apple’s Secure Enclave

A

A dedicated secure element that is built into Apple’s system on chip (SoC) modules.

13
Q

Where are HSMs often used?

A

HSMs are often used in high-security environments and are normally certified to meet standards like Federal Information Processing Standards (FIPS) 140 or Common Criteria (ISO/IEC 15408).

14
Q

Key Management Systems (KMSs)

A

Used to store keys and certificates as well as to manage them centrally.

15
Q

Signature-Based Detection

Endpoint Security Tools

A

Uses a hash or pattern-based signature detection method to identify files or components of the malware that have been previously observed.

16
Q

Polymorphism

Attacker Technique

A

A technique used by malware to constantly change its code while maintaining its functionality. This makes it difficult for traditional antivirus programs to detect and block the threat.

17
Q

Heuristic or Behavior-Based Detection

Endpoint Security Tools

A

An intrusion discovery mechanism used by intrusion detection systems (IDSs). Behavior-based detection finds out about the normal activities and events on your system by watching and learning. After it has accumulated enough data about normal activity, it can detect abnormal and possibly malicious activities and events. Also known as statistical intrusion detection, anomaly detection, and heuristics-based detection.

18
Q

Sandboxing

Endpoint Security Tools

A

A security technique that provides a security boundary for applications and prevents the application from interacting with other applications. Antimalware applications use sandboxing techniques to test unknown applications. If the application displays suspicious characteristics, the sandboxing technique prevents the application from infecting other applications or the operating system.

19
Q

Allow lists / White Lists

A

It allows you to create a list of software, applications, and other system components that are allowed to exist and run on a system. If they are not on the list, they will be removed and disabled, or they will not be able to install.

20
Q

Deny Lists / Black Lists

A

Lists of software or applications that cannot be installed or run, rather than a list of what is allowed.

21
Q

Endpoint Detection and Response (EDR)

A

EDR tools combine monitoring capabilities on endpoint devices and systems using a client or software agent with network monitoring and log analysis capabilities to collect, correlate, and analyze events.

22
Q

Extended Detection and Response (XDR)

A

XDR is similar to EDR but has a broader perspective considering not only endpoints but the full breadth of an organization’s technology stack, including cloud services, security services and platforms, and similar components.

23
Q

What are key elements of DLP?

A

The ability to classify data so that organizations know which data should be protected; policy management and enforcement functions used to manage data to the standards set by the organization; and monitoring and reporting capabilities to quickly notify administrators or security practitioners about issues or potential problems.

24
Q

Host-Based Firewalls

Network Defenses

A

Built into most modern operating systems and are typically enabled by default.

25
Q

Host-Based Intrusion Prevention Systems (HIPS)

Network Defenses

A

Analyzes traffic before services or applications on the host process it. It can take action on that traffic, including filtering out malicious traffic or blocking specific elements of the data that is received.

26
Q

Host-Based Intrusion Detection Systems (HIDS)

Network Defenses

A

Analyzes traffic before services or applications on the host process it, but it cannot take action to block traffic. Instead, it reports and alerts on issues.

27
Q

Network-Based Intrusion Detection System (IDS)

Network Defenses

A

A product that automates the inspection of audit logs and real-time system events. IDSs are generally used to detect intrusion attempts, but they can also be employed to detect system failures or to rate overall performance.

28
Q

Hardening Techniques

A

Hardening a system or application involves changing settings on the system to increase its overall level of security and reduce its vulnerability to attack. Examples: encryption, installing endpoint protection, host-based firewalls and host-based intrusion prevention systems, disabling ports and protocols, changing default passwords, and removing unnecessary software.

29
Q

Service Hardening

A

Disabling ports and protocols. If an attacker can't connect to a system remotely, they'll have a much harder time exploiting the system directly.

30
Q

Common Ports and Services for Linux & Windows

A

**Common Ports and services**

| **Port** | **Service** | **Protocol** | **Description** |
|----------|-------------|--------------|-----------------|
| 20, 21 | FTP | TCP | File Transfer Protocol (data & control) |
| 22 | SSH | TCP | Secure Shell for remote access |
| 53 | DNS | TCP/UDP | Domain Name System resolution |
| 80 | HTTP | TCP | Web traffic (unencrypted) |
| 389 | LDAP | TCP & UDP | NETBIOS |
| 443 | HTTPS | TCP | Secure web traffic |
| 3389 | RDP | TCP & UDP | Remote Desktop Protocol |

31
Q

Virtual Local Area Networks (VLANs)

Network Hardening

A

A logical network segmentation implemented on switches and bridges to manage traffic. Multiple VLANs can be hosted on the same switch but are isolated as if they are separate physical networks. Cross-VLAN communications can occur only through a routing function, often provided by a multilayer switch. VLANs function like physical network segments.

32
Q

Default Passwords

A

Pre-set credentials that manufacturers assign to devices, software, or systems for initial setup. These passwords are often found on routers, network devices, and enterprise applications. They are typically documented and publicly available.

33
Q

Center for Internet Security (CIS)

A

An industry organization that publishes hundreds of benchmarks for commonly used platforms.

34
Q

Local Security Policy

Windows

A

A Windows administrative tool that allows users to configure security-related settings on a local computer. It provides control over various security policies, including password policies, account lockout settings, audit policies, and user rights assignments.

35
Q

Windows Registry

A

A hierarchical database that stores configuration settings for the Windows operating system and installed applications. It contains information about system hardware, software configurations, user preferences, and security settings.

36
Q

Regedit

Hardening Windows Registry

A

A built-in Windows tool used to view and modify the Windows Registry, a hierarchical database that stores system settings, configurations, and application preferences.

37
Q

Windows Group Policy (WGP)

A

Provides Windows systems and domains with the ability to control settings through Group Policy Objects (GPOs).

38
Q

Group Policy Objects (GPO)

A

GPOs can define a wide range of options, from disabling guest accounts and setting password minimum lengths to restricting software installations. They can be applied locally or via Active Directory.

39
Q

Security Compliance Toolkit (SCT)

A

A set of tools that work with Microsoft's security configuration baselines for Windows and other Microsoft applications.

Security Enhanced Linux: SELinux ## Footnote Hardening Linux
A Linux kernel-based security module that provides additional security capabilities and options on top of existing Linux distributions.
41
Mandatory Access Controls (MAC) ## Footnote Hardening Linux
An access control mechanism that uses security labels to regulate subject access to objects. Implementations include using a hierarchical MAC environment, a compartmentalized MAC environment, and a hybrid MAC environment.
42
AppArmor ## Footnote Hardening Linux
A Linux application that implements mandatory access controls for Linux.
43
Configuration Management Tools ## Footnote Configurations, Standards, and Schemas
The process of logging, auditing, and monitoring activities related to security controls and security mechanisms over time. This data is then used to identify agents of change, such as objects, subjects, programs, communication pathways, or even the network itself.
44
Baseline Configurations ## Footnote Configurations, Standards, and Schemas
A documented set of specifications for a system or a configuration item within a system that has been formally reviewed and agreed upon at a given point in time. It serves as a reference point for future builds, releases, and changes, ensuring consistency and security.
45
Configurations Enforcement ## Footnote Configurations, Standards, and Schemas
A process that not only monitors for changes but makes changes tosystem configurations as needed to ensure that the configuration remains in its desired state.
46
What are the three phases of baseline's life cycle? ## Footnote Configurations, Standards, and Schemas
1. Establishing a baseline 2. Deploying the security baseline 3. Maintaining the baseline
47
Microsoft Configuration Manager ## Footnote Patching and Patching Management
Used for patch management for operating systems.
48
Transparent Encryption ## Footnote Encryption
Sometimes called on-the-fly, or real-time, encryption. Implementations are visible to the user, with the drive appearing to be unencrypted during use.
49
Self-Encrypting Drive (SED) ## Footnote Encryption
A drive with encryption capabilities built in.
50
Embedded Systems
Computer systems that are built into other devices.
51
Real-Time Operating Systems (RTOS)
An operating system that is used when priority needs to be placed on processing data as it comes in, rather than using interrupts for the operating system or waiting for tasks being processed to be handled before data is processed.
52
Controller Area Network (CAN)
Provide communication between microcontrollers, sensors, and other devices that make up a car's systems .
53
Industrial Control Systems (ICS) ## Footnote SCADA and ICS
A broad term for industrial automation.
54
Supervisory Control and Data Aquisition (SCADA) ## Footnote SCADA and ICS
An industrial control system (ICS) unit that can operate as a standalone device, can be networked with other SCADA systems, or can be networked with traditional IT systems. Most SCADA systems are designed with minimal human interfaces. Often, they use mechanical buttons and knobs or simple LCD screen interfaces (similar to what you might have on a business printer or a GPS navigation device). However, networked SCADA devices may have more complex remote- control software interfaces.
55
Remote Telemetry Unit (RTUs) ## Footnote SCADA and ICS
Collects data from sensors.
56
Programmable Logic Controllers (PLC)
Control and collect data from industrial devices
57
Zigbee
A network protocol that is designed for personal area networks like those found in houses for home automation.
58
Enumeration ## Footnote Asset Management
Typically associated with scanning to identify assets.
59
Degausser ## Footnote Decommissioning
Exposes the magnetic merdia to very strong electromagnetic fields, scrambling the patterns of bits written to the tape or drive. A quick way to destroy data on magnetic media.
60
Darik's Boot and Nuke (DBAN) ## Footnote Decommissioning
Performs multiple passes over an entire disk to attempt to ensure that no data remains.
61
Certificates of Destruction ## Footnote Decommissioning
Provided as proof that assets were properly disposed of.
62
Retention
Retention of data may be required for legal purposes with set retention periods determined by law, or it may be associated with a legal case due to a legal hold. Retention may also serve business purposes or have a compliance or audit component