Lesson 12 Flashcards

Question

Business partnership agreement (BPA)

Answer 1

Establish a formal partner relationship

Answer 2

Govern use and storage of shared confidential and private information

Answer 3

Establish metrics for service delivery and performance

Answer 4

Evaluate data collection and statistical methods used for quality management

Answer 5

* Reducing attack surface * Interfaces * Network and peripheralconnections and hardware ports * Services * Software that allows client connections * Application service ports * TCP and UDP ports * Disable applicationservice or use firewall to control access * Detect non-standard usage * Encryption for persistent storage

Answer 6

The essential principle is of least functionality; that a system should run only the protocols and services required by legitimate users and no more. This reduces the potential attack surface.

Answer 7

Network and peripheralconnections and hardware ports Interfaces provide a connection to the network. Some machines may have more than one interface. ***if any of these interfaces are not required, they should be explicitly disabled rather than simply left unused.

Answer 8

Software that allows client connections Services provide a library of functions for different types of applications. Some services support local features of the OS and installed applications. Other services support remote connections from clients to server applications. ***Unused services should be disabled.

Answer 9

* Application service ports * TCP and UDP ports * Disable applicationservice or use firewall to control allow client software to connect to applications over a network. These should either be disabled or blocked at a firewall if remote access is not required

Answer 10

Persistent storage holds user data generated by applications, plus cached credentials. Disk encryption is essential to data security. Self encrypting drives can be used so that all data-at-rest is always stored securely.

Answer 11

You will have separate configuration baselines for desktop clients, file and print servers, Domain Name System (DNS) servers, application servers, directory services servers, and other types of systems. * OS/host role * Networkappliance, server, client, … * Configuration baseline template * Registry settings and group policy objects (GPOs) * Malicious registry changes * Baseline deviation reporting

Answer 12

In Windows, configuration settings are stored in the registry. On a Windows domain network, each domain-joined computer will receive policy settings from one or more group policy objects (GPOs).

Answer 13

just need to repeat this as part of Baseline Configuration and Registry Settings

Answer 14

* Update policies and schedule * Apply all latest –auto-update (used for SOHO) * Only apply specific patches * Third-party patches

Answer 15

It can also be difficult to schedule patch operations, especially if applying the patch is an availability risk to a critical system. If vulnerability assessments are continually highlighting issues with missing patches, patch management procedures should be upgraded. If the problem affects certain hosts only, it could be an indicator of compromise that should be investigated more closely.

Answer 16

Patch management can also be difficult for legacy systems, proprietary systems, and systems from vendors without robust security management plans, such as some types of Internet of Things devices. These systems will need compensating controls, or some other form of risk mitigation if patches are not readily available.

Answer 17

Another crucial step in hardening is to configure endpoint protection for automatic detection and prevention of malware threats. There have been many iterations of host-based/endpoint protection suites and agents. Antivirus (A-V)/anti-malware •Signature-based detection of all malware/PUP types Host-based intrusion detection/prevention (HIDS/HIPS) •File integrity monitoring and log/network traffic scanning •Prevention products can block processes or network connections Endpoint Protection Platform (EPP) •Consolidate agents for multiple functions •Combine A-V, HIDS, host firewall, content filtering, encryption, … Data loss prevention (DLP) •Block copy or transfer of confidential data •Endpoint protection deployment

Answer 18

•Signature-based detection of all malware/PUP types The first generation of anti-virus (A-V) software is characterized by signature-based detection and prevention of known viruses. An "A-V" product will now perform generalized malware detection, meaning not just viruses and worms, but also Trojans, spyware, PUPs, cryptojackers, and so on. While A-V software remains important, signature-based detection is widely recognized as being insufficient for the prevention of data breaches.

Answer 19

* File integrity monitoring and log/network traffic scanning * Prevention products can block processes or network connections Host-based intrusion detection systems (HIDS) provide threat detection via log and file system monitoring. HIDS come in many different forms with different capabilities, some of them preventative (HIPS). File system integrity monitoring uses signatures to detect whether a managed file image—such as an OS system file, driver, or application executable—has changed. Products may also monitor ports and network interfaces, and process data and logs generated by specific applications, such as HTTP or FTP.

Answer 20

* Consolidate agents for multiple functions * Combine A-V, HIDS, host firewall, content filtering, encryption, … Endpoint protection usually depends on an agent running on the local host. If multiple security products install multiple agents (say one for A-V, one for HIDS, another for host-based firewall, and so on), they can impact system performance and cause conflicts, creating numerous technical support incidents and security incident false positives. An endpoint protection platform (EPP) is a single agent performing multiple security tasks, including malware/intrusion detection and prevention, but also other security features, such as a host firewall, web content filtering/secure search and browsing, and file/message encryption.

Answer 21

•Block copy or transfer of confidential data Many EPPs include a data loss prevention (DLP) agent. This is configured with policies to identify privileged files and strings that should be kept private or confidential, such as credit card numbers. The agent enforces the policy to prevent data from being copied or attached to a message without authorization.

Answer 22

i skipped this one

Answer 23

Where EPP provides mostly signature-based detection and prevention, next-generationendpoint protection with automated response is focused on logging of endpointobservables and indicators combined with behavioral- and anomaly-based analysis. Endpoint detection and response (EDR) •Visibility and containment rather than preventing malware execution •User and entity behavioranalytics driven by cloud-hosted machine learning Next-generation firewall integration •Use endpoint detection to alter network firewall policies •Block filelessthreats and covert channels •Prevent lateral movement

Answer 24

* Visibility and containment rather than preventing malware execution * User and entity behavioranalytics driven by cloud-hosted machine learning An endpoint detection and response (EDR) product's aim is not to prevent initial execution, but to provide real-time and historical visibility into the compromise, contain the malware within a single host, and facilitate remediation of the host to its original state.

Answer 25

* Use endpoint detection to alter network firewall policies * Block filelessthreats and covert channels * Prevent lateral movement An analytics-driven next-gen antivirus product is likely to combine with the perimeter and zonal security offered by next-gen firewalls. For example, detecting a threat on an endpoint could automate a firewall policy to block the covert channel at the perimeter, isolate the endpoint, and mitigate risks of the malware using lateral movement between hosts.

Answer 26

Signature-based detection and heuristics Malware identification and classification •Common Malware Enumeration (CME) Manual remediation advice Advanced malware tools •Manually identify file system changes and network activity Sandboxing •Execute malware for analysis in a protected environment

Answer 27

Scanner scans for malware If the code matches a signature of known malware or exhibits malwarelike behavior that matches a heuristic profile, the scanner will prevent execution and attempt to take the configured action on the host file (clean, quarantine, erase, and so on). An alert will be displayed to the user and the action will be logged (and also may generate an administrative alert). The malware will normally be tagged using a vendor proprietary string and possibly by a CME (Common Malware Enumeration) identifier. These identifiers can be used to research the symptoms of and methods used by the malware.

Answer 28

when a prevention system detect/prevents malware.... The malware will normally be tagged using a vendor proprietary string and possibly by a CME (Common Malware Enumeration) identifier. These identifiers can be used to research the symptoms of and methods used by the malware.

Answer 29

•Manually identify file system changes and network activity Malware is often able to evade detection by automated scanners. Analysis of SIEM and intrusion detection logs might reveal suspicious network connections, or a user may observe unexplained activity or behavior on a host. When you identify symptoms such as these, but the AV scanner or EPP agent does not report an infection, you will need to analyze the host for malware using advanced tools.

Answer 30

Execute malware for analysis in a protected environment

Answer 31

Embedded system is in a static environment. PC is in a dynamic envionrment (you can add or remove applications, etc etc) * Computer system with dedicated function * Static environment * Cost, power, and compute constraints * Single-purpose devices with no overhead for additional security computing * Crypto, authentication, and implied trust constraints * Limited resource for cryptographic implementation * No root of trust * Perimeter security * Network and range constraints * Power constrains range * Emphasize low data rates, but minimize latency

Answer 32

* Programmable logic controller (PLC) * System on chip (SoC) * Processors, controllers, and devices all provided on single package * Raspberry Pi * Arduino * Field programmable gate array (FPGA) * End customer can configure programming logic * Real-time operating system (RTOS) * Designed to be ultra-stable * Prioritizes real-time scheduling

Answer 33

Embedded systems are normally based on firmware running on a programmable logic controller (PLC). These PLCs are built from different hardware and OS components than some desktop PCs.

Answer 34

* System on chip (SoC) * Processors, controllers, and devices all provided on single package * Raspberry Pi * Arduino Desktop computer system architecture uses a generalized CPU plus various other processors and controllers and system memory, linked via the motherboard. System on chip (SoC) is a design where all these processors, controllers, and devices areprovided on a single processor die (or chip). This type of packaging saves space and is usually power efficient, and so is very commonly used with embedded systems.

Answer 35

* Raspberry Pi | * Arduino

Answer 36

* Field programmable gate array (FPGA) * End customer can configure programming logic A microcontroller is a processing unit that can perform sequential operations from a dedicated instruction set. The instruction set is determined by the vendor at the time of manufacture. Software running on the microcontroller has to be converted to these instructions (assembly language). As many embedded systems perform relatively simple but repetitive operations, it can be more efficient to design the hardware controller to perform only the instructions needed. One example of this is the application-specific integrated circuits (ASICs) used in Ethernet switches. ASICs are expensive to design, however, and work only for a single application, such as Ethernet switching. A field programmable gate array (FPGA) is a type of controller that solves this problem. The structure of the controller is not fully set at the time of manufacture. The end customer can configure the programming logic of the device to run a specific application.

Answer 37

Real-time operating system (RTOS) •Designed to be ultra-stable •Prioritizes real-time scheduling Many embedded systems operate devices that perform acutely time-sensitive tasks, such as drip meters or flow valves. The kernels or operating systems that run these devices must be much more stable and reliable than the OS that runs a desktop computer or server. Embedded systems typically cannot tolerate reboots or crashes and must have response times that are predictable to within microsecond tolerances. Consequently, these systems often use differently engineered platforms called realtime operating systems (RTOS). An RTOS should be designed to have as small an attack surface as possible. An RTOS is still susceptible to CVEs and exploits, however.

Answer 38

•Serial data and Industrial Ethernet A cabled network for industrial applications is referred to as an operational technology (OT) network. These typically use either serial data protocols or industrial Ethernet. Industrial Ethernet is optimized for real-time, deterministic transfers. Such networks might use vendor-developed data link and networking protocols, as well as specialist application protocols.

Answer 39

* Cellular networks/baseband radio * Narrowband-IoT (NB-IoT) * LTE Machine Type Communication (LTE-M) * 4G versus 5G * Subscriber identity module (SIM) cards * Encryption and backhaul

Answer 40

A cellular network enables long-distance communication over the same system that supports mobile and smartphones. This is also called baseband radio, after thebaseband processor that performs the function of a cellular modem. There are severalbaseband radio technologies: - Narrowband-IoT (NB-IoT)— - LTE Machine Type Communication (LTE-M)—

Answer 41

• Narrowband-IoT (NB-IoT)—this refers to a low-power version of the Long Term Evolution (LTE) or 4G cellular standard. The signal occupies less bandwidth than regular cellular. - Narrowband also has greater penetrating power, making it more suitable for use in inaccessible locations, such as tunnels or deep within buildings, where ordinary cellular connectivity would be impossible. • LTE Machine Type Communication (LTE-M)—this is another low-power system, but supports higher bandwidth (up to about 1 Mbps).

Answer 42

While not yet completely standardized, both NB-IoT and LTE-M are designed to be compatible with 5G networks. This means they do not interfere with 5G signaling and can use tower relays developed for 5G. They may support higher data rates, though latency and reliability tend to be more important considerations.

Answer 43

Any LTE-based cellular radio uses a subscriber identity module (SIM) card as an identifier. The SIM is issued by a cellular provider, with roaming to allow use of other suppliers' tower relays. As a removable card is not really a suitable form factor for embedded, an eSIM incorporates the same function as a chip on the system board or SoC design.

Answer 44

Encryption of frames between the endpoint and the cell tower and within the backhaul to Internet routers is the responsibility of the network operator. Over the air encryption is performed by encryption schemes devised by the cellular standards body 3GPP. Backhaul security is usually enforced using IPSec. The embedded system can use application layer encryption for additional security.

Answer 45

Z-Wave and Zigbee are wireless communications protocols used primarily for home automation. Both create a mesh network topology, using low-energy radio waves to communicate from one appliance to another.. Zwave - evices can be configured to work as repeaters to extend the network but there is a limit of four "hops" between a controller device and an endpoint. Zigbee - Zigbee has similar uses to Z-Wave and is an open source competitor technology to it. The Zigbee Alliance operates certification programs for its various technologies and standard

Answer 46

Industrial systems have different priorities to IT systems. Often, hazardouselectromechanical components are involved, so safety is the overriding priority. Industrial processes also prioritize availability and integrity over confidentiality— reversing the CIA triad as the AIC triad.

Answer 47

Industrial processes also prioritize availability and integrity over confidentiality—reversing the CIA triad as the AIC triad.

Answer 48

Industrial control systems (ICSs) provide mechanisms for workflow and process automation. These systems control machinery used in critical infrastructure, like power suppliers, water suppliers, health services, telecommunications, and national security services.

Answer 49

An ICS comprises plant devices and equipment with embedded PLCs.

Answer 50

I skipped most of this

Answer 51

Energy •Power generation and distribution Industrial •Mining and refining raw materials Fabrication and manufacturing •Creating components and assembling them into products Logistics •Moving things Facilities •Site and building management systems •Heating, ventilation, and air conditioning (HVAC)

Answer 52

* Machine to Machine (M2M) communication * Hub/control system * Communications hub * Control system for headless devices * Smart hubs and PC/smartphone controller apps * Smart devices * IoT endpoints * Compute, storage, and network functions and vulnerabilities * Wearables * Sensors * Vendor security management * Weak defaults * Patching and updates

Answer 53

The term Internet of Things (IoT) is used to describe a global network of appliancesand personal devices that have been equipped with sensors, software, and networkconnectivity. This compute functionality allows these objects to communicate and pass data between themselves and other traditional systems like computer servers. This is often referred to as Machine to Machine (M2M) communication.

Answer 54

* Communications hub * Control system for headless devices * Smart hubs and PC/smartphone controller apps IoT devices usually require a communications hub to facilitate Z-Wave or Zigbee networking. There must also be a control system, as most IoT devices are headless, meaning they have no user control interface.

Answer 55

* IoT endpoints * Compute, storage, and network functions and vulnerabilities Smart devices—IoT endpoints implement the function, such as a smart lightbulb or a video entryphone that you can operate remotely. These devices implement compute, storage, and network functions that are all potentially vulnerable to exploits.

Answer 56

some IoT devices are designed as personal accessories, such as smart watches, bracelets and pendant fitness monitors, and eyeglasses. Current competing technologies are based on FitBit, Android Wear OS, Samsung's Tizen OS, and Apple iOS, each with their own separate app ecosystems.

Answer 57

IoT devices need to measure all kinds of things, including temperature, light levels, humidity, pressure, proximity, motion, gas/chemicals/smoke, heart/ breathing rates, and so on.

Answer 58

* Weak defaults | * Patching and updates

Answer 59

``` Building automation system (BAS) •Smart buildings •Process and memory vulnerabilities •Credentials embedded in application code •Code injection ``` Smart meters Surveillance systems •Physical access control system (PACS) •Risks from third-party provision •Abuse of cameras

Answer 60

is a network of monitored locks, intruder alarms, and video surveillance. Surveillance systems •Physical access control system (PACS) •Risks from third-party provision •Abuse of cameras

Answer 61

* Smart buildings * Process and memory vulnerabilities * Credentials embedded in application code * Code injection building automation system (BAS) for offices and data centers ("smart buildings") can include physical access control systems, but also heating, ventilation, and air conditioning (HVAC), fire control, power and lighting, and elevators and escalators.

Answer 62

A smart meter provides continually updating reports of electricity, gas, or water usage to the supplier, reducing the need for manual inspections.

Answer 63

Multifunction printer (MFP) •Hard drives and firmware represent potential vulnerabilities •Recovery of confidential information from cached print files •Log data might assist attacks •Pivot to compromise other network devices Voice over IP Shodan

Answer 64

Shodan search results for sites responding to probes over port 9100 (TCP port for raw print data).

Answer 65

* Hard drives and firmware represent potential vulnerabilities * Recovery of confidential information from cached print files * Log data might assist attacks * Pivot to compromise other network devices

Answer 66

* Unmanned Aerial Vehicles (UAV)/drones * Computer-controlled or assisted engine, steering, and brakes * In-vehicle entertainment and navigation * Controller area network (CAN) serial communications buses * Onboard Diagnostics (OBD-II) module * Access via cellular or Wi-Fi

Answer 67

Modern vehicles are increasingly likely to have navigation and entertainment systems, plus driver-assist or even driverless features, where the vehicle's automated systems can take control of steering and braking. The locking, alarm, and engine immobilizer mechanisms are also likely to be part of the same system. Each of these subsystems is implemented as an electronic control unit (ECU), connected via one or more controller area network (CAN) serial communications buses. The principal external interface is an Onboard Diagnostics (OBD-II) module. The OBD-II also acts as a gateway for multiple CAN buses. The CAN bus operates in a somewhat similar manner to shared Ethernet and was designed with just as little security. ECUs transmit messages as broadcast so they are received by all other ECUs on the same bus. There is no concept of source addressing or message authentication. An attacker able to attach a malicious device to the OBD-II port is able to perform DoS attacks against the CAN bus, threatening the safety of the vehicle. There are also remote means of accessing the CAN bus, such as via the cellular features of the automobile's navigation and entertainment system (wired.com/2015/07/hackers-remotely-kill-jeep-highway). Some vehicles also implement on-board Wi-Fi, further broadening the attack surface.

Answer 68

* Used in hospitals and clinics but also at home by patients * Potentially unsecure protocols and control systems * Use compromised devices to pivot to networks * Stealing Protected Health Information (PHI) * Ransom by threatening to disrupt services * Kill or injure patients

Answer 69

* Network segmentation * Strictly restrict access to OT networks * Increased monitoring for SCADA hosts * Wrappers * Use IPSec for authentication and integrity and confidentiality * Firmware code control * Supply chain risks * Inability to patch * Inadequate vendor support * Time-consuming patch procedures * Inability to schedule downtime

Answer 70

* Network segmentation * Strictly restrict access to OT networks * Increased monitoring for SCADA hosts Network segmentation is one of the core principles of network security. Network access for static environments should only be required for applying firmware updates and management controls from the host software to the devices and for reporting status and diagnostic information from the devices back to the host software.

Answer 71

•Use IPSec for authentication and integrity and confidentiality One way of increasing the security of data in transit for embedded systems is through the use of wrappers, such as IPSec. The only thing visible to an attacker or anyone sniffing the wire is the IPSec header, which describes only the tunnel endpoints. This is useful for protecting traffic between trusted networks when the traffic has to go through an untrusted network to go between them, or between trusted nodes on the same network.

Answer 72

* Firmware code control * Supply chain risks * Inability to patch * Inadequate vendor support * Time-consuming patch procedures * Inability to schedule downtime Embedded systems demonstrate one of the reasons that supply chain risks must be carefully managed. Programming logic implemented in FPGA and firmware code must not contain backdoors. Firmware patching is just as vital as keeping host OS software up to date, but for many embedded systems, it is far more of a challenge: