Chapter 5 - Securing Hosts and Data
Backdoor
A backdoor is an access point to an application or service that bypasses normal security mechanisms.
Baseline
A baseline is a known starting point, and organizations commonly use secure baselines to provide known starting points for systems. The use of baselines works in three steps:
1. *Initial baseline configuration* - Administrators use various tools to deploy systems consistently in a secure state.
2. *Integrity measurements for baseline deviation* - Automated tools monitor the systems for any baseline changes, which are a common security issue. Some tools, such as vulnerability scanners, monitor the systems and report any changes they detect. Other tools, such as Group Policy, automatically reconfigure the systems to the baseline settings when they detect changes.
3. *Remediation* - Network Access Control (NAC) methods can detect some changes to baseline settings and automatically isolate or quarantine systems in a remediation network. Typically, administrators need to correct the problems in these systems manually.
hardware security module (HSM)
A hardware security module (HSM) is a security device you can add to a system to manage, generate, and securely store cryptographic keys. High-performance HSMs are external devices connected to a network using TCP/IP. Smaller HSMs come as expansion cards you install within a server, or as devices you plug into computer ports.
hybrid cloud
A hybrid cloud is a combination of two or more clouds. They can be private, public, community, or a combination. These retain separate identities to help protect resources in private clouds. However, they are bridged together, often in such a way that it is transparent to the users.
Master Image
A master image provides a secure starting point for systems. Administrators sometimes create them with templates or with other tools to create a secure baseline. They then use integrity measurements to discover when a system deviates from the baseline.
private cloud
A private cloud is set up for specific organizations. For example, the Shelbyville Nuclear Power Plant might decide it wants to store data in the cloud, but does not want to use a third-party vendor. Instead, the plant chooses to host its own servers and make these servers available to internal employees through the Internet.
real-time operating system (RTOS)
A real-time operating system (RTOS) is an operating system that reacts to input within a specific time. If it can't respond within the specified time, it doesn't process the data and typically reports an error.
Secure Staging Environment
A secure staging environment includes multiple environments, and typically includes different systems used for each stage.
• *Development* - Software developers use a development environment to create the application. This typically includes version control and change management controls to track the application development.
• *Test* - Testers put the application through its paces and attempt to discover any bugs or errors. The testing environment typically doesn't simulate a full production environment, but instead includes enough hardware and software to test software modules.
• *Staging* - The staging environment simulates the production environment and is used for late-stage testing. It provides a complete but independent copy of the production environment.
• *Production* - The production environment is the final product. It includes everything needed to support the application and allow customers and others to use it. In this example, it would include the live web server, possibly a back-end database server, and Internet access.
system on a chip (SoC)
A system on a chip (SoC) is an integrated circuit that includes all the functionality of a computing system within the hardware. It typically includes an application contained within onboard memory, such as read-only memory (ROM), electrically erasable programmable ROM (EEPROM), or flash memory. Many mobile computing devices include an SoC.
third-party app store
A third-party app store is something other than Apple's App Store or Google Play. Apps obtained from these third-party app stores don't undergo the same level of scrutiny as apps on the App Store or Google Play and represent a higher risk.
Trusted Operating System
A trusted operating system meets a set of predetermined requirements with a heavy emphasis on authentication and authorization.
Aircraft and unmanned aerial vehicles (UAVs)
Aircraft and unmanned aerial vehicles (UAVs) include embedded systems. Hobbyists use small UAVs to take pictures remotely. Other organizations such as the military include sophisticated embedded systems for reconnaissance and to deliver weapons.
supervisory control and data acquisition (SCADA)
An ICS is controlled by a supervisory control and data acquisition (SCADA) system. Ideally, these systems are contained within isolated networks, such as within a virtual local area network (VLAN), that do not have access to the Internet. If they are connected to the corporate network, they are often protected by a network intrusion prevention system (NIPS) to block unwanted traffic.
Self-encrypting Drives (SEDs)
An SED includes the hardware and software to encrypt all data on the drive and securely store the encryption keys. These typically allow users to enter credentials when they set up the drive. When users power up the system, they enter their credentials again to decrypt the drive and boot the system.
Application Blacklist
An application blacklist is a list of applications the system blocks.
Application Whitelist
An application whitelist is a list of applications authorized to run on a system.
embedded system
An embedded system is any device that has a dedicated function and uses a computer system to perform that function.
industrial control system (ICS)
An industrial control system (ICS) typically refers to systems within large facilities such as power plants or water treatment facilities.
Security as a Service
Another entry into cloud computing is Security as a Service. It includes any services provided via the cloud that provide security services, and is commonly viewed as a subset of the Software as a Service (SaaS) model. A common example of a Security as a Service application is antivirus software. Imagine radio station W-KOMA decides to purchase antivirus software for its eight employees. They purchase licenses to access the software from an antivirus company. Each employee then configures their system to use the software with their individual licenses. Once installed, the software automatically downloads virus definitions, keeping each user's system up to date without relying on the user to do so. A key benefit of Security as a Service is that it outsources the administrative tasks associated with implementing the service. Additionally, professionals are focused on the specific security services offered, eliminating the need for employees to be experts on everything.
chroot
Another method of sandboxing is with the Linux-based chroot command. It is used to change the root directory for an application, effectively isolating it.
Change Management
Change management defines the process for any type of system modifications or upgrades, including changes to applications. It provides two key goals:
• To ensure changes to IT systems do not result in unintended outages
• To provide an accounting structure or method to document all changes
Cloud-based DLP
Cloud-based DLP solutions allow an organization to implement policies for data stored in the cloud.
community cloud
Communities with shared concerns (such as goals, security requirements, or compliance considerations) can share cloud resources within a community cloud. As an example, imagine that the Shelbyville Nuclear Power Plant and several schools within Springfield decided to share educational resources within a cloud. They could each provide resources for the cloud and only organizations within the community would have access to the resources.
Data exfiltration
Data exfiltration is the unauthorized transfer of data outside an organization and is a significant concern.
Electromagnetic Interference (EMI)
EMI comes from sources such as motors, power lines, and fluorescent lights and it can interfere with signals transmitted over wires.
Electromagnetic Pulse (EMP)
EMP is a short burst of electromagnetic energy. EMP can come from a wide assortment of sources, and some sources can cause damage to computing equipment. Some sources include:
• *Electrostatic discharge (ESD)* - Basic ESD prevention practices, such as using ESD wrist straps, help prevent ESD damage.
• *Lightning* - Lightning pulses can go through electrical wires and damage unprotected systems. Surge protection methods, such as surge protection strips, protect electrical systems.
• *Military weapons* - Nuclear explosions create a large EMP that can damage electronic equipment (including embedded systems) over a large area. Some non-nuclear weapons have been designed to mimic the nuclear EMP, but without the nuclear explosion. Non-nuclear EMP has a smaller range than nuclear EMP, but can still damage equipment. The best publicly known protection is to turn equipment off, but you're unlikely to know when one of these explosions will occur.
Full Disk Encryption (FDE)
Full disk encryption (FDE) encrypts an entire disk. Several applications are available to do this. For example, VeraCrypt is an open source utility that can encrypt partitions or the entire storage device.
Heating, ventilation, and air conditioning (HVAC) systems
Heating, ventilation, and air conditioning (HVAC) systems keep computing systems at the proper temperature and with the proper humidity. Most have embedded systems to control them.
Home automation
Home automation includes Internet-connected devices, such as wireless thermostats, lighting, coffee makers, and more.
Infrastructure as a Service (IaaS)
Infrastructure as a Service (IaaS) allows an organization to outsource its equipment requirements, including the hardware and all support operations. The IaaS service provider owns the equipment, houses it in its data center, and performs all the required hardware maintenance. The customer essentially rents access to the equipment and often pays on a per-use basis.
Wearable technology
Wearable technology includes any device you can wear or have implanted. These devices can then be used to interact with other devices, such as a smartphone.
custom firmware
It's also possible to overwrite the firmware with custom firmware. Some people do this as another method of rooting Android devices. The process is typically complex and fraught with risks. However, some people find downloadable images and copy them onto their devices to overwrite the firmware.
Jailbreaking
Jailbreaking refers to removing all software restrictions from an Apple device. After jailbreaking a device, users can install software from any third-party source.
Wi-Fi Direct
Many mobile devices also support Wi-Fi Direct, which is a standard that allows devices to connect without a wireless access point, or wireless router.
Mobile device management (MDM)
Mobile device management (MDM) includes the technologies to manage mobile devices. MDM applications help administrators manage mobile devices. The following bullets describe many of the MDM concepts that apply to mobile devices:
• *Application management* - MDM tools can restrict what applications can run on mobile devices. They often use application whitelists to control the applications and prevent unapproved applications from being installed.
• *Full device encryption* - Encryption protects against loss of confidentiality on multiple platforms, including workstations, servers, mobile devices, and data transmissions. Encryption methods such as full device encryption provide device security, application security, and data security. While an organization can ensure corporate-owned devices use full device encryption, this isn't always possible when employees use their own devices.
• *Storage segmentation* - In some mobile devices, it's possible to use storage segmentation to isolate data. For example, users might be required to use external storage for any corporate data to reduce the risk of data loss if the device is lost or stolen. It's also possible to create separate segments within the device. Users would store corporate data within an encrypted segment and personal data elsewhere on the device.
• *Content management* - After creating segmented storage spaces, it's important to ensure that appropriate content is stored there. An MDM system can ensure that all content retrieved from an organization source (such as a server) is stored in an encrypted segment. Also, content management can force the user to authenticate again when accessing data within this encrypted segment.
• *Containerization* - Chapter 1 discusses the use of application cell virtualization (also known as container virtualization). Containerization can also be implemented in mobile devices. Running an application in a container isolates and protects the application, including any of its data. This is very useful when an organization allows employees to use their own devices. It's possible to encrypt the container to protect it without encrypting the entire device.
• *Passwords and PINs* - Mobile devices commonly support the use of passwords or personal identification numbers (PINs). MDM systems typically support password policies, similar to the password policies used in desktop systems. The only limitation is that some mobile devices only support PINs, while others support either passwords or PINs.
• *Biometrics* - Many mobile devices now support biometrics for authentication. For example, you can teach the device your fingerprint and then use your fingerprint to authenticate instead of entering a password or PIN.
• *Screen locks* - Most devices support the use of a passcode or password to lock the device. This is like a password-protected screen saver on desktop systems that automatically locks the device after a period of time. It prevents someone from easily accessing the device and the data it contains. This is often combined with an erase function. For example, if someone steals the phone and enters the incorrect passcode ten times, the smartphone will automatically erase all data on the phone.
• *Remote wipe* - Remote wipe capabilities are useful if the phone is lost. The owner sends a remote signal to the device to wipe, or erase, all the data on it. This also deletes any cached data, such as cached online banking passwords, and provides a complete sanitization of the device by removing all valuable data. MDM systems also include enforcing strong authentication methods to prevent unauthorized access.
• *Geolocation* - Mobile devices commonly include Global Positioning System (GPS) capabilities that can be used for geolocation. Applications commonly use GPS to identify the location of the device. This can also be used to locate a lost device.
• *Geofencing* - Organizations sometimes use GPS to create a virtual fence or geographic boundary using geofencing technologies. Apps can respond when the device is within the virtual fence. As an example, an organization can configure mobile apps so that they will only run when the device is within the virtual fence. Similarly, an organization can configure a wireless network to only operate for mobile devices within the defined boundary.
• *GPS tagging* - GPS tagging (also called geotagging) adds geographical information to files such as pictures when posting them to social media web sites. For example, when you take a picture with a smartphone that has GPS features enabled, the picture application adds latitude and longitude coordinates to the picture. Thinking of friends and family, this is a neat feature. However, thinking of thieves and criminals, they can exploit this data. For example, if Lisa frequently posts pictures of friends and family at her house, these pictures identify her address. If she later starts posting pictures from a vacation location, thieves can realize she's gone and burglarize her home.
• *Context-aware authentication* - Context-aware authentication uses multiple elements to authenticate a user and a mobile device. It can include the user's identity, geolocation, verification that the device is within a geofence, time of day, and type of device. Combined, these elements help prevent unauthorized users from accessing apps or data.
• *Push notification services* - Push notification services send messages to mobile devices from apps. As an example, if Lisa installs the Facebook app on her smartphone and enables notifications, the Facebook app will send her notifications. Software developers can configure the notifications to appear even if the device is in screen lock mode and even if the app is not running. MDM apps can send notifications to remind users of security settings, or to let them know if their device is complying with security policy requirements.
tethering
Most smartphones support tethering, which allows you to share one device's Internet connection with other devices. As an example, you can connect your smartphone to the Internet and then use this Internet connection with a laptop, a tablet, or any device that has a wireless connection. If employees use tethering within the organization, it allows them to bypass security such as firewalls and proxy servers.
Unified Extensible Firmware Interface (UEFI)
Newer systems use Unified Extensible Firmware Interface (UEFI) instead of BIOS. UEFI performs many of the same functions as BIOS, but provides some enhancements. As an example, it can boot from larger disks and it is designed to be CPU-independent.
data loss prevention (DLP)
Organizations often use data loss prevention (DLP) techniques and technologies to prevent data loss. They can block the use of USB flash drives and control the use of removable media. They can also examine outgoing data and detect many types of unauthorized data transfers.
Patch Management
Patch management ensures that systems and applications stay up to date with current patches. This is one of the most efficient ways to reduce operating system and application vulnerabilities because it protects systems from known vulnerabilities.
Platform as a Service (PaaS)
Platform as a Service (PaaS) provides customers with a preconfigured computing platform they can use as needed. It provides the customer with an easy-to-configure operating system, combined with appropriate applications and on-demand computing.
sideloading
It's possible to install applications on Android devices by sideloading them. Sideloading is the process of copying an application package in the Application Packet Kit (APK) format to the device and then activating it. The device must be set to allow apps from Unknown Sources, which can significantly weaken security. Sideloading is useful for developers testing apps, but it is considered risky when installing apps from third parties.
Public cloud services
Public cloud services are available from third-party companies, such as Amazon, Google, Microsoft, and Apple. They provide similar services to anyone willing to pay for them.
Remote attestation
The remote attestation process works like the secure boot process. However, instead of checking the boot files against the report stored in the TPM, it uses a separate system. Again, when the TPM is configured, it captures the signatures of key files, but it sends this report to a remote system. When the system boots, it checks the files and sends a current report to the remote system. The remote system verifies the files are the same and attests, or confirms, that the system is safe.
Rooting
Rooting is the process of modifying an Android device to give the user root-level (or full administrator) access to the device.
Sandboxing
Sandboxing is the use of an isolated area on a system and it is often used for testing.
Software as a Service (SaaS)
Software as a Service (SaaS) includes any software or application provided to users over a network such as the Internet. Internet users access the SaaS applications with a web browser. It usually doesn't matter which web browser or operating system a SaaS customer uses. They could be using Microsoft Edge, Chrome, Firefox, or just about any web browser.
Least Functionality
Systems should be deployed with only the applications, services, and protocols they need to meet their purpose.
Basic Input/Output System (BIOS)
The Basic Input/Output System (BIOS) includes software that provides a computer with basic instructions on how to start. It runs some basic checks, locates the operating system, and starts.
Hardware Root of Trust
The TPM ships with a unique Rivest, Shamir, Adleman (RSA) private key burned into it, which is used for asymmetric encryption. This private key is matched with a public key and provides a hardware root of trust, or a known secure starting point. The private key remains private and is matched with a public key. Additionally, the TPM can generate, store, and protect other keys used for encrypting and decrypting disks.
deployment models for mobile devices
The following list identifies some common deployment models for mobile devices.
• *Corporate-owned* - In this traditional deployment model, the organization purchases devices and issues them to employees.
• *COPE (corporate-owned, personally enabled)* - COPE is similar to the traditional corporate-owned model, but the primary difference is that the employees are free to use the device as if it was their personally owned device. This allows employees to use the devices for personal activities in addition to connecting them to the organization's network. Because the organization owns the devices, it makes it easier to manage them.
• *BYOD (bring your own device)* - Some organizations allow employees to bring their own mobile devices to work and attach them to the network. Employees are responsible for selecting and supporting the device, and they typically must comply with a BYOD policy when connecting their device to the network. While this is simple for the employees, it is sometimes referred to as bring your own disaster among IT professionals. Because employees can have any possible device, the IT department is now responsible for supporting, monitoring, and managing any possible device owned by employees.
• *CYOD (choose your own device)* - To avoid some of the challenges related to supporting any possible mobile device, some organizations create a list of acceptable devices along with a CYOD policy. Employees can purchase devices on the list and bring them to work. This gives the IT department a specific list of devices that they need to support, monitor, and manage.
• *VDI (virtual desktop infrastructure)* - VDIs host a user's desktop operating system on a server. While these are typically accessed by traditional computers within a network, it's also possible to deploy a VDI that users can access with their mobile device. This allows users to access any applications installed on their desktop. When the organization hosts a remote access solution such as a virtual private network (VPN), users can access the mobile VDI from anywhere if they have Internet access.
Windows Permissions
The following list shows the basic Windows permissions:
• *Read* - Users granted Read permission can view the contents of a file or folder.
• *Read & Execute* - Users granted the Read & Execute permission have Read permission and they can also run or execute programs.
• *Write* - Users can create new files and folders, and they can also make changes to existing files and folders. This would typically be assigned with Read permission.
• *Modify* - When granted the Modify permission to a file or a folder, a user can read, execute, write, and delete files and folders. The primary addition is the ability to delete files and folders.
Hardening
Hardening is the practice of making an operating system (OS) or application more secure than its default installation. It helps eliminate vulnerabilities from default configurations, misconfigurations, and weak configurations.
cloud deployment models
There are four categories of cloud deployment models: public, private, community, and hybrid. These identify who has access to the cloud infrastructure.
Connection Methods for mobile devices
There are several methods that mobile devices can use to connect to networks and other devices. They include:
• *Cellular* - Smartphones (and many tablets) include the ability to connect to a cellular network, such as a third generation (3G), long-term evolution (LTE), fourth generation (4G), or 4G LTE network. The type of network you connect with is dependent on your cellular provider. Newer generations typically provide increased speed for digital transfers and improved voice communications.
• *Wi-Fi* - Mobile devices almost always have a wireless network interface that you can configure to connect to a wireless network. Chapter 4 discusses common wireless security methods and wireless protocols. Typical wireless networks require you to enter or select the service set identifier (SSID) and enter the pre-shared key or password to access the network. More secure networks use Enterprise mode with an 802.1x server.
• *SATCOM* - Some mobile devices support connections to networks using satellite communications (SATCOM). The most common usage of SATCOM is in mobile phones rather than tablets. However, you can purchase satellite hot spots. You can connect mobile devices to the hot spot, and the hot spot provides Internet and voice access via a satellite connection. Additionally, some vehicles include satellite communication technologies that can be used for phone calls and sometimes for shared Internet access.
• *Bluetooth* - Most mobile devices include Bluetooth support. Bluetooth is a wireless protocol commonly used with personal area networks. For example, most smartphones support the use of a Bluetooth headset for hands-free use of the phone. Additionally, some technologies use Bluetooth to connect two smartphones. For example, Apple's AirDrop uses Bluetooth to create a peer-to-peer network. This makes it easy to exchange files such as photos or videos between two phones.
• *NFC (near field communication)* - NFC is most commonly used as a payment gateway, allowing you to make payments simply by waving your phone in front of an NFC reader at a retailer. You can also create a peer-to-peer network between two devices with NFC. For example, Android Beam allows two users with Android devices to share data displayed on the screen by placing the two devices back to back. Some applications use NFC to enable Bluetooth on the two devices, send the shared data via Bluetooth, and then disable Bluetooth.
• *ANT* - ANT and ANT+ are proprietary wireless protocols used by some mobile devices. While it looks like an acronym, it isn't spelled out on the ANT Wireless web site (https://www.thisisant.com/). Many sports and fitness sensors (such as Fitbit) collect data on users (such as heart rate, steps taken, and so on) and use ANT to send the data to a mobile device application.
• *Infrared* - Infrared is a line-of-sight wireless technology used by some mobile devices. This is the same technology used by most remote controls for TVs and other audiovisual equipment. Many people add apps to their smartphones and use them as a universal remote for their equipment. It's also possible to transfer files between smartphones using infrared, as long as both smartphones support infrared.
• *USB (Universal Serial Bus)* - Mobile devices can typically be connected to a desktop PC or laptop via a USB cable. Most Apple devices have a Lightning port and can connect to PCs via a Lightning to USB cable. Many Android devices have a mini-USB port and can connect to PCs via a mini-USB to standard USB cable.
Linux Permissions
Linux permissions are assigned to three categories of users. They are:
• *Owner* - This is the user who owns the file or directory, and the owner is typically granted all permissions for the file or directory.
• *Group* - The file can also be owned by a named group. Members of this group are granted specific permissions for the file or directory. These permissions are typically less than the permissions applied to the owner.
• *Others* - You can think of this as everyone else. Permissions applied here do not override the Owner or Group permissions.
In addition to understanding who you can assign permissions to, it's also important to understand the basic Linux permissions. These may be represented as letters (r, w, and x) or as numbers. They are:
• *Read (r)* - This allows you to view the file and is represented with the number 4.
• *Write (w)* - This allows you to modify the file and is represented with the number 2.
• *Execute (x)* - This allows you to run the file (assuming it is an application) and is represented with the number 1.
cloud access security broker (CASB)
A cloud access security broker (CASB) is a software tool or service deployed between an organization's network and the cloud provider. It monitors all network traffic and can enforce security policies. As an example, it can ensure that all data stored in the cloud is encrypted.
Trusted Platform Module (TPM)
Trusted Platform Module (TPM) is a hardware chip on the computer's motherboard that stores cryptographic keys used for encryption. Many laptop computers include a TPM and you may see them on many mobile devices, too. However, if the system doesn't include a TPM, it is not feasible to add one. Once enabled, the TPM provides full disk encryption capabilities. It keeps hard drives locked, or sealed, until the system completes a system verification and authentication process.
Firmware OTA updates
Updates to the operating system overwrite the firmware using over-the-air (OTA) techniques. Firmware OTA updates keep the device up to date.
Secure Boot
When the system boots, the secure boot process checks the files against the stored signatures to ensure they haven't changed. If it detects that the files have been modified, such as from malware, it blocks the boot process to protect the data on the drive.
wireless ad hoc network
Wi-Fi Direct is similar to a wireless ad hoc network, which allows devices to connect to each other without a wireless access point or wireless router. The difference is that Wi-Fi Direct uses single-radio-hop communication. In other words, none of the devices in a Wi-Fi Direct network can share an Internet connection. However, systems in a wireless ad hoc network use multihop wireless communications and can share an Internet connection.