CompTia Security+(SY0-501) Lesson 9 +Lesson 11 + Lesson 12
SNMP monitor
(a software program) provides a location from which network activity can be overseen. It monitors all agents by polling them at regular intervals for information from their MIBSs
transparent proxy
(forced intercepting) intercepts client traffic without the client having to be reconfigured. often implemented on a switch or router.
heuristics
(learning from experience) to generate a statistical model of what the baseline is like
Guidelines to Implement Mobile Device Security
- Be aware of the different connection methods mobile devices may use in your organization. - Be aware of the different levels of control you have over certain connection methods. - Incorporate a mobile device management platform in your organization. - Implement security controls on mobile devices such as screen locking, geolocation, remote wipe, device encryption, and more. - Monitor certain activities associated with mobile devices, such as app installation from third parties, rooting/jailbreaking, carrier unlocking, and more. - Enforce policies to curtail or disable the use of certain mobile device activities thatbring unwanted risk to the organization. - Consider the different ways that mobile devices can be deployed in your organization. - Be aware of the inherent risks of allowing BYOD in your organization. - Apply various security controls to combat BYOD risks, such as making decisions about ownership, encouraging the use of anti-malware apps, providing users with the tools and knowledge to uphold privacy, and more.
Baseline deviations that are the result of an attack may be very subtle if the attacker has done reconnaissance and is familiar with the baseline.
- Enforcing a baseline on user workstations will not be effective unless the fundamental configurations are locked down and access controlled. - Multiple critical systems with the same or similar baseline deviations will require swift remediation. - The nature of a baseline deviation may reveal malicious intent. A system that is supposed to be shut off from remote access that suddenly has Telnet installed and activated is a cause for concern.
Challenge to keep embedded systems and static environments up-to-date
- Many embedded systems use low-cost firmware chips and the vendor never produces updates to fix security problems or only produces updates for a relatively short product cycle (while the device could remain in operational use for much longer). - Many embedded systems require manual updates, which are perceived as too time-consuming for a security department with other priorities to perform.
Investigate how the software was allowed to be installed or executed:
- Place the host system and software in a sandbox before analyzing its running state. - Check event logs and browsing history to determine the source of the unauthorized software. Conduct an anti-malware scan to determine if the software is known to be malicious. - Verify user privileges and access controls on the host system to re-secure permissions.
Follow these guidelines when securing hosts:
- Stay up to date on OS vendor security information.• Apply security settings to your OSes like disabling unnecessary services and adhering to the principle of least privilege in user accounts. - Create security baselines for your systems to streamline the hardening process.• Compare these baselines to your current host configurations. - Consider implementing application blacklisting or whitelisting to restrict software that can execute on your systems. - Ensure that all critical activity on your systems is logged. - Review logs to identify suspicious behavior.• Prepare for auditing by external parties to verify that your hosts are in compliance. - Implement anti-malware solutions on your hosts. - Consider the unique security implications of different hardware peripherals. - Consider the unique security implications of embedded systems.
Removable Media Control poses two different challenges to security policies:
- The media might be a vector for malware, either through the files stored in the media or its firmware. - The media might be a means of exfiltrating data.
When troubleshooting why a system is no longer in alignment with the established baseline, keep in mind the following:
- The state of a system will drift over time as a result of normal operations. This does not necessarily indicate that an attack has taken place. - Patches and other updates may cause the baseline to be outdated, prompting you to update the baseline.
Microsoft's distinction between different types of software patches
- Updates are widely released fixes for bugs. Critical updates address performance problems while security updates address vulnerabilities and can be rated by severity (critical, important, moderate, or low). There are also definition updates for software such as malware scanners and junk mail filters and driver updates for hardware devices. - Hotfixes are patches supplied in response to specific customer troubleshooting requests. With additional testing, these may later be developed into public release updates. - Feature packs add new functionality to the software. - Service packs and update rollups form a collection of updates and hotfixes that can be applied in one package.
Some of the goals of attacks on medical devices and services are
- Use compromised devices to pivot to networks storing medical data with the aim of stealing Protected Health Information (PHI). - Hold medical units ransom by threatening to disrupt services. - Kill or injure patients (or threaten to do so) by tampering with dosage levels or device settings.
Approaches to apply updates:
-Apply all the latest patches to ensure the system is as secure as possible against attacks targeting flaws in the software. -Only apply a patch if it solves a particular problem being experienced.
Multi-function devices (MFD) (i.e. printers with scanners and fax capabilities) represent a powerful pivot point on an enterprise network:
-Interfaces and code are not always kept as secure as OS code, making them potentially more vulnerable to compromise. -An adversary can snoop on and copy highly confidential data in cleartext. The hard disk is a useful means of staging data for exfiltration. -Network connectivity might bridge user and administrative network segments and allow wider network penetration.
Remediation responses
-alert only -block -quarantine -tombstone
prevent data exfiltration by...
-all sensitive data is encrypted at rest -create and maintain offsite backups of data -ensure systems that are storing or transmitting sensitive data are implementing access controls -restrict the types of network channels that attackers can use -train users about document confidentiality and the use of encryption
file integrity checks
-centuil -hashfile File Algorithm (windows) -fciv -v (windows) -md5sum | sha1sum | sha256sum | sha512sum -c (linux) -gpg (linux) -File Integrity Management (FIM) software sudits key system files to make sure they match the authorized versions
key things to watch for when detecting intrustions
-free disk space -high cpu usage -memory leak -page file usage -account activity -out of hours utilization
disadvantage of NIDS
-significant delay before an admin can put countermeasures into place -heavy traffic can overload the sensor or analysis engine -training and tuning are complex -encrypted traffic cannot be analyzed
Log maintenance
-time synchronization: normalizes time zones -event duplication: event storms are identified as a single event
Problems with stateless firewalls
-vulnerable to attacks that are apread over a sequence of packets -have traffic flow problems
most common VIP protocols
1. Common Address Redundancy Protocol (CARP) 2. Gateway Load Balancing Protocol (GLBP)
main types of load balancer
1. Layer 4: stateless; based forwarding decisions on IP addresses and TCP/UDP port values. 2. Layer 7: content switch; based forwarding decisions on application level data like requesting a particular url or data types like video or audio streaming.
main options for connecting a sensor
1. SPAN (switch port analyzer)/ mirror port: sensor attached to a specially configured port on the switch that receives copies of frames addressed to nominated ports 2. Passive test access point(TAP): box with ports for incoming and outgoing network cabling and an inductor or optical splitter that physically copies the signal from the cabling to the monitor port. 3. Active TAP: a powered device that performs signal regeneration.
Types of SA
1. round robin: picking next node 2. weighted : use admin set preferences or dynamic load information or both
features of most load balancers
1.Configurable load: assign specific server in the farm for certain types of traffic 2.TCP offload: group HTTP packets from a single client into a collection of packets assigned to a specific server 3.SSL offload: implement SSL/TLS to provide for secure connections 4.Caching: reduces load on static web servers 5.Prioritization: filter and mange traffic based on its priority.
Steps to harden the OS of a workstation PC
1.Remove (or disable) devices that have no authorized function. These could include a legacy modem or floppy disk or standard optical disk drives, USB ports, and soon. 2.Test and install OS and application patches and driver/firmware updates (when they have been tested for network compatibility) according to a regular maintenance schedule. Patches for critical security vulnerabilities may need to be installed outside the regular schedule. 3.Uninstall all but the necessary network protocols. 4.Uninstall or disable services that are not necessary (such as local web server or file and print sharing) and remove or secure any shared folders. 5.Enforce Access Control Lists on resources, such as local system files and folders,shared files and folders, and printers.6.Restrict user accounts so that they have least privilege over the workstation(especially in terms of installing software or devices). 7.Secure the local administrator or root account by renaming it and applying a strong password. 8.Disable default user and group accounts (such as the Guest account in Windows)and verify the permissions of system accounts and groups (removing the Everyone group from a folder's ACL, for instance). 9.Install anti-virus software (or malware protection software) and configure it to receive virus definition updates regularly. Anti-virus software should also be configured so that the user cannot disable it and so that it automatically scans files on removable drives, files downloaded from the Internet, or files received as email/IM file attachments.
Most Smart Devices use
A Linux or Android Kernel
What use is a TPM when implementing full disk encryption?
A Trusted Platform Module provides a secure mechanism for creating and storing the key used to encrypt the data. Access to the key is provided by configuring a password. The alternative is usually to store the private key on a USB stick.
A secure boot
A UEFI feature that prevents a system from booting up with drivers or an OS that are not digitally signed and trusted by the motherboard or computer manufacturer.
What is a security-enabled configuration?
A basic principle of security is to run only services that are needed. Many default OS installations and network devices also install optional services automatically, requiring the installer to disable them if they are not needed. Most devices and software now ship in a security-enabled configuration, meaning that the installer must choose which services to install and enable.
Mobile Device Management (MDM)
A class of management software designed to apply security policies to the use of mobile devices in the enterprise.
Embedded System
A complete computer system that is designed to perform a specific, dedicated function.
Kiosks
A computer terminal deployed to a public environment. Similarly to an ATM
Interfaces provides
A connection to the network. Some machines may have more than one interface.
Trusted Computing Group
A consortium of Companies (i.e. Microsoft) set up to develop technologies to improve security of computing systems.
System on a Chip (SoC)
A design where all of these processors, controllers, and devices are provided on a single processor die (or chip). This type of packaging saves space and is usually power efficient and so is very commonly used with embedded systems.
Correlation Engine
A device that aggregates and correlates content from different sources to uncover an attack.
flood guard
A feature that controls a device's tolerance for unanswered service requests and helps to prevent a DoS or DDoS attack.
Wrappers
A header, which precedes the encapsulated data, and a trailer, which follows it. The only thing visible to an attacker or anyone sniffing the wire is the IPSec header, which describes only the tunnel endpoints. This is useful for protecting traffic between trusted networks when the traffic has to go through an untrusted network to go between them, or between trusted nodes on the same network.
What special security management challenges does a kiosk-type host pose?
A kiosk is a computer terminal that is completely exposed to public use. Consequently, both the hardware and software interfaces must be made secure, either by making them inaccessible or by carefully filtering input.
Group Policy Objects (GPO)
A means of applying security settings across a range of computers. GPOs are linked to network administrative boundaries in Active Directory
IP filtering
A method of blocking packets based on IP addresses.
round-robin DNS
A method of increasing name resolution availability by pointing a host name to a list of multiple IP addresses in a DNS zone file. After pointing a client to one IP address in the list, DNS will point the next client that requests resolution for the same domain name to the next IP address in the list, and so on.
What is containerization?
A mobile app or workspace that runs within a partitioned environment to prevent other (unauthorized) apps from interacting with it.
Internet Key Exchange (IKE) (also referred to as Internet Security Association and Key Management Protocol (ISAKMP))
A protocol is the part of the IPSec protcol suite that handles authentication and key exchange, referred to as Security Associations
Hardware Root of Trust or Trust Anchor
A secure subsystem that is able to provide attestation (Declare something to be true).
Android
A smartphone/tablet OS developed by the Open Handset Alliance (primarily driven by Google). Unlike iOS, it is an open-source OS, based on Linux®. This means that there is more scope for hardware vendors, such as Asus, HTC, LG, Samsung, andSony, to produce vendor-specific versions. The app model is also more relaxed, with apps available from both Google Play™ (Android Market) and third-party sites, such as amazon's app store. The SDK is available on Linux, Windows, and macOS®.
Sysinternals
A suite of tools designed to assist with troubleshooting issues with windows.
Least Functionality
A system should run only the protocols and services required by legitimate users and no more. This reduces the potential attack surface.
host-based intrusion prevention system (HIPS)
A system that automatically responds to computer intrusions by monitoring activity on one or more individual PCs or servers and responding based on a rule set.
host-based IDS
A system that monitors traffic on a single system. Its primary responsibility is to protect the system on which it is installed.
Port filtering
A technique of selectively enabling or disabling TCP and UDP ports on computers or network devices.
Security Information and Event Management (SIEM)
A two-part process consisting of security event monitoring (SEM), which performs real-time monitoring of security events, and security information management (SIM), where the monitoring log files are reviewed and analyzed by automated and human interpreters. (process in lesson 9 Topic E)
SYN Flood
A type of DoS where an attacker sends a large amount of SYN request packets to a server in an attempt to deny service. (pg 353 for extended explaination)
Electromagnetic Pulse (EMP)
A very powerful but short duration wave with the potential to destroy any type of electronic equipment.
Vulnerabilities in Over The Air updates
A well-resourced attacker can create an "evil base station" using a Stingray/IMSI catcher type of device. This will allow the attacker to identify the location of cell devices operating in the area. In some circumstances it might be possible to launch a Man-in-the-Middle attack and abuse the firmware update process to compromise the phone.
Resultant Set of Policies(RSoP)
Apply to a particular computer or user. GPOs can be set to override or block policy inheritance where necessary
Why should detailed vendor and product assessments be required before allowing the use of IoT devices in the enterprise?
As systems with considerable computing and networking functionality, these devices are subject to the same sort of vulnerabilities and exploits as ordinary workstations and laptops. It is critical to assess the vendor's policies in terms of the security design for the product and support for identifying and mitigating any vulnerabilities discovered in its use.
false positive
Assessment error in which pathology is reported (that is, test results are positive) when none is actually present.
Rooting
Associated with Android devices. Some vendors provide authorized mechanisms for users to access the root account on their device. For some devices, it is necessary to exploit a vulnerability or use custom firmware.
Evaluate the features and vulnerabilities found in medical devices to select the accurate statements. (Select two) A. Medical devices are only those devices located outside of the hospital setting, including defibrillators and insulin pumps. B. Attackers may attempt to gain access in order to kill or injure patients, or hold medical units ransom. C. Medical devices are updated regularly to secure them against vulnerabilities and protect patient safety. D. Many portable devices, such as cardiac monitors and insulin pumps, run on unsupported operating systems.
B. Attackers may attempt to gain access in order to kill or injure patients, or hold medical units ransom. D. Many portable devices, such as cardiac monitors and insulin pumps, run on unsupported operating systems.
Compare and evaluate the various levels and types of security found within a Trusted OS (TOS) to deduce which scenario is an example of a hardware Root of Trust (RoT). A. A security system designed to prevent a computer from being hijacked by a malicious operating system. B. The boot metrics and operating system files are checked and signatures verified at logon. C. Digital certificates, keys and hashed passwords are maintained in hardware-based storage. D. The industry standard program code that operates the essential components of a system.
B. The boot metrics and operating system files are checked and signatures verified at logon.
Evaluate the features and vulnerabilities found in the software on printers and Multifunction Devices (MFDS) and select the accurate statements. (Select three) A. Interfaces and code on MFDS have the same level of security as the OS using it, giving an attacker insight into network security. B. The hard disk on MFDS is a useful means of staging data for exfiltration. C. An attacker can use MFDS to snoop on and copy highly confidential data in cleartext. D. Network connectivity on printers and MFDS can allow attackers further access into the network and allow wider penetration.
B. The hard disk on MFDS is a useful means of staging data for exfiltration. C. An attacker can use MFDS to snoop on and copy highly confidential data in cleartext. D. Network connectivity on printers and MFDS can allow attackers further access into the network and allow wider penetration.
Analyze and compare iOS and Android operating systems (OS) to accurately differentiate between the two. (Select all that apply.) A. Android releases updates often, while iOS is more sporadically released. B. iOS is limited to Apple products, while Android has multiple hardware vendors. C. Android is an open source OS based on Linux, unlike iOS, which is a closed and proprietary system. D. iOS is more vulnerable to attack due to being a closed source, while Android is more secure with multiple partners working to secure the OS.
B. iOS is limited to Apple products, while Android has multiple hardware vendors. C. Android is an open source OS based on Linux, unlike iOS, which is a closed and proprietary system.
Source code package needs to
Be ran through the appropriate compiler with the preferred options
Hosts
Before DNS was developed (in the 1980s), name resolution took place using a text file.
Anti-virus is a malware that
Blocks any process matching a malware signature from executing.
Active/active clustering
Both servers in the cluster are up and running and actively responding to requests
What type of deployment model(s) allow users to select the mobile device makeand model?
Bring Your Own Device (BYOD) and Choose Your Own Device (CYOD).
A system administrator has received new systems to deploy within a work center. Which of the following should the system administrator implement to ensure proper hardening? (Select two) A. Remove all third party software. B. Disable client software to connect applications. C. Disable any network interfaces that are not required. D. Disable all unused services.
C. Disable any network interfaces that are not required. D. Disable all unused services.
Trusted Platform Module
Can be controlled by anyone with administrative control. It can be managed in Windows via the tpm.msc console of through group policy.
Near Field Communications (NFC) is vulnerable to these types of attakcs:
Certain antenna configurations may be able to pick up the RF signals emitted by NFC from several feet away, giving an attacker the ability to eavesdrop from a more comfortable distance. An attacker with a reader may also be able to skim information from an NFC device in a crowded area, such as a busy train. An attacker may also be able to corrupt data as it is being transferred through a method similar to a DoS attack—by flooding the area with an excess of RF signals to interrupt the transfer. If someone loses an NFC device or a thief steals it, and the device has no additional layers of authentication security, then anyone can use the device in several malicious ways.
What first step must you take when configuring automatic updates on a Linux server?
Choose a trustworthy installation source.
The ANT protocol and its associated product standard ANT+ have seen widespread use in
Communicating health and fitness sensor data between devices.
Supervisory Control and Data Acquisition (SCADA)
Components of Industrial Control Systems (ICS)
Containerization
Concerns need to be addressed by policy and guidance, agreed between the employer and employees. These sorts of concerns have also been addressed by EMM vendors
Removable Media Control needs policies that
Control any type of portable device with storage capabilities
Administrative Templates
Custom Registry settings
A network manager is installing a new switch on the network. Compare the hardening processes for servers, appliances, and applications to recommend the hardening steps that should be taken to complete the task. A. A Group Policy Object (GPO) should be built in order to configure custom registry settings. B. The Server Core option should be used as to limit the device to only using Hyper-V and DHCP. C. The Microsoft Baseline Security Analyzer (MBSA) tool should be used to validate the security configuration. D. The network manager should ensure all patches are applied and it is appropriately configured.
D. The network manager should ensure all patches are applied and it is appropriately configured.
EMP generators can be deployed to perform a
DOS attack against a computer
Vulnerabilities of SMS and MMS resulted in
DOS attacks
Mobile Device Deployment Model
Describes the way employees are provided with mobile devices and applications: - Bring Your Own Device (BYOD) - Corporate Owned, Business Only (COBO) - Corporate Owned, Personally-Enabled (COPE) - Choose Your Own Device (CYOD)
Problem with establishing a Hardware Root of Trust
Devices are used in environments where everyone can get complete control over them. - cannot be complete assurance that the firmware underpinning the hardware root of trust is inviolable.
bots
DoS tools
Why is a rooted or jailbroken device a threat to enterprise security?
Enterprise Mobility Management (EMM) solutions depend on the device user not being able to override their settings or change the effect of the software. A rooted or jailbroken device means that the user could subvert the software controls.
Executing attack to stop a buffer overflow attack
Execute Disable (XD) - Intel Data Execution Prevention (DEP) - Windows Address Space Layout Randomization (ASLR) - most OS support
True or false? Only Microsoft's operating systems and applications require security patches.
False—any vendor's or open source software or firmware can contain vulnerabilities that need
Application Firewalls
Firewalls designed to protect specific applications and devices, such as a SCADA
Host software baselining
For an OS functioning in any given role, there will usually be a fairly standard series of steps to follow to apply a secure configuration to allow the OS and applications software to execute that role.
Carrier unlocking
For either iOS or Android, this means removing the restrictions that lock a device to a single carrier.
A kiosk needs to be
Fully locked down so that users are only able to access the menus and commands needed to operate the kiosk application.
Global Positioning System (GPS)
GPS is a means of determining a receiver's position on the Earth (its latitude and longitude) based on information received from GPS satellites. The receiver must have line-of-sight to the GPS satellites. GPS provides another means of locating the device. As GPS requires line-of-sight, it does not work indoors.
Infrared in modern smartphones and wearable technology focuses on
IR blaster and IR sensor
content filter
In an Internet browser, software that blocks content.
DNS spoofing
Is an attack that compromises the name resolution process.
DNS Server Cache Poisoning (Pollution)
Is another redirection attack, but instead of trying to subvert the name service used by the client, it aims to corrupt the records by the DNS server itself.
Industrial Control Systems (ICS)
It is deployed to monitor and manage industrial-, infrastructure-, and facility-based processes.
IT administrators in your company have been abusing their privileges to install computer games on company PCs. What technical control could you deploy to prevent this?
It is difficult to define technical controls to apply to administrators, but you could enforce whitelisting or blacklisting of executables allowed.
Host Software baselining essential principle
Least functionality
Point-to-Point Tunneling Protocol (PPTP)
Legacy protocols such as the PPTP have been deprecated because they do not offer adequate security
Digital Cameras's flash media storage
May be infected with malware or used for data exfiltration
DNS footprinting
Means obtaining information about a private network by using its DNS server to perform a zone transfer (all the records in a domain) to a rogue DNS or simply by querying the DNS service, using a tool such as nslookup or dig.
Always-on VPN
Means that the computer establishes the VPN whenever an internet connection over a trusted network is detected, using the user's cached credentials to authenticate.
Aside from leaving sensitive documents uncollected in the output tray,are there security concerns with respect to printers?
Modern printers have their own hard drive, OS, and firmware and are, therefore,susceptible to the same attacks like any other computer—with the additional problem that many users are unaware of this and, therefore, do not remember to update or patch operating systems to securely delete the contents of the drive, or destroy the drive itself upon retiring the printer.
Baseband update
Modifies the firmware of the radio modem used for cellular, Wi-Fi,Bluetooth, NFC, and GPS connectivity.
Personal Area Network (PAN)
Most PANs enable connectivity between a mobile device and peripherals, but ad hoc (or peer-to-peer) networks between mobile devices or between mobile devices and other computing devices can also be established.
Server Core excludes
Most of the familiar shell tools, such as File Explorer and MMCs.
Choose Your Own Device (CYOD)
Much the same as COPE but the employee isgiven a choice of device from a list.
Methods to Secure Embedded Systems
NETWORK SEGMENTATION APPLICATION FIREWALLS WRAPPERS FIRMWARE VERSION CONTROL AND MANUAL UPDATES
Network Segmentation
Network access for static environments should only be required for applying firmware updates and management controls from the host software to the devices and for reporting status and diagnostic information from the devices back to the host software. This control network should be separated from the corporate network using firewalls and VLANs. isolating these hosts from others through network segmentation and using endpoint security
Satellite communications (SATCOM)
Offers the best solutions for the businesses that have to establish telecommunications in extremely remote areas or use communications systems that is wholly owned and managed
Static Computing/Environment
Often a black box to security administrators. Typically little support if there is security issues
Active/Passive clustering
One server is actively responding to requests while the other acts as a live standby
End of Life System
One that is no longer supported by its developer or vendor. No longer receive security updates and so represent a critical vulnerability if any remain in active use
What countermeasures can you use against the threat of maliciousfirmware code?
Only use reputable suppliers for peripheral devices and strictly controlled sources for firmware updates. Consider use of a sheep dip sand boxed system to observe a device before allowing it to be attached to a host in the enterprise network. Use execution control software to white list only approved USB vendors.
Short Message Service (SMS) and Multimedia Message Service (MMS)
Operated by the cellular network providers. They allow transmission of text messages and binary files.
Network IDS (NIDS)
Passive Detection; Deployed as a passive sniffer/sensor at network aggregation points. Uses signature, anomaly analysis.
Using Wi-Fi Direct
Peer-to-peer connections can also be established
Snooping
Principle security exploit of wireless input devices
Multifunction Devices (MFD)
Print/scan/fax functions are performed by single devices
Hardening
Process of putting an operating system or application in a secure configuration
Services
Provide a library of functions for different types of applications. Some services support local features of the OS and installed applications. Other services support remote connections from clients to server applications. Unused services should be disabled.
Dynamic Host Configuration Protocol (DHCP)
Provides an automatic method for network address allocation
Preventing against Denial of Service (DOS) attacks on a network appliance
Providing multiple network links, running redundant servers, configuring separate physical servers for different server applications
Virtual Desktop Infrastructure (VDI)
Provisioning a workstation OS instance to interchangeable hardware. Removes some security concerns about BYOD
You should warn users of the risks of
Putting an unknown peripheral device in your computer
An employee's car was recently broken into, and the thief stole a company tablet that held a great deal of sensitive data. You've already taken the precaution of securing plenty of backups of that data. What should you do to be absolutely certain that the data doesn't fall into the wrong hands?
Remotely wipe the device.
Wi-Fi endabled MicroSD cards can
Rep;lace the kernel on this type of device and install whatever software the hacker chooses
Remote Wipe/Kill Switch
Resets phone to factory defaults if the handset/phone is stolenn
Trusted Platform Module (TPM)
Root of Trust is typically established by a type of cryptoprocessor A specification for hardware-based storage of digital certificates, keys, hashed passwords, and other user and platform identification information.
Host Key
SSH servers are identified by a public/public key pair.
Why would you need to deploy SATCOM and what sort of assessments should you make?
Satellite Communications (SATCOM) provides near global coverage so is used for telecommunications in remote areas. You need to assess service providers to ensure that they have vulnerability management procedures for receivers and handsets and that the communications links use secure encryption.
Company policy requires that you ensure your smartphone is secured from unauthorized access in case it is lost or stolen. To prevent someone from accessing data on the device immediately after it has been turned on, what security control should be used?
Screen lock.
Assurance
Secure design principles, availability of code reviews and audits, and so on.
Default installation choice for Windows Server is
Server Core
Network Appliances
Should follow the parameters allowed by their manufacturers.
Blacklisting is vulnerable to
Software that has not previously been identified as malicious
Data Loss Prevention (DLP)
Software which works like antivirus programs in reverse, blocking outgoing messages (e-mail, instant messages, etc.) that contain key words or phrases associated with intellectual property or other sensitive data the organization wants to protect.
Embedded Systems are typically
Static Environments
What are SCADA devices and what are the security issues associated with them?
Supervisory Control and Data Acquisition Systems are large-scale control systems used in system ssuch as manufacturing and fabrication. The two great security issues with SCADA devices stem from the fact that so many of them are legacy and, therefore, built without an eye to security and without the awareness that they would one day be networked. Securing devices such as these after the fact can therefore, by its nature, be extremely difficult.
Unified Extensible Firmware Interface (UEFI) Provides
Support for 64-bit CPU operation at boot, a full GUI and mouse operation at boot, and a better boot security
Security Features
Support for multilevel security (Mandatory Access Control). A problem for many OSes is the means of restricting root or Administrator access to classified data.
Mandatory access control includes
Support for multilevel security. This solves the common problem that many operating systems face of restricting root access to classified data. An enforcement of security policy is provided by an access control model.
A content management system
Tags corporate or confidential data and prevents it from being shared or copied to unauthorized media or channels, such as non-corporate email systems or cloud storage services.
Baseline Deviation reporting
Testing the actual configuration of clients and servers to ensure that they are patched and that their configuration settings match the baseline template.
Blacklist control
That anything not on the prohibited blacklist can run.
Whitelist control
That nothing can run if it is not on the approved whitelist.
What use is made of a TPM for NAC attestation?
The Trusted Platform Module (TPM) is a tamper-proof (at least in theory)cryptographic module embedded in the CPU or chipset. This can provide a means to report the system configuration to a policy enforcer securely.
Trap
The agent is also capable of initiating a trap operation where it informs the management systems of a notable event (port failure, for instance)
Management Information Base (MIB)
The agent that mainaint a database called MIB that holds statistics relating to the activity of the activity of the device (for example, the number of framed per second handled by a switch).
Pharming
The attacker compromises the process of DNS resolution in some way to replace the valid IP address for a trusted website such as mybank.com with the attacker's IP address.
Trusted OS
The computing environment is trusted not to create security issues
Basic Input/Output System (BIOS) ensures that
The design of each manufacturer's motherboard is PC compatible
Corporate Owned, Business Only (COBO)
The device is the property of the company and may only be used for company business.
Why are OS-enforced file access controls not sufficient in the event of the loss or theft of a computer or mobile device?
The disk (or other storage) could be attached to a foreign system and the administrator could take ownership of the files. File-level or Full Disk Encryption(FDE) mitigates this by requiring the presence of the user's decryption key to read the data.
Electromagnetic Interference (EMI)
The effect of unwanted electromagnetic energy has one electronic equipment.
Supply Chain
The end-to-end process of supplying, manufacturing, distributing, and finally releasing goods and services to the company.
Trusted Computing Base (TCB)
The kernel and associated hardware and processes must be designed to support the enforcement of a security policy (an access control model). It should be tamper-resistant.
Trusted Platform Module Hashes
The key systems state data to ensure they have not been tampered with.
resource exhaustion
The malicious result of many DoS and DDoS attacks. The attack overloads a computer's resources (such as the processor and memory), resulting in service interruption.
Network Access Control(NAC) and MDM are similar
The management software logs the use of a device on the network and determines whether to allow it to connect or not, based on administrator-set parameters.
iOS
The operating system for Apple's iPhone® smartphone and iPad® tablet. Apple®makes new versions freely available, though older hardware devices may not support all the features of a new version
Geofencing
The practice of creating a virtual boundary based on real-world geography. Geofencing can be a useful tool with respect to controlling the use of camera or video functions. This involves disabling cameras on mobile devices when they are in areas that should not allow photographs or video according to policy.
GPS tagging
The process of adding geographical identification metadata, such as the latitude and longitude where the device was located at the time, to media such as photographs, SMS messages, video, and so on
Anomaly-based detection
The process of comparing definitions of what activity is considered normal against observed events to identify significant deviations.
Execution Control
The process of determining what additional software may be installed on a client or server beyond its baseline.
Full Disk Encryption (FDE)
The process of encrypting all the data on the hard disk drive used to boot a computer, including the computer's operating system, and permitting access to the data only after successful authentication with the full disk encryption product
Firmware version control
The process of patch management for static and embedded environments.
To ensure the Trusted Platform Module is trustworthy, the supply chain
The staff responsible for provisioning the computing device to the end user must all be trustworthy
Data Exfiltration
The unauthorized transfer of data outside an organization.
Over The Air (OTA)
The updates can be delivered wirelessly, either through a Wi-Fi network or the data connection
Geolocation
The use of network attributes to identify (or estimate) the physical position of a device.
Execution Control prevents
The use of unauthorized software can be implemented as either an application whitelist or a blacklist:
What is the process of sideloading?
The user installs an app directly onto the device rather than from an official appstore.
Buffer Overflow Attack
The virus tricks another program into executing it when the other program thinks it is just processing some data
Tethering
There are also various means for a mobile device to share its cellular data or Wi-Fi connection with other devices
If the user establishes a connection to a corporate network using strong WPA2 security
There is a fairly low risk of eavesdropping or Man-in-the-Middle attacks.
IR sensor
These are used as proximity sensors (to detect when a smartphone is being held to the ear, for instance) and to measure health information (such as heart rate and blood oxygen levels).
IR blaster
This allows the device to interact with an IR receiver and operate a device such as a TV or HVAC monitor as though it were the remote control handset.
Encaspsulation Security Payload (ESP)
This provides confidentiality and authentication by encrypting the packet rather than simply calculating HMAC.
Why might a company invest in device control software that prevents the use of recording devices within company premises?
To hinder physical reconnaissance and espionage.
True or false? A maliciously designed USB battery charger could be used to exploit a mobile device on connection.
True (in theory)—though the vector is known to the mobile OS and handset vendors so the exploit is unlikely to be able to run without user authorization.
The three core features of a TOS is
Trusted Computing Base (TCB), security features and assurance.
Trusted OS Provides
Trusted Computing Base, Security Features, Assurance.
Why is a trusted OS necessary to implement file system access control measures?
Trusted OS means that the OS fully mediates the access control system. If this is not the case, an attacker may be able to bypass the security controls.
Why is it essential to follow a baseline when setting up a system for the first time?
Unless you know where you started, you won't know how far you've come. Security monitoring and accounting largely depends on identifying things that are out-of-the-ordinary. Baselining a system establishes what is normal.
Windows Server Update Services (WSUS)
Update Server for Windows network
Programmable Logic Controller
Updates are supported by the vendor or manufacturer, this firmware can be patched and reprogrammed. The method used to do so must be carefully controlled.
The Microsoft Baseline Security Analyzer
Used on Windows Networks, popularly used to validate the security configuration. It can also be used to scan for weak passwords
Hardware Root of Trust
Used to scan the boot metrics and OS files to verify their signatures, then it signs the report and allows the NAC server to trust it
Most iOS attacks are the same as with any system
Users click malicious links or enter information into phishing sites b
The risks from Wi-Fi come from
Users connecting to open access points or possibly a rogue access point imitating a corporate network.
Pre-compiled packages can be installed
Using various tools
How does VDI work as a mobile deployment model?
Virtual Desktop Infrastructure (VDI) allows a client device to access a VM. In this scenario, the mobile device is the client device. Corporate data is stored and processed on the VM so there is less chance of it being compromised, even though the client device itself is not fully managed.
false negative
When a system incorrectly rejects an action instead of accepting it.
storage segmentation
When the device is used on the enterprise network, a corporate workspace with a defined selection of apps and a separate storage container is created
Whitelisting will inevitably hamper users at some point
Will increase support time and costs.
Exploiting the firmware of external storage devices (i.e. flash drive) can present adversaries
With an incredible toolkit. Firmware can be reprogrammed to make the device look like another device class
Indoor Positioning Systems(IPS)
Work out a device's location by triangulating its proximity to other radio sources
A strong policy for Removable Media Control
Would block access to any storage device without encrypted access controls.
Logs
________ are one of the most valuable sources of security information. they are a record of both authorized and unauthorized uses of a resource or privilege
all traffic
__________ passes through IPS appliances, as it would with proxy servers
nontransparent proxy
a client must be configured with the proxy server address and port number to use it. often configured as port 8080
Kiting
a domain name can be registered for up to five days without paying for it. Kiting means that the name is continually registered, deleted, then re-registered.
Shared Secret
a key known only to the two hosts that want to communicate
Embedded Systems could contain
a microcontroller in an intravenous drip-rate meter or as large and complex as an industrial control system managing a water treatment plant.
collector or Connector
a plug-in code written for the SIEM and will scan and parse each event submitted to the SIEM over the network
Multipurpose Proxy
a proxy configured with filters from multiple protocol types, such as http, ftp, and smtp
Host based firewall(personal)
a software application running on a single host and only protects the host
Linux kernel copies can be found on
a software repository
Intrusion Detection System (IDS)
a system that creates logs of all network traffic that was permitted to pass the firewall and then analyzes those logs for signs of attempted or successful intrusions
Distributed Reflection DoS (amplification attack)
adversary spoofs the victim's IP address and attempts to open connections with multiple servers, sending SYN/ACK responses to the vitim's server, consuming the victim's bandwidth.
zombie
agent PCs
Zone transfer
all the records in a domain
blackhole
an area of the network that cannot reach any other part of the network that helps mitigate DDoS attacks
distributed DoS attacks
attacks are launched from multiple compromised computers
traffic filtering
basic function of a fire wall; Verify all incoming traffic source addresses for validity via a rule based system.
tuples
block or allow traffic based on several parameters
packet denial
block or drop the packet, and optionally log the event
Remote Access VPN (VPN concentrator)
bottom of page 502. didnt really see a defintion
Internal firewalls
can be placed anywhere in the network to filter traffic flows between different security zones
back-end
clustering is used to provide fault tolerance for _________ applications.
Scheduling Algorithms (SA)
code and metrics that determine which node is selected for processing each incoming request.
NAC server
compares the report its stored template of the same metrics and decides whether to grant access or not.
analysis engine
component of HIDS that scans and interprets the traffic captured by the senor or agent with the purpose of identifying suspicious activity
Unified Threat Management (UTM)
comprehensive security management tool that combines multiple security tools, including firewalls, virtual private networks, intrusion detection systems, and web content filtering and anti-spam software
policy server
configures confidentiality rules and policies, log incidents, and compile reports
When a device is privately owned and stores a mix of corporate and personal data, the questions of
data ownership and privacy
rules
defines what type of traffic is allowed to pass through the firewall.
web application firewall (WAF)
designed to protect software running on web servers and their backend databases from code injection and Dos attacks
Firewall
devices used to implement security zones:
load balancer
distributes client requests across available server nodes in a farm or pool; provides fault tolerance and higher throughput
Endpoint Agents
enforce policy on client computers, even when they are not connected to the network
baseline
establishes the expected pattern of operation for a server or network
clustering
fault tolerance of stateful data; data residing on one node (or pool) is made available to another node (or pool) seamlessly and transparently in the event of a node failure.
border firewalls
filter traffic between trusted local network and untrusted external networks
router firewall
firewall that is built into the router firmware
caching engines
frequently requested web pages are retained on the proxy, negating the need to re-fetch the pages for subsequent requests.
Network Time Protocol (NTP) monlist
generates a response containing a list of the last 600 machines that the NTP server has contacted; a way to DNS amplification attack that allows a short request to direct a long response at the victim network
Corporate Owned, Personally-Enabled (COPE)
he device is chosen and supplied by the company and remains its property. The employee may use it to access personal email and social media accounts and for personal web browsing
DNS SEcurity Extensions (DNSSEC)
help to mitigate against spoofing and poisoning attacks by providing a validation process for DNS responses.
Data ownership
how can rights over corporate data be asserted on a device that does not belong to the corporation?
Privacy
how can the corporation inspect and manage a BYOD without intruding on private data and device usage?
Jailbreaking
iOS is more restrictive than Android so the term "jailbreaking" became popular for exploits that enabled the user to obtain root privileges,side load apps, change or add carriers, and customize the interface. iOS jailbreaking is accomplished by booting the device with a patched kernel.
anti-virus scanner or IPS works by...
identifying when processes or scripts are executed and intercepting(or hooking) the call to scan the code first
Packet Filtering
inspects each packet that passes through the firewall and accepts or rejects it based on a set of rules(ACL)
application aware firewall/gateway/stateful multilayer inspection/deep packet inspection
inspects the contents of packets at the application layer, although it cannot examine encrypted data packets
Remote Desktop Protocol (RDP)
is Microsoft protocol for operating remote connections to a windows machine.
Agent
is a process (software or firmware) running on a switch, router, server, other SNMP-compatible network device
INternet Protocol Security (IPSec)
is a set of open, non-proprietary standards that you can use to secure data as it travels across the network or the internet.
Tunneling
is a technology used when the source and destination computers are on the same logical network but connected via different physical network.
Telnet
is a terminal emulation software to support a remote connection to another host.
Simple Network Management (SNMP)
is a widely used framework for management and monitoring. SNMP consists of an SNMP monitor and agents.
CyberSquatting
is an attack where an adversart acquires a domain for a company's trading name or trademark, or perhaps some spelling variation thereof.
OpenVPN
is an open source example pf a TLS VPN
If a company continues to rely on abandonware
it will have to assume development responsibility for it. There are many instances of applications and devices (peripheral devices especially) that remain on sale with serious known vulnerabilities in firmware or drivers and no prospect of vendor support for a fix. The problem is also noticeable in consumer-grade networking appliances and in the Internet of Things (IoT). When provisioning a supplier for applications and devices, it is vital to establish that they have effective security management life cycles for their products.
Source IP/ session affinity
layer 4 approach; when a client establishes a session, it becomes stuck to the node that first accepted the requested via hashing the IP and port information.
packet acceptance
letting the packet pass through the firewall
one feature of___________ and reporting software should be to ______________-.
log analysis; identify trends
access log
logs each connection or request for a resource
Remote access
means that the user's device does not make a direct cabled or wireless connection to the network. The connection occurs over or thorough an intermediate network, usually public wide area network.
Typosquatting
misspelled domains can be profitable depending on the frequency that users enter the misspelled name.
HIDS/HIPS is....
more application specific than NIDS, but is detectable on host, and consumes CPU, memory, and disk-space
___________ is a stateless technique bc the firewall examines each packet in isolation and has no record of the previous packet
packet filtering
sensor
packet sniffer
thresholds
points of reduced or poor performance or change in configuration, compared to the baseline, that generate an administrative alert
web security gateways
primary functions are to prevent viruses or trojans infecting computers from the internet, blocking spam, and restricting web use to authorized sites
Authentication Header (AH)
protocol performs a cryptographic hash on the packet plus a shared secret key (known only to the communicating hosts), adds this HMAC in its header as an integrity Check Value (ICV)
Network-based Intrusion Prevention System (NIPS)
provides active response to any network threats that it matches. This can include ending the TCP session, add a temp filter on the firewall, throttling bandwidth to attacking hosts, and modifying suspect packets.
audit logs/security log
records the use of system privileges
event log
records things that occur within an OS or a software application
TLS VPN
requires a remote access server listening on port 443
circuit-level stateful inspection firewall
resolves stateless issues by maintaining stateful information about the session established between two hosts
firewall, proxy, or content filter is an example of ________________
rule based management
Network agents
scan communications at network borders and interface with web and messaging servers to enforce policy
out-band monitoring
separate cabling infrastructure, or the same cabling with physical switches; provides better security than the opposite.
Network operating system (NOS) firewall
software based firewall running under a network server OS (Windows or Linux) and functions as a proxy
application firewall
software designed to run on a server to protect a particular application only
Linux software is made available both as
source code and pre-compiled applications
reverse proxy server
specific to inbound traffic; placed in front of web servers, reverse proxy servers protect, hide, offload, and distribute access to web servers; can publish applications from corporate network to the internet
appliance firewall
stand-alone hardware firewall that only performs the function of a firewall. can also be a type of network firewall
a packet filtering firewall is _________ because ____________.
stateless; it does not preserve the information about the connection between two hosts
proxy server
store and forward model; deconstructs each packet, performs analysis, then rebuilds the packet and forwards it on (if it conforms to the rules). i.e this is a legit man in the middle
Self-encrypting drives
the cryptographic operations are performed by the drive controller. Uses a Media Encryption Key to encrypt data and stores the MEK securely
behavioral-based detection
the engine is trained to recognize baseline "normal" traffic or events. Anything that deviates formt his basline (outside a define level of tolerance) generates an incident, but does not keep a record of what happened.
Bring Your Own Device (BYOD)
the mobile device is owned by the employee. The mobile will have to meet whatever profile is required by the company (in terms of OS version and functionality) and the employee will have to agree on the installation of corporate apps and to some level of oversight and auditing. Poses the most difficulties for security and network managers
Secure Shall (SSH)
the principal means of obtaining secure remote access to a unix or LINUX server.
analytics
the process of reviewing the events and incidents that trigger IDS/IPS. This is used to ensure that genuine events are being recorded
Tasting
this is the registration of a domain to test how much traffic it generates within the five day grace period; if the domain is not profitable, the registration is never completed.
sinkhole routing
traffic flooding a particular IP address is routed to a different network where it can be analyzed
Security issues with Android
updates often depend on the handset vendor to complete the new version or issue the patch for their flavor of Android. Android OS is more open and there is Android malware, though as with Apple, it is difficult for would-be hackers and spammers to get it into any of the major app repositories. Similarly to iOS, Android is in a sandbox
SOHO internet router/modems
use a router firewall, but wouldn't be supporting any larger session counts
persistance
used to keep a client connected to a session for the purpose of load balancing
in-band monitoring
using the same network as the link being monitored
incident
violation or security policy or standard
trigger
when a threshold is exceeded
State table
where each session is dynamically stored & updated
ingress/egress filtering
whether the firewall can control only inbound traffic or both inbound and outbound traffic.
WORM
write once read many
Compare the features of static and dynamic computing environments to select the accurate statements. (Select two) A. Embedded systems are typically static, while most personal computers are dynamic. B. A dynamic environment is easier to update than a static environment. C. A dynamic environment gives less control to a user than a static environment. D. Dynamic environments are easier to protect in terms of security than static environments.
A. Embedded systems are typically static, while most personal computers are dynamic. B. A dynamic environment is easier to update than a static environment.
A senior system administrator is preparing a training session with junior technicians on Trusted OS (TOS). Analyze the required Common Criteria (CC) in ISO 15408 to determine which core features should be highlighted in the training. (Select two) A. Mandatory access control and an access control model are required for a system to be considered a TOS. B. A system must be tamper-proof, resistant to vulnerabilities and not be able to be bypassed to be considered a TOS. C. A Trusted Computing Base (TCB) includes support for multilevel security such as mandatory access control. D. The three core features of a TOS is a Trusted Computing Base (TCB), security features and assurance.
A. Mandatory access control and an access control model are required for a system to be considered a TOS. D. The three core features of a TOS is a Trusted Computing Base (TCB), security features and assurance.
Select the options that can be configured by Group Policy Objects (GPOs). (Select two) A. Registry settings B. Execution control C. Software deployment D. Baseline deviation
A. Registry settings C. Software deployment
Analyze mobile device deployment models to select the best explanation of the Corporate Owned, Personally-Enabled (COPE) deployment model. A. The employee may use the mobile device to access personal email and social media accounts. The device is chosen and supplied by the company. B. The employee may use the mobile device to access personal email and social media accounts. The device is chosen and supplied by the employee. C. The device is the property of the company and may only be used for company business. D. The employee may use the mobile device to access personal email and social media accounts. The device is chosen by the employee and supplied by the company.
A. The employee may use the mobile device to access personal email and social media accounts. The device is chosen and supplied by the company.
Weak/Misguided security configurations may leave
Administrative access protected with a default account or password that is publicly available, sensitive ports open to the Internet or many more.
Network Access Server (NAS) or Remote Access Server (RAS)
All the major NOs are bundled with software supporting VPN. The functionality is apart of a router or dedicated security appliance, it may be called a VPN concentrator.
Levels of encryption for full device encryption:
All user data on the device is always encrypted but the key is stored on the device.This is primarily used as a means of wiping the device. The OS just needs to deletethe key to make the data inaccessible rather than wiping each storage location. Email data and any apps using the "Data Protection" option are subject to a second round of encryption using a key derived from and protected by the user's passcode (if this is configured). This provides security for data in the event that the device is stolen. Not all user data is encrypted using the "Data Protection" option; contacts, SMS messages, and pictures are not, for example.
Application service ports
Allow client software to connect to applications. Again, these should be closed if remote access is not required. Also, consider that an application may use multiple ports.
Near Field Communications (NFC)
Allows a mobile device to make payments via contactless point-of-sale (PoS) machines.
signature-based detection
Also known as knowledge-based detection or misuse detection, the examination of system or network data in search of patterns that match known attack signatures.
Virtual IP; VIP
An IP address and a specific port number that can be used to reference different physical servers.
What is a UAV?
An Unmanned Aerial Vehicle (UAV) is more popularly referred to as a drone.
Domain Hijacking
An adversary gains control over the registration of a domain name, allowing the host records to be configured ti IP addresses of the attacker's choosing.
Smurf Attack
An attack that broadcasts a ping request to computers yet changes the address so that all responses are sent to the victim.
How might wireless connection methods be used to compromise the security of a mobile device processing corporate data?
An attacker might set up some sort of rogue access point (Wi-Fi) or cell tower(cellular) to perform eavesdropping or Man-in-the-Middle attacks. For Personal Area Network (PAN) range communications, there might be an opportunity for an attacker to run exploit code over the channel.
Why are end-of-life systems and lack of vendor support distinct from one another as vulnerability management challenges?
An end-of-life system is one where the vendor has previously announced a timescale for withdrawing support in terms of providing patches and updates. Lack of vendor support is a situation where the vendor refuses to fix known issues even though the product might remain on sale or where a product is no longer supported because the original vendor or developer in no longer available.
Radio firmware in a mobile device contains
An operating system that is separate from the end-user operating system