Cybersecurity Quiz 2 Reviewer
SCEP
(Simple Certificate Enrollment Protocol)A protocol that provides scalable request and enrollment for digital certificates. • Enrollment process is simplified for users and devices. • Also enables public key distribution, renewal, and CRL queries. • Commonly used in MDM solutions to enroll devices in CA architecture. • Basic process: • MDM solution publishes shared secret to devices. • Devices request certificate from CA using shared secret. • CA verifies shared secret and issues certificate to device. • Devices can now authenticate and securely communicate with other resources. • Vulnerability in spoofing distinguished name. • Device requests certificate using wrong name in directory. • Can enable privilege escalation. • Mitigate by publishing unique shared secret for each device.
BAS
(building automation system) A system that monitors and controls various operational resources in a building Resources include: -Lighting systems -Power systems -Alarms -And more -Resources are networked under a centralized management system -Can save the enterprise time and money -Can help admins make policy-based adjustments to resources -Are still vulnerable to traditional computer-based attacks -BAS may use SNMP, which is vulnerable in multiple ways -Attackers can damage equipment or compromise the entire premises -You must understand the risks involved in implementing a BASE
DPI
(deep packet inspection) The practice of inspecting a packet's payload for malicious or unwanted contents. • Goes beyond surface-level inspection that just looks at headers. • With DPI, you can identify malicious code or attack patterns in network traffic. • Management of traffic with DPI is more granular. • DPI can trigger alerts, reject or allow packets, etc. • Combines firewall with IDS/IPS. • DPI solutions can also examine data flows. • Determines legitimacy of aggregate traffic. • Can enforce data flow policies. • Encryption is a potential roadblock to DPI. • Standard solutions can't make sense of encrypted payloads. • HTTPS inspection gets around encryption limitations. • Intercepts transmissions and re-encrypts data before sending it along. • Essentially a man-in-the-middle proxy.
MDM
(mobile device management) The process of tracking, controlling, and securing the organization's mobile infrastructure. • Typically web-based centralized consoles. • You can enforce security policies on all mobile devices in a network. • Common features: • Pushing out updates. • Enrolling devices. • Enforcing security policy layers on apps. • Locating devices. • Configuring devices with security profiles. • Sending mass push notifications. • Enabling devices to use remote access. • Enabling remote lock/wipe. • Constructing encrypting containers.
Watermarking
- A DRM mechanism that uses steganographic techniques to embed data within media to enforce copyright protection - Platforms can validate a file's authenticity through its watermark - Hidden data may include source and identity info - Examples: Copyright owner, media distributor - Doesn't prevent users from copying data - Can alert distributors to unauthorized use - Example: Watermarked audio file can be traced back to its source - Some tools can remove watermarks
NIPS
- A NIDS that has the additional capability of actively blocking traffic that triggers an alert - Can drop unwanted packets or reset a connection - Differs from firewall, which blocks based on ports and IPs - Place strategically to optimize its effect and reduce network overhead -False positives are more harmful than in a NIDS - Configure NIPS to align with your network's day-to-day traffic
Secure cryptoprocessor
- A SoC that carries out cryptographic operations, often for a larger physical system - Resistant to tampering - Used in TPM
CSP
- A Windows software library that implements Microsoft's CryptoAPI - Developers design apps to call a CSP to perform crypto services - CSP specifies algorithms, key length, digital signature format, etc.
PFS (Perfect Forward Secrecy)
- A characteristic of session encryption that ensures if a key used during a certain session is compromised, it should not affect data previously encrypted by that key. - Without PFS, long-term keys are at risk of exposing all data if compromised - Data previously captured by attackers can be decrypted - Example: Decryption of past HTTPS traffic through compromised web server - Example: Decryption of past emails through compromise of user's device - In PFS, ephemeral keys are not used twice to generate other keys - Attacker will only be able to decrypt one piece of information - Standard in SSH and OTR - Optional in IPSec and TLS - Many TLS-enabled sites fail to incorporate PFS - Minor overhead of PFS does not justify leaving it out
Blockchain
- A concept in which an expanding list of transactional records is secured using cryptography - Each record (block) is hashed - Hash of previous block is added to hash calculation for next block in the chain - Blocks are securely linked; they can validate the integrity of each prior block - Blocks contain timestamps and the actual transaction data - Blockchain is recorded as a digital ledger - Decentralized in a P2P network - Mitigates risks of single point of failure/compromise - Everyone can openly view transactions - Blockchains can fork into different paths - Consensus dictates the trusted path - Examples applications: - Financial transactions - Online voting systems - Identity management systems
Digital Signatures
- A message digest that has been encrypted again with a user's private key - Enabled by asymmetric algorithms - Encrypted hash is attached to message as a digital signature Digital signatures uphold: - Authenticity - Integrity - Non-repudiation Example: Financial institution must validate changes to customer accounts -Request arbiter must verify that contents have not been tampered with - Arbiter must guarantee that sender cannot deny sending the request
Hashing
- A process that transforms plaintext input into an indecipherable fixed-length output and ensures this process cannot be feasibly reversed. - Resulting output is called a hash, hash value, or message digest. - Input can vary in length; hash output is fixed-length - Small changes in input produce significant changes in output - Used in password authentication, digital signatures, and file integrity verification
ECC (Elliptic curve cryptography)
- A public key encryption technique that leverages the algebraic structures of elliptic curves over finite fields - Supports similar levels of security to non-ECC - Uses smaller key sizes that non-ECC - Reduces overhead of storage and transmission of keys - Multiple types of elliptic curces - Curves have different mathematical properties - Example: Curves over prime fields vs. binary fields Curves over prime fields expressed as: - Length of a prime number (p) of elements in the field - NIST recommends P-256, P-384, and P-521 - Differ based on the length of p in the field - Typically, higher number is more secure but slower - NIST curves' security has been called into question due to possible NSA backdoor
Steganography
- A security technique that hides a secret message by enclosing it in an ordinary message - Hides content and its existence - Information is embedded in text, images, or other media - Commonly used in digital watermarking
SIEM
- A solution that provides real-time or near real-time analysis of security alerts generated by network hardware and applications -Can be implemented as hardware, software, or managed services - Enhances incident response capabilities - Aggregates and correlates event data - Can streamline network security administration - Can make log analysis and auditing more productive - Crucial in security breaches where every second counts
UTM
- A system that centralizes various security techniques into a single appliance Can include: -Firewall -Anti-malware -NIDS/NIPS -URL Filtering -And more. - Provides a single console for administrators - Reduces complexity of having discrete systems from different vendors - Streamlines maintenance of network systems - Creates a single point of failure - Can struggle with latency issues
NIDS
- A system that primarily uses passive hardware sensors to monitor traffic on a specific segment of the network - Can send alerts about anomalies or concerns - Cannot analyze encrypted packets - Can be based on one of several analysis techniques - Can monitor traffic on one machine or entire network segments -Should be placed in strategic points within network - Can also be used to detect rogue machines - May cause network bandwidth issues - Can only scan for attacks as they occur (may be too late) - Difficult to separate signal from the noise in network traffic
OCSP (PKI Concept)
- Alternative to CRL - Client requests certificate status; receives a response from server
Key escrow (PKI Concept)
- Alternative to key backups - Enables trusted third party to access keys under certain conditions
Cryptocurrency and Bitcoin
- An alternative digital currency that is secured through the use of cryptography, typically by using a blockchain
S/MIME
- An email-based encryption standard that adds digital signatures and public key cryptography to traditional MIME communications - MIME defines advanced characteristics of email messages - Examples: Send text not using ASCII, send non-text file attachments S/MIME provides assurances of: - Confidentiality - Integrity - Authenticity - Non-repudiation - Built into most modern email clients - Sender and receiver rely on same CA - Supports centralized management - No specific plugins necessary
Cryptographic module
- Any software or hardware solution that implements one or more cryptographic concepts - Can implement different encryption algorithms - Facilitate implementation of algorithms encrypting data
Digital certificate (PKI Concept)
- Associates credentials with a public key - Incorporates digital signatures
Issuance to entities (PKI Concept)
- Automatic vs. manual certificate requests - Using wildcard certificates vs. separate certificates - Certificate lifespan - Private CA vs. public CA (or both)
Physical Access Control Sytems
- BAS can support doors, locks mantraps, biometric scanners, etc. -Automated based on pre-defined policies -If networked, systems can be managed from a central platform -Administrators can instantly allow or deny physical access to personnel -Weak virtual security may weaken physical access controls -Attacker may compromise physical systems by compromising the network
Scientific and Industrial Equipment
- Can be networked for increased ease of management - Can respond to control commands and provide real-time reports - Newer equipment is more likely to support TCP/IP -Equipment is volatile and extremely important to certain operations *Scientific research may be compromised if equipment is compromised *Industrial plants may suffer significant losses if equipment is compromised - Industrial equipment also poses a safety hazard *Attackers may cause physical harm by compromising this equipment.
Interoperability
- Devices from different vendors may not support the same protocols you do - Test devices to discover interoperability issues with encryption
OCSP stapling (PKI Concept)
- Shifts burden of contacting CA to web server - Web server queries OSCP server; sends certificate status to client
HVAC Controllers
- Elements of a BAS that regulate comfort levels in a physical environment - Typically automated to keep an HVAC device within a baseline. *Example: Heating system kicks in if temperature falls below 70 F. -Network HVAC controllers can interface with a BAS for manual operation -Building manager can respond to alerts without being physically present -Susceptible to similar attacks against weak security protocols -Attacker can create an uncomfortable or hazardous work environment -Attacker can damage temperature-sensitive equipment.
Block cipher (Cipher type)
- Encrypts data in blocks, usually 128-bit - Stronger and more secure than stream - Worse performance than stream - Mode of operation defines how plaintext is transformed into repeated blocks - Some ciphers provide integrity assurances
Stream cipher (Cipher type)
- Encrypts data one bit at a time - Relatively fast and requires little overhead - Ciphertext is the same size as plaintext - Produces fewer errors and errors affect only one bit - Doesn't provide integrity assurances
Full disk encryption
- Encrypts entire storage device - Useful for protecting mobile devices that may be lost or stolen - Example product: BitLocker - Block-level encryption works on blocks of data in fixed sizes.
File encryption
- Encrypts individual files and folders - VeraCrypt creates containers to be used as files - EFS encrypts files and folders in Windows NTFS
Guidelines for Implementing Cryptography
- Follow overall proper implementation guidelines - Choose an implementation that upholds design principles - Implement DRM to protect intellectual property - Use watermarking to embed identity information in a file - Keep in mind that DRM/watermarking can be bypassed - Use SSL/TLS for secure web communications - Use SSH to execute commands on a remote host - Implement PGP/GPG to encrypt email, but be aware of extra software needed - Use S/MIME to encrypt email with the use of a CA - Consider using software encryption with hardware encryption of mobile devices
PKI token (PKI Concept)
- Hardware device that stores digital certificates and private keys - Can be USB key fob or smart card
CRL (PKI Concept)
- List of revoked certificates - Server publishes CRL at regular intervals
Performance
- Longer keys typically require more overhead - Asymmetric encryption is typically slower than symmetric
Sensors
- Measure the state of physical phenomena - Report state to other nodes in a network -Can measure: *Temperature *Sound *Air pressure *And more. - Sensors can interface with controllers to inform personnel about an environment -Must be discrete hardware that physically dispersed -Vulnerable to similar threats in a BAS -Attacker can force an emergency alert to go undetected -Attacker can create a false alarm -Sensor firmware is often bare-bones and lacking in security
Sender (PGP and GPG)
- Message encrypted with session key - Session key's encrypted with receiver's public key
Mobile Device Encryption
- Modern mobile devices support hardware encryption - Data on lost/stolen device is inaccessible to anyone without the key - Entire file system and all data is secure - Software encryption available from some apps - Data available to app is encrypted as a second layer of defense - Older devices may not support hardware encryption - Company-owned devices controlled by MDM - Device encryption is commonly enforced through MDM
SSL/TLS
- Network security protocols that employ digital certificates and public key encryption Guarantee: - Authenticity (certificate authorities) - Integrity (MACs) - Confidentiality (shared key) - De facto protocol for protecting HTTP web traffic - CA is a weak point - If it is compromised, the trust relationship is compromised - Internet-facing web servers must rely on public CAs - Intranet-facing web servers can rely on private CAs - Client may ignore warnings about illegitimate certificates - Can lead to man-in-the-middle attacks
Feasibility to implement
- Older systems may not support the latest encryption standards - Certain implementations can be costly, like an internal PKI
Implementing Network Security
- Plan Deployment of Network Security Components and Devices - Plan Deployment of Network-Enabled Devices - Implement Advanced Network Design - Implement Network Security Controls
Hash Function Resistances
- Pre-image - Second pre-image - Collision
SSH
- Protocol used for secure remote access and transfer of data - Consists of a client and server - Implements terminal emulation software for remote login sessions - Entire session is encrypted; prevents eavesdropping - Supports PFS by default - Used on Unix/Linux, requires third party software on Windows - Often used to execute commands on a remote device like a file server or router
PGP and GPG
- Public available email security and authentication utilities that use a variation of public key cryptography to encrypt emails - The sender encrypts the mail contents and then encrypts this key - Encrypted key is sent with email - Receiver decrypts key, then uses this key to decrypt contents - PGP also uses PKI to digitally sign emails for authentication - Requires end-user plugins - May make integration and management difficult - GPG is the open source alternative - Compliant with PGP services - Meets latest IETF standards
Additional Cryptographic Implementations
- Secure cryptoprocessor - Cryptographic module - CSP
Implementing Security Controls for Hosts
- Select Host Hardware and Software - Harden Hosts - Virtualize Servers and Desktops - Protect Boot Loaders
Guidelines for Selecting Cryptographic Techniques
- Select protocols that incorporate transport encryption - Select protocols that incorporate data at rest encryption - Consider implementing data in use encryption techniques - Ensure solutions use strong hash functions that are resistant to attacks - Use MACs to verify message integrity and authenticity - Digitally sign any apps you develop - Implement solutions with key stretching algorithms - Ensure TLS-enabled sites enforce PFS - Consider how blockchain technology can apply to your data integrity needs - Ensure you are selecting the appropriate PKI components for your business needs
Receiver (PGP and GPG)
- Session key decrypted with receiver's private key - Message decrypted with session key
Data in Transit Encryption Protocols
- Some data, by nature, must be encrypted. - Applies to both internal- and external-facing data Protocols: - SSL/TLS for web-based encryption with PKI - SSH for remote session encryption - IPSec for cross-network encryption - WPA/2 for wireless network encryption
Wildcard (PKI Concept)
- Special character that replaces characters in a string - Used to secure all of a website's subdomains
Cryptographic Design Considerations
- Strength - Performance - Feasibility to implement - Interoperability
DRM (Digital rights management)
- Technology that attempts to control how digital content can and cannot be used after it is published - Used to protect copyrighted work from being copied and distributed - Can use encryption to make media inaccessible if a user does not have the key - Often used by companies that publish intellectual property - Can limit customer's ability to share content with others - Example: Music from online store is only playable on certain hardware or software - Prevents user from copying song - May have an expiration date - Can still be bypassed through software or hardware
Strength
- The longer the key, the harder it is to break the encryption - Some algorithms have multiple key length options
Code Signing
- The method of using a digital signature to ensure the source the integrity of programming code - Apps on the Internet are untrusted - Verify author's identity before installing apps - Developer signs the code with their private key - Recipient uses sender's public key to verify signature - Does not prevent attackers from distributing malware - Attacker can get their malicious code signed - Users should install software from only trusted publishers
PRNG (Pseudorandom number generation)
- The process by which an algorithm produces numbers that approximate randomness without being truly random - PRNs are based on an initial seed state - A number that defines the first stage in generation - Seed state is run through a formula to output a PRN - Crypto key generation often uses PRNs - Specialized hardware can generate true randomness from physical phenomena - True randomness is not always practical - PRNG will always produce the same number sequence with the same seed state - Seed state must therefore be truly random - If not, attackers could use the seed to generate compromised keys
Data in Use Encryption
- The process of securing data as it is being processed by the system's CPU or stored temporarily in volatile memory - Encrypting data that's being used requires more novel techniques - Processor may need to read data and keep it private at the same time - Wiping key material from RAM may be insufficient - Attacker may capture memory before it's wiped - Data in use encryption is an emerging field Secure encrypted enclaves: - Software code and data are segmented into memory ranges - Only code in the same range can read the data Homomorphic encryption: - Processor operates on ciphertext as input - Decrypted result is the same as if the processed input were plaintext
Data at Rest Encryption
- The process of securing information that is stored on a medium and is not currently being modified or transferred to another medium. - Full disk encryption - File encryption - Database encryption
Data in Transit Encryption
- The process of securing the delivery of data that is transferred between parties. - Also called transport encryption - Can support confidentiality, integrity, authenticity, non-repudiation of transmissions. - Secure protocols must defend against passive and active attacks - Passive attacks monitor communications to glean information - Example: Eavesdropping on a VOIP call Active attacks can intercept and modify transmission contents. - Example: Man-in-the-middle can tamper with both sides of a transmission - Rogue web/proxy servers can trick users into trusting them.
Key Stretching
- The technique of strengthening weak cryptographic keys against brute force attacks - Original key is run through a stretching algorithm - Increases the time it takes to perform a cryptographic operation - Can be a useful deterrent against brute force cracking - Adds performance overhead Techniques: - Repeatedly looping has functions - Repeatedly looping block ciphers - Configuring cipher's key schedule to increase key setup time
Certificate pinning (PKI Concept)
- Trusts certificates more directly than a CA hierarchy - No need to go up the hierarchy to the root CA.
Issuance to entity subgroups (PKI Concept)
- Users: Short expiration; avoid wildcards - Systems: Long expiration; easier to centrally manage - Applications: Moderate expiration; managed centrally
Patch Management
- can be a manual, automated, or combined process - automation is preferable, but requires some manual work - configure based on the context of each hosts a. mission-critical hosts should be treated differently than non-critical hosts b. misapplied patches can leave hosts vulnerable c. patches may interfere with existing security measures - patch management program might include: a. individuals who subscribe to vendor update newsletters b. review and triage of updates into categories c. offline patch testing environment d. immediate administrative push of important patches e. weekly administrative push of important patches f. replication of patch management processes g. evaluation phase and full rollout phase 1. evaluate 2. test 3. deploy
Standard Operating Environment
- develop a consistent configuration baseline for an OS a. reduces admin effort b. can be used from host to host c. scalable and adaptable to new threats/vulnerabilities - example configuration for a standard environment is to restrict access to apps - whitelist: a. list of apps you specifically allows b. apps not on the list are blocked - blacklist: a. list of apps you specifically blocked b. apps not on the list are allowed - whitelist is preferable
Database encryption
- encrypts a database in whole or in part - Can incorporate data at rest and in transit encryption - Individual records can be encrypted
FDE
- file encryption is viable if specific files on a host need to be protected - FDE has advantages a. esoteric memory and temp files are included b. users/admins don't need to remember the individual files to encrypt c. destroying data is as easy as destroying the key. - FDE increases overhead. a. especially for large or numerous volumes b. TCO may outweigh the need for FDE
Common Shell Restrictions
- most end users don't need to access the command shell a. can end up creating problems - you can restrict access to commands or the entire command shell a. reduces chance of accidents b. reduces attack surface - insecure protocols like Telnet should be inaccessible - guest accounts shouldn't have shell access on public hosts
Firmware Updates
- patch management usually applies to OS/app software - less attention may be paid to firmware updates a. this can have significant consequences on host security. - firmware manages low-level control over hardware a. hardware component can be part of a larger system b. hardware component can be an independent device - vendors and researchers discord flaws in firmware just as other software - consider applying firmware fixes depends on vendor and device - how and when to apply firmware fixes depends on vendor and device a. "Smart" devices may download/install firmware updates automatically b. BIOS updates must be installed manually - may be best to hold off on updating firmware unless absolutely necessary a. can increase the risk of "bricking" a component
Security and Group Policy Implementation
- security policies should focus on individual hosts - group policies can apply security guidelines to many hosts at once - examples: password policies and system auditing policies - group policies help you uphold least privilege for users - end-user training is also important for hardening hosts
Bitcoin mining
- the process of performing calculations to "discover" new blocks to add to the blockchain - Mining is like solving a complex math puzzle - Miners compile transactions into a discovered block and broadcast it to the network - Other nodes validate the block and transactions - New block is added to the main chain if consensus is reached. - Miners are rewarded with bitcoins for their efforts - Parties remain pseudonymous; transaction is open to the world. - Anyone can validate the integrity of the transaction - Bitcoin is often associated with illicit activity - However, it is increasingly accepted by legitimate vendors
SIEM Capabilities
-Aggregation : Combines event data from disparate systems to produce a single vantage point -Correlation: Links common events and data together to form a more complete picture. -Deduplication: Removes redundant entries from a data set to improve efficiency of analysis -Alerting: Automated analysis generates alerts to notify admins under certain conditions -Visibility: Data is combined into a dashboard-style view for a quick, meaningful observation -Compliance: Gathers compliance data to produce reports meeting requirements -Data retention: Stores historical data to facilitate correlation over long periods of time -WORM: Ensures integrity of event data written to a storage medium
SoC
-An electronic device that consolidates the functionality of a CPU, memory module, and peripherals into one component. -Typically found in embedded systems *Everything from home appliances to large industrial equipment -Modern SoCs have built-in encryption engines -Some SoCs include network interfaces *May integrate with Wi-Fi, Ethernet, or both *Provide full TCP/IP IPv4/6 stack *IoT/network-enabled devices can communicate over a network -ARM devices like Android/iOS phones incorporate SoCs -Many network-enabled devices contain SoCs with network interfaces
Guidelines for Planning to Deploy Network Security Components and Devices
-Consider how UTMs make management easier, but create a single point of failure. -Strategically place NIDS for optimal protection and limited network disruption -Investigate how NIPS can impact the network in the event of false positives -Determine how SIEM can help you monitor network appliances -Determine if multiple hosts would benefit from network-attached HSM -Investigate usefulness of application- and protocol-aware security devices -Familiarize yourself with how common network devices can improve security
Network-Attached HSM
-HSMs can provide cryptographic services over networks -Beneficial in large-scale environments with many hosts that need these services -Act as standalone devices -Increase scalability of cryptographic services -Can provide isolated containers for hosts *HSMs act as root of trust for implementations using these containers *Multiple hosts can connect to a single container -Are discrete network devices that network servers connect to
Guidelines for Planning to Deploy Network-Enabled Devices
-Identify protocols used by building automation systems -Identify BAS elements that have a network interface -Identity how HVAC controllers can be used maliciously -Map all networked sensors -Ensure networked sensor firmware is hardened -Put redundant sensors in place -Determine the enterprise's need for networked physical access control systems -Identify access control points and how they can be managed centrally -Assess risks involved in network scientific and industrial equipment -Determine how A/V devices can communicate -Determine if network bandwidth can accommodate IP camera surveillance -Identify how an attacker can spoof or snoop on IP camera surveillance -Integrate SCADA protocols in assets that network with an ICS -Identify other peripheral devices that may be networked
A/V Systems
-TVs, projectors, microphones, speakers, etc., can be networked *Example: Hotel might program lobby TVs over a network -May not carry sensitive information, but should still be part of security governance -Compromised A/V device can still be a headache -Businesses rely on A/V systems in meetings and presentations *Disruption may lead to loss of business - Internet-connected devices like smart TVs increase the attack surface
Additional Mobile Device Security Concerns
1. Android fragmentation • Manufactured devices are unable to update to latest OS versions. • Many different users running many different versions of Android. • Some can't install new apps, benefit from security improvements, etc. • More difficult to manage fragmented workforce. • Android is much more fragmented than iOS. 2. Application permissions • Mobile apps must ask permission to access sensitive resources. • Example: App asking for device's location. • User can accept or deny permission. • Modern OSes ask for permission at runtime. • Older versions of Android ask at install only, limiting granularity. 3. Geotagging • Actively adding geographical metadata to an app or data. • Media can include photos, video, texts, etc. • Geotags can reveal where a user or device is. • If location must be kept private, this can be a risk. 4. Unauthorized network bridging • Connecting two networks together to function as one. • Example: Laptop has one Ethernet adapter, one Wi-Fi. • Ethernet connects to corporate network, Wi-Fi to public hotspot next door. • If adapters are bridged, insecure Wi-Fi traffic can hit the corporate network. • Corporate policies can't be applied to Wi-Fi that isn't under its control. 5. Baseband processor • Mobile device component that handles radio frequency communication. • Handles cellular communications, not Wi-Fi/Bluetooth. • Typically uses proprietary firmware—difficult to audit. • Some firmware is vulnerable to remote access/back doors. 6. Augmented reality • Technology that modifies view of physical reality to enhance its elements. • Elements are augmented, like more prominent visuals or sounds. • Portable and attached to user. • Always recording user's immediate physical environment. • Can raise security/privacy issues in private/confidential locations. • Can also immediately call up personal information easier than usual.
Wearable Technology Security Concerns
1. Physical reconnaissance • Wearables with cameras can make reconnaissance easier. • Attacker doesn't need to remember or write down what they see. 2. Unauthorized remote activation/deactivatioN • Wearables with network connections can be controlled remotely. • Presents a serious risk with medical devices. 3. Unencrypted communications • Wearables may lack transport encryption. • Attacker can sniff and read sensitive traffic. 4. Personal data theft • Wearables may also lack storage encryption. • Stolen devices can reveal confidential information. 5. Health privacy • Fitness/medical devices can provide a holistic view of a person's health. • Health data used by wearables must remain confidential. 6. Digital forensics • Forensics as a discipline is less mature when it comes to wearables. • Consider the impact of wearables on your forensic policies/procedures.
Wearable Technology
1. Smartwatches: • Can run operating systems and a variety of apps. • Incorporate touchscreens and network connectivity. 2. Fitness devices: • Monitor user's physical fitness metrics. • More specialized than a smartwatch, but similar form factor. 3. Medical devices: • More sophisticated ways to monitor user's health. • Can incorporate network connectivity to alert personnel to problems. 4. HMDs: • Advanced headsets with optical sensors/cameras for one or both eyes. • Variety of applications in many industries. 5. Smartglasses: • HMD that enables user to see through lens portion like normal glasses. • Project digital image in user's field of vision or create augmented reality.
Mobile Device Authentication
1. Swipe pattern • Basic and insecure. • User traces finger over a set of objects like dots in correct order. • Patterns may have few dots and few possible ways to connect them. 2. Gesture • Similar to swipe, but has more types of motion. • Hold, double-tap, pinch, rotate, etc. • Less predictable pattern, but still a limited number of gestures. 3. PIN • Harder to guess than swipe pattern and gesture. • Like a traditional password, but you're limited to numbers. • Difficult to memorize long numbers, so users often choose short ones. 4. Biometrics • Facial recognition, fingerprint scans, iris scans, etc. • Facial recognition can be inaccurate. • Fingerprint and iris scans are usually more accurate. • Accuracy and security depend on the technology being used.
IP Video
A device that is used for surveillance of an area and actively transmits data to and from networks like the internet -Different than CCTV, which has a limited transmission area -Can encrypt payloads to ensure confidentiality and integrity of signals -Can be monitored from anywhere with Internet access -Can accept multiple remote commands -May be a drain on bandwidth -Lack of encryption may lead to snooping/man-in-the-middle attacks -Wireless devices are at greater risk -Leaving default credentials enabled is also a risk *Attackers can connect over the Internet using HTTP
Network Segmentation with VLANs
A method of logically segmenting nodes in a network from other portions of the network. • Enables you to group hosts based on factors like: • Who accesses them. • How often they are accessed. • The role they play in the business. • And more. • Segmentation can delay an attacker through defense in depth. • If every host is on the same LAN, a compromise of one host can easily spread. • Segmenting with VLANs can halt the spread of an attack. • Example: One VLAN has web servers, another has transactional databases. • A Dos against the web servers won't necessarily affect the database VLAN. • Separating critical assets in VLANs mitigates wide-reaching attacks on the network.
SDN
A networking approach that separates systems that control where traffic is sent from systems that actually forward this traffic to its destination. • Enables admins to directly program control systems. • Admins can more easily manage flow and logistics of the network. • SDN architecture is flexible and scalable. • Provides a more complete picture of a network. • Admins can quickly respond to breaches or adapt network to evolving needs. • Centralized control can open network up to greater risk of Dos. • If attacker compromises controller, they will have significant privileges. • Connection between controller and forwarders must be secured. • Example: Use SSL/TLS.
DMZ
A small section of an internal network that is located behind one firewall or between two firewalls and made available for public access. • Enables external clients to access data on public systems. • Clients can't compromise the rest of the private network. • Two-firewall scheme is more secure. • Best used to protect assets that are heavily accessed from the outside, including: • Web servers. • DNS servers. • Remote access servers. • FTP servers. • Example: Customer accesses website through certain ports. • Irrelevant ports are blocked. • Internal router prevents customer's traffic from reaching the LAN. • Customer can access website, nothing more.
Remote Wiping
A technique that removes data from a mobile device when you are not in physical possession of said device. • Feature of most MDM solutions. • Addresses problems of device loss/theft. • Device contains sensitive data that shouldn't fall into the wrong hands. • Admin can wipe a device from their console. • Standard wiping removes all data from phone's storage. • Some wiping can also remove SD card data. • If containerization is enabled, the wipe can be more precise. • Only wipes corporate-owned data. • Personal data is retained. • Successful wiping demands strong backup procedures. • Wiping without a backup can mean you lose data permanently.
Tokenization
A technique that replaces a payment method with a token that represents that payment method. • The card you associate with a wallet app isn't stored directly on the device. • The bank creates a random number tied to this card. • The random number is sent to the app for it to use in transactions. • Some apps also support dynamic codes for each transaction. • You can authorize transactions through a PIN, biometrics, etc. • A thief can't extract payment details and use it outside the app. • Authentication can stop attacker from using the app, too. • Data is also protected if intercepted in transit. • Greatly reduces risks of using mobile wallets and other methods. • Used by Apple Pay, Google Wallet, and Samsung Pay.
SCADA
A type of ICS that supports critical infrastructure utilities by sending remote control signals to industrial assets used by these utilities -Also receives information about the state of assets *Can be used to troubleshoot problems *Example: Engineer receives data about pressure and volume of a water tank -Original SCADA systems were isolated from the network. *Not designed with security in mind -Newer SCADA systems can interface with TCP/IP -SCADA systems use unique protocols for communication and control *You must assess and integrate these protocols into the wider network
Mesh Networks
A type of network topology in which all nodes are directly connected to all other nodes. • Every node is a relay to all other nodes. • Much more common in wireless networks. • Rest of nodes fall back on a secondary routing path if one node is down. • Data transfer is not interrupted. • Each node carries its own weight. • Keeps network highly available. • Nodes have dedicated lines; don't need to be switched. • Traffic more reliably reaches its intended destination only. • Very costly and difficult to administer. • May require each node to install software.
Network ACLS
An access control mechanism that specifies which objects on a network have which permissions. • Routers and switches can deny access to resources. • Can apply to incoming or outgoing traffic. • Can apply to IP address or port number. • Similar to a firewall, but: • Less complex. • Place less strain on the network. • Place ACLs on devices that communicate with external networks. • Helps protect the network against malicious or untrusted traffic. • Helps secure vulnerable ports.
Remotely Triggered Black Hole
An advanced black hole routing technique that alters routing tables to mitigate DDoS traffic while minimizing collateral damage. • Destination-based: • Trigger router has a static route with an unused IP address. • Trigger has BGP peering relationship with edge routers. • Admin sends trigger's static route as an update to edge routers. • Edge routing tables point unused IP address to nullo. • Static route is next hop after attack target. • Edge routers forward traffic meant for target to nullo (dropped). • After attack, admin removes static route from trigger, which updates edge routers. • Legitimate traffic bound for target is also dropped. • Source-based: • Mitigates collateral damage if source IP address is known. • Next hop for traffic with malicious source IP address points to nullo. • Traffic from source is dropped, legitimate traffic is allowed. • Also uses static routes updated through BGP.
Network Data Flow
Attackers can disrupt the flow of data or use it to hide their actions. • Implement complex network security solutions for data flow. • Sensors and monitors can capture size and frequency of transmitted packets. • Monitors can record transmissions on host-by-host level. • You can analyze and pinpoint the source and destination of incident data. • Flow can also help you detect baseline deviations. • Construct data flow diagrams to help you see traffic flows. • Diagrams map movement of data as it traverses systems and users. • Understand how nodes interact with each other. • Easily pinpoint vulnerabilities and breakdowns in communication. • Can be as high-level or low-level as you want. • Enhance visual language of diagrams to make them easier to digest.
Mobile Deployment Models
Corporate-owned • Organization is sole owner of devices and has full management control. • Most secure. • May be too strict to be feasible. BYOD • Bring your own device—employees own and manage personal devices. • Becoming increasingly common. • Introduces security issues with new risks and questions of ownership. CYOD • Choose your own device—employees choose from a vetted list of devices. • Employee still in control of device. • Tries to mitigate BYOD vulnerabilities but not be too strict. COPE • Corporate-owned, personally enabled. • Employees can still use devices for personal reasons. • Organization still has some control, which can prompt privacy concerns. VMI • Virtual mobile infrastructure—similar to VDI but for mobile OSes. • Employees connect to VMs running mobile OSes. • Organization retains control during work; employee regains control after work.
Critical Infrastructure and Industrial Control Systems
Critical infrastructure: Resources that, if damaged or destroyed, would cause significant negative impact to a society. -Economy, public health and safety, and security of society at large -Example assets: *Water supplies *Electricity generators *Food producers *Health services *Transportation services *Telecommunication services *Security and defense services Industrial control systems: Networked systems that support communications between critical infrastructure assets.
802.1X Design
Entities can only attach to the network if they're authenticated. • Especially crucial for wireless networks. • 802.1X can help you block unwanted or unknown entities. • Considerations for deployment: • Ensure EAP method chosen aligns with your security requirements. • Consider authentication requirements of different EAP methods. • Not all EAP methods are supported by all supplicants/authentication servers. • Multiple endpoints shouldn't authenticate to a single port. • Maintain failover VLAN if authentication server is unavailable. • Enable accounting for relevant information.
IMA
Integrity Measurement Architecture: a TPM-based method of verifying trusted computing - open source Linux subsystem - works with OS kernel to measure a file before it is loaded. - measurement is hashed and stored - TPM validates hash against expected values - if there's no match, the file cannot execute - identifies integrity violations - protects trusted pool from compromise
Pre-image
Message digest -> Hash Function - X (Secret)
Push Notifications
Messages initiated and sent by a central server to multiple entities under its control. • In MDM, push notification services deploy messages to mobile devices. • Messages can be delivered using one of several protocols/apps. • Might be sent from server to agent software using in-band channel like SSL/TLS. • Might be sent using out-of-band channel like SMS. • Purpose is to ensure personnel are aware of issues or changes. • Example: Admin sees increased phishing success. • Mobile users are falling victim. • Admin sends notification to all devices. • Notification informs users about the threat. • Notification triggers device's ringtone/vibration mechanism. • User more likely to receive notification.
Resource Placement in the Network
Network is often divided into internal and external resources. • Perimeter is in between and comprises one or more devices. • Defense in depth requires security defenses placed inside the network as well. • Fixed devices: • Stationary devices like routers, switches, servers, workstations, etc. • Placement depends on device's function. • Physical and virtual location are easier to link. • Mobile devices: • Devices that are constantly moving. • Can't hook a smartphone into a switch to put it on a subnet. • MDM controls can segment devices on the wireless network. • Physical topology must be secured as well. • Virtual configurations are pointless if a thief can just steal a device. • Place hardware in physical locations where access is controlled and monitored. • Virtual resources may need to be physically distributed.
Mobile Device Storage
Non-removable storage • Storage space is integral to device. • Configuration and temporary data from apps is often placed here. • Can also store sensitive data. • Anyone with physical access can read the data. Removable storage • Storage space that is not integral to device. • SD cards, USB drives, etc. • Portable and doesn't require device to be read. • Apps writing to removable storage is discouraged. Cloud storage • Data synchronization can mitigate effects of lost/stolen • device/storage. • Automatic authentication/synchronization can be a risk. • Data in transmit must be encrypted. Uncontrolled storage • Personal cloud, rogue device, unauthorized file server, etc. • Corporate-owned data won't adhere to security policy. • You must restrict where corporate data is stored.
host vulnerabilites
OS vulnerabilities: - programming flaws enabling privilege escalation - excessive or improperly assigned file sharing permissions - inadequate anti-malware protections - unpatched kernel and system files - poorly configured firewall - weak or non-existent data encryption - poor management of third-party/untrusted apps and services - poorly configured user authentication and group policies - support for obsolete/insecure networking protocols - poor performance leading to availability issues hardware, firmware, and apps are also vulnerable and need hardening
Cryptographic Implementations
Proper Implementation: - Choose a strong industry-standard scheme like AES or RSA - Use algorithms with strong key lengths, like 128-bit (symmetric) and 2,048-bit (asymmetric) - Store keys in management systems - Regulate access to management systems - Employ PFS in asymmetric encryption - Ensure encryption covers all areas of enterprise - Weigh benefits with cost of encryption Improper implementations: - Choose an obsolete scheme like DES - Use algorithms with weak key lengths, like 56-bit (symmetric) and 1,024-bit (asymmetric) - Store data in insecure and easily accessible locations - Fail to account for increased cost and overhead - Employ encryption in only some areas of the enterprise
Rooting and Jailbreaking
Rooting: The process of enabling root privileges on an Android device. Jailbreaking: The process of removing software restrictions on an iOS device. • Rooting enables user to gain complete control over device. • Jailbreaking enables user to run apps not downloaded from the App Store. • Malware on a rooted phone can gain greater levels of privilege and access. • Corporate owned-resources are at risk. • Example: Malware accessing another app's session cookies. • Rooting process can "brick" a device. • Jailbroken device can run malicious software. • Can monitor device activity. • Can harvest credentials.
Additional Networking Components
Router: ACLs filter traffic and drop packets from untrusted sources Switch: Support port security, flood guards, and loop protection Proxy: Controls internal traffic heading outbound or vice versa Firewall: Denies or allows traffic based on simple pre-defined rules Load balancer: Supports availability of servers and mitigates effects of DoS WLAN controller: Enables easy application of security configuration to WAPs
Collision
Secret -> Hash Function -> Message digest cAsP18 -> Hash Function -> X (Message digest)
Second pre-image
Secret -> Hash Function -> X (Message digest)
OTAP
The ability to wirelessly push software updates and configurations to mobile devices in a centralized, on-demand fashion. • Every device in an OTAP channel must accept changes. • Otherwise, device may be removed from channel. • Streamlines application of security policies to enterprise mobile devices. • Deployment is quick. • Deployment doesn't require a physical connection. • Usually deployed over SMS. • SMS messages interface with device's SIM card.
NAC
The collected protocols, policies, and hardware that govern access on device network interconnections. • Can be implemented as software or hardware devices. • Scan systems for compliance and initiate remediation techniques. • Quarantine is one remediation path. • Devices not meeting standards are routed to VLAN jails. • Device is kept in a controlled environment. • NACs provide access to devices after a health check. • Health check can be agent-based or agentless. • Agents can be permanent or dissolvable. • Deploy NAC policy based: • Authentication method. • Endpoint vulnerability assessment. • Network security enforcement.
Configuration Lockdown
The practice of preventing system configurations from being modified in certain ways once they are in place. • If any user can reconfigure a baseline, the baseline is unreliable. • Lockdown protects the integrity of the baseline. • Prevents undesired actions from compromising the state of the network. • Doesn't just defend against malicious actions, but accidents as well. • Admins are people and therefore make mistakes.
Mobile Containerization
The practice of segmenting corporate-owned resources from personally owned resources on a device. • Each resource domain is placed in a separate container. • Each container runs OS/apps independently. • Prevents processes in one container from accessing another. • Tries to solve data ownership issues. • Enterprise can encrypt corporate container, leaving personal data unaffected. • Enterprise can wipe data in corporate container, leaving personal data intact.• Data ownership is more flexible. • Data ownership is more flexible. • You can apply more granular security policies. • Sometimes called personally owned, corporate enabled.
Application Wrapping
The process of adding a layer of control over one or more apps on a device. • Enforces security policy rather than relying on the apps' own security. • Wrapper can: • Apply to an app to force users to authenticate. • Restrict how data is handled through an app. • Restrict functionality like API calls. • Wrapping layer intercepts system/API calls. • Wrapping layer handles calls based on defined policy. • Used in containerization. • Creates container by applying policy to groups of apps. • Isolates apps from system and other containers.
Tethering
The process of sharing a wireless Internet connection with multiple devices. • Example: User connects phone to laptop when Wi-Fi isn't available. • Laptop shares phone's cellular connection. • Can be enabled through USB, Bluetooth, etc. • Newer Bluetooth versions support tethering better. • Version 3.0 made some improvements to power consumption. • Version 4.0 introduced low energy mode. • Version 4.1 supports power scaling and coexistence with 4G LTE. • Tethering can alleviate issues in densely populated areas. • Many devices, all communicating across the same frequency range. • Spectrum management optimizes radio frequency spectrum for use. • Tethers a device hotspot to many "slave" devices (a cluster). • Multiple clusters better maximize spectrum use. • Enables more devices to connect with fewer issues.
Change Monitoring
The process of watching a system for any alterations to a baseline, and then logging, auditing, and alerting the proper personnel to this change. • Example: Change monitor detects a rogue AP. • Analyzes event and determines course of action. • May just send an alert for you to deal with manually. • Prevents subtle threats from going undetected. • Helps you keep sight of your network's evolution over time.
Network Device Configuration
Transport security: • TLS can be used in VPNs. • SSH can be used to remotely access network devices. Port Security: • Deny access to switch ports based on MAC address of device. • Switch won't forward packets if originating from MAC address. Trunking security: • Trunk carries data from multiple VLANs and connects two switches. • Attackers can hop across VLANs using the trunk. • Disable DTP and explicitly configure access ports. Route protection: • Ensures there is an available path between routers for data delivery. • Route may be blocked due to Dos or upstream failure. DDoS protection: • Switches have flood guards to protect against SYN/ping flood. • Switches can also protect against loops. • Black hole routing sends traffic to a non-existent host (null0). • Protects against DDoS. • Black holes may inflict collateral damage.
Application- and Protocol-Aware Technologies
WAF: -implement firewall functionality on web app itself -can control traffic that does not meet standard firewall policy. NGFW: -operate at application layer and protocol stack -can use deep packet inspection to detect traffic at a higher level IPs: -Some IPSes can analyze app/protocol behavior -Can block malicious activity while reducing false positives Passive vulnerability scanners: -some scanners can report on app/protocol information -can provide a more complete picture of network vulnerabilities DAM: -runs independently from database -monitors and reports on database like user authentication
HSM
a physical device that enforces encryption and access control capabilities in a computer - plugged into a computer - prevents execution of programs that tamper with computer. - can log action, trigger alarms, or lock down system - verifies integrity through MACs. a. HSM secures key used to construct MAC. b. Secure key management is important. - often come with standardized interfaces. - can also act as a key generator/container for CAs - can take on key generation for SSL/TLS - can support scalability through clustering and load balancing - can be expensive
HSM
a physical device that enforces encryption and access control capabilities in a computer. - plugged into a computer - prevents execution of programs that tamper with computer. - can log action, trigger alarms, or lock down system. - verifies integrity through MACs. a. HSM secures key used to construct MAX. b. Secure key management is important. - often come with standardized interfaces. - can also act as a key generator/container for CAs. - can take on key generation for SSL/TLS. - can support scalability through clustering and load balancing. - can be expensive.
BIOS
a standard for firmware interfaces that is stored on a computer motherboard's ROM chip - BIOS firmware is run first wen computer is powered on. - test hardware components and runs boot loader to start OS. - enables users to apply system-level changes outside of the OS. - was the dominant standard in the computer industry for several decades
VDI
a type of virtualization that separates a personal computing environment from the user's physical machine. - desktop OSes and apps are run inside VMs. - VMs hosted on servers in virtualization infrastructure - deployment models: a. hosted: on demand desktop services from third party b. centralized: VM images stored and provisioned centrally. c. synchronized: user can work with VDE offline.
Container-Based Virtualization
a virtualization method in which a physical host runs its own OS, and on that OS are individual containers that run isolated systems. - also called operating system-level virtualization. - more efficient at managing resources that type 1 or 2 hypervisors. - guest doesn't install OS. a. OS on host provisions resources for all containers. - containers must use same OS as host. - containers can't directly interface with one another a. a compromise of one container won't spread to another - like type 2 hypervisors, the host OS is an attack surface
Peripheral Restrictions
a. USB - most common peripheral communications protocol. - used as a vector for data exfiltration and spread malware. - susceptible to BadUSB firmware attack. - encrypt data to defend against exfiltration. - restrict employee use of thumb drives when possible. b. SD - portable memory card format. - desktops extend SD support through card readers. - can be an attack vector like USB. - only allow SD readers when absolutely necessary. c. HDMI - format for HD audio/video transmission. - restrict port access to systems that don't need output. - prevent accidental or malicious leaking of audio/visual data. d. External storage devices - not always feasible to completely restrict external storage drives. - consider how drive mounting reveals metadata. - consider how drive mapping can lead to network share compromise. e. A/V recording devices - includes webcams, mics, scanners, etc. - can record private or sensitive information. - policies should dictate when and how to use A/V input devices.
VM Vulnerabilities
a. VM escape - attacker executes code in a VM to interact directly with hypervisor - can give attacker access to host OS and all running VMs. b. Privilege elevation - attacker exploits flaws to gain higher-level privileges - may be able to access host machine and all running VMs. c. Live VM migration - migrating VMs from one host to another with limited availability impact - attackers may migrate VM to their machine - attackers may migrate VM to victim machine in a DoS attack d. Data remnants - leftover data after basic removal attempts - deleting data on VM doesn't guarantee it's deleted from physical host - often a concern during VM de-provisioning process
Endpoint Security Software
a. anti-malware: - uses different methods to scan for and remove known or potential malware. - antivirus stops viruses, worms, Trojan horses, etc., at the host level. - anti-spyware removes spyware that hides itself well. b. spam filters - can be placed on a host as a second layer of defense. - use source blacklisting and content pattern recognition to detect spam. - spam is more than a nuisance; often contains destructive malware. c. patch management - monitors, obtains, evaluates, tests, and deploys software updates. - increase in vulnerabilities makes it difficult to manage patches manually. - patch managers ensure a host is always receiving the latest security fixes. d. HIPS/HIDS - monitors a system for unwanted behavior. - examines system resources to see if components are behaving appropriately - HIDS just sends alerts; HIPS actively responds to a threat e. DLP - prevents data from being stolen or falling into the wrong hands. - monitors and blocks data from being copied or destroyed. - protects data that is outbound from a system f. host-based firewalls - protect the host itself from certain network traffic - enable more granular protection beyond a network firewall - can prevent inbound malware from reaching the system g. EDR - provides greater insights into advanced security threats that use endpoints - monitors activity and sends tit to a database to be analyzed - can respond as necessary after analysis h. log monitoring - logs can be overwhelming for human reviewers - automates review process to look for unwanted behavior - doesn't analyze runtime behaviors; just recorded output after-the-fact
Security Implications of VDI
advantages: - simplified desktop provisioning/administration - simplified security and data protection - easier to provide secure remote access to desktop environments - lower cost of deploying new apps. - reduce downtime in event of hardware failure. disadvantages: - added risk if network is not managed properly - challenging to support peripheral devices - difficult to support media-rich apps - added complexity of building/managing VDEs. - lost productivity due to network interruption
vTPM
an extension of TPM functionality to software running in a virtual machine on a host with TPM hardware - VMs can take advantage of cryptographic functions on the software level. - vTPM instances are tied to corresponding VMs. a. If VM migrates, so too should vTPM instance. b. vTPM instance retains confidentiality and integrity of data. - vTPMs can establish chains of trust from physical to virtual TPM. - Software may need to differentiate between real and virtual TPM. a. if not, key/certificate signing may not be validated
Secure Boot
an optional UEFI feature that prevents unwanted code from executing during the boot operation - code must be signed with a valid digital signature - if the signature can't be validated, the code won't be loaded a. malware likely won't have a valid signature - valid signatures are stored in a database in memory - may constrain your ability to customize boot operations - in some cases, hosts running BIOS alongside UEFI can disable secure boot - secure boot supported by Windows 10, Server 2016, and some Linux distributions
Peripherals
any device that connects to a host computer but is not considered a fundamental part of it. - includes: a. input devices like mouse and keyboard b. output devices like monitors and speakers c. external storage media like USB thumb drives - can be abused by attackers - example: remote server doesn't need a mouse, keyboard, or monitor a. admin remotes into server from their own computer b. defends against attackers with physical access - be careful with how you treat host peripherals
Application Delivery Services
application streaming: the process of continually providing only the application resources that a thin client needs. - apps typically run from a networked VM or container - streaming process is centralized independent from client - increases efficiency - client only gets what it needs - alleviates storage burden on client - ensures app streaming is done through encrypted channels - network infrastructure must be able to handle streaming workload.
Out-of-Band Management
communication that operates outside of normal channels - example: Out-of-band NIC can send/receive data separate from normal networking - NICs, ACLs, and management and data interface can all be out-of-band - Out-of-band functionality: a. reset host if main channel fails b. reboot host that is shut down c. reinstall host OS d. mount physical media e. access host's BIOS/UEFI f. monitor hardware components - mitigates impact of attacker compromising main channel
Hyperconverged Infrastructure
converged infrastructure: the practice of centralizing the major components of enterprise IT into a single, unified infrastructure. a. components include servers, networking, storage, etc. b. resources are pooled and shared among components. c. streamlines management and optimizes performance. hyperconverged infrastructure: similar to CI, but virtualizes all IT components instead of relying on physical systems. a. IT components are fully implemented/controlled through software. b. Components in HCI are even more tightly integrated. c. Consolidates attack surface and creates single point of failure. d. Security implementations are homogenized. e. Attacker who gains root access may gain control over everything.
Endpoint Security
endpoint: any host that is exposed to another host in communication channel. - can refer to: a. workstations b. servers c. storage devices d. and more - unauthorized endpoint access is a major concern - endpoint security software allows authorized devices to connect to a network - endpoint security software addresses threats and vulnerabilities
UEFI
firmware that is meant to replace BIOS as the standard firmware interface for computing environments advantages over BIOS: a. runs faster b. operates within greater amount of memory c. can access disk drives of much larger sizes d. can access more hardware types BIOS is vulnerable to rootkit attacks a. can grant elevated privileges to attacker b. can enable attacker to read physical memory c. can enable attacker to take control of system before OS is boosted. d. can enable attacker to corrupt BIOS chip UEFI addresses BIOS risks by implementing secure boot
TPM
hardware-based encryption specification that allows secure cryptoprocessors to generate cryptographic keys. - used to: a. authenticate hardware b. encrypt disks. c. enforce DRM. d. other encryption-enabled applications. - can be used in full disk encryption apps like BitLocker. - major PC manufacturers provide TPM-integrated microprocessors.
Hypervisors
the layer of software that separates the virtual software from the physical hardware it runs on. - manage resources on host and provide them to guests. - can run multiple guests on one host efficiently. - type 1: a. runs on bare metal b. relatively fast. c. less attack surface. - type 2: a. run as app on top of host OS b. slower than type 1. c. adds a new attack surface.
Attestation
the process of enabling a TPM to report the result of its trusted computing tasks for verification - tasks can include secure boot, measured launch, key generation, etc. - tasks are validated by attestation services a. ensures no tampering has occurred. - example: TPM takes hash of boot loader a. sends to attestation service to verify integrity - example: entity requests a certificate from CA a. attestation service validates private key was generate by TPM.
Measured Launch
the process of measuring and validating a boot environment's factors to determine if it meets expected measurements. - TCG and TXT implement measured launch - measurements can be app code, system configurations, memory state, etc. - if measurements don't meet pre-defined policy, the host is marked as untrusted. - untrusted hosts are removed from the trusted pool - protects against integrity violations - can certify security of host BIOS or hypervisor - measurements are hashed and placed in special registers a. prevents tampering b. forms a chain of trust
Terminal Service
thin client: a client that connects to a server while using minimal hardware - thin client offload processing workload to the server - terminal emulator emulates user input functions - emulated terminal provides thin client with a remote interface - common means of remotely accessing VMs. - terminal emulators must use secure protocols a. avoid unencrypted protocols like Telnet. b. use encrypted protocols like SSH. c. prevent against man-in-the-middle attacks.
Trusted OS
trusted US: an OS that security professionals have determined meets a certain standard based on the Common Criteria (CC). CC: a set of standards developed by a group of governments working together to create a baseline of security assurance for a product. EAL: a numerical system that rates the security level of technologies and services with respect to the Common Criteria standards. - OS isolates resources and services from apps that run on the OS. - apps only have access to functionality they absolutely need. - levels of access categorized by roles. - delegates users and groups based on least privilege. - implement trusted OSes when your systems need to support highly confidential data.
Virtualization Platforms
virtualization: the process of creating a simulated environment of computing technology that already exists in its actual form. - Hardware/VM platforms: a. Hyper-V b. VMware ESXi c. Oracle VM VirtualBox - Operating system-level/container-based platform: a. Docker b. Solaris Containers c. LXD - Application platforms: a. App-V b. VMware ThinApp c. XenApp
Hardware Anti-tampering
• Attacker can bypass system/software controls at lower level. • Example: Attacker accesses device's firmware. • Downgrades firmware to exploit older vulnerability. • eFuse can change the logic of a chip during operation. • Typically, chips have hard-coded logic. • Meant to mitigate performance issues. • Fuse is "tripped" to reroute logic more optimally. • eFuse can prevent firmware downgrading. • Fuse is tripped after every update. • Device expects certain number of fuses for a specific version. • Can't go back to an older version because too many fuses have been tripped. • Example: Version 5.0 expects 3 fuses tripped, 5.1 expects 4. • Going from 5.1 to 5.0 is blocked because 3 is expected, but 4 have already been tripped.
Network Authentication
• Authentication methods are an important component of network design. • Not one best solution for all situations. • Business needs dictate the best solutions. • Username/password may be sufficient for small businesses, but not larger ones. • Multi-factor authentication is effective in many situations. • Example: Users connecting to Wi-Fi must present username/password and smart card. • Mitigates risk of attacker compromising a single factor and accessing the network. • Mutual authentication through ticketing system is also effective. • Example: Kerberos. • Server and client require equal trust relationship.
Context-Aware Management
• Basic security restrictions: • Example: Prevent download/install of untrusted apps. • Mobile OS and hardware environment influence restrictions. • Geolocation: • Identify where in the world a device is located. • Use to apply policies like geofencing. • Geofencing creates a virtual boundary. • Time-based restrictions: • Disable functionality outside of designated hours. • Example: Restrict device usage during non-work hours/weekend. • User behavior: • Identify behavior that deviates from the norm. • Example: User accesses one app every day. • One day, user accesses an unknown app instead. • MDM policies can then apply.
Network Baselining
• Before implementing controls, capture the state of your network. • Baselining sets security standards that your assets need to meet. • Like hosts, apps, etc., networks will benefit from baselining. • Without a baseline, the network is more vulnerable to new and unknown threats. • Implement secure configurations and baselining of network components.
Unauthorized Apps
• Can bring risk to the organization, even if not overtly malicious. • Native OS security provides some protection. • Rooting/jailbreaking can undo these protections. • On Android, no rooting is necessary to install unauthorized apps. • Sideloading directly installs app package on a device, bypassing the app store. • App stores like Google Play vet the security of an app. • Sideloaded apps aren't vetted. • Unsigned apps can also be sideloaded. • Code signing supports authenticity. • Requires an option to be enabled in settings. • Sideloaded apps are usually placed in a user context. • Limits ability to cause damage. • Rooted devices can sideload apps in a system context. • Increases privileges and ability to cause damage.
Guidelines for Implementing MDM
• Choose an MDM solution that fulfills your business needs. • Choose a mobile deployment model that suits your needs and infrastructure. • Implement containerization to segment corporate-owned data from private data. • Apply encryption and other security policies to containerized corporate data. • Implement application wrapping for more granular control over software and data.• Use OTAP to streamline deployment of MDM policies to devices. • Use OTAP to streamline deployment of MDM policies to devices. • Consider using SCEP to simplify the certificate enrollment process for devices. • In SCEP, generate a different shared secret for each device. • Apply context-aware management procedures to devices. • Group similar devices together into a single profile for easy policy deployment.• Issue push notifications to alert users to important information. • Issue push notifications to alert users to important information. • Establish a secure MDM VPN for mobile devices to access the network externally. • Employ remote assistance like screen mirroring to help mobile users. • Use VNC so help desk personnel can help users from their mobile devices. • Remotely wipe a lost or stolen device. • Ensure sensitive data is backed up before wiping a device.
Guidelines for Addressing Security and Privacy Concerns for Mobile Devices
• Consider how mobile devices may be storing data in insecure storage spaces. • Choose a strong device authentication method. • Recognize the risks involved in rooting/jailbreaking devices. • Consider restricting rooting/jailbreaking capabilities. • Identify how unsigned sideloaded apps can bring risk to Android devices. • Select mobile devices that incorporate hardware anti-tamper technology. • Consider using newer Bluetooth devices for improved tethering availability. • Be aware of how contactless mobile payment methods have NFC vulnerabilities. • Be aware that some card readers may have been compromised in the supply chain.• Use a mobile wallet app that incorporates tokenization. • Use a mobile wallet app that incorporates tokenization. • Use encrypted messaging apps to protect mobile communications. • Consider testing third-party anti-malware apps on Android devices. • Identify security/privacy risks involved in wearable technology.
Guidelines for Implementing Network Security Controls
• Implement secure configuration and baseline of network components. • Lock down security configurations. • Implement change monitoring for network configurations. • Implement availability controls on network infrastructure. • Implement ACLs on network devices. • Construct DMZs around public-facing resources. • Separate critical assets using VLANs. • Use network sensors and monitors to see high-level network flows. • Use DPI to verify the content of data transmissions conforms to policy. • Configure network devices to use security mechanisms like port security. • Establish NAC systems to enforce policies on network hosts. • Choose network management/monitoring tools that fulfill security needs. • Write custom rules and alert definitions. • Prevent alert fatigue by tuning alert thresholds to be more precise.
Guidelines for Implementing Advanced Network Design
• Implement secure protocols like SSH and SSL/TLS for remote access. • Enable transport encryption on remote desktop applications. • Be aware that IPv6 is not backwards-compatible with IPv4. • Investigate what technologies in your network support IPv6. • Identify strengths and weaknesses of IPv6 transitional technologies. • Implement strong authentication methods in the network's design. • Implement 802.1X to force users to authenticate to the network. • Follow best design practices for implementing 802.1x. • Consider constructing your network around a mesh topology if feasible. • Secure connections between network controllers and forwarders in SDN. • Place resources in virtual topology with respect to availability and security concerns. • Secure the physical topology as well as the virtual.
Availability Controls
• Lack of availability controls can make it difficult to rebuild after an incident. • You want to keep network-based data accessible and resistant to failure. • Example: UPS maintains power to network devices. • After a power outage, reserve power kicks in. • Devices continue to serve users without interruption. • Redundant network devices can also support availability. • Additional switches and routers can act as fallback devices. • Load balancers can keep traffic from overloading servers.
Configuration Profiles
• Make mobile device management much easier. • Construct a group identity for MDM devices. • All devices can be in one profile, or groups of devices can have their own profile. • You can deploy policies/payloads to groups. • Example: Devices running older versions of Android. • Devices are stuck in these versions. • You want to allow them in the MDM environment. • You want to ensure they don't bring unwanted risk. • Construct a special profile that is more strict with policies. • Enable fine-tune control over mobile infrastructure.
Messaging
• Messages with sensitive contents must be secured against attacks. • SMS communicates text over mobile networks. • Data link between device and base station can be encrypted. • Encryption is optional, and most algorithms are weak. • Data is not necessarily encrypted outside of the link. • Attacker can intercept messages outside the link. • SMS is also susceptible to spoofing. • MMS communicates media over mobile networks. • No strong encryption. • Also susceptible to interception/spoofing. • TextSecure added an encryption layer to SMS/MMS, but was dropped. • Encrypted messaging apps can use other channels. • TextSecure's successor, Signal Protocol, provides end-to-end encryption. • Used by Signal, WhatsApp, Facebook Messenger, and more. • Supports confidentiality, integrity, authentication, non-repudiation, PFS, etc. • Doesn't prevent storage of metadata on messaging provider's servers.
Mobile Payments
• Mobile devices can facilitate multiple payment methods. • Peripheral devices like card readers can attach to a device. • Through an app, device is hooked into a POS system. • Useful for conducting sales on-the-go. • Card readers may be compromised in supply chain attacks. • Contactless methods use magnetic induction. • Typically use NFC. • Users authorize a transaction and place devices in close proximity. • Electromagnetic charge exchanges data. • Susceptible to NFC vulnerabilities like intercepting RF signals. • NFC can be used with mobile wallets. • Card/bank account info is associated with an app. • Device is placed near a terminal to initiate the transaction. • Wallets are at risk if device is lost/stolen and card info is not secured.
Mobile Malware
• Most mobile OSes provide native protections against malware. • Example: Non-rooted Android phones place software in a user context. • Limits the software's effects on the system. • OS design influences malware protections. • Android is less restrictive than iOS, but more vulnerable. • Anti-malware software does not come with most mobile platforms. • iOS anti-malware apps don't exist in the App Store. • Would require same privileges that are considered a risk. • Anti-malware apps do exist in Google Play. • Provided by third parties. • Vary in effectiveness. • Potential effects of mobile malware: • Send fraudulent SMS messages. • Deleted unprotected files in storage. • Spy on user activity. • And more.
Alerting
• Most network tools provide alerting functionality. • Alerts can target high-level or low-level analysis. • You should customize alerts and the rules that trigger them. • Constructs scenarios to go into alerts by writing rules. • Example: Rule that monitors bandwidth usage on a router. • Multiple rules can form an alert definition. • Alert may only trigger after multiple rule parameters are met. • Should be precise to minimize false positives. • Excessive alerts lead to alert fatigue. • Analysts/admins become desensitized. • Alerts are less meaningful and more likely to be ignored. • Combat alert fatigue by fine-tuning thresholds. • Strict, but not so strict they generate false negatives. • For bandwidth usage, establish an accurate baseline and record normal deviations. • Tune alert threshold to include usage that's right outside these deviations.
Mobile Devices and VPNs
• Personnel increasingly access network resources from mobile devices. • Also need access when they are away from the office. • You can implement VPN services in MDM solutions. • Device enrolls in MDM and uses a VPN client to connect to gateway server. • Can use MDM agent's VPN client. • Can use third-party VPN client. • Encryption/tunneling protocol depends on MDM solution. • Some support IPSec. • Others may support SSL/TLS. • Ensure MDM VPN aligns with traditional VPN policies.
Remote Assistance Access
• You can provide remote assistance to mobile device users. • Help desk worker can use desktop to gain access to a phone/tablet. • Remote assistance console enables configuration of device. • Monitor apps, terminating apps, changing settings, etc. • Consoles can also support screen mirroring. • Provides a view into remote mobile device's OS in real-time. • Similar to standard remote assistance viewers. • Help desk workers can also use assistance technology from their own mobile devices. • Can provide assistance to users when help desk worker is away from their desk. • VNC apps available on Android and iOS. • Mobile device can take control of Windows/macOS PC. • PC runs VNC server, help desk worker connects to it through mobile client. • Remote machine's desktop appears on help desk worker's mobile device.
Network Management and Monitoring Tools
• You need to monitor and manage the network constantly. • Many tools available for this. • You may need to use more than one to get a complete picture. • Tools differ based on cost and effectiveness. • Examples: Wireshark, Cacti, Nagios Core, ntopng.
Implementing Security Controls for Mobile Devices
•Implement Mobile Device Management •Address Security and Privacy Concerns for Mobile Devices
Analyzing Advanced Network Design
•The design of Develetech's network is as important as choosing specific devices. • Analyzing advanced design concepts will aid in securing the network.