Endpoint Security

Operating System Vulnerability Types #

  • Vulnerabilities in the OS itself
  • Default passwords & Insecure (Default) Settings
  • Insecure configurations
  • Misconfiguration

Hardware Vulnerability Types #

Note: Often hard to deal with directly, so compensating controls are key.

  • Firmware - embedded software of devices
    • Not always possible to update
    • Sometimes requires manual updates, and is not part of automated updates.
    • Attacks: via any path that allows access to the firmware itself
      • Examples: executable updates, a user downloading malicious firmware, and network-enabled updates that provide remote access to the firmware and its management.
      • Reinstalling the OS wouldn’t change a thing
    • Defenses
      • Firmware validation!
  • End-of-Life or legacy hardware - means no more support or patches from the vendor
    • Tips/watch for
      • End-of-Sale: last day the device will be sold (might still be in the supply chain via resellers for a grace period)
      • End-of-Life: not sold anymore, but still supported; you should get rid of it though.
      • End-of-Support: last day that the vendor will provide support/updates/patches.
      • Legacy: unsupported.

Protecting Endpoints #

  • Endpoint - they’re at the endpoint of a network (wired & wireless)
    • Examples: servers, mobiles, laptops, desktops

Preserving Boot Integrity #

  • Protection of the endpoint starts already at boot-up.
  • If untrusted/malicious code is inserted into the boot process, the system can’t be protected.
  • Unified Extensible Firmware Interface (UEFI) (replacement of BIOS)
    • Has 2 security techniques
        1. Secure Boot ensures that the system boots only software that the Original Equipment Manufacturer (OEM) trusts.
        • HOW: UEFI uses the signature database (db) and the revoked signature database (dbx), which hold the signatures of trusted and revoked boot software/firmware.
          • The signature databases are validated with the platform public key (platform = the motherboard; installed at manufacturing)
            • The platform private key stays with the manufacturer and is used to sign database updates (not the actual firmware/updates).
          • If a violation is found, the firmware attempts to restore the original trusted firmware, so you depend on the logic/decision of the boot process for how it deals with an untrusted signature.
        2. Measured Boot - a boot process that measures each component
        • UEFI measures (hashes) each component as it loads
        • Stores the measurements in the TPM (Trusted Platform Module) Platform Configuration Registers (PCRs)
        • Does NOT compare against expected values
        • Does NOT stop the boot if something is different
        • Just creates a tamper-evident log
        • This allows a remote server to make decisions.
  • Boot integrity starts with the hardware root of trust containing the cryptographic keys that secure the boot process. This usually lives in the TPM (Trusted Platform Module).
    • There is an unconditional, implicit trust in the hardware root, or more specifically the TPM.
  • Trusted Platform Module (TPM) - frequently used for built-in encryption
    • 3 major functions
        1. Remote Attestation - allows hardware & software configurations to be verified
        2. Binding - encrypts data
        3. Sealing - encrypts data + sets requirements for the state of the TPM chip before decrypting
  • Physically Unclonable Functions (PUFs) - unique to the specific hardware.
  • Apple’s Secure Enclave - dedicated secure system for hardware key management.
    • Full processor - ARM-based coprocessor with its own OS
    • Active computation - runs security-sensitive operations itself
    • Isolated execution - processes cryptographic operations in hardware isolation
    • Real-time operations - handles Touch ID, Face ID, payment processing
    • Application processor - can run complex security applications
    • Far more advanced than the TPM.
  • Key Management Services - used to store keys and certificates and manage them centrally.
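The Measured Boot and Remote Attestation points above, as an added example (not code from the page or any TPM vendor): a small simulation of the PCR extend operation, the event log the firmware writes without enforcing anything, and the replay a remote verifier does. The boot components and golden values are constructed.

```python
import hashlib

# Added example: simulate measured boot (PCR extend + event log) and the
# remote verifier that replays the log. Component blobs are constructed.

PCR_INITIAL = b"\x00" * 32  # a SHA-256 PCR starts zeroed at reset


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: PCR_new = H(PCR_old || measurement). The old value cannot be
    recovered and order matters, which is what makes the log tamper-evident."""
    return hashlib.sha256(pcr + measurement).digest()


def measured_boot(components):
    """Measure each component in load order. Returns (final PCR, event log).
    Note the firmware only records; it never compares or halts the boot."""
    pcr, log = PCR_INITIAL, []
    for name, blob in components:
        digest = hashlib.sha256(blob).digest()
        log.append((name, digest))
        pcr = extend(pcr, digest)
    return pcr, log


def remote_verify(reported_pcr: bytes, log, golden: dict) -> list:
    """Attestation server side: replay the log, compare each event to the
    known-good digest, and check the replay reproduces the quoted PCR."""
    findings, pcr = [], PCR_INITIAL
    for name, digest in log:
        pcr = extend(pcr, digest)
        if golden.get(name) != digest:
            findings.append(f"unexpected measurement for {name}")
    if pcr != reported_pcr:
        findings.append("event log does not reproduce quoted PCR (log tampered?)")
    return findings


# Constructed known-good boot chain; an admin would record these golden
# digests from a trusted reference machine.
GOOD_CHAIN = [("firmware", b"fw-v1"), ("bootloader", b"shim-v1"), ("kernel", b"vmlinuz-6.1")]
GOLDEN = {name: hashlib.sha256(blob).digest() for name, blob in GOOD_CHAIN}

if __name__ == "__main__":
    pcr, log = measured_boot(GOOD_CHAIN)
    print("clean boot:", remote_verify(pcr, log, GOLDEN))
    # A changed bootloader still boots (no enforcement), but the verifier sees it.
    pcr2, log2 = measured_boot([("firmware", b"fw-v1"), ("bootloader", b"modified"), ("kernel", b"vmlinuz-6.1")])
    print("changed boot:", remote_verify(pcr2, log2, GOLDEN))
```

Editing the event log to hide the change does not help, because the replayed chain no longer matches the PCR value the TPM reports.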

Summary #

  • TPM -> used for system security
  • HSM -> to create, store and manage keys for multiple systems
  • KMS -> a service for managing secrets

Endpoint Security Tools #

  • Antivirus and Antimalware - still useful
    • Detection methods
      • Signature-based: hash/pattern recognition of known viruses/malware (IoCs)
      • Heuristic or behavior-based: looks for behavior similar to known malware’s behavior
      • AI/ML: uses large datasets to build signature- and behavior-based signatures.
      • Sandboxing: let the malicious code run in a sandbox and analyze it.
        • Sandboxing means having an isolated environment.
        • Some malware tries to identify whether it’s in a sandbox, so it doesn’t behave as usual.
        • Cuckoo Sandbox (GitHub and Docs) is an automated malware analysis tool.
    • Last line of defence on an endpoint, so strongly recommended, but not sufficient.
    • When considering using it, ask:
      • What threats are you likely to face? In some organizations it’s mostly workstations and email, so have antimalware that focuses on those areas.
      • Integration with other security tools: do you need monitoring/reporting from the malware solution into another tool?
      • Detection capabilities: which ones do you use, and how likely are you to catch stuff? Using more than one antimalware technology might further decrease risk.
  • Allow/White Lists and Deny/Black/Block Lists
    • Control what software can be installed
    • Allow lists are good for the highest-security environments
    • Deny lists are good when there should be more flexibility for unknown software.
    • Maintaining the lists is time consuming.
  • Endpoint Detection and Response (EDR)
    • Offers monitoring of endpoints using an agent/client
      • Focus on: network monitoring and log analysis => to correlate/analyze events
      • Able to search and explore all collected data for investigations + detection of suspicious data.
      • Search for anomalies and IoCs
      • The magic is in the detection and reporting.
    • XDR (the extended version of EDR) - takes a broader perspective
      • Ingests logs and such from a broader set of sources to aim for the same goals as EDR.
  • Data Loss Prevention (DLP)
    • Protects against intentional and accidental data loss/exfiltration.
    • Feature: able to classify data - data labeling, tagging, so you know what to treat differently or which policies to apply.
    • Feature: encrypt data when sent outside a certain trust boundary - or use other techniques like tokenization, etc.
    • Feature: map organizational data and apply policies
  • Network Defenses
    • Host-based firewall: firewalls installed on or part of the host. They don’t analyze traffic.
    • Host-based Intrusion Prevention System (HIPS) - analyzes traffic before it “enters” the host.
      • This can decide on its own logic to block traffic (unlike the firewall, which has fixed, clear rules), so it comes with caution!
        • Example: a new OS update caused new behavior, but the HIPS itself was not updated yet to know about this new update’s behavior: BLOCK.
    • Host-based Intrusion Detection System (HIDS) - can only detect, but not take action.
      • Ideal to combine with the host-based firewall, so you have fixed, clear rules, but you can also analyze the traffic, without unpredictable behavior.

Hardening Techniques #

Hardening #

Changing the settings of a system to increase its overall level of security and reduce its vulnerability.

Service Hardening #

  • Reduce the number of open ports and protocols
    • If a port is closed, it’s hard to exploit remotely
    • Port scanners are usually used to look for the first vulnerabilities
    • Rule of thumb: only ports and services that must be available to provide necessary services should be open. Those that are open should be limited to the networks and services that use them.
  • Most common
    • 21/TCP - FTP
    • 22/TCP - SSH (Linux)
    • 23/TCP - Telnet
    • 53/TCP and UDP - DNS (Linux & Windows)
    • 80/TCP - HTTP (Linux & Windows)
    • 125-129/TCP and UDP - NetBIOS (Linux & Windows)
    • 389/TCP and UDP - LDAP (Linux & Windows)
    • 443/TCP - HTTPS (Linux & Windows)
    • 3389/TCP and UDP - RDP (Windows)
  • Block ports AND STOP services
    • e.g. stop the SSH service (systemd) on Linux, or the RDP service (services.msc) on Windows.
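The rule of thumb above in code, as an added example (not code from the page): review a Linux host’s listening sockets against an allowlist of ports that must be reachable, and separate network-exposed ports from loopback-only ones. The input format is that of `ss -tuln`; the sample output, the allowlist and the loopback set are constructed assumptions.

```python
# Added example: compare a host's listening sockets (output of `ss -tuln`)
# against an allowlist of ports that must stay open. Sample output is constructed.

SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      50           0.0.0.0:23         0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:53         0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:631        0.0.0.0:*
tcp   LISTEN 0      128             [::]:3389          [::]:*
"""

ALLOWED = {("tcp", 22), ("udp", 53)}        # assumed: ports this host must expose
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}    # bound to localhost only


def parse_ss(output: str):
    """Yield (proto, address, port) for each socket line; the header is skipped."""
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")   # handles "[::]:3389" too
        if port.isdigit():
            yield proto, addr, int(port)


def review_listeners(output: str, allowed=ALLOWED) -> dict:
    """Return network-exposed ports not on the allowlist (close or restrict
    these, and stop the service) and loopback-only ports (lower priority)."""
    findings = {"exposed_not_allowed": [], "loopback_only": []}
    for proto, addr, port in parse_ss(output):
        if addr in LOOPBACK:
            findings["loopback_only"].append((proto, port))
        elif (proto, port) not in allowed:
            findings["exposed_not_allowed"].append((proto, port))
    return findings


if __name__ == "__main__":
    for kind, items in review_listeners(SAMPLE_SS_OUTPUT).items():
        print(f"{kind}: {items}")
```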

Network Hardening #

  • Use VLANs or subnets (VPCs) to segment the network. Create trust boundaries.
    • Example: use guest networks

Default Passwords #

Removing Unnecessary Software #

  • Less patching and maintenance, and no risk of it running by accident
  • Kill bloatware

Operating System Hardening #

Again, check CIS Benchmarks for hardening. CIS Benchmark example for Windows:

* Set password history to 24 or more
* Max password age to 1 year or less, but not 0.
* Min password length of 12
* Require password complexity
* Disable password storage with reversible encryption

It’s a long list! Just remember to use tools to automate this.
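As an added example of automating such checks (not code from the page or from CIS): the five password settings above checked against the `[System Access]` section of a `secedit /export /cfg` policy export. The sample export is constructed; the key names are the ones secedit writes, and "1 year" is taken as 365 days.

```python
# Added example: check a Windows password policy export against the five
# CIS settings listed above. The INF text below is a constructed sample.

SAMPLE_INF = """\
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 10
ClearTextPassword = 1
[Event Audit]
AuditSystemEvents = 0
"""

# (secedit key, description, pass condition), one per benchmark item above
RULES = [
    ("PasswordHistorySize", "password history >= 24", lambda v: v >= 24),
    ("MaximumPasswordAge", "max age 1..365 days, not 0", lambda v: 1 <= v <= 365),
    ("MinimumPasswordLength", "min length >= 12", lambda v: v >= 12),
    ("PasswordComplexity", "complexity enabled", lambda v: v == 1),
    ("ClearTextPassword", "reversible encryption disabled", lambda v: v == 0),
]


def parse_system_access(inf: str) -> dict:
    """Return the numeric key/value pairs of the [System Access] section."""
    values, in_section = {}, False
    for line in inf.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line == "[System Access]"
        elif in_section and "=" in line:
            key, _, val = line.partition("=")
            if val.strip().lstrip("-").isdigit():   # skip string settings
                values[key.strip()] = int(val.strip())
    return values


def check_password_policy(inf: str) -> list:
    """Return (key, description, actual) for each failing or missing setting."""
    values = parse_system_access(inf)
    return [(key, desc, values.get(key)) for key, desc, ok in RULES
            if values.get(key) is None or not ok(values[key])]


if __name__ == "__main__":
    for key, desc, actual in check_password_policy(SAMPLE_INF):
        print(f"FAIL {key}={actual}: expected {desc}")
```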

  • Hardening the Windows registry
    • Configure the permissions for the registry
    • Block remote registry access
  • Windows Group Policy and hardening
    • Group Policy Objects allow you to tighten permissions on key things (minimum password length, guest account enablement)
  • Hardening Linux: Security-Enhanced Linux (SELinux)

Configuration, Standards, and Schemas #

  • Configuration management is probably the most scalable way to do hardening.
    • Make good baselines
    • Monitor for changes
    • Enforce the configuration
    • Phases
      • Establish a baseline - use CIS Benchmarks, for example
      • Deploy - deploy this baseline configuration through automation or manually
      • Maintain - update based on needs and feedback, ideally again with a centralized tool.
  • Patching and Patch Management
    • Ideally patch, but just a reminder that patching can also cause issues.
      • Example: delay patches for just a few days to see if any reports come in
      • Example: gradual roll-out
    • When using enterprise software, you should be able to plan, monitor, report, measure and block updates

Encryption #

  • Self-Encrypting Drive - the encryption is in the hardware itself, so it is transparent even to the OS and other components.

Securing Embedded and Specialized Systems #

Embedded Systems #

  • Often use a Real-Time Operating System (RTOS).
    • Where data is more important than interrupts.
  • Assessing an embedded system
    • Identify the manufacturer and docs
    • How does it interface with the world?
    • Does it have a network connection? Usually do network hardening
    • How is it updated?
    • Document what to do if there is an issue or compromise
    • Document findings
  • Controller Area Network (CAN) - used in cars to communicate between all controllers and sensors

SCADA and ICS #

Industrial and manufacturing systems

  • Industrial Control Systems (ICS)
  • Supervisory Control and Data Acquisition (SCADA)
  • These systems often use general-purpose computers for control/monitoring, and sensors and controllers for the rest. It’s a mix of everything. These non-general-purpose systems unfortunately are often not designed for security, so it can sometimes be risky to make them “secure”.

Securing the Internet of Things #

  • Often poor security practices and weak default settings
  • Short support lifespans
  • Vendor data handling is often immature

Communication Considerations #

  • In some environments cellular networks are used instead of the traditional network/Wi-Fi
    • Here the devices must be configured so the cellular network does not pose a risk.
    • They basically connect directly to the public internet.
  • Protecting SIM cards physically is key, else someone can swap it and do shady things.
  • Embedded systems may use radio frequency protocols like Zigbee
    • A Wireless Personal Area Network (WPAN)
    • Used in home automation
    • Often limited security
    • They can’t connect to a traditional network, so no chance to patch/update…

Security Constraints of Embedded Systems #

  • Very low compute power - might not be able to do cryptographic processing or run security tools on the system.
  • May not connect to a network - so unable to monitor/patch/access.
  • Security can sometimes be undesirable - authentication might be undesirable due to safety or usability.
  • Replacing can be expensive - the embedded system itself might be affordable, but it’s part of a bigger system.
  • Conclusion - because of these limitations, embedded devices may rely on implicit trust. The person/handler/operator that can physically access it is implicitly trusted. So here you can see the risks and vulnerabilities.

Asset Management #

Also known as enumeration of assets. You want a list of all assets bought: who owns it, who uses it, its metadata, lifespan, etc. Helps to know if something is lost or stolen.

  • Decommissioning
    • Remove/deal with sensitive data (e.g. wipe the disk)
    • Degaussers are used to wipe magnetic drives quickly.
    • DBAN to safely wipe disks
    • Or you can just discard the private key of an encrypted drive
    • Or just destroy instead of wipe; it’s brute force but efficient
  • Retention
    • Sometimes data needs to be retained for legal reasons (e.g. invoices, etc.); make sure to back up that data.