Endpoint Security #
Operating System Vulnerability Types #
- Vulnerabilities in the OS itself
- Default passwords & Insecure (Default) Settings
- Insecure configurations
- Misconfiguration
Hardware Vulnerability Types #
Note: Often hard to deal directly with, so compensating controls are key.
- Firmware - embedded software of devices
- Not always possible to update
- Requires sometimes manual updates, and not part of automated updates.
- Attacks: Via any way that allows access to the firmware itself
- Examples: executable updates, user download malicious firmware and network enabled updates that provide remote-acces to firmware and management.
- Reintalling the OS wouldn’t change a thing
- Defenses
- Firmware validation!
- End-Of-Life or Legacy hardware - means no moe support or patches from cendor
- Tips/watch for
- End-Of-Sales: Last day the device will be sold (might be still in supply chain via resellers for a grace period)
- End-Of-Life: Not sold anymore, but still supported, should get rid of it though.
- End-Of-Support: Last day that vendor will provide support/updates/patches.
- Legacy: Unsupported.
- Tips/watch for
Protecting Endpoints #
- Endoint - They’re at the endpoint of a network (wired & wireless)
- Examples: Servers, mobiles, laptops, desktops,
Preserving Boot Integrity #
- Protection of the endpoint starts already at bootup.
- If untrusted/malicious code is inserted into the boot process, the system can’t be protected.
- Unifued Extensible Firmware Interface (UEFI) (replacement of BIOS)
- Has 2 security techniques
- Secure Boot ensure that the system boots omly software that the Original Equipment Manufacturer (OEM) trusts.
- HOW: UEFI uses signature database
db
and revoked signature databasedbx
with all signatures of trusted and revoked boot software/firmware.- Signature Databases are validate with platform public key (platform = the motherboard, installed on manufacturing)
- The
platform private key
is at the manufacturer, for signing the database updates (not actual firmware/updates).
- The
- If a violation is found, attempt to restore to original trusted firmware, so you depend on the logic/decision of the boot process on how to deal with an untrusted signature.
- Signature Databases are validate with platform public key (platform = the motherboard, installed on manufacturing)
- Measured Boot - Boot proceses that measure each component
- UEFI measures (hashes) each component as it loads
- Stores measurements in TPM (Trusted Plaform Module) Platform Configuration Registers (PCRs)
- Does NOT compare against expected values
- Does NOT stop boot if something is different
- Just creates a tamper-evident log
- This allows a remote server to maie decisions.
- Has 2 security techniques
- Boot Integrity starts with the hardware root of trust comntaining the cryptographic keys that secure the boot process. This usually lives in the TPM (Trusted Plaform Module).
- There is an unconditional, implicit trust in the hardware root, or more specific the TPM.
- Trusted Plaform Module (TPM) frequently used for built-in encryption
- 3 major functions
- Remote Attestation - allowing hardware & software configs to be verified
- Binding - encrypts data
- Sealing - encrypts data + set requirements for the state of the TPM chip before decrypting
- 3 major functions
- Phsycially Unclonable Functions (PUFs) - unique to the specific hardware.
- Apple’s secure enclave dedicated secure system for hardware key management.
- Full processor - ARM-based coprocessor with its own OS
- Active computation - runs security-sensitive operations itself
- Isolated execution - processes cryptographic operations in hardware isolation
- Real-time operations - handles Touch ID, Face ID, payment processing
- Application processor - can run complex security applications
- Fare more advance than the TPM.
- Key Management Services used to store keys and certificates and maange them centreally.
Summary #
- TPM -> Used for system securty
- HSM -> to create, store and manage keys for multiple systems
- KMS -> a servuce for managung secrets
Endpoint Security Tools #
- Antivirus and Antimalware - Still useful
- Detection methods
- Signature-Based Hash/patterns recogintion of known virus/malware (IoC)
- Heuristic or Behavior-based looks for similar behavior as known malware’s behavior
- AI/ML Use large datasets to build signature and behavior based signatures.
- Sandboxing Let run malicious code run in a sandbox and analyze it.
- Sandboxing having an isolated environment.
- Some malware tries to identify if they’re in a sandbox, so they don’t behave as usual.
- Cuckoo Sandbox GitHub and Docs which is an automated malware analysis tool.
- Last line of defence on an endpoint, so strongly recommended, but not sufficient.
- When consider using it… ask:
- What are threats are you likely to face? in some organizations it’s mostly workstations and email, so have antimalware that focuses on those areas.
- Integration with other security tools do you need monitoring/reporting of malware solutions into another tool?
- Detection capabilities you use and how likely will you catch stuff? Using more than one antimalware technology might further decrease risk.
- Detection methods
- Allow/White Lists and Deny/Black/Block Lists
- Control what software can be installed
- Allow lists good for highest secure environments
- Deny lists good when there should be more flexibility for unknown software.
- Maintaining the lists is time consuming.
- (Endpoint Detection and Response (EDR)
- Offer monitoring of Endpoints using an agent/client
- Focus on: Network monitor and log analysis => To Correlate/analyze events
- Able to search and explore all collected data for investigations + detection of suspicious data.
- Search for anomalies and IoCs
- Magic is in the detection and reporting.
- XDR (THe extended version of EDR) - takes broader perspective
- Ingest from a broader perspect logs and such to aim the same goals as EDR.
- Offer monitoring of Endpoints using an agent/client
- Data Loss Prevention (DLP)
- Protect against intentional and accidental data loss/exfiltration.
- Feature: Able to classify data - data labeling, tagging, soyou know what to treat different or apply policies.
- Feature: Encrypt data when sent outside certain trust boundry - or use other techniques like tokenization, etc…
- Feature: Map organizational data and apply policies
- Network Defenses
- Host-Based Firewall are firewalls installed or part of the host. Don’t allow analyzing traffic.
- Host-based Intrusion Prevention System (HIPS) - Analyzes traffic before it “enters” the host.
- This can decide on its own logic to block traffic (unlike the firwall that has fixed clear rules), so comes with caution!
- Example: A new OS update caused a new behavior, but the HIPS itself was not not updated yet to know about this new update’s behavior, BLOCK.
- This can decide on its own logic to block traffic (unlike the firwall that has fixed clear rules), so comes with caution!
- Host-based Intrusion Detection System - Can only detect, but not take action.
- Ideal to combine with the Host-Based firewall, so you have fixed clear rules, but you can also analyze the traffic, without unpredictable behavior.
Hardening Techniques #
Hardening #
Changing the settings to increase its overall level fo security and reduce its vulnerability.
- Hardening guidelines for various OS, software, …
Service Hardening #
- Reduce number of
open ports
andprotocols
- If a port is closed, its hard to exploit remotly
- Port scanners are usually used to seek for first vulnerabilities
- Rule of thumb: Only ports and services that must be available to provide necessary services should be open. Those that are open should be limited to the networks and services that use them.
- Most common
- 21/TCP - FTP
- 22/TCP - SSH (Linux)
- 23/TCP - Telnet
- 53/TCP and UDP - DNS (Linux & Windows)
- 80/TCP - HTTP (Linux & Windows)
- 125-129/TCP and UDP - NetBIOS (Linux & Windows)
- 389/TCP and UDP - LDAP (Linux & Windows)
- 443/TCP - HTTPS (Linux & Windows)
- 3389TCP and UDP - RDP (Windows)
- Block ports AND STOP services
- Stop SSH
systemd
or RDPservices.msc
services.
- Stop SSH
Network Hardening #
- Use VLAN or subnets (VPCs) to segment the network. Create trust boundries.
- Example: Use guest networks
Default Passwords #
Removing Unnecessary Software #
- Less patching, maintenance, no risk of them running by accident
- Kill bloatware
Operating System Hardening #
Again, check CIS Benchmarks for hardening. CIS Benchmark example for Windows
* Set password history to 24 or more
* Max password age to 1 year or les, but not 0.
* Min password length 0f 12
* Require password complexity
* Disable password storage with reversible encryption
It’s a long list! Just remember to use tools to automate this.
- Hardening the windows registry
- Configure the permission for the registry
- Block remore registry access
- Windows Group Policy and Hardening
- Group Policy Objects allow to stricten permissions to key thigs (min password, guest account enablement)
- Hardening Linux: Security Enhanced Linux (SELinux)
Configuration, Standards, and Schemas #
- Configuration management is probbably the most scalable to do hardening.
- Make good baselines
- Monitors for changes
- Enforces configuration
- Phases
- Establish baseline - Use CIS benchmarks for example
- Deploying - deploy this baseline configuration throug automation or manual
- Maintain - Updated based on needs and feedback, ideally with again a centralized tool.
- Patching and Patch Management
- Ideally patch, but patching can cause also issues just a reminder.
- Example: Delay patches for just a few days to see if any reports happened
- Example: Gradual roll out
- When using enterprise software, you should be able to plan, monitor, report, measuree and block updates
- Ideally patch, but patching can cause also issues just a reminder.
Encryption #
- Self Encrypting Drive - The encryption is in the hardware itself, so even transaprent to the OS and other components.
Securing Embedded and Specialized Systems #
Embedded Systems #
- Use often Real Time Operating System (OS).
- Where data is more important than interrupts.
- Assess an embedded system
- Identify maufacturer and docs
- How does it interface with the world?
- Does it have a network connection? DO usually network hardening
- How is it updated?
- Document what to do if there is an issue or compromise
- Document findings
- Controller Area Network (CAN) used in cars to communicate between all controllers and sensors
SCADA and ICS #
Industrial and manufacturing systems
- Industrial Controls Systems (ICS)
- Supervisory Control and Data Acquisition (SCADA)
- These systems often use general purpose computers as control/monitor and then sensors and controllers for others. It’s a mix off all. These non general purpose systems unfortunatly are often not designed for security, so it can be risky sometimes to make them “secure”.
Securing the Internet of Things #
- Often poor security practices and weak default settings
- Short suppot lifespans
- Vendor data-handling often immature
Communication Considerations #
- In some environments cullar networks are used instead of traditional network/wifi
- Here the devices must be configured so the cullar network does not pose a risk.
- They basically connect directly to public internet.
- Protect SIM cards physically is key, else someone can change it and do shady things.
- Embedded systems may use radio frequency protocols like Zigbee
- A Wireless Personal Area network (WPAN)
- Used in home automation
- Often limited security
- They can’t connect to traditional network, so no chance to patch/update…
Security Constraints of Embedded Systems #
- Very Low compute power - Might not be able to do cryptographic processing or run security tools on the system.
- MAyu not connect to network - So inable to monitor/patch/access.
- Security can be undesirable sometimes - Authentication might be undeseriabe due to safety or usability.
- Replacing can be expensive- the embedded system might be affordible, but it’s part of a bigger system.
- Conclusion - Because of these limitations, embedded devices ay rely on implicit trust. The person/handler/operator that can physically access it is implicityl trusted. So here you can see the risk and vulnerabilities.
Asset Management #
Also know as enumeration
of assets. You want a list of all assets bought, who owns it, we uses it, metadata it, lifespan, etc.. Helps to know if something is lost or stolen.
Decommisioning
- Remove/deal with sensitive data (e.g wipe disk)
- Deggausers are used to wipe magnetic drives quickly.
- DBAN to safe wipe disks
- Or you can just discard the private key of an encrypted drive
- Or just destroy instread of wipe, it’s brute force but is efficient
Retention
Sometimes data needs to be retained, for legal reasons (e.g. invoices etc…), make sure to backup that data.