Endpoint Security #

Operating System Vulnerability Types #

• Vulnerabilities in the OS itself
• Default passwords & Insecure (Default) Settings
• Insecure configurations
• Misconfiguration

Hardware Vulnerability Types #

Note: Often hard to deal directly with, so compensating controls are key.

• Firmware - embedded software of devices
  • Not always possible to update
  • Requires sometimes manual updates, and not part of automated updates.
  • Attacks: Via any way that allows access to the firmware itself
    • Examples: executable updates, user download malicious firmware and network enabled updates that provide remote-acces to firmware and management.
    • Reintalling the OS wouldn’t change a thing
  • Defenses
    • Firmware validation!
• End-Of-Life or Legacy hardware - means no moe support or patches from cendor
  • Tips/watch for
    • End-Of-Sales: Last day the device will be sold (might be still in supply chain via resellers for a grace period)
    • End-Of-Life: Not sold anymore, but still supported, should get rid of it though.
    • End-Of-Support: Last day that vendor will provide support/updates/patches.
    • Legacy: Unsupported.

Protecting Endpoints #

• Endoint - They’re at the endpoint of a network (wired & wireless)
  • Examples: Servers, mobiles, laptops, desktops,

Preserving Boot Integrity #

• Protection of the endpoint starts already at bootup.
• If untrusted/malicious code is inserted into the boot process, the system can’t be protected.
• Unifued Extensible Firmware Interface (UEFI) (replacement of BIOS)
  • Has 2 security techniques
    • 1. Secure Boot ensure that the system boots omly software that the Original Equipment Manufacturer (OEM) trusts.
      • HOW: UEFI uses signature database db and revoked signature database dbx with all signatures of trusted and revoked boot software/firmware.
        • Signature Databases are validate with platform public key (platform = the motherboard, installed on manufacturing)
          • The platform private key is at the manufacturer, for signing the database updates (not actual firmware/updates).
        • If a violation is found, attempt to restore to original trusted firmware, so you depend on the logic/decision of the boot process on how to deal with an untrusted signature.
      • 
    • 2. Measured Boot - Boot proceses that measure each component
      • UEFI measures (hashes) each component as it loads
      • Stores measurements in TPM (Trusted Plaform Module) Platform Configuration Registers (PCRs)
      • Does NOT compare against expected values
      • Does NOT stop boot if something is different
      • Just creates a tamper-evident log
      • This allows a remote server to maie decisions.
• Boot Integrity starts with the hardware root of trust comntaining the cryptographic keys that secure the boot process. This usually lives in the TPM (Trusted Plaform Module).
  • There is an unconditional, implicit trust in the hardware root, or more specific the TPM.
• Trusted Plaform Module (TPM) frequently used for built-in encryption
  • 3 major functions
    • 1. Remote Attestation - allowing hardware & software configs to be verified
    • 2. Binding - encrypts data
    • 3. Sealing - encrypts data + set requirements for the state of the TPM chip before decrypting
• Phsycially Unclonable Functions (PUFs) - unique to the specific hardware.
• Apple’s secure enclave dedicated secure system for hardware key management.
  • Full processor - ARM-based coprocessor with its own OS
  • Active computation - runs security-sensitive operations itself
  • Isolated execution - processes cryptographic operations in hardware isolation
  • Real-time operations - handles Touch ID, Face ID, payment processing
  • Application processor - can run complex security applications
  • Fare more advance than the TPM.
• Key Management Services used to store keys and certificates and maange them centreally.

Summary #

• TPM -> Used for system securty
• HSM -> to create, store and manage keys for multiple systems
• KMS -> a servuce for managung secrets

Endpoint Security Tools #

• Antivirus and Antimalware - Still useful
  • Detection methods
    • Signature-Based Hash/patterns recogintion of known virus/malware (IoC)
    • Heuristic or Behavior-based looks for similar behavior as known malware’s behavior
    • AI/ML Use large datasets to build signature and behavior based signatures.
    • Sandboxing Let run malicious code run in a sandbox and analyze it.
      • Sandboxing having an isolated environment.
      • Some malware tries to identify if they’re in a sandbox, so they don’t behave as usual.
      • Cuckoo Sandbox GitHub and Docs which is an automated malware analysis tool.
  • Last line of defence on an endpoint, so strongly recommended, but not sufficient.
  • When consider using it… ask:
    • What are threats are you likely to face? in some organizations it’s mostly workstations and email, so have antimalware that focuses on those areas.
    • Integration with other security tools do you need monitoring/reporting of malware solutions into another tool?
    • Detection capabilities you use and how likely will you catch stuff? Using more than one antimalware technology might further decrease risk.
• Allow/White Lists and Deny/Black/Block Lists
  • Control what software can be installed
  • Allow lists good for highest secure environments
  • Deny lists good when there should be more flexibility for unknown software.
  • Maintaining the lists is time consuming.
• (Endpoint Detection and Response (EDR)
  • Offer monitoring of Endpoints using an agent/client
    • Focus on: Network monitor and log analysis => To Correlate/analyze events
    • Able to search and explore all collected data for investigations + detection of suspicious data.
    • Search for anomalies and IoCs
    • Magic is in the detection and reporting.
  • XDR (THe extended version of EDR) - takes broader perspective
    • Ingest from a broader perspect logs and such to aim the same goals as EDR.
• Data Loss Prevention (DLP)
  • Protect against intentional and accidental data loss/exfiltration.
  • Feature: Able to classify data - data labeling, tagging, soyou know what to treat different or apply policies.
  • Feature: Encrypt data when sent outside certain trust boundry - or use other techniques like tokenization, etc…
  • Feature: Map organizational data and apply policies
• Network Defenses
  • Host-Based Firewall are firewalls installed or part of the host. Don’t allow analyzing traffic.
  • Host-based Intrusion Prevention System (HIPS) - Analyzes traffic before it “enters” the host.
    • This can decide on its own logic to block traffic (unlike the firwall that has fixed clear rules), so comes with caution!
      • Example: A new OS update caused a new behavior, but the HIPS itself was not not updated yet to know about this new update’s behavior, BLOCK.
  • Host-based Intrusion Detection System - Can only detect, but not take action.
    • Ideal to combine with the Host-Based firewall, so you have fixed clear rules, but you can also analyze the traffic, without unpredictable behavior.

Hardening Techniques #

Hardening #

Changing the settings to increase its overall level fo security and reduce its vulnerability.

• Hardening guidelines for various OS, software, …
  • CIS Benchmarks
  • NIST Repositoryu

Service Hardening #

• Reduce number of open ports and protocols
  • If a port is closed, its hard to exploit remotly
  • Port scanners are usually used to seek for first vulnerabilities
  • Rule of thumb: Only ports and services that must be available to provide necessary services should be open. Those that are open should be limited to the networks and services that use them.
• Most common
  • 21/TCP - FTP
  • 22/TCP - SSH (Linux)
  • 23/TCP - Telnet
  • 53/TCP and UDP - DNS (Linux & Windows)
  • 80/TCP - HTTP (Linux & Windows)
  • 125-129/TCP and UDP - NetBIOS (Linux & Windows)
  • 389/TCP and UDP - LDAP (Linux & Windows)
  • 443/TCP - HTTPS (Linux & Windows)
  • 3389TCP and UDP - RDP (Windows)
• Block ports AND STOP services
  • Stop SSH systemd or RDP services.msc services.

Network Hardening #

• Use VLAN or subnets (VPCs) to segment the network. Create trust boundries.
  • Example: Use guest networks

Default Passwords #

• Password Advice

Removing Unnecessary Software #

• Less patching, maintenance, no risk of them running by accident
• Kill bloatware

Operating System Hardening #

Again, check CIS Benchmarks for hardening. CIS Benchmark example for Windows

* Set password history to 24 or more
* Max password age to 1 year or les, but not 0.
* Min password length 0f 12
* Require password complexity
* Disable password storage with reversible encryption

It’s a long list! Just remember to use tools to automate this.

• Hardening the windows registry
  • Configure the permission for the registry
  • Block remore registry access
• Windows Group Policy and Hardening
  • Group Policy Objects allow to stricten permissions to key thigs (min password, guest account enablement)
• Hardening Linux: Security Enhanced Linux (SELinux)
  • Security module om top of existing linux distrubtions
  • Wiki
  • Capabilities like:
    • Mandatory Access Control
  • See also AppArmor for security hardening

Configuration, Standards, and Schemas #

• Configuration management is probbably the most scalable to do hardening.
  • Make good baselines
  • Monitors for changes
  • Enforces configuration
  • Phases
    • Establish baseline - Use CIS benchmarks for example
    • Deploying - deploy this baseline configuration throug automation or manual
    • Maintain - Updated based on needs and feedback, ideally with again a centralized tool.
• Patching and Patch Management
  • Ideally patch, but patching can cause also issues just a reminder.
    • Example: Delay patches for just a few days to see if any reports happened
    • Example: Gradual roll out
  • When using enterprise software, you should be able to plan, monitor, report, measuree and block updates

Encryption #

• Self Encrypting Drive - The encryption is in the hardware itself, so even transaprent to the OS and other components.

Securing Embedded and Specialized Systems #

Embedded Systems #

• Use often Real Time Operating System (OS).
  • Where data is more important than interrupts.
• Assess an embedded system
  • Identify maufacturer and docs
  • How does it interface with the world?
  • Does it have a network connection? DO usually network hardening
  • How is it updated?
  • Document what to do if there is an issue or compromise
  • Document findings
• Controller Area Network (CAN) used in cars to communicate between all controllers and sensors

SCADA and ICS #

Industrial and manufacturing systems

• Industrial Controls Systems (ICS)
• Supervisory Control and Data Acquisition (SCADA)
• These systems often use general purpose computers as control/monitor and then sensors and controllers for others. It’s a mix off all. These non general purpose systems unfortunatly are often not designed for security, so it can be risky sometimes to make them “secure”.

Securing the Internet of Things #

• Often poor security practices and weak default settings
• Short suppot lifespans
• Vendor data-handling often immature

Communication Considerations #

• In some environments cullar networks are used instead of traditional network/wifi
  • Here the devices must be configured so the cullar network does not pose a risk.
  • They basically connect directly to public internet.
• Protect SIM cards physically is key, else someone can change it and do shady things.
• Embedded systems may use radio frequency protocols like Zigbee
  • A Wireless Personal Area network (WPAN)
  • Used in home automation
  • Often limited security
  • They can’t connect to traditional network, so no chance to patch/update…

Security Constraints of Embedded Systems #

• Very Low compute power - Might not be able to do cryptographic processing or run security tools on the system.
• MAyu not connect to network - So inable to monitor/patch/access.
• Security can be undesirable sometimes - Authentication might be undeseriabe due to safety or usability.
• Replacing can be expensive- the embedded system might be affordible, but it’s part of a bigger system.
• Conclusion - Because of these limitations, embedded devices ay rely on implicit trust. The person/handler/operator that can physically access it is implicityl trusted. So here you can see the risk and vulnerabilities.

Asset Management #

Also know as enumeration of assets. You want a list of all assets bought, who owns it, we uses it, metadata it, lifespan, etc.. Helps to know if something is lost or stolen.

• Decommisioning

  • Remove/deal with sensitive data (e.g wipe disk)
  • Deggausers are used to wipe magnetic drives quickly.
  • DBAN to safe wipe disks
  • Or you can just discard the private key of an encrypted drive
  • Or just destroy instread of wipe, it’s brute force but is efficient

• Retention

• Sometimes data needs to be retained, for legal reasons (e.g. invoices etc…), make sure to backup that data.