
Endpoints

Desktops, mobile devices, servers, and a variety of other systems in an organization that sit at the end of a network connection, whether wired or wireless.

UEFI

Unified Extensible Firmware Interface leverages two different techniques to ensure that the system is secure: secure boot and measured boot.

Secure Boot

Ensures that the system boots using only software that the original equipment manufacturer trusts. For the system to do this, it must have a signature database listing the signatures of trusted software and firmware for the boot process.

Measured Boot

Measures each component, starting with the firmware and ending with the boot-start drivers. It relies on UEFI to hash the firmware, bootloader, drivers, and anything else in the boot process. The measurements are stored as a log in the Trusted Platform Module (TPM); the hashes are then compared to known good boots, and administrators can inspect any hashes that deviate for issues.

Hardware Root of Trust

A system contains the cryptographic keys that secure the boot process. This means that the system or device inherently trusts the hardware root of trust, so it needs to be secure.

Signature based detection

Uses a hash or other signature generation method to identify files or components of malware that have been previously observed. This has been the traditional detection method, but polymorphism, which changes the malware every time it is installed, bypasses it.

Heuristic or Behavior based detection

Looks at the behavior that malicious software exhibits and compares it to profiles of unwanted activities. This can find new malware based on what it is doing rather than by a known fingerprint.

AI and Machine Learning

They leverage large amounts of data and use a combination of detection methods. It has become increasingly common to see this type of detection method.

Sandboxing

Used to run malicious code in an isolated environment. It is a protected environment in which the code can be run, observed, documented, and analyzed in depth.

Choosing AntiMalware

1st: Determine the types of threats you are likely to face and where they are likely to be encountered, such as on workstations or through email.

2nd: Management, deployment, and monitoring for these tools is very important. These tools can integrate together to give a centralized viewpoint.

3rd: Detection capabilities, that is the likelihood that your AntiMalware detects, stops, and removes malicious software, play a role; sometimes multiple AntiMalware products should be used.

Allow Lists

Also known as white lists, these lists specify the only applications, software, or websites that are allowed on a system. This is the most restrictive option, which can be good or bad depending on the case.

Deny Lists

Also known as black lists. This list includes the applications, software, and websites that are not allowed, meaning that all others are allowed. This is the least restrictive option, but it can cause issues as new threats emerge, and the list needs to be updated regularly.

EDR

Endpoint Detection and Response. These tools help when AntiMalware is not sufficient by searching and exploring collected data, using it for investigations, and detecting suspicious data. This suspicious data is known as incidents of compromise.

IoCs

Incidents of Compromise are anomalies that appear in data and systems and show evidence that a vulnerability might have been exploited.

DLP

Data Loss Prevention focuses on protecting organizational data from both theft and inadvertent exposure. DLP tools may be deployed at endpoints in the form of clients or applications. They have the ability to:

Classify data, so that organizations know which data should be protected

Label or tag data, to support management and classification practices

Manage policy, to enforce data management standards set by the organization

Monitor and report, to quickly notify administrators or security practitioners about issues or potential issues.

Host Based Firewalls

Built into most modern operating systems and typically enabled by default. They don’t provide much insight into the traffic they filter because they simply block or allow specific applications, services, ports, or protocols.

HIPS

Host Intrusion Prevention System: analyzes traffic before services or applications on the host process it. It can also take action to filter out malicious traffic or block specific elements of the data received. This is done after traffic has passed through the firewall. It can cause outages if it is misconfigured and blocks legitimate traffic.

HIDS

Host Intrusion Detection Software: reports on and alerts about present issues. A HIDS cannot take action to block traffic, so it has limited use for real-time security, but it has a much lower likelihood of causing a disruption.

NGFW

Next Generation Firewall, primarily a marketing term for a firewall device that includes additional features beyond traditional firewall capabilities, such as:

Built-in IPS and IDS

AntiMalware

Geo-IP

Proxying (allows the device to intercept traffic and analyze it by sitting in the middle of encrypted traffic)

Web application firewall

Sandboxing

Hardening

Involves changing settings on the system to increase its overall level of security and reduce its vulnerability to attack.

Service Hardening

One of the quickest ways to decrease the attack surface of a system is to reduce the number of open ports and services it provides. Port scanners are commonly used to quickly assess which ports are open on a system in order to prioritize hardening. Only the services and ports that must be available to provide necessary services should be open, and they should be limited in their interactions.

Common Ports

22/TCP - Secure Shell (SSH)

53/TCP and UDP - DNS

80/TCP - HTTP

125-139/TCP and UDP - NetBIOS

389/TCP and UDP - LDAP

443/TCP - HTTPS

3389/TCP and UDP - Remote Desktop Protocol

OS Hardening

Relies on changing settings to match the desired security stance for a given system in order to reduce the attack surface of your operating system. Tools and standards exist, such as the CIS benchmarks, to help with this process along with assessing, auditing, and maintaining OS hardening.

Hardening Windows Registry

Configuring permissions for the registry, disallowing remote registry access if it isn’t required for a specific need, and limiting access to registry tools like regedit, so that attackers who do gain access to a system will be less likely to be able to change or view the registry.

Configuration Management

One of the most powerful options for ensuring that the multitude of systems in an organization have the right security settings and for helping keep them safe.

Baseline Configuration

An ideal starting place to build from; it helps reduce complexity and makes configuration management and system hardening possible across multiple machines. Modifications can be made to better suit specific groups.

Documentation

An important part of configuration management. Diagrams, including architecture, network, and data flow diagrams, are used to understand and document how an organization’s technology and systems are set up. This helps ensure that they meet quality standards and helps when performing incident response and disaster recovery operations.

Naming Standards

Helps identify systems based on purpose, location, or other elements included in the naming convention. It can also be used to make systems more anonymous, and it can make scripting and management easier.

Patch Management

Ensuring that systems and software are up to date helps ensure endpoint security by removing known vulnerabilities. It decreases the amount of time exploits and flaws can be used against your systems, but it can also introduce risks: patches can interrupt operations if there are issues with the patch. Allow a little time before installing a patch to see if any issues are reported, and if possible apply the patch in a testing environment before deploying it to all systems.

FDE

Full Disk Encryption encrypts the disk and requires that the bootloader or a hardware device provide a decryption key, along with software or hardware to decrypt the drive for use.

It has its downsides: if the key is lost, the data is practically impossible to recover. On the other hand, if the drive is lost, it is not considered a breach or data loss, since the data is encrypted; it counts only as the loss of a system device.

Transparent Encryption

Is largely invisible to the user, with the drive appearing to be unencrypted during use. This means that the simplest attack against a system that uses transparent FDE is to gain access to the system while the drive is unlocked.

Volume Encryption

Protects specific volumes of the drive, allowing different trust levels and additional security beyond that provided by encrypting the entire disk with a single key.

Opal Storage Specification

A standard published by the Trusted Computing Group’s Storage Workgroup. It specifies both how devices must protect data when they are outside their owners’ control and how to ensure that devices produced by various vendors can interoperate successfully.

SED

Self Encrypting Drives implement encryption capabilities in their hardware and firmware. They require a key to boot from the drive, but they have the same vulnerability as Full Disk Encryption: while the drive is unlocked, it is vulnerable.

Sanitization

Wiping data can be done with a degausser; other methods include DBAN, which overwrites the data with 0’s and 1’s. Data remnants are a big concern with SSDs because they use wear-leveling algorithms that spread wear and tear over the drive, meaning the drive has more space than its listed capacity. In this case the use of built-in secure erase commands can help.

Command Line Tools

head: lists the first 10 lines of a file, or more by using the -n flag

tail: lists the last 10 lines of a file, or more by using the -n flag. The most useful flag is -f, which shows you the file as it changes

cat: short for concatenate, is used to display the contents of a file; combined with the > redirection operator it can add files together, among other capabilities

grep: a search tool that lets you search for patterns matching the provided text, e.g. grep 'word' /file/location, with the -A and -B options to print lines after and before the matched pattern

chmod: lets you set permissions on files and directories using either symbols or numeric expressions; chmod 777 example.txt is the same as chmod ugo+rwx example.txt

logger: appends whatever information you provide as input to the /var/log/syslog file on the system

SSH

Secure Shell is an encrypted protocol used to connect to systems, typically via the command line. It is also the name of a client that uses the SSH protocol to create that connection.

PowerShell

A built-in Windows management, automation, and scripting language tool. It allows management and configuration of Windows systems from the command line. It can also report on the current system and make changes both locally and to remote systems.

OpenSSL

An implementation of the TLS protocol. Like SSH, it is often used to protect other services. It is used for HTTPS traffic and for secured network traffic in general; although it isn’t as good a match for tunneling as SSH or a VPN, it is a reasonable alternative. It is an ideal solution when two systems that may never have communicated before need to communicate securely.

Securing Embedded Systems

Embedded systems are computer systems that are built into other devices, common in industrial machinery, appliances, and cars. They are highly specialized and run customized OSs. To secure these systems you need to understand how the system interfaces with the world and how the device updates, and document what the organization would do if there was a security breach.

RTOS

Real Time Operating System: an OS used when priority needs to be placed on processing data as it comes in, rather than using interrupts for the OS or waiting for tasks being processed to be handled before the data is processed.

Raspberry Pi

An RTOS and a single board computer that has network connectivity, storage, video output, input, CPU, and memory. Used for small-scale custom applications.

Arduinos

Known as a microcontroller, which means it has a low-power CPU with a small amount of memory and storage. Often used in prototyping devices that interface with sensors. Arduinos do not have wireless or wired network connections built in, which reduces their attack surface.

FPGA

Field Programmable Gate Array: a type of computer chip that can be programmed to redesign how it works, allowing it to be a customizable chip. It is a high-efficiency chip but is not itself an embedded system; it is put into embedded systems, and be aware that it can be reprogrammed.

ICS

Industrial Control Systems is a term used to describe industrial automation. It can be used to control and manage a facility’s heating, ventilation, air conditioning, and humidity.

SCADA

Supervisory Control and Data Acquisition refers to large systems that run power and water distribution or other systems covering large areas; the term is used interchangeably with ICS. It is used to acquire data and to control devices, computers, communications, and interfaces in order to control and monitor the entire architecture.

RTU

Remote Telemetry Units collect data from sensors and from programmable logic controllers (PLCs), which control and collect data from industrial devices like machines or robots.

IoT

Internet of Things describes network-connected devices that are used for automation, sensors, security, and similar tasks. Typically a type of embedded system. They have a number of security and privacy concerns:

Weak default settings

Lack of network security (firewalls)

Lack of encryption

Weak authentication

Short support lifespans

Vendor data handling practice issues

Specialized Systems

Medical systems like pacemakers and other medical devices can be attacked with exploits via Bluetooth.

Smart meters used to track utility usage can be attacked to provide utility information about a building.

Vehicles ranging from cars to aircraft and even ships are now network connected and can be attacked to take control of or monitor them.

Drones need to have encrypted connections for their wireless command channels.

VoIP can be targeted because its embedded systems can be vulnerable; segmentation and patch management are key.

Printers, including multifunction printers, are frequently attacked due to their poor security and can provide information from data that is printed, scanned, or faxed.

Surveillance systems like cameras can provide attackers with a view of what is occurring inside a facility.

Communication Considerations

Cellular connectivity can be a concern, with SIM cards being removed and repurposed to run up significant bills, or cloned to allow attackers to present themselves as another party and send and receive information.

Zigbee or Z-Wave protocols provide low-power, peer-to-peer communication for devices that don’t need lots of bandwidth.