3.2 Given a scenario, implement host or application security solutions

  • Endpoint Protection
    • Antivirus
    • Anti-malware
    • Endpoint Detection and Response (EDR)
    • DLP
    • Next-Generation Firewall (NGFW)
    • Host-Based Intrusion Prevention System (HIPS)
    • Host-Based Intrusion Detection System (HIDS)
    • Host-Based Firewall
  • Boot Integrity
    • Boot Security/Unified Extensible Firmware Interface (UEFI)
    • Measured Boot
    • Boot Attestation
  • Database
    • Tokenization
    • Salting
    • Hashing
  • Application Security
    • Input Validations
    • Secure Cookies
    • Hypertext Transfer Protocol (HTTP) Headers
    • Code Signing
    • Allow List
    • Block List/Deny List
    • Secure Coding Practices
    • Static Code Analysis
      • Manual Code Review
    • Dynamic Code Analysis
    • Fuzzing
  • Hardening
    • Open Ports and Services
    • Registry
    • Disk Encryption
    • OS
    • Patch Management
      • Third-Party Updates
      • Auto-Update
  • Self-Encrypting Drive (SED) / Full-Disk Encryption (FDE)
    • Opal
  • Hardware Root of Trust
  • Trusted Platform Module (TPM)
  • Sandboxing


Hardware/Firmware Security

It is important to select computer hardware that is secure.  Hardware is sometimes called an endpoint.  An endpoint can be a desktop, a laptop, a server, a phone, or some other device that connects to the network.  Some common security features include

  • Antivirus.  An antivirus program has two methods of detecting viruses

    • Definitions:  A definition is a specific “fingerprint” of the virus.  An antivirus program may contain hundreds of thousands of virus definitions.  It scans each new file introduced into the computer against the definitions.  If the attributes of a file match a definition, then the antivirus program knows that it has located a virus (and knows which virus it has located).

      To develop the antivirus definitions, the antivirus software manufacturer must first obtain copies of the virus and create the definition.  That means that some computers have already been infected with the virus by the time the definition has been created.  Thus, definitions do not provide complete protection against viruses.

      A polymorphic virus is one that attempts to change its code.  Each time the virus runs, the code changes slightly, but the damage that it causes remains the same.  A polymorphic virus attempts to hide from antivirus definitions.

    • Heuristics.  A heuristic is a type of artificial intelligence.  It allows the antivirus program to determine whether a specific program is legitimate or not, based on its behavior.  For example, a program that attempts to modify critical system files is likely not legitimate.

      The latest generation antivirus programs share data with the cloud.  For example, Norton Antivirus automatically collects data regarding suspicious applications from users.  This data is sent to a response center for further analysis.  Norton Antivirus then updates all user programs with the results.  By sharing data with the cloud, antivirus programs are able to detect viruses faster.
  • Anti-malware.  An antimalware program takes antivirus a step further and also detects other types of bad actors such as spyware.  Most programs combine the antivirus and antimalware features into one application.

  • Endpoint Detection and Response (EDR).  EDR is an application that monitors the endpoint in real time to see if it has violated any rules.  An administrator first programs the EDR with a set of security rules and then deploys the application.  The EDR may send the data that it collects to a central server, and it may use AI.
  • Data Leak Prevention (DLP).  DLP can be a software application that monitors whether sensitive information is leaked from the user’s computer and block the transmission.  The DLP can stop leaks from a computer to another device on the internal network.

  • Next Generation Firewall (NFGW).  A Next Generation Firewall can be a software application that blocks malicious attempts to access the endpoint.

  • Host-Based Intrusion Prevention System (HIPS).  A HIPS is a software application that monitors and blocks intrusion attempts.

  • Host-Based Intrusion Detection System (HIDS).  A HIDS is a software application that monitors and but does not block intrusion attempts.

  • FDE (Full-Disk Encryption) / SED (Self Encrypting Drives).  Full Disk Encryption is a process where the hard disk drive automatically encrypts and decrypts its data.  SEDs usually have dedicated encryption/decryption chips.  A self encrypting drive removes the encryption/decryption workload from the computer’s processor (otherwise, drive encryption could slow a computer down by up to 30%).

    • The drive randomly generates an encryption key, which it uses to encrypt and decrypt the data.  The user chooses a password.  The drive secures the encryption key with the password and stores the encrypted key on the drive.

    • When the computer boots up, the user must enter his password.  The drive uses the password to decrypt the key.  It loads the key into memory and uses it to decrypt the data.

    • If the user forgets the password, it would be impossible to retrieve the key.

    • Many organizations use BitLocker (a software-based encryption method).  BitLocker encryption keys can be stored in Active Directory and retrieved.

    • FDE can be attacked.  Some SEDs have firmware with security vulnerabilities that can be attacked.  If the drive is running, then the encryption key will be stored in memory and can be stolen.  The drive remains decrypted while it is powered on.  A running drive can be moved to another computer (without removing power), and then data on it can be accessed.

  • Opal.  Opal is a set of specifications that self-encrypting drive manufacturers follow.

  • TPM.  A Trusted Platform Module.  The TPM is a chip, and the purpose of the TPM is to ensure that a piece of computer hardware boots up using trusted hardware and software.  A TPM prevents a malicious person from booting a computer with a modified operating system.

    • For example, BitLocker encrypts the entire disk with a random key.  It stores the key inside the TPM (protected by the user’s password).  When the user enters a password, the TPM releases the key.  The TPM verifies that the Windows operating system has not been modified.  If a user removes the hard drive from the computer and attempts to boot it in another computer, it will not boot because the TPM is missing (and therefore so is the key).

    • The Department of Defense requires that all new computer hardware (including desktops, laptops, phones, and tablets) contain TPMs

  • HSM (Hardware Security Module)

    • A Hardware Security Module manages digital keys for cryptoprocessing.  The HSM

      • Generates keys

      • Stores keys securely

      • Encrypts and decrypts data

    • An HSM must have

      • Logical and physical high-level protection

      • Multi-part user authorization schema

      • Full audit and log traces

      • Secure key backup

  • UEFI/BIOS or Unified Extensible Firmware Interface / Basic Input Output System.  UEFI has replaced the legacy BIOS.  UEFI/BIOS allow the operating system to interact with the physical system devices.

  • Secure Boot and Attestation.  Secure Boot is a feature of UEFI/BIOS that ensures that a foreign operating system does not load.  Each operating system is signed with a key ensuring its authenticity.  When an operating system is first installed, its public key is stored in the Secure Boot section of the UEFI/BIOS.  The Secure Boot section is then locked.  Afterwards, each time that the computer boots, the UEFI/BIOS uses the public key to ensure that it matches that of the operating system being loaded.

  • Hardware Root of Trust.  The hardware root of trust builds on the secure boot and other security components.  It prevents a device from loading a rogue operating system. 

    Consider that each operating system, software application, or boot loader is digitally signed with a private key (that can be verified by a public key).  When a software application attempts to load, the operating system will first check that it is digitally signed.  How can a computer prevent a rogue operating system from loading? 

    In a hardware root of trust, the operating system’s public key is physically burned into the computer’s hardware.  This key cannot be changed.  When the operating system (or boot loader) loads, the hardware uses the public key to verify that it is loading a legitimate operating system.  If the signature does not match, then the computer hardware does not allow the operating system to load.

    The Hardware Root of Trust is a feature found on Apple iPhones.  It is not possible to load an operating system on an Apple iPhone unless it has been digitally signed by Apple.  If the operating system is replaced or becomes corrupted, the phone will not boot and will require the user to reload the original operating system.

  • Measured Boot.  If malware infects the computer’s boot records, then the malware can load before the operating system.  This would make the malware undetectable.  To prevent this, the measured boot feature takes a reading of each driver when the computer boots and logs it in the TPM.  Antimalware software can read the log and verify that the drivers have not been tampered with.

Operating Systems

There are multiple types of operating systems

  • Network Operating System.  A network operating system runs on a router or switch.  Examples include Cisco IOS and FortiOS.  A network operating system may be proprietary to the hardware that it runs on.

  • Server Operating System.  A server operating system runs on a server (or turns regular computer hardware into a server).  Server operating systems can run on a wide range of hardware.  A server operating system may include software applications such as web hosting, e-mail, and file storage.  Examples include Windows Server and UNIX.

  • Workstation.  A workstation operating system runs on a personal computer such as a laptop or desktop.  Examples include Microsoft Windows and Apple OS X.  Workstation operating systems are subject to frequent updates.

  • Appliance.  An appliance operating system runs on an appliance such as a firewall, network storage appliance, or network video recorder.  It is typically written by the manufacturer of the device and is proprietary.  It will contain only the features necessary to run that device.   Examples include FortiOS, which runs only on Fortinet firewalls and switches.

  • Kiosk.  A kiosk operating system is a hardened operating system that runs on a public device that is subject to abuse.  It could include Microsoft Windows (with special software to lock out most of the features) or Microsoft Windows PE (Portable Edition).

  • Mobile OS.  A mobile OS runs on a mobile device.  It may include features that allow it to interact with mobile device components such as vibration generators and accelerometers.  A mobile operating system may run on a wide range of devices (such as Android) or only on a single device (such as Apple iOS).

Prior to deploying an operating system, an organization must ask

  • How will this operating system interact with the hardware in use at this organization? 

  • Does it include the correct drivers for all of the hardware used by the organization? 

  • Is it compatible with the types of software used by the organization?

  • Is it user friendly (do users have adequate training)?

  • Are multiple versions of the operating system required (for different user roles, locations or hardware types)?

  • Does the organization have a license to deploy the operating system?

  • Can the organization deploy the operating system automatically?

  • Does the operating system provide mechanisms to secure the user data?

The organization should test different versions of the operating system on a small scale prior to deploying it across the entire organization.

Consider the following

  • Most operating system manufacturers release patches which provide additional compatibility with peripherals, improve device security, and additional features.  A patch may cause undesired operation.

    • An administrator must be able to deploy patches across all devices automatically, but must test the patches on a few sample devices first.  We must also be able to keep track of the patches that have been deployed.

    • Some organizations may allow users to automatically receive updates (such as through Windows update)

  • Unnecessary ports and services are found on every operating system.  Each unnecessary port or service could contain multiple security vulnerabilities, and the more unnecessary items running in the background, the wider the attack surface.  An organization should remove any unnecessary item.

  • Do not allow users to access the registry.

  • Least functionality.  Least functionality asks the question: what is the minimum set of components required for a user to perform his/her job?  Any extraneous components (such as games) are removed or disabled.

  • Secure configuration.  A secure configuration is one that does not allow any unnecessary changes to the operating system.

  • Trusted operating system.  A trusted operating system is one that is recognized by the computer hardware as being legitimate.  All other operating systems are prohibited from loading.

  • Application whitelisting/blacklisting.  Application whitelisting is the process of allowing only specific applications to load/be installed.  Blacklisting is the process of denying specific applications from loading/installing.

  • Disable default account/password.  Many operating systems come with a default admin account/password.  If a user or malicious individual finds this account, he could log in to the computer and compromise it.  The default account should be disabled, and/or the username/password should be changed.

Peripherals

An organization should carefully evaluate the use of any peripheral that it deploys.  It should ask

  • Does this peripheral have a legitimate business need?

  • Is the peripheral cost-effective?

  • Does the peripheral pose a security risk?

  • Is the peripheral compatible with existing computer hardware or software?

  • What is the cost of supporting the peripheral?

  • Can the firmware on the peripheral be updated automatically?

Some peripherals

  • Wireless Keyboard / Mouse.  A wireless keyboard / mouse can communicate with a computer through a wireless dongle or via Bluetooth (less common).  The connection between the keyboard / mouse and the computer can be compromised.  Keystrokes can be logged.  The connection can also be used to hijack the computer and to introduce malware.  It is important to select wireless keyboards / mice that offer encryption.

  • Display.  A computer monitor is not typically thought of as something that can be compromised, especially an analog display.  A display’s video cable can be compromised with a sophisticated device that could intercept and split the video signal.  This would require physical access to the display.  All displays should be equipped with privacy filters, especially those in public places.  Some displays have wireless capabilities (the ability to transmit or receive a wireless video signal).  This type of display can be hijacked.  Some displays can connect to the internet (such as digital signage or drive thru screens).

  • MicroSD Card (with Wi-Fi).  Full sized SD cards can be equipped with Wi-Fi, but it is rare to find a MicroSD Card with Wi-Fi (practically impossible to put a Wi-Fi chip and antenna into a card that size).  The purpose of a MicroSD card with Wi-Fi is so that a hacker can steal all the photographs.  The second purpose of the Wi-Fi is to allow a non-Wi-Fi camera to connect to the Wi-Fi and transfer the photographs.  Technically, the Wi-Fi card connects to the Wi-Fi and then a user could transfer photographs through their smartphone or computer.  A Wi-Fi card will first create an ad hoc network that a user would connect to.  The user can then configure proper WPA2 settings.  It is important to select a card that is secure enough to prevent others from connecting to it via its ad hoc network, and that uses at least WPA2 security.

  • Printers/MFDs.  A printer can be compromised in over one thousand ways.  It is impossible to list every way that a printer can be compromised.

    • A user could send a document to a printer and forget to pick it up, or arrive at the printer after another individual has viewed it

    • A printer may allow users to view documents printed or scanned by other users, either through its GUI or through a web interface

    • A printer may allow users to reprint documents printed by other users

    • A printer may allow a user to e-mail a scanned document to a user outside of the organization, bypassing DLP

    • A printer may allow a user to e-mail a scanned document to a user via an unsecured method

    • A printer may have access to network file shares to store scanned documents; a user could take the printer’s login credentials and use them to compromise the server.  The printer may store its login credentials (active directory) in plain text, which could be viewed through its web interface. 

      Once, I saw an incompetent administrator set up a printer and he entered his own admin credentials in the LDAP settings.  Each time a user scanned a document, the printer used the administrator’s login credentials (instead of an account dedicated for the printer) to access the file server.  A user who accessed the printer’s web interface could have learned the administrator’s username and password.

    • A printer may have firmware that has been compromised or that contains security vulnerabilities, allowing hackers to connect to it

    • A printer may connect to an external service (for example Xerox printers automatically report their toner levels to an external server and reorder supplies when they are low).  This external connection could be used to download malware.

    • A printer could allow a user to connect a USB drive which would introduce malware

    • A printer’s default username and password may not have been changed.

    • In November 2018, a hacker known as TheHackerGiraffe compromised over 50,000 printers.  He sent a document advertising a YouTube channel to each printer over an open network port.

  • External Storage Devices such as USB drives should be prohibited unless necessary.  As explained previously, USB drives can lead to the compromise of sensitive data and can introduce viruses into the organization.

  • Digital Cameras, also known as “web cams” are used to transmit video.  A hacker can compromise a web cam and use it to spy on a user’s most intimate moments (such as them picking their nose) and then blackmail them.  Most modern laptops have physical shutters on the camera; the camera is physically blocked from the outside world.  A camera may be physically integrated into a laptop.  It is important to select a laptop with a physical shutter and close the shutter when not in use.  An external camera should be unplugged.

Database

There are some ways to protect data in a database.  We mentioned them earlier.

  • Tokenization.  Data tokenization is a process of replacing a sensitive piece of data with a non-sensitive piece of data that uniquely identifies it.  The token must match the data type and length.  If we replace a piece of data with another that is the wrong length or type, then we might have an error in the database that stores it.

  • Hashing.  Hashing is where we convert our data into a string through a one-way mathematical function.  Even if the hash is discovered, the original data won’t be.

  • Salting.  We want to add a salt (a random string) to the data before it is hashed.  This prevents it from being reversed with a rainbow table.

Application Security

We mentioned many types of application security measures earlier, but we will summarize them again.

  • Input Validations.  We should always validate each input to ensure that it meets the defined parameters.  Input validation should take place client side and then again server side.

    Input validation reduces the risk that somebody can send in bad data or inject something into our database.

  • Secure Cookies.  A Secure Cookie is one that has a “secure” attribute.  The web browser will not send a secure cookie back to a website unless https is enabled.  That prevents a secure cookie from being sent to an insecure site.

  • Hypertext Transfer Protocol (HTTP) Headers.  We can force communication to take place only over HTTPS.

  • Code Signing.  When we digitally sign our application, then users and operating systems can verify that the code has not been tampered with.

  • Allow List.  An allow list only permits specific applications to run on the operating system.

  • Block List/Deny List.  A block list prevents specific applications from running.

  • Secure Coding Practices.  We should follow a secure template when writing code for the application.  The most common code errors are mentioned in a previous section.

  • Static Code Analysis.  We can review the code for errors and security holes prior to deploying it.

  • Dynamic Code Analysis.  The program is fed a set of pre-defined test inputs and the outputs (or resulting errors) are verified

  • Fuzzing.  Thousands or hundreds of thousands of inputs can be entered using automated tools.  Everything can be fuzzed including network protocols, files, and web protocols.  Fuzzing allows for a wide range of errors to be detected.

Sandboxing

A Sandbox is a highly controlled environment for testing new applications.  Each time that an organization chooses to modify an existing (in house) application, develop a new application, or deploy a new (off the shelf) application, it should subject it to extensive testing.

Testing can identify

  • Security vulnerabilities

  • Data corruption

  • Undesired operation

  • Applications that consume excessive system resources

  • Applications that allow users to gain administrative access into the system

The sandbox is an environment that does not allow the application to obtain additional privileges or modify sensitive system components.  It can be a virtual server, or a physical server that is air gapped.  Many application development systems contain sandboxes; they include

  • Linux

  • Google APIs

  • HTML5

  • Java Virtual Machines

  • .NET Code Access Security