
Lesson 12

Implementing Host Security Solutions


Topic 12A
Implement Secure Firmware

CompTIA Security+ Lesson 12 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 2
Syllabus Objectives Covered

• 1.2 Given a scenario, analyze potential indicators to determine the type of attack
• 3.2 Given a scenario, implement host or application security solutions
• 5.3 Explain the importance of policies to organizational security

Hardware Root of Trust

• Hardware root of trust/trust anchor
• Attestation
• Trusted Platform Module (TPM)
  • Hardware-based storage of cryptographic data
  • Endorsement key
  • Subkeys used in key storage, signature, and encryption operations
  • Ownership secured via password
Screenshot used with permission from HP.

Boot Integrity

• Unified extensible firmware interface (UEFI)
• Secure boot
  • Validate digital signatures before running boot loader or OS kernel
• Measured boot
  • Use TPM to measure hashes of boot files at each stage
• Attestation
  • Report boot metrics and signatures to remote server
Screenshot used with permission from HP.
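The measured boot and attestation bullets above describe a chain of hash measurements recorded in the TPM and later checked by a remote server. The following simulation is an added example, not part of the CompTIA slides: it models the TPM "extend" operation on a Platform Configuration Register (PCR), the event log the boot stages leave behind, and the verifier's replay of that log against known-good values. The boot component images and golden digests are constructed for illustration.

```python
# Added example (not from the CompTIA slides): simulated measured boot and
# remote attestation using SHA-256 PCR-extend semantics. Component images
# and "golden" reference digests below are constructed placeholders.
import hashlib
from typing import List, Tuple

PCR_INIT = bytes(32)  # a PCR starts as all zeros at power-on


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: PCR_new = H(PCR_old || measurement). One-way and order-sensitive."""
    return sha256(pcr + measurement)


def measured_boot(stages: List[Tuple[str, bytes]]):
    """Each stage measures the next component before handing control to it.
    Returns the final PCR value (what the TPM would quote) and the event log."""
    pcr, log = PCR_INIT, []
    for name, image in stages:
        digest = sha256(image)      # measurement of the component
        pcr = extend(pcr, digest)   # locked into the TPM; cannot be reset or rolled back
        log.append((name, digest))  # event log is ordinary memory, so it is untrusted
    return pcr, log


def verify_attestation(quoted_pcr: bytes, log, golden) -> Tuple[bool, List[str]]:
    """Remote-server side: replay the log and require it to reproduce the quoted
    PCR (proves the log was not edited), then compare each digest to the known-good value."""
    replay = PCR_INIT
    for _, digest in log:
        replay = extend(replay, digest)
    if replay != quoted_pcr:
        return False, ["event log does not reproduce quoted PCR"]
    bad = [name for name, digest in log if golden.get(name) != digest]
    return not bad, bad


# Constructed sample boot chain (stand-ins for real firmware and kernel binaries).
GOOD_CHAIN = [("uefi", b"UEFI-firmware-v1"), ("bootloader", b"shim+grub-v2"), ("kernel", b"vmlinuz-5.x")]
GOLDEN = {name: sha256(img) for name, img in GOOD_CHAIN}


def attest(chain) -> Tuple[bool, List[str]]:
    """Boot the given chain and have the verifier judge the resulting quote and log."""
    pcr, log = measured_boot(chain)
    return verify_attestation(pcr, log, GOLDEN)


if __name__ == "__main__":
    print(attest(GOOD_CHAIN))  # (True, [])
    tampered = [GOOD_CHAIN[0], ("bootloader", b"shim+grub-v2-MODIFIED"), GOOD_CHAIN[2]]
    print(attest(tampered))    # (False, ['bootloader'])
```

Because the PCR value is held in the TPM, a modified boot loader cannot hide by rewriting the event log: a log that lists the golden digests no longer replays to the quoted PCR, so the verifier rejects it either way.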

Drive Encryption

• Full disk encryption (FDE)
  • Encryption key secured with user password
  • Secure storage for key in TPM or USB thumb drive
• Self-encrypting drives (SED)
  • Data/media encryption key (DEK/MEK)
  • Authentication key (AK) or key encrypting key (KEK)
  • Opal specification compliant
Screenshot used with permission from Microsoft.

USB and Flash Drive Security

• BadUSB
  • Exposes potential of malicious firmware
  • Malicious USB cable
  • Malicious flash drive
• Sheep dip
  • Sandbox system for testing new/suspect devices
  • Isolated from production network/data

Third-party Risk Management

• Supply chain and vendors
  • End-to-end process of supplying, manufacturing, distributing, and finally releasing goods and services to a customer
  • Could malicious actors within supply chain introduce backdoor access via hardware/firmware components?
  • Most companies must depend on governments/security services to ensure trustworthiness of market suppliers
  • Consider implications of using second-hand equipment
• Vendors versus business partners

End of Life Systems and Lack of Vendor Support

• Support lifecycles
  • End of life (EOL)
    • Product is no longer sold to new customers
    • Availability of spares and updates is reduced
  • End of service life (EOSL)
    • Product is no longer supported
• Lack of vendor support
  • Abandonware
  • Software and peripherals/devices

Organizational Security Agreements

• Memorandum of understanding (MOU)
  • Intent to work together
• Business partnership agreement (BPA)
  • Establish a formal partner relationship
• Non-disclosure agreement (NDA)
  • Govern use and storage of shared confidential and private information
• Service level agreement (SLA)
  • Establish metrics for service delivery and performance
• Measurement systems analysis (MSA)
  • Evaluate data collection and statistical methods used for quality management

Topic 12B
Implement Endpoint Security

Syllabus Objectives Covered

• 3.2 Given a scenario, implement host or application security solutions

Host Hardening

• Reducing attack surface
  • Interfaces
    • Network and peripheral connections and hardware ports
  • Services
    • Software that allows client connections
  • Application service ports
    • TCP and UDP ports
    • Disable application service or use firewall to control access
    • Detect non-standard usage
  • Encryption for persistent storage

Baseline Configuration and Registry Settings

• OS/host role
  • Network appliance, server, client
• Configuration baseline template
  • Registry settings and group policy objects (GPOs)
• Malicious registry changes
• Baseline deviation reporting

Screenshot used with permission from Microsoft.

Patch Management

• All types of OS, application, and firmware code potentially contain vulnerabilities
• Patch management essential for mitigating these vulnerabilities as they are discovered
• Update policies and schedule
  • Apply all latest – auto-update
  • Only apply specific patches
  • Third-party patches
  • Scheduling updates
  • Managing unpatchable systems

Endpoint Protection

• Antivirus (A-V)/anti-malware
  • Signature-based detection of all malware/PUP types
• Host-based intrusion detection/prevention (HIDS/HIPS)
  • File integrity monitoring and log/network traffic scanning
  • Prevention products can block processes or network connections
• Endpoint Protection Platform (EPP)
  • Consolidate agents for multiple functions
  • Combine A-V, HIDS, host firewall, content filtering, encryption, …
• Data loss prevention (DLP)
  • Block copy or transfer of confidential data
• Endpoint protection deployment

Next-Generation Endpoint Protection

• Endpoint detection and response (EDR)
  • Visibility and containment rather than preventing malware execution
  • User and entity behavior analytics driven by cloud-hosted machine learning
• Next-generation firewall integration
  • Use endpoint detection to alter network firewall policies
  • Block fileless threats and covert channels
  • Prevent lateral movement

Antivirus Response

• Signature-based detection and heuristics
• Malware identification and classification
  • Common Malware Enumeration (CME)
  • Manual remediation advice
• Advanced malware tools
  • Manually identify file system changes and network activity
• Sandboxing
  • Execute malware for analysis in a protected environment

Topic 12C
Explain Embedded System Security Implications

Syllabus Objectives Covered

• 2.6 Explain the security implications of embedded and specialized systems

Embedded Systems

• Computer system with dedicated function
• Static environment
• Cost, power, and compute constraints
  • Single-purpose devices with no overhead for additional security computing
• Crypto, authentication, and implied trust constraints
  • Limited resource for cryptographic implementation
  • No root of trust
  • Perimeter security
• Network and range constraints
  • Power constrains range
  • Emphasize low data rates, but minimize latency

Logic Controllers for Embedded Systems

• Programmable logic controller (PLC)
• System on chip (SoC)
  • Processors, controllers, and devices all provided on single package
  • Raspberry Pi
  • Arduino
• Field programmable gate array (FPGA)
  • End customer can configure programming logic
• Real-time operating system (RTOS)
  • Designed to be ultra-stable
  • Prioritizes real-time scheduling

Embedded Systems Communications Considerations

• Operational Technology (OT) networks
  • Serial data and Industrial Ethernet
• Cellular networks/baseband radio
  • Narrowband-IoT (NB-IoT)
  • LTE Machine Type Communication (LTE-M)
  • 4G versus 5G
  • Subscriber identity module (SIM) cards
  • Encryption and backhaul
• Z-Wave and Zigbee
  • Low-power wireless over ~900 MHz and 2.4 GHz
  • Encryption and pairing

Industrial Control Systems (1)

• Availability, integrity, confidentiality (AIC triad)
• Workflow and process automation
• Industrial control systems (ICSs)
  • Plant devices and embedded PLCs
  • OT network
  • Electromechanical components and sensors
  • Human machine interface (HMI)
  • Data historian
• Supervisory Control and Data Acquisition (SCADA)
  • Runs on PCs to gather data and perform monitoring
  • Manage large-scale, multiple site installations over WAN communications

Industrial Control Systems (2)

• Energy
  • Power generation and distribution
• Industrial
  • Mining and refining raw materials
• Fabrication and manufacturing
  • Creating components and assembling them into products
• Logistics
  • Moving things
• Facilities
  • Site and building management systems
  • Heating, ventilation, and air conditioning (HVAC)

Internet of Things

• Machine to Machine (M2M) communication
• Hub/control system
  • Communications hub
  • Control system for headless devices
  • Smart hubs and PC/smartphone controller apps
• Smart devices
  • IoT endpoints
  • Compute, storage, and network functions and vulnerabilities
• Wearables
• Sensors
• Vendor security management
  • Weak defaults
  • Patching and updates

Specialized Systems for Facility Automation

• Building automation system (BAS)
  • Smart buildings
  • Process and memory vulnerabilities
  • Credentials embedded in application code
  • Code injection
• Smart meters
• Surveillance systems
  • Physical access control system (PACS)
  • Risks from third-party provision
  • Abuse of cameras

Specialized Systems in IT

• Multifunction printer (MFP)
  • Hard drives and firmware represent potential vulnerabilities
  • Recovery of confidential information from cached print files
  • Log data might assist attacks
  • Pivot to compromise other network devices
• Voice over IP
• Shodan
Screenshot used with permission from shodan.io.

Specialized Systems for Vehicles and Drones

• Unmanned Aerial Vehicles (UAV)/drones
• Computer-controlled or assisted engine, steering, and brakes
• In-vehicle entertainment and navigation
• Controller area network (CAN) serial communications buses
• Onboard Diagnostics (OBD-II) module
• Access via cellular or Wi-Fi

Specialized Systems for Medical Devices

• Used in hospitals and clinics but also at home by patients
• Potentially insecure protocols and control systems
  • Use compromised devices to pivot to networks
  • Stealing Protected Health Information (PHI)
  • Ransom by threatening to disrupt services
  • Kill or injure patients

Security for Embedded Systems

• Network segmentation
  • Strictly restrict access to OT networks
  • Increased monitoring for SCADA hosts
• Wrappers
  • Use IPSec for authentication, integrity, and confidentiality
• Firmware code control
  • Supply chain risks
  • Inability to patch
  • Inadequate vendor support
  • Time-consuming patch procedures
  • Inability to schedule downtime

Lesson 12
Summary
