# Implement Secure Firmware
## Hardware Root of Trust
- Hardware root of trust/trust anchor
- Attestation
- Trusted Platform Module (TPM)
- Hardware security module type (TPM chip)
- Allows for secure boot
- Hardware-based storage of cryptographic data
- Endorsement key
- Subkeys used in key storage, signature, and encryption operations
- Ownership secured via password
## Boot Integrity
- Unified Extensible Firmware Interface (UEFI)
- Secure boot
- Validate digital signatures before running boot loader or OS kernel
- Measured boot
- Use TPM to measure hashes of boot files at each stage
- Attestation
- Report boot metrics and signatures to remote server
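
Measured boot and attestation, sketched as an added example (not part of the original notes): each stage is hashed and extended into a PCR, and a remote verifier replays the reported event log against the reported PCR. The stage names and contents are constructed, and the TPM's signature over the PCR value is assumed and omitted.

```python
import hashlib

def measure(blob: bytes) -> bytes:
    """Hash of a boot component, taken before the component runs."""
    return hashlib.sha256(blob).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: new PCR = SHA-256(old PCR || measurement). Never a plain write."""
    return hashlib.sha256(pcr + digest).digest()

def boot(stages):
    """Device side: measure every stage in order, return (event log, final PCR)."""
    pcr, log = bytes(32), []          # PCR starts at all zeros on reset
    for name, blob in stages:
        digest = measure(blob)
        pcr = extend(pcr, digest)
        log.append((name, digest))
    return log, pcr

def verify(log, reported_pcr, known_good):
    """Verifier side: an empty list of findings means the boot chain is trusted."""
    findings = []
    pcr = bytes(32)
    for _name, digest in log:         # replay the log exactly as the TPM saw it
        pcr = extend(pcr, digest)
    if pcr != reported_pcr:
        findings.append("event log does not match reported PCR")
    for name, digest in log:
        if known_good.get(name) != digest:
            findings.append(f"unexpected measurement for {name}")
    return findings

# Constructed sample data: three boot stages and their reference hashes.
GOOD_STAGES = [("firmware", b"uefi-fw-v1"),
               ("bootloader", b"loader-v1"),
               ("kernel", b"kernel-v1")]
KNOWN_GOOD = {name: measure(blob) for name, blob in GOOD_STAGES}

if __name__ == "__main__":
    log, pcr = boot(GOOD_STAGES)
    print("clean boot:", verify(log, pcr, KNOWN_GOOD))
    tampered = [GOOD_STAGES[0], ("bootloader", b"loader-evil"), GOOD_STAGES[2]]
    bad_log, bad_pcr = boot(tampered)
    print("modified bootloader:", verify(bad_log, bad_pcr, KNOWN_GOOD))
    # Reporting the clean log alongside the tampered PCR is caught by the replay.
    print("forged log:", verify(log, bad_pcr, KNOWN_GOOD))
```

Because each extend hashes the previous PCR value, a changed or reordered stage alters the final PCR, so a log edited to look clean no longer replays to the reported value.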
## Drive Encryption
- FDE **Full Disk Encryption**
- Encryption key secured with user password
- Secure storage for key in TPM or USB thumb drive
- SED **Self-Encrypting Drives**
- Drive itself handles encryption
- Data/media encryption key (DEK/MEK)
- Authentication key (AK) or key encrypting key (KEK)
- Opal specification compliant
## USB and Flash Drive Security
- **BadUSB**
- Exposes potential of malicious firmware
- Malicious USB cable
- Malicious flash drive
- Drive looks blank, but the firmware underneath is compromised and may be used maliciously
- Sheep Dip
- Sandbox system for testing new/suspect devices
- Isolated from production network/data
## Third-Party Risk Management
- **Supply chain and vendors**
- End-to-end process of supplying, manufacturing, distributing, and finally releasing goods and services to a customer
- Could malicious actors within supply chain introduce backdoor access via hardware/firmware components?
- Most companies must depend on governments/security services to ensure trustworthiness of market suppliers
- Consider implications of using second-hand equipment
- Vendors versus business partners
## End of Life Systems and Lack of Vendor Support
- Support lifecycles
- **End of life (EOL)**
- No more patches and updates
- For example, Windows XP
- Product is no longer sold to new customers
- Availability of spares and updates is reduced
- **End of service life (EOSL)**
- Product is no longer supported
- Lack of vendor support
- Abandonware
- Software and peripherals/devices
## Organizational Security Agreements
- **Memorandum of understanding (MOU)**
- Intent to work together
- **Business partnership agreement (BPA)**
- Establish a formal partner relationship
- **Non-disclosure agreement (NDA)**
- Govern use and storage of shared confidential and private information
- **Service level agreement (SLA)**
- Establish metrics for service delivery and performance
- **Measurement systems analysis (MSA)**
- Evaluate data collection and statistical methods used for quality management
# Implement Endpoint Security
## Host Hardening
- Reducing attack surface
- ONLY have what you need on the server/machine for it to do its job and nothing more. This 20% will make all the difference
- Interfaces
- Network and peripheral connections and hardware ports
- Services
- Software that allows client connections
- Application service ports
- TCP and UDP ports
- Disable application service or use firewall to control access
- Detect non-standard usage
- Encryption for persistent storage
- Data *in use* (not encrypted), at rest, in transit
## Baseline Configuration and Registry Settings
- OS/host rule
- Network appliance, server, client, etc.
- Windows AD can be extremely secure; however, it ships with little security so that an administrator can get everything up and running and then go back and harden it. The more security systems are added, the more hoops there are to jump through to get something running
- Configuration baseline template
- Registry settings and group policy objects (GPOs)
- Malicious registry changes
- Baseline deviation reporting
## Patch Management
- Installing patches and updates
- It is important to test patches & updates in a testing environment
- All types of OS, application, and firmware code potentially contain vulnerabilities
- Patch management essential for mitigating these vulnerabilities as they are discovered
- Update policies and schedule:
- Apply on latest - auto update
- Only apply specific patches
- Third-party patches
- Scheduling updates
- Managing un-patchable systems
## Endpoint Protection
- **Antivirus (A-V)/anti-malware**
- Signature-based detection of all malware/PUP types
- **Host-based intrusion detection/prevention (HIDS/HIPS)**
- File integrity monitoring and log/network traffic scanning
- Prevention products can block processes or network connections
- **Endpoint Protection Platform (EPP)**
- Consolidate agents for multiple functions
- Combine A-V, HIDS, host firewall, content filtering, encryption, …
- **Data loss prevention (DLP)**
- Block copy or transfer of confidential data
- Endpoint protection deployment
## Next-Generation Endpoint Protection
- Endpoint detection and response (EDR)
- Visibility and containment rather than preventing malware execution
- User and entity behavior analytics driven by cloud-hosted machine learning
- Next-generation firewall integration
- Use endpoint detection to alter network firewall policies
- Block fileless threats and covert channels
- Prevent lateral movement
## Antivirus Response
- Signature-based detection and heuristics
- Viruses nowadays typically change their signature every time they replicate
- Heuristics can mitigate this
- Malware identification and classification
- Common malware enumeration (CME)
- Manual remediation advice
- Advanced malware tools
- Manually identify file system changes and network activity
- Sandboxing
- Execute malware for analysis in a protected environment
# Explain Embedded System Security Implications
## Embedded Systems
- Typically little computers within another device meant to help the host system
- Main server -> embedded system (maybe login if main system is off)
- Static environment
- Cost, power, and compute constraints
- Single-purpose devices with no overhead for additional security computing
- Crypto, authentication, and implied trust constraints
- Limited resource for cryptographic implementation
- No root of trust
- Perimeter security
- Network and range constraints
- Power constrains range
- Emphasize low data rates, but minimize latency
## Logic Controllers for Embedded Systems
- **Programmable logic controller (PLC)**
- Control everything from stop lights to things in nuclear facilities
- **System on chip (SoC)**
- Processors, controllers, and devices all provided on single package
- Raspberry Pi
- Arduino
- **Field programmable gate array (FPGA)**
- End customer can configure programming logic
- **Real-time operating system (RTOS)**
- Designed to be ultra-stable
- Prioritizes real-time scheduling
## Embedded Systems Communications Considerations
- Z-Wave and Zigbee
- Often used to communicate and control IoT devices
## Industrial Control Systems
- **Availability, integrity, confidentiality (AIC Triad)**
- Availability is most important; notice that it has the same legs as the CIA triad
- Workflow and process automation
- **Industrial control systems (ICSs)**
- **Plant devices and embedded PLCs**
- OT network
- SCADA **Supervisory Control and Data Acquisition**
- Monitors important things like temperatures and pipeline pressures
- Runs on PCs to gather data and perform monitoring
- Manage large-scale, multiple site installations over WAN communications
- Energy
- Power generation and distribution
- Industrial
- Mining and refining raw materials
- Fabrication and manufacturing
## IoT
- Machine to Machine (M2M) communication
- Hub/control system
- Communications hub
- Control system for headless devices
- Smart hubs and PC/smartphone controller apps
- Smart devices
- IoT endpoints
- Compute, storage, and network functions and vulnerabilities
- Wearables
- Sensors
- Vendor security management
- Weak defaults
- Patching and updates
## Specialized Systems for Facility Automation
- Building automation system (BAS)
- Smart buildings
- Process and memory vulnerabilities
- Credentials embedded in application code
- Code injection
- Smart meters
- Surveillance systems
- Physical access control system (PACS)
- Risks from third-party provision
- Abuse of cameras
## Specialized Systems in IT
- Multifunction Printer (MFP)
- Hard drives and firmware represent potential vulnerabilities
- Recovery of confidential information from cached print files
- Log data might assist attacks
- Pivot to compromise other network devices
- Voice over IP
- Shodan
## Specialized Systems for Vehicles and Drones
- Unmanned Aerial Vehicles (UAV)/drones
- Computer-controlled or assisted engine, steering, and brakes
- In-vehicle entertainment and navigation
- Controller area network (CAN) serial communications buses
- Onboard Diagnostics (OBD-II) module
- Access via cellular or Wi-Fi
## Specialized Systems for Medical Devices
- Used in hospitals and clinics but also at home by patients
- Potentially unsecure protocols and control systems
- Use compromised devices to pivot to networks
- Stealing Protected Health Information (PHI)
- Ransom by threatening to disrupt services
- Kill or injure patients
## Security for Embedded Systems
- Network segmentation
- Strictly restrict access to OT networks
- Increased monitoring for SCADA hosts
- Wrappers
- Use IPsec for authentication, integrity, and confidentiality
- Firmware code control
- Supply chain risks
- Inability to patch
- Inadequate vendor support
- Time-consuming patch procedures
- Inability to schedule downtime