Endpoint Security - Hardening Part 1


Time: 8 hours 20 minutes
Difficulty: Advanced
CEU/CPE: 9
Video Transcription
>> Endpoint Security - Hardening Part 1.

This is a big topic and I've divided it into two lessons so that we can make sure and cover everything. The learning objectives for this video are: discover hardening techniques, define software patching and device protection, and also explore mandatory access control.

Let's get started. Hardening is the process of making changes to the configuration of an operating system or application to help secure it. You create a standard or a secure configuration for devices that allows all necessary apps to still function but secures the device. The configuration should be saved so it can be deployed again in the future.

Hardening Techniques. The first step is to remove unnecessary services and protocols. For example, if you don't need web server software running on your computer, then disable it, or if you can, actually remove it. If the system doesn't need to send email, remove all email server software. Disable any network interfaces that aren't needed. A lot of computers now will come with multiple interfaces, for example, an Ethernet port and a Wi-Fi port. If you're using Ethernet and not the Wi-Fi, it's best to disable it so that attackers can't use that as a back way into your network. Look for listening ports on the device, and then block any that can't be disabled with a host firewall. Verify all user accounts on the device are needed and that they have the appropriate level of access. A common problem in modern IT today is what we call capability creep. For example, at some point you may give access rights to a user when they only needed them temporarily, but when that need was no longer there, no one went back and removed those capabilities or those access rights. Over time, these accumulate until you have users that have way more privilege and access than they actually need. The last one is to disable USB ports if they're not expressly needed. This will help prevent people from plugging in flash drives, or maybe their mobile device to use as an external device, which helps control data exfiltration.

Best Practice Configurations. Now, this is already a fairly complicated process, but there are groups that have published best practice guidelines that you can use for your own enterprise. For example, the US Department of Defense Security Technical Implementation Guides, or STIGs, and the Center for Internet Security (CIS) benchmarks. These have all the best practices for a given operating system or hardware device that you can use to create your own best practices guideline for your enterprise.

Patching. This is a big one. Software vulnerabilities are discovered every day. As we continue to increase the number of software applications that we're using on our PCs, our mobile devices, our servers, keeping up with all of those and making sure they're all patched is a very daunting process. What is required is a patch management process to ensure that all the vulnerabilities are patched in the appropriate timeframe. Patch management can be manual, automated, or a combination of both. To create a patch management program, you're going to want to look at a few things. The first is to have a specific person or team assigned the responsibility for obtaining and reviewing the security bulletins. If you don't know there's a vulnerability out there, you can't patch it. Next is a way to patch all devices regardless of their operating system or the applications that might be installed. You also want to consider patch management for your cloud resources, which may not be the same as what you would use on your local networks. When you have all the patches available to you, you want to review and classify the updates that you're installing into urgent, important, and non-critical. You also want to have a way to test patches before you actually deploy them to live systems. I'm sure if you've been in IT for any length of time, you have seen where Microsoft updates have caused machines to blue screen after they reboot. This will help prevent that. You can test the patches on a little lab system or a lab network that you create to ensure that it doesn't create any additional problems for you after the patch is installed. Then you're going to want to have logging capabilities to ensure that once those patches are installed they didn't create any new issues for you. Then the ability to immediately push out approved updates. Finally, you want to do periodic evaluation and then full rollouts for non-critical patches.

Preventative Security Measures. These are extra little things you can do on your systems to help prevent attacks. The first one is local drive encryption. This protects the data when the system isn't running. For example, if you had a laptop that maybe had some protected health information on it, and the laptop was stolen, then this would help protect the data on that laptop. Some examples of this are Microsoft's BitLocker, TrueCrypt, and Linux's cryptsetup. Enable no-execute and execute-never. These are set in the CPUs to keep areas of memory separated that are designated for instructions or data. Then lastly, disable CPU virtualization support. This can cause issues for guest isolation, and also allow data to leak from one virtual machine to another. Virtualization can also be used by malware to help hide itself from detection. Secure encrypted enclaves, memory encapsulation. These are protected areas of memory in a database engine that only allow the data to be decrypted on the fly in a CPU, an SoC, or a protected region. Shell restrictions control what a shell is allowed to do. Pretty basic. Then lastly, Address Space Layout Randomization, ASLR, buffer overflow prevention controls. These make it difficult to guess the memory locations of executables in stored memory.

Moving on to mandatory access control. Before we go into this, I wanted to point out that the acronym MAC is used for several things in IT and cybersecurity. But in this particular occurrence, we're using it for mandatory access control. This is a fairly big item for the test. Mandatory access control is based on security clearance levels. Then rather than setting access controls on resources, instead, every object and subject is given an access level with its own label. If you're using a hierarchical approach, subjects may access anything in their level or below. They wouldn't be able to go up a level. Subjects may also not change an object's label or rules on their own account. One key thing to remember about MAC is that it's non-discretionary. That is a testable item.

SELinux. Execution control decides what software or scripts may be installed on a system beyond its current baseline configuration. In Linux, this is achieved using a MAC kernel module known as the Linux Security Module, or LSM. SELinux is an example of an LSM. AppArmor is another common example.

SEAndroid. Android uses MAC through a process known as SEAndroid. Apps are run in sandboxes. This keeps them isolated from each other and from other parts of the system. In addition, when apps are installed, specific permissions are granted, such as access to SMS texting, the ability to make calls, or to view contacts. If you're an Android user and you install an app, you've probably seen this before when the install process will tell you this app is requesting the following permissions. You can choose whether to allow or deny that from there.

Let's summarize what we discussed in this lesson. We discussed system hardening, and also the best practices for that; how you can get resources online to help you create your own hardening process in your own network. Patch management, why it's important, and how to go about doing it in your own organization. Mandatory access controls, and then we gave some examples with SELinux and SEAndroid.

Let's hit some questions. Question number 1, true or false? MAC requires that all subjects be classified with labels. This is true. That is a key item for MAC: every object or subject has its own label.

Number 2, true or false? Local drive encryption can prevent a ransomware attack since the encryption will prevent the malware from reading your data. This is false. Local drive encryption only protects the data when the operating system is off. If the operating system is running, the malware can read the encrypted data at the same access level as the currently logged-in user. It's not going to protect you from a ransomware attack.

Number 3, which of the following is not a part of hardening? Remove unnecessary services, install the latest version of Microsoft Office, verify all accounts on the system are necessary, or close unnecessary ports. This is a little bit of a trick question because if Microsoft Office is necessary in your enterprise, then you're going to want to deploy the most current version when you deploy systems. However, the test is usually looking for what is the best answer, and since not every organization uses Microsoft Office, it would not be a part of a hardening process that is a generalized approach for everyone. However, the other three, removing unnecessary services, verifying all accounts, and closing ports, would be.

Number 4, true or false? A patch management process should push out all patches as soon as they're available to decrease the chances of compromise. This is false. Patches should first be classified and then tested before deployment.