Endpoint Security - Hardening Part 2

Time
8 hours 20 minutes
Difficulty
Advanced
CEU/CPE
9
Video Transcription
Endpoint Security Hardening, Part 2.

The learning objectives for this lesson are to differentiate secure boot configurations, to explore hardware-based encryption technologies, and to explore host-based protection technologies. Let's get started.

Secure boot configurations. Currently, we have two main types of secure boot configurations. The first is the basic input/output system, or BIOS, and also the unified extensible firmware interface, or UEFI. Both of these are designed for the booting and the loading of an operating system. They could be for both computers or other devices. BIOS uses the Master Boot Record, or MBR, for boot information, whereas the UEFI uses a GUID partition table, known as the GPT. UEFI is more advanced and allows for boot integrity checks.

Trusted Platform Module, or TPM. These are specifications for hardware-based storage of encryption keys, hashed passwords, and other identification data. It's part of a chipset, or it could also be an embedded function in the CPU. Each TPM has a hard-coded, unique, and unchangeable asymmetric private key known as the endorsement key. This is used to create subkeys. However, when a TPM owner takes ownership of the TPM, this will destroy the subkeys. TPMs are becoming more and more common because it is an embedded technology that's already built onto our device to allow us to store keys, and it did cause some problems when Windows 11 came out, because Windows 11 was stating that you had to have a TPM to be able to use it, and this caused problems for a lot of people who had older computers that might not be able to migrate over to Windows 11 because of that.

We could also use secure boot. This prevents computers from being hijacked by a malicious operating system. It's configured with a digital certificate from a valid operating system vendor, and then the firmware checks the bootloader to ensure that the certificate is valid. This requires UEFI, but not a TPM.

We can also use measured boot. This uses platform configuration registers, or PCRs, that are in the TPM at every stage of the boot process. It validates the hashes of key boot firmware, bootloader, kernel, and drivers to ensure that they have not been altered during the boot process.

Hardware-based encryption technologies. Attestation services. These are hardware-backed attestation that ensure the integrity of the startup and runtime operations of a device. We can use remote attestation services that provide a central way of interfacing with these locally installed devices. OEMs will add a secure boot data portion to the nonvolatile RAM, or NVRAM, during the manufacturing of the device. This will contain the signature database, the revoked signature database, and the key enrollment database.

Hardware security module, or HSM. These are network appliances that offer centralized PKI management for the network. They can offer key escrow for devices. Comparing them to a certificate server, a hardware security module offers a smaller attack surface, and they're also tamper-evident. This helps to protect against insider threats. The form factors these devices come in could include rack-mount, plug-in PCIe adapters, and also USB peripherals.

The Trusted Computing Group, or TCG, maintains a list of self-encrypting drives, known as SEDs. They have their own specs for this, and they're known as the TCG Opal 2.0. Opal 2.0 is designed to be completely transparent to the system or the operating system. It incorporates FIPS 140-2 and IEEE 1667 encryption standards, and it uses an onboard encryption processor to keep the contents of the hard drive encrypted.

Host-based protection technologies. Now, we're all familiar with antivirus software, and originally this was just signature-based: it would scan files looking to see if anything matched the signatures that were in the antivirus database. But now antivirus software has evolved to become anti-malware software, and not only that, the techniques that it uses to find different points of attack or malicious activity have also improved over time as well. Now, we're looking to see if processes are being launched, and we can intercept them, and then it will look for a signature match. We're also not looking just for viruses anymore, because now we need to look for trojans, spyware, rootkits, and ransomware.

The Common Malware Enumeration, or CME. This is where malware will be tagged with an identifier so that it can be researched for its symptoms and its methods and how the malware will be used, and we can use this to help update our technology to ensure that when a new technique is noticed, we're able to create a way of preventing that or catching it and then pushing that out to our customers through their anti-malware software.

We can also use application controls. This determines which software can be run and also by whom. The software can be limited to run only during work hours, and then from certain directories, and then only if it matches a specific digital signature. We can use this to block software installs as well, through the use of allow lists and block lists. This is a very handy type of thing to use where, for example, in some of our sites that use electronic medical records, we have those EMRs set to not be allowed to be used on workstations after business hours. The computers stay on because they need to be updated or have different things run on them as part of managed services, but no one needs to be accessing the EMR. A lot of times, when an attacker would get in, they can log in to the EMR and then steal the data through that workstation and then just send it straight out of the network. There's no reason for that type of thing to be running after business hours, so we set those not to be able to be run.

We can also use host-based firewalls. This is a firewall that's run on a single host, and it will protect that host only. It's not a network firewall. It will use packet filtering and ACLs to allow or block traffic on that given host.

We can also use redundant and self-healing hardware. This is because we need availability for our devices. Availability is critical; it's part of the CIA triad. We can use redundant components, such as power supplies or drives, and even computers in clusters, to help ensure that we have a level of redundancy there. Self-healing hardware can detect and react if components are going to fail, in a way that allows for continued operation. It can also be pre-emptive by detecting and then alerting to an impending failure. A good example of this at a very basic level is redundant power supplies. A lot of servers can come with two power supplies in them, and if one fails, the other automatically picks up and keeps on going, and then you get an alert to let you know that you need to come and replace the one that died. This is a really good way to ensure the server stays up and running. If you're looking at keeping critical devices up and running, because sometimes it's not just a server, you might need redundant firewalls. When you're looking at this, you need to decide what is critical and then what you can put into it that would allow it to stay up and running given specific failures that you've determined in your risk assessment would be likely or possible in your scenario.

Just like we have intrusion detection systems for the network, we also have them for our hosts. Host-based intrusion detection systems, or HIDS, are similar to the ones we use on our network, but they're only on a single system. They're going to monitor the OS logs, files, and processes, and they may also use file integrity monitoring, because certain files in the system should never change, and if they do, that could be an indication of malicious activity. Host-based intrusion prevention systems, or HIPS, do the same thing, but they also add the ability to respond to the anomalies by either stopping the processes or blocking the traffic.

We also can use endpoint detection and response, or EDR. This is a centralized managed solution, and it's usually available from a cloud portal that monitors many systems at once, and it's looking for malicious activity across all the systems. It will use artificial intelligence and machine learning to monitor user and system behavior and use that for analysis. By watching all the devices in context, a more realistic assessment can be formed. Then once the assessment has been determined to be malicious, it can respond, and these responses are automated. What's really interesting about this is you can have these EDRs installed on your endpoints, but they're also going to be installed on tens of thousands of other endpoints around the world. What this managed solution is offering is they're scanning all of these at the same time, where someone in another country may be exposed to a specific type of attack, and when the EDR responds to it, they're going to be able to use the machine learning and the artificial intelligence to update their own central detection system and then push that out to all the customers. You're getting the benefit, in almost real time, of an attack that happens nowhere near you, but you're going to get the protection from it. This seems to be the new way the industry is shifting, because we can react much faster to intrusions this way.

Finally, we have user and entity behavior analytics, or UEBA. They scan the indicators from our intrusion detection systems and logging systems looking for anomalies. It's often integrated with our SIEMs. It will use a baseline and then compare the entity activity to that baseline. Entities are machine accounts across devices. It's dependent on AI to reduce false positives, because you're going to get a lot of them, especially in a large enterprise environment. Examples of this would be Microsoft Advanced Threat Analysis and Splunk's UEBA.

Let's summarize. We discussed BIOS versus UEFI. We also went over the Trusted Platform Modules, or TPM. We discussed various types of host-based protection technologies and hardware-based encryption technologies.

Let's do some sample questions.

Question 1: A blank can filter network traffic from a single host and block applications from connecting. Host-based firewall.

Question 2: Sometimes it's known as an allow/block list for applications; this determines what apps are allowed to run and by whom. Application controls.

Question 3: Blank is a specification for hardware-based storage of keys that can be used for encryption and identification purposes. Trusted Platform Module, or TPM.

Finally, Question 4: TCG maintains the TCG Opal 2.0 specifications for this type of device. Self-encrypting drives, or SEDs.

I hope this lesson was helpful for you, and I'll see you in the next one.