Using Guides for Risk Assessment
Guides are not necessarily hard and fast rules. The idea of guides is to set bias. Yes, we as humans cannot get around biases, even when we are aware of them. Guides can help us set a baseline to help get a feel for where things should be. The idea is to use the incredibly fast, yet flawed built-in calculator we have evolved to optimize - intuition.
Some examples of guides
- Benchmark: See what throughput is, allows us to set a baseline
- Secure Configuration Guides: All devices need some form of configuration and we want to configure them securely. You should create platform and vendor-specific guides to help operators understand configuration requirements and why specific decisions were made.
A framework is a process idea which helps security professionals provide organization in order to deliver good IT security.
Lots of frameworks available
- Regulatory frameworks
- Non-regulatory frameworks
- National standards
- International standards
- Industry-specific frameworks
- NIST SP800-37 (national standard, and regulatory framework)
- ISACA IT Infrastructure (non-regulatory framework)
- ISO 27000 (international standard)
NIST Management Framework
Not part of Security+ but just an example of the steps within the NIST framework.
- Categorize - not just inventory of assets but also categorize workflows, processes, inputs, and outputs.
- Select - select which controls you need to implement based on regulations, laws, best practices, etc.
- Implement - realize the controls within the environment
- Assess - verify that everything is working the way we want it to, via tests. Possibly performed in a sandbox. Determine the effectiveness of the controls
- Authorize - authorization is when we move to production. It’s important to have authorization before bringing controls online
- Monitor - validate that controls used in practice are effective
Then repeat the process - iterate and improve.
Resilience is the ability of a system to withstand a negative impact. What can we do to make individual systems resilient?
- Scalability: the ability to scale up or down
- Elasticity: the ability to rapidly scale up and down based on demand
- Redundancy: a second or third component of a system or full system. Redundancy is a form of distributed allocation.
- Distributed Allocation:
- Non-Persistence: data which is collected, but will not be saved on restart
- Known State:
Redundant Array of Independent Disks (RAID)
An abstraction layer on top of hard drives which will allow multiple hard drives to act as one. Depending on the type of RAID being used, it can improve integrity and also improve access.
- RAID 0: Striping - increases the speed at which you can read data. It does this by dispersing the data among the drives within the array. If a single drive fails, the file will be unreadable. Provides no data integrity; in fact, it makes it worse than a single drive
- RAID 1: Mirroring - requires an even number of drives. Each file is stored twice by mirroring. Provides data integrity but doesn’t provide a performance bonus
- RAID 2-4: Parity - Minimum of 3 drives, with a dedicated parity drive.
- RAID 5: Parity - Minimum of 3 drives, with parity data distributed among the drives. Provides more predictable recovery actions when a drive fails. You can lose a single drive, but not more than a single drive.
- RAID 6: Parity - Minimum of 4 drives, with parity data distributed among the drives, but the parity is redundant on at least two drives. You can lose up to two drives, but not more than two drives
- RAID 0+1: A mirror of stripes, requires 4 hard drives.
- RAID 10: A stripe of mirrors, requires 4 hard drives.
- Proprietary RAID: There are vendors who make their own innovations on RAID and so you may run into proprietary methods of managing disks and what data is written to them.
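The “lose one drive, but not two” rule for RAID 5 follows directly from XOR parity. The following is an added Python simulation, not code from the original notes: it stripes constructed sample data across four simulated drives with a rotating parity slot, rebuilds the data after one drive is lost, and shows the rebuild failing once two drives are gone.

```python
from functools import reduce

def xor_blocks(blocks):
    """XOR an iterable of equal-length byte blocks (the RAID parity operation)."""
    return bytes(reduce(lambda a, b: bytes(x ^ y for x, y in zip(a, b)), blocks))

def raid5_write(data: bytes, drives: int = 4, chunk: int = 4):
    """Lay `data` out as RAID 5 stripes: drives-1 data chunks plus one parity chunk
    per stripe, with the parity slot rotating across the drives. Returns a list of
    stripes; stripes[s][d] is the block drive d holds for stripe s."""
    per_stripe = chunk * (drives - 1)
    data += b"\0" * (-len(data) % per_stripe)  # pad the final stripe
    stripes = []
    for s, off in enumerate(range(0, len(data), per_stripe)):
        chunks = [data[off + i * chunk: off + (i + 1) * chunk] for i in range(drives - 1)]
        stripe = chunks[:]
        stripe.insert(s % drives, xor_blocks(chunks))  # rotating parity slot
        stripes.append(stripe)
    return stripes

def fail_drives(stripes, failed):
    """Simulate losing the given drives: their blocks become unreadable (None)."""
    return [[None if d in failed else blk for d, blk in enumerate(st)] for st in stripes]

def raid5_read(stripes):
    """Rebuild each stripe from surviving blocks and return the data (parity excluded).
    Raises RuntimeError when any stripe has lost more than one block."""
    out = bytearray()
    for s, st in enumerate(stripes):
        drives = len(st)
        missing = [d for d, blk in enumerate(st) if blk is None]
        if len(missing) > 1:
            raise RuntimeError(f"stripe {s}: {len(missing)} blocks lost; XOR parity cannot recover")
        if missing:  # exactly one block lost: XOR of all the others restores it
            st = st[:]
            st[missing[0]] = xor_blocks(b for b in st if b is not None)
        out += b"".join(blk for d, blk in enumerate(st) if d != s % drives)
    return bytes(out)

if __name__ == "__main__":
    sample = b"constructed sample data for RAID 5"  # constructed input
    array = raid5_write(sample)
    print(raid5_read(fail_drives(array, {1}))[:len(sample)])  # survives one failure
    try:
        raid5_read(fail_drives(array, {0, 2}))
    except RuntimeError as err:
        print("two failures:", err)
```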
Network Attached Storage (NAS) & Storage Area Network (SAN)
NAS & SANs are dedicated systems designed for storage which is accessed over the network.
- NAS: uses file-based sharing protocols such as SMB (Server Message Block) or NFS (Network File System). Runs over a standard network stack (ethernet, TCP/IP), shows up as normal shares on a network.
- SAN: uses block-based storage protocols such as iSCSI. Shows up as disks in the operating system. Fibre Channel (FC) was and is pretty popular for SANs, but making it work is very expensive compared to ethernet. An HBA card is used with Fibre Channel switches to provide connectivity. iSCSI over ethernet is a lot cheaper to implement.
iSCSI Networks have two terms which describe the storage device and the computer devices.
- iSCSI Target: The storage device that the initiator connects to using iSCSI
- iSCSI Initiator: The computer device which is accessing the block storage, it connects to the iSCSI target
- Data Integrity
- Speed / Quick Access
Together these form a concept known as High Availability (HA).
RAID is an example of HA using hard drives. RAID is a good start, but it’s a good idea to begin thinking about systems as a whole rather than just the storage devices. An example of this is clustering systems together in an active-passive failover system. With load balancing, your systems are active-active to help distribute the load among all members of the cluster.
Hardware / Firmware Security
- Full Disk Encryption: Software or firmware based tools to encrypt the entire disk. Windows users will commonly use BitLocker for full disk encryption.
- TPM: Trusted Platform Module. Understand the difference between using a TPM compared to not using one. The TPM stores a private key with no supported method of extracting the private key through its interface. Using the TPM is considered superior for security of the key used for disk encryption. TPM settings can often be configured from the BIOS/UEFI. PGP is an example of a disk encryption system; TrueCrypt was another example, however they went out of business. BitLocker is another example commonly used on Windows systems. FileVault is an example of disk encryption on Mac systems, however it doesn’t use the TPM. If using the TPM and the motherboard is ever destroyed, the data will not be recoverable without the recovery key. TPM 2.0 allows something called SecureBoot which ensures the integrity of everything required to boot the system.
- Self Encrypting Drive (SED): An alternative approach where the drive requires a passkey any time it is accessed. All encryption occurs on the drive itself.
TPM is not exclusive to desktop PCs or servers. It’s very common on embedded systems such as cars and even phones. TPM provides something called a Hardware Root of Trust which prevents many types of embedded systems from booting insecure code.
- Hardware Security Module (HSM): Hardware which is dedicated to calculating and performing checks of keys to offload processing from the CPU. Typically only found within organizations that have high volumes.
Secure OS Types
This is CompTIA’s opinions but required knowledge for the exam.
- Server OS: built-in functionality for handling things like web traffic, file sharing, directory services, etc. Examples are Windows Server, CentOS or Ubuntu Server.
- Workstation OS: CompTIA uses the word workstation, but this is also commonly referred to as “Desktop OS”. Typically meant for end users to work with
- Embedded Systems: Everything from routers to refrigerators. Typically headless systems (no keyboard, mouse or monitor). Examples of embedded system OSes are VxWorks and some distributions of Linux.
- Kiosk OS: Limited function for public users, typically just slimmed down / minimal Linux distributions
- Mobile OS: Typically used for phones and tablets, such as Apple iOS or Android.
Trusted Operating System is a term from the Secure Computer Group, which certifies operating systems for use in governments.
Examples of peripheral devices are:
- Web Cameras
Wired vs wireless peripherals is something that’s important to consider. When you have something that is wired, it is much more difficult to create security problems with the peripheral. A lot more devices these days are wireless, so it’s something to consider.
Bluetooth devices come in different classes, the classes determine the approximate distance that a communication channel can remain stable.
- Bluetooth Class 1: up to 100 meters (330 feet) - hmmm are they trying to challenge CAT standards? :D
- Bluetooth Class 2: up to 10 meters (33 feet)
- Bluetooth Class 3: up to 1 meter (3 feet)
Thinking about distance is an important factor for security - each additional meter out is many more square meters of coverage.
It’s considered better for security to use modern versions of the Bluetooth standards, as well as the least distance required to operate correctly, but an even better question to ask is: do you even need to use a wireless device? Using a cable will always be more secure.
Another common wireless protocol which peripherals connect with is 802.11 or WiFi. WPS is common on peripheral devices, however it’s best practice to disable WPS on your WAPs and so you shouldn’t be using this with your peripherals.
Another common issue with peripherals is hidden WiFi.
SD devices can also be network enabled. There have been attacks which use SD slots as a power source for a wireless device which gathers data.
Displays often have USB ports on them. USB ports left enabled can often be considered dangerous because there are many devices meant for infiltration that look like a USB thumb drive. Turn off unrequired ports when possible, USB or otherwise.
Always avoid backdoors when you can - many devices sacrifice security for convenience and may also contain backdoors or other ways for attackers to get in.
Peripherals should be patched and updated just like any other system.