3.0 Implementation

3.2 Given a scenario, implement host or application security solutions

Chapters 6 & 11 in the Wiley Security+ Book.
Last edited 709 days ago by Makiel [Muh-Keel].

🖥 Endpoint Protection

Protecting endpoints in your organization is a significant portion of the daily tasks for many security professionals.
For most organizations, endpoints significantly outnumber the servers and network devices, and because end users control or use them, they face a wide variety of threats that a server is unlikely to encounter.

🌉 Preserving Boot Integrity

Security practitioners in high-security environments need a means of ensuring that the entire boot process is provably secure.

🥾 Boot security / Unified Extensible Firmware Interface (UEFI)

One way to maintain boot security is using the Secure Boot function of your machine.
Secure Boot ensures that the system boots using only software that the original equipment manufacturer (OEM) trusts.
To perform a secure boot operation, the system must have a signature database listing the signatures of trusted software and firmware for the boot process.

📏 Measured Boot

Measured Boot is the process of storing hash values used for authentication during a Secure Boot sequence. Values are stored in the boot log within a TPM.
These boot processes measure each component, starting with the firmware and ending with the boot start drivers.
Measured boot does not validate against a known good list of signatures before booting; instead, it relies on the UEFI firmware to hash the firmware, bootloader, drivers, and anything else that is part of the boot process.
The data is stored in the TPM (or any other hardware root of trust) and security administrators can remotely validate the state of the boot.
A Hardware Root of Trust contains the cryptographic keys that secure the boot process.
This means the system or device inherently trusts the hardware root of trust; TPMs are an example of a Hardware Root of Trust.
TPMs (Trusted Platform Modules) are computer chips that store security information. If the TPM chip has been tampered with or its internals are missing, your PC will sound an alarm.
TPMs provide 3 major functions:
Remote attestation, allowing hardware and software configurations to be verified
Binding, which encrypts data
Sealing, which encrypts data and sets requirements for the state of the TPM chip before decryption

📜 Boot Attestation

Boot Attestation means that our device is going to provide a central management server with a verification report showing all of the information that’s been gathered.
This process allows the remote server to make decisions about the state of the system based on the information it provides, allowing access control and quarantine options.
UEFI Boot Attestation is when the system attests to a verification platform about the trustworthiness of the software it is running after it completes the boot process.
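To make the measured boot and attestation sections concrete, here is an added example (not from the page or the Wiley book) that models the two halves in plain Python: the device side hashes each boot component and extends a PCR with it, the way a TPM does, and the server side replays the event log, checks that it reproduces the quoted PCR, and compares the result against a known-good ("golden") value before deciding to allow or quarantine. The boot component bytes, the component names and the golden chain are constructed sample values; the signed TPM quote that carries the PCR to the server is assumed and not modelled.

```python
import hashlib

# Constructed stand-ins for the boot components a measured boot hashes, in the
# order the firmware measures them. Real firmware hashes the actual images.
GOOD_BOOT_CHAIN = [
    ("firmware", b"vendor-uefi-firmware-build-1.2"),
    ("bootloader", b"bootmgr-signed-build-4711"),
    ("kernel", b"kernel-signed-build-6"),
    ("boot_start_driver", b"storage-driver-signed-build-3"),
]

# Same chain with a modified bootloader: the kind of change measured boot must expose.
TAMPERED_BOOT_CHAIN = [
    (name, b"bootmgr-modified-unsigned" if name == "bootloader" else blob)
    for name, blob in GOOD_BOOT_CHAIN
]

PCR_INIT = b"\x00" * 32  # a SHA-256 PCR bank starts zeroed at power-on


def measure(component: bytes) -> bytes:
    """Hash one boot component; this is the 'measurement' written to the event log."""
    return hashlib.sha256(component).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend operation: PCR_new = H(PCR_old || measurement).

    A PCR can only be extended, never set, so the final value depends on every
    measurement and on the order in which they were made."""
    return hashlib.sha256(pcr + measurement).digest()


def measured_boot(chain):
    """Device side: measure each component into the PCR and record an event log."""
    pcr = PCR_INIT
    event_log = []
    for name, blob in chain:
        m = measure(blob)
        pcr = pcr_extend(pcr, m)
        event_log.append((name, m.hex()))
    return pcr, event_log


def attest(reported_pcr: bytes, event_log, golden_log, golden_pcr: bytes):
    """Server side of boot attestation: decide allow vs quarantine.

    In a real deployment the reported PCR arrives in a TPM quote signed by an
    attestation key and the server verifies that signature first (omitted here).
    """
    # 1. The event log must reproduce the quoted PCR; otherwise the log was edited.
    replay = PCR_INIT
    for _, m_hex in event_log:
        replay = pcr_extend(replay, bytes.fromhex(m_hex))
    if replay != reported_pcr:
        return ("quarantine", "event log inconsistent with quoted PCR")
    # 2. Compare against the known-good state recorded for this platform.
    if reported_pcr == golden_pcr:
        return ("allow", None)
    for (name, m_hex), (_, g_hex) in zip(event_log, golden_log):
        if m_hex != g_hex:
            return ("quarantine", f"unexpected measurement for {name}")
    return ("quarantine", "boot chain length differs from golden")


if __name__ == "__main__":
    golden_pcr, golden_log = measured_boot(GOOD_BOOT_CHAIN)
    print("golden PCR:", golden_pcr.hex())
    pcr, log = measured_boot(TAMPERED_BOOT_CHAIN)
    print(attest(pcr, log, golden_log, golden_pcr))
```

The replay step is what makes the event log useful: because the PCR is one-way and order-dependent, a log that has been edited after the fact no longer reproduces the value the TPM reports, and the server can tell "the log was tampered with" apart from "a component changed".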

🛠 Endpoint Security Tools

🪲 Antivirus and Antimalware

Using antimalware packages in enterprise environments remains a useful defensive layer in many situations.
Antimalware tools can be installed on mobile devices, desktops, and other endpoints.
This has been a consistent security recommendation for years, since antimalware is often the last line of defense against an attack.
Signature-Based Detection uses a hash or other signature generation method to identify files or components of the malware that have been previously observed.
Traditional antimalware tools often relied on signature-based detection as the first line of defense for systems.
But attackers have increasingly used methods like polymorphism that change the malware every time it is installed, as well as encryption and packing to make signatures less useful.

Heuristic-based detection looks at what actions the malicious software takes and matches them to profiles of unwanted activities.
Heuristic-based detection systems can identify new malware based on what it is doing, rather than just looking for a match to a known fingerprint.
This is also called behavior-based detection.
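The difference between the two detection approaches is easier to see in code. The following is an added example (not from the page or the Wiley book): a signature scanner that fingerprints a sample with SHA-256 and checks a known-bad set, a `repacked_variant` helper that stands in for what polymorphism or packing does to a file (same behaviour, different bytes), and a heuristic scanner that scores observed runtime actions against a profile of unwanted activity. The sample bytes, action names and weights are constructed for illustration.

```python
import hashlib

# Constructed signature database: SHA-256 fingerprints of samples seen before.
# The sample bytes are placeholders standing in for a file that was analysed.
KNOWN_SAMPLE = b"SAMPLE-BINARY-OBSERVED-LAST-WEEK"
KNOWN_BAD_SHA256 = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}


def signature_scan(sample: bytes) -> bool:
    """Signature-based detection: exact fingerprint match against known samples."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_SHA256


def repacked_variant(sample: bytes, build: int) -> bytes:
    """Stand-in for the effect of polymorphism or packing: the behaviour is
    unchanged but the bytes, and therefore the hash, differ with every build."""
    return sample + b"|build-" + str(build).encode()


# Heuristic profile (constructed): runtime actions and how strongly each one
# suggests unwanted activity. Unknown actions score zero.
SUSPICIOUS_ACTIONS = {
    "disable_security_tool": 4,
    "write_autostart_registry_key": 3,
    "inject_into_other_process": 4,
    "mass_encrypt_user_files": 5,
    "connect_to_unknown_host": 2,
}
HEURISTIC_THRESHOLD = 6


def heuristic_scan(observed_actions):
    """Behavior-based detection: score what the program does, not what it looks like.

    Returns (flagged, score, matched_actions)."""
    score = 0
    matched = []
    for action in observed_actions:
        weight = SUSPICIOUS_ACTIONS.get(action, 0)
        if weight:
            score += weight
            matched.append(action)
    return score >= HEURISTIC_THRESHOLD, score, matched


if __name__ == "__main__":
    variant = repacked_variant(KNOWN_SAMPLE, build=2)
    print("signature hit on original:", signature_scan(KNOWN_SAMPLE))
    print("signature hit on repacked variant:", signature_scan(variant))
    # The repacked variant still performs the same actions, so behaviour catches it.
    print(heuristic_scan(["open_file", "write_autostart_registry_key", "disable_security_tool"]))
```

The trade-off the page describes is visible in the two functions: `signature_scan` never produces a false positive but misses anything it has not seen, while `heuristic_scan` catches the repacked variant and will also flag a legitimate installer that happens to write an autostart key and stop a service, which is why the threshold and weights need tuning per environment.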

AI and Machine Learning Systems leverage large amounts of data to find ways to identify malware that may include heuristic, signature, and other detection capabilities.

Sandboxing is used by some tools and antimalware vendors to see the effects of malicious code in a completely separate, isolated environment.
A Sandbox is an isolated protected environment where unknown, untrusted, potentially dangerous, or known malicious code can be run to observe it.
Sandboxes are instrumented to allow all the actions taken by the software to be documented, providing the ability to perform in-depth analysis of malware.
Malware creators look for ways to detect sandboxes so they can avoid their tools being analyzed.

🕵🏽‍♂️ Endpoint Detection and Response

EDR Tools combine monitoring capabilities on endpoint devices and systems, using a client or software agent, with network monitoring and log analysis capabilities to collect, correlate, and analyze events.
Key features of EDR systems:
Ability to search and explore the collected data.
Use of that data for investigations, as well as the ability to detect suspicious activity.
Making detection and reporting across very large quantities of data accessible.
EDR security solutions analyze events from laptops, desktop PCs, mobile devices, servers, and even IoT and cloud workloads, to identify suspicious activity.
Alerts are generated to help security operations analysts uncover, investigate and remediate issues.

🪣DLP (Data Loss Prevention)

DLP Tools are used to protect organizational data from both theft and inadvertent exposure.
Key elements of DLP systems include:
The ability to classify data so that organizations know which data should be protected.
Data labeling or tagging functions, to support classification and management practices.
Policy management and enforcement functions used to manage data to the standards set by the organization.
Monitoring and reporting capabilities, to quickly notify administrators or security practitioners about issues or potential problems.
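The four DLP elements listed above can be shown working together in a small pipeline. This is an added example, not code from the page or the Wiley book: `classify` labels a piece of text by looking for two constructed data classes (Social Security numbers, using the page's own sample value 266-12-1112, and payment card numbers confirmed with a Luhn checksum), and `enforce` applies a policy that blocks restricted data going to an external destination and masks it for internal ones. The regexes, labels and the policy rule are assumptions for illustration; 4111 1111 1111 1111 is a widely used test card number, not a real account.

```python
import re

# Patterns for two data classes a DLP policy commonly protects. The SSN pattern
# rejects area numbers 000, 666 and 9xx and all-zero groups; the card pattern
# only narrows down candidates, and the Luhn check below confirms them.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: true for well-formed payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str):
    """Classification and labeling step: returns (label, findings)."""
    findings = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        if luhn_valid(re.sub(r"\D", "", m.group())):
            findings.append(("payment_card", m.group()))
    label = "restricted" if findings else "internal"
    return label, findings


def mask(value: str) -> str:
    """Keep the last four digits, mask the rest, preserve separators."""
    n_digits = sum(ch.isdigit() for ch in value)
    out, seen = [], 0
    for ch in value:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > n_digits - 4 else "*")
        else:
            out.append(ch)
    return "".join(out)


def enforce(text: str, destination: str):
    """Policy enforcement step (constructed rule): restricted data may not leave
    to an external destination; internal destinations receive it masked.

    Returns (decision, text_to_deliver)."""
    label, findings = classify(text)
    if label == "internal":
        return "allow", text
    if destination == "external":
        return "block", None  # a real tool would also raise an alert here
    redacted = text
    for _, value in findings:
        redacted = redacted.replace(value, mask(value))
    return "allow_redacted", redacted


if __name__ == "__main__":
    sample = "Customer SSN 266-12-1112, card 4111 1111 1111 1111"  # constructed
    print(classify(sample))
    print(enforce(sample, "external"))
    print(enforce(sample, "internal"))
```

The Luhn step matters for the false-positive rate: a 16-digit order number or tracking code will match the card regex about as often as a real card does, and without the checksum every such message would be blocked.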

🗺️Network Defenses

Host-based Firewalls can protect endpoints from network attacks. Host-based firewalls are built into most modern operating systems and are typically enabled by default.
Host-based firewalls don't provide much insight into the traffic they are filtering since they often simply block or allow specific applications, services, ports, or protocols.
Host-Based Firewalls are personal and individually installed on each endpoint.

💻Host Intrusion Prevention System (HIPS)

HIPS (Host Intrusion Prevention System) analyzes traffic before services or applications on the host process it.
HIPS can filter out malicious traffic or block specific elements of the data that is received.
The risk is that HIPS can misidentify legitimate traffic and block it, causing an outage.

🕸️Host-Based Intrusion Detection System (HIDS)

Host-Based Intrusion Detection System (HIDS) is a type of cybersecurity solution that monitors IT systems for signs of suspicious activity to detect unusual behaviors or patterns associated either with human users or applications that could be a sign of a security breach or attempted attack.
A HIDS cannot take action to block traffic; it can only report and send alerts.

🧱 Next-Generation Firewall (NGFW)

A Next-Generation Firewall (NGFW) is a device that provides capabilities beyond a traditional, stateful firewall.
While a traditional firewall typically provides stateful inspection of incoming and outgoing network traffic, a next-generation firewall includes additional features like:
Application awareness and control
Integrated intrusion prevention
Cloud-delivered threat intelligence.
Filtering based on OSI Layer 7 (the application layer)
Able to identify the applications that are flowing across the network, regardless of the IP address or port number that might be in use.
And you as the security professional can set policies to allow or disallow access to those applications on the network.
Also called an application layer gateway, stateful multilayer inspection, or deep packet inspection.
You can allow/disallow certain features on applications as well.
Ex. You can allow someone to view the information on Twitter but prevent them from posting any information on Twitter.

🛡️ Hardening Endpoints and Systems

🏰Hardening

Hardening a system or application involves changing settings on the system to increase its overall level of security and reduce its vulnerability to attack.

📭Open Ports and Services

One of the fastest ways to decrease the attack surface of a system is to reduce the number of Open ports and Services that it provides. If an attacker can’t remotely access your network, this slows them down drastically.
Port Scanners are used to quickly assess which ports are open on systems on a network, allowing security practitioners to identify and prioritize hardening targets.
Only business-critical ports and services should be open; all other ports and services need to be disabled as soon as possible.
Instead of just blocking a service through your Firewall, it’s best to disable the service entirely.
Ongoing review and maintenance is required to ensure that new services and applications do not appear over time.

🪟 Operating System Hardening

Hardening operating systems relies on changing settings to match the desired security stance for a given system.
Examples include:
Setting the password history to remember 24 or more passwords
Setting the maximum password age to "60 or fewer days, but not 0"
Preventing users from simply changing their passwords 24 times to get back to the same password while requiring password changes every 2 months
Setting the minimum password length to 14 or more characters
Requiring password complexity
Disabling the storage of passwords using reversible encryption
What you need to know about operating system hardening:
It changes system settings to reduce the attack surface of your operating system, and tools and standards exist to help with that process.
Assessing, auditing, and maintaining OS hardening for your organization is part of the overall security management process.

📋Hardening the Windows Registry

The Windows registry is the core of how Windows tracks what is going on.
The registry is thus an important target for attackers, who can use it to automatically start programs, gather information, or otherwise take malicious action on a target machine.
Ways to harden the Windows registry include:
Configuring permissions for the registry.
Disallowing remote registry access if it isn't required for a specific need
Limiting access to registry tools like regedit so that attackers who do gain access to a system will be less likely to be able to change or view the registry.

🧼 Disk Encryption and Sanitization

Keeping the contents of disks secure protects data in the event that a system or disk is lost or stolen. That's where disk encryption comes in.
Full-disk encryption (FDE) encrypts the disk and requires that the bootloader of a hardware device provide a decryption key and software or hardware to decrypt the drive for use.
OPAL defines a way of encrypting the stored data so that an unauthorized person who gains possession of the device cannot see the data.
OPAL describes self-encrypting drives.
This is a method of encrypting data at rest where the encryption and decryption process is transparent to the user and the application.
That means the user or application does not need to take any explicit action to encrypt or decrypt the data; the process is handled automatically by the underlying storage or database management system.
Volume encryption (sometimes called filesystem-level encryption) protects specific volumes of the drive, allowing different trust levels and additional security beyond that provided by encrypting the entire disk with a single key.
This includes encrypting specific files and folders.
Self-encrypting drives implement full-device encryption capabilities in their hardware and firmware.
Systems equipped with a self-encrypting drive require a key to boot from the drive, which may be entered manually or provided by a hardware token or device.

If an encryption key is lost, the data on the drive will likely be unrecoverable since the same strong encryption that protects it will make it very unlikely that you will be able to brute-force the key and acquire the data.
Deliberately destroying the encryption key can therefore be used as a strong method to make sure the data on the storage device is inaccessible.
Sanitization is ensuring a disk is securely wiped when it is no longer needed and is being retired.
Sanitizing drives or media involves one of two processes: wiping the data or destroying the media.
Destroying the Media
Degaussers expose tapes and similar magnetic media to very strong electromagnetic fields, scrambling the patterns of bits written to the drive, purging it.
Degaussing allows the tape to be reused.
Shredding, pulverizing, or incinerating drives so that no data could possibly be recovered is an option, and third-party vendors specialize in providing services like these with a documented trail for each asset (drive or system) that is destroyed.
Wiping the Media
Wiping media overwrites or discards the data in a nonrecoverable way.
For hard drives and other magnetic media, this may be accomplished with a series of writes, typically of 1s or 0s, to every storage location (bit) on the drive.
"Drive wipe" utilities often miss sections of flash-based drives where copies of data may remain because of the wear-leveling process.

📊 Patch Management

Patch management is required to mitigate the potential damage of vulnerabilities: ensuring that systems and software are up to date helps ensure endpoint security by removing known vulnerabilities, and timely patching decreases how long exploits and flaws can be used against systems.
Extensive patch testing is the ideal way to go, but some organizations don't have the resources to run patches and updates through test rings.
Most organizations will wait a short period of time after a patch is globally released to gauge its effects in the online community before installing it across their own environment.
Enabling auto-updates isn't the best solution most of the time.
Zero-days are previously unknown vulnerabilities whose fixes require immediate out-of-band patching.

⚔ Database Security

When we are storing data we’re often putting it into some type of database. And obviously, we need to protect the data that is stored in that database, and we need to protect the data that is transmitted to and from that database.
Any Data in a storage space has to comply with any regulatory rules such as PCI DSS, HIPAA, GDPR.
Strong Database Security means the data is always available and the business can always properly operate.
Any database breach is extremely expensive to fix (monetarily and socially).

📀Tokenization

Tokenization replaces sensitive data with a temporary token that is not associated with the original value.
It replaces personal identifiers that might directly reveal an individual's identity with a unique identifier, using a lookup table.
Ex. A Social Security number such as 266-12-1112 is stored in the database as 691-61-8539. It is a completely different number and bears no relationship to the original Social Security number that was stored in the database.
Often seen with Credit Card processing!
During the credit card use process we’ll store a temporary credit card number, or temporary token, on our device and use that during the purchase process.
A temporary token is sent to a server that validates the token during the purchase process, and that token is then thrown away, and a different token will be used for the next purchase.
An adversary can’t use the temporary credit card numbers later because they’re not the real thing.
No encryption or hashing is involved.
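The two tokenization styles described above (a persistent lookup-table token for a stored identifier, and a single-use token for a card purchase) can be modelled in a few dozen lines. This is an added example, not code from the page or the Wiley book: the `TokenVault` class is a constructed stand-in for a tokenization service, the tokens are drawn from the operating system's CSPRNG with the original field's digit/separator shape preserved, and the Social Security number comes from the page's own example. As the page says, no encryption or hashing is involved; the only link between token and value is the vault's table.

```python
import secrets
from typing import Optional


class TokenVault:
    """Constructed example of a tokenization service's lookup table.

    Tokens are random and keep the original field's shape, so they have no
    mathematical relationship to the value; only the vault can map them back."""

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}
        self._one_time = {}

    @staticmethod
    def _random_token_like(value: str) -> str:
        # Replace every digit with a CSPRNG digit; keep separators so the token
        # still fits the column or form field the real value used.
        return "".join(str(secrets.randbelow(10)) if ch.isdigit() else ch for ch in value)

    def tokenize(self, value: str) -> str:
        """Persistent token: the same value always maps to the same token
        (e.g. an SSN kept on file)."""
        if value in self._value_to_token:
            return self._value_to_token[value]
        while True:  # loop guards against the rare collision or identity token
            token = self._random_token_like(value)
            if token != value and token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Only the vault can recover the original; unknown tokens yield None."""
        return self._token_to_value.get(token)

    def issue_one_time_token(self, card_number: str) -> str:
        """Payment-style token: valid for a single purchase, then discarded."""
        while True:
            token = self._random_token_like(card_number)
            if token != card_number and token not in self._one_time:
                break
        self._one_time[token] = card_number
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Validate a one-time token exactly once; a replayed token is worthless."""
        return self._one_time.pop(token, None)


if __name__ == "__main__":
    vault = TokenVault()
    ssn_token = vault.tokenize("266-12-1112")  # SSN from the page's example
    print("stored in database:", ssn_token)
    print("vault lookup:", vault.detokenize(ssn_token))
    purchase_token = vault.issue_one_time_token("4111111111111111")  # test card number
    print("first use:", vault.redeem(purchase_token), "replay:", vault.redeem(purchase_token))
```

Because the token is random rather than derived from the value, a database dump containing only tokens is useless without the vault, which is why the vault itself becomes the system that needs the strongest access control and monitoring.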

#️⃣Hashing

Hashing is essentially taking a potentially long message and generating a unique output value derived from the content of the message.
Hashing is the process of transforming any given key or string of characters into another value. Hashing algorithms convert blocks of information from a file into a much shorter value or key of constant length that represents those strings.
Message digests are the unique output values generated by hashing; they can be used to implement a digital signature algorithm.
Often called several different things: hash, hash value, hash total, CRC, fingerprint, checksum, and digital ID.


🧂Salting

Salting adds a randomly generated value to each password prior to hashing. When you salt a password, you add random integers and strings to every password before you hash it.
A Salt is a randomized, considerably large value generated when you use a secure random number generator or random bit generator.
Salts get stored with each password hash value on your server, thus creating unique hash values for passwords.
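The hashing and salting sections fit together in one worked example, added here and not taken from the page or the Wiley book. `message_digest` shows the fixed-length fingerprint the Hashing section describes; `unsalted_hash` shows why hashing a password on its own is not enough (identical passwords produce identical hashes); `hash_password` adds a 16-byte random salt from the OS random generator and an iterated PBKDF2-HMAC-SHA256 derivation, storing the salt and parameters alongside the digest so `verify_password` can recompute and compare. The storage format `algorithm$iterations$salt$digest`, the sample password and the iteration count are choices made for this example.

```python
import hashlib
import hmac
import os


def message_digest(message: bytes) -> str:
    """Fixed-length fingerprint of arbitrary input (SHA-256, 32 bytes as hex)."""
    return hashlib.sha256(message).hexdigest()


def unsalted_hash(password: str) -> str:
    """What NOT to do: identical passwords give identical hashes, so one
    precomputed table of common passwords cracks every matching account at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Salted, iterated password hash, stored as algorithm$iterations$salt$digest
    so the salt and parameters travel with the hash (format chosen for this example)."""
    salt = os.urandom(16)  # fresh random salt per password, from the OS CSPRNG
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest does not short-circuit, so timing does not leak how many bytes matched
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print("digest of b'hello':", message_digest(b"hello"))
    print("one changed letter:", message_digest(b"hellp"))
    pw = "Summer2024!"  # constructed sample password
    print("unsalted, twice:", unsalted_hash(pw) == unsalted_hash(pw))
    h1, h2 = hash_password(pw), hash_password(pw)
    print("salted, twice:", h1 == h2)
    print("verify correct:", verify_password(pw, h1), "verify wrong:", verify_password("summer2024!", h1))
```

Two users with the same password now have different stored records, so an attacker who obtains the database has to attack each salted hash separately, and the iteration count makes every guess cost hundreds of thousands of hash operations rather than one.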

👨🏾‍💻 Application Security

Security should be built in as part of the requirements and then designed into the environment based on those requirements.

🔐 Secure Coding Practices

One of the best resources for secure coding practices is the Open Web Application Security Project (OWASP). It is the home of a broad community of developers and security practitioners, and it hosts many community-developed standards, guides, and best practice documents, as well as a multitude of open source tools.

🐝OWASP Top 10 Proactive Controls

The OWASP Top Ten Proactive Controls is a list of security techniques that should be included in every software development project.
The 10 secure coding practices below are numbered by importance (1 being the most important and 10 the least important, but still definitely important).
A security requirement is a statement of needed security functionality that ensures one of many different security properties of software is being satisfied.
Implementing security throughout the development process.