CompTIA CASP+ CAS-004 – Chapter 04 – Implementing Security for Systems, Applications, and Storage Part 3
- Wireless Security
Now, in addition to the standards and the security protocols we talked about that are necessary to safely implement wireless technologies, we need to talk about the important measures that you can take to secure wireless communication and the different options. The first one is Wired Equivalent Privacy, WEP. It was the first security measure used with 802.11. It was an algorithm in the original specification that could authenticate the device as well as encrypt the data between the AP and the device. The problem with WEP is that the name, Wired Equivalent Privacy, sort of implied that you could have privacy equivalent to that of a wired network, which is a joke. It implements the RC4 encryption algorithm, and it does so in a way that makes it easier for the hacker to crack the encryption. Basically anybody who knows what they’re doing can crack WEP keys in a very short period of time, and the password doesn’t really change. So this is not a protocol that we would use today.
WPA, WiFi Protected Access, was created to address the concern about the inadequacy of WEP. The WiFi Alliance, a group of manufacturers that promotes interoperability, created this mechanism, which was designed to improve on WEP. There are four types of WPA, but we first have to discuss how it improves over WEP. The first improvement is that WPA uses something called TKIP for encryption. That’s Temporal Key Integrity Protocol, which means that it generates a new key for every packet. Second, the integrity check used with WEP isn’t able to reliably detect changes to the data, whereas WPA uses an integrity check algorithm called Michael to verify the integrity of packets.
As I said, there are two versions of WPA. Some older devices may only support WPA, but most devices today should support WPA2. Version two is an improvement over WPA: instead of TKIP, it uses a mouthful of an acronym, Counter Mode with Cipher Block Chaining Message Authentication Code Protocol, CCMP, and that’s based on the Advanced Encryption Standard. That’s much stronger, and it’s required for FIPS-compliant transactions. There are two versions of WPA2, just like its predecessor, and those are Personal and Enterprise. Enterprise versions use 802.1X, so they require the use of an authentication server, typically RADIUS. Personal versions don’t; they use passwords that are configured on the AP and the stations.
So in an enterprise scenario, we would generally use computer certificates or usernames and passwords to log in to the access point, but the access point is simply passing that login information to a RADIUS server, which validates that individual just like a typical remote access connection. There are some additional security options that we can use to enhance wireless security. The first is disabling SSID broadcast. As I mentioned earlier, SSID broadcast is automatically turned on for most APs, but from what I’ve seen it can be turned off on every single device. When it’s hidden, the wireless station has to be configured with a profile that includes the SSID; for somebody to be able to connect, they have to know the name of it. It essentially only removes one type of frame, the beacon frame, so the SSID still exists in the other frame types.
It can still be easily learned by sniffing the wireless network, so it’s certainly not a great security approach, but it’s something that a lot of people will do just as one little added mechanism. Another security measure is to create MAC address filters. That’s simply a list of allowed MAC addresses on the AP, so when you do that, only the devices with MAC addresses on that list can make a connection. This also seems like a pretty good and foolproof security measure, but it’s really easy for a hacker to use a packet sniffer to learn the MAC address of a device that has successfully authenticated and then spoof their own MAC address.
Now they’re on the list and they can gain entry. It is also possible to deny access to certain devices using MAC filters. Open System Authentication, or OSA, is the default authentication method used in 802.11 networks that are using WEP. It just means that the authentication request contains only the station ID, followed by the authentication response. Now, while it can be used with WEP, the authentication management frames are sent in clear text because WEP only encrypts data, so OSA is not secure. That’s not something we’re going to use today.
Shared key authentication uses WEP and a shared secret key for authentication. The challenge text is encrypted with WEP using the shared secret key, and the client returns the encrypted challenge text to the AP. Another implementation of shared key authentication is WPA with a pre-shared key. Pre-shared key is really just another way of saying Personal. It’s more secure because it uses TKIP to constantly change the key: the passphrase doesn’t change, but the underlying key does.
- Securing Other Host Devices
Let’s talk about securing other host devices; there are a number of different things here that just need to be mentioned. Drive mounting is what makes a drive available to the operating system. It does require that the OS recognize the media format, but it occurs automatically in most operating systems as soon as the drive is connected. So when you plug in a flash drive, it’ll automatically mount it and it’s accessible in File Explorer. The danger in allowing that connection, or mounting that drive, is the same danger that’s presented by allowing USB drives: data leaks, the introduction of malware, auto-running. So we might want to go in and prevent that. We can disable the port, or we can simply prevent the automatic drive mounting.
Now, it makes life easier for a user, but it has the disadvantage of making the introduction of malware possible. Drive mapping is a process in which we take an external storage location and map or connect it to a drive letter on the local computer, so that the remote drive looks like a local drive. Drive mapping is used all the time because it’s very convenient: it reconnects every time the computer is connected to the network, which makes that connection possible. But this is another operation that, while it makes life easier for users, can create opportunities for attackers with ill intent, because those mappings can be used to access drives with sensitive information. Webcams: some malware can take control of a webcam and spy on the user. Unfortunately, that also extends to IP cameras, which are often deployed as security cameras.
In some cases we may want to prohibit the use of webcams; that is a consideration. Recording mic: there’s also malware that will enable the recording mic, which could allow eavesdropping on meetings or other sensitive conversations. This is especially common in Android devices, so you can prohibit the use of these devices in certain scenarios. Audio output is also something that can be controlled by malicious individuals. For example, if you use a software-defined radio that’s capable of monitoring wireless transmissions, it’s possible to intercept a home security system’s unencrypted wireless communication with the sensors around the house. The hacker could then take advantage of that capability, send his own signals to the main control, and prevent the sound of an alarm by preventing audio output.
Obviously, that would potentially be a bad thing if done in conjunction with a burglary. SD port: just like USB devices can be used to introduce malware or exfiltrate data from the network, so can SD memory cards, and most of today’s laptops, and some desktops as well, come with these ports. So organizations may want to approach this just like they approach USB drives; you can prevent their use through Group Policy. HDMI ports now support Ethernet, so if somebody hacks into a smart TV, they can gain control of other devices via the network interface it supports. Universal Plug and Play, for instance, is known to be especially vulnerable to attacks. So if you have unnecessary HDMI ports, we would want to disable those.
- Boot Security
Now, let’s talk a bit about boot security. When a system is booting up, there’s a window of opportunity for breaking into the system. For instance, if I have physical access, I could set the system to boot to other boot media.
So I’ve got a Windows system, but I boot up to Linux running on a DVD or a flash drive, and then I can access the hard drive. It’s for that reason that we really need bootloader protective mechanisms. There are a couple of different options, but Secure Boot is the most common one, and it’s simply a term that applies to several technologies that follow that particular standard. Its implementations include Windows Secure Boot, Measured Launch, and something known as Integrity Measurement Architecture. Essentially, Secure Boot uses firmware that verifies all of your UEFI executable files and the operating system loader. UEFI, the Unified Extensible Firmware Interface, is the standard that has now replaced the BIOS.
We’re basically looking at them and verifying them to make sure they’re all trusted; in other words, that they are what was used the last time to start the system. The Windows boot components verify the signature on each component to be loaded, just making sure it hasn’t been tampered with, and then any non-trusted components won’t be loaded and it’ll trigger remediation. The signatures on all boot-critical drivers are also checked as a part of that Secure Boot process.
Now, the disadvantage is that systems that ship with this don’t allow the installation of any other operating system. So this prevents installing any other OS or running live Linux media. It also prevents using troubleshooting and disk diagnostic drives that you have created, and it would even prevent the ability to restore the operating system. It’s easily fixed: you simply go in, turn it off and go into a legacy boot mode. But it is something that is there and enabled by default.
- Additional Boot Security Options
Some additional options. Measured Launch is one that we mentioned. This is a launch in which the software and platform components have been identified, or measured, using cryptographic techniques. The resulting values are used every time you boot to verify the trust in those components. Measured Launch is designed to prevent attacks on the system and the BIOS code, or at least identify when these things have been compromised. It’s actually part of Intel Trusted Execution Technology, or Intel TXT, which is leveraged by software vendors like PrivateCore, Citrix, VMware, et cetera. You also have Integrity Measurement Architecture. This is just another approach that tries to create and measure the runtime environment.
This is an open source Trusted Computing component. It creates a list of all the components and anchors that list to the Trusted Platform Module chip, and it can then use that list to attest to the system’s runtime integrity every time the system boots. By anchoring the list in the TPM chip, in hardware, it prevents the list itself from being compromised as well. Attestation services allow an authorized party to detect changes to an operating system. These types of services really just involve generating a certificate for the hardware that states what software is currently running, so the computer can then use that certificate to attest that unaltered software is currently executing. Windows has been capable of this since Windows 8.
Then we have the TPM, or Trusted Platform Module, which we’ve mentioned a couple of times but want to talk about in a little more detail. Two particularly popular uses of the TPM are binding and sealing. Binding binds the hard drive, through encryption, to a particular computer. This is what BitLocker uses: because the decryption key gets stored on the chip, the hard drive’s contents are only available when the drive is in that computer. Keep in mind that all the contents are at risk if the TPM fails and you don’t have a backup of the key, so it’s a good idea to always have backups when you’re using BitLocker.
And incidentally, if you have to move the drive to another system, you do have recovery capabilities. Sealing, on the other hand, seals the state to a particular hardware and software configuration. That’s going to prevent an attacker from making changes to the system, but it can also make installing new hardware or new operating systems much harder, because the system can only boot after the TPM chip verifies system integrity. It does that by comparing a computed hash value of the configuration to the hash value of the configuration recorded at boot time. The TPM chip consists of both static memory and versatile memory, and it’s used to retain important information even when the computer is turned off. Some of the components are the following. The endorsement key:
This is persistent memory installed by the manufacturer, and it contains a public/private key pair. The SRK, or storage root key, is persistent memory that secures the keys inside the TPM. The attestation identity key, AIK, is versatile memory that ensures the integrity of the EK, the endorsement key. The platform configuration register, PCR, hash is versatile memory that stores data hashes for the sealing function. And then you have storage keys; that’s also versatile memory, and it contains the keys used to encrypt the computer’s storage: hard drives, flash drives, et cetera.
Like I said, BitLocker and BitLocker To Go are well-known full disk encryption products that use the TPM, but there are other options: PGP Whole Disk Encryption, Sophos SafeGuard and SecurStar DriveCrypt are just some of them. It’s also possible not to have a hardware TPM but to use a virtual TPM chip. That’s a software object that does all the functions of a TPM chip. It’s a system that allows trusted computing for virtual machines, and in fact for an unlimited number of virtual machines on a single hardware platform. So in instances where we’re using virtualization, the virtual TPM chip is very useful.
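The measured-launch idea and the TPM sealing check described above, as an added example that is not part of the course: a Python model of how each boot component is hashed and extended into a PCR, and how a key sealed to that PCR is released only when the same chain of components measures the same way at the next boot. The key derivation, the XOR keystream cipher and the boot-image byte strings are constructed for illustration; a real TPM performs the extend and unseal inside the chip.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Added example, not the course's code: a simplified model of measured boot.
# Each boot component is hashed, and that hash is "extended" into a Platform
# Configuration Register (PCR) the way a TPM does it: PCR = H(PCR || H(component)).
# A secret is then sealed to the expected PCR value and is only unsealed when the
# same chain of components is measured again at the next boot.

DIGEST = hashlib.sha256
PCR_INITIAL = b"\x00" * 32  # a TPM PCR starts out as all zeros


def extend(pcr: bytes, component: bytes) -> bytes:
    """Return the new PCR value after measuring one boot component."""
    measurement = DIGEST(component).digest()
    return DIGEST(pcr + measurement).digest()


def measure_boot_chain(components: List[bytes]) -> bytes:
    """Measure firmware, boot loader, kernel, ... in order; the order matters."""
    pcr = PCR_INITIAL
    for comp in components:
        pcr = extend(pcr, comp)
    return pcr


def _keys_for(pcr: bytes) -> Tuple[bytes, bytes]:
    """Hypothetical KDF: derive encryption and MAC keys from the sealed-to PCR.
    A real TPM keeps the sealing key inside the chip; this is only a model."""
    return DIGEST(b"seal-enc" + pcr).digest(), DIGEST(b"seal-mac" + pcr).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy hash-counter keystream for the XOR cipher used by seal/unseal."""
    out = b""
    counter = 0
    while len(out) < length:
        out += DIGEST(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(secret: bytes, expected_pcr: bytes) -> bytes:
    """Seal a secret (e.g. a disk encryption key) to one specific PCR value."""
    enc_key, mac_key = _keys_for(expected_pcr)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(enc_key, nonce, len(secret))))
    tag = hmac.new(mac_key, nonce + ct, DIGEST).digest()
    return nonce + ct + tag


def unseal(blob: bytes, current_pcr: bytes) -> Optional[bytes]:
    """Release the secret only if the current PCR equals the one it was sealed to."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _keys_for(current_pcr)
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, DIGEST).digest()):
        return None  # PCR differs: a boot component changed, so refuse to unseal
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


# Constructed sample boot chains; on a real system these are the actual images.
GOOD_CHAIN = [b"firmware-v1", b"bootloader-v1", b"kernel-v1"]
TAMPERED_CHAIN = [b"firmware-v1", b"bootloader-modified", b"kernel-v1"]


def demo() -> Tuple[Optional[bytes], Optional[bytes]]:
    """Seal a key to the known-good chain, then replay a good and a tampered boot."""
    blob = seal(b"disk-encryption-key", measure_boot_chain(GOOD_CHAIN))
    good_boot = unseal(blob, measure_boot_chain(GOOD_CHAIN))
    tampered_boot = unseal(blob, measure_boot_chain(TAMPERED_CHAIN))
    return good_boot, tampered_boot


if __name__ == "__main__":
    ok, bad = demo()
    print("good boot unsealed:", ok)        # the key comes back
    print("tampered boot unsealed:", bad)   # None: the key stays sealed
```

Because the PCR is a running hash, swapping the order of two components or changing a single byte of one image produces a different final value, which is what makes the sealed key unrecoverable after an unexpected change.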
- Topic B: Mobile Device Security
In this next topic, we’re going to be covering security for mobile devices, which are certainly very prevalent in today’s workplace. We’re going to talk about enterprise mobility management, how to secure the control and administration of those mobile devices, as well as the various strategies and tools that are involved.
We’ll also look at some security implications and some privacy concerns, the various features that mobile devices bring, and in some cases wearable technologies, computing devices like cameras, watches and fitness devices, and we’ll discuss the security issues related to those as well.
- Enterprise Mobility Management
So users are increasingly demanding the right to use mobile devices like smartphones and tablets on the enterprise network. They have become very popular; in fact, they’re virtually an extension of the human body at this point. Unfortunately, this bring-your-own-device mentality is convenient for users, but it creates a headache for security professionals. At the same time, users are embracing wearable technology as well: cameras, watches, fitness devices. So we need to understand exactly how to go about dealing with this.
The increasing use of these, combined with the fact that many of these devices use public networks with little or no security, presents a set of unique challenges, so we need to discuss how to deal with them. One of the issues in allowing the use of personal devices is the possible mixing of sensitive corporate data with the personal data of the user. Containerization is a newer feature of most mobile device management software, and MDM is heavily used in nearly all of today’s corporate environments because it has become completely necessary.
- MDM Concepts
So I mentioned containerization. It is a relatively newer feature of MDM. What it does is create an encrypted container on the device that allows us to hold and quarantine corporate data separately from that of the user. That gives MDM software the ability to apply policies only to that container and not to the entire device. We’ll also use the term configuration profile in relation to mobile device management; we’re talking about the ability to control the use of devices. When these profiles are applied to the device, they make changes to settings like passcodes, WiFi passwords, VPN configurations and more.
Profiles can also restrict items that are available to users, like the camera. The individual settings in these profiles are referred to as payloads, and those payloads can be organized into various categories in different implementations. For example, there may be a payload category for basic settings like a required passcode, and then other payload categories like email settings, internet settings, allowed applications and so on. When a personally owned, corporate enabled policy is used, the organization’s users purchase their own devices, but they allow that device to be managed by corporate tools like MDM software. They will be presented with a message when they connect the device that essentially gives their assent to the organization having some level of control over the software.
Another technique that’s used to protect mobile devices is called application wrapping. Application wrappers, which are implemented via MDM policies, allow administrators to set policies that let an employee with a mobile device safely download an app. Typically this is from an internal store, some type of portal, and policy elements can include, for instance, whether user authentication is required for a particular app or whether data associated with that app can be stored on the device.
So when a company chooses this type of approach, it’s either called BYOD, bring your own device, which is personally owned, corporate enabled, or it’s corporate owned, personally enabled, the COPE initiative. Security professionals need to think about supporting the users when either of these is in use, especially since MDM software significantly alters the user’s experience on their device. Now, a lot of vendors of MDM software do provide remote assistance capabilities.
For example, Mobile Device Manager Plus from a company named ManageEngine provides an Android remote control feature, and that can also be used to manage iOS and Windows phones.
- Management Options
Some additional management options include over-the-air updates. An over-the-air update is simply an update that occurs over a wireless connection; that’s why it’s over the air. These can be firmware updates, called FOTA or firmware over-the-air, and those can occur using the same process as the updates that we’ll talk about in a little bit. They can be performed with special firmware or operating system update tools like flash programming tools, or just natively within the MDM. Two other types of updates for smartphones are PRI and PRL updates. PRI is product release information, and that’s the connection between the mobile device and the radio.
So from time to time the PRI may need to be updated, and updates may add features; they may increase data speed and other functionality. The preferred roaming list, or PRL, is a list of radio frequencies that resides in memory on some kinds of smartphones. The PRL lists the frequencies that the phone can use in different geographic areas, and the areas are ordered by the bands that the phone should try first. Essentially, it’s just a priority list that indicates the particular towers that the phone is going to use. Remote wiping is sending instructions remotely to a mobile device to erase all the data.
Typically this is going to be used when somebody has lost their device or knows that it’s been stolen. In the case of iPhones, this is closely related to the locator application that many are familiar with, called Find My iPhone; now it’s natively supported. Android phones don’t actually come with an official remote wipe, but there is an app that will do it, and at that point it becomes the same as the iPhone remote wipe app.
This is something that’s necessary because it gives us, as an organization, the ability to remotely wipe the data on those phones, so this is another place where the containerization concept comes in handy.

Additional management might be in relation to applications. Often these are called conditional access policies; they control access to corporate data and to applications based on certain conditions. We might even have MDM software that’s granular enough to control certain actions within an application, so I could prevent screenshots, for instance, or prevent cutting and pasting. We can securely control the sharing of data, or track what specifically happens after a file has been accessed in a particular application. That can help to control all of those aspects on the mobile device itself.

Side loading is a method of installing applications on a mobile device from a computer rather than using an app store like Google Play or the App Store on iPhones. Typically these applications come from third parties or have been internally developed by the organization. Android apps are installed in the Android package, APK, format, and when you plan to side load, you do need to go in and actually make a change to the phone: you have to get into the settings, enable developer mode and allow unknown sources of apps. iOS makes this a little more difficult; you can use a tool called Xcode 7, which does require the creation of a developer account on the Apple developer site.
- Context Aware Management
Context-based authentication and management takes multiple factors or attributes into consideration before authenticating and authorizing an entity. Rather than simply relying on the presentation of proper credentials, the system looks at a number of different factors when making an access decision. This solves a lot of issues suffered by non-context-based systems. One thing it provides is help in preventing account takeovers: if you’ve just got a simple password and somebody knows you, steals your phone or watches you type in your password, then it’s easy to take over.
It also helps to prevent many attacks that are made possible by the increasing use of mobile devices in general, and attacks that are made possible by the user’s location. These systems take a number of factors into consideration when a user requests a resource, and when they’re combined, these attributes can create a pretty complex set of rules that help prevent vulnerabilities that password systems are simply unable to detect or stop.
One of those considerations is geolocation, or geofencing. At one time, as security pros, we knew that all network users were safely in the office, right? They were behind a secure perimeter because we had created it, and they were defended with every tool possible. But that’s not the case any longer. Users can access your network from just about anywhere: from home, from wireless hotspots, hotel rooms and all sorts of other locations, many of which are not secure.
So when you design authentication, you can take into account the physical location of the source of the access request and allow or deny based on that information. For instance, a sales user may be allowed to access the sales folder at any time from the office, but only from nine to five from her home and never from anywhere else. These systems use the location as an attribute to identify requests to authenticate and access a resource, and they will recognize requests from two different locations in a very short amount of time.
One of those could be fraudulent, so that certainly helps to protect. Sometimes these systems can make real-time assessments of threat levels in the region where the request originates. Another consideration is user behavior. It’s possible for us to track the behavior of an individual over time and then use that information to detect when a user or entity is performing actions that, while they have the ability to do them, are just different from the normal activity of that person. Of course, that could indicate that the account has been compromised.
The main security issue here is the complexity of rule creation. It really can lead to mistakes, and it can actually reduce security. So you have to have a complete understanding of the system, and special training should be provided to anyone managing that type of system. The next one is security restrictions. Really, the key capability that’s sought when you’re implementing context-based management is the ability to change the security settings applied to a user or device based on its context, and that context is evidenced by the attributes of the connection.
Time-based restrictions: we can prevent access to individual resources on a time-of-day basis. That was not always possible, but recently it has become more of a possibility. And then frequency: you can make access decisions based on how often requests are made, because if you have multiple login requests coming very quickly, that could indicate a password cracking attack. The system can then use that information to deny access, or require that the connection be terminated prior to a new connection being made. It can also indicate an automated process or malware rather than an individual attempting this operation.
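The location, time-of-day and frequency checks described in this topic, as an added example that is not part of the course: a Python access engine that applies the sales-user rule from above and also flags a login burst and two distant locations in too short a time. The thresholds, coordinates, rule format and per-user history are assumptions for illustration, not any particular product’s behaviour.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Added example, not the course's code: a small context-aware access engine that
# weighs the attributes discussed above (location, time of day, request frequency
# and two distant locations in too short a time) before granting access.


@dataclass
class Request:
    user: str
    resource: str
    location: str                # "office", "home", "hotel", ...
    when: datetime
    coords: Tuple[float, float]  # constructed (lat, lon) for the travel check


@dataclass
class Rule:
    resource: str
    location: str
    start_hour: int = 0   # inclusive
    end_hour: int = 24    # exclusive


# The lecture's policy: sales folder from the office any time, from home 9 to 5 only.
POLICY: Dict[str, List[Rule]] = {
    "sales-user": [Rule("sales-folder", "office"), Rule("sales-folder", "home", 9, 17)],
}
MAX_REQUESTS_PER_MINUTE = 5  # assumed threshold for a password-guessing indicator
MAX_KMH = 1000.0             # assumed upper bound on plausible travel speed


def _distance_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Crude flat-earth distance; accurate enough for a plausibility check."""
    dlat = (a[0] - b[0]) * 111.0
    dlon = (a[1] - b[1]) * 111.0 * math.cos(math.radians((a[0] + b[0]) / 2))
    return math.hypot(dlat, dlon)


class ContextEngine:
    def __init__(self, policy: Dict[str, List[Rule]]) -> None:
        self.policy = policy
        self.history: Dict[str, List[Request]] = {}  # per-user request log

    def decide(self, req: Request) -> Tuple[bool, str]:
        past = self.history.setdefault(req.user, [])
        # 1. Frequency: many attempts within a minute looks automated, not human
        recent = [r for r in past if req.when - r.when <= timedelta(minutes=1)]
        if len(recent) >= MAX_REQUESTS_PER_MINUTE:
            past.append(req)
            return False, "rate limit: possible automated or password-guessing attempt"
        # 2. Impossible travel: compare with the user's previous request
        if past:
            hours = (req.when - past[-1].when).total_seconds() / 3600
            if hours > 0 and _distance_km(past[-1].coords, req.coords) / hours > MAX_KMH:
                past.append(req)
                return False, "impossible travel: two distant locations too close in time"
        past.append(req)
        # 3. Location and time-of-day rules for this user and resource
        for rule in self.policy.get(req.user, []):
            if rule.resource == req.resource and rule.location == req.location:
                if rule.start_hour <= req.when.hour < rule.end_hour:
                    return True, "allowed by location and time-of-day rule"
                return False, "outside allowed hours for this location"
        return False, "no rule allows this resource from this location"


def demo() -> List[Tuple[bool, str]]:
    """Replay the sales-user scenario plus a travel anomaly and a login burst."""
    engine = ContextEngine(POLICY)
    office, home, far_away = (40.7, -74.0), (40.8, -73.9), (51.5, -0.1)  # constructed
    day = datetime(2024, 1, 8)
    scenario = [
        Request("sales-user", "sales-folder", "office", day.replace(hour=22), office),
        Request("sales-user", "sales-folder", "home", day.replace(hour=10) + timedelta(days=1), home),
        Request("sales-user", "sales-folder", "home", day.replace(hour=20) + timedelta(days=1), home),
        Request("sales-user", "sales-folder", "office", day.replace(hour=12) + timedelta(days=2), office),
        # Same day, 30 minutes later, thousands of kilometres away
        Request("sales-user", "sales-folder", "office", day.replace(hour=12, minute=30) + timedelta(days=2), far_away),
    ]
    results = [engine.decide(r) for r in scenario]
    burst = day.replace(hour=14) + timedelta(days=3)  # six logins within six seconds
    for i in range(6):
        results.append(engine.decide(Request("sales-user", "sales-folder", "office", burst + timedelta(seconds=i), office)))
    return results
```

The rule table is deliberately tiny; the point of the section, that rule complexity is where mistakes creep in, shows up as soon as you add a second user or resource and have to decide which check wins when they disagree.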
- Security and Privacy
One of the biggest obstacles presented by BYOD or COPE initiatives is the security issues that are simply inherent to mobile devices. A lot of these vulnerabilities revolve around storage devices, so data storage is really a big issue. While protecting data on the mobile device is always a good idea, in a lot of cases an organization needs to comply with an external standard regarding the minimum level of protection provided to data on the storage device. An example of that would be the Payment Card Industry Data Security Standard, PCI DSS. It enumerates requirements that payment card industry players have to meet to secure and monitor their networks, protect cardholder data, manage vulnerabilities, et cetera.
There are a lot of different storage types. They share some issues, and sometimes they present issues that are unique to each of them. Let’s start with non-removable storage. This is storage that’s built into the device and can’t be removed; it may not suffer all the vulnerabilities shared by the other forms, but the data is still at risk. One tool that we have at our disposal for this type of storage that’s not available with the others is the remote wipe capability if the device is stolen. At any rate, you should be looking to encrypt the device with the Advanced Encryption Standard, and you should probably be interested in configuring backups of that device.
Removable storage is desirable in a lot of mobile devices, but it may be stolen along with the device, and of course it can also be lost or stolen on its own. Since removable storage of any type represents one of the primary ways that data exfiltration occurs, which it does, we need to consider encryption. Cloud storage may seem like a great idea, but it has some unique issues, and data breaches are one of them. Cloud providers often do include safeguards and SLAs, but ultimately it’s the organization that’s responsible for protecting its own data. The SLA from the cloud provider simply says that they’re not going to allow another tenant to access your data; it doesn’t do anything to protect against an authorized user either purposely or inadvertently allowing access to that data.
Okay, so we do have to keep that in mind. Once it’s out in the cloud, then it’s in the public arena and can typically be shared. Authentication system failures would allow malicious individuals into the cloud. That issue can sometimes be made worse by the organization itself, because often developers will embed credentials or cryptographic keys in source code and then leave them in public-facing data repositories. Weak interfaces and APIs tend to be the most exposed part of a system because they’re usually accessible from the open internet. So those are things that we need to keep in mind. Of course, some additional issues are that users often store sensitive data in cloud storage that’s outside the control of the organization; we’re talking about Dropbox, Google Drive, OneDrive.
Even if it’s the personal version, it’s outside of the organization’s control. USB OTG, or USB On-The-Go, is a specification that was first used way back in 2001. It allows USB devices like tablets and smartphones to act as either a host or a device in relation to other devices. It’s been used to hack around the iPhone security feature that requires a valid username and password to use a device after a factory reset, a feature that’s supplied to prevent somebody from stealing your phone, resetting it to factory defaults and using it.
But it can be defeated by using USB On-The-Go. Of course, the biggest threat to mobile devices is simply the loss or theft of the device, especially if the device has irreplaceable or sensitive data. So organizations have to make sure that they can remotely lock and remotely wipe the devices if that type of situation occurs.