Module 5:
Host and software security are crucial components of any robust cybersecurity strategy. Ensuring the security of individual devices and the software they run is paramount in safeguarding sensitive data and maintaining the integrity of systems. In this post, we’ll explore the key aspects of host and software security, their importance, and their role in the CompTIA Security+ certification.
Implementing Host Software Security
- Implement Host Security
- Implement Cloud and Virtualization Security
- Implement Mobile Device Security
- Incorporate Security in the Software Development Life Cycle
Hardening
Security technique of altering a systems configuration to remove vulnerabilities and protect the system against potential attack.
- Typically implemented so systems conform to security policy.
- Many different techniques are available.
- Hardening can also restrict a systems capabilities.
- Hardening must be balanced against accessibility.
Operating System Security
- Each OS have unique vulnerabilities for attackers to exploit.
- Different OS types and OSes from different vendors has their own weaknesses.
- Vendors try to correct vulnerabilities while attackers try to exploit them.
- Stay up-to-date with security information posted by vendors and other sources.
Different types of OS’s:
- Network
- Server
- Workstation
- Appliance
- Kiosk
- Mobile
Operating System Hardening Techniques
- Implement a Principle of least functionality.
- Disable unnecessary network ports.
- Disable unnecessary services.
- Take advantage of secure configurations.
- Disable default accounts.
- Force users to change default passwords.
- Implement a patch management service.
Trusted Computing Base
Trusted Computing Base: The Hardware, firmware, and software component responsible for ensuring computer system security.
Trusted Operating System: Operating systems that fulfill security requirements in the Trusted Computer Base (TCB).
Hardware and Firmware Security
| Component | Description |
|---|---|
| BIOS/UEFI | Basic Input/Output System and Unified Extensible Firmware Interface. Both firmware interfaces hold configurations to initialize hardware for system boot. UEFI is newer and more secure than BIOS. |
| Root of Trust and HSM | Root of Trust enforces trusted computing through encryption. The Hardware Security Module (HSM) is a physical device that implements Root of Trust. |
| Trusted Platform Module (TPM) | Secure crypto processor that generates keys for use in the TCB. |
| Secure Boot and Remote Attestation | Secure boot is a UEFI feature that prevents malicious processes from executing during system boot. Cryptographic hash taken of boot loader to ensure integrity. TPM can sign hash for third-party verification (remote attestation). |
| FDE/SDE | Full disk encryption (FDE) and self-encrypting drives (SDE). Ensures storage devices are encrypted at the hardware level. Avoids attacks targeted at software-based encryption. |
| EMI Protection | Electromagnetic Interface can leak data from hardware. |
| EMP Protection | Electromagnetic Pulse can cause hardware to malfunction. Some TCB platforms can protect against these attacks. |
Security Baselines
Security Baselines are a collection of host security settings. Compare the baseline to the security settings of hosts in your network.
Baselines are Crucial for streamlining the host hardening process, don’t harden hosts in a vacuum.
Use the Baseline as a security template. Each Baseline will differ based on the computers function and operating system.
Software Updates
| Update Type | Description |
|---|---|
| Patch | Small unit of code created to fix a security issue or functionality bug. |
| Hotfix | A patch issued on an emergency basis to resolve a potential security threat. |
| Rollup | A collection of previously issued patches and hotfixes. |
| Service Pack | A large compilation of system updates that can include functionality enhancements and any previous patches, hotfixes, and rollups. |
Application Blacklisting and Whitelisting
Blacklisting: Preventing the execution of any application added to the blacklist.
- Drawback: You can’t block malicious apps you have not identified.
Whitelisting: Preventing the execution of any application not on a list of authorized applications.
- Drawback: Creation and maintenance of list increases overhead.
Logging
The process of an operating system or application recording data about activity on a compter.
- Logs stored as text files with varying levels of detail.
- Highly detailed logging can consume vast amounts of storage space.
- Logs can reveal information about suspected attacks.
- Restrict access to logs and back them up routinely.
Auditing
Performing an organized technical evaluation of a systems security to ensure it is in compliance.
- Similar to a security assessment
Auditing is focused more on ascertaining if the system meets its set of criteria.
- Criteria comes from laws, regulations, standards, and organizational policy.
- Most audits are performed by third parties.
- Example: External auditor checks to see if online merchant is in compliance with PCI DSS.
Commonly associated with reviewing log files.
- Can also test passwords, scan firewalls, review user permissions etc.
- Audits contribute to the overall hardening process.
Anti-Malware Software
Software that scans systems and networks for malicious software.
- Most scan for known malware.
- Some can scan for unknown malware.
- Install anti-malware on all computers.
- Keep anti-malware applications updated.
Types of Anti-Malware Software
| Anti-malware Type | Description |
|---|---|
| Anti-Virus | Scans for code matching virus patterns (Signature based). Can actively monitor system for virus activity (behavior based or heuristic). |
| Anti-Spam | Anti-spam filters detect keywords used in spam messages. Can block based on IPs of known spam sources. |
| Anti-Spyware | Designed specifically to identify and stop spyware Functionality may come packaged with anti-virus software |
| Pop-up Blocker | Prevents websites from executing pop-up elements in your browser. Most browsers include this functionality. |
| Host Based Firewalls | Not specifically designed for anti-malware. Can still block network traffic used by malware. |
Hardware Peripheral Security
| Peripheral | Security Considerations |
|---|---|
| Wireless Keyboards and Mice | Attackers can send forced input to wireless receivers. Stay current on firmware updates. Research devices known to be vulnerable. |
| Displays | Internet connected displays are susceptible to hijacking. Avoid using displays where their security is of concern. Stay current on firmware updates. |
| External Storage Devices | Can be used as an attack vector to load malicious code onto a host system. Disable autorun on the operating system. Avoid using Wi-Fi enabled microSD cards or update their firmware. |
| Printers and Multifunction Devices (MFDs) | Attackers may print unwanted material, waste ink, create a denial of service etc. Strong wireless security can prevent unauthorized access. Set device to wipe memory/storage after every job. |
| Cameras and Microphones | Multimedia devices can be used for eavesdropping. Block devices from being plugged in or activated. Change default password for internet connected devices. |
Embedded Systems
Hardware and software systems that have a specific function within a larger system.
- Larger systems include everything from home appliances to industrial machines.
- Embedded systems are found in all sorts of technology and industries.
Embedded systems do not have the complexity of a PC or Server.
- Their dedicated purpose often means less sophisticated architecture.
- May use all-in-one microcontroller rather than discrete CPU/memory components.
- May not have a GUI.
- May still have an Operating System.
- Larger systems may be user-friendly even if embedded system is not.
Security Implications for Embedded Systems
| System | Security Implications |
|---|---|
| ICS/SCADA | ICS Industrial Control Systems are networked systems that support critical infrastructure. SCADA Security Control and Data Acquisition is a control system which can send and receive signals to the embedded system. Standard security controls may not work in SCADA systems. |
| Microcontroller | Consolidates CPU, Memory, and Peripherals in one component. They often come with built in encryption engines. |
| RTOS | Real-Time Operating Systems are a Specialized type of OS. The Process Scheduler is predictable and consistent which is ideal for embedded systems. RTOS developers implement security features similar to other OSes. |
| Smart Devices | Electronic devices with network connectivity. Have autonomous computing properties. Security usually very weak. |
| IoT Devices | Internet Of Things devices are objects connected to the internet. IoT devices use embedded electronic components. Like Smart Devices, Security is usually very weak. |
| Camera Systems | IP Cameras are easier to manage than CCTV. Vulnerable to standard networking risks. Can use encryption protocols to protect recorded data. |
| Special Purpose Systems | ATMs, medical devices, vehicles etc. Security depends on the purpose and functionality of systems. |
Guidelines for Securing Hosts
- Keep up-to-date with Operating System Vendor security information.
- Apply security settings to all OSes.
- Create Security Baselines for all systems.
- Compare these Baselines to your systems current configurations.
- Consider implementing application Blacklisting or Whitelisting.
- Log all Critical Activity on Hosts.
- Review logs to identify suspicious behavior.
- Prepare for audits by external parties.
- Implement anti-malware solutions on hosts.
- Consider the Unique security implications of different hardware peripherals.
- Consider the Unique security implications of embedded systems.
Virtualization
Virtualization: Creating a simulation of a computing environment.
- Simulates hardware and software.
- You create virtual operating systems within an operating system.
You can run virtual Linux on physical Windows or vice versa.
Virtual Machine: A virtualized computer.
Advantages:
- Easier to manage.
- Cost-efficient.
- Power and resource efficient.
Hypervisors
A layer of software that separates the virtual software from the physical hardware it runs on.
- Manages resources on a physical host and provide them to the virtual guests.
- Provide flexibility and increased efficiency of hardware use.
- Type I: Runs directly on hosts hardware.
- Type II: Runs as an application on the host system.
Virtual Desktop Infrastructure (VDI)
Virtual Desktop Infrastructure uses virtualization to separate personal computing environment from the physical machine.
Virtual Desktop Environment (VDE)
A Virtual Desktop Environment is Virtual Machines running within Virtual Desktop Infrastructure (VDI).
- Deploying VDEs can make it easier to manage PC environments.
- Can also help mitigate costs associated with physical computers.
Virtualization Security
| Security Concern | Description |
|---|---|
| Patch Management | Ensure all patches are installed for VM software. Also apply patches to host and guest OSes when applicable. |
| Least Privilege | Only provide access to VMs for those that need it. Monitor access on a regular basis. |
| Logging | Use and System activity on VMs should be logged. Check logs regularly for suspicious activity or violations. |
| Networking | Virtual networking devices may have unique configurations. Possibility of failure to isolate traffic between host and guest or guest and guest. |
| Snapshots | Capture the state of a VM at a certain point in time (like system restore). Makes it easy to revert in case of compromise. |
| VM Sprawl Avoidance | Occurs when a number of VMs exceeds the ability to manage them. A compromised VM could go unnoticed. Implement VMLM solutions to avoid VM Sprawl. |
| VM Escape Protection | Triggers when a malicious process in the VM tries to escape the VM. Malicious code can interact with the Hypervisor and compromise the host. Keep VM software up to date and limit resources shared. |
Cloud Computing
Computing involving real-time communication over large, distributed networks to provide various resources to a consumer.
- Typically relies on the internet.
- “The Cloud” refers to the resources available on a particular service.
Resources like:
- Business services.
- Storage services.
- System resources.
- Consumer services.
- You can access and manage resources from anywhere.
- Storage methods and location are not visible to the consumer.
- Cloud computing uses virtualization to provision resources.
Cloud Deployment Models
| Deployment Model | Description |
|---|---|
| Private | Usually distributed by a single entity over a private network. Enables entities to exercise greater control over services. Usually used for Banking and Governmental services. |
| Public | Offers services over the internet to the public. Premium subscription services or may offer a basic service for free. Security concerns whenever valuable data is communicated over the internet. |
| Community | Multiple entities sharing ownership of the cloud service. Done to pool resources for a common concern. |
| Hybrid | Combines two or more of the deployment models above. Example: Private Cloud for an organizations internal personnel, public for customers. |
Cloud Service Types
| Service | Description |
|---|---|
| Software | “Software as a Service” (SaaS) uses cloud technology to provide apps to users. It eliminates installation and purchasing of specific versions. |
| Platforms | “Platform as a Service” (PaaS) provides virtual systems to customers. Can include Operating systems and application engines. |
| Infrastructure | “Infrastructure” as a Service (IaaS) provides access to infrastructure needs. Includes data centers, servers, networking etc. |
| Security | “Security as a Service” (SECaaS) integrates a security providers security services into an organizations infrastructure. Includes authentication, anti-malware, intrusion detection etc. A few providers of SECaaS; Cloudfare, FireEye, SonicWall |
Guidelines for Securing Virtualized and Cloud Based Resources
- Consider using virtualization in your organization.
- Identify which virtualization types are most suited to the organizations needs.
- Ensure VM software and OSes on hosts and guests are kept up to date.
- Enforce privilege of least privilege for access to VMs.
- Ensure VMs log critical events.
- Configure virtual networking devices to isolate communications when necessary.
- Take snapshots of optimal VM states.
- Incorporate VM life cycle management solutions.
- Understand the different cloud deployment models and service types.
- Consider offloading some security operations to SECaaS providers.
Mobile Device Connection Methods
| Connection Method | Description |
|---|---|
| Cellular | Wireless connection to transceivers in fixed locations across the world. Used by mobile phones primarily for voice chat and text messages but also data. Uses transport encryption but users have little control over security. |
| Wi-Fi | Wi-Fi networks provide local area connections for mobile devices. Can incorporate encryption and authentication if using secure protocols. Organizations have better control over Wi-Fi than Cellular. |
| Bluetooth | Wireless technology used for short range communications. Vulnerable to Bluejacking and Bluesnarfing. |
| NFC | Wireless communication in very close proximity. Used primarily for in person data exchange. Vulnerable to RF signal interception and DoS flooding. |
| Infrared | Signals sent in pulses of infrared light. Receivers need unobstructed view of signal. Directional requirements prevent data leakage. |
| SATCOM | Satellites relay line-of-sight signal communication all over the world. Communications are encrypted but implementation may be vulnerable. Military often use SATCOM. |
| ANT | Wireless technology similar to Bluetooth using low energy. Used primarily for communication between sensors. Has access control and encryption. |
| USB | Physical connection between device and computer or another device. Primarily used to transfer data between devices. Mitigates some wireless risks but still vulnerable to transmitted malware. |
Mobile Device Management (MDM)
The process of tracking, controlling and securing an organizations mobile infrastructure.
- MDM solutions are often web based platforms with a centralized console.
- You can enforce security on all mobile devices at once, rather than individually.
Mobile Device Security Controls
| Security Control | Description |
|---|---|
| Screen lock | Options should be enabled with strict policy to unlock. Can only be accessed by code user has set. |
| Strong Passwords and PIN. | User should set up strong password/PIN for lock screen. |
| Full Device Encryption | Data on devices should be encrypted to protect sensitive data. |
| Remote Wipe/lockout | Remote wipe: remotely delete sensitive data if device is lost or stolen. Remote Lockout: remotely trigger the lock screen if device is lost or stolen. |
| Geolocation and Geofencing | Geolocation: tracking the geographic location of devices. Geofencing: creating geographic boundaries for device functionality. |
| Access Controls | Uphold principle of least privilege. Consider context-aware authentication. |
| Application and Content Management | Set restrictions on what apps/content user can access. Consider blacklisting or whitelisting apps. |
| Asset Tracking and Inventory Control | Keep stock of all provisioned devices. All devices should be accounted for. |
| Push Notification Services | Push notifications are sent out by a centralized server to multiple devices. Send notifications as alerts in the event of an incident. |
| Limit Removable Storage Capabilities | Removable storage containing sensitive data may be easily lost or stolen. Limit the type of data stored on SD cards and similar storage media. |
| Storage Segmentation | Divide data storage along certain lines based on security needs. Supports access control for mobile devices. |
| Containerization | Mobile devices can isolate sensitive apps and storage from others. Several mobile OSes come with this functionality by default. |
| Disable Unused Features | Every unnecessary feature is a potential vulnerability. |
Mobile Device Monitoring and Enforcement
| Activity | Security Considerations |
|---|---|
| App Installation from Third-Party Stores | Third-party apps are not vetted to the degree of official store apps. Monitor third-party use or block altogether. |
| App Sideloading | Directly installing an app on a mobile device outside official app store. Monitor third-party store use or block use altogether. |
| Rooting/Jailbreaking | Rooting: gaining root privileges on Android for total control. Jailbreaking: removing software restrictions on iOS for third-party execution. Both can negatively impact inherent security measures on devices. |
| Custom Firmware Configuration | Root devices can have custom firmware installed. May open device up to security flaws or render device inoperable. |
| Firmware OTA Updating | Management system can send out updates over-the-air to firmware. Ensures devices won’t be running insecure firmware. |
| Carrier Unlocking | Users can unlock a devices ability to use a different mobile carrier. You may want to force devices to use a particular carrier. |
| Camera and Microphone Use | Devices can eavesdrop on sensitive information using camera and microphone. Monitor for such usage or disable functionality when possible. |
| Geotagging | Devices may imprint geographic coordinates on recorded media like photos. May reveal the location of sensitive assets. |
| External Media Use | Limit external media usage when possible. USB On-the-Go can connect two devices over USB and may leak sensitive data. |
| SMS/MMS Use | Personnel may leak sensitive info over SMS/MMS. If appropriate, you may need to consider monitoring such communications. |
| Wi-Fi Direct Use | Two devices can connect without an access point. May make it difficult to monitor wireless traffic. |
| Tethering | Sharing wireless internet connections with multiple devices. Example: phone providing cellular service to laptop when no Wi-Fi is available. Some carriers charge for tethering. |
| Payment Method Use | Many payment service apps available for mobile devices. You may need to monitor their use or enforce the use of a single payment app. |
Mobile Deployment Models
| Deployment Models | Description |
|---|---|
| Corporate-Owned | Organization is sole owner of devices and has full engagement control. Most secure. May be too strict to be feasible. |
| Bring Your Own Device (BYOD) | Employees own and manage personal devices. Brings new risks, security issues, and question of ownership. Becoming increasingly popular. |
| Choose Your Own Device (CYOD) | Employees choose from a vetted list of devices. Employee has control of the device. Attempts to mitigate BYOD vulnerabilities without being too strict. |
| Corporate Owned Personally Enabled (COPE) | Organization has some control which raises privacy concerns. Employees can still use devices for personal reasons. |
| Virtual Mobile Infrastructure (VMI) | Similar to VDI but used for mobile OSes. Employees connect to VMs running mobile OSes. Organization has control during work, employee has control after work. |
BYOD Security Controls
| Security Control | Description |
|---|---|
| Policies | Draft Corporate Policy for how BYOD is treated in the organization. Draft Acceptable Use Policy that employees need to follow. |
| Ownership Decisions | Define clear boundaries for who owns data on personal devices. Decide who should support devices in BYOD. |
| Patch Management and Anti-Malware | Implement patch management to mitigate vulnerabilities in devices. Require users run anti-malware software. |
| Architecture and Infrastructure Requirements | Expansion of existing infrastructure. Consider mobile devices when designing network architecture. |
| Forensics | Stay up to date with forensic procedures and tools. Consider the difficulties of performing a forensic analysis on devices you dont own. |
| Privacy Support | Employees may be wary of their privacy in BYOD environments. Show them how to keep information private. Give them the tools and knowledge to stay safe. |
Guidelines for Implementing Mobile Device Security
- Be aware of the different connection methods mobile devices are capable of.
- Be aware of the differing levels of control You have over these connection methods.
- Incorporate a mobile device management platform in your organization.
- Implement security controls on mobile devices.
- Monitor certain activities associated with mobile devices.
- Enforce policies to curtail or disable the use of certain mobile device activities.
- Consider the different ways that mobile devices can be deployed.
- Consider the risks of BYOD and implement security controls to mitigate BYOD vulnerabilities.
Software Development
The Software Development Life cycle
The practice of developing software across a lifecycle from initial planning to final deployment and obsolescence.
- Each developed app goes through distinct phases of this lifecycle.
- You must integrate security into each phase of the lifecycle.
The developed app goes through defined phases of its life cycle:
- Initiate
- Design
- Implement
- Test
- Deploy
- Dispose
Software Deployment Models
Waterfall
- Each phase begins when the previous phase ends.
- Suited for projects without major time constraints.
- Issues found early are easier to fix.
- Not suitable for a modular approach.
- Unable to account for all changes to security processes in any phase.
Agile
- Focuses on adaptive measures for phases.
- Development team can respond to changes more easily.
- Tasks broken up incrementally.
- Useful for complex or unstable projects.
- Rapid development can undermine security.
- Releasing new untested code can make it difficult to keep up with new threats.
DevOps
DevOps is the integration of software development with systems operations.
- The evolution in development.
- Aims to improve speed and reliability of operations.
- DevOps supports security automation, like rapid configuration of baselines.
If the development team is building an app with network functionality, network admins assist the team providing infrastructure to stress test the apps network capabilities.
Infrastructure as Code: Can be quickly configured through programming scripts and code files.
Versioning
Versioning ensures that changes to project assets are closely managed in discrete versions.
- Marks a milestone of changes as its own version number.
- Each version has a timestamp.
- Bugs and security issues are more easily addressed.
- Developers can revert to earlier versions if needed.
Secure Coding Techniques
| Technique | Description |
|---|---|
| Proper Input Validation | Involves limiting allowed input in fields. Also involves normalization of bad input. |
| Proper Error Handling | Errors should not reveal too much information. Anticipate errors to avoid default error messages. |
| Encryption | Encryption is vital in apps that store or transmit sensitive data. Make use of existing algorithms and techniques. |
| Code Signing | Digital signature that verifies authenticity and integrity of software. Users can verify the legitimacy of the app. |
| Obfuscation | Hides code so it’s harder to read. Can mitigate reverse engineering attempts. |
| Code Reuse | Use existing secure code that has been verified. Code often comes from third party libraries and Software Development Kits (SDK) |
| Limiting Dead Code | Code that executes without the relevant results required by the app. Remove dead code to minimize potential risks. |
| Server-side Vs Client-side | Server side should validate input and execute code not meant for user. Client side should handle execution of GUI-based code. |
| Limiting Data Exposure | Limit how much data the app exposes to a user. Important in systems that provide access to multiple users. |
| Memory Management | Some languages manage memory automatically (Python, Java, etc.) Some languages require manual management (C, C++, etc.) |
| Stored Procedures | Pre-compiled database statements used for input validation. Deny user access to underlying data. |
Code Testing Methods
| Testing Method | Description |
|---|---|
| Static Code Analysis | Reviewing source code in a non-executing state. Code can be reviewed manually by developers. Code can also be reviewed automatically with analysis tools. |
| Dynamic Code Analysis | Reviewing code while it executes. Reveals issues with unpredictable user input. Fuzzing: Sending an app random and unusual input. |
| Stress Testing | Evaluate how software performs under heavy load. Identify how the app could suffer a DoS condition. |
| Sandboxing | Testers configure specific operating environments in a sandbox. Provides tester with results from different contexts. |
| Model Verification | Evaluating how a project meets specifications defined earlier in development. Helps determine if end product fulfills stakeholder needs. |
Guidelines for Incorporating Security in the Software Development Life Cycle
- Integrate security into each phase of the SDL.
- Choose a development model that suits your security and business needs.
- Consider adopting a DevOps culture.
- Take advantage of software automation and infrastructure as code.
- Incorporate a version control system in the development process.
- Incorporate secure coding techniques to avoid vulnerabilities in code.
- Put your software project through various testing methods.
Host and software security are essential for safeguarding individual devices and the software they run. By understanding and implementing the security measures discussed in this post, you’ll be better equipped to defend against various threats. Whether you’re preparing for the CompTIA Security+ certification or seeking to enhance your cybersecurity expertise, this guide offers valuable insights.
You can find all of our CompTIA Sec+ guides here: CompTIA Sec+
We also have guides for the CompTIA A+ here: CompTIA A+
Recommendation:
Basic Security Testing with Kali Linux: https://amzn.to/3S0t7Vq
You are a very capable individual!
Thank you!