ias2 (2) reviewer.pdf
Document Details
Uploaded by AdmirableAtlanta1098
Full Transcript
Hardware Security Fundamentals

Three Common Computer Components:
1. Hardware: Physical parts of a computer like a keyboard or mouse.
2. Software: Programs or applications that run on the computer.
3. Firmware: Special software embedded in hardware that controls its operation.

Four Basic Computer Functions:
1. Input: Data entered into the computer (e.g., through a keyboard).
2. Processing: The computer processes the data and performs tasks.
3. Storage: Saving data for later use.
4. Output: The computer delivers processed data (e.g., displaying on a screen).

Dangers of IoT Devices
1. Easily-Hacked Operating System: Many IoT devices run on operating systems that are vulnerable to hacking due to weak security measures.
2. Outdated and Insecure Hardware: IoT devices often use hardware that lacks modern security features, making them susceptible to attacks.
3. Insecure Default Settings: Devices frequently come with default settings that are not secure, such as weak passwords or open ports, which can be easily exploited.

Security Threats

1. Physical Access: This threat involves unauthorized individuals physically accessing a device. This can lead to direct tampering, theft of sensitive data, or installation of malicious software.
Ex: An attacker gaining access to a server room and connecting a rogue device to the network.

2. USB: USB devices can be used to introduce malware or steal data. Attackers often use infected USB drives to exploit the auto-run feature or trick users into opening malicious files.
Ex: A seemingly harmless USB drive left in a public place, which when plugged into a computer, installs malware that steals sensitive information.

3. Bluetooth: Bluetooth connections can be exploited to gain unauthorized access to devices, intercept data, or spread malware. Vulnerabilities in Bluetooth protocols can be targeted by attackers.
Ex: An attacker using a Bluetooth sniffer to intercept data being transmitted between a smartphone and a wireless headset.

Man-in-the-middle: This attack occurs when an attacker secretly intercepts and possibly alters the communication between two Bluetooth devices without their knowledge.
Ex: An attacker intercepting data being transferred between a Bluetooth-enabled smartphone and a wireless headset, potentially altering the information or injecting malicious data.
- An attacker intercepts and potentially alters the communication between two Bluetooth devices.

Bluebugging: This involves gaining unauthorized access to a Bluetooth-enabled device to control its functions and access its data. Attackers can exploit vulnerabilities to eavesdrop on conversations, send messages, or make calls.
Ex: An attacker remotely accessing a victim's phone via Bluetooth to listen to their conversations or send unauthorized messages.
- Bluetooth, often used to eavesdrop or send messages.

Bluejacking: This is the practice of sending unsolicited messages to Bluetooth-enabled devices. While often considered more of a prank, it can be used to spread spam or phishing messages.
Ex: An attacker sending an unsolicited message to nearby Bluetooth devices, tricking users into clicking on a malicious link.
- Sending unsolicited messages to Bluetooth-enabled devices.

Bluesnarfing: This threat involves unauthorized access to information on a Bluetooth-enabled device. Attackers can steal data such as contacts, messages, and other sensitive information.
Ex: An attacker using specialized software to connect to a victim's phone via Bluetooth and download their contact list and text messages without their knowledge.
- Unauthorized access and theft of information from a Bluetooth-enabled device.

Avoid these attacks through:
1. Turn it off: Disable Bluetooth when not in use to prevent unauthorized access.
2. Pair carefully: Only pair with trusted devices to avoid connecting to malicious ones.
3. Strong PIN: Use a strong PIN for Bluetooth connections to enhance security.
4. Updates: Regularly update your device's software to patch security vulnerabilities.
5. Least functionality: Enable only necessary Bluetooth features to minimize potential attack vectors.

4. RFID: RFID (Radio-Frequency Identification) technology is used for wireless data transfer. Attackers can use RFID skimmers to read and clone RFID tags, leading to unauthorized access or data theft.
Ex: An attacker using an RFID reader to clone an access card, allowing them to enter a secure facility without authorization.

1. Data theft: This threat involves unauthorized individuals intercepting and stealing data transmitted between RFID tags and readers. Attackers can use specialized equipment to capture the radio signals and extract sensitive information.
Ex: An attacker using an RFID skimmer to read credit card information from RFID-enabled cards without the owner's knowledge.
- Unauthorized individuals can intercept and steal data transmitted between RFID tags and readers.

2. Unauthorized tracking: Attackers can track the location and movement of RFID-tagged items or individuals without permission. This can lead to privacy violations and unauthorized surveillance.
Ex: An attacker tracking the movements of a person by reading the RFID tags in their belongings, such as an RFID-enabled passport or access card.
- Attackers can track the location and movement of RFID-tagged items or individuals without permission.

3. Unauthorized access: Hackers can gain access to secure areas or systems by cloning RFID tags. This allows them to bypass security measures and gain entry to restricted zones or access sensitive information.
Ex: An attacker cloning an employee's RFID access card to enter a secure facility and steal confidential data or equipment.
- Hackers can gain access to secure areas or systems by cloning RFID tags.

---------------------------------------------------------------

Software Security Fundamentals

WHY IS IT IMPORTANT TO UPDATE YOUR DEVICE?
Updating your device ensures it has the latest security patches, fixes bugs, and improves performance.

Security Enhancements:
- Protection Against Vulnerabilities: Updates often include patches for security vulnerabilities that have been discovered since the last update. These vulnerabilities can be exploited by hackers to gain unauthorized access to your device and data.
- Defense Against Malware: New types of malware and viruses are constantly being developed. Updates help protect your device by including the latest security measures to combat these threats.

Bug Fixes:
- Improved Stability: Updates fix bugs that can cause your device to crash or behave unpredictably. This leads to a more stable and reliable user experience.
- Enhanced Performance: Bug fixes can also improve the overall performance of your device, making it run smoother and faster.

New Features and Improvements:
- Access to New Features: Updates often bring new features and functionalities that enhance the usability and capabilities of your device.
- User Experience Enhancements: Updates can include improvements to the user interface and user experience, making your device easier and more enjoyable to use.

Compatibility:
- Support for New Applications: Updates ensure that your device remains compatible with the latest applications and software. This is particularly important as developers often optimize their apps for the latest operating systems.
- Hardware Compatibility: Updates can also include drivers and other software that ensure your device works well with new hardware peripherals.

Compliance and Standards:
- Regulatory Compliance: Updates can help ensure that your device complies with the latest regulatory standards and industry best practices.
- Interoperability: Keeping your device updated ensures it can effectively communicate and work with other devices and systems that are also up-to-date.

Mobile Applications: Trusted Sources
- Apple Store: The official app store for iOS devices, known for its strict security standards and quality control.
- Play Store: The official app store for Android devices, offering a wide range of apps that are regularly checked for security and quality.

SQL Injection
An SQL Injection attack is one where a hacker sends malicious SQL queries through website input fields to manipulate the database, potentially gaining unauthorized access to data or administrative functions. This highlights the importance of securing web applications against such vulnerabilities.

1. Broken Authentication: This occurs when authentication mechanisms are flawed, allowing attackers to compromise passwords, keys, or session tokens to assume other users' identities. Attackers can gain unauthorized access to personal accounts and sensitive information.
2. Broken Access Control: This happens when restrictions on what authenticated users are allowed to do are not properly enforced, leading to unauthorized actions. Unauthorized users can access, modify, or delete data they shouldn't have access to.
3. Insecure Deserialization: This vulnerability arises when untrusted data is used to abuse the logic of an application, leading to remote code execution or other attacks. Attackers can execute arbitrary code, potentially taking control of the system.
4. Sensitive Data Exposure: This occurs when applications do not adequately protect sensitive information such as financial data, health records, or personal identifiers. Sensitive data can be accessed by unauthorized parties, leading to privacy breaches and identity theft.
5. Security Misconfiguration: This happens when security settings are not defined, implemented, or maintained correctly, leaving systems vulnerable to attacks. Systems can be easily exploited due to weak security settings.
6. Using Known Insecure Components: This involves using software components with known vulnerabilities, which can be exploited by attackers. Attackers can exploit these vulnerabilities to compromise the system.
7. XML External Entities (XXE): This vulnerability occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser, leading to data exposure or remote code execution. Attackers can access sensitive data or execute malicious code.
8. Cross-Site Scripting (XSS): This happens when an application includes untrusted data in a web page without proper validation or escaping, allowing attackers to execute scripts in the user's browser. Attackers can steal session tokens, deface websites, or redirect users to malicious sites.
9. Insufficient Logging & Monitoring: This occurs when security events are not logged or monitored adequately, making it difficult to detect and respond to breaches. Security incidents can go unnoticed, allowing attackers to cause more damage.

---------------------------------------------------------------

Malware Fundamentals

1. Cryptomining
Malware that secretly uses a computer's resources to mine cryptocurrency.
Cryptomining malware, also known as cryptojacking, operates by hijacking a victim's computer or network to mine digital currencies like Bitcoin without their consent. This can severely degrade system performance and increase electricity costs, often without the user even knowing it's happening. Crypto mining malware accounts for ~20% of all malware attacks worldwide.

2. Mobile Malware
Malware targeting smartphones and tablets.
Mobile malware infects mobile devices through apps, links, or malicious files. It can steal sensitive data, track user activities, or even control the device remotely. This type of malware is particularly dangerous due to the widespread use of mobile devices for personal and business communications.
Dropper: A type of mobile malware that "drops" or installs additional malicious software onto a device, usually hiding its true purpose during installation.
Adware: Malware that forces unwanted ads to appear on a mobile device, often generating revenue for the attacker or causing a poor user experience by displaying excessive pop-ups or redirecting the user to malicious sites.

3. Botnet
A network of infected devices controlled remotely.
Botnets consist of large groups of computers, called "zombies," that have been infected with malware, allowing an attacker to control them remotely. These networks can be used to launch large-scale attacks like Distributed Denial of Service (DDoS), sending spam, or spreading other malware, all without the device owner's knowledge. In the first half of 2022, almost a quarter of organizations worldwide were infected by botnet malware.

4. Spyware
Malware that secretly tracks user activity.
Spyware is designed to covertly gather information from a user's computer or mobile device, such as passwords, browsing habits, or financial data. It runs silently in the background and sends the collected data to third parties, often leading to privacy breaches or identity theft.

Symptoms of Spyware

Random Reboots
The device restarts unexpectedly without the user's action.
Spyware can cause a device to randomly reboot as it interferes with normal system processes, often due to the execution of background activities that strain the system or conflict with legitimate software.

Slow Performance
The device runs much slower than usual.
Spyware consumes system resources like memory and CPU power, leading to noticeable slowdowns in overall performance, making apps and processes take longer to load and operate.

Strange Text Messages
The device sends or receives unusual or suspicious messages.
Spyware may use the device to send texts or links to contacts, spreading the malware or giving the attacker control, often resulting in unsolicited messages with unknown content appearing in your inbox.

Overheating
The device becomes unusually hot.
Spyware running constantly in the background causes the processor to overwork, generating excessive heat, which can make the phone overheat even during light usage or when idle.

Unusually High Data Usage
The device uses more data than usual.
Spyware often communicates with external servers, sending stolen data or receiving commands, which leads to higher-than-normal data consumption, even when the device is not actively in use.

Unfamiliar Apps on Your Device
Unknown apps appear on the device without your knowledge.
Spyware can install additional apps without permission, often to perform malicious activities, and these unfamiliar apps are a common sign of infection, as they operate without user initiation.

5. Trojan
Malware disguised as legitimate software.
Trojans appear as harmless or useful software but, once installed, they execute malicious activities. These activities may include opening a backdoor for remote access, stealing sensitive information, or installing additional harmful software. Unlike viruses, Trojans do not replicate themselves but rely on deception to get installed by the user.

Common Types of Spyware

1. Keylogger
Records everything you type on a keyboard.
Keyloggers capture and log keystrokes, allowing attackers to steal sensitive data like passwords, credit card numbers, and private communications without the user knowing.

2. Adware
Displays unwanted ads on your device.
Adware is designed to bombard users with intrusive ads, often redirecting them to malicious websites or slowing down the device, sometimes collecting personal data in the process.

3. Browser Hijackers
Redirects your browser to unwanted websites.
Browser hijackers change browser settings, redirecting users to specific websites, often to increase ad revenue for the attacker or to deliver additional malware.

4. Trojan Horse
Disguises itself as legitimate software to harm your device.
Trojan horses trick users into installing what seems to be harmless software, but once installed, they perform malicious activities like stealing data, creating backdoors, or spreading more malware.

5. Rootkit
Hides malware deep within your system.
Rootkits allow attackers to gain administrative access to a system while remaining hidden, making it difficult to detect and remove malware or other unauthorized access.

6. Cookie Trackers
Tracks your online activity using cookies.
Cookie trackers collect information about your browsing habits and personal preferences, often used for targeted advertising or even selling your data to third parties without your consent.

7. Password Theft
Steals your stored passwords.
Password theft involves malware designed to extract saved passwords from browsers or password managers, giving attackers direct access to online accounts, including email, banking, and social media.

8. Stalkerware
Tracks someone's activities without their consent.
Stalkerware is designed to monitor a person's private activities, including location, messages, and app usage, often used by someone close to the victim, such as a partner or employer, for surveillance purposes.

9. Web Beacons
Invisible trackers embedded in websites or emails.
Web beacons, or pixel tags, are small invisible images or snippets of code used to track user behavior on websites or in emails, such as when an email is opened, often used by marketers or attackers to collect detailed information without the user knowing.

Rootkit vs RAT (Remote Access Trojan)

What separates a rootkit from a regular Trojan is that a rootkit occupies Ring 0 (aka root or kernel level), the highest run privilege available, which is where the OS itself runs.
A rootkit type, known as a "bootkit", can even start running before the OS does. Rootkits operate at a deeper system level, aiming to conceal malicious activities and other malware, making them much harder to detect and remove.

A RAT serves as a "backdoor" into the system, allowing an attacker to:
- Install/launch software
- Send keystrokes
- Download/delete files
- Activate microphone/camera
- Watch the screen
- Log computer activity

A RAT focuses on providing remote control of a system to the attacker at a user level, allowing visible manipulations.

2 Types of Keylogger

Hardware Keylogger
A physical device connected to a computer to record keystrokes.

Software Keylogger
A program installed on a computer to track and log every keystroke typed.

Tips to prevent keylogging:
- Keep checking for unwanted software and delete it
- Don't download files from unwanted sources
- When using banking sites, use a virtual keyboard
- Use password managers
- Use a powerful and next-gen anti-virus security suite

Antivirus and Malware Scanners

Antivirus is software designed to detect, prevent, and remove malicious programs (malware) from a computer.
- Computer-File Focused: Antivirus scans files because malware is often embedded within files that run on the system, such as programs or documents.
- Signature-Based: Antivirus relies on known malware signatures (unique patterns) to identify and block malicious files, comparing the code of scanned files to a database of known threats.

Next-generation antivirus (NGAV) went one step further by monitoring a computer's memory and using predictive analytics.

Endpoint Protection Platform (EPP)

EPPs are designed to detect and block malicious activities on endpoints (like computers and mobile devices). They use techniques such as:
- Sandboxing: Isolating suspicious files or programs in a controlled environment to observe their behavior without risking the main system.
- Filtering: Heavily filtering IP addresses, URLs, and applications to prevent access to known malicious sources.

Example: Microsoft Defender Advanced Threat Protection
- Function: This is an example of an EPP that provides advanced threat protection by detecting and responding to threats in real-time.

EPPs are fundamental in cybersecurity because they provide a first line of defense against malware, ensuring that harmful activities are detected and blocked before they can cause damage.

Endpoint Detection and Response (EDR)

EDR solutions aim to provide real-time visibility into endpoint activities by continuously recording data and responding to threats.
- Components:
  - Real-Time Visibility: EDR tools monitor and log activities on endpoints (like computers and mobile devices) to detect suspicious behavior.
  - Threat Response: They can automatically respond to detected threats, such as isolating infected devices or blocking malicious activities.

Visual Representation
- Network Diagram: The image shows a network with three platforms:
  - Left Platform: Represents an individual monitoring endpoints.
  - Central Platform: Symbolizes data storage or processing.
  - Right Platform: Indicates security measures with a lock and shield icon.

EDR is crucial in cybersecurity as it helps organizations quickly detect and respond to potential threats, minimizing the impact of cyberattacks.

Security Incident Containment
Prevents the spread of security breaches.
Security Incident Containment refers to the capability of an EDR system to limit the extent of a breach and prevent it from spreading to other parts of the network, effectively isolating the threat to minimize damage.

Threat Detection
Identifies potential security threats.
Threat Detection is the process through which an EDR system continuously monitors for suspicious activities or anomalies that may indicate a security threat, allowing for early identification and mitigation of potential attacks.

Incident Response
Addresses and resolves security incidents.
Incident Response involves the set of actions taken by an EDR solution to address a detected security incident, which can include eradicating the threat, recovering affected systems, and restoring normal operations to ensure minimal disruption.

Incident Investigation
Analyzes the cause and impact of security incidents.
Incident Investigation is the capability that allows an EDR system to perform in-depth analysis and forensics on security incidents to understand their cause, scope, impact, and the methods used by attackers, helping to improve future defenses.

Extended Detection and Response (XDR)
XDR provides centralized visibility into advanced threats.
XDR integrates multiple security tools and data sources, including EDR (Endpoint Detection and Response), SIEM (Security Information and Event Management), and SOAR (Security Orchestration, Automation, and Response), to offer a comprehensive view of security threats across an organization, enabling more effective detection and response.

If you are too small, you can outsource your whole system to a Managed Detection & Response (MDR) vendor. Beware! Outsourcing has its fair share of caveats.

Endpoint Detection and Response (EDR)
EDR monitors and responds to threats on endpoints.
EDR solutions focus on detecting, investigating, and responding to suspicious activities on endpoints like computers and mobile devices, providing real-time visibility and automated responses to mitigate threats.

Security Information and Event Management (SIEM)
SIEM collects and analyzes security data.
SIEM systems aggregate and analyze log data from various sources within an organization to identify patterns and anomalies that may indicate security incidents, providing insights and alerts for further investigation.

Security Orchestration, Automation, and Response (SOAR)
SOAR automates security operations.
SOAR platforms streamline and automate security operations, including threat detection, incident response, and remediation processes, by integrating various security tools and workflows, thereby improving efficiency and reducing response times.

Application Control
Restricts computers to run only pre-approved programs.
Application Control is a security measure that transforms computers into appliances that can only execute software that has been explicitly approved by the organization. This prevents unauthorized or potentially harmful applications from running, thereby reducing the risk of malware infections and ensuring compliance with security policies.
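
The difference between signature-based antivirus (Antivirus and Malware Scanners, above) and Application Control can be seen by running both decisions over the same files. This is an added example, not part of the original reviewer; the file names, file contents and the signature name are constructed for illustration.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Fingerprint a file's contents."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample "files": byte strings stand in for programs on disk.
SAMPLES = {
    "payroll.exe": b"MZ payroll application v1.2",
    "payroll_updated.exe": b"MZ payroll application v1.3",
    "invoice_viewer.exe": b"MZ CONSTRUCTED-BAD-MARKER dropper stage",
    "free_game.exe": b"MZ program nobody has catalogued yet",
}

# Antivirus signature database: what is already known to be bad.
KNOWN_BAD_HASHES = {sha256_hex(SAMPLES["invoice_viewer.exe"])}
KNOWN_BAD_PATTERNS = {"Constructed.Dropper.A": b"CONSTRUCTED-BAD-MARKER"}

# Application control list: what the organization has explicitly approved.
APPROVED_HASHES = {sha256_hex(SAMPLES["payroll.exe"])}


def antivirus_verdict(data: bytes) -> tuple:
    """Default allow: block only files that match a known signature."""
    if sha256_hex(data) in KNOWN_BAD_HASHES:
        return "block", "hash matches known malware"
    for name, pattern in KNOWN_BAD_PATTERNS.items():
        if pattern in data:
            return "block", f"byte pattern {name}"
    return "allow", "no signature matched"


def application_control_verdict(data: bytes) -> tuple:
    """Default deny: run only files whose hash is on the approved list."""
    if sha256_hex(data) in APPROVED_HASHES:
        return "allow", "hash is on the approved list"
    return "block", "not on the approved list"


def compare(samples: dict) -> dict:
    """Return {file name: (antivirus decision, application control decision)}."""
    return {
        name: (antivirus_verdict(data)[0], application_control_verdict(data)[0])
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, (av, ac) in compare(SAMPLES).items():
        print(f"{name:22} antivirus={av:6} application_control={ac}")
```

The uncatalogued program passes the signature check because nothing in the database describes it, while application control refuses it by default. The updated payroll build is refused as well until its new hash is approved, which is the maintenance cost of an approved-only policy.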