Topic_3-Endpoint Security Concepts

The document outlines key concepts in endpoint security, focusing on the importance of understanding various operating systems (Windows, macOS, Linux) and their security features. It covers essential practices such as privilege escalation prevention, hardware and software inventory management, data backups, and regulatory compliance. Additionally, it emphasizes the significance of BYOD policies and the use of endpoint tools like Netstat, NSlookup, and TCPdump for effective cybersecurity management.

Uploaded by

Asad Raza

ENDPOINT SECURITY CONCEPTS

CCST CYBERSECURITY
DURATION: 3 MONTHS
AMEER HAMZA
GOVERNMENT COLLEGE OF TECHNOLOGY, SAMANABAD,
FAISALABAD

CONTENTS
- Windows, macOS and Linux
- Security Features, CLI, PowerShell
- File and Directory Permissions
- Privilege Escalation
- Endpoint Tools: Netstat, NSlookup, TCPdump
- Hardware and Software Inventory
- Program Deployment, Data Backups
- Regulatory Compliance, BYOD
- Windows and Application updates
- Device Drivers, Firmware, Patching
- Event Viewer
- Audit, System and Application logs
- Syslog, Anomaly Identification
- Scanning Systems and Logs
- Malware Remediation

Windows, macOS and Linux Operating Systems
- Security professionals must be comfortable with the most popular operating systems to better understand how to use their services to build a more secure environment.
- Most computers in today's infrastructures run one of the three most popular operating systems: Microsoft Windows, Apple macOS or a Linux distribution.
- You may also encounter the UNIX operating system, but since Linux is an open-source close cousin of UNIX, we will focus on Linux distributions.
- Despite the differences in the way these operating systems appear and function, their primary purpose is the same: to provide access to system resources, and controls to limit that access to authorized individuals.
- You should become familiar with each of the primary operating systems and be able to use the basic functions of each one.
Windows Operating System
- The Windows family of operating systems is made up entirely of Microsoft products.
- Windows operating system versions come in both workstation and server varieties.
- All Windows versions share a graphical user interface (GUI) look and feel that makes it easy to move from one Windows computer to another.
- Since Windows is one of the most popular operating systems in use today, it is likely that you have already seen what Windows looks like.
macOS Operating System
- The Apple macOS operating system is another operating system built around ease of use and a native GUI.
- macOS is the second most popular operating system after Windows and is the primary operating system for Apple Mac computers.
- macOS shares much of its history with Linux and other UNIX-like operating systems.
- Although the macOS GUI may not look like a UNIX-like environment, the core of the operating system shares its UNIX lineage with Linux distributions.
- macOS has long been the choice for anyone working with various types of media or those involved in artistic endeavors.
Linux Operating System
- The last of the main three operating systems you will likely encounter is Linux.
- Although Linux is referred to as a single operating system, it is actually a growing number of separate distributions.
- One of the more popular distributions of Linux is Ubuntu.
- Linux started as an open-source alternative to the UNIX operating system.
- The core code is open source and freely available to anyone.
- Because of its availability, multiple organizations have built their own distributions of Linux, which has resulted in an ever-growing number of flavors of Linux available today.
- Several GUI desktops are available for different Linux distributions, and many distributions are available for a wide variety of computing needs.
Security Features
- Most operating systems are not considered security software or security controls, but they often include features and options that help enforce security.
- Cybersecurity professionals need to understand what operating systems do and how they contribute to a secure environment.
- One of the most important services an operating system provides is identification, authentication and authorization.
- The first interaction with any operating system is almost always the sign-in screen.
- This is where a subject provides an identity and the operating system challenges that identity by requesting authentication credentials.
- Once the operating system authenticates the identity claim, the authorization layer takes over and determines what that identity is allowed to do.
Security Features
- In addition to providing authentication and authorization and supporting accounting of activity, operating systems can provide additional controls that limit access to connected resources.
- One example of how an operating system can provide an additional layer of security assurance is the Microsoft Windows Defender product.
- Windows Defender is an anti-malware solution originally provided as a downloadable program, but it has been installed as part of the Microsoft Windows operating system since Windows 8.
- Although third-party anti-malware software is available and recommended, Windows Defender is a recommended layer of control for all Windows computers.
Security Features
- Another layer of security that operating systems commonly provide is the host-based firewall.
- Since operating systems manage interaction with hardware resources, and networking hardware falls in that domain, it makes sense that the operating system is a good place to put controls over network traffic.
- In other words, the operating system is well positioned to enforce rules over what traffic is authorized and what is not.
- For this reason, most operating systems include firewall capabilities.
- Let's look at two such instances: the Microsoft Windows Defender Firewall and a firewall in the Linux operating system.
- Click on the Start button and type Defender, then select Windows Defender Firewall.
CLI and PowerShell

File and Directory Permissions
- Some of the primary security functions of the operating system are authentication, authorization and accounting (AAA). The main purpose of authenticating identities and associating authority with those identities is to use that information to enforce access controls.
- Access control is any control that limits access to protected resources based on an identity and its authority. It provides much of the foundation of information security. The most common class of access controls is implemented to restrict access to files and directories. Most operating systems in use today use permissions to enforce access controls.
- Permissions are definitions of actions that are allowed or denied based on an identity association.
- An identity can refer to an account or to a security group to which an account belongs.
- Role-based access control: job roles are commonly implemented as user groups in Windows, Linux and macOS.
For more details: https://www.pluralsight.com/blog/it-ops/linux-file-permissions
Privilege Escalation
- One of the goals of an attacker is privilege escalation.
- When a subject signs into any operating system or software application, the authorization layer determines what that identity is able to do.
- Attackers generally start with very limited privileges and attempt to find ways to add permissions and privileges to their identity.
Privilege Escalation
- One of the jobs of a cybersecurity professional is to prevent unauthorized privilege escalation.
- You may have noticed from time to time that, while running normal activities, you are prompted to elevate permissions for a short period of time.
- Some functions require elevated permissions for a limited time to carry out certain activities.
- In many cases, such privilege escalation occurs with no notice.
- A program may run with elevated permissions to carry out an authorized function on behalf of a limited-permission subject.
- One advanced tactic attackers use is to attempt to generate an error or break out of a program during an elevated-privilege session.
- If an attacker can break out of an elevated-permission session, the attacker may end up at a command line while retaining elevated permissions.
- This outcome is dangerous and can lead to an attacker carrying out dangerous, unauthorized actions.
Endpoint Tools: Netstat
- The netstat command displays which connections a particular node uses to communicate with other nodes.
- Most operating systems include the netstat command, typically as a CLI utility, and its usage and output differ slightly between operating systems.
- A connected socket is a program with an established network connection.
- There are four main options that are commonly used with netstat; many more options are available beyond these four.
1. The -a option lists all connections. On most systems, that will be quite a long list.
2. The -l option shows all ports that are actively listening. A listening port means that a program has opened the port and is waiting for input.
3. Adding the -t option returns only TCP information.
4. Adding the -u option returns only UDP information.
Endpoint Tools: Netstat
- The netstat utility can also display protocol usage statistics. Type netstat -s to see netstat's statistics report.
- The netstat statistics report shows the number of packets and actions taken, broken down by protocol.
- Attackers often use netstat to identify potential attack points.
- As a security professional, when you run netstat in your own environment, you want to ensure that you recognize each listening connection that netstat reports.
- Any unknown connection could indicate that an attacker has placed unauthorized software on a computer.
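The "recognize each listening connection" advice above, turned into a check, as an added example that is not from the course slides: it parses `netstat -tuln` style output and compares the listeners against a per-host allowlist. The netstat output and the baseline are constructed sample data.

```python
"""Added example (not from the course slides): compare the listeners that
`netstat -tuln` reports against a per-host allowlist. The netstat output and
the baseline below are constructed sample data."""
import re
from typing import List, Set, Tuple

# Constructed sample of `netstat -tuln` output in the Linux format.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 0.0.0.0:5353            0.0.0.0:*
"""

# Hypothetical baseline for this host: (protocol, port) pairs that should be listening.
BASELINE: Set[Tuple[str, int]] = {("tcp", 22), ("tcp", 80), ("tcp", 631), ("udp", 68)}

# proto, recv-q, send-q, local address, foreign address, optional state
LINE_RE = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+)\s+\S+(?:\s+(\S+))?")

Listener = Tuple[str, str, int]  # (protocol, bind address, port)


def parse_listeners(output: str) -> List[Listener]:
    """Return every listening socket in the output.

    TCP sockets count only in LISTEN state; UDP has no connection state, so
    every bound UDP socket shown by `-l` is treated as a listener."""
    listeners: List[Listener] = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner and header lines
        proto, local, state = m.groups()
        proto = proto.rstrip("6")  # tcp6/udp6 belong to the same service family
        if proto == "tcp" and state != "LISTEN":
            continue
        addr, _, port = local.rpartition(":")  # handles IPv6 forms such as :::80
        listeners.append((proto, addr, int(port)))
    return listeners


def audit_listeners(output: str, baseline: Set[Tuple[str, int]] = BASELINE):
    """Return (unexpected, missing): listeners absent from the baseline, which
    need investigation, and baseline services that are not actually listening."""
    found = parse_listeners(output)
    seen = {(proto, port) for proto, _, port in found}
    unexpected = [l for l in found if (l[0], l[2]) not in baseline]
    missing = sorted(baseline - seen)
    return unexpected, missing


if __name__ == "__main__":
    unexpected, missing = audit_listeners(SAMPLE_NETSTAT)
    for proto, addr, port in unexpected:
        print(f"INVESTIGATE: unexpected {proto} listener on {addr}:{port}")
    for proto, port in missing:
        print(f"WARNING: expected {proto}/{port} service is not listening")
```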
Endpoint Tools: NSlookup
- The nslookup (DNS lookup) utility is another CLI utility that helps in troubleshooting DNS servers. The utility takes a hostname as input and returns the IP address associated with that hostname.
- Alternatively, nslookup will take an IP address and return the hostname associated with it. You can use the nslookup utility to determine whether your DNS server is working properly, has been compromised or is simply not returning the information you expect.
- By default, the nslookup utility uses the primary DNS server from your IP settings.
- You can tell nslookup to use a different DNS server, and you can even update your DNS server settings using the utility.
Endpoint Tools: TCPdump
- Every good cybersecurity utility toolbox should include the tcpdump utility. The tcpdump CLI utility allows the user to monitor TCP network traffic and displays the contents of the packets received from or sent to a connected network.
- The tcpdump utility provides many options that allow network traffic to be filtered so that the output contains only what we want to see. If we want to see all the traffic going to and coming from a specific IP address, tcpdump can do that.
- We can also look at all traffic on a particular interface or just the traffic for a specific subnetwork.
- The tcpdump utility makes it easy to sniff network traffic and examine what is really on your network.
- Type tcpdump -nSx port 443 in a Kali terminal.
Endpoint Systems and Standards: Hardware Inventory
- In many cases, all it once took to list the assets connected to a network was to visit each known network connection and see what was plugged in.
- As networks have grown more complex, more modular and include multiple wireless components, the job of identifying network assets is increasingly complex.
- Despite the complexity, it is essential to know just what devices are connected to a network at any point in time.
- Physical inventories are still important, but they only play a part in contributing to the total asset awareness of the modern network.
- Network scanners, such as the Nmap utility, are useful in identifying nodes based on network activity.
- The best approach to maintaining awareness of network assets is to frequently scan your networks and compare the results to a hardware inventory list. Any differences should be noted and explored.
Endpoint Systems and Standards: Hardware Inventory
- The main reason for maintaining network asset lists is to ensure that each node connected to your network is an authorized node and complies with network connection requirements.
- Any insecure node that is connected to your network risks the security of the entire network.
- Frequent scanning can identify rogue nodes and provide input for security professionals to take further action.
- In addition to simply knowing what nodes exist on your network, it is important to document the configuration of each node with respect to network connection parameters.
- It is important to manage the services running on each node and control how each one is accessed, both internally and externally.
- This level of control always starts with a clear understanding of what assets are connected to a network.
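The scan-versus-inventory comparison the two slides above describe, as an added example that is not from the course slides: it reads an Nmap ping-sweep result in grepable (`-oG`) format, compares it with an inventory CSV and reports rogue, missing and renamed addresses. The inventory, scan output, addresses and host names are all constructed assumptions.

```python
"""Added example (not from the course slides): compare an Nmap ping-sweep
result with a hardware inventory list and report the differences that should
be noted and explored. Inventory and scan output are constructed sample data."""
import csv
import io
import re
from typing import Dict, List

# Constructed inventory, as it might be exported from an asset spreadsheet.
SAMPLE_INVENTORY_CSV = """\
hostname,ip,owner
fileserver,192.168.10.10,IT
printer,192.168.10.20,Facilities
hr-laptop,192.168.10.31,HR
"""

# Constructed output of `nmap -sn -oG - 192.168.10.0/24` (grepable format).
SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample) as: nmap -sn -oG - 192.168.10.0/24
Host: 192.168.10.10 (fileserver.corp.example)\tStatus: Up
Host: 192.168.10.20 (lab-pc.corp.example)\tStatus: Up
Host: 192.168.10.77 ()\tStatus: Up
# Nmap done (constructed sample): 256 IP addresses (3 hosts up)
"""

# "Host: <ip> (<reverse DNS name or empty>)   Status: <Up|Down>"
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\s+Status: (\w+)")


def parse_grepable(scan_text: str) -> Dict[str, str]:
    """Return {ip: reverse-DNS name or ''} for every host the scan reports Up."""
    up: Dict[str, str] = {}
    for line in scan_text.splitlines():
        m = HOST_RE.match(line)
        if m and m.group(3) == "Up":
            up[m.group(1)] = m.group(2)
    return up


def audit_inventory(inventory_csv: str, scan_text: str) -> Dict[str, List[str]]:
    """Three kinds of difference between the inventory and what is really there:
    rogue         - responding address that is not in the inventory
    missing       - inventoried address that did not respond (offline or moved)
    name_mismatch - address answering to a different name than recorded, which
                    can mean the address has been reused by an unknown device"""
    inventory = {row["ip"]: row for row in csv.DictReader(io.StringIO(inventory_csv))}
    up = parse_grepable(scan_text)
    rogue = sorted(ip for ip in up if ip not in inventory)
    missing = sorted(ip for ip in inventory if ip not in up)
    name_mismatch = sorted(
        ip for ip, rdns in up.items()
        if ip in inventory and rdns and rdns.split(".")[0] != inventory[ip]["hostname"]
    )
    return {"rogue": rogue, "missing": missing, "name_mismatch": name_mismatch}


if __name__ == "__main__":
    for kind, ips in audit_inventory(SAMPLE_INVENTORY_CSV, SAMPLE_SCAN).items():
        print(f"{kind}: {', '.join(ips) or 'none'}")
```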
Software Inventory and Program Deployment
- One of the best ways to prevent cybersecurity attacks is to maintain an accurate accounting of the hardware connected to your network and the software that runs on each hardware device.
- Understanding the hardware and the software running on it helps security professionals identify any vulnerable components that may provide an attack vector into a network environment.
- Collecting inventory information for hardware and software and then examining known vulnerabilities is a task both attackers and ethical hackers perform to find vulnerabilities first.
- The main difference between a secure environment and being a victim is who finds the vulnerabilities first. There is no substitute for knowing your environment, both its strengths and weaknesses. Knowing your weaknesses allows you to deploy controls to make your environment less vulnerable to attack.
Endpoint Systems and Standards: Data Backups
- Several types of integrity and availability attacks result in data that is either untrusted or unavailable. The best way to respond to such attacks is to restore data to a trusted and available state.
- One way to restore data to a trusted and available state is to ensure that critical data is copied to a secondary source that is safe from attack.
- In the case of any form of primary data loss, the secondary copy can be used to restore operational trust and availability.
- The key to a good backup strategy is to create frequent copies, store them in a secure manner and have sufficient procedures to restore the secondary copy to operational status as quickly as possible. Although easy to state, implementing these goals can be difficult.
Endpoint Systems and Standards: Data Backups
- Creating a backup policy involves identifying the data to back up, the frequency of creating backups, the type of backups to create and the method to transport and store backups in their final location.
- Once aggressive backups are created and stored securely, they are useless unless a well-planned restoration process exists to restore the backups to the original data locations.
- It is little more than selecting what to back up, where to back it up and when to back it up.
- In many cases, the combination of local backups transported to a secondary location and cloud backup solutions provides multiple layers of resilience.
- Always remember that the goal is to restore operations after an interruption as soon as possible.
- Aggressive backups are good, but only if a tested restoration process exists to use those backups.
Regulatory Compliance
- Compliance requirements are both a curse and a blessing.
- It may seem as though organizations must jump through unusual hoops to satisfy compliance requirements, but in doing so, those organizations are likely to become more secure.
- In pursuing compliance, be careful to avoid equating compliance with security.
- Compliance should be considered the minimal level of security.
- Several compliance requirements place restrictions and performance mandates on organizations.
- The specific mandates with which your organization must comply depend on the nature of your organization.
Regulatory Compliance
- Some of the most important compliance requirements placed on organizations include PCI DSS, HIPAA, FISMA, FERPA and GDPR.
- The Payment Card Industry Data Security Standard (PCI DSS) requirements apply to any organization that accepts, processes or even stores any payment-card-related data.
- The Health Insurance Portability and Accountability Act (HIPAA) applies to any healthcare-related organization that collects, processes or stores personal health information.
- The Federal Information Security Management Act (FISMA) applies to a large range of organizations that process or store U.S. government information.
- The Family Educational Rights and Privacy Act (FERPA) governs access to educational information, specifically data related to students.
- Finally, the General Data Protection Regulation (GDPR) applies to any organization that interacts with European Union citizens.
Endpoint Systems and Standards: BYOD
- An attractive attack vector for attackers is the growing number of personal devices used to connect to protected corporate resources.
- The commonly used term for personnel using their personal devices is bring your own device (BYOD).
- BYOD policies establish guardrails for how personal devices may be used to access critical corporate resources.
- Organizations can set BYOD guardrails by establishing policies and implementing network access control (NAC).
Endpoint Systems and Standards: BYOD
- Policies and NAC implementation can define requirements for how devices are managed, whether data stored on those devices is encrypted, how apps are authorized for installation on personal devices and what configuration requirements are placed on such devices before access is granted.
- While organizations cannot mandate control of personal devices, they can require that standards be met before authorization is granted for internal protected resources.
- In short, BYOD policies and controls ensure that personal devices do not pose a risk to the organization.
Windows and Application updates
- As security researchers find new vulnerabilities and new attacks, they are reported to hardware and software vendors and to publicly available vulnerability repositories.
- Both hardware and software vendors pay attention to vulnerabilities that affect their products and generally do a good job of providing updates to address discovered vulnerabilities.
- To take advantage of proactive vendor actions, it is important to identify and then apply any updates that your hardware and software vendors have released.
- The two most volatile technical environments are operating systems and application software.
- An aggressive security posture must include frequent operating system and application updates.
Device Drivers
- To provide maximum flexibility among vendors, operating systems interact with hardware devices through programs called device drivers.
- Since device drivers are software programs, new features and patches for discovered software vulnerabilities may require an updated version of the device driver.
- To ensure that all devices operate optimally and securely, be aware of any new device drivers released by the vendors of hardware your organization uses. Then acquire and apply the latest version of those device drivers.
- Many hardware devices also have native software that is burned or flashed into an onboard chip to control basic operation.
Firmware

Patching

Event Viewer

Audit, System and Application Logs
- A common example of an application log file is a web server log.
- In the web server access log file, each HTTP interaction is recorded.
- Several HTTP requests show the username and password in cleartext.
- This is something you should definitely investigate.
- The rest of the messages tell you the source IP address, the date and time of the request and what was in the header, along with the response code returned.
- Log files can help isolate what type of requests your web server receives and who is sending them.
- This information can be helpful when investigating suspicious traffic.
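The access-log review described above, as an added example that is not from the course slides: it parses lines in the Apache/nginx "combined" format, flags requests that carry a user name or password in the URL (the cleartext credentials the slide says to investigate) and counts requests by source address and response code. The log lines, addresses and accounts are constructed sample data.

```python
"""Added example (not from the course slides): parse combined-format web
server access log lines, flag credential-like parameters in the URL and
count requests per source. The log lines are constructed sample data."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:01:13 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:01:20 +0000] "GET /login?username=alice&password=Spring2024 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2024:10:02:02 +0000] "POST /api/auth HTTP/1.1" 401 87 "-" "curl/8.0"
198.51.100.4 - - [12/Mar/2024:10:02:03 +0000] "GET /admin.php?user=admin&pass=admin HTTP/1.1" 404 312 "-" "curl/8.0"
"""

# ip ident user [time] "method target protocol" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Parameter names that usually carry credentials when they appear in a URL.
CREDENTIAL_PARAMS = {"username", "user", "login", "password", "passwd", "pass", "pwd"}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def cleartext_credentials(log_text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (source ip, request target, credential parameter names) for every
    request whose query string carries credential-like parameters. Such values
    sit in the log in the clear and also travel in the URL, so they leak to
    anyone who can read the access log, a proxy log or the browser history."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        query = urlsplit(rec["target"]).query
        names = sorted(k for k in parse_qs(query) if k.lower() in CREDENTIAL_PARAMS)
        if names:
            hits.append((rec["ip"], rec["target"], names))
    return hits


def requests_by_source(log_text: str) -> Counter:
    """Count (source ip, status code) pairs: who is sending what, and how the
    server answered, which is the view used when chasing suspicious traffic."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[(rec["ip"], rec["status"])] += 1
    return counts


if __name__ == "__main__":
    for ip, target, names in cleartext_credentials(SAMPLE_ACCESS_LOG):
        print(f"INVESTIGATE: {ip} sent {', '.join(names)} in the URL: {target}")
    for (ip, status), n in sorted(requests_by_source(SAMPLE_ACCESS_LOG).items()):
        print(f"{ip} -> {status}: {n} request(s)")
```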
Syslog
- Syslog separates log message generation from log message storage and makes it difficult for attackers to scrub from log files the messages that record their activities.
- It is recommended to implement syslog for environments that depend on the integrity of log files to carry out detection and post-incident investigations.
Anomaly Identification
- For example, it is not difficult to determine that 10,000 failed login attempts within five seconds indicate malicious activity.

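The slide's rule of thumb as a check, as an added example that is not from the course slides: a sliding-window count of failed SSH logins per source address over syslog-style auth lines, alerting when a source reaches the threshold within the window. The log lines are generated here as constructed sample data (including the 10,000-in-a-few-seconds case); the hostname, addresses and thresholds are assumptions.

```python
"""Added example (not from the course slides): sliding-window detection of
failed-login bursts per source address in syslog-style sshd lines. The log
lines are constructed sample data."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, Iterable, List

# sshd's "Failed password" message as it appears in a traditional syslog line.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)


def parse_ts(ts: str, year: int = 2024) -> datetime:
    """Syslog timestamps carry no year, so one is assumed (2024 here)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def burst_sources(lines: Iterable[str], threshold: int, window_seconds: int) -> Dict[str, int]:
    """Return {ip: peak_count} for every source whose failed logins inside some
    window_seconds-long sliding window reached threshold. Lines are expected in
    time order per source, as they are in a log file."""
    windows: Dict[str, deque] = defaultdict(deque)
    peaks: Dict[str, int] = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins, other daemons, and so on
        ts, ip = parse_ts(m["ts"]), m["ip"]
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop attempts that fell out of the window
        if len(q) >= threshold and len(q) > peaks.get(ip, 0):
            peaks[ip] = len(q)
    return peaks


def constructed_log(n_burst: int = 10000, burst_span: int = 4) -> List[str]:
    """Constructed sample: n_burst failures from one source packed into
    burst_span seconds (the slide's 10,000-in-five-seconds case), a slow
    trickle of ten failures from another source over an hour, and one success."""
    lines = []
    for i in range(n_burst):
        sec = i * burst_span // n_burst  # 0 .. burst_span-1
        lines.append(f"Mar 12 10:00:{sec:02d} bastion sshd[5000]: Failed password for "
                     f"invalid user admin from 198.51.100.4 port {40000 + i} ssh2")
    for i in range(10):
        lines.append(f"Mar 12 10:{6 * i:02d}:30 bastion sshd[5001]: Failed password for "
                     f"alice from 203.0.113.9 port 51000 ssh2")
    lines.append("Mar 12 10:55:00 bastion sshd[5002]: Accepted publickey for alice "
                 "from 203.0.113.9 port 51001 ssh2")
    return lines


if __name__ == "__main__":
    for ip, peak in burst_sources(constructed_log(), threshold=10000, window_seconds=5).items():
        print(f"ALERT: {peak} failed logins from {ip} within 5 seconds")
```

The trickle source never trips the five-second rule, which is the point of windowing by time rather than counting totals per day.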
Scanning Systems and Logs
- Malicious software (malware) is one of attackers' favorite techniques to either initiate or continue ongoing attacks.
- A popular attack that is growing in severity is ransomware. A ransomware attack is one in which an attacker encrypts critical files and demands that a ransom be paid in exchange for the decryption key.
- The mechanism attackers use to launch ransomware attacks is malware.
- There is no single silver bullet when it comes to malware protection, but a comprehensive malware control layer can help reduce the risk of infection.
Scanning Systems and Logs
- Anti-malware software typically works in one of two ways.
- The most common approach is to scan files and network messages and compare their contents to a database of known malware signatures. Any time a match is detected, the software issues an alert to indicate that further investigation is necessary.
- Another approach to malware detection is using heuristics. Instead of comparing individual blocks of data against a database of known malware signatures, the behavior of processes and traffic-handling services is examined.
- The idea behind heuristics is that malware behaves in a manner that is detectable.
Malware Remediation
- Regardless of the preventative controls in place to protect from malware infection, the possibility always exists that some instance of malware will make it into your environment.
- When malware is detected and cannot be remediated automatically, it is important to follow well-thought-out malware remediation procedures.
- The first step is to contain the damage and infection by removing any detected infected systems from the network.
- Malware seeks to replicate and infect as many systems as possible, so disconnecting infected systems can reduce the degree to which malware can spread.
- Disconnecting systems may be as simple as unplugging the wired media and disabling a wireless connection. But don't forget other connection opportunities, such as Bluetooth, infrared or any other wireless media a device supports.
Malware Remediation
- Once an infected device is disconnected from the network, the next step is to explore options for removing the malware from the system.
- An internet search from another device may provide valuable input on remediation steps.
- However, malware removal may not be feasible in some cases and may require wiping and reinstalling all software components on a device or computer.
- It is always a good strategy to assume that malware or some other attack could incapacitate any device at any point in time.
- Planning with such pessimism tends to lead toward remediation strategies that work should an attack completely compromise any device on your network.
- Good planning always results in better and more timely outcomes.
