By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
Objective 1.5 Explain the threats and vulnerabilities associated with specialized technology Many IT specialists, and even new cybersecurity analysts, have worked with the basic technologies that we see in a corporate environment, including Windows and Linux hosts, possibly switches and routers, and maybe even firewalls or intrusion detection systems. These are all very standard systems in a corporate network infrastructure. However, there are also specialized technologies that many cybersecurity analysts don’t get exposed to during their entire professional career; when they finally do, very often they may not know how to interact with those technologies. In this module, we’re going to discuss several of these nonstandard technologies, including mobile devices, system-on-chip, embedded operating systems, real-time operating systems, building automation systems, and several others. Although we’re not going to go in depth on the particular technologies we discuss, we are going to discuss the threats and vulnerabilities inherent to these technologies. An in-depth discussion of the technical aspects of each of these technologies is beyond the scope of this book, and there are better books written to describe them. However, by the end of this module, you’ll be familiar with some of these technologies at a basic foundational level, and more importantly, their inherent threats and vulnerabilities, to be better prepared for the exam. Mobile Devices We are going to discuss the threats and vulnerabilities associated with the general class of mobile devices. Mobile devices, of course, include smartphones, laptops, tablets, PDAs, and a variety of other smart devices that may include even watches, cameras, and other specialized devices. All of these devices process data in some form or fashion that someone might like to obtain, whether it is personal data or business-related data. Most of these devices have some type of storage capacity where data is permanently stored and may be accessible simply by plugging the device into a computer. By their very nature, mobile devices are, well, mobile. This means that they are small and can be easily removed from corporate areas. While the advantages of mobile computing power and instant information access far outweigh any disadvantages, some considerations must be discussed. Mobile Device Threats and Vulnerabilities The first and most obvious threat to mobile devices is theft. Mobile devices are stolen every day. Most of them are likely stolen by people who just want to take advantage of an opportunity to grab a cool-looking device. Typically, those threats are easily mitigated by the fact that most mobile devices are also password or PIN protected. There are enterprising thieves, though, who may be able to take advantage of lax security on a device and access a user’s personal data, including photographs, e-mails, and other information. Many ordinary users don’t bother to secure their mobile devices as well as they should. The same is true for the loss of mobile devices. Even if a device is simply lost, it can be found by someone who might unscrupulously try to access data on the device. In addition to physical issues, there’s also a wide variety of other inherent threats and vulnerabilities. These include network vulnerabilities, software or app vulnerabilities, and device vulnerabilities. Network vulnerabilities can manifest by using insecure protocols, such as older versions of SSL, but can also take the form of mobile device–specific protocols, such as those used in cellular communications. Application vulnerabilities are similar to software vulnerabilities also found in traditional systems, such as workstations and servers, for example. Non-secure programming methods can result in issues associated with a lack of input validation, buffer overflows, and even web-based attacks. Like their larger system counterparts, mobile apps must be developed in a secure environment and tested for a variety of security issues. This also includes the operating systems that run mobile devices. Cross-Reference Software assurance best practices are discussed at length in Objective 2.2. Device vulnerabilities can present themselves as issues with how the device is constructed and what hardware is used. Just as it is in larger systems, hardware can be counterfeit or subverted if there is a compromised supply chain in the manufacturing and distribution process. It is incumbent on device vendors to track hardware components throughout the entire device lifecycle, from manufacture through testing, and finally assembly. Potentially compromised hardware could include wireless transmitting components, the CPU, RAM, and other sensitive pieces of hardware. Corporate Device Considerations Corporate devices, whether owned by the organization or shared with a user in a bring-your-own-device (BYOD) infrastructure, may offer a few more protections for the device and its data, but it is still subject to theft, loss, and the other vulnerabilities we discussed. In the case of a corporate device, the user may be targeted specifically, rather than randomly, to obtain sensitive business information about the organization. This would imply that the theft may be premeditated if the thief knows that the device is used in a corporate environment. Motivations might include industrial espionage, to gain a competitive advantage, to steal sensitive or proprietary information, or even blackmail. Mobile Device Protections In a corporate environment, mobile devices should be managed centrally. There are a plethora of mobile device management (MDM) enterprise applications that can easily inventory, update remotely, and secure mobile devices. To counter theft or loss, the device can also be remotely wiped to erase any corporate data. Some of the protections that a corporate environment can offer or impose on a mobile device include the following: - Geofencing (alerting or causing the device to not function if it leaves a specific physical area) - Remote wipe or erasure - Remote patching and updating - Network access control to prevent an unsecured device from joining the network - Remote messaging to someone who might find a lost device - Containerization of data to separate personal from business data on the device - GPS tracking, since most mobile devices these days are GPS enabled All of these protections, when used in combination, can be very effective encountering any threats and inherent vulnerabilities that introduce risk into the mobile device infrastructure. Exam tip: The number-one threat affecting mobile devices is theft. Internet of Things (IoT) The term Internet of Things (IoT) describes a wide variety of non-traditional devices connected to the Internet. These include devices that are not necessarily considered computers, servers, traditional network devices, and so on. You’ll see these devices in homes, such as refrigerators and smart televisions, and these days they may be connected to the home network or even the Internet. You might even see home temperature controls that can be connected to the Internet so that a homeowner can monitor them and change them remotely, usually over a smartphone app. IoT devices aren’t just used in the home for consumer convenience, however. They are also used in industry, and some examples include power and utility company monitoring devices, which may be little more than reduced footprint computers connected to the Internet. In any case, IoT devices have caused an explosion in the number of devices connected to the Internet to make life more efficient for all of us. However, there’s also a massive explosion in system and device vulnerability, since many devices that were previously considered secure because they were isolated and protected are now connected to a network where they may be accessed remotely. In this module, we’re going to discuss the vulnerabilities and threats, as well as some mitigations for some of these devices. We’re going to talk about embedded devices, physical access control devices, building automation systems, vehicles, and industrial control systems. These are but a sampling of the wide variety of devices available that are not considered traditional computing devices but are still connected to the Internet, accessible from a network, and vulnerable to attack.
All IoT devices and technologies we will discuss during this module suffer from some of the same threats and vulnerabilities, including the following: - Insecure network connectivity using older protocols - Weak or no encryption mechanisms - Low computing or process power - Limited facility for patching or configuration changes - Weak or no authentication - Limited signal range - Proprietary parts and systems that are not always interoperable with others - Physical access control vulnerabilities - Difficulty in performing vulnerability scans on the system Embedded Devices An embedded system is unique in that it may appear like a traditional computer, such as a workstation, but it runs a specialized operating system that is usually embedded on a device’s firmware, such as a computer chip. Embedded systems are difficult to update, which means they can become vulnerable if weaknesses are found in their underlying operating system configuration, since they can’t be easily patched. Embedded systems are used in a wide variety of technical applications, such as flight control computers, industrial control systems, utilities, medical devices, and so on. We will discuss the threats and vulnerabilities involved with some of these embedded systems, including real-time operating systems, system-on-chip, and field programmable gate arrays. Real-Time Operating System (RTOS) A real-time operating system is a specialized operating system, sometimes developed from an existing operating system such as Windows or Linux, that is run on electronic devices, usually system control type devices. An RTOS is installed on an electronic chip, rather than on a hard drive, and is static. That is to say, it is not easily updatable, patchable, or configurable once it is embedded into the electronic chip. The advantage of using an RTOS is that it’s extremely fast and requires very little processor or memory overhead. The disadvantage is that it’s hard to update in the event vulnerabilities are discovered in it. Many RTOSs are either Linux- or Windows-based, or something altogether different. There are even embedded RTOSs based on old Windows XP, which obviously presents issues in that any version of Windows XP is no longer supported by Microsoft, and as such there are no new security patches or updates provided for it. Another example of a popular RTOS is VxWorks. VxWorks is used in devices such as medical equipment, industrial controllers, and so on. Organizations must take extreme mitigations when one of these RTOSs is used and discovered as vulnerable. If the RTOS cannot be replaced, updated, or reconfigured, as is very often the case with medical devices, there are a few other mitigations the organization may take. These include segmentation and isolation from other network hosts, the use of encryption and strong authentication across network connections that may connect to the device, and even increased physical protection to prevent the device from being compromised. Exam tip: The biggest vulnerability with a real-time operating system is the fact that it is not easily patched or reconfigured when a vulnerability is discovered, due to its static nature. System-on-Chip (SoC) A system-on-chip is an embedded system in which software and hardware are integrated into a single computer chip. This computer chip is self-contained and consists of a processor, system RAM, and other critical components miniaturized on a single integrated circuit. The advantage of having a system-on-chip implemented into a piece of hardware is that it’s extremely fast, self-contained, and self-reliant. Also, it uses much less power and is more efficient. However, one of the downsides of using this configuration is that it is a single point of failure in hardware. If a system-on-chip becomes unstable or otherwise breaks, the entire electronic assembly or piece of hardware will fail. System or hardware redundancy would be a mitigating factor for this particular vulnerability. System-on-chip also suffers from the same vulnerability that an RTOS and other embedded systems endure, in the sense that they are embedded, and their configuration is static in nature, so it is sometimes difficult to update and patch them. Field Programmable Gate Array (FPGA) A field programmable gate array (FPGA) is an improved version of a system-on-chip configuration. FPGAs are used in a wide variety of electronic devices, including medical devices, automotive electronics, industrial control systems, and even consumer electronics. The advantage of using an FPGA is that it is more flexible and allows programmers, and even users, to install firmware updates to reconfigure the hardware so that new software functionality, as well as security mitigations, can be implemented on it. If you’ve ever used an entertainment device that connects to wireless networking, such as a smart Blu-ray player or Smart TV, then you’ve seen an FPGA in action when it prompts you to go online and perform system updates to its firmware. Vulnerabilities with FPGAs include those traditionally found on embedded systems, but since they are more accessible for change and reprogramming, they are also vulnerable to attackers who may be able to access the hardware description language and update processes to introduce malicious configuration or even malware into the system. Mitigations would include tight control over the reprogramming and update process and other system-level security mitigations such as manufacturer-enforced integrity checks on firmware updates, strong access controls and authentication, enhanced security protocols, and, of course, physical security. Exam tip: Remember that field programmable gate arrays are somewhat more flexible than system-on-chip configurations. FPGAs can be found in a wide variety of modern IoT devices because their firmware, software, patches, and configurations are more easily updatable. Physical Access Controls Physical access controls are greatly facilitated by automated control systems. Examples of physical controls that are enhanced by using embedded or automated specialized devices include the following: - Badge readers - Secure electronic door systems - Closed-circuit television systems - Physical intrusion detection systems - Alarm systems - Biometric authentication systems
Very often, embedded or automated devices are seen as sensors, so they can read an RFID badge or scan a fingerprint or accept whatever identification mechanism a person is required to use to gain physical entry to a facility or controlled area. These physical controls are typically connected to an overarching identification and authentication database and an integrated security system. This database uses stored user data to authenticate based on the identification method presented. It can also record and audit where the user has been at various points in the facility, at various times.
Physical access control vulnerabilities include some that are complex and require a concentrated technical effort to exploit, as well as those that take advantage of human vulnerability. These include, from least to most sophisticated, the following: - Tailgating - Social engineering - Badge duplication or cloning - Signal replay
Physical access control vulnerabilities and threats can be mitigated by layered defenses, including the human variety. Human beings are an integral part of physical access controls. Alarms and camera systems must be monitored; guards should be employed in sensitive areas along with automated controls. Employees and other personnel must be vigilant to potential physical threats. The electronic automated systems that connect to physical sensors must also be secured using traditional methods, including secure authentication, encryption, strict access controls, and so on. Exam tip: Traditional physical access controls, such as doors, gates, and so on, benefit from automated control systems that can centralize physical access control. Building Automation Systems As an extension of the discussion on physical access controls, many automated electronic specialized devices are used in automation systems used in buildings and other facilities. In addition to controlling physical access, building automation systems, as these are commonly referred to, can help control other aspects of physical security, including the environment and safety. Environmental controls, often automated through sensors and computerized systems, come in the form of automated temperature and humidity controls, moisture controls, and so on. These controls are usually observed by humans but typically controlled through sensors that detect variations from established baselines. Again, these are usually in areas such as temperature or humidity. If the temperature exceeds a certain predetermined level, the sensor will alert the automation system, which will take steps to turn on the HVAC system and attempt to cool the area and lower the temperature. The same would occur if the temperature is too low, or if the humidity is too low or too high. Sensors can also detect a variety of other undesirable conditions, such as floods, for example, if water levels get to be too high in sensitive areas. Again, humans must also monitor the systems to ensure they are functioning properly. Safety is another critical function automated controls can assist with. Sensors located throughout a facility can be used to detect smoke as well as variations in light and heat that can indicate a fire. The sensors can then trigger automatic controls to turn on fire suppression systems, set off fire alarms, and automatically unlock doors along a fire escape route. Sensors can also detect oxygen and gas variations, which might indicate unsafe conditions, such as a gas leak. All of these different types of sensors and automated systems are part of an overarching building automation system and can be integrated with computerized systems that also provide for physical access, intrusion detection, logging, and other functions. Exam tip: Building automation systems include not only those allowing physical access control but also environmental and safety control. Examples of environmental and safety controls that are enhanced with automation include fire detection and suppression, gas leaks, and flood control. Vehicles and Drones Automated systems are also used in various modes of transportation. The flight and ground systems of all types of aircraft depend on automated systems for a wide variety of tasks and processes. This includes flight control, location, navigation, radar, and communications. Even ground vehicles, such as modern cars and trucks, use automated systems for everything from temperature sensing to diagnosing engine issues. Drones are also a modern marvel used by everyone from hobbyists to research scientists, soldiers, and surveyors, for all manner of useful tests. In the next couple sections, we discuss the use of automated systems in vehicles and drones. Vehicles and the Controller Area Network (CAN) Bus More and more modern vehicles are manufactured with automated systems integrated into them. These automated systems can perform a wide variety of functions, including managing and monitoring environmental controls, safety controls, and system performance. If you’ve ever seen your automobile console display engine statistics, such as RPMs, temperature, and so on, then you have witnessed vehicle automation systems in use. Another more sophisticated use of this technology is through the standard vehicle OBD (onboard diagnostics) port, which can provide data to a specialized device that can read engine failure codes and determine other automobile performance issues. The standard, known as OBD-II, is essentially an onboard embedded computer that monitors various automobile factors such as emissions, speed, mileage, temperature, and so on. This embedded system notifies you through your check engine and other console monitor lights if there is an issue. Since this is a vehicle standard used throughout the industry, this embedded computer uses a standardized 16-pin port, usually located under the driver’s dashboard, where a reader can be plugged in to download diagnostics codes. Increasingly, these automated systems have been integrated with communication technologies, such as cellular and wireless networking. This is useful so that a repair shop or car dealership can communicate with your vehicle at various points (while it’s on the road or in the parking lot, for example) and figure out potential trouble issues with it before it even rolls into the repair bay. Vehicle health and performance data, as well as location, is often reported automatically through these systems to the dealership or even the user via a smartphone app. This is all made possible by automated systems. One of the core underlying technologies of vehicle automation is called the controller area network (CAN) bus. This is a commonly used vehicle standard that defines how independent vehicle control system components are connected and communicate with each other. These components communicate independently with each other in each vehicle and do not require a centralized controller located at a dealership for this to take place. Threats and vulnerabilities associated with this system include a lack of communications signal encryption between individual internal vehicle components as well as the entities who might receive this data over wireless communications networks. There’s also no standard mechanism built in for authentication in the event an over-the-air update to the vehicle’s control system firmware is initiated. This makes it possible for someone with the right technology and knowledge of the vehicle’s systems to transmit potentially malicious updates to the vehicle. This is not only theoretical; it has been physically shown to be possible through proof-of-concept demonstrations by various security researchers. This directly affects the performance and safety of the vehicle, since a flawed update or intentional communication to the vehicle could cause it to turn off a safety feature and possibly crash, at worst, or at least seriously inconvenience the driver. Consider what would happen if a malicious actor turned off the airbag system or even caused your fuel gauge to read as full on a very long trip between gas stations. Neither of these scenarios would be desirable, and could even possibly be dangerous. Exam tip: The CAN bus is a standardized architecture protocol used in vehicles to facilitate communications between internal components. Drones and Other Unmanned Aerial Vehicles (UAVs) It has been said that a drone is nothing more than a flying robot; at first, when these new types of vehicles were invented, they were primarily used by the military. These are the large-scale vehicles that more resemble aircraft than simple flying toys. They have been used in armed conflicts to deliver munitions, launch missiles, perform surveillance activities, interdict supply lines, and provide secure communications on the battlefield. These larger-scale vehicles are typically called unmanned aerial vehicles, or UAVs. While most UAVs use highly complex automated electronic systems, they can also be controlled using state-of-the-art, hardened tactical ground stations that are mounted in vans, trucks, or Humvees. They are controlled using a wide variety of secure communications, including radio, line-of-sight microwave, and so on. The little brothers of UAVs are typically called drones. Drones evolved initially as small flying toys but then gained the interest of hobbyists and working professionals. The simplest of drones can fly a few hundred feet and take high-quality photographs or high-definition movies for families on vacation. However, the more upscale models contain higher-quality cameras that are used by professional photographers, land surveyors, and even law enforcement. Law enforcement and the intelligence community use drones for crime investigation and antiterrorism activities, such as communications jamming, eavesdropping, and high-resolution, long-distance photography. UAVs and drones both suffer from some common threats and vulnerabilities, although not always of the same caliber. The larger military-grade drones can suffer from communications jamming as well as from directed missiles or other heavy munitions being fired at them. There have also been rumored instances of drones suffering from communications takeover by hostile forces, which can then direct them to land in enemy territory for further examination or send them off course and force them to crash. And even systems in these sophisticated pieces of machinery can suffer from software flaws that can be exploited by a malicious actor if the conditions are right and they have access to the systems either through faulty supply chain management or physical access. Commercial and recreational drones, on the other hand, can also suffer from some of the same vulnerabilities, albeit on a smaller scale. These can be unintentionally jammed by a stronger signal, can be knocked out of the sky by small arms fire, and can also suffer from firmware or software flaws (via the apps that sometimes control them) that can be exploited. In addition to the vulnerabilities and threats drones can experience, drones also can present their own threats. For example, it’s not uncommon for hobbyists and other individuals to violate the airspace of commercial aircraft, either accidentally or intentionally, or to fly within areas that are restricted for safety or security reasons. Drones also can infringe on the privacy of individuals, particularly if they have powerful enough eavesdropping equipment, such as microphones or cameras that can invade privacy. Mitigations to counter typical threats that drones can suffer from include being aware of the power and range restrictions for the model drone you have, making sure its software is kept up to date through vendor firmware updates, ensuring the apps you use to control the drone are updated, and having general situational awareness. Industrial Control Systems Industrial control systems (ICSs), also sometimes called cyber-physical systems, are systems used to integrate specialized software with physical devices. Also sometimes referred to as “operational technology,” these systems use specialized software that can be written in a multitude of programming languages and run various operating systems, from the centralized computer on the network. However, this technology communicates with specific automated devices that control systems and processes. Think of factory automation systems, for example. We’ll discuss a few examples of these types of systems, such as workflow and process automation systems, as well as the systems that might control utilities such as power grids, for example. Workflow and Process Automation Systems Yet another example of the use of automated systems is in professional and industrial settings. These can be simple activities where automated systems are used as timers, simple sensors, and single-function devices, all the way through complex systems that are used to run factories and assembly lines. These automation systems can be used to control the timing on the assembly line, ensure the exact amount of a chemical is poured or used in a process, or ensure that two critical pieces of an assembly are put together and sealed correctly. There are far more actual and possible uses for automation systems in factories and other workflow processes than we can mention here, but suffice it to say that a huge majority of any modern manufacturing or assembly process is controlled by automated systems. These systems, again, also suffer from the same threats and vulnerabilities the other automated technologies suffer from. Supervisory Control and Data Acquisition (SCADA) Supervisory control and data acquisition (SCADA) systems control a wide variety of geographically separated systems, including utilities such as power grids, water treatment plants, and even nuclear power plants. What distinguishes SCADA implementations from other types of ICS or consumer-grade automation systems are their sheer scale and geographical scope. Most SCADA systems are geographically dispersed and may have no permanent human presence, or are minimally crewed or only periodically maintained by people, and rely on wide-area communications systems for monitoring between sites. SCADA systems use highly specialized software, as well as specialized hardware control systems. Most SCADA systems have built-in redundancies and for the most part are fairly resilient, except where it concerns the cybersecurity aspect. This is where many of these systems are vulnerable. The same vulnerabilities inherent in other automated types of systems are also the ones found in SCADA systems. Network weaknesses include non-secure communications systems and protocols, lack of encryption, and poor authentication between devices and systems. Some of the highly specialized software used in the systems is dated and not often patched or updated. This software is also proprietary and uses proprietary protocols, such as MODBUS (discussed next), which doesn’t easily lend itself to traditional security controls. Many of these systems have never had a vulnerability scan on them, or it is difficult to conduct scans on them because of their proprietary nature, geographical dispersion, and isolation. Physical vulnerabilities are also more prominent with SCADA systems, as they often exist in uncrewed facilities that may or may not have adequate physical security controls in place. MODBUS MODBUS is a communications protocol developed in 1979 by Schneider Electric (then called Modicon) for use in industrial electronic automation systems. For those of you familiar with the popular Open Systems Interconnect (OSI) networking model, this protocol takes place at layers 1 and 2 of the OSI model, as it is a physical and signaling protocol. It is primarily used in programmable logic controllers (PLCs) and is often considered the de facto communications protocol for industrial control systems. MODBUS is both open-source and royalty-free, making its use more widespread in the industrial automation industry. Management and ownership of the protocol was transferred from Schneider Electric to the Modbus Organization in 2004, which is a consortium of industry partners and manufacturers that build MODBUS-compliant devices. Exam tip: MODBUS is an older industry-standard communications protocol used in a large majority of industrial control systems and SCADA networks. REVIEW Objective 1.5: Explain the threats and vulnerabilities associated with specialized technology In this module, we discussed specialized devices and technologies—specifically non-traditional devices such as mobile devices, embedded devices, physical access controls, building automation systems, vehicles and drones, and industrial control systems. Mobile devices have unique threats and vulnerabilities, but the largest one is probably physical theft or loss. They also suffer from threats that affect network communications and applications, and they have inherent vulnerabilities resulting from poor device design and development. Mobile device protections include geo-fencing, corporate MDM implementations, remote wipe, and location tracking. The Internet of Things is a term describing non-traditional devices with embedded operating systems that serve to control devices traditionally not connected or physically isolated. This could include consumer devices such as refrigerators and televisions, but also includes electronic systems that help to control aircraft, factories, utility grids, and so on. Embedded devices are usually found with real-time operating systems, which are implemented for speed, efficiency, and limited functionality. They also include integrated software and hardware in system-on-chip implementations, as well as the more flexible FPGA systems. Physical access controls not only include automation systems that control physical entry into restricted areas, but also environmental systems. Examples of physical access controls include badge readers, electronic doors, and temperature and humidity monitoring systems. Building automation systems also include environmental and safety systems as well, including fire detection systems, fire suppression systems, and flood monitoring. Many of these systems use older or proprietary software applications, hardware, and communications protocols. Vehicles are increasingly being manufactured with automated systems that help control their environmental and safety functions, as well as the engine and chassis systems’ performance and function. You learned that the CAN bus is the primary technology used in vehicle automation systems. Drones include the military variety as well as the hobbyist and commercial versions. Both vehicles and drones are subject to the same vulnerabilities that other specialized devices are, including network protocol issues, application vulnerabilities, communications jamming, and the inability to easily update patches and configurations. Industrial control systems include those that are implemented to manage workflow and automate different assembly processes, as well as SCADA systems. SCADA systems are characterized by larger systems, such as power utility grids, which may be geographically separated and not closely monitored by human beings. They rely heavily on proprietary software, specialized hardware, and special communications protocols. They are also vulnerable to the same vulnerabilities as other automation systems. The primary technology used in SCADA systems is MODBUS, which consists of lower-level communications protocols.
Join 4M+ learners. Unlock unlimited quizzes, wrong-answer tracking, flashcards + reminders, study guides, and 1-on-1 challenges.