CompTIA CASP+ CAS-004 Certification: Basics of Securing Hosts and Devices

Securing an enterprise does not stop at network traffic monitoring, since Cyberattacks are initiated to exploit servers and user systems (hosts). This guide presents the various controls for protecting and securing servers and user systems.

This includes the use of trusted OS, bootloader security, OS hardening, and endpoint security vulnerabilities.
- Trusted OS
- Bootloader security
- OS hardening process
- Endpoint security
- Hardware & software vulnerabilities
- Application delivery
- Terminal services

Trusted OS
A trusted operating system is one that supports multilayer security and can demonstrate that it meets a certain set of government standards. Where Secure Boot leaves off, Trusted Boot takes over. Before installing the Windows 10 kernel, the bootloader checks its digital signature. The Windows 10 kernel, in turn, checks the boot drivers, startup files, and ELAM components of the Windows start-up process. The bootloader recognizes the error and refuses to load the faulty component if a file has been edited. Often, Windows can repair the faulty component automatically, restoring Windows’ integrity and allowing the PC to start properly.

The Trusted Computer System Evaluation Criteria (TCSEC) was the first to propose the objective of classifying operating systems as trusted. The TCSEC was created by the National Computer Security Center (NCSC) to help the US Department of Defense (DoD) evaluate products. TCSEC published the Rainbow Series of publications, which focus on computer systems and the networks in which they function. TCSEC’s Orange Book is a set of criteria based on the Bell-LaPadula model for grading or rating the level of security provided by a computer system product. Covert channel analysis, trusted facility management, and trusted recovery are among the subjects covered in The Orange Book.

TCSEC was superseded by the worldwide Common Criteria (CC) standard, which was developed through a collaborative effort. The CC rates systems using Evaluation Assurance Levels (EALs), with different EALs signifying varying levels of system security testing and design. The resultant score reflects the system’s ability to offer security. It is assumed that the customer would configure all security solutions effectively. To allow the consumer to completely attain the rating, the vendors must supply adequate paperwork.

The International Organization for Standardization’s version of CC is ISO/IEC 15408-1:2009.

CC offers seven assurance levels, ranging from EAL1 (lowest) to EAL7 (highest), which includes functionality testing as well as detailed testing and verification of the system design, as follows:
- EAL1: Functionally tested
- EAL2: Structurally tested
- EAL3: Methodically tested and checked
- EAL4: Methodically designed, tested, and reviewed
- EAL5: Semi-formally designed and tested
- EAL6: Semi-formally verified, designed, and tested
- EAL7: Formally verified, designed, and tested

Some examples of trusted operating systems and the EAL levels they provide are as follows:
- Mac OS X 10.6 (rated EAL 3+)
- HP-UX 11i v3 (rated EAL 4+)
- Some Linux distributions (rated up to EAL 4+)
- Microsoft Windows 7 (rated EAL 4+)

In any case where security is critical, such as in government agencies, while working as a contractor for the Department of Defense, or when putting up a web server that will be linked to sensitive networks or hold sensitive data, trusted operating systems should be utilized. However, because these operating systems are often more difficult to understand and operate, there may be a learning curve while utilizing them. Three trustworthy operating systems are discussed in the following sections – SELinux, SEAndroid, and TrustedSolaris.

SELinux
Security-Enhanced Linux (SELinux) is a security module for the Linux kernel that isolates the enforcement of security choices from the security policy itself, reducing the amount of software required to implement security policies (Figure 7.1). SELinux additionally implements obligatory access control restrictions that limit access to files and network resources, also restricting user programs and system servers. It doesn’t have a concept of a “root” superuser and doesn’t have the well-known flaws in the typical Linux security methods. In high-security scenarios, where the sandboxing of the root account is beneficial, the SELinux system should be chosen over the regular versions of Linux.

The figure below illustrates the SELinux decision process:



Figure: Security-enhanced Linux decision process

SEAndroid
SEAndroid is a version of SELinux for Android smartphones. Building on the permissive release of SEAndroid 4.3 and the partial enforcement of Android 4.4, the SEAndroid 5.0 release progressed to full SELinux enforcement. SEAndroid software operates with just the rights required to function successfully (helping to limit the harm that malware can cause), yet it can occasionally prohibit programs or functionalities that workers require. You’ll need a shell and root access to the Android devices to manage the default SEAndroid behavior. SSHDroid is a Secure Shell (SSH) program that lets you access Android devices from a computer. The Android Debug Bridge (adb) command, which is part of the Android software development kit (SDK), may be used to get root access, or you can root the device to gain complete access. Because device vendors don’t enable rooting, this method isn’t for everyone.

TrustedSolaris
TrustedSolaris is a set of security extensions incorporated in the Solaris 10 trusted OS. Solaris 10 5/09 is a common criterion certified at EAL4. Enhancements include the following:
- Accounting
- Role-based access control
- Auditing
- Device allocation
- Mandatory access control labeling

The TrustedSolaris environment allows the security administrator role to extend the list of trusted directories, as shown below:


Figure: Trusted Solaris Environment

The method is different in the TrustedSolaris 8 environment than in the previous releases.

Least functionality
The principle of least functionality calls for an organization to configure information systems to provide only essential capabilities, and specifically prohibits and/or restricts the use of other functions.

Endpoint security software
An endpoint is any device that connects to the corporate network from outside its firewall. Examples of endpoint devices include laptops, the Internet of things (IoT), Point-of-sale (POS) systems, tablets, mobiles, switches, digital printers, and any devices that communicate with the central network. Endpoint security is accomplished by ensuring that every computing device on a network meets security standards. Endpoint Security or Endpoint

Protection is the process of protection from malicious threats in the different endpoints on a network through end-user devices, such as desktops, laptops, mobile devices, as well as network servers, in a data center considered endpoints, as illustrated below:


Figure: End Point Security Functionalities

Every device remotely connecting to the client devices is the possible entry point for security threats. Endpoint security is designed to defend each endpoint on the network created by these devices. Endpoint security tools help monitor, detect, and block malicious attacks. Endpoint security solutions streamline security measures with multi-layer protection at the point of entry for many attacks as well as the point of existence for sensitive data.
An endpoint security strategy is essential because every remote endpoint can be the entry point for an attack, and the number of endpoints is only increasing with the rapid pandemic-related shift to remote work. According to a Gallup Poll, a majority of US workers worked remotely in 2020, with 51% still working remotely as of April 2021.
The risks posed by endpoints and their sensitive data are a challenge that’s not going away. The endpoint landscape is constantly changing, and businesses of all sizes are attractive targets for cyberattacks. This is common knowledge, even among small businesses. According to a study conducted by Connectwise in 2020, 77% of 700 SMB decision-makers surveyed worry they will be the target of an attack in the next six months. Last year, according to the FBI’s Internet Crime Report, they received an increase of 300,000 complaints in 2019, with reported losses of over $4.2 billion. The Verizon 2021 Data Breach Investigations Report found “Servers are still dominating the asset landscape due to the prevalence of web apps and mail services involved in incidents. And as social attacks continue to compromise people (they have now pulled past user devices), we begin to see the domination of phishing emails and websites delivering malware used for fraud or espionage.”
Each data breach costs on average $3.86 million globally with the United States averaging at $8.65 million per data breach according to Ponemon’s “Cost of a Data Breach Report 2020” (Commissioned by IMB). The study identified the biggest financial impact of a breach, “lost business”, was making up almost 40% of the data breach average cost. Protecting against endpoint attacks is challenging because endpoints exist where humans and machines intersect. Businesses struggle to protect their systems without interfering with the legitimate activities of their employees. And while technological solutions can be highly effective, the chances of an employee succumbing to a social engineering attack can be mitigated but never entirely prevented.

Endpoint protection working
The terms endpoint protection, endpoint protection platforms (EPP), and endpoint security are all used interchangeably used to describe the centrally managed security solutions that organizations leverage to protect endpoints like servers, workstations, mobile devices, and workloads from cybersecurity threats. Endpoint protection solutions work by examining files, processes, and system activity for suspicious or malicious indicators. Endpoint protection solutions offer a centralized management console (Figure 7.4) from which administrators can connect to their enterprise network to monitor, protect, investigate and respond to incidents. This is accomplished by leveraging either an on-premise, hybrid, or cloud approach.
The “Traditional or legacy” approach is often used to describe an on-premise security posture that is reliant on a locally hosted data center from which security is delivered. The data center acts as the hub for the management console to reach out to the endpoints through an agent to provide security. The hub and spoke model can create security silos since administrators can typically only manage endpoints within their perimeter.
With the pandemic-driven work from home shift, many organizations have pivoted to laptops and bring your own device (BYOD) instead of desktop devices. This along with the globalization of workforces highlights the limitations of the on-premise approach. Some endpoint protection solution vendors have in recent years shifted to a hybrid approach, taking a legacy architecture design, and retrofitting it for the cloud to gain some cloud capabilities.

The figure below illustrates the endpoint security dashboard:


Figure: Endpoint security dashboard

The third approach is a built-in “Cloud-native” solution for the cloud. Administrators can remotely monitor and manage endpoints through a centralized management console that lives in the cloud and connects to devices remotely through an agent on the endpoint. The agent can work with others or independently provide security for the endpoint, in case it does not have Internet connectivity. These solutions leverage cloud controls and policies to maximize security performance beyond the traditional perimeter, removing silos and expanding administrator reach.

Endpoint protection versus antivirus software
Endpoint security software protects endpoints from being breached – no matter if they are physical or virtual, on- or off-premises, in data centers, or in the cloud. It is installed on laptops, desktops, servers, virtual machines, as well as remote endpoints themselves.
Antivirus is often part of an endpoint security solution and is generally regarded as one of the more basic forms of endpoint protection. Instead of using advanced techniques and practices, such as threat hunting and endpoint detection and response (EDR), antivirus simply finds and removes known viruses and other types of malware. Traditional antivirus runs in the background, periodically scanning a device’s content for patterns that match a database of virus signatures. Antivirus is installed on individual devices inside and outside the firewall.

Endpoint security tools that provide continuous breach prevention must integrate the following fundamental elements:

- Prevention: NGAV: Traditional antivirus solutions detect less than half of all attacks. They function by comparing malicious signatures, or bits of code, to a database that is updated by contributors whenever a new malware signature is identified. The problem is that malware that has not yet been identified, or unknown malware, is not in the database. There is a gap between the time it takes for a piece of malware to be released into the world and the time it takes to become identifiable by traditional antivirus solutions. Next-generation antivirus (NGAV) closes that gap by using more advanced endpoint protection technologies, such as AI and machine learning, to identify new malware by examining more elements, such as file hashes, URLs, and IP addresses.
- Detection: EDR: Prevention is not enough. No defenses are perfect, and some attacks will always make it through defenses and successfully penetrate the network. Conventional security can’t see when this happens, leaving attackers free to dwell in the environment for days, weeks, or months. Businesses need to stop these “silent failures” by finding and removing attackers quickly. To prevent silent failures, an Endpoint Detection and Response (EDR) solution needs to provide continuous and comprehensive visibility into what is happening on endpoints in real-time. Businesses should look for solutions that offer advanced threat detection and investigation and response capabilities, including incident data search and investigation, alert triage, suspicious activity validation, threat hunting, and malicious activity detection and containment.
- Managed threat hunting: Not all attacks can be detected by automation alone. The expertise of security professionals is essential to detect today’s sophisticated attacks. Managed threat hunting is conducted by elite teams that learn from incidents that have already occurred, aggregate crowdsourced data, and provide guidance on how best to respond when malicious activity is detected.
- Threat intelligence integration: To stay ahead of attackers, businesses need to understand threats as they evolve. Sophisticated adversaries and advanced persistent threats (APTs) can move quickly and stealthily, and security teams need up-to-date and accurate intelligence to ensure defenses are automatically and precisely tuned.

A threat intelligence integration solution should incorporate automation to investigate all incidents and gain knowledge in minutes, not hours. It should generate custom indicators of compromise (IoCs) directly from the endpoints to enable a proactive defense against future attacks. There should be a human element as well, comprised of expert security researchers, threat analysts, cultural experts, and linguists, who can make sense of emerging threats in a variety of contexts.

Endpoint detection response
Endpoint detection and response (EDR) is a proactive endpoint security approach designed to supplement existing defenses. This advanced endpoint approach shifts security from a reactive threat approach to one that can detect and prevent threats before they reach the organization. It focuses on three essential elements for effective threat prevention: automation, adaptability, and continuous monitoring.

Some examples of EDR products are as follows:
- FireEye Endpoint Security
- Carbon Black Cb Response
- Guidance EnCase Endpoint Security
- Cybereason Enterprise Protection
- Symantec Endpoint Protection
- RSA NetWitness Endpoint

The advantage of EDR systems is that they provide continuous monitoring. The disadvantage is that the software’s use of resources could impact the performance of the device.

Patch management
Software patches are updates released by vendors that either fix functional issues with or close security loopholes in operating systems, applications, and versions of firmware that run on network devices. To ensure that all devices have the latest patches installed, a formal system should be deployed to ensure that all systems receive the latest updates after thorough testing in a non-production environment. It is impossible for the vendor to anticipate every possible impact that a change may have on business-critical systems in the network. It is the responsibility of the enterprise to ensure that patches do not adversely impact operations.

The figure below illustrates patch management:


Figure: Patch Management

Vendors generally make several types of patches available, which are as follows:
- Hot fixes: A hot fix is an update that solves a security issue and should be applied immediately if the issue it resolves is relevant to the system.
- Updates: An update solves a functionality issue rather than a security issue.
- Service packs: A service pack includes all updates and hot fixes since the release of the operating system.

Manual patch management
While manual patch management requires more administrative effort than an automated system (discussed in the following section), it can be done, using the following steps:
Step 1: Determine the priority of the patches.
Step 2: Test the patches prior to deployment to ensure that they work properly and do not cause system or security issues.
Step 3: Install the patches in the live environment.
Step 4: After patches are deployed, ensure that they work properly.

Automated patch management
Most organizations manage patches through a centralized update solution such as Windows Server Update Services (WSUS). With such services, organizations can deploy updates in a controlled yet automatic fashion. WSUS server downloads the updates, which are applied locally from the WSUS server. Group policy is also used in this scenario to configure the location of the server holding the updates. Scripts can also be used to automate the patch process. This may offer more flexibility and control of the process than using automated tools. A deeper knowledge of scripting might be required, however. In some cases, geographically dispersed servers may be used to provide the patches referenced in the scripts. In that case, proper replication must be set up to ensure that all patches are available on all patch servers. Windows PowerShell commands are increasingly being used to automate Windows functions. In the Linux environment, Linux shell scripting is used for this.

The figure below illustrates the automated patch management process:



Figure: Automated Patch Management Process

Data loss prevention
Data leakage occurs when sensitive data is disclosed to unauthorized personnel either intentionally or inadvertently. Data loss prevention (DLP) is a collection of technologies and tools that monitor and protect business data from unauthorized access. When DLP technology is implemented, it protects data in three places – in use by authorized personnel, in motion (being transferred via the intranet), or at rest (on a file server or in a database). For example, data loss prevention software can stop users from copying data to move it outside a company’s network. At the center of all data loss prevention software is content inspection, which is the software looking at pieces of data as they move on a network, evaluating the type of file that contains them, and determining whether the data is where it should be and whether it is being used for its intended purposes. Accidental exposure or nefarious activity can put sensitive data in jeopardy, which is why DLP security is important to organizations that need to protect their data assets.

The figure below illustrates the benefits of implementing DLP in an organization:



Figure: DLP Benefits

How does DLP work?
DLP software is based on content inspection, which uses a series of methods to catch policy violations, as follows:

#1. First, content inspection is based on rule-based expressions that are detected by data loss prevention software and lead to subsequent actions. A typical example is that of 16-digit credit card numbers. Organizations can create rules that state if you try to email a credit card number (that starts with a 4, 5, or 6), especially with the 3-digit security code and expiration date, the DLP software will block the email from sending or automating encryption.
#2. Next, there is exact file matching. This identifies files in use, in motion, or at rest whose content matches exactly that of an indexed file. This is also called data fingerprinting.
#3. Third is the content analysis within DLP solutions that uses conceptual/lexicon analysis. This level of analysis uses a compilation of dictionaries or other lists and rules to identify unwanted behavior, such as specific internet searches, or sharing trade secrets with those outside the network.
#4. Finally, content analysis can incorporate sophisticated statistical analysis techniques. Statistical methods use machine learning to protect specific pieces of information. When the machine learns what the data should look like, it constantly looks for anomalous data that doesn’t match the given pattern.

When looking at how to prevent data loss, technology is often the last line of defense. Its role is to apply the organization’s data security policies consistently over all egress points, identify possible violations, and take the appropriate remedial actions. Traditional DLP solutions are inflexible in the way they operate, making them difficult to configure and implement. Typically, the solutions “stop and block” any action deemed to have risk implications, often incorrectly mistaking legitimate daily actions as an exfiltration or data loss threat. This generates large numbers of “false positives” that can easily overwhelm the IT security staff who need to action the alerts and frustrate users who can’t work productively.

Log monitoring
Computers, their operating systems, and the firewalls that may be present on them generate system information that is stored in log files. You should monitor network events, system events, application events, and user events. Keep in mind that any auditing activity will impact the performance of the system being monitored. Organizations must find a balance between auditing important events and activities and ensuring that device performance is maintained at an acceptable level.

The figure below illustrates the log management dashboard:


Figure: Log Management Dashboard

When designing an auditing mechanism, security professionals should remember the following guidelines:
- Develop an audit log management plan that includes mechanisms to control the log size, backup processes, and periodic review plans.
- Ensure that the ability to delete an audit log is a two-person control that must be completed by administrators.
- Monitor all high-privilege accounts (including all root users and administrative-level accounts).
- Ensure that the audit trail includes who processed a transaction, when the transaction occurred (date and time), where the transaction occurred (which system), and whether the transaction was successful.
- Ensure that deleting the log and deleting data within the logs cannot occur.

Audit trails detect computer penetrations and reveal actions that identify misuse. As a security professional, you should use audit trails to review patterns of access to individual objects. To identify abnormal patterns of behavior, you should first identify normal patterns of behavior. Also, you should establish the clipping level, which is a baseline of user errors above which violations will be recorded. For example, your organization may choose to ignore the first invalid login attempt, knowing that initial invalid login attempts are often due to user error. Any invalid login after the first one, however, would be recorded because it could be a sign of an attack. Audit trails deter attackers’ attempts to bypass the protection mechanisms that are configured on a system or device. As a security professional, you should specifically configure the audit trails to track system/device rights or privileges being granted to a user and data additions, deletions, or modifications. You can use Group Policy in a Windows environment to create and apply audit policies to computers.
Finally, audit trails must be monitored, and automatic notifications should be configured. If no one monitors the audit trail, the data recorded in the audit trail is useless. Certain actions should be configured to trigger automatic notifications. For example, you may want to configure an email alert to occur after a certain number of invalid login attempts because invalid login attempts may be a sign that a password attack is occurring.

Host hardening
Another of the ongoing goals of operations security is to ensure that all systems have been hardened to the extent that is possible while still providing functionality. The hardening can be accomplished both on physical and logical bases. From a logical perspective, the following should be implemented:
- Unnecessary applications should be removed.
- Unnecessary services should be disabled.
- Unrequired ports should be blocked.
- External storage devices and media should be tightly controlled if allowed at all.
- Unnecessary accounts should be disabled.
- Default accounts should be renamed, if possible.
- Default passwords for default accounts should be changed.

Standard environment/configuration baselining
One practice that can make maintaining security simpler is to create and deploy standard images that have been secured with security baselines. A security baseline is a set of configuration settings that provide a floor of minimum security in the image being deployed. Security baselines can be controlled through the use of Group Policy in Windows. These policy settings can be made in the image and applied to both users and computers. These settings are refreshed periodically through a connection to a domain controller and cannot be altered by the user. It is also quite common for the deployment image to include all of the most current operating system updates and patches as well. When a network makes use of these types of technologies, the administrators have created a standard operating environment. The advantages of such an environment are more consistent behavior of the network and simpler support issues. Scans should be performed on the systems weekly to detect changes to the baseline. Virtual machine images can also be used for this purpose.

Application whitelisting and blacklisting
Application whitelists are lists of allowed applications (with all others excluded), and blacklists are lists of prohibited applications (with all others allowed). It is important to control the types of applications that users can install on their computers. Some application types can create support issues, and others can introduce malware. It is possible to use Windows Group Policy to restrict the installation of software on network computers. Using Windows Group Policy is only one option, and each organization should select a technology to control application installation and usage in the network.

Security/Group Policy implementation
One of the most widely used methods of enforcing a standard operating environment is using Group Policy in Windows. In an Active Directory environment, any users and computers that are members of a domain can be provided a collection of settings that comprise a security baseline. (It is also possible to use Local Security Policy settings on non-domain members, but this requires more administrative effort.) Group Policy leverages the hierarchical structure of Active Directory to provide a common group of settings, called Group Policy Objects (GPOs), to all systems in the domain while adding or subtracting specific settings to certain subgroups of users or computers, called containers. An additional benefit of using Group Policy is that an administrator can make changes to the existing policies by using the Group Policy Management Console (GPMC). Affected users and computers will download and implement any changes when they refresh the policy— which occurs at startup, shutdown, logon, and logoff. It is also possible for the administrator to force a refresh when time is of the essence.

The following are some of the advantages provided by the granular control available in the GPMC:
- Ability to allow or disallow the inheritance of a policy from one container in Active Directory to one of its child containers
- Ability to filter out specific users or computers from a policy’s effect
- Ability to delegate administration of any part of the Active Directory namespace to an administrator
- Ability to use Windows Management Instrumentation (WMI) filters to exempt computers of a certain hardware type from a policy

The following are some of the notable policies that relate to security:
- Account policies: These policies include password policies, account lockout policies, and Kerberos authentication policies.
- Local policies: These policies include audit, security, and user rights policies that affect the local computer.
- Event log: This policy controls the behavior of the event log.
- Restricted groups: This is used to control the membership of sensitive groups.
- Systems services: This is used to control the access to and behavior of system services.
- Registry: This is used to control access to the registry.
- File system: This includes security for files and folders and controls security auditing of files and folders.
- Public key policies: This is used to control the behavior of a PKI.
- Internet protocol security policies on Active Directory: This is used to create IPsec policies for servers.

Command shell restrictions
While Windows is known for its graphical user interface (GUI), it is possible to perform anything that can be done in the GUI at the command line. Moreover, many administrative tasks can be done only at the command line, and some of those tasks can be harmful and destructive to the system when their impact is not well understood. Administrators of other operating systems, such as Linux or UNIX, make even more use of a command line in day-to-day operations. Administrators of routers and switches make almost exclusive use of a command-line when managing those devices.
With the risk of mistakes, coupled with the possibility of those with malicious intent playing havoc at the command line, it is advisable in some cases to implement command shell restrictions. A restricted command shell is a command-line interface where only certain commands are available. In Linux and UNIX, a number of command-line shells are available, and they differ in terms of the power of the commands they allow.
In Cisco IOS, the commands that are available depend on the mode in which the command-line interface ID is operating. You start out in user mode, where very few things can be done (and none of them very significant), and then progress to privileged mode, where more commands are available. However, you can place a password on the device for which the user will be prompted when moving from user mode to privileged mode. For more granular control of administrative access, user accounts can be created on the device, and privilege levels can be assigned to control what technicians can do, based on their accounts.

Configuring dedicated interfaces
Not all interfaces are created equal. Some, especially those connected to infrastructure devices and servers, need to be more tightly controlled and monitored due to the information assets to which they lead. Some of the ways sensitive interfaces and devices can be monitored and controlled are presented in the following section.

Out-of-band management
An interface that is out-of-band (OOB) is connected to a separate and isolated network that is not accessible from the local area network or the outside world. These interfaces are also typically live even when the device is off. OOB interfaces can be Ethernet or serial.

Guidelines to follow when configuring OOB interfaces include the following:
- Place all OOB interfaces in a separate subnet from the data network.
- Create a separate virtual LAN (VLAN) on the switches for this subnet.
- When crossing wide area network (WAN) connections, use a separate Internet connection for the production network.
- Use Quality of Service (QoS) to ensure that the management traffic does not affect production performance.
- To help get more returns for the investment in additional technology, consider using the same management network for backups.
- If the network interface cards (NICs) support it, use Wake on LAN to make systems available even when they are shut down.
Some newer computers that have the Intel vPro chipset and a version of Intel Active Management Technology (Intel AMT) can be managed out-of-band even when the system is off.

When this functionality is coupled with the out-of-band management feature in System Center 2016 R2 Configuration Manager, you can perform the following tasks:
- Power on one or many computers (for example, for maintenance on computers outside business hours).
- Power off one or many computers (for example, if the operating system stops responding).
- Restart a nonfunctioning computer or boot from a locally connected device or known good boot image file.
- Re-image a computer by booting from a boot image file that is located on the network or by using a Preboot Execution Environment (PXE) server.
- Reconfigure the BIOS settings on a selected computer (and bypass the BIOS password if this is supported by the BIOS manufacturer).
- Boot to a command-based operating system to run commands, repair tools, or diagnostic applications (for example, upgrading the firmware or running a disk repair tool).
- Configure scheduled software deployments to wake up computers before the computers are running.

Management interfaces
These are used for accessing devices remotely. Typically, a management interface is disconnected from the in-band network and is connected to the device’s internal network. Through a management interface, you can access the device over the network by using utilities such as SSH and Telnet. Simple Network Management Protocol (SNMP) can use a management interface to gather statistics from a device. In some cases, the interface is an actual physical port labeled as a management port; in other cases, it is a port that is logically separated from the network (for example, in a private VLAN). The point is to keep these interfaces used for remotely managing the device separate from the regular network traffic the device may encounter.
There are no disadvantages to using a management interface, but it is important to secure management interfaces. Cisco devices have dedicated terminal lines for remote management, called VTY ports. A VTY port should be configured with a password.

To secure the 16 VTY lines on some Cisco switches, use the following command set to set the password to Ci$co:
Switch001>enable
Switch001#configure terminal
Switch001(config)#line vty 0 15
Switch001(config-line)#password Ci$c0
Switch001(config-line)#login

Data interface
Data interfaces are used to pass regular data traffic and are not used for either local or remote management. The interfaces may operate at either layer 2 or layer 3, depending on the type of device (router or switch). These interfaces can also have ACLs defined at either layer. On routers, we call them access lists, and on switches, we call them concept port security. Some networking devices, such as routers and switches, can also have logical or software interfaces. An example is a loopback interface. This is an interface on a Cisco device that can be given an IP address and it will function the same as a hardware interface. Why would you use such an interface? Well, unlike hardware interfaces, loopback interfaces never go down. This means that as long as any of the hardware interfaces are functioning on the device, you will be able to reach the loopback interface. This makes a loopback interface a good candidate for making the VTY connection, which can be targeted at any IP address on the device.

Creating a loopback interface is simple. The commands are as follows:
Switch001(config)#interface Loopback0
Switch001(config-if)#ip address 192.168.15.15 255.255.255.0

Bluetooth
Bluetooth is a wireless technology that is used to create personal area networks (PANs), which are short-range connections between devices and peripherals, such as headphones. It operates in the 2.4 GHz frequency at speeds of 1 to 3 Mbps and over a distance of up to 10 meters. Several attacks can take advantage of Bluetooth technology. With Bluejacking, an unsolicited message is sent to a Bluetooth-enabled device, often for the purpose of adding a business card to the victim’s contact list. This type of attack can be prevented by placing the device in non-discoverable mode.
Bluesnarfing involves unauthorized access to a device using the Bluetooth connection. In this case, the attacker is trying to access information on the device rather than sending messages to the device. The use of Bluetooth can be controlled, and such control should be considered in high-security environments. Increasingly, organizations are being pushed to allow corporate network access to personal mobile devices. This creates a nightmare for security administrators. Mobile device management (MDM) solutions attempt to secure these devices. These solutions include a server component, which sends management commands to the devices. There are a number of open specifications, such as Open Mobile Alliance (OMA) device management, but there is no real standard as yet. Among the technologies, these solutions may control the Bluetooth settings and wireless settings.

File and disk encryption
While largely the same in concept, file and disk encryption are different from one another. Disk encryption occurs at the hardware level. File encryption, on the other hand, is a software process. Another difference is that disk encryption is effective when the device is off, while file encryption provides security while the device is on. The following sections look at both types.

TPM
While it can be helpful to control network access to devices, in many cases, devices such as laptops, tablets, and smartphones leave your network and also leave behind all the measures you have taken to protect the network. There is also a risk of these devices being stolen or lost. For these situations, the best measure to take is full disk encryption. The best implementation of full-disk encryption requires and makes use of a Trusted Platform Module (TPM) chip. A TPM chip is a security chip installed on a computer’s motherboard that is responsible for protecting symmetric and asymmetric keys, hashes, and digital certificates. This chip provides services to protect passwords and encrypt drives and digital rights, making it much harder for attackers to gain access to the computers that have TPM chips enabled.
Two particularly popular uses of TPM are binding and sealing. Binding actually “binds” the hard drive through encryption to a particular computer. Because the decryption key is stored in the TPM chip, the hard drive’s contents are available only when the drive is connected to the original computer. But keep in mind that all the contents are at risk if the TPM chip fails and a backup of the key does not exist. Sealing, on the other hand, “seals” the system state to a particular hardware and software configuration. This prevents attackers from making any changes to the system. However, it can also make installing a new piece of hardware or a new operating system much harder. The system can only boot after the TPM chip verifies system integrity by comparing the original computed hash value of the system’s configuration to the hash value of its configuration at boot time.

TPM chip consists of both static memory and versatile memory that is used to retain the important information when the computer is turned off, as follows:
- Endorsement key (EK): The EK is persistent memory installed by the manufacturer that contains a public/private key pair.
- Storage root key (SRK): The SRK is persistent memory that secures the keys stored in the TPM.
- Attestation identity key (AIK): The AIK is versatile memory that ensures the integrity of the EK.
- Platform configuration register (PCR) hash: A PCR hash is a versatile memory that stores data hashes for the sealing function.
- Storage keys: A storage key is a versatile memory that contains the keys used to encrypt the computer’s storage, including hard drives, USB flash drives, and so on.

BitLocker and BitLocker to Go by Microsoft are well-known full disk encryption products. The former is used to encrypt hard drives, including operating system drives, and the latter is used to encrypt information on portable devices such as USB devices. However, there are other options.

Additional whole disk encryption products include the following:
- PGP Whole Disk Encryption
- Secure Star DriveCrypt
- Sophos SafeGuard
- MobileArmor Data Armor

Virtual TPM
A virtual TPM (VTPM) chip is a software object that performs the functions of a TPM chip. It is a system that enables trusted computing for an unlimited number of virtual machines on a single hardware platform. VTPM makes secure storage and cryptographic functions available to operating systems and applications running in virtual machines.

Firmware updates
The firmware includes any type of instruction stored in non-volatile memory devices such as read-only memory (ROM), electrically erasable programmable read-only memory (EPROM), or Flash memory. BIOS and UEFI code are the most common examples of the firmware. Computer BIOS doesn’t go bad; however, it can become out of date or contain bugs. In the case of a bug, an upgrade will correct the problem. An upgrade may also be indicated when the BIOS doesn’t support some component that you would like to install, such as a larger hard drive or a different type of processor. Today’s BIOS is typically written to an EEPROM chip and can be updated through the use of the software. Each manufacturer has its own method for accomplishing this. Check out the manufacturer’s documentation for complete details. Regardless of the exact procedure used, the update process is referred to as flashing the BIOS. It means the old instructions are erased from the EEPROM chip, and the new instructions are written to the chip. Firmware can be updated by using an update utility from the motherboard vendor.

In many cases, the steps are as follows:
Step 1: Download the update file to a flash drive.
Step 2: Insert the flash drive and reboot the machine.
Step 3: Use the specified key sequence to enter the UEFI/BIOS setup.
Step 4: If necessary, disable secure boot.
Step 5: Save the changes and reboot again.
Step 6: Re-enter the CMOS settings again.
Step 7: Choose the boot options and boot from the flash drive.
Step 8: Follow specific update directions to locate the upgrade file on the flash drive.
Step 9: Execute the file (usually by typing flash).
Step 10: While the update is completing, ensure that you maintain power to the device.

Boot loader protections
When a system is booting up, there is a window of opportunity for breaking into the system. For example, when physical access is possible, you could set a system to boot to other boot media and then access the hard drive. For this reason, boot loader protection mechanisms should be utilized, as discussed in the following sections.

Secure Boot
Secure Boot is a term that applies to several technologies that follow the Secure Boot standard. Its implementations include Windows Secure Boot, measured launch, and Integrity Measurement Architecture (IMA).
Step 1: The firmware verifies all UEFI executable files and OS loader to be sure they are trusted.
Step 2: Windows Boot Components verifies the signature on each component to be loaded. Any non-trusted components will not be loaded and will trigger remediation.
Step 3: The signatures on all boot-critical drivers are checked as part of secure boot verification in Winload (Windows Boot Loader) and by the Early Launch Anti-Malware driver.

The disadvantage is that systems that ship with UEFI Secure Boot enabled, do not allow the installation of any other operating system. This prevents installing any other operating systems or running any live Linux media.

Measured launch
A measured launch is a launch in which the software and platform components have been identified, or “measured,” using cryptographic techniques. The resulting values are used at each boot to verify trust in those components. A measured launch is designed to prevent attacks on these components (system and BIOS code) or at least to identify when these components have been compromised. It is part of the Intel Trusted Execution Technology (Intel TXT). TXT functionality is leveraged by software vendors including HyTrust, PrivateCore, Citrix, and VMware.
An application of measured launch is Measured Boot by Microsoft in Windows 10 and Windows Server 2016. It creates a detailed log of all components that loaded before the anti-malware. This log can be used to both identify malware on the computer and maintain evidence of boot component tampering. One possible disadvantage of measured launch is the potential slowing of the boot process.

Integrity measurement architecture
Another approach that attempts to create and measure the runtime environment is an open-source trusted computing component called Integrity Measurement Architecture (IMA). IMA creates a list of components and anchors the list to the TPM chip. It can use the list to attest to the system’s runtime integrity. Anchoring the list to the TPM chip in hardware prevents its compromise.

BIOS/UEFI
Unified Extensible Firmware Interface (UEFI) is an alternative to using BIOS to interface between software and firmware of a system. Most images that support UEFI also support legacy BIOS services.

Some of its advantages are as follows:
- Ability to boot from large disks (over 2 TB) with a GUID partition table
- CPU-independent architecture
- CPU-independent drivers
- Flexible pre-OS environment, including network capability
- Modular design

Attestation services
Attestation services allow an authorized party to detect changes to an operating system. These services involve generating a certificate for the hardware that states what software is currently running. The computer can use this certificate to attest that unaltered software is currently executing. Windows operating systems have been capable of remote attestation since Windows 8.

Vulnerabilities associated with hardware
While security professionals devote a lot of time to chasing software vulnerabilities, they often forget about hardware vulnerabilities. Remember that one of the most well-known hacks—the Target hack—took advantage of a hardware encryption flaw. Another example of a hardware vulnerability is the hacking of a car system and the subsequent takeover of the control system. Hackers have embraced hardware attacks because of the difficulty in detecting them, but the compromising of hardware goes beyond backdoors.

Vulnerabilities also include the following:
- Backdoors that affect embedded RFID chips and memory
- Eavesdropping through protected memory without any other hardware being opened
- Faults induced to interrupt normal behavior
- Hardware modification tampering with hardware or jailbroken software
- Backdoors or hidden methods for bypassing normal computer authentication systems
- Counterfeit products made to gain malicious access to systems

The only assured way of preventing such vulnerabilities is to tightly control the manufacturing process for all products. DoD uses the Trusted Foundry Program to validate all vendors in this regard. No longer can organizations simply purchase the cheapest devices from Asia; they must now begin to grapple with the creation of their own programs that emulate the Trusted Foundry Program.

Conclusion
This guide defines the concepts of Trusted OS and ways of improving system security. This includes antivirus, antimalware, antispyware and spam filters, patch management, and data loss prevention along with endpoint monitoring and response. Concepts for host hardening, boot loader protection, and hardware vulnerabilities are also discussed. This guide also includes security recommendations and measures when using terminal and application delivery services.