CompTIA CYSA+ CS0-002 – Specialized Technology Part 1

1. Mobile Vulnerabilities (OBJ 1.5)

Mobile vulnerabilities. In this lesson we’re going to start talking about mobile vulnerabilities. Now, as you look around the workforce these days, you cannot go within a couple of minutes without seeing somebody on their smartphone or on their tablet or on some other kind of mobile device, maybe a smartwatch or something like that. It’s just these devices are everywhere now and this introduces new threats and vulnerabilities to our networks and our organizations. So in this lesson we’re going to cover three specific areas associated with mobile technology. This includes the bring your own device policies that so many of our companies are using, mobile platform threats and vulnerabilities and mobile device management and enterprise mobility management. First, let’s talk about bring your own device.

Now, Bring your own device is a policy that allows people to essentially bring their own equipment into work and use it. Now, when you talk about bring your own device, it can be something generic like mice and keyboards and headphones or something like a laptop or a smartphone or a tablet. It really can be any device. And so it’s up to your organization to define your bring your own device policy. In the most general terms. A bring your own device policy or BYOD is any security policy set forth by a company that allows employees to use their personal smartphones, laptops and tablets for work or connection to the corporate network. So if I have my laptop, I can bring it to work, plug it into the network and start working on it all day.

When I’m done, I can unplug it from the network and take it home and then I can plug it into my network at home and use it for personal things or work related things. And that’s really the danger when we start talking about bring your own device. Now, when we think about bring your own device, it brings a lot of challenges with us. The first one is deprimeterization. Now, what do I mean by this? Well, when we talk about physical security of our network, we’re talking about the perimeter. If my entire network is located within my office building, it’s a lot easier for me to protect than if I allow that to go outside my office building. So if you take your laptop and you bring it to work and use it and then you take it home, well then we’ve just expanded the perimeter of the office network to your house as well.

Even if we don’t do it logically, we have now physically done it because there’s documents stored on that device that are now in your home. And so if that laptop gets stolen, that can be a problem because we don’t have the protections in place. Another big issue we have is unpatched and unsecured devices. If you’re going to bring your laptop in, I don’t know what the quality of that laptop is. I don’t know if you’ve done all your security patches, if you have the latest antivirus if you have the right security protections in place. All of those are things that you now bring into my network. And when you plug into it, you are now bringing those vulnerabilities in with it. And so this is something you have to think about as well. Another concern with bring your own device is strained infrastructure.

Now what I mean by this is that as a company we’re going to build our networks based on the number of users and the number of devices we expect to run on it. And so if I built my company expecting 50 employees and now I have 500 employees and so we start saying, oh it’s okay, it just bring your own devices because I don’t have enough laptops and desktops for you, we’ll just put up a WiFi access point, you can connect to that. Well again, that’s going to strain the infrastructure because that’s not going to be enough to handle the increased load that we’re putting on it. So all these extra devices do increase load and it becomes something that can strain your infrastructure. Another thing is forensic complications.

If you have a data breach or you suspect that that device was involved with something as part of your incident response, are you going to be able to actually look at that and go through that device? Well maybe, or maybe not because it’s not technically a corporate owned device. This is somebody’s personal device. And so if you want to look at my smartphone, well you’re going to have to get my permission. And if I don’t want to give it to you, you can’t do the forensic investigation that you want to do. And so this becomes another issue that you have to deal with. And the fifth and final thing we have to think about really with Bring Your Own Device is what happens when that device is lost or stolen. Again, this kind of goes back to our deep primeterization.

If I take that device out of the office now, I can’t protect it as well. If I leave my smartphone in the back of a taxi cab or somebody steals my laptop from my hotel room, they now have access to all those files that are part of the corporate network that are now stored on my system. And so these are things you have to think about with Bring Your Own Device. Now the next area we want to talk about is specific mobile platform threats and vulnerabilities because there are specific threats and vulnerabilities that are associated with just using certain mobile platforms. Now most of the time you’re going to be using one of two mobile operating systems. These days it’s either going to be Android or iOS and so we’re going to talk about both of those in this lesson.

Now when we talk about Android, this is a Linux based operating system that is made by Google. Now the great thing about android is it’s open source, so it’s really easy for cell phone manufacturers to be able to use it, and they don’t have to pay a licensing fee back to Google. So this is something that is very attractive and it makes it so it’s very widely accepted. Because of this, Android has the largest market share. There are the most amount of devices out there with Android audit. And because Android is so popular across the world, there’s also a larger number of older devices out there because a lot of people will get a device that might be two or three or four years old and they’ll still be using it. Now, there’s no more software updates or security patches for it, but those older devices are still out there.

Now, one of the great things about Android is it’s open nature of the operating system. One of the bad things about it is it’s open nature of the operating system. A lot of people like the fact that it’s open source and that anyone can build for it. But that also brings the vulnerabilities that anyone can build for it, including people who make malware. Now, another issue that we have is that there is a large usage of third party apps on Android. Now, unlike iOS devices made by Apple, you can actually run third party apps on an Android device. You don’t have to install apps just through Google Store, through Play Store. Instead, you can download any file you want from the Internet, and you can run that on your device. That gives you a lot of freedom, but it also gives you an exposure to a lot of malware. So it’s something you have to consider. Now, on the other side, we have the Apple devices, and if you’re running iOS, you’re running this on an iPhone. In fact, it’s the only place you can run iOS because iOS is a closed operating system. It’s made by Apple, and it has to be run on iPhones. They will not allow you to run it on any other device. So Android can be run on pretty much anything, but iOS has to be on an iPhone. Now, there’s a couple of issues when you start dealing with iOS. iOS is kind of the opposite of Android, right? But because it is a closed operating system, a lot of people don’t like that.

And so they like iOS, but they don’t like the fact that they’re being told what they can do with their own device. So they do something called jailbreaking. If you’re taking your A plus, you’re familiar with this term, when you jailbreak a device, you essentially are going to remove all of the protections that Apple has for you and all of their restrictions. So jailbreaking devices are actually the largest threat vector that’s used by attackers because if you jailbreak the device, you no longer have the protections and restrictions that Apple gives you. And that makes you more vulnerable to attack. Just because you have an iPhone and you haven’t jailbroken it doesn’t mean you’re safe though. There are vulnerabilities associated with Apple devices. In fact a lot of hackers go after Apple devices exclusively.

Why? Because a lot of people who use Apple tend to be more affluent, they have more money, so they’re a better target to go after because if you can get into their devices, you can get into their bank accounts and other things like that. In fact, Apple has a huge bounty for any zero day vulnerabilities. If you can find a zero day vulnerability for Apple they’ll pay you a million dollars, right? And so that’s something that makes a lot of hackers go after it because they’re trying to find ways into that operating system. Now there are zero day exploits out there and they are used by nation state actors and APts against high value targets. Now when it comes to Apple devices there are some zero days out there but generally they cost a lot of money to develop or you can buy them from other hackers for a lot of money.

Generally you’re going to find that these zero day exploits are actually used by nation state actors and APts advanced persistent threats against these high value targets. So when I talk about a high value target I don’t necessarily mean somebody like me, I’m not a high value target. But they did use some of these zero day exploits against people like Jeff Bezos, the owner of Amazon, to be able to get into his phone and be able to get information and be able to leak it, make him look bad publicly. Also they might use it to go after government officials if they know they’re using an iPhone. And this doesn’t just apply to iPhones either. These zero days could be made for Android but again they’re different operating systems so it would have to be a different zero day exploit.

Now the third area of this lecture that we want to talk about is mobile device management and enterprise mobility management. When I talk about MDM or mobile device management, I’m talking about the process and supporting technologies for tracking, controlling and securing the organization’s mobile infrastructure. Essentially it’s a way for us to oversee all these mobile devices and this works really well when your organization owns the devices and issues them out to employees because then you could put whatever restrictions you want on them and MDM allows you to do that. Now if you want to take it a step further you can use something known as EMM which is enterprise mobility management.

This is a mobile device management suite with broader capabilities so it can actually do things like identification and application management as well. Now you might hear these terms used interchangeably or a lot of people are still old fashioned and we’ll call it MDM even when they’re talking about something that is EMM. Either way we’re really talking about the same thing here. We’re talking about some way to manage and secure and do patch management. All those things we need to do for those mobile devices. Now as we start talking about the features of these MDM or EMM suites, there are a handful of them. For instance, one of the features is to be able to do device enrollment and authentication.

This way we can know exactly who is using that device and who it’s been issued to and basically use it as an asset tracking mechanism. Another thing we can do is remotely lock and wipe devices. So if somebody loses a device they can call their security team or their help desk and they can actually go in, lock that device and remotely wipe that data to ensure that it’s protected. Another thing we can use these for is to identify device locations. Let’s say I lost my phone in the back of a taxi cab. I can call the customer service desk and they can actually look at my phone and it’s GPS coordinates and say oh that taxi cab is on the corner of Main and first. You should go there and get it. Another thing you can do is you can do patch and deployment management through these.

So if you have a patch or a software update that needs to be pushed out, you can do that through these mobile device management. And that way you can make sure everybody’s got the latest and greatest security to make sure that they are going to be using a device that is secure and keeping your confidential information secure. Another thing we also look at is being able to prevent root or gel breaks. So as I said, jailbreaking a device is going to remove a lot of the permissions and restrictions that Apple puts on your device. If you have an iPhone, well that also makes you vulnerable to attack. So as an MDM we want to make sure that doesn’t happen. So we want to make sure jailbreaking is not allowed.

Another great thing we could do with this type of software is we can create encrypted containers for data. Now what I mean by this is if I have a device like my iPhone that I have, I can have a particular part of that that is cordoned off and it’s a secure container that is created and all the data inside of it is encrypted. So when I’m using that device to play Angry Birds, it’s not in that encrypted container. But if I’m going in there and looking at student information that relates to my business, all that information would be in that encrypted container. And again this is another feature of these mobile device management or enterprise mobility management systems.

And finally we can also restrict features and services. I just said I was playing Angry Birds on my work phone. Do you want me to be able to do that? Well if not you can actually turn that off and say you’re only allowed to have these ten applications. You can only do these categories of things. You can’t do games, but you can do productivity, you can’t use VPNs, but you can use this. Those are the things you can do by restricting different features and services within those apps. Now, the final thing you can use MDMs for is to manage incidents and conduct investigations.

So if I’m a support technician, I can actually use MDM for that as well, because they have the ability to share your screen, so I can remotely see what you’re seeing and walk you through those things and help you through that. You learned about that all the way back in A Plus. Now, if we’re doing an investigation because we have a data breach or something else, we can track that device in every place it’s been physically in the world based on its GPS, as well as what it’s connected to, based on the IP addresses and the different networks it’s connected to. And all that can be stored and rolled up and passed to us through those MDM systems. And so we can take all that information into a central database, something like a theme, and be able to use that as part of our larger instant.

2. IoT Vulnerabilities (OBJ 1.5)

Internet of things. Vulnerabilities. In this lesson we’re going to start talking about IoT or the Internet of Things. Now, when I talk about Internet of Things you may have heard this term before and you really should if you’ve talked about A Plus or Net Plus or Security Plus because these are all things that connect to our network. It can be things like trains, planes and automobiles. It can be shopping carts, it can be your smart TV, it can be your cell phone phone. Pretty much anything that can connect to the Internet could be considered an Internet of things. For instance, there’s some refrigerators out there right now that have the ability of connecting to the Internet and using things like Alexa to be able to add things or take things away from your shopping list.

All of that is part of the Internet of Things. So when we define the Internet of Things or IoT, we’re really just talking about a group of objects and they could be electronic or not and they all have to be connected to the wider Internet by using embedded electronic components. That is what we define the Internet of things. So if you think about your home, if you have a smart home, you might have a smart door lock on the front door that you use to get in. You have a camera that’s sitting there to see people as they come up to your doorbell if they press on your doorbell, that can actually ring on your cell phone so you can know who’s at the door before you get up from your couch.

You might have a smart air conditioner that can keep track of what the temperature is in the room and you can see edit and you could change it from anywhere in the world because it’s Internet connected. You might have a lighting system where you can control if it’s going to be white or red or blue lights because they’re connected to the Internet too. And you could talk to that through your smartphone. You may have energy management or appliance control. You might have a smart device like a smart TV or a smart speaker. All of these things are different. Things that we can connect inside of our house and they all give us a lot of great capability.

But the biggest problem with these things is they’re not always secure and security is most often an afterthought to convenience when we start talking about smart devices. Now, most of our smart devices are going to use an embedded version of Linux or Android as their operating system. And so because they have Linux or Android as their operating system, they are vulnerable to attack. If there’s a Linux vulnerability out there and you’re using a Linux version on that smart device and that vulnerability matches, it can actually attack your smart, smart speaker, for instance. And so these are things you have to think about as you start looking at your network. Because if they’re connected to your network, because you have a smart TV in the conference room, that could be an attack vector for somebody to get into your network.

And that is one of the most common places I see people getting into a network through is things like smart devices that are now connected to the corporate network. So you want to make sure they’re properly installed, secured and segmented when you put them into your corporate network if you’re going to put them in your corporate network now these smart devices must be secured and updated when there’s new vulnerabilities that are found. As I said, they’re just running Linux or Android, and what happens is a lot of times people will never update the software on these devices. So you might be running a version of Linux that’s five years old because it was small and easy to put on a device, but you’ve never updated. So now it’s got this huge vulnerability.

So when you think about IoT, the idea of IoT and security, they really don’t go together very well because most IoT manufacturers are not thinking about security when they build these devices. People buy smart speakers and lights and smart devices because they want convenience. And most people aren’t thinking about security. So if you’re going to install these things in your corporate network, you really have to think about this with a security lens. And one of the best things you can do is segment these devices off into their own network so they’re not talking to the rest of the corporate, corporate network. Don’t allow them to be a device that people can use to be able to pivot into your network and get your corporate data.

3. Embedded System Vulnerabilities (OBJ 1.5)

Embedded system vulnerabilities. In this lesson, we’re going to start talking about some embedded system vulnerabilities because we talked about the fact that a lot of these devices that we connect to the Internet as part of the Internet of things at large do have embedded operating systems like the Linux or Android or other things like that. Now, when we talk about an embedded system this is a computer system that is designed to perform a specific and dedicated function. Now, oftentimes when we talk about an embedded system we’re talking about things more in the manufacturing space or automation space. So we might have a microcontroller in a medical drip system that has one job. It’s to measure the amount of volume of fluid that goes through that machine and into your IV so you can give the patient what they need.

You might have another one for a control system at a water treatment plant and its responsibility is to make sure that water is flowing through at a certain rate and they’re going to open or close valves to make sure we maintain that amount of flow through the system. This is the idea of an embedded system. It can be a very, very simple device or it can be fully complex and have a full operating system like Linux or Android being used to run these type of systems. It just depends. Now, in this particular lesson I’m going to focus more on the specific embedded systems that have a single function and they have their own dedicated operating system or microprocessors to do that function.

For instance, at my house I have a smart meter so if I go out to my side of my house I can look at the electric meter on my house and it will tell me how many kilowatts per hour I am using and how much I’ve used over time. Now, this information is connected to the Internet so that the power company doesn’t have to send somebody to my house to read this meter once a month. Instead, it’s all done electronically. Now, they do this by using cellular modems and it connects to the cellular network back over the Internet, to their headquarters and to their servers to feed in the data of what we’ve used for power consumption. If you look at your meter at your house you probably have something that looks pretty similar.

Now, these types of embedded systems are considered static environments where frequent changes are not made or allowed. So when’s the last time you upgrade the software on your electric meter, for instance? You probably never have and the power company probably doesn’t do it very frequently either. That’s the idea of these embedded systems. They are a very stripped down system that is made to do one purpose and one purpose only. And by doing that, that helps them become more secure because they don’t have a lot of extra code. But if that original code wasn’t made in place in a good state. It makes it hard to do updates because these things aren’t built to be able to get frequent software updates.

Because of this, embedded systems often have very, very little support for identifying and correcting security issues. You can’t call up the power company and tell them to come secure your meter. That’s just not part of what they’re going to do for you. They’re going to do it the way they want to do it because it’s their device. And often if you have an embedded system inside your factory or inside your plant, if you’re in a manufacturing area, you’re going to have limited support from that manufacturer. And so this is an area where you really want to get all these devices onto a separate network and not have them connected back to the Internet at large. Or this could be a big area of vulnerability for you.

Now, when we talk about embedded systems, there’s a term called Plc, which is a programmable logic controller. This is the type of computer that’s designed for deployment in an industrial or outdoor setting and it can automate and modern mechanical systems. Now when you think about a Plc, I want you to think of something like manufacturing that’s going to open or shut a valve to let more or less water come in. That’s the idea of a Plc. It is a programmable logic controller. Now these PLCs run on firmware because again, these are embedded systems. So the firmware, which is software to chip, can be patched and reprogrammed to fix vulnerabilities when they occur. But again, there’s a very specific process and there’s usually limited support from the manufacturer.

It’s not like Microsoft where they’re going to give you a patch every Tuesday. With these PLCs, you might get a patch every six months or a year or two years. There’s usually a very long time in between patches. Now another way we can do this is using what’s called a system on a chip. This is another form of embedded systems. This is where a processor integrates the platform functionality of multiple logical controllers onto a single chip. So instead of having all these big PLCs all over the place, we can get all that down to one single chip. Now this system on a chip can be very power efficient and therefore they’re often used with smaller devices that need to have an embedded system.

So if I need to create something that’s going to have an embedded system and be very small, that can fit in my pocket, that would usually use something like a system on a chip. If you’re using something like a room bow or robot vacuum cleaner. Those use a system on a chip type of mentality because they try to get all that information put onto a single chip because again, it takes up less space and therefore you can leave more room for the functioning parts you need such as the vacuum. Now, the other thing we want to talk about is some of these operating systems they use. So there’s this thing known as an RTOs, which is a real time operating system. Now this is a type of operating system that prioritizes deterministic execution of operations and this will help us to ensure consistent response for time critical tasks.

Now think about this. If you’re running something that has to open or shut a valve inside of a nuclear plant can you have the ability for that to be offline at any time? Probably not, right? Well, that’s the idea of where we would use an RTOs, a real time operating system. This is because a lot of our embedded systems typically can’t tolerate reboots or crashes and they have to have these response times that are predictable within milliseconds. So if I’m building something that’s going to run parts of an airplane that’s going to help my autopilot fly and with the autopilot needs to make adjustments on the wings every couple of milliseconds, well that is something that we would want to use in real time operating system for. We can’t use a standard Windows system for that.

It’s just not fast enough or powerful enough and it’s subject to rebooting or crashing and security patches and all that other stuff. So RTOs, when you hear that term, think about this as the type of operating system that’s often used with embedded systems, especially in critical applications. Now, the last thing I want to talk about is an FPGA, which is a field programmable gate array. This is the type of processor that can be programmed to perform a specific function by a customer rather than at the time of manufacture. So if I’m going to use something like a system on a chip that is going to be programmed by the manufacturer and whatever it’s programmed to do, that’s what it’s going to do. But with a field programmable gate array i, as the customer can actually program what I want it to do.

This is really useful if I have a more generic function like open and shut a valve. But I need to tell it what time I want it to do it or if I want to tell it how many seconds it should be open for and how many seconds it should be closed for. Those are things I can program in using a field programmable gate array. Now the end customer here has the ability to program these things by configuring the programming logic. And we can do this to run a specific application instead of using an application specific integrated circuit like I was talking about assistant system on a chip design would. When you burn a system on a chip, that is the program you’re going to have. When you’re dealing with a field programmable gate array you have the ability to change that.

• Category: Uncategorized