#CompTIA Security+ 501 exam Chapter07 Managing Hosts and Applications Deployment Part 2
Posted by Superadmin on November 16 2018 16:02:58

Chapter07 Managing Hosts and Applications Deployment Part 2

 

 

Industrial control system

 

Industrial Control System (ICS) is a general term that covers several types of control systems and instrumentation used for industrial process control. SCADA is one type of ICS (programmable logic controllers (PLCs) and distributed control systems (DCS) are others), and a SCADA system typically supervises the other components. ICS are used for:

 

 

Supervisory control and data acquisition

 

Supervisory Control and Data Acquisition (SCADA) systems are automated control systems that are crucial for industrial organizations since they help to maintain efficiency, process data for smarter decisions, and communicate system issues to help mitigate downtime.

SCADA systems are used, for example, in oil and gas refineries where production runs through multiple phases. Iran's Natanz uranium enrichment facility was run by a SCADA system; it was attacked by the Stuxnet worm, which reprogrammed the Siemens PLCs driving the centrifuges and altered their rotation speed. Stuxnet was discovered in 2010, but analysis of its code suggests development started around 2005:

Figure 2: SCADA system

The security of a SCADA system is paramount. A network firewall blocks unauthorized access to the control network, and a NIPS is added as a second layer; if further segmentation is required, VLANs separate the HMI, PLC and corporate segments internally. The tools are the same ones used to protect a corporate network, but the priorities differ: ICS protocols such as Modbus/TCP and Siemens S7comm carry no authentication, so any host that can reach a PLC can send it commands, and the controllers themselves are rarely patched. A default-deny segmentation policy between the corporate network and the control network is therefore the primary control, with the firewall and NIPS logging every cross-zone connection attempt.
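The segmentation described above, as an added example that is not part of the original chapter: a small Python model of a default-deny, zone-based policy between the corporate network, a DMZ, the HMI segment and the PLC segment, run against a few constructed connection attempts. The zone CIDRs, the allowed flows, the host roles and the sample addresses are assumptions; the ports are the real ones (Modbus/TCP on 502, Siemens S7comm on 102). The real enforcement point is the firewall between the VLANs; the script shows what such a policy permits and, more importantly, what it drops.

```python
"""Added example (not from the original chapter): a zone-based, default-deny
segmentation policy for a SCADA network, evaluated against sample flows.
Zone CIDRs, host roles, the allowed flows and the sample addresses are
assumptions chosen for illustration; in production the same policy lives
on the firewall between the corporate VLAN and the control VLANs."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed network layout: corporate IT, a DMZ holding the historian and a
# jump host, the HMI/SCADA servers, and the PLC/field-device VLAN.
ZONES = {
    "corporate": ipaddress.ip_network("10.1.0.0/16"),
    "dmz":       ipaddress.ip_network("10.2.0.0/24"),
    "hmi":       ipaddress.ip_network("10.3.0.0/24"),
    "plc":       ipaddress.ip_network("10.4.0.0/24"),
}

# Well-known ports: Modbus/TCP 502, Siemens S7comm (ISO-TSAP) 102.
MODBUS, S7COMM, HTTPS, SSH = 502, 102, 443, 22

# Allowed connection initiations as (src zone, dst zone, dst port).
# Replies ride the established connection; anything not listed is dropped.
ALLOW = {
    ("hmi", "plc", MODBUS),        # HMI polls and writes to PLCs
    ("hmi", "plc", S7COMM),        # engineering traffic to Siemens PLCs
    ("hmi", "dmz", HTTPS),         # HMI pushes data to the historian
    ("corporate", "dmz", HTTPS),   # corporate reads historian dashboards
    ("corporate", "dmz", SSH),     # admins may reach the jump host only
    ("dmz", "hmi", SSH),           # jump host into the control network
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(addr: str) -> Optional[str]:
    """Map an address to its zone, or None if it belongs to no known zone."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def decide(flow: Flow) -> str:
    """Return 'allow' or 'drop' for a new connection attempt."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "drop"            # unknown address: default deny
    if src_zone == dst_zone:
        return "allow"           # intra-zone traffic is left to the VLAN
    return "allow" if (src_zone, dst_zone, flow.dport) in ALLOW else "drop"


# Constructed sample connection attempts (not real traffic).
SAMPLE_FLOWS = [
    Flow("10.3.0.10", "10.4.0.20", MODBUS),   # HMI -> PLC: allowed
    Flow("10.1.5.7",  "10.4.0.20", MODBUS),   # corporate laptop -> PLC: dropped
    Flow("10.1.5.7",  "10.4.0.20", S7COMM),   # corporate -> PLC programming port: dropped
    Flow("10.1.5.7",  "10.2.0.5",  HTTPS),    # corporate -> historian: allowed
    Flow("10.2.0.9",  "10.3.0.10", SSH),      # jump host -> HMI: allowed
    Flow("192.0.2.1", "10.4.0.20", MODBUS),   # outside every zone: dropped
]


def evaluate(flows=SAMPLE_FLOWS) -> Dict[Flow, str]:
    """Evaluate every flow against the policy and return the verdicts."""
    return {f: decide(f) for f in flows}


if __name__ == "__main__":
    for f, verdict in evaluate().items():
        src_zone = zone_of(f.src) or "unknown"
        print(f"{src_zone:9} {f.src:>12} -> {f.dst:<12} :{f.dport:<4} {verdict}")
```

The point to notice is the second and third flows: a corporate laptop cannot reach the PLC on either the Modbus or the S7comm port, however legitimate the user, because the only path into the control network is through the jump host. That is the property the firewall and VLAN design above is meant to enforce.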

 

 

Mobile devices – security implications of embedded systems

 

An embedded system is a computer with dedicated software built into a larger device to perform a specific function. Some are programmable and some are not. Embedded systems are commonly found in consumer, cooking, industrial, automotive, medical, communications, commercial, and military applications.

Examples:

Let's now look at each of these:

Figure 3: IoT devices

Exam tip:
Multifunctional devices can be attacked through their network interfaces.
 

 

 

Special-purpose devices

 

Special-purpose devices are more expensive, bespoke devices built for one purpose. For example, man-overboard devices detect someone falling into the water; here we look at a defibrillator.

Mobile medical devices include infusion pumps that meter the fluids given to patients in hospital (see the following picture). Ambulances carry life-support systems such as defibrillators, which are used to save a person's life immediately after a cardiac arrest. A defibrillator has an SoC installed: it runs the firmware that gives the user step-by-step instructions and analyzes the patient, and if it detects a pulse it will not deliver a charge:

Figure 4: Defibrillator

Some luxury vehicles have embedded systems that create a wireless hotspot so that passengers can connect to the internet while the car is moving. Others can park themselves. There have been many trials of self-driving cars recently; vendors such as Google are still perfecting their systems.

For many years people have flown model aircraft that also contain embedded systems, but in the past 2-3 years unmanned aerial vehicles (UAVs), commonly called drones, have been making the headlines. The military uses drones to carry out surveillance of areas where it is too dangerous to send manned aircraft. Some drones are as large as a small aircraft, and some are as small as a model aircraft but can carry a camera so that aerial photographs can be taken.

 

 

Secure application development and deployment concepts

 

Some of the concepts used while securing an application during the development and deployment phases are as follows:

 

 

Development life cycle models – waterfall vs agile

 

The Software Development Life Cycle (SDLC) is a structure followed by a development team within the software organization. It consists of a detailed plan describing how to develop, maintain, and replace specific software. There are two main models that are adopted. One is the traditional method, which is called waterfall, and the more dynamic method is called agile.

 

 

Waterfall

 

The waterfall model is the traditional method used in the SDLC as it has a linear and sequential pattern to it. The development of the software moves from the top to the bottom, with each phase needing to be completed before the next phase can begin:

Figure 5: Waterfall model

It starts with gathering requirements, moves into the design phase, and then into implementation. The testing phase is carried out before the software goes into production; any changes made during testing are rolled back before deployment. The maintenance phase covers patching and bug fixing.

 

 

Agile

 

The agile method anticipates change and breaks down each project into prioritized requirements, delivering each individually within an iterative cycle. Adaptability and customer satisfaction by rapid delivery are the key concepts of this model:

Figure 6: Agile model

 

 

Agile versus waterfall

 

Waterfall is a structured software development methodology, and can often be quite rigid, whereas the agile methodology is known for its flexibility. Waterfall must finish one process completely before it can begin another. Agile is dynamic and is geared for rapid deployment to ensure customer satisfaction.

Exam tip:Waterfall is an SDLC model that requires each step to be completed before starting the next step.

 

 

DevOps

 

DevOps is where IT operations and developers work together across the entire service life cycle, from design through rollout to production support. Operations staff apply the same practices developers use, such as version control and automated testing, to their systems work.

 

 

Secure DevOps

 

Secure DevOps is where the security team, IT operations, and developers work together on software development; the focus is on reducing the time it takes to get software into production, which is why an agile SDLC is adopted. The processes that help them are:

Example: Security automation could be set up to scan for vulnerabilities at 6 pm without any human intervention.

 

 

Secure coding techniques

 

Although most people who work in networking or security are not application developers, CompTIA has introduced secure coding into the syllabus. This section needs to be understood, so it is written in the simplest format we could think of:

Input validation checks that data has the expected type, length, range and format before it is used, and rejects anything else; on a web form the rejected fields are typically listed in red at the top of the page. Checking length and numeric range is what prevents buffer overflow and integer overflow, and checking format (or, better, passing the value to the database as a parameter rather than splicing it into the query) is what prevents SQL injection. The check must run on the server, since anything done in the browser can be bypassed.

Exam tip:System errors to the users should be generic, but the logging of errors for administrators should log the full details.

Exam tip:
Stored procedures and input validation can prevent an SQL injection attack.

Exam tip:Obfuscation makes code obscure so that if it is stolen, it is much harder to understand. It slows down reverse engineering but does not stop it, so it is not a substitute for keeping secrets such as keys out of the code.

 

 

Code quality and testing

 

When an application developer writes an application, it needs to go through thorough testing before it is put into production. We need to ensure that the code does not have flaws or bugs that could be exploited by threat actors:

String s = null;
String s1 = "a";
String s2 = s1 + s;    // no exception: concatenating null yields the string "anull"
int len = s.length();  // NullPointerException: s is dereferenced while it holds null

Exam tip:A null pointer exception is thrown when code dereferences a reference that holds null, that is, one that does not point to any object.

Example: Microsoft has a tool called Jetstress that simulates a storage load on an Exchange email server. The administrator defines the number of users, and when Jetstress runs it reports disk I/O and storage usage. The test results in a pass or fail.

 

 

Server-side versus client-side execution and validation

 

Website scripts run in one of two places: on the client, in the user's browser, or on the server.

Client-side validation is much quicker because nothing is sent to the server until the input looks right, but the attacker controls the browser: they can disable or modify the JavaScript, or skip the page entirely and send requests directly with a proxy or curl. Server-side validation takes longer, but it runs where the attacker cannot tamper with it, so it catches the input that has just bypassed the client-side checks. Server-side validation gives more control and is the one that actually provides security; client-side validation is a usability feature, not a security control.
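An added example (not code from the original chapter) that covers the secure coding points from the previous section and the server-side validation just described: server-side input validation against an allowlist, a deliberately injectable query beside its parameterized form, and error handling that gives the user a generic message while the log keeps the full detail. It uses Python's sqlite3 module; the users table, its rows, the request handler and the helper names are assumptions made up for this illustration.

```python
"""Added example (not from the original chapter): server-side input
validation, a SQL-injection-prone query beside its parameterized form, and
error handling that tells the user little and the log everything.
The users table, its rows and the helper names are assumptions made up
for this illustration."""
import logging
import re
import sqlite3

log = logging.getLogger("app")
logging.basicConfig(level=logging.ERROR)


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory database with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def empty_db() -> sqlite3.Connection:
    """A database with no users table, used to exercise the error path."""
    return sqlite3.connect(":memory:")


# Server-side validation: an allowlist of what a username may look like
# (3-32 characters, lowercase letter first, then letters, digits or '_').
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")


def validate_username(value: str) -> bool:
    """Accept only input that matches the allowlist pattern."""
    return USERNAME_RE.fullmatch(value) is not None


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Deliberately vulnerable: the input is spliced into the SQL text, so a
    quote in the input changes the structure of the statement."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterized query: the value travels separately from the SQL, so
    quotes in the input are just characters inside the value."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def handle_request(conn: sqlite3.Connection, username: str) -> dict:
    """What a request handler returns to the client. Validation runs here,
    on the server, because anything done in the browser can be bypassed."""
    if not validate_username(username):
        return {"status": 400, "body": "Invalid username"}
    try:
        rows = lookup_safe(conn, username)
        return {"status": 200,
                "body": [{"username": u, "role": r} for u, r in rows]}
    except sqlite3.Error as exc:
        # Full detail to the administrators' log, a generic message to the user.
        log.error("lookup failed for %r: %s", username, exc, exc_info=True)
        return {"status": 500, "body": "Internal error"}


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"   # classic injection string
    print("vulnerable:", lookup_vulnerable(db, payload))  # every row comes back
    print("safe:      ", lookup_safe(db, payload))        # no row matches
    print("handler:   ", handle_request(db, payload))     # rejected by validation
    print("handler:   ", handle_request(db, "alice"))
    print("handler:   ", handle_request(empty_db(), "alice"))  # generic 500
```

Run the block and compare the first two lines: the same payload returns both accounts from the concatenated query and nothing from the parameterized one. The handler never even reaches the database with that payload, because the allowlist rejects it first; validation and parameterization are independent layers, and the exam tip about stored procedures describes a third one that keeps the SQL text on the database server.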

 

 

Review questions

 

  1. What is the purpose of MDM?

  2. What is BYOD?

  3. What two policies need to be agreed upon before BYOD is implemented?

  4. How do BYOD and CYOD differ, and what are the benefits of CYOD to a company?

  5. Name three types of mobile device connection methods.

  6. What is used when we make a contactless payment using our debit card?

  7. Which service allows your mobile device to be notified when an email message arrives in your inbox?

  8. What two measures should I take to secure my mobile device?

  9. What will prevent my laptop from being stolen when I am in a meeting with my boss?

  10. What can I do to protect the data at rest on my mobile device?

  11. What can I implement if I want to keep my personal data and pictures separate from my corporate data on my smartphone?

  12. Once I have been authenticated by the VPN server, what method can be implemented to ensure that my mobile device is fully patched?

  13. What is rooting and which operating system does it affect?

  14. What is the purpose of jailbreaking and which operating system does it affect?

  15. If my smartphone is with T-Mobile, what can be done at the end of my 2-year contract so that I can use Verizon as my provider?

  16. What is the purpose of sideloading an application?

  17. What is the benefit of USB OTG?

  18. If I work in the R&D department, what are the two dangers when I take my cellphone to work?

  19. When I go on holiday with friends from school, how can people on my social media know where the photograph was taken?

  20. If I have been working in the sales department and have been using my cellphone to make work-related contactless payments, what does my company need to ensure happens during offboarding?

  21. What two methods can I use to set up a wireless connection with another mobile device without a WAP?

  22. What is the purpose of tethering?

  23. What is an embedded electronic system? Give two examples.

  24. What is the purpose of a SCADA system?

  25. What category of device are my smart TV and wearable technology?

  26. What is home automation?

  27. What is the purpose of an SoC?

  28. If a process is not carried out within a specified period of time, which causes the process to fail, what type of operating system am I using?

  29. What is the most likely way an attacker would gain control of an MFD?

  30. What is the purpose of the security team controlling the HVAC in a data center?

  31. Someone at work has suffered a cardiac arrest, and the first-aid delegate takes out a defibrillator that gives instructions on the steps to take. What has been built into the device to give these instructions?

  32. Give an example of embedded systems that can be used with vehicles.

  33. What is a UAV? Give two examples.

  34. What is the purpose of baselining?

  35. What type of system am I using if I totally destroy the system and create a new system when an update takes place?

  36. Which software development life cycle model is a traditional method that needs the previous stage to be complete before the next stage can start?

  37. Which software development life cycle model is fast and customer-focused?

  38. What is the purpose of security automation in secure DevOps?

  39. What is the benefit of using continuous integration in secure DevOps?

  40. What is the main problem with a race condition when using an application?

  41. What is the perfect way to set up error handling in an IT system?

  42. Explain input validation and name three types of attacks that this could prevent.

  43. How can I prevent an SQL injection attack other than with input validation?

  44. What is the purpose of code signing?

  45. What is the purpose of obfuscation?

  46. What is dead code and how should it be treated?

  47. If I am an Android developer, what can I obtain from the internet to help me make an application and get it to market quickly?

  48. Explain how pointer dereference works.

  49. What is a null pointer exception?

  50. What is the technique used by developers to ensure that the application written conforms to the original specifications given by the customer?

 

 

 

 

Answers and explanations

 

  1. MDM sets and enforces policies to protect the network from mobile devices.

  2. BYOD is where you bring your personally owned device to use in the workplace.

  3. The acceptable use policy and the onboarding/offboarding policies need to be agreed upon before you can implement BYOD.

  4. BYOD devices are personally owned, whereas CYOD devices are company-owned. CYOD allows the security administrators to remotely wipe a device if it is stolen and makes offboarding very easy, because the company owns the device, so data ownership is never an issue.

  5. Mobile devices can connect through cellular, wireless, and Bluetooth connections.

  6. Near field communication (NFC) is used to make a contactless payment; the device must be within about 4 cm of the reader.

  7. Push notification services notify your mobile device when an email message arrives in your inbox.

  8. Screen locks and strong passwords are needed to secure a mobile device.

  9. A cable lock will prevent my laptop from being stolen when I am in a meeting with my boss.

  10. Full device encryption protects the data at rest on my mobile device.

  11. Storage segmentation allows you to keep personal data separate from business data on a cellphone.

  12. Network access control (NAC) ensures that devices are fully patched before they enter the corporate network.

  13. Rooting is carried out on Android devices: custom firmware is installed that removes the restrictions the vendor puts on the device, which then allows you to run unauthorized software.

  14. Jailbreaking is the equivalent of rooting for Apple's iOS devices: it lifts the vendor's restrictions so you can install unauthorized software, while the Apple App Store remains accessible.

  15. Carrier unlocking will allow me to use my smartphone on another carrier's network.

  16. Sideloading allows you to install third-party, unauthorized software on your mobile device.

  17. USB On-The-Go (OTG) allows you to connect a USB device to your mobile device. Apple does not allow USB OTG.

  18. If I work in a sensitive area, my cellphone allows me to take pictures and post them on social media. I could also make a video or record confidential meetings.

  19. Most modern smartphones use GPS to geotag pictures with the location where they were taken.

  20. When offboarding people who use contactless payment on a smartphone, the company needs to ensure that the business credit card details have been removed from the wallet.

  21. Wi-Fi Direct and an ad hoc network allow a wireless connection directly with another mobile device, without a WAP.

  22. Tethering allows a laptop to use a cellphone's cellular connection to reach the internet.

  23. Embedded electronic systems have software embedded into the hardware; some use an SoC. Examples are microwave ovens, gaming consoles, security cameras, wearable technology, smart TVs, medical devices such as defibrillators, and self-driving cars.

  24. SCADA systems are industrial control systems used, for example, in the enrichment of uranium or the refining of oil and gas.

  25. Smart TVs and wearable technology are classified as IoT devices.

  26. Home automation is where you can control temperature, lighting, entertainment systems, alarm systems, and many appliances.

  27. An SoC (system on a chip) is a low-power integrated chip that combines all of the components of a computer or electronic system, such as the CPU, memory and I/O, on a single chip. An example would be the controller for a defibrillator. Think of it as a whole computer on one small chip.

  28. A real-time operating system (RTOS) processes data as it comes in without buffering delays. The process fails if it is not completed within a certain period of time.

  29. An attacker would most likely gain control of an MFD through its network interface.

  30. When a security team controls the HVAC in a data center, they can ensure that the temperature is regulated and the servers remain available. They also know which rooms are occupied based on the use of air-conditioning and electricity.

  31. An SoC gives the instructions on the steps to take when using a defibrillator; if it detects a pulse, it will not deliver a charge.

  32. Vehicles that are self-parking or self-driving are examples of embedded systems.

  33. Unmanned aerial vehicles are drones or small model aircraft that can be sent to areas where manned aircraft cannot go. They can be fitted with a camera to record events or take aerial photographs, for example to determine the spread of a forest fire.

  34. Baselining is the process of recording all the applications on a mobile device. You can run the baseline again later to find out which applications have been added since the last baseline.

  35. An immutable system is totally destroyed and rebuilt when an update is made. This is ideal for cloud or virtual environments.

  36. Waterfall is a traditional software development life cycle model that needs each stage to be completed before the next stage can proceed.

  37. Agile is a software development life cycle model that is fast and customer-focused.

  38. Security automation is where tasks such as vulnerability scanning are carried out by the computer on a schedule, not by the security administrator by hand.

  39. Continuous integration is where developers merge code into a central repository several times a day so that it can be built and validated automatically, and integration problems are found early.

  40. A race condition is when two threads of an application access the same data at the same time; the result depends on which thread gets there first, so the behaviour is unpredictable and can be manipulated by an attacker.

  41. The perfect way to set up error handling is for the user to get a generic message while the log files contain a full description of the error.

  42. Input validation checks that data is in the correct format before it is accepted into the system. SQL injection, buffer overflow, and integer overflow are prevented by using input validation.

  43. Other than input validation, a stored procedure (or a parameterized query) can prevent an SQL injection attack.

  44. Code signing confirms who published the code and that it has not been tampered with.

  45. Obfuscation is taking code and making it obscure so that if it is stolen it is very hard to understand.

  46. Dead code is never executed but could introduce errors into the program, so it should be removed.

  47. A third-party library gives a developer ready-made code from the internet to help build an application and get it to market quickly. There are many for Android and JavaScript.

  48. Dereferencing a pointer (or a reference) means following it to access the object it points to. If the pointer is null, there is no object to access and the dereference fails.

  49. A null pointer exception is a runtime exception thrown when the application dereferences a reference that holds null.

  50. Model verification is a process used by developers to ensure that the application conforms to the original specifications.