CompTIA CYSA+ CS0-002 – Hardware Assurance Best Practices

1. Supply Chain Assessment (OBJ 5.2)

Supply chain assessment. In this lesson we’re going to talk about supply chain assessment and why it’s so important. When you think about supply chain assessment and more largely supply chain management, you have to think about all the components that go into a particular product. So for example, when I buy something off the shelf and I get something like a router or a switch, there are hundreds of different pieces inside of that and each of those pieces could have been tampered with by somebody along the way. By conducting a supply chain assessment you’re going to be able to understand where those parts come from and can you trust that end product? Now I’m not saying you need to go down to the individual component here, but you do have to understand where do the devices that you’re putting into your network come from and can you trust them.

After all, we’re trying to conduct secure working in an unsecure environment and this involves mitigating the risks that are caused by the supply chain. Now, to create a trusted computing environment, an organization really has to ensure that the operation of every element which includes the hardware, the firmware, the drivers, the operating systems and the applications are all consistent and tamper resistant. If you can do that, you will have created a trusted computing environment. Now, in some organizations this is really, really important, in others it’s not nearly as important. And so this is going to be one of those things that the risk appetite of your organization is going to define how much time, effort and resources you put into this concept of supply chain assessment.

Now when you get a new vendor, you should conduct due diligence. Now, due diligence is a legal principle that says the subject has used best practice or reasonable care when setting up, configuring and maintaining a system. When you’re trying to hire a vendor you need to ensure that they have done due diligence on their supply chain and you need to do your due diligence on them. This includes things like ensuring that their cybersecurity program is properly resourced. You also want to make sure that they have security assurance and risk management processes and programs in place. And by doing this, this will help make sure that they have a valid organization and a way of doing due diligence within themselves. Another thing you want to look at is the product support lifecycle.

If you’re going to buy a product you need to make sure that they’re going to be able to support it for the long term. For example, if you buy Microsoft Windows, you know that they’re going to give you patches and updates and supports for a certain amount of time. That’s known as an end of life date. That’s part of the product support lifecycle. If I buy a product from some brand new company, do I know they’re going to be around in five years when I have a problem and need them to solve it. This is all things you have to consider as part of your due diligence. Another thing you’ll want to consider is, do they have the proper security controls in place for confidential data? If you’re giving them access to your data because they’re doing something like software as a service, you want to make sure they have the proper security controls in place to ensure your data remains confidential.

Another thing you have to think about is, when things go wrong, will they be there to help you if you have to conduct an instant response or do forensic investigations, will that company be able to support you and provide you assistance? And finally, we want to think about the general and historical company information. When you look at a company, do they have strong enough financials that they’re going to be in business next year to support your needs, or are they going to be a fly by night organization that’s out of business in the next six to twelve months? These are all things you want to consider as you’re doing your due diligence. Now, your due diligence should apply not only to your suppliers, but also to your contractors. If I’m going to hire people to work on my team as contractors, I need to do due diligence on them and make sure I can trust them.

Now, another area that we have to start talking about is this concept of the hardware itself I mentioned earlier. You have to think about where does this hardware come from? And based on your organization, you’re going to either have more or less of a risk appetite for hardware. Now, one of the organizations that has a very low tolerance or low risk appetite for hardware is the Department of Defense. And so they created something known as the Trusted Foundry. Now, the Trusted Foundry is a microprocessor manufacturing utility that’s part of a validated supply chain, one where the hardware and software does not deviate from its documented function. And again, this was created and operated by the Department of Defense, which is the US. Military.

Because if they’re going to put a microprocessor to run a jet or a bomb or something like that, they want to make sure it does exactly what it’s supposed to do each and every time. And that’s what the Trusted Foundry program is all about. For the exam, you really just need to understand that Trusted Foundry is a way to ensure that microprocessors in the supply chain are secure, and it’s run by the Department of Defense. Now, another thing we want to talk about is hardware source authenticity. This is the process of ensuring the hardware is procured tamper free from trustworthy suppliers. Now, the idea here is we have to know where our stuff comes from. Now, if you need a new router, do you buy it directly from Cisco, from one of their authorized resellers, or do you go on ebay and buy a second hand one.

Well, depending on which way you do, that thing is going to be more or less trustworthy. There is a much greater risk of inadvertently obtaining counterfeited or compromised devices when you purchase from secondhand or aftermarket sources. So whenever possible, go straight to the source. When I look at these routers and switches, just by looking at them, I can’t tell if they’ve been modified on the inside. This is something that can be done inside of those machines. And there’s been cases where there has been malware embedded into the firmware of these devices or extra chips being put inside these devices, and then they’re sold at a cheap price online. And that way you install this and now they have access to your entire network. So you have to be careful with this stuff. And that is why supply chain assessments are so critical to the security of your network.

2. Root of Trust (OBJ 2.3)

Root of trust. In this lesson we’re going to talk about the concept of a hardware root of trust or rot. Now this is a cryptographic module embedded within a computer system that can endorse trusted execution and attest to boot settings and metrics. Now this may sound like a complicated concept, but you use a root of trust all the time. If you think about your TPM module inside your BIOS, that is a root of trust. Essentially a root of trust is used to scan the boot metrics of the system and the operating system files and it verifies their signatures. And then we can use that root of trust to sign a digital report, to send that over to the processor and say I trust these things. Essentially it’s a digital certificate, but it’s embedded inside your processor or inside your firmware.

Now, as I mentioned earlier, the most common root of trust is a trusted Platform module or TPM. This is a specification for hardware based storage of digital certificates, keys, hash passwords and other user and platform identification information. Now, as you look inside of a TPM, there are lots of different functions inside of it. First it’s going to provide you with secured input and output. Then we have this cryptographic processor that provides us with a true random number generator. It has an RSA key generator, it has a Shaw One hash generator and encryption decryption signature engines. In addition to that, we also have persistent memory. And inside of that we have an endorsement key, which is a digital key and a storage root key or an SRK. And then we have versatile memory.

This includes things like platform configuration registers or PCRs, attestation identity keys or AIK’s and storage keys. Now, do you have to memorize all of these different things on this chart for TPM for the exam? Well, not really. Instead, you really need to remember that TPM, the trusted platform module, is this part of your system that allows you to have the ability to ensure that when you’re booting up it is done securely. And we could take those reports and digitally sign them using the TPM. TPM is also used with fold disk encryption. So if you’re using something like Bit locker in Windows, it uses TPM and that key inside of TPM to make sure that data is secure. Now, when you’re dealing with TPM, your TPM can be managed inside of Windows using TPM MSC, which is a console.

Or you could do it through a group policy. Either these are ways you can configure TPM. Now, for the exam you don’t need to go in depth of how to configure these things in the real world. You may be asked to work on this and if so, you could look up the documentation@microsoft.com. Now, the other thing we need to talk about here is a hardware security module. This is an appliance for generating and storing cryptographic keys that is less susceptible to tampering and insider threats than using storage based solutions. So typically, when we do encryption, we do that using some sort of a long key, right? And so I might type in a long password, and that becomes my key. Well, the problem with that is it’s a lot easier to crack those things, because that key could be compromised by an insider or by somebody telling somebody else it or typing it in or something of that nature.

Now, there are lots of different ways to create an HSM. They come in lots of different form factors. For example, here on the screen, you could see Ncipher, and there’s three different models. We have one that’s an internal card that could be put in. There’s one that is a rack method system, and then there’s one that’s more of an Internet of Things type of solution. The real advantage of these types of systems is that they are automated. And that means the keys cannot be compromised by human involvement. So we’re removing the person from the equation and ensuring the systems are secure.

Now, another thing we need to think about is how do we make sure people can’t tamper with our different devices? Well, that’s where the concept of anti tamper comes into play. These are methods that make it difficult for an attacker to alter the authorized execution of software. Now, if you think about anti tampering, you think about it in the physical world. You buy a thing of aspirin and you open up the bottle. What do you see on top that sealed layer that says, this has been protected? This is a sealed for your protection. This is an antitamper device because if you pull that seal off, you can’t put it back on. And so this shows you that somebody has either been in the bottle or not been in the bottle.

But we want to do the same thing within our electronics. And there are two main ways of doing that. We have antitamper mechanisms that include things like an FPGA, which is a field programmable gate array, or a physically unclownable function or PU. Both of these are antitamper mechanisms that could be used and designed inside your systems. This means that if somebody tries to tamper with the system, what these things will do is actually zero out your cryptographic key, which then can automatically wipe out the information on that system, making sure you know it’s been tampered with, and therefore, nobody can get the information. That’s the idea when you start using things like antitamper.

3. Trusted Firmware (OBJ 2.3)

Trusted Firmware. In this lesson, we’re going to talk about a handful of different types of things that we use within Trusted Firmware. This is going to include seven different items. Now, as I talk about Trusted Firmware, we have to think about the idea of a firmware exploit because we’re trying to prevent firmware exploits by using Trusted Firmware. Now, a firmware exploit is going to give an attacker an opportunity to run any code at the highest level of CPU privilege. Because if you’re at the firmware, for instance, in the BIOS or the UFI, you can actually have essentially a rootkit that runs over the entire system and that’s loaded even before Windows is. So your antimalware is not going to find it.

Now, when we talk about these different Trusted Firmwares, there’s lots of different terms we have to cover. This includes things like UEFI, the Unified Extensible Firmware Interface Secure Boot, measured boot attestation EFUs Trusted Firmware updates and self encrypting drives. As we go through this lesson, we’re going to talk about each of these seven. The first one is the Unified Extensible Firmware Interface, or UEFI. This is the type of system firmware providing support for 64 bit CPU operations at boot. It also gives you a full GUI and mouse operations at boot and better boot security. To be able to run a lot of the other things we’re going to talk about in this lesson, you have to have UFI and not BIOS for your system.

The good news is most systems nowadays, in fact I think almost all of them, will use UFI and not BIOS. If you’re using Biosignite system, it’s most likely a legacy device that is several years old. Now, the first thing we want to talk about inside of UFI is this idea of a secure boot. This is a feature of UFI that prevents unwanted processes from executing during the boot operation. Essentially, as the computer is booting up, it’s going to check things and make sure that there’s digital signatures installed from those operating system vendors. If Microsoft Windows isn’t signed by Microsoft, we’re not going to boot it. That’s the idea of secure boot. We want to make sure that the boot loader is only loading things that are valid and not loading malware.

The next thing we have is what’s known as a measured boot. Now, a measured boot is a Uefy feature that gathers secure metrics to validate the boot process in an Attestation report. So as you’re booting up, it’s going to be taking different measurements. How much time does it take for you to do this, how much process does it take to do that? And based on that, it’s going to collect that data, it’s going to create a report, and then it’s going to attest to it. Which brings us to the idea of Attestation. Now, Attestation is a claim that the data presented in a report is valid, and it does this by digitally signing it. Using the TPM’s private key. So the UF is going to take that report, it’s going to sign it with that digital key and then send it on to the operating system and to the processor.

This way we know we can trust it. Now, the next thing we need to talk about as far as trusted firmware goes is the concept of Efuse. Now, EFUs is a means for software or firmware to permanently alter the state of a transistor on a computer chip. Now, this comes from the idea of a fuse. If you’ve ever worked with electricity before and you’ve worked in a breaker panel, you may have seen things like these. These are fuses. Notice on the left we have four fuses that are good. They have a straight line going through them. But the fifth one is actually a blown fuse. This means there is too much power that went through and that wire actually got broken. You can see it physically there that the wire is broken and there’s kind of that burntness to it.

You can’t go back and replace this fuse back to looking like the ones on the left. It’s going to be permanently and altered forever. That’s the same idea here with an Efuse. An Efuse is an electronic fuse. It essentially uses one time programming that’s used to seal these cryptographic keys and other security information during the firmware development process. If somebody tries to mess with that, it will actually blow that fuse making that product, that firmware no longer valid or trusted. The next thing we want to talk about is Trusted firmware updates because we have to update our firmware over time. So when we have a trusted firmware update, this is a firmware update that is digitally signed by the vendor and trusted by the system before it’s installed.

Anytime you’re going to go and do a firmware update you need to make sure that it is trusted. Because if it’s trying to do something that’s not trusted, you have the potential to blow one of these E fuses that we just talked about. And the final concept with Trusted firmware is a self encrypting drive. Now, we’ve talked about self encrypting drives before. These are disk drives where the controller can automatically encrypt the data that is written to it. Now, why are we talking about self encrypting drives when we’re talking about trusted firmware? Well, because these drives have firmware to run that encryption process that is software on a chip and that is what firmware is.

And so we need to make sure that the firmware on these self encrypting drives is trusted. And it follows a lot of the same basic principles that we’ve talked about through this lesson. The idea with these self encrypted drives is that they have firmware on them that is used to do the encryption when data is being written to the drive. It also decrypts that information when data is being read from the drive. All of this is done at the hardware level. So it takes the processing load off of your own computer and off of your operating system because it’s all done here in the firmware.

4. Security Processing (OBJ 2.3)

Secure processing. In this lesson, we’re going to talk about secure processing and a couple of key concepts associated with it. Now, when we talk about secure processing, this is a mechanism for ensuring the confidentiality, integrity and availability of software, code and data as is executed in volatile memory. Because after all, we’re going to take data off of our hard drive or off of our network, and we’re going to put it into Ram and then from Ram into our process processor. And all of that time going from Ram to the processor or while it’s stored in Ram has the potential for it to be modified, or for it to be stolen, or for it to be not available. And so by doing secure processing, we want to harden that area of this process.

Now, there are lots of ways to do secure processing, but we’re going to focus on five of them. In this lesson, we’re going to talk about processor security extensions, trusted execution, secure enclaves, atomic execution, and Bus encryption. The first one is processor security extensions. Now, these are low level CPU changes and instructions that enable secure processing. And these are built into your microprocessor. Now, they’re called different things depending on if you’re using an AMD or an intel processor. If you’re using an AMD processor. This is known as Secure Memory Encryption SME or Secure Encrypted Virtualization Sev. On the other hand, if you’re using intel processors, you’re going to be using trusted execution technology or TXT, or software guard extensions, SGX.

All four of these things are a form of processor security extensions. And for the exam, that’s pretty much as deep as you need to go. The next thing we want to talk about is trusted execution, the CPU security extensions invoke TPM, and a secure boot attestation to ensure a trusted operating system is running. So anytime we want to boot up the system, we want to make sure that we are using that trusted firmware, using UFI and using TPM and secure boot to tell us that this operating system that’s being booted is something we trust. This is very common inside the world of using Microsoft’s on an intel or AMD processor set. Next, we have a secure enclave. Now, a secure enclave is an extension that allows a trusted process to create an encrypted container for sensitive data.

This will help us prevent things like buffer overflow attacks and typical application usage here would be able to store encryption keys and other sensitive data inside of the secure enclave. Once we have that trusted operating system, we can then create the secure enclave for us to be able to store that data within. The next one we want to talk about is atomic execution. Now, there are certain operations that should only be performed once or not at all. For example, initializing a memory location. This should only happen one time, right? And so once you’ve initialized it, that should be it. Well, the idea of atomic execution is there are these extensions in place to make sure somebody can’t reuse or hijack an atomic execution operation, like doing a memory initialization.

This can help you prevent buffer overflows and race conditions by being able to control these processes. And again, this is something that’s built into most processors these days. And finally, we have bus encryption. Now, bus encryption is data that is encrypted by an application prior to being placed on the data bus. This will ensure that the data being sent over the network or over a bus is going to be protected because it’s going to have end to end encryption. Now, for this to work, we have to ensure the device at the other end of the bus is trusted to decrypt that data. Now, what does this look like in the real world? Well, I’ve had this happen to me myself as I’ve plugged in something like my Roku device to my my TV.

If I have my Roku device and I have a cheap HDMI cable connecting it to my TV, sometimes they can’t do the three way handshake that’s required for HDCP. Now, HDCP was a copyright protection thing, so it encrypts the data going from your device to your TV. And so when that handshake happens, if it doesn’t happen properly, you’ll get something that looks like this HDCP unauthorized. And this is because the bus encryption failed. The TV or the Roku didn’t trust each other. And so you have to unplug the cable, plug it back in, and try again. And then eventually, they’ll make the three way handshake, and now you can watch your TV. That’s the idea here. This is a form of bus encryption that most of us use and we may not even realize we’re using on a daily basis.

• Category: Uncategorized