WEBVTT

1
00:00:00.090 --> 00:00:01.380
In this lesson,

2
00:00:01.380 --> 00:00:04.500
we will learn about attack surface management.

3
00:00:04.500 --> 00:00:08.880
Attack surface management involves identifying, reducing,

4
00:00:08.880 --> 00:00:12.420
and continuously monitoring all potential paths

5
00:00:12.420 --> 00:00:15.480
of attack into a systems architecture.

6
00:00:15.480 --> 00:00:19.410
This minimizes the exposure to security threats.

7
00:00:19.410 --> 00:00:22.050
Let's quickly discuss a few concepts

8
00:00:22.050 --> 00:00:25.470
that relate directly to attack surface management.

9
00:00:25.470 --> 00:00:27.330
First, we have hardening.

10
00:00:27.330 --> 00:00:30.600
Hardening is the process of securing systems

11
00:00:30.600 --> 00:00:33.180
by reducing their attack surface,

12
00:00:33.180 --> 00:00:37.170
in part, by disabling unnecessary services

13
00:00:37.170 --> 00:00:40.710
and applying up-to-date security patches.

14
00:00:40.710 --> 00:00:45.660
Next, defense-in-depth implements multiple security controls

15
00:00:45.660 --> 00:00:49.230
such as firewalls, intrusion detection systems,

16
00:00:49.230 --> 00:00:51.150
and access controls

17
00:00:51.150 --> 00:00:54.990
to provide redundant protections against attacks.

18
00:00:54.990 --> 00:00:59.850
Then vulnerability management can be used to regularly scan

19
00:00:59.850 --> 00:01:03.450
and address network and asset security weaknesses,

20
00:01:03.450 --> 00:01:06.570
including those in legacy components

21
00:01:06.570 --> 00:01:09.120
that may no longer receive updates,

22
00:01:09.120 --> 00:01:11.160
but are still a critical part

23
00:01:11.160 --> 00:01:13.350
of the enterprise architecture.

24
00:01:13.350 --> 00:01:16.980
Let's learn more about hardening, defense-in-depth,

25
00:01:16.980 --> 00:01:20.670
vulnerability management, and legacy components.

26
00:01:20.670 --> 00:01:24.330
Then we will conduct a device hardening demonstration.

27
00:01:24.330 --> 00:01:26.460
First, we have device hardening.

28
00:01:26.460 --> 00:01:30.150
Device hardening is the process of securing a system

29
00:01:30.150 --> 00:01:32.520
by reducing its attack surface.

30
00:01:32.520 --> 00:01:36.030
Hardening involves running only essential services,

31
00:01:36.030 --> 00:01:37.950
applying regular patches

32
00:01:37.950 --> 00:01:40.650
and tightening system configurations.

33
00:01:40.650 --> 00:01:44.940
This applies not only to servers, but also to endpoints,

34
00:01:44.940 --> 00:01:48.300
mobile devices and network infrastructure.

35
00:01:48.300 --> 00:01:50.130
Hardening involves actions

36
00:01:50.130 --> 00:01:53.910
such as disabling unused services and ports,

37
00:01:53.910 --> 00:01:56.520
ensuring that critical security software

38
00:01:56.520 --> 00:01:59.670
like antivirus, host-based firewalls

39
00:01:59.670 --> 00:02:02.700
and log collection agents are installed

40
00:02:02.700 --> 00:02:06.030
and using encryption for data protection.

41
00:02:06.030 --> 00:02:09.330
For example, if you are managing a Linux server

42
00:02:09.330 --> 00:02:11.790
that isn't using printing services,

43
00:02:11.790 --> 00:02:15.240
you should disable the Common UNIX Printing System

44
00:02:15.240 --> 00:02:19.080
or CUPS Daemon to minimize the attack surface.

45
00:02:19.080 --> 00:02:20.970
Other hardening steps include:

46
00:02:20.970 --> 00:02:23.940
removing unnecessary applications,

47
00:02:23.940 --> 00:02:26.010
renaming default accounts,

48
00:02:26.010 --> 00:02:27.780
and applying group policies

49
00:02:27.780 --> 00:02:30.420
to enforce strict security settings.

50
00:02:30.420 --> 00:02:33.390
Additionally, modern hardware features

51
00:02:33.390 --> 00:02:38.390
such as the Unified Extensible Firmware Interface or UEFI,

52
00:02:38.400 --> 00:02:41.250
Trusted Platform Module or TPM,

53
00:02:41.250 --> 00:02:44.790
and Hardware Security Module or HSM

54
00:02:44.790 --> 00:02:47.730
contribute to stronger device security

55
00:02:47.730 --> 00:02:50.400
by offering secure boot processes

56
00:02:50.400 --> 00:02:52.620
and cryptographic functions.

57
00:02:52.620 --> 00:02:56.460
The goal is to balance usability with security

58
00:02:56.460 --> 00:02:59.250
by only enabling the minimum number of

59
00:02:59.250 --> 00:03:02.610
and features required for operation.

60
00:03:02.610 --> 00:03:05.580
Second, we have defense-in-depth.

61
00:03:05.580 --> 00:03:09.720
defense-in-depth refers to a layered approach to security

62
00:03:09.720 --> 00:03:13.140
where multiple security measures work together

63
00:03:13.140 --> 00:03:14.880
to protect a system.

64
00:03:14.880 --> 00:03:16.590
This strategy ensures

65
00:03:16.590 --> 00:03:19.560
that if one defense mechanism is compromised,

66
00:03:19.560 --> 00:03:22.800
others remain in place to protect the system.

67
00:03:22.800 --> 00:03:27.330
For example, an organization may use a combination

68
00:03:27.330 --> 00:03:31.860
of firewalls, intrusion detection systems or IDSs,

69
00:03:31.860 --> 00:03:33.870
endpoint protection software

70
00:03:33.870 --> 00:03:37.560
and data encryption to safeguard its network.

71
00:03:37.560 --> 00:03:42.030
In this example, multiple layers of security can be applied

72
00:03:42.030 --> 00:03:44.520
to protect an organization's systems,

73
00:03:44.520 --> 00:03:47.970
each focusing on a specific type of threat.

74
00:03:47.970 --> 00:03:50.490
The first layer is a firewall.

75
00:03:50.490 --> 00:03:54.660
Firewalls prevent unauthorized external access

76
00:03:54.660 --> 00:03:56.310
by filtering incoming

77
00:03:56.310 --> 00:03:58.530
or outgoing network traffic

78
00:03:58.530 --> 00:04:01.470
based on established security rules.

79
00:04:01.470 --> 00:04:04.140
Firewalls can block malicious traffic

80
00:04:04.140 --> 00:04:07.230
while allowing legitimate communications.

81
00:04:07.230 --> 00:04:11.850
The second layer is an intrusion detection system, or IDS.

82
00:04:11.850 --> 00:04:16.650
An IDS monitors network activity for unusual behavior,

83
00:04:16.650 --> 00:04:19.590
alerting administrators to potential threats

84
00:04:19.590 --> 00:04:21.895
that may bypass the firewall.

85
00:04:21.895 --> 00:04:26.370
Next, encryption of data in transit adds protection

86
00:04:26.370 --> 00:04:30.030
by securing data as it moves across the network,

87
00:04:30.030 --> 00:04:33.000
ensuring that even if intercepted,

88
00:04:33.000 --> 00:04:37.200
it cannot be read without the proper decryption keys.

89
00:04:37.200 --> 00:04:40.770
The fourth layer is endpoint detection software,

90
00:04:40.770 --> 00:04:44.280
such as antivirus and anti-malware tools,

91
00:04:44.280 --> 00:04:48.660
which protect individual devices from threats like malware

92
00:04:48.660 --> 00:04:52.170
that could enter the network through other means.

93
00:04:52.170 --> 00:04:55.260
Finally, encryption of data at rest

94
00:04:55.260 --> 00:04:59.280
secures sensitive information stored within systems,

95
00:04:59.280 --> 00:05:03.510
making it inaccessible to unauthorized users even

96
00:05:03.510 --> 00:05:05.700
if the data is compromised.

97
00:05:05.700 --> 00:05:08.760
Additionally, a good defense-in-depth approach

98
00:05:08.760 --> 00:05:11.310
also includes physical security,

99
00:05:11.310 --> 00:05:14.070
such as securing server rooms.

100
00:05:14.070 --> 00:05:17.250
Each layer of security compliments the others,

101
00:05:17.250 --> 00:05:21.390
together creating a more resilient security posture.

102
00:05:21.390 --> 00:05:24.300
Third, we have a vulnerability management.

103
00:05:24.300 --> 00:05:28.230
Vulnerability management is the process of identifying,

104
00:05:28.230 --> 00:05:32.400
prioritizing, and addressing security vulnerabilities

105
00:05:32.400 --> 00:05:34.140
within a system.

106
00:05:34.140 --> 00:05:37.170
This involves regularly scanning systems

107
00:05:37.170 --> 00:05:39.900
with tools like Nessus or the Center

108
00:05:39.900 --> 00:05:43.950
for Internet Securities Configuration Assessment Tool

109
00:05:43.950 --> 00:05:46.290
to detach potential weaknesses

110
00:05:46.290 --> 00:05:49.620
and ensure compliance with security benchmarks

111
00:05:49.620 --> 00:05:52.710
such as the Center for Internet Security

112
00:05:52.710 --> 00:05:56.520
or DOD Security Technical Implementation Guides.

113
00:05:56.520 --> 00:06:00.240
Effective management also requires

114
00:06:00.240 --> 00:06:02.970
keeping all software up-to-date

115
00:06:02.970 --> 00:06:06.930
with the latest patches to mitigate known threats.

116
00:06:06.930 --> 00:06:08.310
For example,

117
00:06:08.310 --> 00:06:10.800
if a vulnerability is discovered

118
00:06:10.800 --> 00:06:15.630
in a widely used service like in Apache HTTP server,

119
00:06:15.630 --> 00:06:20.220
a patch should be applied promptly to prevent exploitation.

120
00:06:20.220 --> 00:06:21.600
Beyond patching,

121
00:06:21.600 --> 00:06:24.990
Vulnerability management also includes actions

122
00:06:24.990 --> 00:06:28.170
such as removing unnecessary services,

123
00:06:28.170 --> 00:06:30.060
closing unused ports,

124
00:06:30.060 --> 00:06:34.151
and disabling default accounts to reduce risk further.

125
00:06:34.151 --> 00:06:37.740
Automated tools like SCAP compliance checkers

126
00:06:37.740 --> 00:06:39.450
help system administrators

127
00:06:39.450 --> 00:06:42.240
continuously monitor configurations

128
00:06:42.240 --> 00:06:45.300
to ensure compliance with industry standards.

129
00:06:45.300 --> 00:06:48.720
Regular assessments of vulnerabilities are essential

130
00:06:48.720 --> 00:06:51.750
for maintaining a strong security posture

131
00:06:51.750 --> 00:06:54.330
and mitigating the risk of attack.

132
00:06:54.330 --> 00:06:57.420
Fourth, we have legacy components.

133
00:06:57.420 --> 00:07:00.060
Legacy systems are those approaching

134
00:07:00.060 --> 00:07:03.510
or exceeding their End of Life or EOL

135
00:07:03.510 --> 00:07:06.780
or End of Support, or EOS dates.

136
00:07:06.780 --> 00:07:10.920
Legacy systems pose significant security risks.

137
00:07:10.920 --> 00:07:13.080
This security risk exists

138
00:07:13.080 --> 00:07:16.080
because after a system reaches End of Life,

139
00:07:16.080 --> 00:07:20.250
the manufacturer no longer sells or updates the product,

140
00:07:20.250 --> 00:07:22.500
and when it hits End of Support,

141
00:07:22.500 --> 00:07:26.460
no further patches or security updates are provided.

142
00:07:26.460 --> 00:07:30.330
This makes legacy systems vulnerable to new attacks

143
00:07:30.330 --> 00:07:34.680
since any discovered vulnerabilities will go unpatched.

144
00:07:34.680 --> 00:07:37.440
For instance, Microsoft will cease

145
00:07:37.440 --> 00:07:42.440
selling Windows Server 2019 licenses in 2024,

146
00:07:42.660 --> 00:07:46.890
and support for the system will end in 2029.

147
00:07:46.890 --> 00:07:48.810
Organizations that continue

148
00:07:48.810 --> 00:07:52.890
using the unsupported Windows server 2019

149
00:07:52.890 --> 00:07:55.470
after these dates will face the risk

150
00:07:55.470 --> 00:07:59.850
of known vulnerabilities being exploited indefinitely.

151
00:07:59.850 --> 00:08:03.600
To address this, organizations must plan upgrades

152
00:08:03.600 --> 00:08:06.090
or replacements ahead of time,

153
00:08:06.090 --> 00:08:09.960
ensuring they remain within supported lifecycles.

154
00:08:09.960 --> 00:08:13.143
Legacy systems left in place without support

155
00:08:13.143 --> 00:08:17.760
can create weak points in an otherwise secure environment,

156
00:08:17.760 --> 00:08:22.650
so managing the lifecycle of every component is essential

157
00:08:22.650 --> 00:08:25.350
for maintaining overall security.

158
00:08:25.350 --> 00:08:27.810
Finally, let's conduct a demonstration

159
00:08:27.810 --> 00:08:30.240
of hardening a Linux machine.

160
00:08:30.240 --> 00:08:31.800
In this example,

161
00:08:31.800 --> 00:08:36.800
our Kali Linux machine does not require printing services,

162
00:08:37.290 --> 00:08:41.490
so let's disable the common Unix printing system

163
00:08:41.490 --> 00:08:45.960
or CUPS Daemon to minimize the attack surface.

164
00:08:45.960 --> 00:08:48.990
First, I'm going to bring up a command line

165
00:08:48.990 --> 00:08:52.590
and we'll check the status of the CUPS service.

166
00:08:52.590 --> 00:08:55.530
This is done by entering the following command

167
00:08:55.530 --> 00:09:00.530
into the terminal: sudo systemctl status cups.

168
00:09:02.430 --> 00:09:06.720
You can see here that the service is active and running

169
00:09:06.720 --> 00:09:09.552
and that it is enabled.

170
00:09:09.552 --> 00:09:11.790
Active running means

171
00:09:11.790 --> 00:09:14.670
that the service is currently operational

172
00:09:14.670 --> 00:09:18.000
and performing its functions on the system.

173
00:09:18.000 --> 00:09:20.850
Enabled means that the service is configured

174
00:09:20.850 --> 00:09:23.790
to start automatically at boot time,

175
00:09:23.790 --> 00:09:27.960
ensuring it runs whenever the system is powered on.

176
00:09:27.960 --> 00:09:31.410
Since CUPS on this machine is not needed,

177
00:09:31.410 --> 00:09:33.780
we are going to disable it.

178
00:09:33.780 --> 00:09:36.930
First, let's stop the CUPS Daemon.

179
00:09:36.930 --> 00:09:40.770
This is done by entering the following into the terminal:

180
00:09:40.770 --> 00:09:44.277
sudo systemctl stop cups.

181
00:09:51.090 --> 00:09:54.300
Now let's check on the status.

182
00:09:54.300 --> 00:09:57.630
As you can see here, the service has stopped

183
00:09:57.630 --> 00:10:00.630
and is now marked inactive or dead.

184
00:10:00.630 --> 00:10:04.290
However, because the service is still enabled,

185
00:10:04.290 --> 00:10:07.140
it will restart when the machine starts,

186
00:10:07.140 --> 00:10:10.290
so we need to disable the service too.

187
00:10:10.290 --> 00:10:13.590
To disable the CUPS service, we'll enter the following

188
00:10:13.590 --> 00:10:18.590
into the terminal: sudo systemctl disable cups.

189
00:10:24.570 --> 00:10:25.860
There we go.

190
00:10:25.860 --> 00:10:28.023
Now let's check that status again.

191
00:10:30.057 --> 00:10:34.350
Here we can see that the service is both inactive and dead

192
00:10:34.350 --> 00:10:36.870
and disabled.

193
00:10:36.870 --> 00:10:40.320
Aside from removing the CUPS package altogether,

194
00:10:40.320 --> 00:10:44.100
there is one additional hardening step we can take.

195
00:10:44.100 --> 00:10:47.310
This is masking the CUPS Daemon.

196
00:10:47.310 --> 00:10:50.490
Masking a service prevents it from being started

197
00:10:50.490 --> 00:10:53.190
either manually or automatically

198
00:10:53.190 --> 00:10:58.190
by linking the service to /dev/null.

199
00:10:58.380 --> 00:11:02.340
When the service is masked, it is entirely disabled

200
00:11:02.340 --> 00:11:06.750
and cannot be accidentally or intentionally started.

201
00:11:06.750 --> 00:11:08.820
This is a more restrictive action

202
00:11:08.820 --> 00:11:11.190
than simply disabling a service

203
00:11:11.190 --> 00:11:13.710
which prevents it from starting automatically,

204
00:11:13.710 --> 00:11:16.650
but would still allow it to be started manually.

205
00:11:16.650 --> 00:11:19.650
Masking add an extra layer of security

206
00:11:19.650 --> 00:11:22.110
by fully blocking the service.

207
00:11:22.110 --> 00:11:26.171
So let's mask the CUPS service by entering:

208
00:11:26.171 --> 00:11:31.171
sudo systemctl mask cups.

209
00:11:35.757 --> 00:11:40.757
As you can see, the cup service is now linked to /dev/null.

210
00:11:43.080 --> 00:11:47.820
Let's just take one last look at that status of CUPS.

211
00:11:47.820 --> 00:11:51.900
As you can see here, the service is inactive and dead,

212
00:11:51.900 --> 00:11:53.880
and also masked.

213
00:11:53.880 --> 00:11:57.330
This is the end of our demonstration.

214
00:11:57.330 --> 00:11:59.490
So remember,

215
00:11:59.490 --> 00:12:04.110
attack surface management involves identifying, reducing,

216
00:12:04.110 --> 00:12:08.460
and continuously monitoring all potential entry points

217
00:12:08.460 --> 00:12:10.530
that attackers might exploit

218
00:12:10.530 --> 00:12:13.500
within an organization's infrastructure.

219
00:12:13.500 --> 00:12:16.080
Hardening is one key strategy,

220
00:12:16.080 --> 00:12:18.090
which involves securing systems

221
00:12:18.090 --> 00:12:20.788
by disabling unnecessary services

222
00:12:20.788 --> 00:12:23.490
and applying security patches.

223
00:12:23.490 --> 00:12:26.250
Another concept is defense-in-depth,

224
00:12:26.250 --> 00:12:29.850
which layers multiple security measures like firewalls,

225
00:12:29.850 --> 00:12:31.290
intrusion detection,

226
00:12:31.290 --> 00:12:36.290
and encryption to protect systems even if one defense fails.

227
00:12:36.330 --> 00:12:40.440
Next, vulnerability management plays a significant role

228
00:12:40.440 --> 00:12:43.140
by scanning systems regularly to find

229
00:12:43.140 --> 00:12:47.280
and address security weaknesses, ensuring all components,

230
00:12:47.280 --> 00:12:50.970
including those that are outdated, remain protected.

231
00:12:50.970 --> 00:12:55.710
Finally, legacy systems which no longer receive updates,

232
00:12:55.710 --> 00:12:58.350
pose a higher security risk,

233
00:12:58.350 --> 00:13:01.560
so it's vital to manage their lifecycle

234
00:13:01.560 --> 00:13:03.720
and replace or upgrade them

235
00:13:03.720 --> 00:13:06.693
before they become vulnerabilities.