Hardware Security – CompTIA Security+ SY0-501 – 3.3

We rely on many different hardware components to keep our networks secure. In this video, you’ll learn how these hardware devices work together to provide the highest levels of security.

<< Previous Video: Securing SDN Next: Operating System Security >>

If you’re concerned about protecting the data that’s on your storage devices, then you probably want to use full disk encryption, or FDE. Full disk encryption will encrypt everything on the storage drive, not just a single file or a set of folders, every bit of information written to the drive is encrypted. This protects the operating system, all of your files, and you don’t have to decide whether you want to encrypt something or not. Everything written to the drive is automatically encrypted.

Access to this encrypted drive is usually provided through a password. So if you have this on a laptop and you lose the laptop, you don’t have to worry about the data being available to someone else. They won’t have access to any of that encrypted data unless they have that password. This also protects the data if you removed the drive from the laptop and move it to another device. You have to have the password to be able to gain access to the encrypted information on that drive, regardless of what system it’s connected to.

This is often built into the operating systems that we use. Microsoft has BitLocker, Apple uses FileVault, and Linux has the Unified Key Setup. There are even drives you can get that have this capability built into the circuitry of the drive itself. These are self-encrypting drives that perform all of the encryption and decryption on the drive itself. You don’t need to use any of this operating system software if you’re using a self-encrypting drive.

All of these advanced cryptographic functions that we use on our devices need some type of hardware to support this functionality, and we do that through a trusted platform module, or TPM. This is a piece of hardware that’s in your computing device that’s in charge of handling all of these high-level cryptographic functions. For example, a lot of the encryption and decryption that we use today requires random numbers. And there’s a random number generator and a key generator built in to the trusted platform module. The TPM also includes persistent memory. And inside that memory are some hard-coded keys that are unique to the individual TPM.

There’s also versatile memory inside of the TPM that’s used to store other types of data. For example, you can store encryption keys in this versatile memory, or you can store configurations of the current hardware so that later, that configuration can be compared to what’s currently running. This is a way that administrators can use to determine if any of the hardware of a system may have changed over time.

And the TPM is very secure. It requires authentication to gain access to the information stored on the TPM, and it’s designed to prevent any type of dictionary attack. If you’re providing secure access to a large number of web servers, then you may be taking advantage of a hardware security module, or HSM. This is sometimes a plug-in card that you can have as an option to a load balancer, or it may be a standalone appliance like the one here.

AN HSM is designed to store keys in a secure location. This way, you can take all of the different keys that you’re using on your web servers and store them in one secure environment. This can also act as an SSL accelerator or SSL offloading device, so that the CPU cycles associated with the encryption are moved from the web server onto the HSM. We often see these HSMs used in very large environments where security is important, and you need to be able to scale that security over many different systems. HSMs can be clustered together or configured with redundant power, so that you always have availability to all of these cryptographic functions.

Most aspects of information security are based on trust. When we set up encryption to and from a device, we’re trusting that that data is going to be properly encrypted. When we connect to a website over a secure connection, we want to know that the website that we’re connecting to is the legitimate site and not one that’s posing as something else. In this video, we’ve already seen a couple of examples of a hardware route of trust. This would be hardware that all of our security relies upon. So our trusted platform modules and hardware security modules are two good examples of a hardware device that’s used as the basis of our trust.

We trust this hardware because we’ve designed it to be difficult to circumvent. We can’t write code to somehow change physical hardware. And if you remove the hardware, the security that everything is based upon doesn’t work anymore. A common piece of security hardware we have in many of our desktops and laptop computers is a UEFI BIOS. UEFI is the Unified Extensible Firmware Interface, and it’s based on a specification from Intel that is the extensible firmware interface.

This unified version of the extensible firmware interface is a standard that all of the manufacturers have implemented in their hardware. It’s designed to replace the legacy BIOS that we previously used, and it not only provides a modern look to the BIOS, it also adds additional security functions. One of those security functions is secure boot. Prior to having secure boot, systems could be infected at the BIOS level or at the operating system level. And systems, once they booted, would be infected with this malware. Secure boot is built into the UEFI BIOS specifications, so if your system has a UEFI BIOS, it also has the secure boot functionality.

Secure boot has a set of known-good digital signatures built in to the BIOS. If the system that’s booting doesn’t have one of these known-good digital signatures, the BIOS will not boot that operating system. This means if malware infects part of the BIOS or part of the operating system, the BIOS digital signature check will fail and the system won’t boot. This secure boot function is built into many operating systems such as Windows and Linux, and if you’re running MacOS from Apple, they have their own EFI implementation that has a similar secure boot functionality.

From a security perspective, it might be good to know when you turn on your computer if there have been any changes to the hardware or the software since the last time you used the system. If you have a single computer it might be relatively easy to determine this. But imagine if you’re an administrator that has thousands of computers, and you need to know if any of those systems has any type of change that could affect the security.

To address this challenge that we have remote attestation. Remote attestation is going to provide a centralized reporting function so that all of your systems can analyze whether anything has changed with that system over time. A remote device runs an inventory of the hardware and the software, and then encrypts and digitally signs this information using the TPM that’s in that device. When the system is booted again, the same check is performed and compared to the previous inventory. If anything is different, you could have the system fail to boot. That’s one significant advantage of this remote attestation is that it takes place in the hardware of the computer. That way, if something is changed on the system, the entire boot process could be stopped before the operating system is infected.

In September of 2015, security researchers began finding that a number of Cisco routers connected to the internet were infected with a piece of malicious firmware called SYNful Knock. This firmware allowed the bad guys to gain backdoor access to all of these important infrastructure devices. This brought up a number of questions for people that were installing routers, and switches, and other infrastructure devices, because they aren’t really sure where the device is coming from and what checks have been put in place to make sure that the firmware in these devices is secure.

End users have realized they need vendors in the supply chain that they can trust, so they know exactly where this hardware is coming from. They also need to check and make sure that these very critical devices are not connected to the internet before security is in place. And it’s always useful if there’s some way to verify that the hardware, and the firmware inside of that hardware, is genuine and secure.

Security researchers are also trying to find ways to take advantage of the EMI, or electromagnetic interference, or the EMP, the electromagnetic pulses, that are created by this hardware. One aspect of this security research focuses on EMI leakage. Researchers are able to listen in to the electromagnetic interference that’s created by these devices, whether this is video, or keyboards, or hard drives. And by listening in to the interference, the researchers have been able to recreate what people are typing on a keyboard or even recreate what video people may be seeing on their screen.

Another aspect of security in this area is not just listening to the EMI, but injecting their own signals into the EMI. By doing this, they can change data that may be captured on sensors, or input information into the keyboard input by using their own electromagnetic signals. This is just a few of the reasons why organizations will put special precautions in place to protect or shield against electromagnetic interference or electromagnetic pulses. You’ll certainly find this in military installations, places that deal with national security, or networks that are highly secure.