CCT 212: Memory Protection and Virtualization Security for CISSP Success (Domain 3.4)
Jan 20, 2025
Unlock the secrets to fortified cybersecurity with our latest episode, promising to equip you with the knowledge to safeguard your digital infrastructure. We explore the vital role memory protection plays in maintaining system stability and integrity, emphasizing the need to shield it from unauthorized access. Discover the strategies for defending against notorious vulnerabilities like Meltdown and Spectre and learn why it's crucial to address zero-day threats, such as those recently identified in Fortinet firewalls.
Venture into the realm of virtualization with a comprehensive comparison of type one and type two hypervisors. Whether you're a large enterprise or a small business, understanding the nuances of these technologies is crucial for maximizing performance and security. We'll dissect memory isolation techniques and delve into potential threats, including VM escape and side-channel attacks. Our discussion extends to Trusted Platform Modules (TPMs) and their critical contribution to cryptographic security, navigating regulations across different regions.
As we conclude, explore the importance of Trusted Platform Modules (TPMs) and Hardware Security Modules (HSMs) in forming robust cybersecurity strategies. We'll break down the types of TPM 2.0 and guide you in selecting the best fit for your organization's needs. Discover how to mitigate risks associated with direct memory access attacks and ensure fault tolerance through memory protection techniques. Finally, gain insights into crafting a successful path through the CISSP exam, and learn about the consulting resources available at reducecyberrisk.com to bolster your security posture.
TRANSCRIPT
Speaker 1:
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Shon Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. Alright, let's get started.
Speaker 2:
All right, let's get started. Hey everybody, it's Shon Gerber with CISSP Cyber Training, and hope you all are having a beautifully blessed day today. Today we're going to be getting into domain 3.4 and we're going to be getting into understanding security capabilities of information systems, getting into TPMs and also a little bit of tied to encryption and decryption related to that. But I hope everybody is doing all right and staying warm during this very cold time. And also wanted to give a shout out to the folks in LA and all the stuff that they're going through. It's just, it's mind-boggling to see what they're having to deal with and big chunks of Los Angeles just being leveled. It looks like a war zone. It is terrible, it's absolutely terrible. But yeah, we just hope and pray that everybody there is safe that's listening to this. Yeah, I know. Unfortunately it's not going to be the case for everybody, so it's just a sad, sad state of affairs. So today we're going to get into 3.4 and we're going to go into some of the aspects, but before we do, we're going to get into some of just something that came up around FortiGate firewalls and vulnerability associated with it. All right, this is again with InfoSec Magazine and they had affirmed the fact that Fortinet has confirmed that there's a zero-day vulnerability against their firewalls and they highly recommend that you patch.
Speaker 2:
I don't know if any of you out there listening have Fortinet firewalls. I know I've worked with them in the past. It works really well. They're a good firewall for an organization. But they've considered it a 9.6 on the vulnerability scale and it's pretty substantial. So if you do have Fortinet firewalls, I would highly recommend you go take a look at it and see if yours might be affected by this. But what it is, it's an authentication bypass vulnerability affecting the FortiOS and their proxy, FortiProxy, and it can be basically exploited to hack various other FortiGate devices within the ecosystem itself. This was discovered by Arctic Wolf. I've worked with them in the past as well. They discovered a massive exploitation campaign going on against these devices and it happened in December of 24. So obviously they did the responsible thing for disclosure and they waited a while to get the patch and everything ready to go before they actually disclosed it. But, that being said, it was in December and it had been probably manipulated for some time. They say that the threat actors are alternating or alternating. They're altering the firewall configurations and extracting credentials using DCSync. So I would highly recommend that if you do have Fortinet firewalls within your organization, you take a look at it immediately, because it would be bad. We just, we don't want anything to happen and the firewalls are a key linchpin in your overall network security place.
Speaker 2:
Okay, so let's go and let's get into what we're going to be talking about today. So today is 3.4, Understanding Security Capabilities, and let's get into what we're going to chat about. Well, the overall goal in this domain is around memory protection and protecting the overall attitude and memory, whether it's in virtualization, whether it's in the TPM, whether it's just in the devices itself. So we're going to kind of go over some of those aspects of it. And memory protection is a very important part of your overall security schema and it really must be enforced. Many times people will think, well, it's in the bowels of this system and for someone to get access to the memory is going to be really challenging. And in some respects that is true. But you also have to take into account that you have a much more mobile infrastructure now than you had in the past. And also the fact is that if these hackers get into your network, they will have access to the memory as well. So it's important that you have a good plan and that you articulate that plan and you plan for it. Manipulation of the memory will result in instability and loss of integrity, obviously, of the system itself, and if you do have issues, it can result in the corruption of the kernel, which is some very recent or not necessarily recent, but some issues. I think it was like 2015, 2017, where there were issues related to Meltdown and Spectre. We'll kind of go into both of those here in just a little bit.
Speaker 2:
So what is memory protection? It involves a set of mechanisms to safeguard the memory from unauthorized access and then, obviously, because of doing that, it'll ensure the stability of the system so that you are able to do what you need to do right. This includes techniques in both hardware and software, so you're going to have memory protection. That's going to be required in a hardware environment, because I know not everybody here is in the cloud and you have some level of hardware devices within your data centers. Many people are trying to migrate to the cloud, but that isn't everyone and you may not be the right choice for you, depending upon your architecture and your overall business situation.
Speaker 2:
But the goal of this memory protection is around data confidentiality, and this protects sensitive data from being accessed by unauthorized people and unauthorized devices, and so you want to ensure the confidentiality of this data as it's sitting on these systems. The data integrity is where it prevents the corruption or unauthorized modification to the memory, and that's so. You have the confidentiality to keep it protected. You have the integrity that helps prevent from corruption. And then you have the isolation, the process isolation, which means that it's operating by itself, independently, and it's not operating in a way that it could be interfered with with any of the other memory spaces. So you have confidentiality, integrity and process isolation. Those are the overall goals of what you're trying to do when it relates to memory protection. So examples of memory protection techniques would be memory segmentation and paging. This is where it's used in modern operating systems and it divides the memory into manageable blocks, so they're separated, they are operating independently and they're not one big giant blob.
Speaker 2:
The other one, obviously, is access control mechanisms where they have read, write and execute permissions on these memory environments. Those you want to make sure that are in place. Now, in the past I will say that I've dealt with hardware where you could put some level of access controls on the memory, but they didn't do it because of the fact that other systems were taking access of this hardware and adding more restrictions, such as access controls on memory potentially could give you issues and so the folks just didn't do it. They didn't turn it on. Now, with these new systems again, I will tell you I have not dealt with that, but I would assume that it's probably an easier process than it was in the past. So there are abilities to add access control mechanisms to your overall memory schema. So here's the.
Speaker 2:
We're going to talk about Meltdown and Spectre just a little bit. Now the reason for Meltdown: this was a flaw in a speculative execution which allowed basically user level applications to read the privileged kernel memory. And, as we all know, the kernel memory sits in the bowels of the beast of your computer and it allowed applications to read it. It should not be. The kernel should not be allowed to be accessed by any sort of application. It is a standalone system, not system, but it's standalone memory that is set aside specifically for running operations.
Speaker 2:
Now the Meltdown. It did cause out-of-order executions to bypass memory isolation mechanisms that were already in place, and then what it did is it gave exposed potentially sensitive data, such as passwords and encryption keys, to individuals or applications. So that was the Meltdown vulnerability and again, I think it was right around 2015, maybe, yeah, somewhere in that range. It's been a while since it occurred, but it was a pretty big deal because of the fact that it did a lot of times. The passwords and the encryption keys are kept in memory, right, and that's where they're kept so that they can decrypt and encrypt the data, and therefore it now allowed access to it. The Spectre vulnerability: this tricks the processor into executing incorrect, speculative instructions, right, that leaks potentially sensitive data and again, it's getting more data out of the system.
Speaker 2:
Now, let's be realistic here as well. So if you're looking at it from an overall risk standpoint: one, you want to patch it if it's available. Two, you have to understand if there is a risk to your memory, is it worth dealing with the patching? Now, in many cases, it may not be something you want to actually go do. You may be in a situation where it's like, you know what, my systems are so protected because I'm behind firewalls, behind this, behind that, that they don't necessarily need an update to the operating system or, in this case, maybe the device itself.
Speaker 2:
But you need to kind of weigh all that out. Now, if your computers that are going to be dealing with potentially memory challenges are running highly sensitive and highly secure environments, then most definitely you'd want to address that. So you have to really kind of weigh the risk and also understand how many systems might be affected by this potential vulnerability. So if it's only a couple, then they're much easier to fix. If it's an entire enterprise, you may want to just determine which ones will you address and which ones will you not. So again, when we talk about vulnerability management, it's an important thing to remember. You may not patch everything. It may not be in the best interest of the organization or the company to do that. You may decide that we're just going to let some of this live for a while until we come back and address it, either with potentially new hardware or other mechanisms in place to protect that information.
Speaker 2:
In this case, here with Spectre, it impacted the CPUs across multiple vendors and architecture. So there it would be something you'd probably want to go and address, because it's affecting multiple vendors and it could affect multiple systems in a more or less kind of a fratricide kind of aspect. One of the mitigations around it was the microcode updates and then all as well as compiler changes to induce memory fences and disabling certain CPU features. So again, it's not a simple thing as going, hey, I'm just going to go add a little button here and it's going to go work. No, that would be a pretty intense update that you'd have to do. So you'd want to make sure that it is going to meet your needs, as well as a good plan on when you would resolve this issue and when.
Speaker 2:
We're dealing with virtualization. That's the next topic. One or more operating systems are operating within a single host, and this is where you, the simple idea is you have one PC within a very large server farm and they are virtualized within this environment. And I know you all have probably dealt with virtualization at some point in your careers, especially those that listen to this podcast, because many of the folks that listen to this, you guys, are well-seasoned and you've at least heard of it and maybe understand the concepts around it. Now, some of the common types around virtualization are Hyper-V and then VMware vSphere as well, and there's many others that are out there, but those I've dealt with Hyper-V and VMware specifically.
Speaker 2:
But bottom line is, all it does is it's creating multiple little computers inside a virtualized environment. That, and so they have just multiplicity versions of it. It's extremely useful, right. It has multiple instances of the same or different OSs. You can have Windows working with Linux, you can have all that stuff kind of in the same hypervisor, and it just really kind of comes down to what you're trying to accomplish. These are optimized for computing power and it helps to reduce the overall cost within your organization. So you'll pay for a very big, expensive server, you'll pay for the hypervisor that will then run all these virtual machines and then you'll have licensing that it's tied to each of these machines, but overall you're not paying for all these different hardware devices that all cost money and on the other side is you have to then turn around and dispose of them over periods of time. So there's a lot of really good value in virtualization and hence the cloud.
Speaker 2:
AWS is an example, and Azure would not be where they're at today without some form of virtualization. I mean down to the point where they're running scripts that are running pieces, just parts of a computer. So you don't even have a full operating system running. It's just running specific scripts that are then you're getting charged for, but now you don't have to dedicate an entire system to run some small little thing that's occurring. So that's an important part as well. So the virtualization piece has really changed a lot over the past 10 years, to the point where it's extremely profitable to use it. But, like we mentioned in previous podcasts, you also have to run the risk of having too much virtualization and then it ends up costing you a lot more money that maybe you didn't necessarily need. So it does.
Speaker 2:
Virtualization will allow multiple machines to run on a single physical host, with the hypervisor managing all the resources. That's the purpose of it. Now you have a memory protection in virtualization and this deals with virtual memory management and guest and host memory isolation. The virtual memory management: this maps the virtual addresses to the physical memory using page tables and it's managed all by the hypervisor. One of the things you want to avoid and one of the concerns is that when you have a hypervisor that is basically acting as the intermediary between all of these virtual addresses, could someone who gains access to one virtual machine then turn around and pivot to multiple virtual machines just because they gain access to the hypervisor? And that has been a real concern, and there's been various vulnerabilities that have come out there around that that have had to be addressed. So, when you're dealing with hypervisors, be very cognizant of the fact that if there's something that affects that, you'd probably want to address it relatively quickly because you own one, you own them all. So it's an important part that you just need to be aware of.
Speaker 2:
Now, the guest and host memory isolation. This prevents guest OSs from accessing other guests or host memory directly. Again, same concept, and this is where if you have a tenant that is specifically set up for you, but it's all under the same hypervisor, and then there's somebody else that has a little tenant that's set up for them, could you go and blend between the two different hosts that are there, and that's something that could be done. Now, this could be done through the hypervisor or it could be done through the operating systems themselves. So it's just something to consider when you're dealing with memory protection.
Speaker 2:
On virtualization, now, some key concepts around this is you get the hypervisor types. You have a type 1 and a type 2. Type 1 is your bare metal hypervisor, and we'll get into those just a little bit here in just a second, and then your type 2 is your hosted hypervisor. Now there's some various threats that can attack hypervisors. These are side channel attacks, which is, we'll get into this a little bit too, L1 terminal faults, and then breakouts, where a compromised VM can attack a specific hypervisor, and this kind of comes into is that you have a VM that may specifically be compromised and it can go after the host hypervisor specifically and try to run exploits against it. If they are vulnerable, that could be a problem.
Speaker 2:
There's mitigation techniques around this using hardware assisted virtualization, such as your Intel VT and AMD-V, and then implement strong isolation and patch hypervisors against their vulnerabilities. Again, that's the key question here you need to understand the systems that are within your network and understand the virtual systems within your network so that you can properly protect them. Again, even the virtual or hardware doesn't matter and therefore you have a good plan in place when a vulnerability pops up, such as what we talked about just a little while ago, is the fact that the Fortinet firewalls when we recorded this is that there's a big vulnerability with them. If you know that you have Fortinet firewalls and you know you have a specific OS in the proxy versions, then you would be one that would go and go hey, we need to patch this immediately, whereas if you don't have a good clue of what's in your environment, it's really hard to patch something you don't know exists. So that's just kind of a little tidbit.
Speaker 2:
So a type one hypervisor we talk about bare metal. This runs directly on the hardware without needing the host operating system. So an example of that would be VMware ESX and Microsoft Hyper-V. Those are ones that I've worked, like I said, I've worked with before. The strengths of these is that they're a higher performance and they have better resource management and they're used in enterprise environments such as data centers and server consolidation areas as well. So this is your bare metal type one Hyper-V. Now, the protections around memories is it's strong process isolation between the guest VMs that are there, so it does keep them well separated. And then there's direct hardware level access controls with the CPUs, which means you have to have directly connections to it to be able to mess with the CPU and so forth. So if it's in your data center, you actually have to connect to it through an ILO port or something like that. You're not allowed to just go in and get access to it directly through, potentially, one of the VMs that are there.
Speaker 2:
Type 2 hypervisor this is a hosted hypervisor, now. This runs on top of a host operating system, acting as an application. So the first one is a dedicated hypervisor. The second one is more or less kind of an application that's running on a system itself a host operating system. Examples of this would be Oracle VirtualBox, VM Workstations, I mean, and I know VM Workstations are really easy to get access to. Microsoft Workstations is another one. These are real easy to install and they're very good for desktop environments, and they're a really good way that companies have migrated away from, like even Citrix to something like this as well. The weaknesses, though, it does rely on the security of the host operating system. So if that thing has been compromised well now, it could potentially compromise all of the entire hosts as well. So it's important for you to have a really good understanding of which ones are running within your organization.
Speaker 2:
Small medium businesses may use more of a hypervisor hosted model versus, like we mentioned above, with the hypervisor bare metal. The type one is more of an enterprise and the reason is is I mean, the type ones are very expensive, you have to put them in a server farm and they are not cheap at all, in tens of thousands of dollars. So in a case of a small medium business, that might be overkill for what they need. But again, those are the different options you have. Now, when you're dealing with considerations around protection, the host OS vulnerabilities again can affect the VM's memory isolation, so it's important that you do keep those updated. Now, the nice part about VMs is that you can set this on auto update and you are good to go. Now the question you may run into is if you're virtualizing applications, you'll want to make sure that you have obviously good backups for those and you have the ability to reinstall those if something were to go bad with the host OS. Now there's various threats to virtualization and memory.
Speaker 2:
You have the VM escape and what this is, is this is where an attacker will compromise a guest VM to gain control of the hypervisor or other VMs. Some examples that came out: the VENOM. This was in 2015. This exploited flaws in a virtual, okay, because these don't exist really, the virtual floppy drive in certain hypervisors. There are some places that still need a floppy drive, yeah, go figure, but they do. So, some applications, I should say. So if that's the case, this is where this came out. Now again, this is nine years old, so it's been a while since this occurred, but it's just trying to give you an example where the VM escape could occur.
Speaker 2:
Side channel attacks: this is where they exploit shared resources, such as your CPU cache that may be utilized by multiple systems, and this is where it would infer potentially sensitive data from other VMs. So you're basically sharing in the, everybody's in the pool and you are now sharing data between each other in the pool. That can be really disgusting, but it is possible. Memory over commitment risks: this is where you allocate more virtual memory than the physically available. That can lead to performance degradation and I've seen this happen specifically. Yeah, you've done this. This runs into a big issue. Sometimes, when you're dealing with VMs and they are almost maxed out, you will run into a lot more memory virtual memory issues than what's physically available. So keep that in mind. And then malicious software installs on operating systems, such as malware and rootkits. Those can happen directly. Again, if your compromised OS has access to the internet and they're able to get rootkits to those or some sort of malware, it potentially could get pushed to the hypervisor as well.
Speaker 2:
Now we're going to get into Trusted Platform Module, or TPM. Now the TPM is a specification for a crypto processor chip. Now this stores what happens on these, the crypto keys on this TPM. Now it's typically a hardware supported versus hardware versus software. TPMs will be a like a hardware chip that's sitting within a computer and because of such, it's much faster. It's also harder to dink with. It's harder for some people to mess with. One of the aspects around this would be full disk encryption, BitLocker and dm-crypt. They do use the TPM for encryption.
Speaker 2:
Now, if you're dealing with places such as China, there are some restrictions around TPM. I ran into this when I was working for my multinational that they would not allow TPM version chips into the country, and the reason is is because they wanted to make control of the keys. If they deploy their own TPM version, like the China TPM, then what can happen is, ideally, if they need to get access to the crypto keys, they can gain access to them because they have access to all the TPMs. In the United States the TPMs are very separate, I should say united Western countries, and as far as we know, those TPMs are not controlled by any other foreign government. So the keys would be safe and static within that TPM module within the system. Again, I say that, but I don't really know. Who knows, maybe the NSA has got their fingers knee deep or they're knee deep into all that, I don't know.
Speaker 2:
Random number generator is also incorporated into the TPM as well. So you typically have a random number generator within your computer and it would be incorporated within your TPM chip that's sitting in your system. Again, the TPM, it provides cryptographic functions to enhance security. There's a secure boot and measured boot. This prevents tampering with the bootloader and the kernel by verifying your cryptographic signatures. That's how you can protect your memory. That's in the TPM. It does provide proof that the system's hardware and firmware have not been altered. So it does have an attestation. Comment to that, or compatibility or whatever. I'm trying to figure the word, but it does have the attestation. Yeah, it can verify. Forget the, I can't speak. And on top of that, that's a big $10 word. Key storage: it does store the keys for disk encryption and protects data in the memory as well, so it will keep all of that within your TPM module.
Speaker 2:
Microsoft, we talked about, uses TPM, and then your trusted computing and cloud environments do use a TPM as well. I think we're on TPM 2.0, if I'm not mistaken, it could be higher than that right now. I haven't dealt with it in probably about a year. But that being said, the trusted platform module is something that you really truly want to be concerned about, and this is why buying equipment from other places other than Western countries can be problematic. You just don't know what you're going to get, and I would assume that the system potentially has been compromised.
Speaker 2:
Other concepts: computers can use TPMs to authenticate hardware devices. That's part of that. There, the TPM chip has unique and secret RSA key burned specifically into it at production. Again, talking Western, I'm not talking anybody else outside of that, and I'll just kind of a little side note. I know when you're manufacturing hard, or I should say motherboards within other countries, many times the TPM chip would come from outside and then be soldered in. This kind of comes back to what we dealt with China. China would actually request the TPM not be installed so that it would be installed in-country. So yeah, is the TPM Chinese-based or is it US-based? Hard to say. The TPM is considered a requirement for all laptops, tablets and smartphones, and then it's used for identification, authentication and encryption to maintain the device integrity. So again, I hope you understand what the TPM is. We've kind of burned this thing to death right.
Speaker 2:
One other thing that's an aspect around this is not necessarily a TPM, but it's the hardware security module and we've talked about this in the cloud space. This does act like a TPM in some respects, but it does store your crypto keys, it manages and stores those within cloud environments. It does accelerate crypto processing as well, and a TPM is an example of an HSM. But an HSM necessarily isn't a TPM. I know and I'm splitting hairs there, because the TPM was first, the HSM was second and it is used quite extensively though. So I would highly recommend in your security world, because you're dealing with keys and crypto keys I would dig a little bit deeper into TPM and then understand HSM as well. That would be an important part of your overall security strategy.
Speaker 2:
Now TPM 2.0. TPM 1.2 is currently deployed in large numbers, but 2.0 will be required. That's what it was. I couldn't remember and I believe probably at the time when I did this first slide, I think 2.0 was just coming out. I think it's pretty much deployed now. All manufacturers are deploying 2.0.
Speaker 2:
Now there's five different types of TPM 2.0. There's discrete, integrated, firmware, software and virtual. So your discrete TPM: this has got dedicated chips that implement TPM functions on their own tamper-resistant semiconductor package. So that's the discrete ones. The integrated TPMs: these reside within another chip. So your discrete is specifically by itself. Integrated is, it's embedded within another chip and therefore are not tamper resistant because they're inside another chip.
Speaker 2:
Then you have your firmware TPM. This is hardware only solutions which will run in the CPU's trusted environment. So it's specifically a firmware TPM. That's just for the firmware, not for anything else. It's not for any crypto keys, it's not for anything that's outside of the specific firmware. Then you have your software TPM. This is where you have software emulators of TPMs which run with no more protection than a regular program. So they're out there in the wild. They act as a trusted platform, but they're not designed as the main storage of crypto keys. They are, but you have to assume, with the use of a software TPM, that it could be compromised. So again, you just think about all of these things when you're deploying your cybersecurity strategy.
Speaker 2:
The virtual TPM. This is provided by virtual hypervisors and requires isolated execution environment within the virtual machine itself. But again, it's a virtual TPM and it is sitting in within the hypervisor. So there are some challenges with that as well. And I tell you all of that, saying that none of this is bad. It's just do you have to determine when your security strategy, what are you trying to protect? And if the data you're trying to protect requires extreme levels of security, then some of these systems, such as a software TPM, may not be something you want to use. You want to be very dedicated on what kind of platform or TPM you're going to be using for your organization. So just kind of keep that in the back of your cranium. Memory interfaces: now these interfaces manage communication between the memory and the CPU or potentially other components that are within this computer system itself.
Speaker 2:
So you have DDR and SDRAM. This is the double data rate, and SDRAM is what it is. It's just one word, sorry. SDRAM is something separate. They're used in modern PCs for high-speed, volatile memory, right? So you're just basically, your SDRAM is there. It's used for high-speed access of memory and it's fast, right, it's really good.
Speaker 2:
You have your NVRAM, which is non-volatile RAM. This retains data even without power and it's commonly used for servers. So power goes down, the memory is still there. Most other types of RAM will lose and there might be ghost RAM. I tried when I was in the red teams we would try to exfiltrate some of that ghost RAM. It didn't. It worked a little, but it was very problematic. So it would be more on those systems that are really super highly sensitive that you would be most concerned about. Security risks.
Speaker 2:
You have a direct memory access attack. This is a DMA attack. Now this exploits the memory bus for unauthorized access, and then you have bus snooping. This is what captures data being transferred on the data bus itself. So there's some different aspects that could happen between the memories. So if you have memory that's going on back and forth, your DMA attack again exploits memory buses and then you have bus snooping, which is actually capturing data that's being transferred across the overall bus of your system. Now the mitigation strategies, obviously, is your input-output memory management unit, or IOMMU (yeah, that just sounds like something out of a, I don't know, some TV show, I-O-M-M-U) to restrict your access to your memory, so to restrict direct memory access. So you want to make sure that you would put something in place to limit that. Now again, I've never, I've heard of them. I've kind of dabbled with them a little bit, but I've never really seen them work within systems themselves. So I can't give you a whole lot of knowledge around that, other than to say that you would.
Speaker 2:
If memory potentially snooping is a big deal to you, you're going to want to make sure that you at least put something in place to mitigate it. A little of that. Fault tolerance and memory protections. This is, again, fault tolerance ensures continuous operations despite the hardware faults. We have error correcting code, ECC memory. This detects and corrects single bit errors. We have redundant memory modules. These provide backups in case of memory failure as well. And then you have memory scrubbing. This is where you have periodic checks and corrections to the memory errors themselves. So those are different things you can put in place for fault tolerance around this, and this was well to help and basically ensure that you have continuous operations in the event that there's hardware faults or potentially power outages, and so you want to have some level of.
Speaker 2:
Now, a lot of this is all baked into what the systems you're already buying. This wouldn't be something you would actually have to go do, but it's important for you, as a security professional, to understand what are some of the controls in place. Again, if you're dealing with the super secret sauce, you're going to want to. You're going to be part of the procurement chain and they're going to ask you very specific questions. You're going to want to know these key concepts and understand it. Now, if you don't know, that's fine too. But you're going to want to be able to talk logically to some of your architects or your engineers around this information, because your architects may not know specifically what you need from a requirement standpoint, and if you come to them and say, hey, I need X, Y and Z, I need two point because I did this, this happened. I needed TPM 2.0. I need it on the devices. It cannot be Chinese made. It has to be US based. And if I have to ship equipment into that lab, then it's what's going to have to happen, and then I had to work through the Chinese government to make that happen. So the point of it is is you, as a security professional, are going to have to know those things at least to be able to talk logically to the people that are much smarter than you, and that's good. You need to be able to do that, and that's also your senior leaders are going to expect you to do that. That's a key factor when getting the CISSP. Yeah, taking the test, yeah, that's great, you pass it. But there's a lot of stuff that you're going to have to remember besides just passing the CISSP exam. Again, that's why we're here. Pass it, but there's some great, great information that you can use to help you with your overall security strategy. Now, the security implications around this. It does prevent memory corruption, which again could lead to system crashes or exploitable conditions.
So, again, you want to make sure that you put things in place to help remediate that.
Speaker 2:
Now, encryption and decryption for memory protection. What is this? Now, this is where encryption transforms data into a ciphertext to prevent unauthorized access, right? So it basically encrypts it, puts it. You can't see it, can't do anything with it. Decryption reverses the process, the overall thing, right.
Speaker 2:
We all have dealt with encryption and decryption a lot, especially in the CISSP. So there's types of memory encryption. You have data at rest and you have data in use. We've talked about this extensively around data at rest, and this is where the data is stored on the disks. Data is very rarely ever at rest, but when it is, you want it encrypted. Data in use is where it protects it actively being used in memory, right. So if it's in memory being transmitted, you want it to be protected and encrypted.
Speaker 2:
The problem with all this encryption is it adds additional drama to the overall plan with the fact that it takes a lot more stuff to make it happen. Hardware implementations: you use the Intel SGX, which is their software guard extension. This protects enclave memory from external access. And then you have the AMD SEV, which is their secure encrypted virtualization chip, and this encrypts the entire VM memory. So lots of great tools out there. Again, as we've talked about, though, adding encryption does have drama in the fact that it will slow down the system. It adds latency. You just end up, and I will say, Pete, the operations folks will complain because their system is slow. So you're just going to have to work through all of that. Right, I'm talking kind of like, I guess, like a whiny little 10-year-old, but it's true they will. They'll complain, they will not be happy.
Speaker 2:
Benefits: defends against cold boot attacks, which, again, this allows the attacker to extract encryption keys and other data from the computer memory after it's been powered off. So, again, this is where the keys are kept within the memory itself. Yeah, I've heard of it happening. I know it can happen. I know people have done it. I've never seen it myself, never witnessed it.
Speaker 2:
Enhances protection in multi-tenant environments as well. So those are the benefits of having encryption. So, again, it's an important part. You want to figure out how you can use it within your environment. So these are some of the best practices for, again, for memory protection. You want to regularly update firmware and microcode to address any new vulnerabilities that come out. This, therefore, you need to be aware of these vulnerabilities. Just because you become the CISO of a large organization does not mean that you sit in your ivory tower and wait for people to feed you grapes and wine. No, you have to be involved and you need to understand the vulnerabilities.
Speaker 2:
I had a goal. My goal was to let my security architects know before they knew if there was a vulnerability. Now, granted, we didn't play catch the mouse or whack-a-mole or anything like that, but if I saw stuff, I sent it to them, and what it did is it created a culture where, if they saw stuff, they sent it to me, and it's very good. It was very, very important. Because, one, at a minimum, I didn't always get a chance to look at some of the stuff they sent me, but I knew they were on top of it.
Speaker 2:
And again, we talk about this with security, it's not about how smart you are. It's about how you can find smart people that will help you make the right choices. And it's about influence. The more you can influence the decision makers that you want you know what you're doing. You have your ducks in a row, which they're never in a row, but if you have them in a row, then it gives them confidence that you actually know what you're doing. So important for you to be involved and engaged with everything that goes on within your company, and this can start off just as an architect. It doesn't have to be where you have to wait until you're a security leader within an organization for this to occur. You can do it at any point within your organization and if you do that, I will tell you right now, if you take this aggressive approach, they will look to you as the leader in many ways. So just a little piece of advice there. Use TPM-enabled devices for better key management.
Speaker 2:
Again, use that as much as possible and be aware of what you have for TPM within your environment. Implement error code, error correcting code. Again, this is going to help with scrubbing the memory for fault tolerances. Again, a lot of this is baked in, but at least you need to understand it where the ECC can help identify and fix errors within the data that's stored there and then enable full disk and memory encryption wherever and whenever possible. But I will caveat that with based on risk, you need to understand the overall risk to your organization and then implement these tools. It does not mean, hey, Shon said, implement full disk encryption everywhere. No, no, no, no. That may not be the best thing for you and your company. Your risk may not warrant that. Now, parts of your company may warrant that. But this is where you need to know data flows. This is where you need to understand where the data is at and then understand who's the owner.
Speaker 2:
So lots of little things in there. That little nugget there has got chock-full of all kinds of good stuff. Okay, that is all I have for you today. Head on over to CISSP Cyber Training and check out what we've got. A lot of great free stuff. We also have some stuff that you can purchase that will get you all the content you need to pass the CISSP exam the first time.
Speaker 2:
I have a blueprint that will walk you through the book step by step by step. It is broken out to the point where, if you just follow the blueprint, you will pass the test, I guarantee you. The part where it gets into goofiness is when you go I already know that stuff and you move on. Then it gets a little squirrely, so you need to take the. If you get in there, follow the blueprint, go through the blueprint step by step by step, and it will pay off for you. Also, if you are interested in consulting aspects, go to reducecyberrisk.com.
Speaker 2:
I'm going to have my podcast. I just released an episode of that. There'll be some more coming out for reducecyberrisk.com here in the coming months, but go there if you need consulting work, if you need virtual CISO work or just like a security, like an outfit, a security look at your program, just let me know. Reach out to me. I've got some stuff out there as well, as I have a security assessment checklist that you can go through. And again, this is one that you can take and run with and look to your organization and see if how you're doing, what are you doing? Is everything good, am I not good? These are some of the key questions that I would ask within a security assessment. That will probably give you some guidance around what you should ask your senior leaders if you're trying to figure all this out. So again, that's at reducecyberrisk.com. Okay, that is all I have. Guys, have a wonderful, wonderful day and we will catch you all on the flip side, see ya.