Intro To Cyber

Lecture 9 & 10

Date Taken: Fall 2025
Status: Completed
Reference: LSU Professor Joseph Khoury, ChatGPT

Hardware Vulnerabilities

Modern Computing isn't just about desktops and phone, we are surrounded by hardware devices and many don't run on a traditiotnal operating system or having very limited protectopn which introduce new security risks.

Hidden weaknesses - Devices like cameras, printers, and smart appliances often lack built-in security features
Attractive Targets - Since they are connected to the network, they can be exploited as an entry point for attackers
IoT Expansion - Everyday items like light bulbs, garage doors, refrigerators, and door locks are part of Internet of Things (IoT), increasing the numbers of vulnerable devices

Vulnerabilities of security in devices had grown dramtically because almost everything is connected to the internet. Traditional security approach are no longer enough in which case the defender will need to rethink their appoarch. Hardware protection has become as important as protecting software due to IoT being everywhere.

Firmware

Firmware is software that lives inside hardware devices. You can think of it as the operating system of the hardware, controlling how the device works at a low level.

What is Firmware? - Firmware tells the hardware what to do, without it the device would not function
Who Controls It? - Only the manufacturer can usually update or fix firmware. This means that the security can only depend on the manufacturer on whether he knows about the vulnerabilities and if he cares enought to fix it.
Why It Matters - if firmware has a bug or vulnerability, the entire device can be compromised and users usually cannot fix them themselves.

Firmware is powerful but risky; if it is not updated quickly, attackers can exploit devices before the fix is released.

End-Of-Life (EOL) and End-Of-Service-Life (EOSL)

When hardware or software reaches the end of its life cycle, it has big security and maintenacne implications

End-Of-Life (EOL) - The manufacturer stop selling the product, but may still provide support and security updates. Even if you can't buy it new, the product can still be kept safe with ongoing patches and updates.
End-Of-Service-Life (EOSL) - The manufacturer stops selling and stop supporting the product. This means no more security patches, bug fixes, or updates. This device beocmes the prime targets of attackers because vulnerbilities will never be fixed

Device/Techonologies reaching EOSL is a serious security risk. Always track which systems are or near EOL/EOSL because no security patches will be update in which open doors for attackers

Legacy Platforms

Some devices and system stick around longer then intended. Although they can still work they often pose to security challenges.

Some older devices, operating system, applications, or middleware that are still in use. They may be running on EOL software, meaning no new security patches or vendor support

May be running end-of-life (EOL) software, meaning no new security patches or vendor support

May require additional security measures to protect them from vulnerabilities

Virtualization Security

Virtualization technology allows multiple virtual machines (VMs) to run on a single physical machine. While this offers benefits like resource efficiency and isolation, it also introduces unique security challenges. Quantity of resources varies between VMs and the host machine can lead to vulnerabilities if not properly managed.

Hypervisor Vulnerabilities - The hypervisor, which manages VMs, can be a target for attacks. If compromised, an attacker could gain access to all VMs running on that host.
VM Escape - This is a type of attack where malware in a VM escapes its confines to affect the host system or other VMs.
Misconfiguration Risks - Virtual environments can be complex, and misconfigurations can lead to security gaps. Properly securing each VM and the hypervisor is crucial.
Local Privilege Escalation - If an attacker gains access to a VM, they may attempt to escalate their privileges to access the host system or other VMs.
Command Injection - Attackers may try to inject malicious commands into a VM, potentially affecting the host or other VMs.
Information Disclosure - Sensitive information from the host or other VMs may be exposed if a VM is compromised.

VM Escape Protection

Virtual Machine (VM) escape is a security vulnerability that allows an attacker to break out of a virtual machine and gain access to the host system or other VMs running on the same host. This can lead to unauthorized access, data breaches, and other security issues. Once an attacker escapes a VM, they can potentially control the host system and all other VMs on it. This would be a huge security risk, especially in environments where multiple VMs are used for different purposes. To protect against VM escape attacks, consider the following strategies:

Isolation - Ensure strong isolation between VMs. This can include using separate physical hosts for critical VMs and employing network segmentation.
Regular Patching - Keep the hypervisor and all VMs up to date with the latest security patches to mitigate known vulnerabilities.
Monitoring - Implement monitoring solutions to detect unusual behavior within VMs and the hypervisor.
Access Controls - Enforce strict access controls to limit who can interact with the hypervisor and VMs.

Escaping The VM

VM escape attacks exploit vulnerabilities in the hypervisor or the VM software itself. Attackers may use techniques such as buffer overflows, code injection, or exploiting misconfigurations to break out of the VM. Once they have escaped, they can potentially access the host system and other VMs, leading to a wide range of security issues.

Resource Reuse

The hypervisor manages the relationship between physical and virtual resources. Available RAM, storage space, CPU availability, etc. These resources can be reused between VMs to optimize performance and efficiency. Data can inadvertently be shared between VMs, and timely updates to the memory management features and security patches can mitigate these risks. Resource reuse in virtualized environments can lead to security risks if not properly managed. Attackers may attempt to exploit shared resources between VMs to gain unauthorized access or escalate privileges.

Shared Memory - If VMs share memory resources, an attacker may be able to access sensitive information from other VMs.
Resource Contention - VMs competing for limited resources may inadvertently expose vulnerabilities that can be exploited.
Improper Cleanup - Failing to properly clean up resources after a VM is terminated can leave residual data that may be accessed by other VMs.

Supply Chain Risks

Supply chain risks refer to the potential vulnerabilities and threats that can arise from the various components and services involved in the production, distribution, and maintenance of hardware and software. These risks can originate from third-party vendors, manufacturers, or even internal processes within an organization. Supply chain attacks can lead to the introduction of malicious code, backdoors, or other vulnerabilities into products before they reach the end user. To mitigate supply chain risks, organizations should implement robust security measures throughout their supply chain, including:

Vendor Assessment - Evaluate the security practices of third-party vendors and suppliers to ensure they meet your organization's security standards.
Code Reviews - Conduct thorough code reviews and security assessments of third-party software and components before integrating them into your systems.
Monitoring - Continuously monitor for signs of compromise or unusual activity within your supply chain.
Incident Response - Develop and implement an incident response plan specifically for supply chain attacks.

By proactively addressing supply chain risks, organizations can reduce the likelihood of successful attacks and enhance their overall security posture.

SolarWinds Supply Chain Attack

The SolarWinds supply chain attack, discovered in December 2020, is one of the most significant cyber espionage incidents in recent history. Attackers compromised the SolarWinds Orion software platform, which is widely used for IT management and monitoring. By injecting malicious code into a software update, the attackers were able to gain access to the networks of numerous organizations, including government agencies and Fortune 500 companies. This attack highlighted the vulnerabilities present in supply chains and the potential impact of third-party software on organizational security.

The SolarWinds attack demonstrated the importance of supply chain security and the need for organizations to implement robust security measures throughout their supply chains. It also underscored the challenges of detecting and responding to sophisticated cyber threats that can exploit trusted relationships between organizations and their vendors.

In response to the SolarWinds attack, many organizations have reevaluated their supply chain security practices and implemented additional measures to protect against similar threats in the future. This includes increased scrutiny of third-party vendors, enhanced monitoring for unusual activity, and improved incident response capabilities.

Misconfiguration Vulnerabilities: Open Permissions

Misconfiguration vulnerabilities occur when security settings are not properly configured, leading to potential security risks. One common example is open permissions on cloud resources, which can expose sensitive data and services to unauthorized access. Organizations must implement strict access controls and regularly audit their configurations to mitigate these risks.

Very easy to exploit, attackers can easily scan for misconfigured resources and gain access to sensitive data or services. Regularly review and update security configurations to ensure they align with best practices and organizational policies.

Unsecured Admin Accounts

Unsecured admin accounts pose a significant security risk, as they often have elevated privileges that can be exploited by attackers. Common issues include weak passwords, lack of multi-factor authentication (MFA), and failure to regularly review and update access permissions. To mitigate these risks, organizations should enforce strong password policies, implement MFA, and conduct regular audits of admin accounts to ensure they are secure.

Admin accounts should be closely monitored for unusual activity, and any suspicious behavior should be investigated promptly. By securing admin accounts, organizations can reduce the risk of unauthorized access and protect their systems and data from potential threats.

Disable direct login to root or admin accounts, and use the su or sudo command to perform administrative tasks. What su and sudo do is that they allow a permitted user to execute a command as the superuser or another user, as specified by the security policy. This adds an extra layer of security by requiring users to authenticate themselves before performing actions that require

Insecure Protocols

Insecure protocols are communication protocols that lack adequate security measures, making them vulnerable to interception, eavesdropping, and other attacks. Examples of insecure protocols include FTP, Telnet, and HTTP, which transmit data in plain text without encryption. To enhance security, organizations should replace insecure protocols with secure alternatives, such as SFTP, SSH, and HTTPS, which provide encryption and authentication mechanisms to protect data in transit.

Open Ports and Services

Open ports and services can expose organizations to security risks, as they may provide attackers with potential entry points into the network. Organizations should regularly scan their networks for open ports and services, and implement strict access controls to limit exposure. Additionally, unnecessary services should be disabled, and only essential ports should be left open to minimize the attack surface.

Use firewalls and intrusion detection/prevention systems to monitor and control network traffic, and ensure that only authorized users and devices can access critical resources. Firewalls rulesets should be regularly reviewed and updated to reflect changes in the network environment and security policies. Always test firewall rules to ensure they are functioning as intended and effectively blocking unauthorized access.

Default Settings

Default settings on devices and software can pose significant security risks, as they are often well-known and can be easily exploited by attackers. It is crucial to change default usernames, passwords, and configurations to enhance security. Organizations should implement a process for reviewing and updating default settings during the initial setup and configuration of devices and software.

Mobile Device Security

Mobile devices are often targeted by attackers due to their portability and the sensitive data they contain. Organizations should implement security measures to protect mobile devices, including:

Enforcing strong password policies and biometric authentication.
Implementing mobile device management (MDM) solutions to enforce security policies and remotely wipe lost or stolen devices.
Regularly updating mobile operating systems and applications to patch vulnerabilities.
Educating users about the risks of using public Wi-Fi and the importance of using VPNs.

Jailbreaking/rooting

Jailbreaking (iOS) and rooting (Android) are processes that allow users to gain elevated privileges on their mobile devices. While these processes can provide users with greater control over their devices, they also introduce significant security risks. Organizations should implement policies to prevent jailbreaking and rooting, and educate users about the potential risks, including:

Increased vulnerability to malware and attacks.
Bypassing of security controls and restrictions.
Potential data loss or corruption.

Regularly monitor mobile devices for signs of jailbreaking or rooting, and take appropriate action if such activity is detected.

Sideloading

Sideloading refers to the process of installing applications on a mobile device from sources other than the official app store. While sideloading can provide users with access to a wider range of applications, it also introduces significant security risks. Organizations should implement policies to restrict sideloading and educate users about the potential risks, including:

Increased exposure to malware and malicious applications.
Bypassing of security controls and app vetting processes.
Potential data loss or corruption.

Organizations should regularly monitor mobile devices for signs of sideloading and take appropriate action if such activity is detected.

Zero-Day Vulnerabilities

Zero-day vulnerabilities are security flaws that are unknown to the software vendor and have not yet been patched. These vulnerabilities can be exploited by attackers to gain unauthorized access to systems and data. Organizations should implement a robust vulnerability management program to identify and remediate zero-day vulnerabilities, including:

Regularly updating and patching software and systems.
Implementing intrusion detection and prevention systems to monitor for suspicious activity.
Conducting regular security assessments and penetration testing.

Stay informed about emerging threats and vulnerabilities through threat intelligence feeds and security advisories. By proactively addressing zero-day vulnerabilities, organizations can reduce the risk of successful attacks and enhance their overall security posture.