Exam SY0-601
Question 323

A retail store has a business requirement to deploy a kiosk computer in an open area. The kiosk computer’s operating system has been hardened and tested. A security engineer is concerned that someone could use removable media to install a rootkit. Which of the following should the security engineer configure to BEST protect the kiosk computer?

    Correct Answer: A

    Measured Boot is a feature that helps protect systems from boot-level malware such as rootkits. It operates by measuring each component at startup, including the firmware and boot drivers, and storing this information in the Trusted Platform Module (TPM). This ensures that any unauthorized change to the boot components will be detected, thereby preventing the rootkit from taking control of the system. UEFI and Boot Attestation are related, but the direct security measure to prevent the introduction of unauthorized code during the boot process is specifically Measured Boot.
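Added example, not part of the exam explanation or the discussion: a Python simulation of the mechanism described above, showing how Measured Boot chains each boot stage's hash into a TPM PCR (an extend-only register) and how an attestation check replays the event log and compares it with a known-good state. The stage names and image bytes are constructed placeholders standing in for real firmware, bootloader and driver images.

```python
import hashlib
from typing import List, Tuple

# Constructed boot chain for the kiosk: (stage name, image bytes).
# A real TPM measures the actual firmware/bootloader/driver images.
KNOWN_GOOD_CHAIN: List[Tuple[str, bytes]] = [
    ("firmware", b"UEFI firmware v1.2"),
    ("bootloader", b"bootmgfw.efi build 100"),
    ("kernel", b"ntoskrnl build 100"),
    ("boot_driver", b"storage.sys build 100"),
]

def pcr_extend(pcr: bytes, image: bytes) -> bytes:
    """TPM PCR extend: PCR_new = SHA256(PCR_old || SHA256(image)).
    The register can only be extended, never reset by software, so any
    changed or added stage changes the final value."""
    return hashlib.sha256(pcr + hashlib.sha256(image).digest()).digest()

def measured_boot(chain):
    """Hash every stage into one PCR before it runs, recording what was
    measured in an event log. Returns (final PCR, event log)."""
    pcr = bytes(32)  # PCRs start at all zeros at power-on
    log = []
    for stage, image in chain:
        pcr = pcr_extend(pcr, image)
        log.append((stage, hashlib.sha256(image).hexdigest()))
    return pcr, log

def attest(pcr: bytes, log, golden_log):
    """Boot attestation check. Returns (ok, reason).
    1) replay the log and confirm it reproduces the reported PCR,
       so a tampered log cannot hide a measurement;
    2) compare each stage digest with the known-good list."""
    replay = bytes(32)
    for _, digest_hex in log:
        replay = hashlib.sha256(replay + bytes.fromhex(digest_hex)).digest()
    if replay != pcr:
        return False, "event log does not match PCR"
    if len(log) != len(golden_log):
        return False, "unexpected number of boot stages"
    for (stage, digest), (_, golden) in zip(log, golden_log):
        if digest != golden:
            return False, f"{stage} changed"
    return True, "boot state matches known-good"

# Known-good log captured once from the hardened, tested kiosk image.
GOLDEN_PCR, GOLDEN_LOG = measured_boot(KNOWN_GOOD_CHAIN)

def check_boot(chain):
    """Measure a boot chain and attest it against the known-good log."""
    pcr, log = measured_boot(chain)
    return attest(pcr, log, GOLDEN_LOG)
```

A modified boot driver (the stage a rootkit installed from removable media would typically alter) shows up as a digest mismatch, and a stage silently dropped from the log shows up as a PCR replay failure or length mismatch.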

Discussion
RvR109 (Option: A)

"Measured Boot is a new feature of Windows 8 that was created to help better protect your machine from rootkits and other malware. Measured Boot will check each start up component including the firmware all the way to the boot drivers and it will store this information in what is called a Trusted Platform Module (TPM)." https://www.microcenter.com/tech_center/article/8862/what-is-measured-boot

skorza (Option: A)

ChatGPT says EDR is typically used to detect and respond to threats after they have already bypassed other security measures. It is a reactive measure, rather than a preventative one. In this scenario, it would be better to prevent the rootkit from being installed in the first place, rather than relying on EDR to detect and respond to the threat after the fact. Measured boot, on the other hand, is a preventative measure that ensures the system starts with a known good state and can block the boot process or alert the security team if any changes are detected. Therefore, Measured boot is the BEST option for protecting the kiosk computer from the installation of a rootkit via removable media.

Zdane

It sounds ok, but ChatGPT often hallucinates the info it provides, even making up the sources. I would not depend on it in the search for "truth".

user82

Yup, it just told me the answer is D. So there you go

user82

I meant C

BD69

ChatGPT is often wrong and lacks true understanding, so take its suggestions with a grain of salt. In this case an EDR is useless for a bootable USB (you can disable all bootable devices in the UEFI) and would only detect a rootkit delivery system, not a rootkit. Also you have to consider that EDR is mostly useless for zero-day attacks, and consider that, even if the USB malware did install a rootkit from the OS, on the next boot it would be immediately detected, if you configured boot attestation correctly.

benni3c (Option: C)

Very confusing, but I believe since it talks about configuring, the UEFI provides options to configure. The rest are described as processes. https://www.professormesser.com/security-plus/sy0-601/sy0-601-video/boot-integrity/

DriftandLuna (Option: A)

What a stupid question. According to the official cert guide: "The second security feature intended to help prevent boot-level malware is measured boot. These boot processes measure each component, starting with the firmware and ending with the boot start drivers. Measured boot does not validate against a known good list of signatures before booting; instead, it relies on the UEFI firmware to hash the firmware, bootloader, drivers, and anything else that is part of the boot process." That seems to suggest option A is a part of option C. But it doesn't end there; it goes on to say: "The data gathered is stored in the Trusted Platform Module (TPM), and the logs can be validated remotely to let security administrators know the boot state of the system. This boot attestation process allows comparison against known good states, and administrators can take action if the measured boot shows a difference from the accepted or secure known state." So that then says measured boot is a UEFI-driven boot attestation process, so take your pick from A, B or C!

guestionme

I'm over this exam. A, B, and C could all be right. But it's their game and we must bow before them.

shady23 (Option: C)

Unified Extensible Firmware Interface (UEFI) is a specification for a software program that connects a computer's firmware to its operating system (OS). UEFI is expected to eventually replace basic input/output system (BIOS) but is compatible with it.

david124 (Option: A)

Measured Boot is intended to prevent boot-level malware. Unlike Secure Boot, Measured Boot doesn't validate against a known good list of signatures before booting. Instead, it relies on the UEFI firmware to hash the firmware, bootloader, drivers, and anything else that is part of the boot process. Then the data gathered is stored in the TPM. This boot attestation process allows comparison against known good states, and admins can take action if the measured boot shows a difference from the accepted or secure known state.

TONADO (Option: A)

I go with answer A: According to the CompTIA Sec+ Study Guide, Secure Boot or Measured Boot is a feature of Unified Extensible Firmware Interface (UEFI) that ensures that code that is executed during the boot process has been authenticated by a cryptographic signature. Secure Boot prevents malicious code from running at boot time, thus providing assurance that the system is executing only the code that is legitimate. This provides a measure of protection against rootkits and other malicious code that is designed to run at boot time.

Fyssy (Option: C)

UEFI, especially when combined with Secure Boot, provides a robust defense against rootkits. Secure Boot is a feature of UEFI that ensures only signed and trusted operating system bootloaders and drivers can be loaded during the boot process. This helps prevent unauthorized code, such as rootkits, from being loaded, even if someone tries to install them via removable media.

[Removed] (Option: C)

I'm thinking UEFI.

rasadebayor (Option: A)

The best answer is A. Measured boot. Measured boot is a security feature that helps to protect systems from rootkits and other malware. It works by creating a cryptographic hash of all critical system components during the boot process. This hash is then stored in a trusted platform module (TPM). If any changes are detected to the critical system components, the boot process is halted and the user is alerted.

Froggy300 (Option: A)

Measured boot will check startup components including firmware/boot drivers and only allow approved versions.

BD69 (Option: B)

Measured boot is typically for hardware and driver checking. I don't see it helping prevent a rootkit. Boot attestation, on the other hand, confirms the OS has not been tampered with. That said, B would be the most prudent choice, IMO. The problem with EDR is that it loads AFTER the OS and can't detect if a rootkit was installed or not (if a zero-day, you're screwed). If you configure your boot process, you can prevent a bootable USB from ever running in the first place. (you can disable all the USB ports as well, in UEFI, but then you can't use them and the kiosk may need it - depending on what the kiosk's function is)

BD69

I'm going with A, actually. The reason is that Boot Attestation is something that Measured Boot is part of: it reports boot measurements to the attestation service, which then verifies the state of the computer. The Boot Measurements include Secure Boot (UEFI) and Trusted Boot (verifies that the OS and system drivers are properly signed and trusted). As I said before, EDR is useless in preventing a bootable USB (rootkits generally need the system to re-boot after deposition to become truly active), especially for a zero-day attack.

LordJaraxxus (Option: A)

Many organizations implement boot integrity processes. These processes verify the integrity of the operating system and boot loading systems. For example, it can verify that key operating system files haven’t been changed. A measured boot goes through enough of the boot process to perform these checks without allowing a user to interact with the system. If it detects that the system has lost integrity and can no longer be trusted, the system won’t boot.

AceVander (Option: D)

Since the question says the OS has been "hardened and tested", I know that the OS has already been installed, and Secure Boot must be enabled before the installation of an OS. (Even though most computers these days have UEFI Secure Boot enabled by default.) A, B, and C are processes or provided by UEFI Secure Boot. Even if I do not assume UEFI Secure Boot is enabled by default, the question asks what should be "CONFIGURED?" UEFI Secure Boot is enabled (not configured), and the main concern is removable media installing rootkits. D. EDR (makes the most sense to configure endpoint detection for removable media on the kiosk)

above

https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process