3.3 Implement secure systems design

hardware root of trust

A known secure starting point. TPM/HSMs have a private key burned into the hardware that provides a hardware root of trust.

Evaluation Assurance Level (EAL)

A level of assurance, expressed as a numeric value, based on standards set by the Common Criteria Recognition Agreement (CCRA).
- EAL1 - EAL7
- EAL4 is minimal acceptance.

Unified Extensible Firmware Interface (UEFI)

An interface between firmware on the motherboard and the operating system that improves on legacy BIOS processes for booting, handing over the boot to the OS, and loading device drivers and applications before the OS loads.

Microsoft FDE

BitLocker

Printer/Multifunction Devices

Can be used for printing, scanning, faxing, and network activity, and have local storage. May be used for reconnaissance, since they contain log files for all activity and address books. If accessed, it may be possible to print from it. Information can sometimes be gathered from the spooling file.

EMI/EMP

Can listen in on the electronic interference and recreate the video. May also be able to inject an electromagnetic impulse.

Wi-Fi-enabled microSD card vulnerabilities

Can transfer over Wi-Fi (802.11). Many have multiple vulnerabilities by gaining access to the card. Some have APIs where there are vulnerabilities. Some vendors have security for those APIs.

Service packs

Contains a lot of updates to be installed at once.

Application whitelisting/blacklisting

Creating a list of applications that are permitted (whitelisting) or denied (blacklisting) to run.

Server OS

Designed to operate as a server, e.g. web server, database server.

Disable default/unnecessary accounts

Disabling accounts that you are not using. Disabling accounts used as services, e.g. the Guest account.

Displays

The display can be reconstructed from EM signals. Firmware hacks are vulnerabilities within this hardware. There is ransomware used to disable the display.

Blacklisting

Everything runs except the listed applications.

Apple FDE

FileVault

Secure Configurations

Fine-tuning the operating system, making least functionality very secure.

Disabling unnecessary services

Identifying services that will not be used on an OS to improve security posture.

Patch Management

Incredibly important for system stability and security fixes.
- Service pack
- Monthly updates
- Emergency out-of-band updates

Monthly updates

Incremental updates

Least functionality

Limit the operating system to only what's needed based on the use.

FDE (Full Disk Encryption)

A method to encrypt an entire disk. TrueCrypt is an example. A password is needed to decrypt the data and access it. Built into the OS.

Whitelisting

Nothing runs unless it's approved, which is very restrictive.

External storage devices

Often don't require authentication; anyone who has the device can copy and transfer the data on it. If it's encrypted it can't be more secure.

Workstation OS

Optimized for user applications: email, browsing, office apps, video editing.

Kiosk OS

For public use; the OS is tightly locked down.

Appliance OS

Purpose-built; you may not be able to see the OS.

SED

Self-encrypting drive. Comes built into the disk hardware.

Network OS

Supports servers, workstations, and other network-connected devices.

Linux FDE

Unified Key Setup (LUKS)

Supply Chain

Using trusted vendors that will vouch that the appliances/devices have not touched the internet before any security is in place. Also a way to verify the hardware and software are genuine and secure.

Update options

- Windows: Windows Update, WSUS (Windows Server Update Services)
- Mac OS: Software Update, App Store
- Linux: yum, apt-get, rpm, graphical front-ends

Mobile OS

Designed for devices such as smartphones and tablet computers. Optimized for mobile hardware/applications.

Wireless keyboard and mice

Some of these support AES encryption. Data can be captured. KeySniffer is an exploit used to capture data from the keyboard, as a keylogger, over 2.4 GHz.

Emergency out-of-band updates

Zero-day and important security discoveries.

Examples of application whitelisting

- Decisions made in the operating system, built into the OSM
- Application hash: only allows applications with this unique identifier
- Certificate: allow digitally signed apps from certain publishers
- Path: only run applications in these folders
- Network zone: apps can only run from this network zone

Types of Operating Systems

- Network
- Server
- Workstation
- Appliance
- Kiosk
- Mobile OS

Secure Configuration Policies

- Stay updated with the latest patches.
- Compromised systems are re-imaged.
- Changes to the standard build (gold image) must go through change management.
- Perform regular integrity checks of operating system files.

Secure Boot

A UEFI feature that prevents a system from booting up with drivers or an OS that are not digitally signed (Digital Signatures) and trusted by the motherboard or computer manufacturer.

Remote attestation

A centralized station that reports to a verification server that reports any changes to the hardware or software to any systems that might affect the security over time. The TPM signs the list of software and hardware inventory to compare upon boot-up.

Trusted Platform Module (TPM)

A chip on the motherboard of the computer that provides cryptographic services. Random number generator. Comes with unique keys burned in during production. Password protected.

Hardware Security Module (HSM)

A device that can safely store and manage encryption keys. This can be used in servers, data transmission, protecting log files, etc. Can also be an SSL accelerator. SSL offloading device. Usually seen in large environments and clustered together with redundant power.

