Module 4 - Endpoint/App Dev Security

Securing endpoint computers primarily involves three major tasks:

- confirming that the computer has started securely (confirm boot security)
- protecting the computer from attacks (protect endpoints)
- hardening endpoints for even greater protection

File and code repositories

A storage area in which victims of an attack can upload malicious files and software code that can then be examined by others to learn more about these attacks and craft their defenses. - Several entities of the U.S. government—including the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense (DoD) U.S. Cyber Command—are particularly active in posting to these - Often samples of recently discovered malware variants are uploaded to the VirusTotal malware aggregation repository along with published detailed malware analysis reports (MARs) containing IOCs for each malware variant. - Source of Threat Intelligence

4. production stage

An application development stage in which the application is released to be used in its actual setting.

Trusted Automated Exchange of Intelligence Information (TAXII)

An application protocol for exchanging cyberthreat intelligence over Hypertext Transfer Protocol Secure (HTTPS). - defines an application protocol interface (API) and a set of requirements for clients and servers exchanging cybersecurity threat information

blacklisting

Creating a list of unapproved software so that any item not on the list of blacklisted applications can run. - default-allow

quarantine (Confinement Tools for OS security)

The process that holds a suspicious DOCUMENT - most commonly used with email attachments - process removes the attachment and, depending upon the policy set by the organization, either sends the user a sanitized version of the attachment or a URL to the document on a restricted computer so that the user can view, print, or delete the attachment.

One of the steps that is often overlooked in securing endpoint computers is to:

confirm that the computer has started without any malicious activity taking place. - Ensuring secure startup involves the Unified Extensible Firmware Interface (UEFI) and its boot security features.

(T/F) AIS is used more extensively with public information sharing centers than private centers.

true

(T/F) Cookies are a workaround of the stateless protocol HTTP.

true

(T/F) Dynamic analysis uses heuristic monitoring.

true

(T/F) Today users have fewer—if any—options regarding patches

true - usually patches are automatically downloaded and installed whenever they become available. - This is called auto-update, and it ensures that the software is always up to date.

heuristic monitoring (newer approach to antivirus monitoring)

uses a variety of techniques to spot the characteristics of a virus instead of attempting to make matches - also called dynamic analysis - one technique is called code emulation in which a virtual environment is created that simulates the CPU and memory of the computer. - Any questionable program code is executed in the virtual environment (no actual virus code is executed by the real CPU) to determine if it is a virus.

The cause of most unsecure applications

usually the result of how the application was designed and written. - Creating and developing secure software involves understanding application development concepts, secure coding techniques, and code testing.

Advantages of using an automated patch update service

- Downloading patches from a local server instead of using the vendor's online update service can save bandwidth and time - Administrators can approve or decline updates for client systems, force updates to install by a specific date, and obtain reports on what updates each computer needs. - Administrators can approve updates for "detection" only; this allows them to see which computers require the update without installing it

the stages of general application development

1. development 2. testing 3. staging 4. production

the 3 types of monitoring and response systems for endpoint computers

1. host intrusion detection systems (HIDS) 2. host intrusion prevention systems (HIPS) 3. endpoint detection and response (EDR)

hardening endpoints involves 2 major functions:

1. patch management 2. OS protections

two major concerns around public information sharing centers

1. the privacy of shared information - An organization that is the victim of an attack must be careful not to share proprietary or sensitive information 2. the speed at which the information is shared - automated indicator sharing (AIS) can help speed up the distribution of threat intelligence information

sandbox (Confinement Tools for OS security)

A "container" in which an application can be run so that it does not impact the underlying OS. - anything that occurs in here is not visible to other applications or the OS outside the sandbox. - Also, the contents of it are not saved when it is closed. - often used when downloading or running suspicious programs to ensure that the endpoint will not become infected. - is not the same as a virtual machine. A virtual machine is a "computer within a computer" in which an entire OS runs as an application on top of the regular OS. However, its contents can be saved for future use. - used to contain an APPLICATION

measured boot

A boot attestation procedure in which the computer's firmware logs the boot process so it can be sent to a trusted server to assess the security. - advantages: Provides highest degree of security - disadvantages: Could slow down the boot process

secure cookie

A cookie that is only sent to the server with an encrypted request over the secure HTTPS protocol. - means of protecting cookies over the web - prevents an unauthorized person from intercepting a cookie that is being transmitted between the browser and the web server.

securing the registry (OS security configuration)

A database that contains low-level settings used by the Windows OS and for those applications that elect to use it. - Threat actors who can modify the registry could be able to disable antivirus and antimalware protections. - To mitigate this risk, the Windows 10 Tamper Protection security feature prevents Windows security settings from being changed or disabled by a threat actor who modifies the registry. - also prevents changes to security settings by programs, Windows command line commands, or through Group Policy. - a Group Policy setting can prevent access to the tool that can alter the registry. - This setting is "Prevent access to registry editing tools"

HTTP response header

A header that can inform the browser how to function while communicating with the website. - When users visit a website through their web browser, the web server answers back with these

Structured Threat Information Expression (STIX)

A language and format used to exchange cyberthreat intelligence. - All information about a threat can be represented with objects and descriptive relationships. - information can be visually represented for a security analyst to view or stored in a lightweight format to be used by a computer.

public information sharing centers

A repository by which open source cybersecurity information is collected and disseminated. - ex. the U.S. Department of Homeland Security (DHS) Cyber Information Sharing and Collaboration Program (CISCP) - enables actionable, relevant, and timely unclassified information exchange through trusted public-private partnerships across all critical infrastructure sectors. - enables its members to not only share threat and vulnerability information but also take advantage of the DHS's cyber resources

vulnerability database

A repository of known vulnerabilities and information as to how they have been exploited. - These databases create "feeds" of the latest cybersecurity incidents. - Common cybersecurity data feeds include vulnerability feeds that provide information on the latest vulnerabilities and threat feeds that outline current threats and attacks - Source of Threat Intelligence

host intrusion detection system (HIDS)

A software-based application that runs on an endpoint computer and can detect that an attack has occurred.
- primary function is automated detection, which saves someone from sorting through log files to find an indication of unusual behavior
- relies on agents installed directly on the endpoint, and these agents work closely with the OS to observe activity.
- endpoint computer functions that are monitored:
  - system calls: an instruction that interrupts the program being executed and requests a service from the operating system. Can monitor calls based on the process, mode, and action being requested.
  - file system access: System calls usually require specific files to be opened to access data. Works to ensure that all file openings are based on legitimate needs and are not the result of malicious activity.
  - host input/output: monitors all input and output communications to watch for malicious activity

3. staging stage

A stage in application development that tests to verify that the code functions as intended

2. testing stage

A stage in which an application is tested for any errors that could result in a security vulnerability.

1. development stage

A stage of application development in which the requirements for the application are established and it is confirmed that the application meets the intended business needs before the actual coding begins.

antimalware

A suite of software intended to provide protections against multiple types of malware, such as ransomware, cryptomalware, Trojans, and other malware - some protect against spam that has evaded the corporate email gateway and monitor emails for spam and other unwanted content - spam protection is often performed using a technique called Bayesian filtering. - The software divides email messages that have been received into two piles, spam and nonspam. - The filter then analyzes every word in each email and determines how frequently a word occurs in the spam pile compared to the nonspam pile. - Bayesian filters generally trap a much higher percentage of spam than other techniques.

automated intelligence sharing (AIS)

A technology that enables the exchange of cyberthreat indicators between parties through computer-to-computer communication. - NOT email communication - Threat indicators such as malicious IP addresses or the sender address of a phishing email can be quickly distributed to enable others to repel these attacks. - Those participating in AIS generally are connected to a managed system controlled by the public information sharing center that allows bidirectional sharing of cyberthreat indicators. Not only do participants receive indicators, but they can also share indicators they have observed in their own network defenses to the public center - 2 tools facilitate this: 1. structured threat information expression (STIX) 2. trusted automated exchange of intelligence information (TAXII)

predictive analysis

An evaluation used for discovering an attack before it occurs. - indicators of compromise (IOCs) are used to aid in this - helps determine when and where attacks may occur.

threat map

An illustration of cyberthreats overlaid on a diagrammatic representation of a geographical area. - help in visualizing attacks and provide a limited amount of context of the source and the target countries, the attack types, and historical and near real-time data about threats. - may look impressive, but in reality, they provide limited valuable information. - Many maps claim that they show data in real time, but most are simply a playback of previous attacks. - Because threat maps show anonymized data, it is impossible to know the identity of the attackers or the victims. - many cybersecurity professionals question the value of these - Source of Threat Intelligence

UEFI (Unified Extensible Firmware Interface)

An improved firmware interface developed to replace the BIOS. - includes the ability to access hard drives that are larger than two terabytes (TB), support for an unlimited number of primary hard drive partitions, faster booting, and support for networking functionality in the UEFI firmware itself to aid in remote troubleshooting. - also has a more advanced user interface for configurations and information - this is now the standard (BIOS support ended 2020 for motherboard manufacturers)

indicator of compromise (IOC)

An indicator that malicious activity is occurring but is still in the early stages. - making this info available to others can prove to be of high value as it may indicate a common attack that other organizations are also experiencing or will soon experience. - this info aids others in their predictive analysis or discovering an attack before it occurs

antispyware

Another component of an antimalware suite - helps prevent computers from becoming infected by spyware - common technique is to use a pop-up blocker - A pop-up is a small web browser window that appears over a webpage.

open source information

Anything that could be freely used without restrictions. - category of threat intelligence sources

Whitelisting

Approving in advance only specific applications to run on the OS so that any item not approved is either restricted or denied. - default-deny

secure boot

Each firmware and software executable at boot time must be verified as having prior approval. - advantages: All system firmware, bootloaders, kernels, and other boot-time executables are validated. - disadvantages: Custom hardware, firmware, and software may not pass without first being submitted to system vendors like Microsoft.

memory management vulnerabilities (Attacks Based on Application Vulnerabilities)

Failure of programmers to create secure code, which allows vulnerabilities that manipulate computer RAM. - weaknesses in an application can create vulnerabilities in computer memory or buffer areas that can be easily exploited - result in attacks such as buffer overflow, integer overflow, pointer/object dereference, and DLL injection attacks.

HTTP Strict Transport Security (HSTS) (response header)

Forces browser to communicate over more secure HTTPS instead of HTTP - Encrypts transmissions to prevent unauthorized user from intercepting

more efficient distribution (patch reception)

If many Windows 10 devices are connected to a network, each device does not have to download the updates over the Internet individually. - Instead, once one device has downloaded the updates, they can then be distributed to the other devices across the local network. - In addition, Windows will not download updates on mobile devices unless that device is connected to an unrestricted Wi-Fi network (so that it does not use the cellular data connections that users pay for).

Appliance OS

OS in firmware that is designed to manage a specific device like a digital video recorder or video game console. - example: Linpus Linux

Mobile OS

Operating system for mobile phones, smartphones, tablets, and other handheld devices - examples: Google Android, Apple iOS, Apple iPadOS

Server OS

Operating system software that runs on a network server to provide resources to network users - examples: Microsoft Windows Server, Apple macOS Server, Red Hat Linux

private information sharing centers

Organizations participating in closed source information that restrict both access to data and participation. - Although they are similar to public sharing centers in that members share threat intelligence information, insights, and best practices, private sharing centers are restrictive regarding who may participate. - All candidates must go through a vetting process and meet certain criteria.

dark web

Part of the web that is beyond the reach of a normal search engine and is the domain of threat actors. - Special software such as Tor or I2P (Invisible Internet Project) masks the user's identity and hides the IP address, which allows for malicious activity such as selling drugs and stolen personal information and buying and selling malicious software used for attacks. - Some security professionals and organizations use the dark web on a limited basis to look for signs that information critical to that enterprise is being sought out or sold - Source of Threat Intelligence

third party updates

Patch updates for application and utility software. - These patches, however, can sometimes create new problems, such as preventing a custom application from running correctly. - Organizations that have these types of applications usually test patches when they are released to ensure that they do not adversely affect any customized applications. - In these instances, the organization delays the installation of a patch from the vendor's online update service until the patch is thoroughly tested.

X-Frame-Options (response header)

Prevents attackers from "overlaying" their content on the webpage - Foils a threat actor's attempt to trick a user into providing personal information

Cross Site Scripting Protection (X-XSS) (response header)

Prohibits a page from loading if it detects a cross-site scripting attack - Prevents XSS attacks

closed source information

Proprietary information owned by an entity that has an exclusive right to it. - Organizations that are participants in this are part of private information sharing centers that restrict both access to data and participation

Application whitelisting/blacklisting (Confinement Tools for OS security)

Requiring preapproval for an application to run or not run. - Whitelisting is approving in advance only specific applications to run on the OS so that any item not approved is either restricted or denied ("default-deny") - blacklisting is creating a list of unapproved software so that any item not on the list of blacklisted applications can run ("default-allow")

Content Security Policy (CSP) (response header)

Restricts the resources a user is allowed to load within the website - Protects against injection attacks

Endpoint detection and response (EDR)

Robust tools that monitor endpoint events and take immediate action. - have a similar functionality to HIDS of monitoring endpoint events and of HIPS of taking immediate action. - however, tools are considered more robust - can aggregate data from multiple endpoint computers to a centralized database so that security professionals can further investigate and gain a better picture of events occurring across multiple endpoints instead of just on a single endpoint. - can help determine if an attack is more widespread across the enterprise and if more comprehensive and higher-level action needs to be taken. - tools can perform more sophisticated analytics that identify patterns and detect anomalies. - many of them allow for a manual or user analysis of the data.

hardware root of trust

Security checks that begin with hardware checks. - strongest starting point for chain of trust in ensuring boot security - strongest starting point is hardware, which cannot be modified like software. - Because this chain of trust begins with a hardware verification, each subsequent check can rely upon it (called boot attestation)

antivirus (AV) software

Software that can examine a computer for FILE-BASED virus infections as well as monitor computer activity and scan new documents that might contain a virus. - If a virus is detected, options generally include cleaning the file of the virus, quarantining the infected file, or deleting the file. - Log files created by AV products can also provide beneficial information regarding attacks. - Many AV products use signature-based monitoring, also called static analysis. The AV software scans files by attempting to match known virus patterns against potentially infected files (called string scanning). - Other variations include wildcard scanning (a wildcard is allowed to skip bytes or ranges of bytes instead of looking for an exact match) and mismatch scanning (mismatches allow a set number of bytes in the string to be any value regardless of their position in the string)

Workstation OS

Software that manages hardware and software on a client computer - examples: Microsoft Windows, Apple macOS, Ubuntu Linux

host intrusion prevention system (HIPS)

Software that monitors endpoint activity to immediately block a malicious attack by following specific rules. - not only monitors to detect malicious activities but also attempts to stop them. - activity watched for includes an event that attempts to control other programs, terminate programs, and install devices and drivers. - when it blocks an action, it then alerts the user so an appropriate decision about what to do can be made.

Network OS

Software that runs on a network device like a firewall, router, or switch - examples: Cisco Internetwork Operating System (IOS), Juniper JUNOS, MikroTik RouterOS

Disabling default accounts/passwords (OS security configuration)

Some OSs include unnecessary accounts. For example, Microsoft Windows 10 includes a built-in Administrator account that can be used for those building new computers to run programs and applications before a user account is created. - In addition, some accounts may come with default passwords that should be changed.

Kiosk OS

System and user interface software for an interactive kiosk - examples: Microsoft Windows, Google Chrome OS, Apple iOS, Instant WebKiosk, KioWare (Android)

An IOC (indicator of compromise) occurs when what metric exceeds its normal bounds?

The KRI (key risk indicator)

caution when utilizing the secure boot function

The Secure Boot security standard is designed to ensure that a computer boots using only software that is trusted by the computer manufacturer. - Manufacturers can update the list of trusted hardware, drivers, and OS for a computer, which are stored in the Secure Boot database on the computer. - Although it is possible for the user to disable Secure Boot to install hardware or run software or OS that have not been trusted by the manufacturer, this makes it difficult or impossible to reactivate Secure Boot without restoring the computer back to its original factory state.

boot security (improvement over BIOS by using UEFI)

The ability to update the BIOS in firmware also opened the door for a threat actor to create malware to infect the BIOS. - Called a BIOS attack, it would exploit the update feature of the BIOS. Because the BIOS resides in firmware and an infected BIOS would then persistently re-infect the computer whenever it was powered on, BIOS attacks were difficult to uncover and hard to disinfect. - UEFI, used along with other components, is designed to combat these BIOS vulnerabilities and provide improved boot security. - involves validating that each element used in each step of the boot process has not been modified. - This process begins with the validation of the first element (boot software). - Once the first element has been validated, it can then validate the next item (such as software drivers) and so on until control has been handed over to the OS. - This is called a chain of trust: each element relies on the confirmation of the previous element to know that the entire process is secure. - chain of trust requires strong starting point

auto-update

The automatic download and installation of patches as they become available. - ensures that the software is always up to date.

boot attestation

The process of determining that the boot process is valid. - works best with hardware root of trust

Executable files attack (Attacks Based on Application Vulnerabilities)

Trick the vulnerable application into modifying or creating executable files on the system - defense: Prevent the application from creating or modifying executable files for its proper function

Process spawning control (Attacks Based on Application Vulnerabilities)

Trick the vulnerable application into spawning executable files on the system - defense: Take away the process spawning ability from the application

Disabling unnecessary ports and services (OS security configuration)

Turning off any service that is not being used and closing any unnecessary TCP ports to enhance security. - examples: Microsoft Windows ASP.NET State Service, Portable Device Enumerator Service, and Apple macOS Spotlight Indexing

important note about UEFI and boot security

UEFI by itself does not provide enhanced boot security. It must be paired with other boot security functions.

no selective updates (patch reception)

Unlike in previous versions of Windows, users cannot select individual Windows updates to download and install. - However, users can select if they want to receive updates for other installed Microsoft products (such as Office).

system tampering (Attacks Based on Application Vulnerabilities)

Use the vulnerable application to modify special sensitive areas of the operating system (Microsoft Windows registry keys, system startup files, etc.) and take advantage of those modifications - defense: Do not allow applications to modify special areas of the OS

forced updates (patch reception)

Users can no longer refuse or indefinitely delay security updates. - By default, all updates will be downloaded and installed automatically. However, users can defer the "quality updates" (those with security patches) but only for seven days (Windows 10 Home edition) or 35 days (all other versions). - New feature updates (those without security patches) can be delayed for 35 days (Windows 10 Home edition) or 365 days (all other versions).

legacy BIOS boot

Uses BIOS for boot functions - advantages: Compatible with older systems - disadvantages: No security features

UEFI Native Mode boot

Uses UEFI standards for boot functions - advantages: Security boot modules can be patched or updated as needed - disadvantages: No validation or protection of the boot process

trusted boot

Windows OS checks the integrity of every component of boot process before loading it. - advantages: Takes over where Secure Boot leaves off by validating the Windows 10 software before loading it - disadvantages: Requires using Microsoft OS

security template (Windows)

a collection of security configuration settings. - These settings typically include account policies, user rights, event log settings, restricted groups, system services, file permissions, and registry permissions. - Once a single endpoint computer has been configured properly, a security template from that device can be developed and used for deploying to other systems. - Predefined security templates are also available to be imported, and these settings then can be modified - requires an administrator to access each computer and apply the security template either through using the command line or a snap-in, which is a software module that provides administrative capabilities for a device - preferred method is to use Group Policy, which is a feature that provides centralized management and configuration of computers and remote users who are using specific Microsoft directory services known as Active Directory (AD)

adversary tactics, techniques, and procedures (TTP)

a database of the behavior of threat actors and how they orchestrate and manage attacks. - Source of Threat Intelligence

drawback of host intrusion prevention system (HIPS)

a high number of false positives can be generated. - Both legitimate and malicious programs often access the same resource, and each can cause a HIPS to then block the action.

Key risk indicators (KRIs)

a metric of the upper and lower bounds of specific indicators of normal network activity. - indicators may include the total network logs per second, number of failed remote logins, network bandwidth, and outbound email traffic - one of these that exceeds its normal bounds could be an indicator of compromise (IOC)

root directory

a specific directory on a web server's file system, and users who access the server are usually restricted to the root directory and directories and files beneath the root directory, but they cannot access other directories.

directory traversal attack (Attacks Based on Application Vulnerabilities)

attack takes advantage of a vulnerability in the web application program or the web server software so that a user can move from the root directory to other restricted directories. - The ability to move to another directory could allow an unauthorized user to view confidential files or even enter commands to execute on a server, known as command injection

how can an organization prevent its employees from installing the latest patch until it has passed testing and still ensure that all users download and install necessary patches?

automated patch update service

cookies

can contain a variety of information based on the user's preferences when visiting a website - can also store any personally identifiable information (name, email address, work address, telephone number, and so on) that was provided when visiting the site - however, a website cannot gain access to private information stored on the local computer. - can pose security risks as well as privacy risks. - First-party cookies can be stolen and used to impersonate the user, while third-party cookies can be used to track the browsing or buying habits of a user. - When multiple websites are serviced by a single marketing organization, cookies can be used to track browsing habits on all the client's sites.

first party cookie

cookie created from the website that a user is currently viewing; whenever the user returns to this site, that cookie is used by the site to view the user's preferences and better customize the browsing experience.

session cookie

cookie that is stored in random-access memory (RAM), instead of on the hard drive, and only lasts for the duration of visiting the website.

third party cookie

cookies that come from third parties that advertise on the site and want to record the user's preferences. - some websites attempt to place these cookies on the local hard drive

(T/F) In a Trusted Boot, the endpoint's firmware logs the boot process so the OS can send it to a trusted server to assess the security.

false - this is a measured boot

BIOS (Basic Input/Output System)

firmware used on early personal computers, both Apple Mac and Windows PC to help with a secure boot
- The BIOS was a chip integrated into the computer's motherboard. When the computer was powered on, the BIOS software would "awaken" and perform the following steps in a legacy BIOS boot:
  1. The BIOS would first test the various components of the computer to ensure that they were functioning properly (called the POST or Power-On Self-Test).
  2. The BIOS would reference the Master Boot Record (MBR) that specified the computer's partition table, which instructed the BIOS where the computer's operating system (OS) could be located.
  3. The BIOS passed control to the installed boot loader, which launched the OS.
- Originally, BIOS firmware was stored in a ROM (read-only memory) chip on the motherboard, supplemented by a CMOS (complementary metal-oxide-semiconductor) chip that stored any changes to the BIOS.
- Later computer systems stored the BIOS contents in flash memory so it could be easily updated.
- Although BIOS chips were nonvolatile (they retained the information even when the computer was turned off), CMOS needed its own dedicated power source, which was a lithium-ion battery about the size of a coin that could hold a charge for up to 10 years before needing to be replaced.
- If the CMOS battery died, the BIOS settings were not lost but instead were reset to their default settings.

deep web

includes exclusive and protected websites (corporate email, material behind a digital paywall, cloud hosting services, etc.) that are hidden from a search engine and cannot be accessed without valid credentials

clear web

includes ordinary websites (social media, ecommerce, news, etc.) that most users access regularly and can be located by a search engine

HTTP (Hypertext Transfer Protocol) (security in web browsers)

is the Internet-based protocol that is the foundation of all data exchanges on the web.
- It is a client-server protocol so that requests are initiated by the recipient or client, usually a web browser, to a web server.
- one limitation is that it is a stateless protocol. Unlike a stateful protocol, which "remembers" everything that occurs between the browser client and the server, a stateless protocol "forgets" what occurs when the session is interrupted or ends.
- 3 ways stateless protocol HTTP can mimic a stateful protocol:
  1. Using a URL extension so the state is sent as part of the URL as a response
  2. Using "hidden form fields" in which the state is sent to the client as part of the response and returned to the server as part of a form's hidden data
  3. Storing user-specific information in a file on the user's local computer and then retrieving it later; this file is called a cookie.

One of the most important steps in securing an endpoint computer

patch management - promptly install patches - Effective patch management involves two types of patch management tools to administer patches. - The first type includes tools for patch distribution, while the second type involves patch reception.

automated patch update service

service is used to manage patches within the enterprise instead of relying upon the vendor's online update service. - typically consists of a component installed on one or more servers inside the corporate network - usually only one of the servers must be connected to the vendor's online update service

Employing least functionality (OS security configuration)

states a user should only be given the minimum set of permissions required to perform necessary tasks; all other permissions should be configured as not available to the user. - For example, a user should not have the ability to modify system security features.

weakness in signature based monitoring in antivirus software

the AV vendor must constantly be searching for new viruses, extracting virus signatures, and distributing those updated databases to all users. - Any out-of-date signature database could result in an infection.

While all endpoints must be protected from attacks, endpoint desktop and laptop computers must be secured because:

they are connected to corporate networks and their data, they contain data stored locally, and they can be used as a springboard to attack other endpoints.

open source threat intelligence information (OSINT)

threat intelligence information that is freely available to the public

OS hardening

tighten security during the design and coding of the OS - An OS that has been designed in this way to be secure is a trusted OS.

