security+ chapter2

The following is a list of those essential items that should be implemented to ensure that any operating system is secure:

1. Make certain that the operating system is patched. Without updating the operating system itself, other security measures will be less effective. 2. Turn off any unneeded services, accounts, or other methods of accessing the system. 3. Turn on sufficient logging to allow you to audit the system and to understand what has occurred on the operating system. 4. If the operating system has an inherent firewall, turn it on and see that it is properly configured. 5. Run an appropriate antimalware software package.

Patch Management

1. Read the description of the patch in question. Is this simply an update to functionality, or is it a vital security patch? Depending on the nature of the patch, you will decide when to schedule deployment. 2. Deploy the patch on a test system that is identical to the systems to which you intend to roll it out. This should let you quickly detect any serious or obvious issues. 3. If the patch passes the initial test, then roll it out to a small number of live systems. Wait some appropriate period of time and then continue the rollout in stages. What is an appropriate wait time will depend on the nature of the patch. Critical security patches should be deployed with as much haste as you can while still testing the patch. Capability upgrades can be slowly rolled out over a period of time. Another critical aspect is to have a backout plan. Documentation is also an important aspect of patch management.

VPN concentrator

A VPN concentrator is a hardware device used to create remote access VPNs.

information security management system (ISMS)

A broad term that applies to a wide range of systems used to manage information security.

Honeypot

A fake system designed to divert attackers from your real systems. It is often replete with logging and tracking to gather evidence. The concept of a honeypot is a separate system that appears to be an attractive target but is in reality a trap for attackers (internal or external).

Packet Filter Firewalls

A firewall operating as a packet filter passes or blocks traffic to specific addresses based on the type of application.

Stateful Packet Inspection (SPI)

A firewall that not only examines each packet but also remembers the recent previous packets.

bastion host

A host that exists outside the DMZ and is open to the public is often called a bastion host. Routers and firewalls, because of where they must exist, often constitute bastion hosts.

Demilitarized Zone (DMZ)

A network segment between two firewalls. One is outward facing, connected to the outside world, the other inward facing, connected to the internal network. Public-facing servers, such as web servers, are often placed in a DMZ. A demilitarized zone (DMZ) is an area where you can place a public server for access by people whom you might not trust otherwise.

Honeynet

A network that functions in the same manner as a honeypot. A honeynet is the next logical extension of a honeypot. In this case, there is a fake net- work segment that appears to be a very enticing target.

Proxy Firewalls

A proxy firewall can be thought of as an intermediary between your network and any other network. Proxy firewalls are used to process requests from an outside network; the proxy firewall examines the data and makes rule-based decisions about whether the request should be forwarded or refused. isolating the user from the external network. it can increase the efficiency of data delivery. uses two network interface cards (NICs)

root of trust (RoT)

A root of trust is a security process that has to begin with some unchangeable hardware identity often stored in a TPM

self-encrypting drive (SED)

A self-encrypting drive (SED) has a controller chip built into it that automatically encrypts the drive and decrypts it, provided the proper password is entered. The encryption key used in SEDs is called the media encryption key (MEK). Locking and unlocking a drive requires another key, called the key encryption key (KEK), supplied by the user. The KEK is used to decrypt the MEK, which in turn is what encrypts and decrypts the drive.

intrusion prevention system (IPS)

A system that monitors the network for possible intrusions and logs that activity and then blocks the traffic that is suspected of being an attack.

Intrusion Detection System (IDS)

A system that monitors the network for possible intrusions and logs that activity.

Tunneling/VPN

A virtual private network (VPN) is a private network connection that occurs through a public network.

When implementing controls to mitigate any security issue, controls can be classified into one of three categories

Administrative controls are all the policies, procedures, and processes that are in place to support security. Technical controls involve software and hardware. You must couple technical controls to administrative controls in order to mitigate security threats effectively. First and foremost, users (including technical users) must be properly trained in the use of technical controls. End users also need to be trained in how to deal with the threats they face

personally identifiable information (PII)

Any information that could identify a particular individual.

Appliance operating systems and kiosk operating systems

Appliance operating systems and kiosk operating systems are both limited to a specific purpose.

Appliances

Appliances are freestanding devices that operate in a largely self-contained man- ner, requiring less maintenance and support than a server-based product.

BIOS (basic input/output system)

BIOS (basic input/output system) was the older method for handling bootup information for a computer. to store information that the computer needs when booting up

Client and server operating systems

Client and server operating systems are very similar.

Extranets

Extranets present more security issues than do intranets. You are now allowing an out- side entity access to a part of your internal network.

separate environments

For applications, the first stage is the development environment. This is where the application is developed For applications, operating systems, and devices, there should be a test environment. Next is staging. Normally, any new addition to a network is deployed in stages, not simply put out to the entire network. This is particularly important with applications or even patches for existing applications and operating systems. When there is any doubt about a new item on the network, put the new item into a sand- box. A sandbox is a term for a test environment that is completely isolated from the rest of the network. The concept is to test the new item completely while it is isolated from the network and cannot affect it.

Full Disk Encryption (FDE)

Full disk encryption (FDE) is encrypting the entire disk, rather than a specific file or folder.

Hardware security modules (HSMs)

Hardware security modules (HSMs) are devices that handle digital keys.

ISA/IEC-62443

ISA/IEC-62443 is a series of standards that define procedures for implementing electronically secure industrial automation and control systems (IACSs).

ISO 27017 standard

ISO 27017 is guidance for cloud security. It does apply the guidance of ISO 27002 to the cloud but then adds seven new controls. CLD.6.3.1 This is an agreement on shared or divided security responsibilities between the customer and cloud provider. CLD.8.1.5 This control addresses how assets are returned or removed from the cloud when the contract is terminated. CLD.9.5.1 This control states that the cloud provider must separate the customers' virtual environment from other customers or outside parties. CLD.9.5.2 This control states that the customer and the cloud provider both must ensure the virtual machines are hardened. CLD.12.1.5 It is solely the customer's responsibility to define and manage administrative operations CLD.12.4.5 The cloud provider's capabilities must enable the customer to monitor their own cloud environment. CLD.13.1.4 The virtual network environment must be configured so that it least meets the security policies of the physical environment

ISO 27018

ISO 27018 defines privacy requirements in a cloud environment—particularly how the customer and cloud provider must protect personally identifiable information (PII).

Stateful inspection is also referred to as stateful packet inspection (SPI) filtering

In an SPI firewall, the entire conversation between client and server is examined.

Defense in Depth

It simply means that it should never be the case that your security is either all or primarily focused on your network's borders.

Intranet

Many organizations utilize websites that are only accessible within the organization's network. These are referred to as intranets.

Mobile operating systems

Mobile operating systems are now similar to server and client operating systems.

NERC CIP 007-6

NERC CIP (Critical Infrastructure Protection) 007-6 in par- ticular addresses patching of all systems. This standard requires that all registered entities check for new patches at least once every 35 days.

NIST 800-30

NIST 800-30 is the U.S. standard for how to conduct risk assessments.

Network operating systems

Network operating systems define how the network will function. The network operat- ing system is determined by the operating system used on the domain controller.

Zones

One of the most elementary aspects of network security is to segment your network into zones. Each zone has a different level of security.

Secure Boot

Secure boot is a process whereby the BIOS or UEFI makes a cryptographic hash of the operating system boot loader and any boot drivers and compares that against a stored hash. Another option is to store the hash in some secure server remote from the computer being protected. This leads to remote attestation.

Software-defined networking (SDN)

Software-defined networking (SDN) is a relatively recent trend that can be useful both in placing security devices and in segmenting the network. Essentially in an SDN, the entire network is virtualized. This allows a relatively easy segmentation of the network. It also allows the administrator to place virtualized security devices in any place that he or she wishes.

Stateless firewalls

Stateless firewalls make decisions based on the data that comes in the packet, for example, and not based on any complex decisions.

software-defined network (SDN)

The entire network, including all security devices, is virtualized.

Secure Configurations

The first is least functionality. This is similar to the concept of least privileges. The system itself should be configured and capable of doing only what it is intended to do and no more. The next issue is to lock down the system as much as possible.

Payment Card Industry Data Security Standard (PCI-DSS)

The main focus of the PCI-DSS is the security controls and objectives that companies that process credit cards should implement. PCI-DSS control objectives 1. Build and Maintain a Secure Network 2. Protect Cardholder Data 3. Maintain a Vulnerability Management Program 4. Regularly Monitor and Test Networks 5. Maintain a Vulnerability Management Program

Vendor Diversity

The probability of all three products, created by different vendors and using different detection algorithms, missing a specific malware is far lower than any one of them alone missing it.

operating system hardening

The process of making a system as secure as it can be, with- out the addition of third-party software, devices, or other security controls, is often termed operating system hardening.

correlation engines

These are applications that look at firewall logs, often from diverse firewalls, and attempt to correlate the entries to understand possible attacks. The placement of the correlation engine need not be proximate to the firewall, as long as the correlation engine can access and examine the firewall logs.

Special Publication 800-82

This document begins by examining the threats to these systems in detail. The standard then dis- cusses how to develop a comprehensive security plan for such systems.

NIST SP 800-53

This document organizes security measures into families of controls, such as risk assessment, access control, incident response, and others. The document also defines three levels of minimum security controls.

air gap

This occurs when one or more systems are literally not connected to a network Obviously, this can reduce the use- fulness of many systems, and it is not the right solution for every situation. In some cases, however, a system can be sensitive enough that it needs not to be connected to a network. Having an air-gapped backup server is often a good idea. This is one certain way of pre- venting malware infections on that system.

ISO 27002 Standard

This standard recom- mends best practices for initiating, implementing, and maintaining information security management systems (ISMSs). 5. Information Security Policies 6. Organization of Information Security 7. Human Resource Security 8. Asset Management 9. Access Control 10. Cryptography 11. Physical and Environmental Security 12. Operation Security: Procedures and Responsibilities 13. Communication Security 14. System Acquisition, Development and Maintenance 15. Supplier Relationships 16. Information Security Incident Management 17. Information Security Aspects of Business Continuity Management

Trusted platform modules (TPMs)

Trusted platform modules (TPMs) are dedicated processors that use cryptographic keys to perform a variety of tasks.

UEFI (Unified Extensible Firmware Interface)

While UEFI has a number of newer and better features compared to BIOS to store information that the computer needs when booting up

The easiest device to place is the firewall.

You are probably already aware that you need a firewall at your network's perimeter. Beyond that, you should in fact place a firewall at every junction of a network zone. Each segment of your network should be protected by a firewall.

control diversity

You should not rely on a single control to address any security threat.

NIST Special Publication 800-14

describes common security principles that should be addressed within security policies. The purpose of this document is to describe 8 principles and 14 practices that can be used to develop security policies. A significant part of this document is dedicated to auditing user activity on a network. The eight principles are as follows: 1. Computer security supports the mission of the organization. 2. Computer security is an integral element of sound management. 3. Computer security should be cost-effective. 4. System owners have security responsibilities outside their own organizations. 5. Computer security responsibilities and accountability should be made explicit. 6. Computer security requires a comprehensive and integrated approach. 7. Computer security should be periodically reassessed. 8. Computer is security is constrained by societal factors. The 14 practice areas are as follows: 1. Policy 2. Program Management 3. Risk Management 4. Life Cycle Planning 5. Personnel/User Issues 6. Preparing for Contingencies and Disasters 7. Computer Security Incident Handling 8. Awareness and Training 9. Security Considerations in Computer Support and Operations 10. Physical and Environmental Security 11. Identification and Authentication 12. Logical Access Control 13. Audit Trails 14. Cryptography

NIST 800-35

is an over- view of information security. In this standard, six phases of the IT security life cycle are defined: Phase 1: Initiation At this point the organization is looking into implementing some IT security service, device, or process. Phase 2: Assessment This phase involves determining and describing the organization's current security posture. It is recommended that this phase use quantifiable metrics. Phase 3: Solution This is where various solutions are evaluated and one or more is selected. Phase 4: Implementation In this phase, the IT security service, device, or process is implemented. Phase 5: Operations Phase 5 is the ongoing operation and maintenance of the security service, device, or process that was implemented in Phase 4. Phase 6: Closeout At some point, whatever was implemented in Phase 4 will be concluded. Often this is when a system is replaced by a newer and better system.

NIST Special Publication 800-12

provides a broad overview of computer security. It primarily deals with areas of security controls. it emphasizes the need to address computer security throughout the system development life cycle, not just after the system is developed.

Standard: ISO IEC 27001:2013

specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. it encourages you to look at those issues specific to your organization. This includes your organization's capabilities as well as its corporate culture. These factors can significantly influence what security measures are even feasible for your organization. identify all the relevant parties that have an interest in your organization's security management. This includes executives and department heads, but it could also include vendors, partners, and, in some cases, customers. After identifying the relevant parties, next identify their requirements as well as their expectations. This framework will not provide you with specific to-do lists. However, a generalized approach of how you manage security is the correct place to begin.

Establishing a secure baseline is an important concept in secure networking.

this is a process whereby you find a baseline for any system, application, or service that is considered secure. to monitor that system to ensure that it has not deviated from that baseline. This process is defined as integrity measurement.