3.3 Implement secure systems design
hardware root of trust
A known secure starting point. TPM/HSMs have a private key burned into the hardware that provides a hardware root of trust.
Evaluation Assurance Level (EAL)
A level of assurance, expressed as a numeric value, based on standards set by the Common Criteria Recognition Agreement (CCRA). -EAL1 - EAL7 -EAL4 is minimal acceptance.
Unified Extensible Firmware Interface (UEFI)
An interface between firmware on the motherboard and the operating system and improves on legacy BIOS processes for booting, handing over the boot to the OS, and loading device drivers and applications before the OS loads.
Microsoft FDE
BitLocker
Printer/Multifunction Devices
Can be used for Printing, scanning, faxing, network activity and have local storage. May be used as reconnaissance containing log files for all activity and address books. If accessed may be able to print from it. Sometimes gather information in the spooling file.
EMI/EMP
Can listen in to the electronic interference and can recreate the video. May also be able to inject electro magnetic impulse.
Wifi enabled microSD cards vulnerabilities
Can transfer over Wifi 802.11. Many have multiple vulnerabilies by gaining access to the card. Some have APIs where there are vulnerabilites. some vendors have security for those APIs
Service packs
Contains a lot of updates to be installed at once.
Application whitelisting/blacklisting
Creating a list of applications that are permitted (whitelisting) or denied (blacklisting) to run.
Server OS
Designed to operas as a server. Web server, database server
Disable default/unnecessary accounts
Disabling accounts that you are not using. Disabling accounts used as services eg. Guest account
Displays
Display can be reconstructed over EM signals. Firmware hacks are vulnerabilities withing this harware. There is ransomeware used to disable display.
Blacklisting
Everything runs except the listed applications.
Apple FDE
FileVault
Secure Configurations
Fine tuning the operating system making least functionality very secure.
Disabling unnecessary services
Identifying services that will not be used on an OS to improve security posture.
Patch Management
Incredibly important for system stability and security fixes. -Service pack -Monthly updates -Emergency out-of-band updates
Monthly updates
Incremental updates
Least functionality
Limit the operating system to only whats needed based on the use.
FDE (Full Disk Encryption)
Method to encrypt an entire disk. TrueCrypt is an example. Need password to decrypt data to have access to it. Built in OS
Whitelisting
Nothing runs unless its approved which is very restrictive.
External storage devices
Often dont require authentication anyone that has it can copy and xfer the data within it. If its encrypted it cant be more secure.
Workstation OS
Optimized for user application. -email, browsing, office apps, video editing.
Kiosk OS
Public use and OS is tightly locked down
Appliance OS
Purpose-built may not be able to see OS
SED
Self encrypting drive come in hardware disk
Network OS
Supports server, workstations, and other network-connected devices
Linux FDE
Unified Key Setup (LUKS)
Supply Chain
Using trusted vendors that will vouge that the appliances/devices have not touched the internet before any security is in place. Also a way to verify the hardware and software are genuine and secure.
Update options
Windows update WSUS - Windows Server Update Services. Mac OS - Software update, App Store Linux - yum, apt-get, rpm graphical front-ends
Mobile OS
designed for devices such as smartphones and tablet computers. Optimized for mobile hardware/applications
Wireless keyboard and mice
some of these are support AES encryption. Data can be captured over. KeySniffer is an exploit used to capture data from keyboard as a keylogger. over 2.4ghz
Emergency out-of-band updates
zero-day and important security discoveries
Examples of application whitelisting
-Decisions made in the operating system built into the OSM -Application Hash only allows applications with this unique identifier -Certificate allow digitally signed apps from certain publishers -Path only run applications in these folders -Network zone apps can only run from this network zone
Types of Operating Systems
-Network -Server -Workstation -Appliance -Kiosk -Mobile OS
Secure Configuration Policies
-Stay updated with he latest patches. -Compromised systems are re-imaged -Changes to the standard build (gold image) must go through change management. -Perform regular integrity checks of operating system files
Secure Boot
A UEFI feature that prevents a system from booting up with drivers or an OS that are not digitally signed (Digital Signatures) and trusted by the motherboard or computer manufacturer.
Remote attestation
A centralized station that reports to a verification server that reports any changes to the hardware or software to any systems that might effect the security over time. TPM signs the list of software and hardware inventory to compare upon bootup.
Trusted Platform Module (TPM)
A chip on the motherboard of the computer that provides cryptographic services. Random number generator. Comes with unique keys burned in during production. Password protected
Hardware Security Module (HSM)
A device that can safely store and manage encryption keys. This can be used in servers, data transmission, protecting log files, etc. Can also be an SSL accelerator. SSL offloading device. Usually seen in large environments and clustered together with redundant power.