Chapter 12
What are the basic steps needed in the process of securing a system?
*1.* patch operating systems and applications using auto-update *2.* patch third-party applications *3.* restrict admin privileges to users who need them *4.* white-list approved applications
A plan needs to identify appropriate personnel to install and manage the system, noting any training needed. *A.* True *B.* False
*A.* True
Each layer of code needs appropriate hardening measures in place to provide appropriate security services. *A.* True *B.* False
*A.* True
It is possible for a system to be compromised during the installation process. *A.* True *B.* False
*A.* True
The ______ process retains copies of data over extended periods of time in order to meet legal and operational requirements. *A.* archive *B.* virtualization *C.* patching *D.* backup
*A.* archive
The first critical step in securing a system is to secure the __________. *A.* base operating system *B.* system administrator *C.* malware protection mechanisms *D.* remote access privileges
*A.* base operating system
Cryptographic file systems are another use of _______. *A.* encryption *B.* testing *C.* virtualizing *D.* acceleration
*A.* encryption
Lower layer security does not impact upper layers. *A.* True *B.* False
*B.* False
Most large software systems do not have security weaknesses. *A.* True *B.* False
*B.* False
__________ applications is a control that limits the programs that can execute on the system to just those in an explicit list. *A.* Virtualizing *B.* White listing *C.* Logging *D.* Patching
*B.* White listing
The ______ process makes copies of data at regular intervals for recovery of lost or corrupted data over short time periods. *A.* logging *B.* backup *C.* hardening *D.* archive
*B.* backup
The needs and policy relating to backup and archive should be determined ______. *A.* as a final step *B.* during the system planning stage *C.* during security testing *D.* after recording average data flow volume
*B.* during the system planning stage
______ systems should not run automatic updates because they may possibly introduce instability. *A.* Configuration controlled *B.* Policy controlled *C.* Change controlled *D.* Process controlled
*C.* Change controlled
Once the system is appropriately built, secured, and deployed, the process of maintaining security is ________. *A.* complete *B.* no longer a concern *C.* continuous *D.* sporadic
*C.* continuous
The first step in deploying new systems is _________. *A.* security testing *B.* installing patches *C.* planning *D.* secure critical content
*C.* planning
______ are resources that should be used as part of the system security planning process. *A.* Texts *B.* Online resources *C.* Specific system hardening guides *D.* All of the above
*D.* All of the above
Security concerns that result from the use of virtualized systems include ______. *A.* guest OS isolation *B.* guest OS monitoring by the hypervisor *C.* virtualized environment security *D.* all of the above
*D.* all of the above
The following steps should be used to secure an operating system: *A.* test the security of the basic operating system *B.* remove unnecessary services *C.* install and patch the operating system *D.* all of the above
*D.* all of the above
The most important changes needed to improve system security are to ______. *A.* disable remotely accessible services that are not required *B.* ensure that applications and services that are needed are appropriately configured *C.* disable services and applications that are not required *D.* all of the above
*D.* all of the above
security planning process? *A.* how users are authenticated *B.* the categories of users of the system *C.* what access the system has to information stored on other hosts *D.* all of the above
*D.* all of the above
The range of logging data acquired should be determined _______. *A.* during security testing *B.* as a final step *C.* after monitoring average data flow volume *D.* during the system planning stage
*D.* during the system planning stage
What steps are used to maintain system security?
*1.* Initial Setup and Patching *2.* Remove unnecessary Services, Applications, and Protocols *3.* Configure Users, Groups, and Authentication *4.* Configure Resource Controls *5.* Install Additional Security Controls *6.* Test the System Security
What are the basic steps to secure virtualized systems?
*1.* carefully plan the security of the virtualized system *2.* secure all elements of a full virtualization solution, including the hypervisor, guest OSs, and virtualized infrastructure, and maintain their security *3.* ensure that the hypervisor is properly secured *4.* restrict and protect administrator access to the virtualization solution
What virtualization alternatives do we discuss securing?
*1.* full virtualization - multiple full operating system instances execute in parallel *2.* virtual machine monitor - coordinates access between each of the guests and the actual physical hardware resources: CPU, memory, disk, network, and other devices *3.* native virtualization - goal of improving the execution efficiency of the hardware *4.* hosted virtualization - they run alongside other applications on the host OS, and are used to support applications for alternate operating system versions or types
What are the main security concerns with virtualized systems?
*1.* guest OS isolation, ensuring that programs executing within a guest OS may only access and use the resources allocated to it, and not covertly interact with programs or data either in other guest OSs or in the hypervisor *2.* guest OS monitoring by the hypervisor, which has privileged access to the programs and data in each guest OS, and must be trusted as secure from subversion and compromised use of this access *3.* virtualized environment security, particularly as regards image and snapshot management, which attackers may attempt to view or modify
What are the basic steps needed to secure the base operating system?
*1.* install and patch the operating system *2.* harden and configure the operating system to adequately address the identified security needs of the system by: > removing unnecessary services, applications, and protocols > configuring users, groups, and permissions > configuring resource controls *3.* install and configure additional security controls, such as anti-virus, host-based firewalls, and intrusion detection systems (IDS), if needed *4.* test the security of the base operating system to ensure that the steps taken adequately address its security needs
What are mandatory integrity controls used for in Windows systems?
These label all objects, such as processes and files, and all users, as being of low, medium, high, or system integrity level. It first ensures that the subject's integrity is equal to or higher than the object's level.
What are the major differences between the implementations of the discretionary access control models on Unix and Linux systems and those on Windows systems?
Unix and Linux apply it to all file system resources: not only files and directories, but also devices, processes, memory, and most system resources. Windows applies it to files, shared memory, and named pipes, and much of the configuration information is centralized in the Registry.
What types of additional security controls may be used to secure the base operating system?
anti-virus software, host-based firewalls, IDS or IPS software, or application white-listing
What permissions may be specified, and for which subjects?
as granting read, write and execute permissions to each of owner, group, and others, for each resource
Why is keeping all software as up to date as possible so important?
because of the continuing discovery of software and other vulnerabilities for commonly used operating systems and applications
What are the pros and cons of automated patching?
because security patches can, on rare but significant occasions, introduce instability. You should stage and validate all patches on test systems before deploying them in production
What type of access control model do Unix and Linux systems implement?
discretionary access controls to all file system resources
What commands are used to manipulate extended file attributes access lists in Unix and Linux systems?
getfacl, setfacl
Where is application and service configuration information stored on Unix and Linux systems?
in the /etc directory or in the installation tree for a specific application
Where are two places user and group information may be stored on Windows systems?
in the Security Account Manager (SAM), or centrally managed by Active Directory (AD)
What is the aim of system security planning?
is to maximize security while minimizing costs
What is the main host firewall program used on Linux systems?
perimeter firewall
What effect do set user and set group permissions have when executing files on Unix and Linux systems?
programs can execute with Superuser rights, or with access to resources belonging to the privileged group.
Where is application and service configuration information stored on Windows systems?
registry
How is a chroot jail used to improve application security?
restricts the server's view of the file system to just a specified portion. This is done using the chroot system call that confines a process to some subset of the file system by mapping the root of the system / to some other directory
What is the point of removing unnecessary services, applications, and protocols?
so that a suitable level of functionality is provided
What is virtualization?
technology that provides an abstraction of the computing resources used to run in a simulated environment
On Windows, which privilege overrides all ACL checks, and why?
the ability to back up the computer; privileges give user accounts permission to back up. Explicit Deny permissions take precedence over Allow permissions
Why is it important to rotate log files?
to rotate any logs for debugging and for the greatest and latest
What additional steps are used to secure key applications?
traffic monitoring, file integrity checks, and white-listing applications, which limits the programs that can execute on the system to just those in an explicit list