3.3 Given a scenario, implement secure systems design. Flashcards
Hardware/Firmware Security
When implementing system and device security, it is critical to look to hardware features or firmware features that can add to the security of the system or device.
Hardware/Firmware Security - FDE/SED
As discussed earlier, full disk encryption (FDE) is a security feature that allows a device to encrypt the entire hard disk to help maintain confidentiality in cases where a device is lost or stolen. You can also use a stream editor (SED) to transform text inside a file to an unreadable format.
Hardware/Firmware Security - TPM
When working with full disk encryption, you can use a Trusted Platform Module (TPM), which is a computer chip located on the motherboard, to store encryption keys for the FDE feature.
Hardware/Firmware Security - HSM
Environments needing a high level of security can leverage a hardware security module (HSM), which is an add-on card or a separate device that takes care of managing encryption keys for the environment.
Hardware/Firmware Security - UEFI/BIOS
There are a number of UEFI or BIOS features that can be enabled to help with hardware security. For example, you can add bootup passwords to a device, prevent booting from optical drives or USB drives, and password protect the UEFI/BIOS setup program.
Hardware/Firmware Security - Secure Boot and Attestation
Secure boot is a device security feature that, when enabled, involves the system digitally signing the bootup files. Once the files are signed, the system will only load digitally signed files during bootup. This helps prevent someone from booting another operating system on that system in order to gain access to the system and its data. Attestation in this context means that the system has booted the way it was supposed to based on the digital signature.
Hardware/Firmware Security - Supply Chain
The supply chain is the list of organizations and people that a product must move through before it reaches its customer. Be sure to get confirmation that you will be able to order parts and receive delivery quickly should a hardware failure occur.
Hardware/Firmware Security - Hardware Root of Trust
Hardware roots of trust are hardware components trusted by the system that perform security functions. An example is a TPM that generates and stores a key pair.
Hardware/Firmware Security - EMI/EMP
Electromagnetic interference (EMI) is interference from an external source that distorts information being transmitted. An electromagnetic pulse (EMP) is a burst of electromagnetic energy. Ensure that you use technologies that are immune to EMI/EMP, such as fiber optic cabling instead of twisted-pair cabling, in order to protect your data.
Operating Systems
Operating Systems - Types
Depending on the type of operating system you are reviewing, you will need to refine the steps that you take to put the system in a secure state.
Operating Systems - Types - Network
A network operating system is designed to run on servers. Be sure to load only the services that are required of the network operating system to help reduce the number of vulnerabilities being exposed.
Operating Systems - Types - Server
Server operating systems are designed to provide resources to clients such as files and printers. Lock down each server by installing only the software required and keeping it up to date with patches.
Operating Systems - Types - Workstation
A workstation is what the user uses to access network resources. Be sure to install anti-malware software and keep the client up to date.
Operating Systems - Types - Appliance
An appliance is any device used by the users. Be sure to investigate any services or protocols that are running on the appliance so that you can disable them if needed.
Operating Systems - Types - Kiosk
A kiosk is a computer system in a public place, such as the front foyer of the building, that people can use for selected reasons. Be sure to lock down the kiosk and limit the applications that can run on it.
Operating Systems - Types - Mobile OS
Apple also uses closed source OSs—macOS for its Macintosh computers and iOS as a mobile OS for mobile devices such as iPhones and iPads. Because they are closed source, only Apple updates or modifies these OSs.
Linux is derived from Unix and is open source, meaning that it is freely available to anyone. Developers have access to the code and can modify, improve, and, at times, freely redistribute it. Because of this, there is an almost endless assortment of Linux versions. As an example, the Android OS is open source software, and it was derived from the open source Linux OS. Additionally, many mobile device manufacturers modify the Android OS and use it as a mobile OS for their devices. It’s worth noting that the use of Linux in many systems has steadily increased. Moreover, CompTIA has been adding Linux-based objectives to its exams, including the Security+ exam.
Operating Systems - Patch Management
Be sure to patch all systems, including applying updates to mobile devices and their applications.
Operating Systems - Disabling Unnecessary Ports and Services
Always look at the default software running on a device and disable any unnecessary ports that are open and any unnecessary services that are running.
Operating Systems - Least Functionality
When dealing with devices such as mobile devices, look at the features offered by the device and disable any features that you are not going to use.
Operating Systems - Secure Configurations
Be sure to review the configuration of the system or device and enable any security features. For example, a mobile device should have an auto-lock feature enabled.
Operating Systems - Trusted Operating System
Use a trusted OS. A trusted OS is a system that implements multiple layers of security, such as authentication and authorization, to determine who can access a system and what they can do.
Operating Systems - Application Whitelisting/Blacklisting
You can restrict what software is allowed to run on a system with a whitelist, or you can block software from running with a blacklist.
Operating Systems - Disable Default Accounts/Passwords
Disable any default accounts that exist and create your own replacement accounts with a strong password.
Peripherals
Another aspect of securing systems is ensuring that the peripherals are in a secure state.
Peripherals - Wireless Keyboards/Mice
Using a wireless keyboard (or mouse) opens your system to communication from unwanted sources. The USB dongle that accepts transmissions can be hijacked by a hacker, allowing the hacker to type commands on your system. Keep the system up to date with patches to help prevent the exploit, but also do not use wireless keyboards and mice in highly secure environments.
Peripherals - Displays
To secure displays, be sure to put screen dampeners over the displays to help prevent someone from eavesdropping over a user’s shoulder and seeing sensitive information.
Peripherals - Wi-Fi-enabled MicroSD Cards
Wi-Fi-enabled MicroSD cards are SD cards that have a wireless chip in them that allows them to receive data remotely from devices such as cameras.
Peripherals - Printers/MFDs
When it comes to printers and other multifunction devices, you should first disable any features that are not being used, such as wireless functionality or, if applicable, the built-in web server. Before you dispose of a printer, check whether there is a drive in the printer that is used to queue print jobs, as this could be a way for someone to access data after you get rid of the printer. Be sure to destroy the drive when you dispose of the printer.
Peripherals - External Storage Devices
Allowing a user to connect an external storage device to a system can expose that system to worm-based viruses that exist on the external or removable drive. Also, allowing someone to connect an external drive allows them to easily copy data and take it away with them. To help protect the system, restrict the use of external storage devices and implement DLP to prevent data leaks.
Peripherals - Digital Cameras
Be aware of any technologies built into the camera, such as wireless communication and storage, and be sure to disable the features that you are not using. For example, if you are not using the wireless capabilities of the camera, disable wireless to prevent a hacker from exploiting the device via wireless.