3.3 Given a scenario, implement secure systems design.

Question 1

Hardware/Firmware Security

Answer 1

When implementing system and device security, it is critical to look to hardware features or firmware features that can add to the security of the system or device.

Question 2

Hardware/Firmware Security - FDE/SED

Answer 2

As discussed earlier, full disk encryption (FDE) is a security feature that allows a device to encrypt the entire hard disk to help maintain confidentiality in cases where a device is lost or stolen. You can also use a stream editor (SED) to transform text inside a file to an unreadable format.

Question 3

Hardware/Firmware Security - TPM

Answer 3

When working with full disk encryption, you can use a Trusted Platform Module (TPM module), which is a computer chip located on the motherboard, to store encryption keys for the FDE feature.

Question 4

Hardware/Firmware Security - HSM

Answer 4

Environments needing a high level of security can leverage a hardware security module (HSM), which is an add-on card or a separate device that takes care of managing encryption keys for the environment.

Question 5

Hardware/Firmware Security - UEFI/BIOS

Answer 5

There are a number of UEFI or BIOS features that can be enabled to help with hardware security. For example, you can add bootup passwords to a device, prevent booting from optical drives or USB drives, and password protect the UEFI/BIOS setup program.

Question 6

Hardware/Firmware Security - Secure Boot and Attestation

Answer 6

Secure boot is a device security feature that can be enabled that involves the system digitally signing the bootup files. Once the files are signed, the system will only load digitally signed files during bootup. This helps prevent someone from booting another operating system on that system in order to gain access to the system and its data. Attestation in this context means that the system has booted the way it was supposed to based on the digital signature.

Question 7

Hardware/Firmware Security - Supply Chain

Answer 7

The supply chain is the list of organizations and people
that a product must move through before it reaches its customer. Be sure to get confirmation that you will be able to order parts and receive delivery quickly should a hardware failure occur.

Question 8

Hardware/Firmware Security - Hardware Root of Trust

Answer 8

Hardware roots of trust are hardware components trusted by the system that perform security functions. For example, a TPM module that generates and stores a key pair.

Question 9

Hardware/Firmware Security - EMI/EMP

Answer 9

Electromagnetic interference (EMI) is interference from an external source that distorts information being transmitted. An electromagnetic pulse (EMP) is a burst of electromagnetic energy. Ensure that you use technologies that are immune to EMI/EMP, such as fiber optic cabling instead of twisted-pair cabling, in order to protect your data.

Question 10

Operating Systems

Answer 10

.

Question 11

Operating Systems - Types

Answer 11

Depending on the type of operating system you are reviewing, you will need to refine the steps that you take to put the system in a secure state.

Question 12

Operating Systems - Types - Network

Answer 12

A network operating system is designed to run on servers. Be sure to load only the services that are required of the network operating system to help reduce the number of vulnerabilities being exposed.

Question 13

Operating Systems - Types - Server

Answer 13

Server operating systems are designed to provide resources to clients such as files and printers. Lockdown each server by only installing the software required and keep it up to date with patches.

Question 14

Operating Systems - Types - Workstation

Answer 14

A workstation is what the user uses to access network resources. Be sure to install anti-malware software and keep the client up to date.

Question 15

Operating Systems - Types - Appliance

Answer 15

An appliance is any device used by the users. Be sure to

investigate any services or protocols that are running on the appliance so that you can disable if needed.

Question 16

Operating Systems - Types - Kiosk

Answer 16

A kiosk is a computer system in a public place, such as the front foyer of the building, that people can use for selected reasons. Be sure to lock down the kiosk and limit the applications that can run on it.

Question 17

Operating Systems - Types - Mobile OS

Answer 17

Apple also uses closed source OSs—macOS for its Macintosh computers and iOS as a mobile OS for mobile devices such as iPhones and iPads. Because they are closed source, only Apple updates or modifies these OSs.

Linux is derived from Unix and is open source, meaning that it is freely available to anyone. Developers have access to the code and can modify, improve, and, at times, freely redistribute it. Because of this, there is an almost endless assortment of Linux versions. As an example, the Android OS is open source software, and it was derived from the open source Linux OS. Additionally, many mobile device manufacturers modify the Android OS and use it as a mobile OS for their devices. It’s worth noting that the use of Linux in many systems has steadily increased. More, CompTIA has been adding additional Linux-based objectives in their exams, including the Security+ exam.

Question 18

Operating Systems - Patch Management

Answer 18

Be sure to patch all systems, including applying updates to mobile devices and their applications.

Question 19

Operating Systems - Disabling Unnecessary Ports and Services

Answer 19

Always look at the default software running on a device and disable any unnecessary ports that are open and any unnecessary services that are running.

Question 20

Operating Systems - Least Functionality

Answer 20

When dealing with devices such as mobile devices, look at the features offered by the device and disable any features that you are not going to use.

Question 21

Operating Systems - Secure Configurations

Answer 21

Be sure to review the configuration of the system or device and enable any security features. For example, a mobile device should have an auto-lock feature enabled

Question 22

Operating Systems - Trust Operating System

Answer 22

Use a trusted OS. A trusted OS is a system that implements multiple layers of security, such as authentication and authorization, to determine who can access a system and what they can do.

Question 23

Operating Systems - Application Whitelisting/Blacklisting

Answer 23

You can restrict what software is allowed to run on a system with a whitelist, or you can block software from running with a blacklist.

Question 24

Operating Systems - Disable Default Accounts/Passwords

Answer 24

Disable any default accounts that exist and create your own replacement accounts with a strong password.

Question 25

Peripherals

Answer 25

Another aspect of securing systems is ensuring that the peripherals are in a secure state.

Question 26

Peripherals - Wireless Keyboards/Mice

Answer 26

Using a wireless keyboard (or mouse) opens your system to communication from unwanted sources. The USB dongle that accepts transmissions can be hijacked by a hacker, allowing the hacker to type commands on your system. Keep the system up to date with patches to help prevent the exploit, but also do not use wireless keyboards and mice in highly secure environments.

Question 27

Peripherals - Displays

Answer 27

To secure displays, be sure to put screen dampeners over the displays to help prevent someone from eavesdropping over a user’s shoulder and seeing sensitive information.

Question 28

Peripherals - WiFi-enabled MicroSD Cards

Answer 28

Wi-Fi-enabled MicroSD cards are SD cards that have a wireless chip in them that allows them to receive data remotely from devices such as cameras.

Question 29

Peripherals - Printers/MFDs

Answer 29

When it comes to printers and other multifunction devices, you should first disable any features that are not being used, such as wireless functionality or, if applicable, the built-in web server. Before you dispose of a printer, check whether there is a drive in the printer that is used to queue print jobs, as this could be a way for someone to access data after you get rid of the printer. Be sure to destroy the drive when you dispose of the printer.

Question 30

Peripherals - External Storage Devices

Answer 30

Allowing a user to connect an external storage device to a system can expose that system to worm-based viruses that exist on the external or removable drive. Also, allowing someone to connect an external drive allows them to easily copy data and take it away with them. To help protect the system, restrict the use of external storage devices and implement DLP to prevent data leaks.

Question 31

Peripherals - Digital Cameras

Answer 31

Be aware of any technologies built into the camera, such as wireless communication and storage, and be sure to disable the features that you are not using. For example, if you are not using the wireless capabilities of the camera, disable wireless to prevent a hacker from exploiting the device via wireless.