3.3 Implement secure systems design.

Question 1

FDE

Answer 1

(Full Disk Encryption) Encryption of all data on a disk (including system files, temporary files, and the page file) can be accomplished via a supported OS, third-party software, or at the controller level by the disk device itself.

Question 2

TPM

Answer 2

(Trusted Platform Module) A computer chip (microcontroller) that can store digital certificates, key, hashed passwords, and other user and platform identification information.

Question 3

HSM

Answer 3

(Hardware Security Module) An appliance for generating and storing cryptographic keys, safeguards and digital keys, performing encryption and decryption functions for digital signatures, strong authentication and other cryptographic functions. This sort of solution may be less susceptible to tampering and insider threats than software-based storage.

Question 4

UEFI/BIOS

Answer 4

(Unified Extensible Firmware Interface) A type of system firmware providing support for 64-bit CPU operation at boot, full GUI and mouse operation at boot, and better boot security.

Question 5

Secure boot and attestation

Answer 5

Secure boot: prevents a computer from being hijacked by a malicious OS.

Attestation: declare something to be true

Question 6

Supply Chain

Answer 6

The end-to-end process of supplying, manufacturing, distributing, and finally releasing goods and services to a customer.

Question 7

Hardware root of trust

Answer 7

A secure subsystem that is the foundation on which all secure operations of a computing system depend, and it’s able to provide attestation.

Question 8

EMI/EMP

Answer 8

(Electromagnetic Interference) A disruption of electrical current that occurs when a magnetic field around one electrical circuit interferes with the signal being carried on an adjacent circuit.

Question 9

Operating systems

Answer 9

An OS is HARDENED when is put into a secure configuration. The principle of LEAST FUNCTIONALITY should be implemented.

Question 10

Kiosk

Answer 10

A computer terminal deployed to a public environment. ex. ATMs, airport checkin.
In order to secure a kiosk, the hardware ports must be inaccessible

Question 11

Patch Management

Answer 11

A couple rules to follow for patches:

• Only apply patches if a particular problem is being experienced.
• Always create backups before implementing a patch

Question 12

Disabling unnecessary ports and services

Answer 12

Application service ports allow client software to connect to applications. These should be CLOSED if remote access is not necessary.

Question 13

Least functionality

Answer 13

The principle of a system only running protocols and services required by legitimate users and nothing more.

Question 14

Secure configurations

Answer 14

A few points on secure configurations:

- Disable unnecessary interfaces, services, and application service ports.

Question 15

Trusted Operating System

Answer 15

An OS that meets the criteria for a Common Criteria OS Protection Profile.

Question 16

Application whitelisting/blacklisting

Answer 16

Whitelisting: nothing can run if it is not on the approved whitelist. ex. Apple store

Blacklisting: anything not on the PROHIBITED blacklist can run. ex. Anti-virus

Question 17

Wi-Fi-enabled microSD cards

Answer 17

Attackers can modify the kernel and install any software on Wi-Fi enabled microSD cards, which connect to a host and transfer files.

Question 18

MFDs

Answer 18

(Multifunction Devices) refer to print/scan/fax machines contain images, documents, and logs which are recoverable unless deleted properly.