Chapter 5 Flashcards

1
Q

Virtualization

A

It allows you to host one or more virtual systems, or virtual machines (VMs), on a single physical system. With today’s technologies, you can host an entire virtual network within a single physical system, and organizations are increasingly using virtualization to reduce costs.

Virtualization typically provides the best return on investment (ROI).

2
Q

Hypervisor

A

(part of virtualization) The hypervisor is specialized software that creates, runs, and manages virtual machines. Several software vendors produce hypervisors, including VMware products, Microsoft Hyper-V products, and Oracle VM VirtualBox.

3
Q

Host

A

(part of virtualization) The physical system hosting the VMs is the host. It requires more resources than a typical system, such as multiple high-speed multi-core processors, large amounts of RAM, fast and abundant disk space, and one or more fast network cards. Although these additional resources increase the cost of the host, it is still less expensive than paying for multiple physical systems. It also requires less electricity, less cooling, and less physical space. The host system runs the hypervisor software.

4
Q

Guest

A

Operating systems running on the host system are guests or guest machines. Most hypervisors support several different operating systems, including various Microsoft operating systems and various Linux distributions. Additionally, most hypervisors support both 32-bit and 64-bit operating systems.

5
Q

Cloud Scalability.

A

Scalability refers to the ability to resize the computing capacity of the VM. You do this by assigning it more memory, processors, disk space, or network bandwidth. Scaling is a manual process, and it often requires a reboot. In other words, an administrator would manually change the resources assigned to the VM.

6
Q

Cloud Elasticity.

A

Elasticity refers to the ability to dynamically change resources assigned to the VM based on the load. As an example, imagine a VM has increased traffic. Monitoring software senses this increased load and automatically increases the VM resources to handle it. This does not require a reboot.

7
Q

Thin Clients

A

A thin client is a computer with enough resources to boot and connect to a server to run specific applications or desktops. When the thin client is a traditional computer, it typically has a keyboard, mouse, and screen and may support other peripherals such as speakers and USB ports. The server is a powerful server located on-site or in the cloud, supporting multiple thin clients.

8
Q

VDI

A

A virtual desktop infrastructure (VDI) hosts a user’s desktop operating system on a server. While traditional computers typically access VDIs within a network, it’s also possible to deploy a VDI that users can access with their mobile device. This allows users to access any applications installed on their desktop. When the organization hosts a remote access solution such as a virtual private network (VPN), users can access the mobile VDI from anywhere if they have Internet access.

9
Q

Containerization

A

Containerization is a type of virtualization that runs services or applications within isolated containers or application cells.

A benefit of containerization is that it uses fewer resources and can be more efficient than a system using traditional Type II hypervisor virtualization. Internet Service Providers (ISPs) often use it for customers who need specific applications. One drawback is that containers must use the operating system of the host. As an example, if the host is running Linux, all the containers must run Linux.

10
Q

VM Escape Protection

A

VM escape is an attack that allows an attacker to access the host system from within a virtual guest system. As previously mentioned, the host system runs an application or process called a hypervisor to manage the virtual systems. In some situations, the attacker can run code on the virtual system and interact with the hypervisor. This should never be allowed.

A successful VM escape attack often gives the attacker unlimited control over the host system and each guest virtual machine running on that host.

11
Q

VM sprawl

A

VM sprawl occurs when an organization has many VMs that aren’t appropriately managed.

A challenge with VM sprawl is that each VM adds additional load onto a server.

12
Q

Replication

A

Replication makes it easy to restore a failed virtual server. If you create a backup of the virtual server files and the original server fails, you simply restore the files. You can measure the amount of time it takes to restore a replicated virtual server in minutes. In contrast, rebuilding a physical server can take hours.

13
Q

snapshot

A

A snapshot provides you with a copy of a VM at a moment in time, which you can use as a backup. You are still able to use the VM just as you normally would. However, after taking a snapshot, the hypervisor keeps a record of all changes to the VM. If the VM develops a problem, you can revert the VM to the state it was in when you took the snapshot.

14
Q

Antivirus software

A

A type of endpoint security software. This software scans endpoints for the presence of viruses, worms, Trojan horses, and other malicious code. When an infection is detected, the antivirus software can often step in and resolve the issue automatically.

15
Q

EDR

A

Endpoint detection and response is a security technology that focuses on detecting and responding to threats at the endpoint level, often using advanced behavioral analysis techniques to identify suspicious activity and contain threats before they can cause damage.

16
Q

XDR

A

Extended detection and response is a next-generation security technology that goes beyond the endpoint to include other types of devices and systems, such as network devices, cloud infrastructure, and IoT devices, providing a more comprehensive view of the entire IT environment and enabling faster threat detection and response.

17
Q

HIPS

A

A host intrusion prevention system (HIPS) takes the concept of intrusion prevention and applies it to a single host or endpoint, using techniques such as behavior analysis, file integrity monitoring, and application control to prevent unauthorized access, tampering, or other types of attacks.

18
Q

Resource reuse

A

Resource reuse in the context of cloud computing risks refers to the potential for data or resources to remain on a shared infrastructure even after a customer has finished using them, making them potentially accessible to other users of the cloud service. This can lead to a risk of data leakage or exposure, as well as the potential for malicious actors to gain unauthorized access to sensitive data or systems.

The best way to protect against this risk is to have contractual requirements with cloud service providers that they securely erase your data when it is no longer needed.

19
Q

Establish an initial baseline configuration

A

Administrators use various tools to deploy systems consistently in a secure state.

20
Q

Deploy the baseline

A

The baseline may be initially deployed on systems during the build process, or it may be pushed out to existing systems through Group Policy or other configuration management tools.

21
Q

Maintain the baseline

A

Organizations change and so does the security landscape. It’s natural for system baselines to change over time as well. Security professionals should revise the baseline as needed and push out updates following the organization’s configuration and change management policies.

22
Q

Using Master Images for Baseline Configurations

A

Administrators start with a blank source system. They install and configure the operating system, install and configure any desired applications, and modify security settings. Administrators perform extensive testing to ensure the system works as desired and that it is secure before going to the next step.

Next, administrators capture the image, which becomes their master image. Symantec Ghost is a popular imaging application, and Windows Server versions include free tools many organizations use to capture and deploy images. The captured image is simply a file stored on a server or copied to external media, such as a DVD or external USB drive.

In step 3, administrators deploy the image to multiple systems. When used within a network, administrators can deploy the same image to dozens of systems during initial deployment or to just a single system to rebuild it. The image installs the same configuration on the target systems as the original source system created in step 1.

23
Q

Secure starting point

A

The image includes mandated security configurations for the system. Personnel who deploy the system don’t need to remember or follow extensive checklists to ensure that new systems are set up with all the detailed configuration and security settings. The deployed image retains all the settings of the original image. Administrators will still configure some settings, such as the computer name, after deploying the image.

24
Q

Reduced costs.

A

Deploying imaged systems reduces the overall maintenance costs and improves reliability. Support personnel don’t need to learn several different end-user system environments to assist end users. Instead, they learn just one. When troubleshooting, support personnel spend their time helping the end user rather than learning the system configuration. Managers understand this as reducing the total cost of ownership (TCO) for systems.

25
master images
Master images provide secure starting points for systems. Administrators sometimes create them with templates or with other tools to create secure baselines. They then use integrity measurements to discover when a system deviates from the baseline.
26
Patching and Patch Management
Software is not secure. As problems crop up, companies write and release patches or updates that correct those problems. Administrators must apply these patches to keep their systems up to date and protected against known vulnerabilities.
27
Patch management
Patch management ensures that systems and applications stay up-to-date with current patches. This is one of the most efficient ways to reduce operating system and application vulnerabilities because it protects systems from known vulnerabilities. Patch management includes a group of methodologies and consists of identifying, downloading, testing, deploying, and verifying patches.
28
Change Management
Change management ensures that changes to IT systems do not result in unintended outages or security failures. It also provides an accounting structure or method to document all changes.
29
Application Allow and Block Lists
Application allow lists (sometimes called whitelists) and application block lists (sometimes called application deny lists or blacklists) are two additional methods used as endpoint security solutions. They can help protect hosts, including workstations, servers, and mobile devices. An application allow list is a list of authorized software, and it prevents users from installing or running software that isn’t on the list. An application block list is a list of unauthorized software and prevents users from installing or running software on the list.
30
FDE
Full disk encryption (FDE) encrypts an entire disk. This can either be done using technology built into major operating systems, such as Windows BitLocker or macOS FileVault, or it may be done using a third-party application. For example, VeraCrypt is an open-source utility that can encrypt partitions or an entire storage device.
31
SEDs
Many hardware vendors now manufacture self-encrypting drives (SEDs), also known as hardware-based FDE drives. SEDs include encryption circuitry built into the drive. These typically allow users to enter credentials when they set up the drive. When users power up the system, they enter their credentials to decrypt the drive and boot the system.
32
Boot Integrity
33
measured boot
A measured boot goes through enough of the boot process to perform these checks without allowing a user to interact with the system. If it detects that the system has lost integrity and can no longer be trusted, the system won’t boot.
34
BIOS
The Basic Input/Output System (BIOS) includes software that provides a computer with basic instructions on starting.
35
UEFI
Newer systems use Unified Extensible Firmware Interface (UEFI) instead of BIOS. UEFI performs many of the same functions as BIOS but provides some enhancements. As an example, it can boot from larger disks, and it is designed to be CPU-independent. Both BIOS and UEFI can be upgraded using a process called flashing. Flashing overwrites the firmware within the chip with newer software.
36
TPM
A Trusted Platform Module (TPM) is a hardware chip on the computer’s motherboard that stores cryptographic keys used for encryption. Most desktop and laptop computers include a TPM. Some servers allow for removable and replaceable TPMs. Once enabled, the TPM provides full disk encryption capabilities. It keeps hard drives encrypted and protected until the system completes a system verification and authentication process. The TPM also features a secure boot process and remote attestation. The endorsement key is a unique asymmetric key pair burned into the TPM chip that provides a hardware root of trust.
37
remote attestation
A remote attestation process works like the secure boot process. However, instead of checking the boot files against the report stored in the TPM, it uses a separate system.
38
hardware root of trust
The TPM ships with a unique encryption key burned into it, which is used for asymmetric encryption and can be used to support authentication. This key provides a hardware root of trust, a known secure starting point. The private key remains private and is matched with a public key. Additionally, the TPM can generate, store, and protect other keys used for encrypting and decrypting disks. If the system includes a TPM, you use an application within the operating system to enable it. For example, many Microsoft systems include BitLocker, which you can enable for systems that include the TPM.
39
HSM
A hardware security module (HSM) is a security device you can add to a system to manage, generate, and securely store cryptographic keys. High-performance HSMs are external network appliances using a TCP/IP network connection. Smaller HSMs come as expansion cards you install within a server or as devices you plug into computer ports. Remember This! A hardware security module (HSM) is a removable or external device that can generate, store, and manage keys used in asymmetric encryption. Many server-based applications use an HSM to protect keys. A microSD HSM is an HSM device installed on a microSD card and can be installed on any device with a microSD or SD slot.
40
microSD HSM
A microSD HSM is a microSD card that includes an HSM. A microSD card is small at 15 mm long x 11 mm wide x 1 mm thick, or .59 inches x .43 inches x .03 inches. You can install a microSD HSM into any device that has a microSD slot. With an adapter, you can install any microSD card into an SD card slot. HSMs support the security methods of a TPM. They provide a hardware root of trust, secure boot, and can be configured for remote attestation. The cryptographic keys stored within the HSM also support authentication solutions. One of the noteworthy differences between an HSM and a TPM is that HSMs are removable or external devices. In comparison, the majority of TPMs are embedded into the motherboard, though certain removable TPMs are also on the market. You can easily add an HSM to a system or a network. If a system didn’t ship with a TPM, it may not be feasible to add one later unless
41
decommissioning
The decommissioning of hardware that is no longer needed is a critical aspect of managing the security of an organization’s IT infrastructure. Retiring hardware that is no longer in use can help prevent unauthorized access to sensitive data and reduce the risk of attack.
42
Legacy hardware
Legacy hardware refers to older computer hardware that is no longer being manufactured or widely used in the industry. This can include servers, laptops, desktops, and other types of devices that were once popular but have been superseded by newer, more advanced technology.
43
EOL
End-of-life (EOL) hardware refers to hardware that has reached the end of its useful life, either because it is no longer supported by the manufacturer or because it is too outdated to meet current technology standards.
44
Data exfiltration
Data exfiltration is the unauthorized transfer of data outside an organization and is a significant concern.
45
DLP
Organizations often use data loss prevention (DLP) techniques and technologies to prevent data exfiltration. They can block the use of USB flash drives and control the use of removable media. They can also examine outgoing data and detect many types of unauthorized data transfers. Remember This! Data exfiltration is the unauthorized transfer of data out of a network. Data loss prevention (DLP) techniques and technologies can block the use of USB devices to prevent data loss and monitor outgoing network traffic for unauthorized data transfers.
46
Removable media
Organizations recognize that removable media can be an attack vector, so it’s common for an organization to include security policy statements to prohibit the use of USB flash drives and other removable media. Some technical policies block the use of USB drives completely. A USB data blocker prevents users from writing any data to a USB drive. Some USB data blockers will also prevent systems from reading data from a USB or other removable device.
47
Data-in-use
Data-in-use refers to data that is currently being processed or accessed by a system or application. This can include sensitive data such as passwords, encryption keys, and other types of confidential information. Protecting data-in-use is a critical
48
Secure enclave
Secure enclave, sometimes known as trusted execution environment (TEE), is a type of security technology that provides a secure and isolated area within a system or application for processing sensitive data. Secure enclaves use hardware-based security mechanisms, such as Intel’s Software Guard Extensions (SGX), to create a trusted execution environment that is isolated from the rest of the system. This allows sensitive data to be processed and stored securely, even in a potentially insecure computing environment.
49
SaaS
Software as a service. Web-based email is an example of SaaS. This includes Gmail, Yahoo! Mail, and others. The service provides all the components of email to users via a simple web browser.
50
PaaS
Platform as a service. The cloud hosting provider provides several features, including an installed operating system, a core software package used for web servers, Apache as a web server, antivirus software, spam protection, and more. Additionally, they keep the operating system up to date with relevant updates and patches.
51
IaaS
Infrastructure as a Service (IaaS) allows an organization to outsource its equipment requirements, including the hardware and all support operations. The IaaS service provider owns the equipment, houses it in its data center, and performs all the required hardware maintenance. The customer essentially rents access to the equipment and often pays on a per-use basis. Many cloud providers refer to this as a self-managed solution. They provide access to a server and may include a default operating system installation, but customers must configure it and install additional software based on their needs. Additionally, customers are responsible for all operating system updates and patches.
52
Public Cloud
Public cloud services are available from third-party companies, such as Amazon, Google, Microsoft, and Apple. They provide similar services to anyone willing to pay for them. They’re available to the general public, so they’re called public cloud.
53
Private cloud
Private cloud offerings are created for use by a single customer. For example, the Shelbyville Nuclear Power Plant might decide it wants to store data in the cloud but does not want to use a third-party vendor. Instead, the plant chooses to host its own servers and make these servers available to internal employees through the Internet. Organizations may also hire a service provider to create and operate a private cloud environment for their exclusive use.
54
Community cloud
Community cloud services are shared by a group of customers with shared interests (such as shared goals, security requirements, or compliance considerations). An example is different school systems sharing educational tools.
55
Hybrid cloud
Hybrid cloud environments combine offerings from two or more of the other deployment models. They can be a combination of private, public, or community clouds. These retain separate identities to help protect resources in private clouds. However, they are bridged together, often in such a way that it is transparent to users. Remember This! Public cloud services are available to any customer who wishes to use them. Private clouds are available for only one organization. Two or more organizations with shared concerns can share a community cloud. A hybrid cloud is a combination of two or more cloud deployment models.
56
Multi-cloud systems
Multi-cloud systems combine the resources from two or more cloud service providers. This is a different concept from hybrid cloud, which combines two or more deployment models. For example, if an organization makes use of IaaS offerings from Amazon Web Services and Microsoft Azure, that is a multi-cloud environment because resources from both Amazon and Microsoft are involved. It is not a hybrid cloud deployment because both of those service providers are public cloud providers. Some security professionals consider multi-cloud systems a good approach because they increase resiliency and redundancy. If one provider suffers an outage, the other provider will hopefully remain up and running. However, it’s important to understand that multi-cloud systems also add complexity to an environment.
57
API
An application programming interface (API) is a software component that gives developers access to features or data within another application, a service, or an operating system. It’s common for developers to use APIs with web applications, Internet of Things (IoT) devices, and cloud-based services. As an example, Amazon.com provides package tracking data by using web service-based APIs provided by different shippers. The input is the tracking ID, and the output is all the tracking data provided by the shipper. Similarly, APIs interact with IoT devices such as wireless thermostats to set and adjust temperatures.
58
Authentication
Strong authentication methods will prevent unauthorized entities from using the APIs. The authentication method used can vary. For example, an API may use passwords with a second authentication factor, such as an authenticator app.
59
Authorization
Authorization methods secure access to the API. For example, developers may have one level of access, and web applications may have another level of access. APIs could use cloud-based authorization services, such as OAuth.
60
Transport level security.
The API should use strong security, such as TLS, when transferring any traffic over the Internet. Early implementations of some wireless thermostats sent data over the Internet, leaking information about thermostat owners. TLS encrypts the traffic, preventing unauthorized entities from seeing the traffic.
61
Microservices
Microservices are code modules designed to do one thing well. They are typically small code modules that receive values, process them, and respond with an output. Think of the Amazon example where the value is the tracking ID, and the output is the tracking data. Amazon must use a different web services-based API for each shipper. In contrast, a single microservice code module could be used for any shipper. Customers would enter a tracking ID, and the microservice API would determine the shipper. It would then send the tracking ID to the appropriate shipper, receive the tracking data, and send the tracking data to the customer. A web services-based API is tied to a specific business, such as the individual shippers in this example. In contrast, a microservice module isn’t tied to any specific business. This allows developers to use it in different applications without modifying it.
62
MSSP
A managed security service provider (MSSP) is a third-party vendor that provides security services for smaller companies. Many small companies use them to improve their companies’ overall security posture without adding an army of security professionals to their staff. In the early days of the Internet, an Internet Service Provider (ISP) provided basic services to customers. They sometimes sold firewalls to these customers and administered the firewalls remotely. A managed service provider (MSP) is like an MSSP. However, instead of focusing only on security services, an MSP provides any information technology (IT) services that an organization needs. MSSPs have expanded basic firewall service to just about anything a larger organization would have.

The following list shows some of the managed services an MSSP may provide:
- Patch management
- Vulnerability scanning
- Spam and virus filtering
- Data loss prevention (DLP)
- Virtual private network connections
- Proxy services for web content filtering
- Intrusion detection and prevention systems
- Unified threat management (UTM) appliances
- Advanced firewalls such as next-generation firewalls (NGFWs)

Remember this. A managed security service provider (MSSP) is a third-party vendor that provides security services for an organization. A managed service provider (MSP) provides any IT services needed by an organization, including security services provided
63
CSP Considerations
Cloud service provider considerations.

Availability. High availability indicates a system or service remains operational with almost zero downtime. It’s typically achieved by using multiple load-balancing nodes. High availability across zones indicates that the nodes are located in different cloud locations, such as separate geographic locations. If one node fails, other nodes can take on its load.

Resilience. Resilience is the ability of a system to maintain its functionality even when faced with adverse conditions or unexpected events, such as natural disasters or cyberattacks. This is achieved by implementing

Cost. The cost of a cloud service is an important consideration for any organization. It’s important to balance the cost of the service with the organization’s budget and requirements, and to ensure that the service is delivering value for money.

Responsiveness. Responsiveness refers to the speed and reliability with which a cloud service can respond to requests and perform tasks. This is typically measured in terms of response time and throughput, and can be optimized through the use of caching, load balancing, and other techniques.

Scalability. Scalability is the ability of a cloud service to handle increasing amounts of data, traffic, and user requests without degradation in performance. This is achieved through the use of elastic computing resources and auto-scaling mechanisms that can dynamically allocate resources as needed to meet demand.

Segmentation. Just as local networks support segmentation with virtual local area networks (VLANs) and screened subnets, cloud-based networks can segment computers or networks. This is important for maintaining security and compliance by isolating sensitive data and applications from other parts of the network.
64
Off-Premises
One of the primary benefits of an off-premises solution is that the CSP performs the maintenance. As discussed previously, the CSP has the most responsibility for maintaining the cloud-based resources in the SaaS model. Even in the IaaS model, the CSP still ensures the hardware is operational. If data is stored in another country, it could result in legal implications requiring the organization to comply with different laws in different countries. However, organizations can contractually require CSPs to store data in a single country only.
65
CASB
A Cloud Access Security Broker is a software solution or service deployed between an organization’s network and the cloud provider. It provides security by monitoring traffic and enforcing security policies. Anything accessible via the Internet is an attack vector, and that includes cloud-based resources. However, a CASB can help organizations mitigate risks by consistently enforcing security policies across cloud service providers.
66
Cloud-Based DLP
It’s common for personnel within organizations to store data in the cloud. This makes it easier to access the data from any location and from almost any device. Cloud-based DLP solutions allow an organization to implement policies for data stored in the cloud. As an example, an organization can implement policies to detect Personally Identifiable Information (PII) or Protected Health Information (PHI) stored in the cloud. After detecting the data, a DLP policy can be configured to take one or more actions such as sending an alert to a security administrator, blocking any attempts to save the data in the cloud, and quarantining the data. Remember. A cloud-based DLP can enforce security policies for data stored in the cloud, such as ensuring that Personally Identifiable Information (PII) is encrypted.
67
SWG
A next-generation secure web gateway (SWG) is a combination of a proxy server and a stateless firewall. The SWG is typically a cloud-based service, but it can be an on-site appliance. Clients are configured to access all Internet resources via the SWG, and it filters traffic to prevent threats from infiltrating the network. Some of the services provided by the SWG include:
- URL filtering to prevent users from visiting unauthorized sites
- Packet filtering to detect and block malicious traffic
- Malware detection and filtering to block malware
- Network-based data loss protection (DLP)
- Sandboxing to check for threats
68
CASB
A cloud access security broker (CASB) is a software tool or service deployed between an organization’s network and the cloud provider. It provides security by monitoring traffic and enforcing security policies. A next-generation secure web gateway (SWG) provides proxy services for traffic from clients to Internet sites, such as filtering URLs and scanning for malware.
69
Cloud Firewall Considerations
Security groups offer you the ability to write firewall rules that affect only your resources. The cloud service provider uses its own firewall to enforce the rules that you create in security groups, without letting you directly modify that firewall. These security groups should be carefully managed because, while your mistakes won't affect other customers, they can definitely undermine the security of your own systems.
70
IaC
Infrastructure as code (IaC) refers to managing and provisioning data centers with code to define VMs and virtual networks. It reduces the complexity of creating virtual objects by allowing administrators to run a script to create them. System administrators prefer this approach because it creates reusable code and facilitates automation.
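One way the two previous cards fit together, as an added example that is not from the flashcards or from any cloud provider's tooling: security-group rules kept as code and audited by a script before they are applied. The dict layout follows the field names printed by `aws ec2 describe-security-groups` (GroupId, IpPermissions, IpProtocol, FromPort, ToPort, IpRanges/CidrIp, Ipv6Ranges/CidrIpv6, UserIdGroupPairs), but the groups, the list of sensitive ports and the pass/fail policy are constructed assumptions for this example.

```python
import ipaddress

# Added example (not from the flashcards): security-group rules as code, audited
# before apply. Field names mirror `aws ec2 describe-security-groups` output;
# the groups themselves and the sensitive-port list are constructed.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL", 1433: "MSSQL"}

GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "UserIdGroupPairs": [{"GroupId": "sg-app"}]},  # source is another group, not a CIDR
    ]},
    {"GroupId": "sg-legacy", "IpPermissions": [
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},  # all protocols and ports, any v6 address
    ]},
    {"GroupId": "sg-admin", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    ]},
]


def rule_port_range(rule):
    """Inclusive port range a rule covers; IpProtocol '-1' means every port of every protocol."""
    if rule.get("IpProtocol") == "-1":
        return 0, 65535
    return rule.get("FromPort", 0), rule.get("ToPort", 65535)


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 and ::/0 (prefix length zero), however they are written."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit(groups):
    """One finding per (group, world-open source, port range) that exposes a sensitive service."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            lo, hi = rule_port_range(rule)
            exposed = [name for port, name in SENSITIVE_PORTS.items() if lo <= port <= hi]
            for cidr in sources:
                if exposed and is_world_open(cidr):
                    findings.append({"group": sg["GroupId"], "source": cidr,
                                     "ports": f"{lo}-{hi}", "services": exposed})
    return findings


if __name__ == "__main__":
    problems = audit(GROUPS)
    for f in problems:
        print(f"{f['group']}: {f['source']} -> {f['ports']} exposes {', '.join(f['services'])}")
    # In a pipeline the apply step is gated on an empty result.
    raise SystemExit(1 if problems else 0)
```

Port 443 open to the world on sg-web is deliberately not flagged: the check targets administrative and database services, which is the mistake that most often undermines a customer's own systems, rather than every world-open rule.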
71
SDN
Software-defined networking (SDN) uses virtualization technologies to route traffic instead of using hardware routers and switches. More and more cloud service providers are implementing SDNs as part of an overall IaaS solution. An SDN separates the data plane and the control plane within a network. Another way of thinking of this is that an SDN separates the logic used to forward or block traffic (the data plane) from the logic used to identify the path to take (the control plane).
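The plane separation described above, as an added example that is not from the flashcards or from any SDN controller: a toy network in which the control plane computes the path (or a drop decision) for every destination and pushes the result to per-switch flow tables, while the data plane does nothing but a first-match table lookup. The four-switch topology, host addresses and port numbers are constructed for this example.

```python
from collections import deque

# Added example (not from the flashcards): a toy SDN that keeps the two planes apart.
# Constructed topology: for each switch, the port that leads to each neighbour,
# plus two hosts attached to edge ports.
LINKS = {
    "s1": {"s2": 1, "s3": 2},
    "s2": {"s1": 1, "s4": 2},
    "s3": {"s1": 1, "s4": 2},
    "s4": {"s2": 1, "s3": 2},
}
HOSTS = {"10.0.0.1": ("s1", 3), "10.0.0.2": ("s4", 3)}  # ip -> (edge switch, port)


def next_hop(links, src, dst):
    """Control plane: BFS shortest path, returning the neighbour of src to send through."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for neighbour in links[node]:
            if neighbour not in prev:
                prev[neighbour] = node
                queue.append(neighbour)
    if dst not in prev:
        return None
    node = dst
    while prev[node] != src:
        node = prev[node]
    return node


def compute_flow_tables(links, hosts, blocked=()):
    """Control plane: decide the path (or a drop) for every destination, on every switch."""
    tables = {sw: [] for sw in links}
    for dst_ip, (dst_sw, dst_port) in hosts.items():
        for sw in links:
            if dst_ip in blocked:
                tables[sw].append({"match": dst_ip, "action": "drop"})
                continue
            if sw == dst_sw:
                out_port = dst_port
            else:
                hop = next_hop(links, sw, dst_sw)
                if hop is None:
                    continue  # unreachable: no entry, so a table miss goes to the controller
                out_port = links[sw][hop]
            tables[sw].append({"match": dst_ip, "action": f"output:{out_port}"})
    return tables


def forward(table, packet):
    """Data plane: first-match table lookup only; it never looks at the topology."""
    for entry in table:
        if entry["match"] == packet["dst"]:
            return entry["action"]
    return "send-to-controller"  # table miss, as in OpenFlow


if __name__ == "__main__":
    tables = compute_flow_tables(LINKS, HOSTS)
    print("s1 ->", forward(tables["s1"], {"dst": "10.0.0.2"}))  # output:1 (via s2)
    # Link s1-s2 fails: only the control plane recomputes; forward() is unchanged.
    degraded = {sw: dict(nbrs) for sw, nbrs in LINKS.items()}
    del degraded["s1"]["s2"], degraded["s2"]["s1"]
    tables = compute_flow_tables(degraded, HOSTS)
    print("s1 ->", forward(tables["s1"], {"dst": "10.0.0.2"}))  # output:2 (via s3)
    # Policy change (block a host): again only the control plane is involved.
    tables = compute_flow_tables(LINKS, HOSTS, blocked=("10.0.0.2",))
    print("s1 ->", forward(tables["s1"], {"dst": "10.0.0.2"}))  # drop
```

The point of the three runs at the bottom is that a link failure and a policy change both alter the tables the controller produces, and neither touches the forwarding code; that is the separation the card describes.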
72
Edge computing
Edge computing is the practice of storing and processing data close to the devices that generate and use the data. Many non-edge solutions store all the data in the cloud, requiring round trips to retrieve and process the data. However, the latency of those round trips is unacceptable for many situations.
73
Fog computing
Fog computing is almost the same thing as edge computing. The primary difference is that fog computing uses a network close to the device and may have multiple nodes sensing and processing data within the fog network. In contrast, edge computing stores and processes the data on single nodes or appliances.
74
Deploying Mobile Devices Securely
Mobile devices represent significant challenges for organizations today. Organizations need to determine if employees can connect mobile devices to the network. If so, organizations need to identify methods to manage the security related to the devices, monitor the devices, and enforce security policies.
75
Corporate-owned. Mobile device
Corporate-owned. In this traditional deployment model, the organization purchases devices and issues them to employees.
76
COPE Mobile device
COPE (corporate-owned, personally enabled). COPE is similar to the traditional corporate-owned model, but the primary difference is that employees are free to use the device as if it were their personally owned device. This allows employees to use the devices for personal activities in addition to connecting them to the organization's network. Because the organization owns the devices, they are easier to manage.
77
BYOD
BYOD (bring your own device). Some organizations allow employees to bring their own mobile devices to work and attach them to the network. Employees are responsible for selecting and supporting the device, and they typically must comply with a BYOD policy when connecting their device to the network. While this is simple for the employees, it is sometimes referred to as bring your own disaster among IT professionals. Because employees can have any possible device, the IT department often winds up supporting, monitoring, and managing those devices to some extent.
78
CYOD
CYOD (choose your own device). To avoid some of the challenges related to supporting any possible mobile device, some organizations create a list of acceptable devices and publish the list in a CYOD policy. Employees can purchase devices on the list and bring them to work. This gives the IT department a specific list of devices to support, monitor, and manage. Some people confuse CYOD with COPE. In the COPE model, the organization purchases the device and may give the employees a choice of different devices. In the CYOD model, the employee purchases the device.
79
Connection Methods and Receivers
Cellular. Smartphones (and many tablets) include the ability to connect to a cellular network, such as a long-term evolution (LTE), fourth generation (4G), or 5G network.
Wi-Fi.
Bluetooth.
80
MDM Mobile device management
Mobile device management (MDM) includes the technologies used to manage mobile devices. The goal is to ensure these devices have security controls in place to keep them secure.
81
UEM
Unified endpoint management. Some vendors sell unified endpoint management (UEM) solutions to manage mobile devices.
82
embedded system
An embedded system is any device that has a dedicated function and uses a computer system to perform that function. It includes any device in the Internet of Things (IoT) category, such as wearables and home automation systems. Some embedded systems use a system on a chip (SoC).
83
IoT
The Internet of Things (IoT) refers to a wide assortment of technologies that interact with the physical world. They commonly have embedded systems and typically connect to a central device or app and communicate via the Internet, Bluetooth, or other wireless technologies.
84
ICS
Industrial control system. An industrial control system (ICS) typically refers to systems within large facilities such as power plants or water treatment facilities.
85
SCADA
Supervisory control and data acquisition. A supervisory control and data acquisition (SCADA) system typically controls an ICS by monitoring it and sending it commands. Ideally, these systems are protected within isolated networks that can't access the Internet. Put another way, as long as that isolation holds, attackers on the Internet can't reach the SCADA system or the ICS. Common uses of ICS and SCADA systems include:
- Manufacturing and industrial
- Facilities
- Energy
- Logistics
86
SoC
One key component of embedded systems is the system-on-chip (SoC). An SoC integrates many components of a computer system onto a single chip, including a processor, memory, input/output interfaces, and other components. This integration enables embedded systems to be compact and power-efficient while still providing the necessary computing power for their specific applications. SoCs are often customized for specific applications, meaning that they are designed and built specifically for a particular embedded system.
87
RTOS
Real-time operating system. Another key component of embedded systems is the real-time operating system (RTOS). An RTOS is a specialized operating system designed for embedded systems that require precise timing and deterministic behavior. RTOSs provide real-time scheduling, which means they can guarantee that certain tasks will be completed within a specific timeframe. This is critical for many embedded systems, such as medical devices and automotive systems, where timing is crucial for safety and reliability. RTOSs are also designed to be efficient and lightweight, with a small memory footprint and low processing overhead, making them well suited for embedded systems with limited resources.
88
Embedded System Constraints
Compute. The computing ability of embedded systems is typically limited compared with full computing systems. Because they are small, they don't have full CPUs.
Cryptographic limitations. With limited processing power, embedded systems can't use all cryptographic protocols. If designers sacrifice security by not encrypting data, they may inadvertently create vulnerabilities.
Power. Embedded devices often don't have their own power supplies but instead draw power from the parent device. In some cases, devices must use batteries that occasionally need to be replaced. This conflicts with computing capability: stronger computing ability draws more power and requires batteries to be replaced more often.
Cost. The cost of the device can be minimized by sacrificing features such as security; adding features increases the cost. Balancing cost against the desired features can be a point of contention between management and designers.
Inability to patch/patch availability. Unlike most endpoint devices such as desktops and mobile devices, it often isn't possible to patch embedded systems. Vendors don't always include methods to patch devices, and even if they do, they don't always write and release patches in a timely manner.
Ease of development