Chapter 5 - Securing Hosts and Data Flashcards
Virtualization
Popular technology used within data centers that allows you to host one or more systems, or virtual machines (VMs), on a single physical system.
You can host an entire virtual network on a single physical system today which helps many organizations reduce costs.
Hypervisor
The software that creates, runsd and manages the VMs.
Example virtualization technologies: VMware products, Microsoft Hyper-V products, Oracle VM VirtualBox.
Host
The physical system hosting the VMs is the host.
Requires more resources than a typical system such as multiple processors, massive amounts of RAM, fast and abundant hard drive space and one or more fast network cards.
*Though these result in increased cost of the host it is still less expensive than paying for multiple physical systems, with less cooling and physical space as well.
Guest
Operating systems running on the host system are guests or guest machines. Most hypervisors support 32 and 64 bit OS’s.
Host scalability
Refers to the ability to resize the computing capacity of the VM by assigning it more memory, processors, disk space or network bandwidth.
Scalability is a manual process and often requires a reboot. An admin would usually manually change the resources assigned to the VM.
Host elasticity
Elasticity refers to the ability to dynamically change resources assigned to the VM based on the load.
EX: A VM has increased traffic. Monitoring software senses this increased load and automatically increases the VM resources to handle it without a reboot.
Thin client
A computer with enough resources to boot and connect to a sever to run specific applications or desktops.
A server is a powerful computer located onsite or in the cloud, supporting multiple thin clients.
VDI
Virtual desktop infrastructure hosts a user’s desktop OS on a server.
Traditional computers typically access VDIs within a network, it’s possible to deploy a VDI that users can access with their mobile device, allowing users to access applications installed on their desktop.
When organizations host a remote access solution like a VPN, users can access the mobile VDI from anywhere they have internet access.
Containers
Container virtualization runs services or applications within isolated containers or application cells.
-Containers don’t host an entire OS
-The host’s OS and kernel run the isolated service or app within each of the containers
-Because they are running in separate containers, none of the services or apps can interfere with services and apps in other containers
*Benefit of using container virtualization is it uses fewer resources and can be more efficient than a system using a traditional Type II hypervisor virtualization. ISPs often use it for customers who need specific applications.
-One drawback is containers must use the OS of the host.
VM Escape
An attack that allows an attacker to access the host system from within the virtual system. The host runs an application or process called a hypervisor to manage the virtual systems, and in some situations an attacker can rude code on the virtual system and interact with the hypervisor.
*Most virtual systems run on a physical server with elevated privileges, similar to administrator privileges. A successful VM escape attack often gives the attacker unlimited control over the host system and each virtual system within the host.
VM Sprawl
Occurs when an organization has many VMs that aren’t appropriately managed, and aren’t using a change management process in keeping servers up to date.
If an employee creates a VM and never told IT or anyone else, if the vendor releases a patch and IT applies it to all of their known servers, the extra VM would remain unpatched and vulnerable.
VM sprawl also adds additional load onto a server. If personnel add unauthorized VMs to physical servers, they can consume system resources and make the servers slow or eventually crash.
Replication
VIRTUAL MACHINES ARE SIMPLY FILES.
Because the VM is a group of files, it becomes relatively easy to replicate a VM bu copying the files from one physical server to another. If the original VM is damaged, the replicated VM can be used as a backup.
*Replication makes it easy to restore a failed virtual server. If you create a backup of the virtual server files and the original server fails, you simply restore the files and will be back up in minutes vs hours on a physical server.
Snapshots
Provide you with a copy of a VM at a moment in time, which you can use as a a backup. The hypervisor keeps a record of all changes to the VM after taking a snapshot. If the VM develops a problem you can revert the VM to the state it was in when you took the snapshot.
*Admins often take snapshots of a system prior to performing a risky operation like applying patches or updates, testing security controls or installing new apps.
Non-Persistence
In a persistent virtual desktop, each user has a custom desktop image, and users can customize them and save their data within the desktop. One drawback is it increases the amount of disk space required on the server to support unique desktop images for all users.
Virtual desktops that support non-persistence serve the same desktop for all users, and when users access the remote server it provides a desktop OS from a preconfigured snapshot. Users can make changes to the desktop while they’re using it but it reverts to a known state (the original snapshot) when they log iff.
EDR and ETDR
Endpoint Detection and Response or Endpoint Threat Detection and Response, provide continuous monitoring of endpoints. Part of a defense in depth strategy, they perform a deep investigation of all activity on endpoints. Commonly include anti-malware, HIDS, and app block/allow lists.
Hardening systems
Making an OS or application more secure from its default installation. Eliminates vulnerabilities from default configurations, misconfigurations and weak configurations.
Systems should only have the applications, protocols and services they need to meet their purpose. When you disable or close a port on a system, you disable the related protocol or service.
Also uninstall unneeded software, as software frequently have bugs and vulnerabilities. Disk encryption and modifying Registry are also common methods.
Master image
A master image is often used for baseline configurations and provides a secure starting point for systems. Admins can create them with templates or with other tools to create a secure baseline, then use integrity measurements to discover when a system deviates from the baseline
MDM
Mobile Device Management applications use application allow lists and block lists to allow or block apps on mobile devices.
API
Application Programming Interface is a software component that gives developers access to features or data within another application, service, or an OS. It’s common for developers to use APIs with web applications, IoT devices and cloud-based services.
APIs are susceptible to attacks and developers need to ensure they aren’t vulnerable to common exploits by using:
1. Authentication.
2. Authorization. Devs should have one level of access, users another.
3. Transport level security. API should use strong security like TLS when transferring any traffic over the internet.
Microservices
Code modules designed to do one thing well, typically small code modules that receive a value and respond with a value, such as tracking ID generating tracking ID, which Amazon likely uses different shippers for.
FDE
Full Disk Encryption encrypts an entire disk. Several applications are available to do this such as Veracrypt, which is open soure.
SED
Self-Encrypting Drive. Many hardware vendors now manufacture these, which include encryption circuitry built into the drive, allowing users to enter credentials when they set up the drive.
OPAL = set of specifications for SEDs.
Measured boot
Boot integrity process = verifying the integrity of the OS and boot loading systems, ie verifying that key OS files haven’t been changed.
MEASURED BOOT goes through enough of the boot process to perform these checks without allowing a user to interact with the system, and if detects that the system has lost integrity and can no longer be trusted the system won’t boot.
BIOS
Basic Input/Output System includes software that provides a computer basic instructions on starting.
Runs some basic checks, locates the OS, and boots.
Is a hardware chip you can physically see and touch, and includes software that executes code on the computer - ie it is firmware.
UEFI
Unified Extensible Firmware Interface, newer, used instead of BIOS. UEFI performs many of the same functions as BIOS but provides some enhancements, like booting from larger disks, and is designed to CPU-independent.
Both UEFI and BIOS can be upgraded using a process called flashing which overwrites the software within the chip with newer software.
TPM
Trust Platform Module, is a hardware chip on the computer’s motherboard that stores cryptographic keys use for encryption. It provides FDE and supports a secure boot process and remote attestation.
Many laptops include them but if not, it is not feasible to add one.
Once enabled, TPM provides FDE capabilities. It keeps hard drives locked or sealed until the system completes a system verification and authentication process.
TPMs are shipped with a unique RSA key burned into it to be used for asymmetric encryption and support authentication.
Privates key is matched with a public key to provide a HARDWARE ROOT OF TRUST or a known secure starting point.
An application within the OS is used to enable a TPM, ie BitLocker with Microsoft, which can detect when any critical OS files have been tampered with.
____
TPM supports secure BOOT ATTESTATION processes by capturing signatures of key files used to boot the computer and storing the signatures securely within the TPM. When the system boots, the SECURE BOOT process checks the files against the stored signatures to confirm they haven’t changed.
REMOTE ATTESTATION works like the secure boot process, however, instead of checking the boot files against the report in the TPM, it uses a separate system. The TPM while have sent the signatures of the key files to a remote system, which verifies the files are the same.
HSM
Hardware Security Module is a security device you can add to a system to manage, generate and securely store cryptographic keys.
High performing HSM’s are external network appliances using TCP/IP, while smaller HSMs come as expansion cards you install within a server or devices you plug into computer ports.
microSD HSM is a microSD card that includes a HSM.
HSMs support the security methods of a TPM, a key difference being HSMs are removable or external devices that can generate, store and manage RSA keys used in asymmetric encryption.
*Many server-based applications use an HSM to protect ketys.
DLP
Data Loss Prevention, refers to techniques and technologies to prevent data loss.
-Blocking flash drives and removable media
-Examining outgoing data
*Can direct all traffic leaving the network through an appliance that can examine the traffic, where admins configure the DLP to look for certain words, phrases or strings.
Rights Management
Refers to the technologies used to provide copyright protection for copyrighted works.
Data Exfiltration
The unauthorized transfer of data outside an organization and is a significant concern.
*The primary method of protecting the confidentiality of data is through encryption and strong access controls.
Database column encryption protects individual fields within a database, ie a table named “Customers” with the column “credit card number”.
Cloud computing
Refers to accessing computing resources via a different location than your local computer, often accessing resources through the internet or off-premises.
-You use cloud computing when using web–based email like Gmail, which is a SaaS cloud computing service. You are accessing your email via the internet but you don’t know the location of the physical server hosting your account.
Heavily utilized systems and networks often depend on cloud computing to handle increased workloads.
SaaS
Software as a Service
- SaaS delivers software applications over the internet on a subscription basis. Users access the applications through a web browser or API without needing to install or manage any software locally.
- Customers can use the software without worrying about hardware, software maintenance, or updates.
-The CSP hosts and manages the software application, including infrastructure, middleware, application software, and data.
-Customers only need to use the application.
Example: Salesforce, Microsoft Office 365.
CSP (everything):
-Data
-Applications
-Runtime
-Middleware
-Operating system
-Virtualization
-Servers
-Storage
-Networking
PaaS
Platform as a Service
- PaaS provides a platform allowing customers to develop, run, and manage applications without the complexity of building and maintaining the underlying infrastructure.
- Customers can focus on developing and deploying applications without worrying about hardware or software maintenance.
-The CSP provides a platform with development tools, middleware, databases, and operating systems, while customers are responsible for managing applications and data.
*PaaS provides customers with a fully managed platform, including hardware, operating systems, and limited applications.
Example: Google App Engine, Heroku.
CUSTOMER:
-Data
-Applications
CSP:
-Runtime
-Middleware
-Operating system
-Virtualization
-Servers
-Storage
-Networking
