Chapter 5: Securing Hosts and Data Flashcards
_____ _____ is a core secure system design principle. It states that systems should be deployed with only the applications, services, and protocols they need to function.
Least functionality
A _____ operating system meets a set of predetermined requirements such as those defined in the Common Criteria. It typically uses the mandatory access control (MAC) model.
trusted
A _____ _____ provides a secure starting point for systems. They are typically created with templates or other baselines to provide a secure starting point for systems. Integrity measurement tools detect when a system deviates from the baseline.
master image
_____ _____procedures ensure operating systems and applications are kept up to date with current patches. This ensures they are protected against known vulnerabilities.
Patch management
_____ _____ policies define the process for making changes and help reduce unintended outages from changes.
Change management
Application _____ allows authorized software to run, but blocks all other software. Application_____ blocks unauthorized software, but allows other software to run.
whitelisting
blacklisting
_____ provides a high level of flexibility for testing security controls and testing patches. Youcan create sandboxes in virtual machines (VMs) and with the chroot command on Linux systems.
Sandboxing
___ ____ comes from sources such as
motors, power lines, and fluorescent lights and can be prevented with shielding.
Electromagnetic interference (EMI)
___ ___ is a short burst of electromagnetic energy. Mild forms such as electrostatic discharge and lightning can be prevented but EMP damage from military weapons may not be preventable.
Electromagnetic pulse (EMP)
___ _____ _____ encrypts an entire disk. A self- encrypting drive (SED) includes the hardware and software necessary to automatically encrypt a drive.
Full disk encryption (FDE)
A _____ _____ _____ is a chip included with many laptops and some mobile devices and it provides full disk encryption, a secure boot process, and supports remote attestation. They have an encryption key burned into them that provides a hardware root of trust.
Trusted Platform Module (TPM)
A _____ _____ _____ is a removable or external device used for encryption. An HSM generates and stores RSA encryption keys and can be integrated with servers to provide hardware-based encryption.
hardware security module (HSM)
___ __ __ ____includes web-based applications such as web-based email.
Software as a Service (SaaS)
____ __ __ ____ provides hardware resources via the cloud. It can help an organization limit the size of their hardware footprint and reduce personnel costs.
Infrastructure as a Service (IaaS)
____ ___ ___ _____ provides an easy-to-configure operating system and on- demand computing for customers.
Platform as a Service (PaaS)
A ____ ____ ____ ____ is a software tool or service deployed between an organization’s network and the cloud provider. It monitors all network traffic and can enforce security policies acting as Security as a Service.
cloud access security broker (CASB)
____-____, ____ ____ mobile devices are owned by the organization, but employees can use them for personal reasons.
Corporate-owned, personally enabled (COPE)
___ ___ ___ ___ policies allow employees to connect their mobile device to the organization’s network.
Bring your own device (BYOD)
____ ____ ____ ____ policies include a list of acceptable devices and allow employees with one of these devices to connect them to the network.
Choose your own device (CYOD)
A ___ ___ ____ is a virtual desktop and these can be created so that users can access them from a mobile device.
virtual desktop infrastructure (VDI)
_____ devices can connect to the Internet, networks, and other devices using cellular, wireless, satellite, Bluetooth, near field communication (NFC), ANT, infrared, and USB connections.
Mobile
____ ____ ____ tools help ensure that devices meet minimum security requirements. They can monitor devices, enforce security policies, and block network access if devices do not meet these requirements.
Mobile device management (MDM)
_____ ____ ____ tools can restrict applications on devices, segment and encrypt data, enforce strong authentication methods, and implement security methods such as screen locks and remote wipe.
Mobile device management (MDM)
A ____ ____ is like a password-protected screen saver on desktop systems that automatically locks the device after a period of time. A ____ ____ signal removes all the data from a lost phone.
screen lock
remote wipe
______ uses Global Positioning System (GPS) to identify a device’s location.______ uses GPS to create a virtual fence or geographic boundary. Organizations use this to enable access to services or devices when they are within the boundary, and block access when they are outside of the boundary.
Geolocation
Geofencing
_____ uses GPS to add geographical information to files (such as pictures) when posting them on social media sites.
Geotagging
A ____-_____ app store is something other than the primary store for a mobile device. Apple’s App Store is the primary store for Apple devices. Google Play is a primary store for Android devices.
third-party
_____ removes all software restrictions on Apple devices. Rooting provides users with root-level access to an Android device. Custom firmware can also root an Android device. MDM tools block network access for jailbroken or rooted devices.
Jailbreaking
_____ is the process of copying an application to an Android device instead of installing it from an online store.
Sideloading
A _______ cable allows you to connect mobile devices.
Universal Serial Bus On-The-Go (USB OTG)
_____ allows one mobile device to share its Internet connection with other devices. Wi-Fi Direct allows you to connect devices together without a wireless router.
Tethering
An_____ system is any device that has a dedicated function and uses a computer system to perform that function. A security challenge with these systems is keeping them up to date.
embedded
Embedded systems include smart devices sometimes called the ___ ___ ___, such as wearable technology and home automation devices.
Internet of things (IoT)
A ___ __ __ ____ is an integrated circuit that includes a full computing system.
system on a chip (SoC)
A supervisory control and data acquisition (SCADA) system controls an industrial control system (ICS). The ICS is used in large facilities such as _____ ____or ____ ____. SCADA and ICS systems are typically in _____ networks without access to the Internet, and are sometimes protected by network intrusion prevention systems (NIPSs).
power plants or water treatment facilities
isolated
A ____-____ ____ ____ is an operating system that reacts to input within a specific time.
real-time operating system (RTOS)
The primary method of protecting the confidentiality of data is with _____ and strong ____ ____. File system security includes the use of encryption to encrypt files and folders.
encryption
access controls
Users should be given only the_____ they need. When they have too much access, it can result in access violations or the unauthorized access of data.
permissions
You can use the _____ command to change permissions on a Linux system.
chmod
____ ____ is the unauthorized transfer of data outside an organization.
Data exfiltration
____ _____ ____ techniques and technologies help prevent data loss. They can block transfer of data to USB devices and analyze outgoing data via email to detect unauthorized transfers. Cloud-based systems can enforce security policies for any data stored in the cloud.
Data loss prevention (DLP)
