Chapter 7 - Software Deployment, Operations, Maintenance, Disposal Flashcards
What do you need to do with software to ensure it continues to function as expected after deployment?
Monitor it.
Address incidents that impact the software
Patch vulnerabilities
Identify the conditions under which the software should be replaced
What is the goal of configuration management according to ITIL?
To enable the control of the infrastructure by monitoring and maintaining information on all the resources that are necessary to deliver services.
What are the pre- and post-installation security configuration management considerations?
Hardening
Enforcement of security principles
Environment configuration
Bootstrapping and secure startup
What is hardening?
The process of securing the host hardware and operating system, securing it to the most appropriate level for its purpose.
What is an MSB?
Minimum Security Baseline.
What are some common security misconfigurations?
Hard coded credentials or keys, especially in plain text
Allowing directory listings in a web server
Installing software with default accounts or settings
Installing an administrative console with default configuration settings
Unneeded services, ports, protocols, unused pages, unprotected directories.
Missing software patches
No perimeter controls, such as firewalls and filters
Enabling tracing and debugging, which can reveal sensitive state information to an attacker.
What are some methods for hardening software?
Remove maintenance hooks
Remove debugging code and flags
Remove unneeded comments and sensitive information from code
Why shouldn’t developers install software on production systems?
It violates the principle of separation of duties.
Why is granting administrative rights to software during installation a problem?
It violates least privilege.
Describe defense in depth violations in software installation
Enabling disabled services, ports, and protocols so software can run.
What is the pdb file?
The Program Database File holds debugging and project state information. It is used to link the debug configuration of the program incrementally, but can be used to discover the internal workings of the software.
What is a CMDB?
Configuration Management Database. It records all the assets in the organization. ISO/IEC 15408 (Common Criteria) requires that the implementation, documentation, tests, project-related documentation, and tools, including build tools, are maintained in a configuration management system (CMS).
What is booting or bootstrapping?
The sequence of events and processes that self-start the system to a preset state. Also called IPL.
What is IPL?
Initial Program Load. Synonymous with bootstrapping.
What is POST?
Power On Self Test.
The first step in bootstrapping/IPL. Needs to be protected so the TCB is maintained.
What is secure startup?
The collection of processes and mechanisms that assure the environment’s TCB integrity when the system or software running on the system starts. It is usually implemented using the hardware’s trusted platform module (TPM) chip, which provides heightened tamperproof data protection during startup.
What is TPM?
Trusted Platform Module.
The chip can be used for storing cryptographic keys and providing identification information on mobile devices for authentication and access management. Physically, the TPM chip is located on the motherboard and is commonly used to create a unique system fingerprint within the boot process.
Describe how acceptable risk and residual risk should interplay.
The level of residual risk in an installation should be below the level of acceptable risk, unless that risk has been formally accepted.
What are detective controls?
Controls that build historical evidence of user and system/process actions.
Auditing and IDS.
What are preventive controls?
Controls that make the success of the attacker difficult.
Input validation, output encoding, bounds checking, patching, and intrusion prevention systems (IPS)
What are deterrent controls?
Controls that dissuade an attacker without actually preventing the action.
Auditing.