Installation and Deployment Flashcards
According to ITIL, the goal of configuration management is
To enable the control of the infrastructure by monitoring and maintaining information on all the resources that are necessary to deliver services.
Some of the necessary pre- and post-installation configuration management security considerations include:
Hardening; Environment Configuration; Release Management; Bootstrapping and Secure Startup.
Hardening includes the processes of
Locking down a system to the most restrictive level so that it is secure.
Hardening is effective in its
Defense against vulnerabilities that result from insecure, incorrect, or default system configurations.
An MSB is set up to comply with
Minimum Security Baselines (MSBs) are set up to comply with the organizational security policies and help in supporting the organization's risk management efforts.
Hardening of software involves
Setting the necessary and correct configuration settings and architecting the software to be secure by default.
Some of the common examples of security misconfigurations include:
Hard coding credentials and cryptographic keys inline in code or in configuration files in cleartext; Not disabling the listing of directories and files in a web server; Installation of software with default accounts and settings; Installation of the administrative console with default configuration settings; Installation or configuration of unneeded services, ports and protocols, unused pages, and unprotected files and directories; Missing software patches; Lack of perimeter and host defensive controls such as firewalls, filters, etc.; Enabling tracing and debugging can lead to attacks on confidentiality assurance.
Examples of software hardening (code centric) include:
Removal of maintenance hooks before deployment; Removal of debugging code and flags in code; Modifying the instrumentation of code to not contain any sensitive information.
Hardening is a very important process in which phase of software development?
Hardening is a very important process in the installation phase of software development and proper attention must be given to it.
In order for the software to function, it is granted administrative rights when installed. Which security principles are violated?
Least privilege (granted administrative rights); defense in depth (enabling disabled services, ports and protocols); separation of duties (when operations personnel allow developers access to production systems to install software)
Additional configuration considerations include:
Test and default accounts need to be turned off; Unnecessary and unused services need to be removed in all environments; Access rights need to be denied by default and granted explicitly even in development and test environments.
Release management is the process of
Ensuring that all changes that are made to the computing environment are planned, documented, thoroughly tested and deployed with least privilege, without negatively impacting any existing business operations, customers, end-users or user support teams.
To manage software configuration management properly, one of the first things to do is to
Document and maintain the configuration information in a formal and structured manner.
The implementation, documentation, tests, project-related documentation, and tools (including build tools) are maintained in a configuration management system (CMS), as required by which standard?
ISO/IEC 15408 (Common Criteria)
Booting or bootstrapping
The sequences of events and processes that self-start the system to a preset state.