Lesson 12 - Implementing Host Security Solutions

Question 1

A cryptographic module embedded within a computer system that can endorse trusted execution and attest to boot settings and metrics.

Answer 1

hardware Root of Trust (RoT)

Question 2

A specification for hardware-based storage of digital certificates, keys, hashed passwords, and other user and platform identification information.

Answer 2

trusted platform module (TPM)
Each TPM is hard-coded with a unique, unchangeable asymmetric private key called the endorsement key. This endorsement key is used to create various other types of subkeys used in key storage, signature, and encryption operations.

Question 3

A type of system firmware providing support for 64-bit CPU operation at boot, full GUI and mouse operation at boot, and better boot security.

Answer 3

unified extensible firmware interface (UEFI)

Question 4

A UEFI feature that prevents unwanted processes from executing during the boot operation.

Answer 4

Secure boot
Secure boot requires UEFI, but does not require a TPM.

Question 5

A UEFI feature that gathers secure metrics to validate the boot process in an attestation report.

Answer 5

Measured Boot

Question 6

Report of boot state integrity data that is signed by a tamper-proof TPM key and reported to a network server.

Answer 6

Boot Attestation

Question 7

Encryption of all data on a disk (including system files, temporary files, and the pagefile) can be accomplished via a supported OS, thirdparty software, or at the controller level by the disk device itself.

Answer 7

Full disk encryption (FDE)
Disk encryption can be applied to both hard disk drives (HDDs) and solid state drives (SSDs).
FDE requires the secure storage of the key used to encrypt the drive contents.
One of the drawbacks of FDE is that, because the OS performs the cryptographic operations, performance is reduced.

Question 8

A disk drive where the controller can automatically encrypt data that is written to it.

Answer 8

Self-Encrypting Drives (SED)
the cryptographic operations are performed by the drive controller. The SED uses a symmetric data/media encryption key (DEK/MEK) for bulk encryption and stores the DEK securely by encrypting it with an asymmetric key pair called either the authentication key (AK) or key encryption key (KEK). Use of the AK is authenticated by the user password. This means that the user password can be changed without having to decrypt and re-encrypt the drive.

Question 9

In storage encryption, the private key that is used to encrypt the symmetric bulk media encryption key (MEK). This means that a user must authenticate to decrypt the MEK and access the media.

Answer 9

Key Encryption Key (KEK)

Question 10

Standards for implementing device encryption on storage devices.

Answer 10

Opal

Question 11

Product life cycle phase where sales are discontinued and support options reduced over time.

Answer 11

End of Life (EOL)

Question 12

Product life cycle phase where support is no longer available from the vendor.

Answer 12

End of Service Life (EOSL)

Question 13

Usually a preliminary or exploratory agreement to express an intent to work together that is not legally binding and does not involve the exchange of money.

Answer 13

Memorandum of understanding (MOU)

Question 14

Agreement by two companies to work together closely, such as the partner agreements that large IT companies set up with resellers and solution providers.

Answer 14

Business partnership agreement (BPA)

Question 15

Legal basis for protecting information assets.

Answer 15

Nondisclosure agreement (NDA)

Question 16

Operating procedures and standards for a service contract.

Answer 16

Service level agreement (SLA)
A contractual agreement setting out the detailed terms under which a service is provided.

Question 17

Evaluates the data collection and statistical methods used by a quality management process to ensure they are robust.

Answer 17

Measurement systems analysis (MSA)

Question 18

The process of making a host or app configuration secure by reducing its attack surface, through running only necessary services, installing monitoring software to protect against malware and intrusions, and establishing a maintenance schedule to ensure the system is patched to be secure against software exploits.

Answer 18

hardening
bastian system*

Question 19

A small unit of supplemental code meant to address either a security problem or a functionality flaw in a software package or operating system.

Answer 19

patches

Question 20

Identifying, testing, and deploying OS and application updates. Patches are often classified as critical, security-critical, recommended, and optional.

Answer 20

patch management

Question 21

A software agent that collects system data and logs for analysis by a monitoring system to provide early detection of threats.

Answer 21

Endpoint Detection and Response (EDR)

Question 22

A computer system that is designed to perform a specific, dedicated function, such as a microcontroller in a medical drip or components in a control system managing a water treatment plant.

Answer 22

Embedded System

Question 23

A type of computer designed for deployment in an industrial or outdoor setting that can automate and monitor mechanical systems.

Answer 23

programmable logic controller (PLC).

Question 24

A processor that integrates the platform functionality of multiple logical controllers onto a single chip.

Answer 24

System on chip (SoC)
This type of packaging saves space and is usually power efficient, and so is very commonly used with embedded systems.

Question 25

Open-source platform producing progammable circuit boards for education and industrial prototyping.

Answer 25

Raspberry Pi

Question 26

Open-source platform producing progammable circuit boards for education and industrial prototyping.

Answer 26

Arduino

Question 27

A processor that can be programmed to perform a specific function by a customer rather than at the time of manufacture.

Answer 27

Field Programmable Gate Array (FPGA)

Question 28

A type of OS that prioritizes deterministic execution of operations to ensure consistent response for time-critical tasks.

Answer 28

Real-Time Operating Systems (RTOS)

Question 29

The chip and firmware in a smartphone that acts as a cellular modem.

Answer 29

Baseband Radio
Cellular Networks

Question 30

A small chip card that identifies the user and phone number of a mobile device, via an International Mobile Subscriber Identity (ISMI).

Answer 30

subscriber identity module (SIM)

Question 31

Low-power wireless communications protocol used primarily for home automation. Z-Wave uses radio frequencies in the high 800 to low 900 MHz and a mesh topology.

Answer 31

Z-Wave
Z-Wave uses ~900 Mhz frequencies.

Question 32

Low-power wireless communications open source protocol used primarily for home automation. ZigBee uses radio frequencies in the 2.4 GHz band and a mesh topology.

Answer 32

Zigbee
Zigbee uses the 2.4 GHz frequency band.

Question 33

A network managing embedded devices (computer systems that are designed to perform a specific, dedicated function).

Answer 33

Industrial Control Systems (ICSs)

Question 34

Input and output controls on a PLC to allow a user to configure and monitor the system.

Answer 34

Human-Machine Interfaces (HMIs)

Question 35

Software that aggregates and catalogs data from multiple sources within an industrial control system.

Answer 35

Data Historian

Question 36

A type of industrial control system that manages large-scale, multiple-site devices and equipment spread over geographically large areas.

Answer 36

Supervisory Control and Data Acquisition (SCADA)

Question 37

Devices that can report state and configuration data and be remotely managed over IP networks.

Answer 37

Internet of Things (IoT)

Question 38

Components and protocols that facilitate the centralized configuration and monitoring of mechanical and electrical systems within offices and data centers.

Answer 38

Building Automation System (BAS)

Question 39

A utility meter that can submit readings to the supplier without user intervention.

Answer 39

Smart Meters

Question 40

a network of monitored locks, intruder alarms, and video surveillance.

Answer 40

Physical Access Control System (PACS)

Question 41

A physical security control that uses cameras and recording devices to visually monitor the activity in a certain area.

Answer 41

Video Surveillance

Question 42

Any device that performs more than one function, but typically print devices that can also scan and fax.

Answer 42

Multifunction Printers (MFPs)

Question 43

A serial network designed to allow communications between embedded programmable logic controllers.

Answer 43

CAN bus
controller area network (CAN).