Operating System Security 3.3 Flashcards
Operating System Types
Appliances - Some OS’s are designed specifically for a purpose. Usually they are minimal and unseen by the user.
Kiosks - Other OS’s are designed for public use like a kiosk. The OS is tightly locked down.
Mobile - OS’s are designed for touch screen phones and tablets. Optimized for mobile hardware.
Patch Management
Incredibly important, must always have the very latest version of these patches. Security problems can only be fixed by these. Occasionally you will deal w/ service packs which are large packages of patches together. Other updates will be monthly, and others weekly. Generally they will be on a predictable schedule in order for security teams to work around these time frames. Urgent/critical updates will be patched asap no matter the timeframe.
Update Options
Windows Update - Can be managed through Windows Server Update Services (WSUS) which is a centralized management system for Windows devices. Mac OS will have Software Update under the Apple Menu however newer Apple devices will integrate them into the App Store so it will be through the App Store instead. Linux will have multiple options.
The Patching Process
May take planning because patching can fix some problems while creating others. In some cases you will not want to deploy every single patch. You always want to get the security related ones. This will be centrally managed on your update server and after you complete your testing of the patches, you can tell the server to roll out the patches.
Disabling Unnecessary Services
Every service on you system has the potential for trouble. It’s not easy to tell which services are necessary. Windows 7 had 130 default services while Windows 10 has over 240. You will have to do research to figure out which ones you can disable and which are needed. Sometimes it will take trial and error to figure out. Third party websites will not always be reliable.
Controlled Functionality
To reduce your security risks, you want to reduce your potential security risks. Over time you will fine tune your system configs to make it very secure.
Evaluation Assurance Level (Common Criteria)
Known as the “Common Criteria for Information Technology Security Evalutation”, the categorizing of what a secure OS looks like has already been documented. This is an international standard. They are measured in EAL 1 thru 7. EAL 4 is the most accepted minimum level.
International Security Standard - ISO/IEC 15408
App White/Black Listing
All apps can become vulnerable. You can set security polices to control if these app will execute on your systems. Whitelisting is very restrictive, Blacklisting is to stop some known bad apples and more liberal.
Whitelisting Methods
The OS has some built in system management options.
You can set your system to only allow applications with a unique hash identifier.
The same goes for certificates, the only allowed apps will have a specific certificate.
You can also only allow apps to run for a specific file path on the computer.
Additionally you can only allow apps to run on network from a specific area of that network.
Disable Unnecessary Accounts
All OS’s contain multiple user accounts. Guest accounts, root accounts, mail accounts, etc. These can be disabled/removed.