Securing Hosts & Data Flashcards
Trusted OS
Trusted OS
- Meets set of requirements (Common Criteria) with emphasis on authentication/authorization
- Ensures only authorized personnel can access/modify data based on permissions
- Helps prevent malware infections
- Uses MAC (Mandatory Access Control)
chroot
chroot
- Linux command to create a sandbox
- Changes the root directory for an application, isolating it
FDE
FDE
Full Disk Encryption
SED
SED
Self Encrypting Drive
UEFI
UEFI
- Replacement for BIOS on newer systems
- Boot from larger disks
- CPU independent
TPM
TPM
Trusted Platform Module
- HW chip that stores keys for encryption
- Many laptops ship with one
- Cannot be added later
- Provides full disk encryption
- Secure boot: checks key files against signatures stored in the TPM; blocks boot if they have been modified
- Remote attestation: like secure boot, but checks files and sends a report to a remote system, which verifies it
- TPM ships with an RSA private key burned into it (asymmetric encryption); hardware root of trust
- Bitlocker enables TPM
- Chip embedded into the motherboard
HSM
HSM
Hardware Security Module
- Device that can be added to a system to manage, generate, and securely store keys (for multiple devices)
- Provides hardware root of trust
- Secure boot
- Optional remote attestation
- Removable or external device
SaaS
SaaS
- Software as a Service
- e.g., Gmail
- Least customer maintenance or security responsibility
PaaS
PaaS
- Platform as a Service
- Fully managed platform, such as hosting a website on a virtual server with the OS installed and kept up to date by the provider
- Middle customer maintenance or security responsibility
IaaS
IaaS
Infrastructure as a Service
- Access to hardware in a self-managed platform
- Most customer maintenance or security responsibility
CASB
- List functions
CASB
Cloud Access Security Broker
- Security as a Service
- Monitors traffic between the organization's network and the cloud provider
- Enforces security policies
Functions
- Visibility into application use (list apps in use)
- Data security (verify encrypted data transfers)
- Verify compliance with standards
- Monitoring and identification of threats
COPE
COPE
Corporate Owned, Personally Enabled
- Mobile device deployment model
- Device owned by the organization
- Can be used for personal purposes
BYOD
BYOD
Bring Your Own Device
- Mobile device deployment model
CYOD
CYOD
Choose Your Own Device
- Mobile device deployment model
- List of approved devices that can connect to the network
VDI
VDI
- Mobile device deployment model
- Access virtual desktop from mobile device