Securing Hosts & Data

Question 1

Trusted OS

Answer 1

Trusted OS

• Meets set of requirements (Common Criteria) with emphasis on authentication/authorization
• Ensures only authorized personnel can access/modify data based on permissions
• Helps prevent malware infections
• Uses MAC (Mandatory Access Control)

Question 2

chroot

Answer 2

chroot

• linux command to create sandbox
• Changes root directory for application, isolating it

Question 3

FDE

Answer 3

FDE

Full Disk Encryption

Question 4

SED

Answer 4

SED

Self Encrypting Drive

Question 5

UEFI

Answer 5

UEFI

• Replacement for BIOS on newer systems
• Boot from larger disks
• CPU independent

Question 6

TPM

Answer 6

TPM
Trusted Platform Module
-HW chip that stores keys for encryption
-Many laptops ship with
-Cannot add later
-Provides full disk encryption
-Secure boot - checks key files against signatures stored in TPM; blocks boot if modified
-Remote attestation - like secure boot, but checks files and sends report to remote system, which verifies
-TPM ships with RSA private key burned into it - asymmetric encryption - hardware root of trust
-Bitlocker enables TPM
-Chip embedded into motherboard

Question 7

HSM

Answer 7

HSM
Hardware Security Module
-Device that can be added to system to manage, generate, securely store keys (for multiple devices)
-Provides hardware root of trust
-Secure boot
-Optional remote attestation
-Removable or external devices

Question 8

SaaS

Answer 8

SaaS

• Software as a Service
• ie, gmail
• Least customer maintenance or security responsibility

Question 9

PaaS

Answer 9

PaaS

• Platform as a Service
• Fully managed platform, like host website on virtual server with OS installed and kept up to date by provider
• Middle customer maintenance or security responsibility

Question 10

IaaS

Answer 10

IaaS
Infrastructure as a Service
-Access to hardware in a self-managed platform
-Most customer maintenance or security responsibility

Question 11

CASB

-List functions

Answer 11

CASB
Cloud Access Security Broker
-Security as a Service
-Monitors traffic between org's network and cloud provider
-Ensures security policies

Functions

• Visibility into application use (list apps in use)
• Data security (verify encrypted data transfers)
• Verify compliance with standards
• Monitoring and identification of threats

Question 12

COPE

Answer 12

COPE
Corporate Owned, Personally Enabled
-Mobile device deployment model
-Device owned by org
-Can use for personal

Question 13

BYOD

Answer 13

BYOD
Bring Your Own Device
-Mobile device deployment model

Question 14

CYOD

Answer 14

CYOD
Choose Your Own Device
-Mobile device deployment model
-List of approved devices that can connect to network

Question 15

VDI

Answer 15

VDI

• Mobile device deployment model
• Access virtual desktop from mobile device

Question 16

MDM

Answer 16

MDM
Mobile Device Management
-Ensure devices have security controls
-Application management - restrict apps
-Full device encryption
-Storage segmentation - corporate data in encrypted segment
-Content management - ensure all content retrieved from organization source is stored in encrypted segment
-Containerization -encrypt container app run in
-Enforce strong authentication
-Block network access for jailbroken or rooted devices
-Disable camera and microphone
-Prevent use of external media and USB On-The-Go
-Block other internet connections like tethering, wifi direct
-Block cellular carrier unlocking

Question 17

Sideloading

Answer 17

Sideloading

• Copy app package in APK format to device and activate
• Device must be set to allow apps from unknown sources
• Useful for developers testing apps, otherwise risky

Question 18

SCADA

Answer 18

SCADA

-Embedded systems that control industrial control systems (ICS)

Question 19

DLP

Answer 19

DLP
Data Loss Prevention
-Monitors outgoing data
-Block USB
-Prevent users from copying or printing files with specific contents
-Log events
-Alert admins