
Chapter 5

Securing Hosts and Data

CompTIA Security+
Get Certified Get Ahead
By Darril Gibson

GetCertifiedGetAhead.com © 2017 YCDA, LLC


Introduction
• Implementing secure systems

• Summarizing cloud concepts

• Deploying mobile devices securely



Implementing Host Security
• Least functionality
– Disabling unnecessary services
• Improves security posture
• Reduces attack surface
• Reduces risks from open ports
– Disabling unneeded applications
– Disabling unnecessary accounts
– Keeping systems up-to-date



Secure Operating Systems
• Windows
• Mac
• Linux
– Kiosks
– Network
– Appliance
• Trusted OS
Using Master Images
• Provides a secure starting point
• Reduces costs



Secure Operating Systems
• Resiliency and automation strategies
– Automation, scripting, and templates
– Group Policy (Account Policies, Local Policies, System Services, Software Restrictions)
• Standardize system configuration
• Standardize security settings
• Enforce strict company guidelines
• Easily apply security settings to multiple computers



Secure Operating Systems
• Three steps
1. Initial baseline configuration
2. Integrity measurements for baseline deviation
3. Remediation

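The three steps as a runnable illustration. This is an added example, not from the slides or the author: it builds a constructed directory of sample config files, hashes them as the baseline, detects a deviation, and restores the deviated file from a known-good copy. It assumes GNU coreutils (sha256sum with -c); the function names are my own.

```shell
#!/bin/sh
# Added example, not from the slides: baseline, integrity measurement and
# remediation applied to a constructed directory of sample config files.
# Assumes GNU coreutils (sha256sum with -c).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/etc"                  # the files being protected
GOLD="$WORK/gold"                # known-good copy used for remediation
BASELINE="$WORK/baseline.sha256"

# Constructed sample files standing in for a hardened host's configuration.
mkdir -p "$CFG" "$GOLD"
printf 'PermitRootLogin no\nPasswordAuthentication no\n' > "$CFG/sshd_config"
printf 'Defaults requiretty\n' > "$CFG/sudoers"

# Step 1: initial baseline configuration. Hash every file and keep a copy.
take_baseline() {
    (cd "$CFG" && find . -type f | sort | xargs sha256sum) > "$BASELINE"
    cp -R "$CFG/." "$GOLD/"
}

# Step 2: integrity measurement for baseline deviation. Prints the path of
# each file whose hash no longer matches the baseline; prints nothing if none.
measure_integrity() {
    (cd "$CFG" && sha256sum --quiet -c "$BASELINE" 2>/dev/null || true) \
        | sed -n 's/: FAILED$//p'
}

# Step 3: remediation. Restore every deviated file from the known-good copy.
remediate() {
    measure_integrity | while read -r f; do
        cp "$GOLD/$f" "$CFG/$f"
    done
}

# Demonstration run: baseline, simulate an unauthorized change, detect it, fix it.
take_baseline
printf 'PermitRootLogin yes\n' >> "$CFG/sshd_config"
echo "deviated: $(measure_integrity)"                       # ./sshd_config
remediate
echo "deviated after remediation: $(measure_integrity)"     # (nothing)
```

Files added to the directory after the baseline are not reported by this check; a new baseline must be taken after every approved change.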


Implementing Secure Systems
• Patch management
– Ensure that systems are up-to-date
– Protects system against known vulnerabilities
– Test patches in a test environment that mirrors the
production environment
– Automated deployment
– Testing, deploying and verifying updates



Implementing Secure Systems
• Change management
– Helps ensure changes to IT systems do not result in unintended outages
– Provides an accounting structure or method to document all changes
– Changes are proposed and reviewed before implementation
Implementing Secure Systems
• Unauthorized software
– Can include malware

• Compliance violations
– Licenses



Whitelisting vs Blacklisting
• Application whitelisting
– Identifies authorized software for workstations,
servers, and mobile devices
– Prevents users from installing or running software
that isn’t on the list
• Application blacklisting
– A list of prohibited applications
– Prevents users from installing or running software
on the list
Secure Staging and Deployment
• Sandboxing
– Used for testing
– Isolated area on a system
• VMs
– Isolated operating system
• Chroot
– Isolated area within a Linux OS



Secure Staging Environment
• Development
– App created in a development environment
• Test
– App tested in a testing environment
• Staging
– Simulates production environment
• Production
– Final product
Peripherals
• Wireless keyboards
• Wireless mice
• Displays
• External storage devices
• Digital cameras
• Wi-Fi-enabled MicroSD card
• Printers and other multi-function devices (MFDs)



Hardware and Firmware Security
• Electromagnetic interference (EMI)
– Interference from various sources
• Motors
• Power lines
• Fluorescent lights
• Electromagnetic pulse (EMP)
– Short burst of electromagnetic energy
• Electrostatic discharge (ESD)
• Lightning
• Military weapons


Hardware and Firmware Security
• Full disk encryption (FDE)
– Can be a software application
• Self-encrypting drives (SED)
– Includes the hardware and software to encrypt all data on the drive
– Securely stores the encryption keys
– Typically unlocked with user credentials



Hardware and Firmware Security
• Basic Input/Output System (BIOS)
– Firmware used to start a computer
– Software stored on a hardware chip
• Unified Extensible Firmware Interface (UEFI)
– Replacement for BIOS on most newer systems
– Includes similar functions and some enhancements
• Update BIOS and UEFI by flashing

Hardware-Based Encryption
• Hardware
– TPM: Chip in motherboard (included with many laptops)
– HSM: Removable or external hardware device (purchased separately)
• Uses
– TPM: Full disk encryption (for laptops and some servers)
– HSM: High-end mission-critical servers (SSL accelerators, high availability clusters, certificate authorities)
• Authentication
– TPM: Performs platform authentication (verifies drive not moved)
– HSM: Performs application authentication (only used by authorized applications)
• Encryption keys
– TPM: Includes endorsement key (burned into chip) and storage root key; storage root key generates and protects other keys
– HSM: Stores RSA keys used in asymmetric encryption and can generate keys



Benefits of TPM and HSM
• Secure boot process
– Checks the files against stored signatures to
ensure files haven’t changed
– Attests that the files haven’t changed
– Blocks boot process if files have been modified
• Remote attestation
– Sends information on files to remote system
– Remote system verifies files haven’t changed



Benefits of TPM and HSM
• Hardware root of trust
– Known secure starting point
– TPM/HSM ships with a unique private key burned
into hardware
– Matched with public key
– Used during secure boot process



Hardware and Firmware Security
• Additional vulnerabilities
– End of life systems
• Sanitize before disposing
– Lack of vendor support
• No security updates
• No technical support
• Susceptible to security issues
Summarizing Cloud Computing
• Accessing computing resources on another system
• On-premise
– Cloud resources owned, operated, and maintained by an organization for its employees
• Hosted
– Resources rented and managed by another organization
– Typically accessed via the Internet



Summarizing Cloud Computing
• Software as a Service (SaaS)
– Applications provided over the Internet (such as web-mail
accessed with a web browser)
• Platform as a Service (PaaS)
– Provides customers with a fully managed platform
– Vendor keeps platform up-to-date
• Infrastructure as a Service (IaaS)
– Provides customers with access to hardware in a self-managed
platform
– Customers are responsible for keeping an IaaS system up to date



Summarizing Cloud Computing
• Comparing responsibilities



Understanding Cloud Computing
• Security as a service
– Any services provided via the cloud that provide security services
– Commonly viewed as a subset of Software as a
Service (SaaS)
• Cloud access security broker (CASB)
– Software tool or service
– Placed between organization’s network and the
cloud provider
Cloud Deployment Models
• Public – Available to anyone
• Private – Only available within a company
• Community – Cloud shared by two or more organizations
• Hybrid – Combination of any two models

Mobile Device Deployment Models
• Models support connecting mobile devices to
organization’s network
– Corporate-owned
– COPE (corporate-owned, personally enabled)
– BYOD (bring your own device)
• Bring your own disaster
– CYOD (choose your own device)
• Limits supported devices
• VDI (virtual desktop infrastructure)
Mobile Device Connection Methods

• Cellular
• Wi-Fi
• SATCOM
• Bluetooth
• NFC (near field communication)
• ANT
• Infrared
• USB (Universal Serial Bus)
Mobile Device Management (MDM)

• Application management
• Full device encryption
• Storage segmentation
• Content management
• Containerization
• Passwords and PINs
• Biometrics
• Screen locks
Mobile Device Management (MDM)
• Remote wipe
• Geolocation
• Geofencing
• GPS tagging
• Context-aware authentication
• Push notification services



MDM Enforcement / Monitoring
• Unauthorized software
– Third party app stores
– Rooting and jailbreaking
– Updates
– Sideloading
– SMS and MMS



MDM Enforcement / Monitoring
• Hardware control
– USB OTG cables

• Unauthorized connections
– Tethering
– Wi-Fi Direct
– Ad hoc



Embedded System
• Any device that has a dedicated function and
uses a computer system to perform that
function
– Compare to desktop PCs, laptops, and servers
• All use central processing units (CPUs), operating
systems, and applications to perform various functions
– Embedded systems
• Use CPUs, operating systems, and
one or more applications to
perform specific functions
Embedded System
• Security implications and vulnerabilities

– Keep up-to-date
• Implement patch management processes

– Avoid default configurations



Comparing Embedded Systems
• Smart devices
• Internet of things (IoT)
– Wearable technology
– Home automation
• HVAC
• SoC
• RTOS
• Printers/MFDs
• Camera systems
• Special purpose
– Medical devices
– Vehicles
– Aircraft/UAV



Protecting SCADA/ICSs
• Redundancy and diversity
• Network segmentation
• Security layers
• Application firewalls
• Manual updates
• Firmware version control
• Wrappers
Protecting Data
• Data at rest
– Any stored data
– Hard drives, mobile phones, USB flash drives, external drives, databases, and backups
• Data in transit
– Data in motion
– Any data traveling over a network



Protecting Confidentiality with Encryption
• Software-based encryption
– Full disk encryption
– Database column encryption
– File/folder encryption



File System Security
• Windows encryption
– Full disk encryption
– Database column encryption
– File/folder-level encryption
Permission Issues & Access Violations
• Principle of least privilege
– Ensures users are granted only the rights and permissions needed to perform assigned tasks or functions
– Rights identify what a user can do, such as changing the system time or rebooting a system
– Permissions define access to resources, such as being able to read or modify a file
– Rights and permissions combined are called privileges
File System Security
• Linux permissions
– Owner
– Group
– Others
– Read (r): 100 (4)
– Write (w): 010 (2)
– Execute (x): 001 (1)
File System Security
• Linux permissions
– chmod (demo)
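An added example, not from the slides or the author, that maps the r/w/x bits above to the octal digits chmod takes (r=4, w=2, x=1) and then tightens a constructed world-readable file to a least-privilege mode. It assumes ls -l and chmod as on any POSIX system; the helper names are my own.

```shell
#!/bin/sh
# Added example, not from the slides: rwx bits to octal, and least privilege
# enforced with chmod on a constructed file.
set -eu

# Convert one rwx triplet (e.g. "rw-") to its octal digit: r=4, w=2, x=1.
triplet_to_octal() {
    d=0
    case $1 in r??) d=$((d + 4)) ;; esac
    case $1 in ?w?) d=$((d + 2)) ;; esac
    case $1 in ??x) d=$((d + 1)) ;; esac
    echo "$d"
}

# Convert a full symbolic string such as "rwxr-x---" (owner, group, others)
# to a three-digit octal mode such as 750.
symbolic_to_octal() {
    s=$1
    o=$(triplet_to_octal "$(printf '%s' "$s" | cut -c1-3)")
    g=$(triplet_to_octal "$(printf '%s' "$s" | cut -c4-6)")
    w=$(triplet_to_octal "$(printf '%s' "$s" | cut -c7-9)")
    echo "$o$g$w"
}

# Read a file's current octal mode from ls -l (portable across stat flavours).
current_mode() {
    ls -l "$1" | cut -c2-10 | { read -r m; symbolic_to_octal "$m"; }
}

# Enforce least privilege: if the file's mode differs from the allowed mode,
# set it with chmod. Prints the mode after enforcement.
enforce_mode() {
    file=$1; allowed=$2
    if [ "$(current_mode "$file")" != "$allowed" ]; then
        chmod "$allowed" "$file"
    fi
    current_mode "$file"
}

# Demo on a constructed file: a private key left readable by group and others.
KEY=$(mktemp)
trap 'rm -f "$KEY"' EXIT
chmod 644 "$KEY"
echo "before: $(current_mode "$KEY")"        # 644 = rw-r--r--
echo "after:  $(enforce_mode "$KEY" 600)"    # 600 = rw-------
```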
File System Security
• Windows permissions
– Read
– Read & Execute
– Write
– Modify



Data Loss Prevention (DLP)
• Removable media

• Data exfiltration
– Unauthorized transfer of data outside an
organization

• Cloud-based DLP
– Can protect PII and PHI
Chapter 5 Summary
• Implementing secure systems

• Summarizing cloud concepts

• Deploying mobile devices securely

• Labs http://gcgapremium.com/501labs/
