Chapter 5 - Securing Hosts and Data Flashcards

Question

UEFI

Answer 1

Unified Extensible Firmware Interface, newer, used instead of BIOS. UEFI performs many of the same functions as BIOS but provides some enhancements, like booting from larger disks, and is designed to CPU-independent. Both UEFI and BIOS can be upgraded using a process called flashing which overwrites the software within the chip with newer software.

Answer 2

Trust Platform Module, is a hardware chip on the computer's motherboard that stores cryptographic keys use for encryption. It provides FDE and supports a secure boot process and remote attestation. Many laptops include them but if not, it is not feasible to add one. Once enabled, TPM provides FDE capabilities. It keeps hard drives locked or sealed until the system completes a system verification and authentication process. TPMs are shipped with a unique RSA key burned into it to be used for asymmetric encryption and support authentication. Privates key is matched with a public key to provide a HARDWARE ROOT OF TRUST or a known secure starting point. An application within the OS is used to enable a TPM, ie BitLocker with Microsoft, which can detect when any critical OS files have been tampered with. ____ TPM supports secure BOOT ATTESTATION processes by capturing signatures of key files used to boot the computer and storing the signatures securely within the TPM. When the system boots, the SECURE BOOT process checks the files against the stored signatures to confirm they haven't changed. REMOTE ATTESTATION works like the secure boot process, however, instead of checking the boot files against the report in the TPM, it uses a separate system. The TPM while have sent the signatures of the key files to a remote system, which verifies the files are the same.

Answer 3

Hardware Security Module is a security device you can add to a system to manage, generate and securely store cryptographic keys. High performing HSM's are external network appliances using TCP/IP, while smaller HSMs come as expansion cards you install within a server or devices you plug into computer ports. microSD HSM is a microSD card that includes a HSM. HSMs support the security methods of a TPM, a key difference being HSMs are removable or external devices that can generate, store and manage RSA keys used in asymmetric encryption. *Many server-based applications use an HSM to protect ketys.

Answer 4

Data Loss Prevention, refers to techniques and technologies to prevent data loss. -Blocking flash drives and removable media -Examining outgoing data *Can direct all traffic leaving the network through an appliance that can examine the traffic, where admins configure the DLP to look for certain words, phrases or strings.

Answer 5

Refers to the technologies used to provide copyright protection for copyrighted works.

Answer 6

The unauthorized transfer of data outside an organization and is a significant concern. *The primary method of protecting the confidentiality of data is through encryption and strong access controls. Database column encryption protects individual fields within a database, ie a table named "Customers" with the column "credit card number".

Answer 7

Refers to accessing computing resources via a different location than your local computer, often accessing resources through the internet or off-premises. -You use cloud computing when using web--based email like Gmail, which is a SaaS cloud computing service. You are accessing your email via the internet but you don't know the location of the physical server hosting your account. Heavily utilized systems and networks often depend on cloud computing to handle increased workloads.

Answer 8

Software as a Service - SaaS delivers software applications over the internet on a subscription basis. Users access the applications through a web browser or API without needing to install or manage any software locally. - Customers can use the software without worrying about hardware, software maintenance, or updates. -The CSP hosts and manages the software application, including infrastructure, middleware, application software, and data. -Customers only need to use the application. Example: Salesforce, Microsoft Office 365. CSP (everything): -Data -Applications -Runtime -Middleware -Operating system -Virtualization -Servers -Storage -Networking

Answer 9

Platform as a Service - PaaS provides a platform allowing customers to develop, run, and manage applications without the complexity of building and maintaining the underlying infrastructure. - Customers can focus on developing and deploying applications without worrying about hardware or software maintenance. -The CSP provides a platform with development tools, middleware, databases, and operating systems, while customers are responsible for managing applications and data. *PaaS provides customers with a fully managed platform, including hardware, operating systems, and limited applications. Example: Google App Engine, Heroku. CUSTOMER: -Data -Applications CSP: -Runtime -Middleware -Operating system -Virtualization -Servers -Storage -Networking

Answer 10

Infrastructure as a Service - In IaaS, the cloud service provider (CSP) delivers virtualized computing resources over the internet. This includes virtual machines, storage, and networking infrastructure. - Customers have control over the operating systems, applications, and middleware running on the provided infrastructure. -The CSP provides virtualized computing resources (servers, storage, networking) and infrastructure management tools, while customers are responsible for managing applications, data, runtime, and middleware. Example: AWS EC2 (Elastic Compute Cloud), Azure Virtual Machines. *IaaS provides customers with access to hardware in a self-managed platform. CUSTOMER: -Data -Applications -Runtime -Middleware -Operating system CSP: -Virtualization -Servers -Storage -Networking

Answer 11

Anything as a Service Refers to cloud-based services other than SaaS, PaaS or IaaS. XaaS includes services like communication, databases, desktops, storage, security and more. Often IT services delivered over the cloud.

Answer 12

Cloud deployment model where services are available from third party companies like Amazon, Google, Microsoft and Apple that provide similar services to anyone willing to pay for them.

Answer 13

Cloud deployment model that is set up for specific organizations, one organization. EX: Springfield Nuclear Power Plant wants to store data in the cloud but does not want to use a third party vendor, so chooses to host its owner servers and make these servers available to internal employees through the internet.

Answer 14

Two or more organizations with shared concerns (goals, security requirements, compliance considerations) share cloud resources. EX: several schools in a district and a library share educational resources within a cloud, each providing resources for the cloud that anyone can access.

Answer 15

Managed security service provider Third party vendor that provides security services for smaller companies.

Answer 16

Managed service provider Provides any IT services an organization needs.

Answer 17

-High availability -Resource policies -Secrets management -Integration and auditing Storage: -Permissions -Encryption -Replication -Virtual networks -Public and private subnets -Segmentation -Security groups -Dynamic resource allocation -Instance awareness -Virtual private cloud (VPC) endpoint -Transit gateway -Container security

Answer 18

Organization retains complete control over all the cloud-based resources, including any data stored in the on-premises cloud, Benefit: allows organizations to implement multiple security controls to protect on-prem cloud resources and cyber resilience. Also their own authentication and authorization controls, can use SSO etc. Downside: organization is responsible for maintenance of the on-prem resources

Answer 19

Primary benefit is that the CSP performs the maintenance, ensuring hardware is operational. Drawback is that the organization doesn't know where the data is stored. If stored in another country it could result in legal implications requiring the organization to comply with different laws in different countries. You can require a CSP to store in only specific countries if specified/negotiated.

Answer 20

Cloud-access security broker A software tool or service deployed between an organization's network and the cloud provider that provides security by monitoring traffic and enforcing security policies. CASB software can be on-prem or in the cloud - if on prem then it needs to be installed on each device, which can be a challenge. If in cloud then endpoint devices don't need additional software but the company needs to redirect all traffic to the cloud-based CASB solution.

Answer 21

Cloud based Data Loss Prevention This solution allows an organization to implement policies for data stored in the cloud, ie a policy to detect PII or PHI (protected health inf) stored in the cloud, which once detected can be configured to send an alert to security team and block any attempt to save the data in the cloud, quarantining the data.

Answer 22

Next-Generation Secure Web Gateway Provides proxy services for traffic from clients to internet sites, such as filtering URLs and scanning for malware. Typically a cloud-based service but can also be an onsite appliance.

Answer 23

Refers to managing and provisioning data centers with code to define VMs and virtual networks. Reduces the complexity of creating virtual objects by allowing administrators to run a script to create them.

Answer 24

Software Defined Network Uses virtualization technologies to route traffic instead of using hardware routers and switches. More cloud providers are implanting SDNs as part of an overall IaaS solution. -SDN separates the data planes and control planes within a network, ie separates the logic used to forward or block traffic (the data plane) and the logic used to identify the path to take (the control plane). -Allows organizations to move away from proprietary hardware routers with their own ACL controls -OSPF (Open Shortest Path First) and BGP (Border Gateway Protocol) are routing protocols that helps routers determine the best path to route traffic on the control plane. Routers use these protocols to share information, creating a map of the known network, and SDNs can still use these routing protocols but without the hardware routers. SDNs used attribute-based access control (ABAC) using plain language statements to create data plane policies to route traffic.

Answer 25

Software defined Visibility Refers to the technologies used to view all network traffic, used instead of security devices in cloud models.

Answer 26

The practice of storing and processing data close to the devices that generate and use the data. Non-edge solutions often store all the data in the cloud, requiring round trips to retrieve and process the data, which takes too much time for many situations. EX: adaptive cruise control in autonomous cars -Onboard processors monitor the sensors with edge computing, process the data, and slow your car down almost immediately, eliminating latency issues

Answer 27

Almost the same thing as edge computing, the primary difference is that fog computing uses a network close to the device and may have multiple nodes sensing and processing data within the fog network. In contrast, edge computing stores and processes the data on single nodes or appliances.

Answer 28

Cloud Security Alliance, a nonprofit that promotes best practices related to the cloud, created the CCM matrix, a cyber control framework.

Answer 29

Mobile device deployment model, a traditional deployment model where organization purchases devices and issues them to employees.

Answer 30

Corporate Owned, Personally Enabled. Mobile device deployment model similar to traditional corporate-owned model, with the main difference being that the employees are free to use the device as if it was their personally owned device.

Answer 31

Bring Your Own Device Mobile device deployment model where employees can bring their own device to work and attach it to the network. Employees are responsible for selecting and supporting the device, and they typically must comply with a BYOD policy when connecting the device to the network. Challenging for IT to support, monitor and manage any possible device owned by employees.

Answer 32

Choose Your Own Device To avoid the challenge of supporting any possible mobile device, some organizations create a list of acceptable devices and publish the list in a BYOD policy. Employees can purchase devices on the list and bring them to work, giving the IT dept a specific list of devices to support, monitor and manage. In CYOD, employees purchase the device, in COPE, the company does.

Answer 33

-Cellular -Wifi -Bluetooth -NFC -RFID -Infrared -USB -Point to point -Point to multipoint -Payment methods

Answer 34

Mobile Device Management Includes the technologies to manage mobile devices with the goal of having security controls in place to keep them secure. MDM concepts include: -FDE -Storage segmentation -Containerization, which allows for encryption of the container without encrypting the entire device -Passwords et al

Answer 35

Unified Endpoint Management A tyle of MDM solution sold to to manage mobile devices, to ensure they are kept up to date with current patches, antivirus, and more.

Answer 36

Sends a signal to a lost or stolen device to erase all data

Answer 37

Uses Global Positioning System (GPS) and can help locate a lost or stolen device

Answer 38

Creates a virtual fence or geographic boundary and can be used to detect when a device is within an organization's property.

Answer 39

Adds geographical data to files such as pictures

Answer 40

uses multiple elements to authenticate a user and a mobile device, such as a user's identity, geolocation, verification that the device is within a geofence, time of day, or type of device.

Answer 41

-Third party app stores -Jailbreaking = removing all software restrictions from an Apple device, allowing users to install software from any third party source. -Rooting = process of modifying an Android device to give the user root-level (admin) access to the device. Both introduce risks and vulnerabilities to a device, and MDM's will often block access to a network if this has taken place.

Answer 42

Over the air Over the air updates overwrite the operating system firmware to keep the device up to date. Overwriting the firmware on an Android device with custom firmware is another way to root an Android device.

Answer 43

The process of copying an application package in the APK (application packet kit) format to the device and then activating it. The device must be set up to allow apps from Unknown Sources, which can significantly weaken security. Sideloading is essentially downloading software on an Android device from a source other than an authorized store.

Answer 44

Rich communication services A newer communication protocol designed to replace SMS for text messaging. MMS = Multimedia Messaging Service, an extension of SMS that allows users to include multimedia content such as a picture/image/slideshow of images.

Answer 45

Universal Serial Bus On the Go USB OTG cables allow you to connect any device to your mobile device, including another mobile device. Companies may disable this using MDM tools to prevent connections to external media.

Answer 46

allows you to share one device's internet connection with other devices. Tethering and mobile hotspots allow devices to access the internet and bypass network controls. Wifi Direct is a standard that allows devices to connect without a wireless access point or wireless router. MDM tools can block access to devices using tethering, mobile hotspot, or Wifi Direct to access the internet.

Answer 47

Security Enhanced Android, a security model using SELinux to enforce access security. Operates on a default deny principle where anything not allowed by the SELinux policy is denied. When SELinyux is enabled it supports two modes: 1. Enforcing mode: enforced SELinux default deny policy. 2. Permissive mode: does not enforce SELinux policy, but it does log all activity that the policy would block if in enforcing mode. Often useful when testing SELinux policy.

Answer 48

Any device that has a dedicated function and uses a computer system to perform that function. -Desktop PCs, laptops, and servers all use CPUs and OS's, and applications to perform various functions --> Similarly, embedded systems use CPUs, OSs, and one or more applications to perform multiple functions. EX: a wireless multifunction printer (MFP) uses an embedded system typically. Is runs a website that you can access wireless to configure the printer. Many include faxing capabilities and can send documents via email.

Answer 49

Field Programmable Gate Array An FGPA is a programmable integrated circuit (IC) installed on a circuit board that starts off without any configuration or program, but when turned on, transfers a configuration program from a configuration memory chip or an external processor. The memory chip is non-volatile flash memory, allowing it to retain the programming even without power. It's also possible to re-write the configuration stored on the memory chip, effectively changing the function of the FPGA the next time the device is turned on. Thee external processor can send a different configuration to the FPGA each time it's turned on.

Answer 50

Arduino is a microcontroller board, and the circuit board contains the CPU, random access memory (RAM), and read-only memory (ROM). Doesn't need an OS to run but instead uses firmware, and is often used for simple repetitive tasks like monitoring the temperature and showing the results in a liquid crystal display (LCD).

Answer 51

A microprocessor-based mini-computer that uses the Rasp Pi OS to run. Has more extensive capabilities than Arduino. Instead of just monitoring and displaying the temperature the Rasp Pi system can send signals to a HVAC system to control the temperature.

Answer 52

The Internet of Things refers to a wide assortment of technologies that interact with the physical world, and commonly have embedded systems and typically connect to a central device or app that communicates via the internet, bluetooth or other wireless technologies. -Many have sensors used to monitor the environment such as temperature and humidity. -Can be used in facility automation, such as motion-controlled lighting, security cameras and recorders, fire detection and suppression systems and more. -Many automobiles use embedded systems and IoT devices to control the operation of an automobile EX: cars regularly update themselves with over the air updates. Manufacturers could decide to integrate all the embedded systems in an automobile making them all accessible via the internet and accessible by attackers.

Answer 53

Industrial Control Systems is a broad term that typically refers to systems with large facilities such as power plants or water treatment facilities The term often encompasses SCADA systems, distributed control systems, and programmable logic control (PLC) systems. These systems are widely used in power generation, chemical processing, and telecom industries. EX: ICS systems maintain the proper pressure in natural gas lines delivering gas to homes and businesses. If this pressure is too high it can cause natural gas to build up, causing explosions and fires.

Answer 54

Supervisory Control and Data Acquisition system, typically controls an ICS by monitoring it and sending it commands. Ideally these systems are protected with isolated networks that can't access the internet, thereby making it so attackers on the internet can't access SCADA systems or an ICS. Some SCADA systems and ICSs are connected to the corporate network. However, they are typically placed within an isolated virtual local area network (VLAN) and the VLAN is protected by a network intrusion prevention system (NIPS) to block unwanted traffic.

Answer 55

System on a chip, is an integrated circuit that includes all functionality of a computing system within the hardware. Typically includes an application contained within onboard memory, such as ROM, electrically erasable programmable ROM (EEPROM), or flash memory. Many mobile computing devices uses a SoC.

Answer 56

Real time operating system, is an OS that reacts to inputs within a specific time. If it can't respond within the specific time it doesn't process the data and typically reports an error. EX: stopping an assembly line making donuts, each step has a RTOS, if material isn't processed correctly the whole process stops.

Answer 57

-Keeping them up to date with security fixes. Embedded systems vendors are not as aggressive in identifying vulnerabilities and creating patches vs software vendors. -Patch management is a routine function of IT admins, but regular users don't think about patching their refrigerator. -When embedded systems are deployed with default configurations, ie a home security system with default username and password, if attackers discover the camera they can access them over the internet and exploit any vulnerability.

Answer 58

-Compute. Because they are physically small they don't have full CPUs. -Cryptography. With limited processing power, embedded systems can't use all cryptographic protocols. Designers may sacrifice security by not encrypting data, which can create vulnerabilities. -Power. Embedded devices don't have their own power supplies but instead use power from a parent device, or batteries. This results in conflict with the computing capabilities - stronger computing ability draws more power and requires batteries to be replaced more often. -Range -Authentication -Network -Cost -Inability to patch -Implied trust -Weak defaults

Answer 59

You have several choices when deciding which communication methods to use for embedded systems or IoT devices, such as: - 5G: can reach peak speeds significantly higher than 4G, allow faster data transfer. However there are lots of variabilities related to the actual speeds of each. 5G unfortunately has limited range of 1,000 feet vs 10 miles of 4G. It needs a huge boost in infrastructure to support 5G towers and antennas. Their signals can also be blocked by physical barriers like trees and walls. -Narrow band: these signals have a very narrow frequency range, commonly use in 2 way radio systems like walkie talkies. Commonly used on construction sites. -Baseband radio: these radio signals include frequencies that are very near zero. Typically used when transferring data over a cable rather than over air. -SIM cards (subscribed identity module): mobile devices with internet capabilites use SIM cards to connect with a cell provider. It has a unique serial number. A user pays a subascription fee for access and the cell provider grants access as long as the SIM card serial number matches a valid account. Different countries have different SIM card standards so you need to make sure it's compatible in the country where the embedded system or IoT device is, -Zigbee: a suite of communication protocols used for smaller networks, such as within a home for home automation. Designed to be simpler and cheaper than other wireless protocols like bluetooth and traditional wireless networks. Relatively low data range and low power consumption, with Zigbee devices often having battery life of 2+ years. Also supports strong security including data encryption.