GCGA Ch. 5 Implementing Secure Systems (ST) Flashcards
(12 cards)
Endpoints
computing devices such as servers, desktops, laptops, mobile devices, or Internet of Things (IoT) devices.
EDR
Endpoint detection and response (EDR) provides continuous monitoring of endpoints. Extended detection and response (XDR) includes other types of devices and systems.
Hardening
the practice of making an operating system or application more secure from its default installation.
Configuration management practices
help organizations deploy systems with secure configurations. A master image, typically built from a template or other baseline, provides a secure starting point for new systems. Integrity measurement tools record a baseline (for example, file hashes) and detect when a system deviates from it.
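The following is an added example (not from the GCGA book or these cards) of the integrity measurement idea: hash every file under a baseline directory, store the hashes, and later report which files were added, removed, or modified. The directory layout, file names, and contents are constructed for the demo; real tools do the same over the full operating system and persist the baseline to protected storage.

```python
"""Minimal file-integrity baseline check (added example, constructed data)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root) -> dict:
    """Map each regular file (relative POSIX path) under root to its SHA-256 hash."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_to_baseline(baseline: dict, current: dict) -> dict:
    """Report drift between a stored baseline and a fresh measurement."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        path for path in baseline.keys() & current.keys()
        if baseline[path] != current[path]
    )
    return {
        "added": added,
        "removed": removed,
        "modified": modified,
        "clean": not (added or removed or modified),
    }


def demo() -> dict:
    """Build a hypothetical image, measure it, introduce drift, and re-measure."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed "golden image" contents (hypothetical paths and settings).
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text(
            "PermitRootLogin no\nPasswordAuthentication no\n")
        (root / "etc" / "motd").write_text("Authorized use only\n")
        (root / "bin").mkdir()
        (root / "bin" / "agent").write_bytes(b"\x7fELF-stub-agent")

        baseline = build_baseline(root)
        # An unchanged system measures clean.
        if not compare_to_baseline(baseline, build_baseline(root))["clean"]:
            raise RuntimeError("fresh image should match its own baseline")

        # Simulated drift: a hardening setting weakened, a file deleted,
        # and an unknown binary dropped into bin/.
        (root / "etc" / "sshd_config").write_text(
            "PermitRootLogin yes\nPasswordAuthentication yes\n")
        (root / "etc" / "motd").unlink()
        (root / "bin" / "cryptominer").write_bytes(b"\x7fELF-stub-unknown")

        return compare_to_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline dictionary would be written out (for example as JSON) and signed or stored somewhere the monitored host cannot alter it; otherwise an attacker who modifies a file can also update its recorded hash.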
Patch management procedures
ensure operating systems, applications, and firmware are kept up to date with current patches. This ensures they are protected against known vulnerabilities.
Change management policies
define the process for requesting, reviewing, and approving changes, and help reduce unintended outages caused by changes. Application allow lists and block lists control which software can run: an allow list identifies authorized software and blocks everything else (default deny), while a block list blocks specific unauthorized software and allows everything else to run (default allow).
Full disk encryption (FDE)
encrypts an entire disk. A self-encrypting drive (SED) has the encryption circuitry built into the drive itself, so the data is encrypted and decrypted by the drive rather than by the operating system.
TPM
A Trusted Platform Module (TPM) is a chip included with many desktops, laptops, and some mobile devices. It supports full disk encryption, a secure boot process, and remote attestation. Each TPM has a unique key burned into it at manufacture, which is why it can provide a hardware root of trust.
HSM
A hardware security module (HSM) is a removable or external device used for cryptographic operations. An HSM generates and stores encryption keys (for example, RSA key pairs) so that private keys never leave the device, and it can be integrated with servers to provide hardware-based encryption. A microSD HSM is a microSD card with an HSM built onto it.
Protecting confidentiality
The primary methods of protecting the confidentiality of data are encryption and strong access controls. File system security includes encrypting individual files and folders.
Database encryption methods
You can encrypt individual columns in a database (such as credit card numbers), entire databases, individual files, entire disks, and removable media.
DLP
Data loss prevention (DLP) techniques and technologies help prevent data loss. They can block transfers of data to USB devices and analyze outgoing data, such as email, to detect and stop unauthorized transfers of sensitive data.
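An added example (not from the book or these cards) of the content-inspection side of DLP: scan an outgoing message for credit card numbers and decide whether to allow or block it. A pattern match alone produces false positives on order numbers and other long digit strings, so each candidate is validated with the Luhn checksum, and only the last four digits are kept in the report. The sample messages and the block/allow policy are constructed for the demo.

```python
"""Outbound content check for card numbers (added example, constructed data)."""
import re

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded
# inside a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return masked card numbers ('****1111') that pass the Luhn check."""
    hits = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append("*" * (len(digits) - 4) + digits[-4:])
    return hits


def scan_message(message: str) -> dict:
    """Hypothetical policy: block any outbound message containing a valid PAN."""
    findings = find_card_numbers(message)
    return {"verdict": "block" if findings else "allow", "findings": findings}


# Constructed sample messages (hypothetical content).
SAMPLE_MESSAGES = {
    "customer_card": "Hi, please charge card 4111 1111 1111 1111, exp 09/27. Thanks!",
    "order_update":  "Your order 1234567812345678 shipped today.",   # fails Luhn
    "typo_card":     "Card on file is 4111-1111-1111-1112.",         # fails Luhn
    "plain":         "Meeting moved to 3pm, room 204.",
}


def run_demo() -> dict:
    """Scan every sample message and return name -> verdict."""
    return {name: scan_message(body)["verdict"] for name, body in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        print(f"{name:14} {scan_message(body)}")
```

Production DLP engines add context (sender, recipient domain, attachment type), fingerprinting of known documents, and exact-match lists; the Luhn step shown here is the usual first filter that separates real card numbers from look-alike digit strings.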
Data exfiltration
the unauthorized transfer of data outside an organization.