Installation and Deployment Flashcards
According to ITIL, the goal of configuration management is
To enable the control of the infrastructure by monitoring and maintaining information on all the resources that are necessary to deliver services.
Some of the necessary pre- and post-installation configuration management security considerations include:
Hardening; Environment Configuration; Release Management; Bootstrapping and Secure Startup.
Hardening includes the processes of
Locking down a system to the most restrictive level so that it is secure.
Hardening is effective in its
Defense against vulnerabilities that result from insecure, incorrect, or default system configurations.
A MSB are set up to comply with
Minimum Security Baseline are set up to comply with the organizational security policies and help in
supporting the organization’s risk management efforts.
Hardening of software involves
The setting the necessary and correct configuration settings and architecting the software to be secure by default.
Some of the common examples of security misconfigurations include:
Hard coding credentials and cryptographic keys inline code or in configuration files in cleartext; Not disabling the listing of directories and files in a web server; Installation of software with default accounts and settings; Installation of the administrative console with default configuration settings; Installation or configuration of unneeded services, ports and
protocols, unused pages, and unprotected files and directories; Missing software patches; Lack of perimeter and host defensive controls such as firewalls, filters, etc; Enabling tracing and debugging can lead to attacks on confidentiality assurance.
Examples of software hardening (code centric) include:
Removal of maintenance hooks before deployment; Removal of debugging code and flags in code; Modifying the instrumentation of code to not contain any sensitive information.
Hardening is a very important process in the which phase of software development
Hardening is a very important process in the installation phase of software development and proper attention must be given to it.
In order for the software to function, it is granted administrative rights when installed. Which security principles are violated.
Least privilege (granted administrative rights); defense in depth (enabling disabled services, ports and protocols); separation of duties (when operations personnel allow developers access to production systems to install software)
Additional configuration considerations include:
Test and default accounts need to be turned off; Unnecessary and unused services need to be removed in all environments; Access rights need to be denied by default and granted explicitly even in development and test environments.
Release management is the process of
ensuring that all changes that are made to the
computing environment are planned, documented, thoroughly tested and deployed with least privilege, without negatively impacting any existing business operations, customers, end-users or user support teams.
To manage software configuration management properly, one of the first things to do is to
To document and maintain the configuration information in a formal and structured manner.
The implementation, documentation, tests, project related documentation, tools including build tools are maintained in a configuration management system (CMS) required by stardard
ISO/IEC 15408 (Common Criteria)
Booting or bootstrapping
The sequences of events and processes that self-start the system to a preset state.
Booting processes in general are also sometimes referred to as
The Initial Program Load (IPL).
POST
Power-on self-test is the first step in an IPL.
POST is an event that needs to be protected from
Being tampered.
How to ensure that there is no information disclosure from the memory.
The BIOS can perform what is known as a destructive memory check during POST.
Secure startup
All the processes and mechanism that assure the
environment’s TCB integrity when the system or software running on the system starts.
TPM
Trusted Platform Module - it provides heightened tamperproof data protection during startup.
The TPM chip can be used for
storing cryptographic keys and provide identification information from mobile devices for authentication and access management.
How to determine the integrity of the system’s bootstrapping process.
TPM fingerprint
Cold boot attack
The system shutdown and bootstrapping process can
be circumvented and sensitive information can be disclosed.
