Section 7: Supply Chain Management

Question 1

What should you do when getting a new vendor?

Answer 1

Due Diligence

Question 2

What is Due Diligence?

Answer 2

A legal principle identifying a subject has used best practice or reasonable care when setting up, configuring, and maintaining a system

Question 3

What does Due Diligence include?

Answer 3

• Properly resourced cybersecurity program
• Security assurance and risk management processes in place
• Product support life cycle
• Security controls for confidential data
• Incident response and forensics assistance
• General and historical company information
  
  • financials

Question 4

Should Due Diligence apply to all suppliers and contractors?

Answer 4

Yes

Question 5

What is Trusted Foundry?

Answer 5

A microprocessor manufacturing utility that is part of a validated supply chain (one where hardware and software does not deviate from its documented function)

Question 6

Who is the Trusted Foundry Program operated by?

Answer 6

Department of Defence (DoD)

Question 7

What does the Trusted Foundry do?

Answer 7

It ensures that microprocessors in the supply chain are secure and are run by the department of defence

Question 8

What is Hardware Source Authenticity?

Answer 8

Process of ensuring that the hardware is procured tamper-free from trustworthy suppliers

• A router for example, do you buy it from CISCO directly? one of their suppliers? or Ebay?
• depending on what you do, it will be more or less trustworthy

Question 9

Does obtaining Counterfeit & Compromised devices purchased from second-hand or aftermarket sources result in greater risk?

Answer 9

Yes

Question 10

What is a Hardware Root of Trust (ROT)?

Answer 10

A cryptographic module embedded within a computer system that can endorse trusted execution and attest to boot settings and metrics

Question 11

Is Trusted Platform Module a Root of Trust?

Answer 11

Yes

Question 12

What is a Hardware Root of Trust used for?

Answer 12

To scan the boot metrics and OS to verify their signatures, which we can then use to sign a digital report

• essentially a digital certificate
• embedded inside your processor or firmware

Question 13

Which is the most common form of ROT?

Answer 13

TPM - Trusted Platform Module (on motherboard)

• A specification for hardware-based storage of digital certificates, keys, hashed passwords, and other user and platform identification information

Question 14

What are the TPM’s functions?

Answer 14

1. Provide Secure I/O
   - random number generator
   - RSA key generator
   - SHA-1 hash generator
   - encryption-decryption-signature engine
2. Persistent Memory
   - Endorsement Key (EK)
   - Storage Root Key (SRK)
3. Versatile Memory
   - Platform Configuration Registers (PCR)
   - Attestation Identity Keys (AIK)
   - Storage Keys

Question 15

Remember for the exam!

Answer 15

The trusted platform module is the part of your system that allows you to have the ability that when you boot up you are doing so securely and you can take those reports and digitally sign them using TPM

Question 16

Where else is TPM also used?

Answer 16

Full Disk Encryption

• BitLocker uses TPM and the key inside TPM

Question 17

TPM can be managed in Windows via

Answer 17

tpm.msc or group policy

Question 18

What is a Hardware Security Module (HSM)

Answer 18

An appliance for generating and storing cryptographic keys that is less susceptible to tampering and insider threats than software-based storage

Question 19

What are the different ways to create an HSM?

Answer 19

1. internal card
2. IoT solution

Question 20

What is the advantage of using a Hardware Security Module (HSM)?

Answer 20

Automated, and that means that the keys cannot be compromised by human involvement

Question 21

What does anti-tamper mean?

Answer 21

Methods that make it difficult for an attacker to alter the authorised execution of software
- e.g.
-pill bottle has a seal on top, if removed cannot be put back
- shows if someone has been there

Question 22

What are 2 common anti-tamper mechanisms?

Answer 22

1. Field Programmable Gate Array (FPGA)
2. Physically Un-cloneable Function (PUF)

• could be used and designed inside your systems
• if tampered with, these will zero out your cryptographic key which then it automatically wipes the system on that information, making you know, that it has been tampered with

Question 23

What does a firmware exploit do?

Answer 23

Gives an attacker an opportunity to run any code at the highest level of CPU privilege

• BIOS or UEFI

Question 24

What are some trusted firmwares?

Answer 24

1. UEFI - Unified Extensive Firmware Interface
2. Secure Boot
3. Measured Boot
4. Attestation
5. eFUSE
6. Trusted Firmware Updates
7. Self-Encrypting Drives

Question 25

What is a Unified Extensive Firmware Interface (UEFI)?

Answer 25

Type of system firmware providing support for 64-bit CPU operation at boot, full GUI and mouse operation at boot, and better boot security

Question 26

What is Secure Boot?

Answer 26

Feature of UEFI that prevents unwanted processes from executing during the boot operation - makes sure digital signatures are present from authorised vendors - if windows are not signed it will not boot - prevents loading of malware

Question 27

What is Measured Boot?

Answer 27

A UEFI feature that gathers secure metrics to validate the boot process in an attestation report - how much process does it take to do a certain task - takes the data, creates a report, and attests to it

Question 28

What is Attestation?

Answer 28

A claim that the data presented in the report is valid by digitally signing it using the TPM's private key - UEFI takes this report, signs it with the digital key and sends it to the OS and CPU

Question 29

What is eFUSE?

Answer 29

A means for software or firmware to permanently alter the state of a transistor on a computer chip - electronic fuse - uses one time programming to seal cryptographic keys during firmware development - if someone messes with it, it blows the fuse making it no longer trusted

Question 30

What is a Trusted Firmware Update?

Answer 30

A firmware update that is digitally signed by the vendor and trusted by the system before installation

Question 31

What is a Self-Encrypting Drive?

Answer 31

A disk drive where the controller can automatically encrypt the data that is written to it - a software on a chip - does the encryption when the data is written on them - does the decryption when the data is being read from the drive

Question 32

What is Secure Processing?

Answer 32

A mechanism for ensuring the confidentiality, integrity, and availability of software code and data as it is executed in volatile memory

Question 33

What are 5 ways of secure processing?

Answer 33

1. Processor Security Extensions 2. Trusted Execution 3. Secure Enclave 4. Atomic Execution 5. Bus Encryption

Question 34

What are Processor Security Extensions?

Answer 34

Low-level CPU changes and instructions that enable secure processing

Question 35

Processor Security Extensions for AMD

Answer 35

1. Secure Memory Encryption (SME) 2. Secure Encrypted Virtualisation (SEV)

Question 36

Processor Security Extensions for INTEL

Answer 36

1. Trusted Execution Technology (TXT) 2. Software Guard Extensions (SGX)

Question 37

What is Trusted Execution?

Answer 37

The CPU's security extensions invoke a TPM and secure boot attestation to ensure that a trusted operating system is running

Question 38

What is a Secure Enclave?

Answer 38

The extensions allow a trusted process to create an encrypted container for sensitive data - prevents buffer overflow attacks - can store encryption keys and other sensitive data inside the secure enclave

Question 39

What is an Atomic Execution?

Answer 39

Certain operations that should only be performed once or not at all, such as initialising a memory location - prevents buffer overflows - prevents race conditions

Question 40

What is a Bus Encryption?

Answer 40

Data is encrypted by an application prior to being placed on the data bus - ensure that the device at the end of the bus is trusted to decrypt the data

Question 41

What is HDCP?

Answer 41

An example is if you get unauthorised HDCP it means that your bus encryption failed. -This is in place to stop copyrights