Security Vulnerabilities, Threats, and Countermeasures Flashcards

1
Q

Understand shared responsibility

A

The security design principle indicates that organizations do not operate in isolation. It is because we participate in shared responsibility that we must research, implement, and manage engineering processes using secure design principles.

2
Q

Be able to explain the differences between multitasking, multicore, multiprocessing, multiprogramming, and multithreading

A

Multitasking is the simultaneous execution of more than one application on a computer and is managed by the OS. Multicore is the presence of multiple execution cores in a single CPU. Multiprocessing is the use of more than one processor to increase computing power. Multiprogramming is similar to multitasking and involves the pseudo-simultaneous execution of two tasks on a single processor coordinated by the OS as a way to increase operational efficiency. Multithreading permits multiple concurrent tasks to be performed within a single process.

3
Q

Understand the concept of protection rings

A

From a security standpoint, protection rings organize code and components in an OS into concentric rings. The deeper inside the circle you go, the higher the privilege level associated with the code that occupies a specific ring.

4
Q

Know the process states

A

The process states are ready, running, waiting, supervisory, and stopped.

5
Q

Explain the two layered operating modes used by most modern processors

A

User applications operate in a limited instruction set environment known as user mode. The OS performs controlled operations in privileged mode, also known as system mode, kernel mode, and supervisory mode.

6
Q

Describe the different types of memory used by a computer

A

ROM is nonvolatile and can’t be written to by the end user. Data can be written to PROM chips only once. EPROM/UVEPROM chips may be erased with ultraviolet light. EEPROM chips may be erased with electrical current. RAM chips are volatile and lose their contents when the computer is powered off.

7
Q

Know the security issues surrounding memory components

A

Some security issues surround memory components: the fact that data may remain on the chip after power is removed and the control of access to memory in a multiuser system.

8
Q

Know the concepts of memory addressing

A

Means of memory addressing include register addressing, immediate addressing, direct addressing, indirect addressing, and base+offset addressing.

9
Q

Describe the different characteristics of storage devices used by computers

A

Primary storage is the same as memory. Secondary storage consists of magnetic, flash, and optical media that must be first read into primary memory before the CPU can use the data. Random access storage devices can be read at any point, whereas sequential access devices require scanning through all the data physically stored before the desired location.

10
Q

Understand the variations of storage types

A

The variations include primary versus secondary, volatile versus nonvolatile, and random versus sequential.

11
Q

Know the security issues surrounding secondary storage devices

A

Three main security issues surround secondary storage devices: removable media can be used to steal data, access controls and encryption must be applied to protect data, and data can remain on the media even after file deletion or media formatting.

12
Q

Know about emanation security

A

Many electrical devices emanate electrical signals or radiation that can be intercepted by unauthorized individuals. These signals may contain confidential, sensitive, or private data. TEMPEST countermeasures to Van Eck phreaking (i.e., eavesdropping) include Faraday cages, white noise, control zones, and shielding.

13
Q

Understand security risks that input and output devices can pose

A

Input/output devices can be subject to eavesdropping, tapping, and shoulder surfing; they can also be used to smuggle data out of an organization or to create unauthorized, insecure points of entry into an organization’s systems and networks. Be prepared to recognize and mitigate such vulnerabilities.

14
Q

Know the purpose of firmware

A

Firmware is software stored on a ROM chip. At the computer level, it contains the basic instructions needed to start a computer. Firmware is also used to provide operating instructions in peripheral devices such as printers. Examples include BIOS and UEFI.

15
Q

Be aware of JavaScript concerns

A

JavaScript is the most widely used scripting language in the world and is embedded into HTML documents. Whenever you allow code from an unknown and thus untrusted source to execute on your system, you are putting your system at risk of compromise.

16
Q

Know about large-scale parallel data systems

A

Systems designed to perform numerous calculations simultaneously include SMP, AMP, and MPP. Grid computing is a form of parallel distributed processing that loosely groups a significant number of processing nodes to work toward a specific processing goal. Peer-to-peer (P2P) technologies are networking and distributed application solutions that share tasks and workloads among peers.

17
Q

Be able to define ICS

A

An industrial control system (ICS) is a form of computer-management device that controls industrial processes and machines (aka operational technology). ICS examples include distributed control systems (DCSs), programmable logic controllers (PLCs), and supervisory control and data acquisition (SCADA).

18
Q

Be aware of distributed systems

A

A distributed system or a distributed computing environment (DCE) is a collection of individual systems that work together to support a resource or provide a service. The primary security concern is the interconnectedness of the components.

19
Q

Understand blockchain

A

A blockchain is a collection or ledger of records, transactions, operations, or other events that are verified using hashing, timestamps, and transaction data.

20
Q

Understand data sovereignty

A

Data sovereignty is the concept that, once information has been converted into a binary form and stored as digital files, it is subject to the laws of the country within which the storage device resides.

21
Q

Understand smart devices

A

Smart devices are devices that offer the user a plethora of customization options, typically through installing apps, and may take advantage of on-device or in-the-cloud machine learning (ML) processing.

22
Q

Be able to define IoT

A

The Internet of Things (IoT) is a class of devices that are internet-connected in order to provide automation, remote control, or AI processing to appliances or devices. The security issues related to IoT often relate to access and encryption.

23
Q

Be able to define IIoT

A

Industrial Internet of Things (IIoT) is a derivative of IoT that focuses on industrial, engineering, manufacturing, or infrastructure level oversight, automation, management, and sensing. IIoT is an evolution of ICS and DCS that integrates cloud services to perform data collection, analysis, optimization, and automation.

24
Q

Be aware of specialized devices

A

Specialized equipment is anything designed for one specific purpose, to be used by a specific type of organization, or to perform a specific function. It may be considered a type of DCS, IoT, smart device, endpoint device, or edge computing system. Some common examples of specialized devices are medical equipment, smart vehicles, autonomous aircraft, and smart meters.

25
Q

Be able to define SOA

A

Service-oriented architecture (SOA) constructs new applications or functions out of existing but separate and distinct software services. The resulting application is often new; thus, its security issues are unknown, untested, and unprotected. A derivative of SOA is microservices.

26
Q

Understand microservices

A

A microservice is simply one element, feature, capability, business logic, or function of a web application that can be called upon or used by other web applications. It is the conversion or transformation of a capability of one web application into a microservice that can be called upon by numerous other web applications. It allows large complex solutions to be broken into smaller self-contained functions.

27
Q

Be able to define IaC

A

Infrastructure as code (IaC) is a change in how hardware management is perceived and handled. Instead of seeing hardware configuration as a manual, direct hands-on, one-on-one administration hassle, it is viewed as just another collection of elements to be managed in the same way that software and code are managed under DevSecOps (development, security, and operations).

28
Q

Understand hypervisors

A

The hypervisor, also known as the virtual machine monitor/manager (VMM), is the component of virtualization that creates, manages, and operates virtual machines.

29
Q

Know about the type I hypervisor

A

A type I hypervisor is a native or bare-metal hypervisor. In this configuration, there is no host OS; instead, the hypervisor installs directly onto the hardware where the host OS would normally reside.

30
Q

Know about the type II hypervisor

A

A type II hypervisor is a hosted hypervisor. In this configuration, a standard regular OS is present on the hardware, and the hypervisor is then installed as another software application.

31
Q

Be aware of VM escaping

A

VM escaping occurs when software within a guest OS is able to breach the isolation protection provided by the hypervisor in order to violate the container of other guest OSs or to infiltrate a host OS.

32
Q

Understand virtual software

A

A virtual application or virtual software is a software product deployed in such a way that it is fooled into believing it is interacting with a full host OS. A virtual (or virtualized) application has been packaged or encapsulated so that it can execute but operate without full access to the host OS. A virtual application is isolated from the host OS so that it cannot make any direct or permanent changes to the host OS.

33
Q

Know virtual networking

A

A virtualized network or network virtualization is the combination of hardware and software networking components into a single integrated entity. The resulting solution allows for software control over all network functions: management, traffic shaping, address assignment, and so on.

34
Q

Know about SDx

A

Software-defined everything (SDx) refers to a trend of replacing hardware with software using virtualization. SDx includes virtualization, virtualized software, virtual networking, containerization, serverless architecture, infrastructure as code, SDN, VSAN, software-defined storage (SDS), VDI, VMI, SDV, and software-defined data center (SDDC).

35
Q

Know about VDI and VMI

A

Virtual desktop infrastructure (VDI) is a means to reduce the security risk and performance requirements of end devices by hosting desktop/workstation OS virtual machines on central servers that are remotely accessed by users. Virtual mobile infrastructure (VMI) is where the OS of a mobile device is virtualized on a central server.

36
Q

Be aware of SDV

A

Software-defined visibility (SDV) is a framework to automate the processes of network monitoring and response. The goal is to enable the analysis of every packet and make deep intelligence-based decisions on forwarding, dropping, or otherwise responding to threats.

37
Q

Understand SDDC

A

Software-defined data center (SDDC) or virtual data center (VDC) is the concept of replacing physical IT elements with solutions provided virtually, and often by an external third party, such as a cloud service provider (CSP).

38
Q

Be aware of XaaS

A

Anything as a service (XaaS) is the catchall term to refer to any type of computing service or capability that can be provided to customers through or over a cloud solution. Examples are SECaaS, IPaaS, FaaS, ITaaS, and MaaS.

39
Q

Know some of the security issues of virtualization

A

Virtualization doesn’t lessen the security management requirements of an OS. Thus, patch management is still essential. It’s important to protect the stability of the host. Organizations should maintain backups of their virtual assets. Virtualized systems should be security tested. VM sprawl occurs when an organization deploys numerous virtual machines without an overarching IT management or security plan in place.

40
Q

Understand containerization

A

Containerization or OS virtualization is based on the concept of eliminating the duplication of OS elements in a virtual machine. Each application is placed into a container that includes only the actual resources needed to support the enclosed application, and the common or shared OS elements are then part of the hypervisor.

41
Q

Know about serverless architecture

A

Serverless architecture is a cloud computing concept where code is managed by the customer and the platform (i.e., supporting hardware and software) or server is managed by the cloud service provider (CSP). There is always a physical server running the code, but this execution model allows the software designer/architect/programmer/developer to focus on the logic of their code and not have to be concerned about the parameters or limitations of a specific server. This is also known as function as a service (FaaS).

42
Q

Understand embedded systems

A

An embedded system is typically designed around a limited set of specific functions in relation to the larger product to which it is attached.

43
Q

Be aware of microcontrollers

A

A microcontroller is similar to but less complex than a system on a chip (SoC). A microcontroller may be a component of an SoC. A microcontroller is a small computer consisting of a CPU (with one or more cores), memory, various input/output capabilities, RAM, and often nonvolatile storage in the form of flash or ROM/PROM/EEPROM. Examples include Raspberry Pi, Arduino, and FPGA.

44
Q

Know about static systems/environments

A

Static systems/environments are applications, OSs, hardware sets, or networks that are configured for a specific need, capability, or function, and then set to remain unaltered.

45
Q

Be aware of network-enabled devices

A

Network-enabled devices are any type of portable or nonportable device that has native network capabilities. Network-enabled devices may be embedded systems or used to create embedded systems. Network-enabled devices are also often static systems.

46
Q

Know about cyber-physical systems

A

Cyber-physical systems refer to devices that offer a computational means to control something in the physical world. In the past these might have been referred to as embedded systems, but the category of cyber-physical seems to focus more on the physical world results rather than the computational aspects.

47
Q

Understand embedded systems and static environment security concerns

A

Static environments, embedded systems, network-enabled devices, cyber-physical systems, HPC systems, edge computing devices, fog computing devices, mobile devices, and other limited or single-purpose computing environments need security management. These techniques may include network segmentation, security layers, application firewalls, manual updates, firmware version control, wrappers, and control redundancy and diversity.

48
Q

Know about HPC systems

A

High-performance computing (HPC) systems are computing platforms designed to perform complex calculations or data manipulations at extremely high speeds. Supercomputers and MPP solutions are common examples of HPC systems.

49
Q

Be aware of RTOS

A

A real-time operating system (RTOS) is designed to process or handle data as it arrives on the system with minimal latency or delay. An RTOS is usually stored on read-only memory (ROM) and is designed to operate in a hard real-time or soft real-time condition.

50
Q

Understand edge computing

A

Edge computing is a philosophy of network design where data and the compute resources are located as close as possible in order to optimize bandwidth use while minimizing latency. In edge computing, the intelligence and processing are contained within each device. Thus, rather than having to send data off to a master processing entity, each device can process its own data locally.

51
Q

Know about fog computing

A

Fog computing is another example of an advanced computation architecture, and it is often used as an element in an IIoT deployment. Fog computing relies upon sensors, IoT devices, or even edge computing devices to collect data and then transfer it back to a central location for processing. Thus, intelligence and processing are centralized.

52
Q

Understand mobile device security

A

Personal electronic device (PED) security features can often be managed using a mobile device management (MDM) or unified endpoint management (UEM) solution. These include device authentication, full-device encryption, communication protection, remote wiping, device lockout, screen locks, GPS and location services management, content management, application control, push notification management, third-party application store control, storage segmentation, asset tracking and inventory control, removable storage, management of connection methods, disabling of unused features, rooting/jailbreaking, sideloading, custom firmware, carrier unlocking, firmware OTA updates, key management, credential management, and text messaging security.

53
Q

Understand mobile device deployment policies

A

A number of deployment models are available for allowing and/or providing mobile devices for employees to use while at work and to perform work tasks when away from the office. Examples include BYOD, COPE, CYOD, and COMS/COBO. You should also consider VDI and VMI options.

54
Q

Be aware of mobile device deployment policy details

A

A mobile device deployment policy should address data ownership, support ownership, patch and update management, security product management, forensics, privacy, onboarding/offboarding, adherence to corporate policies, user acceptance, architecture/infrastructure considerations, legal concerns, acceptable use policies, onboard cameras/video, recording microphone, Wi-Fi Direct, tethering and hotspots, and contactless payment methods.

55
Q

Understand process isolation

A

Process isolation requires that the OS provide separate memory spaces for each process’s instructions and data. It also requires that the OS enforce those boundaries, preventing one process from reading or writing data that belongs to another process.

56
Q

Be aware of hardware segmentation

A

Hardware segmentation is similar to process isolation in purpose—it prevents the access of information that belongs to a different process/security level. The main difference is that hardware segmentation enforces these requirements through the use of physical hardware controls rather than the logical process isolation controls imposed by an OS.

57
Q

Understand the need for system security policy

A

The role of a system security policy is to inform and guide the design, development, implementation, testing, and maintenance of a particular system. Thus, this kind of security policy tightly targets a single implementation effort.

58
Q

Be able to explain what covert channels are

A

A covert channel is a method that is used to pass information over a path that is not normally used for communication. Using a covert channel provides a means to violate, bypass, or circumvent a security policy undetected. Basic types are timing and storage.

59
Q

Know about vulnerabilities due to design and coding flaws

A

Certain attacks may result from poor design techniques, questionable implementation practices and procedures, or poor or inadequate testing. Some attacks may result from deliberate design decisions when special points of entry, built into code to circumvent access controls, login, or other security checks often added to code while under development, are not removed when that code is put into production. Poor coding practices and lack of security consideration are common sources or causes of vulnerabilities of system architectures that can be attributed to failures in design, implementation, prerelease code cleanup, or out-and-out coding mistakes.

60
Q

Be aware of rootkits

A

A rootkit is malware that embeds itself deep within an OS. The term is a derivative of the concept of rooting and a utility kit of hacking tools. Rooting is gaining total or full control over a system.

61
Q

Know about incremental attacks

A

Some forms of attack occur in slow, gradual increments rather than through obvious or recognizable attempts to compromise system security or integrity. Two such forms of attack are data diddling and the salami attack.