Ch7 - Implementing System Security Flashcards

1
Q

Host-Based Firewalls (Personal Firewall)

A

A host-based firewall is a piece of software that controls inbound and outbound communication to the system.

A system connected to an untrusted network such as a hotel network or any wireless network should be protected by a host-based firewall.

2
Q

TCP Wrappers

A

TCP wrappers is another great access control feature available in Linux. TCP wrappers allows you to control access to different services running on the Linux system such as Telnet, SSH, or FTP. The TCP wrappers feature is easy to implement because you need to configure only two files:

/etc/hosts.allow
This file lists the different services you wish to allow clients to access, and you specify which clients can access those services.

/etc/hosts.deny
This file lists the different services you wish to deny access to clients, and allows you to specify which clients are denied access to the different services.

If the client is listed in both the allow file and the deny file, then the client is allowed access, because the allow file is read first.

3
Q

Host-based Intrusion Detection System (HIDS)

A

A host-based IDS is responsible for monitoring activity on the system and alerting you of any suspicious activity.

4
Q

Host-based Intrusion Prevention System (HIPS)

A

A host-based IPS monitors for suspicious activity and then takes corrective action, such as locking the system out or disabling network communication.

5
Q

Key Areas that a HIDS/HIPS Monitors:

A
  1. Memory
  2. System files
  3. Log files
  4. File system
  5. Connections

A key point to remember about HIDS as compared with NIDS is that if the network traffic is encrypted, then the NIDS will be unable to detect suspicious traffic. A strong point of using a HIDS is that it doesn’t matter whether the network traffic is encrypted, because the HIDS does not inspect the network traffic to identify issues; it looks at activity on the host itself.

6
Q

Protecting Against Malware

A
  1. Patch Management
  2. Using Antivirus & Anti-spam Software
  3. Phish Filters and Pop-up Blockers
  4. Practicing Good Habits
    a. Surfing
    b. E-mail
    c. Flash drives
7
Q

Security Aspects of Mobile Devices You Will Need to Manage:

A
  1. Screen locks
  2. Strong passwords and pins
  3. Full device encryption
  4. Remote wipe/sanitation
  5. Voice encryption
  6. GPS tracking
  7. Geofencing
  8. Geolocation
  9. Lockout
  10. Application management
  11. Content management
  12. Storage segmentation (Corporate vs. Personal Data)
  13. Asset tracking
  14. Inventory control
  15. Mobile device management
  16. Device access control
  17. Removable storage
  18. Disabling unused features
  19. Push notification services
  20. Biometrics
  21. Context-aware authentication
  22. Containerization
8
Q

Context-aware Authentication

A

Context-aware authentication is a new type of security feature that allows an application or cloud service to be aware of your habits—for example, the location you usually log on from, or the device you typically use to log on. With context-aware authentication, if the system determines there is high confidence it is actually you using your credentials (based on the context), then you have a simple logon experience. If the system rates low confidence that it is actually you who is logging in, then it resorts to enforcing a more complicated logon approach involving solutions such as two-factor authentication.

9
Q

Considerations for Enforcement on Organization’s Policies

A
  1. Third-party app stores
  2. Rooting/jailbreaking
  3. Sideloading
  4. Custom firmware
  5. Carrier unlocking
  6. Firmware over-the-air (OTA) updates
  7. Camera use
  8. SMS/MMS
  9. External media
  10. USB On-the-Go (OTG)
  11. Recording microphone
  12. GPS tagging
  13. Wi-Fi direct/ad hoc
  14. Tethering
  15. Payment methods
10
Q

USB On-the-Go (OTG)

A

USB On-the-Go (OTG) is a specification that enables a compliant mobile device to have many different types of devices connect to it. For example, if your mobile device or tablet supports USB OTG, you could connect a communication device such as a keyboard or mouse and use that with your mobile device.

11
Q

Tethering

A

Tethering means sharing the mobile device’s Internet connection with other devices. You may want to restrict the tethering features on the mobile devices to prevent users from sharing their Internet connections in this manner.

12
Q

Deployment Models

A
  1. BYOD - The “bring your own device” model
  2. COPE - The “corporate-owned, personally enabled” model
  3. CYOD - The “choose your own device” model
  4. Corporate-owned model
  5. VDI - Virtual desktop infrastructure
13
Q

Virtual Desktop Infrastructure (VDI)

A

Virtual desktop infrastructure is a model where the user uses a thin client to connect to their desktop environment running in a data center. With VDI you can introduce the mobile device as the thin client so that the user can access their desktop environment from anywhere. The benefit is that the resources are not on the mobile device—it simply connects to a virtual desktop within the company.

14
Q

Data Security

A
  1. File permissions
  2. Encryption
  3. Data loss prevention (DLP)
    Data loss prevention is software or hardware that is designed to analyze information leaving the organization to ensure that sensitive information is not being leaked. DLP can be implemented to monitor network traffic and to identify sensitive information being sent through instant messenger, e-mail, or protocols such as HTTP and FTP. DLP can also analyze data in storage to ensure sensitive information is not being stored in the wrong location.
  4. Cloud storage
  5. Storage Area Network (SAN)
  6. Handling Big Data
  7. Data-in-transit, data-at-rest, data-in-use
    Ensure that you are securing the data in storage with permissions or encryption and securing the data in transit with encryption as well. Also ensure that the data is secure when being used by limiting what actions someone can do with that data in the software.
15
Q

Windows File Permissions

A
  1. NTFS Permissions
  2. Sharing
    Sharing the folder is the way you publish the folder to the network clients. When you share the folder, you specify share permissions as well. Remember that when the NTFS permissions conflict with share folder permissions, the most restrictive permission wins.
    For example, if you give the NTFS permission of Modify and the share permission of Read, when users come through the share to access that folder, their permission will be Read because it is more restrictive.
16
Q

Areas to Encrypt Information

A
  1. Full disk
  2. Database
  3. Individual files
  4. Removable media
  5. Mobile devices
17
Q

Hardware-Based Encryption

A
  1. Trusted Platform Module (TPM)
  2. Hardware Security Module (HSM)
  3. USB and hard drive encryption
18
Q

Trusted Platform Module (TPM)

A

Trusted Platform Module is a computer chip on a system that stores the cryptographic keys that are used to encrypt data. Applications that use passwords to encrypt data are susceptible to dictionary attacks, while TPM has a dictionary attack prevention module built in. In Windows, BitLocker supports using TPM to store the key. Keep in mind that to use it, you must have a TPM-supported BIOS.

19
Q

Hardware Security Module (HSM)

A

The Hardware Security Module is a card that is added to a system that contains a crypto-processor to perform asymmetric cryptographic functions at the hardware level. It also contains chips that store the crypto-keys to be used by the system.

20
Q

Implementing Data Policies

A
  1. Wiping
  2. Disposing
  3. Retention
  4. Storage
21
Q

Disposing of data in order to guard the privacy of the organization:

A
  1. Burning
    One simple way of destroying sensitive documents is by burning the documents.
  2. Shredding
    You can shred documents to destroy sensitive information. Be sure to obtain a cross-cut shredder; a document cut into strips by a regular shredder can easily be put back together. You can purchase a special type of shredder to destroy old hard drives.
  3. Pulping
    You can pulp sensitive documents by using chemicals to break down the paper into a liquid/paste-like form.
  4. Pulverizing
    Pulverizing destroys the old hard drive and reduces it to small particles.
  5. Degaussing
    Degaussing is the process of removing the magnetic field from hard drives so that the data is lost.
  6. Purging
    Purging data means permanently erasing data from the storage media, such as a hard drive.
  7. Wiping
    You can use programs to securely wipe a drive, which means overwriting the drive many times to ensure that the data cannot be retrieved.
22
Q

Hardware/Firmware Security

A
  1. FDE/SED
  2. TPM
  3. HSM
  4. UEFI/BIOS (bootup passwords…)
  5. Secure boot and attestation
  6. Supply chain (Value Stream)
  7. Hardware root of trust
    Hardware roots of trust are hardware components trusted by the system that perform security functions. For example, a TPM module that generates and stores a key pair.
  8. EMI/EMP
23
Q

FDE/SED

A

As discussed earlier, full disk encryption (FDE) is a security feature that allows a device to encrypt the entire hard disk to help maintain confidentiality in cases where a device is lost or stolen. You can also use a stream editor (SED) to transform text inside a file to an unreadable format.

24
Q

Secure Boot and Attestation

A

Secure boot is a device security feature that can be enabled that involves the system digitally signing the bootup files. Once the files are signed, the system will only load digitally signed files during bootup. This helps prevent someone from booting another operating system on that system in order to gain access to the system and its data. Attestation in this context means that the system has booted the way it was supposed to based on the digital signature.

25
Q

EMI/EMP

A

Electromagnetic interference (EMI) is interference from an external source that distorts information being transmitted. Electromagnetic pulse (EMP) is a burst of electromagnetic energy. Ensure that you use technologies that are immune to EMI/EMP, such as fiber-optic cabling instead of twisted-pair cabling, in order to protect your data.

26
Q

Types of OS

A
  1. Network
  2. Server
  3. Workstation
  4. Appliance
  5. Kiosk
27
Q

Trusted operating system

A

Use a trusted OS. A trusted OS is a system that implements multiple layers of security, such as authentication and authorization, to determine who can access a system and what they can do.

28
Q

Secure Deployment of Applications and Systems

A
  1. Sandboxing
  2. Environment
    a. Development
    b. Test
    c. Staging
    d. Production
  3. Secure baseline
  4. Integrity measurement
29
Q

Sandboxing

A

Sandboxing is the process of creating separate running environments for applications and ensuring you restrict communication between these running environments.

30
Q

VM sprawl avoidance

A

VM sprawl occurs when an organization has a large number of VMs being created without any process in place for building VMs. The problem is that the number of VMs being created outpaces the capability of network administrators to manage all of them. Having VMs pop up all over the place with no central management means no one is able to ensure that all those systems are patched when needed. Remember that an unpatched system could create a security hole in your network. Centrally managing VM host systems, using management software to deploy VMs, is key to solving VM sprawl.

31
Q

VM escape protection

A

VM escape allows someone to access the host operating system from the guest OS of the VM. Virtualization vendors create patches for any VM escape vulnerabilities that exist within their products, so be sure to keep your virtualization software patched.

32
Q

Virtualization Security

A
  1. Snapshots
  2. Patch compatibility
  3. Host availability/elasticity
  4. Security control testing
  5. Sandboxing
33
Q

Elasticity

A

One of the benefits of virtualization solutions is elasticity, which is the ability to launch new servers to handle increased load demands and also to easily reduce the number of running servers when the load decreases.

34
Q

VDI/VDE

A

Virtual desktop infrastructure and virtual desktop environment is a virtualization feature that hosts the desktop environment for a user on a central server, which is then delivered to a thin client. The user interacts with the desktop OS as if it were installed locally.

35
Q

Cloud Access Security Broker (CASB)

A

A cloud access security broker (CASB) is a security service that sits between your on-premises environment and your cloud provider’s environment. The CASB allows you to define security policies that apply to network traffic flowing outside your current on-premises environment to the cloud.

36
Q

Security as a Service

A

Becoming more popular today is Security as a Service, where you pay a monthly subscription fee to use the security services of a cloud provider. This could include intrusion detection, anti-malware, authentication, and penetration testing services.