501 ch 5 securing hosts and data | PPTX
Chapter 5
Securing Hosts and Data
CompTIA Security+
Get Certified Get Ahead
Introduction
• Implementing secure systems
• Summarizing cloud concepts
• Deploying mobile devices securely
Implementing Host Security
• Least functionality
– Disabling unnecessary services
• Improves security posture
• Reduces attack surface
– Reduces risks from open ports
• Disabling unneeded applications
• Disabling unnecessary accounts
• Keeping systems up-to-date
Secure Operating Systems
• Windows
• Mac
• Linux
– Kiosks
– Network
– Appliance
• Trusted OS
Using Master Images
• Provides secure starting point
• Reduces costs
Secure Operating Systems
• Resiliency and automation strategies
– Automation, scripting, and templates
– Group Policy
• Standardize system configuration
• Standardize security settings
• Enforce strict company guidelines
• Easily apply security settings to multiple computers
Account Policies
Local Policies
System Services
Software Restrictions
Secure Operating Systems
• Three steps
– Initial baseline configuration
– Integrity measurements for baseline deviation
– Remediation
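The three steps on this slide, worked through in code as an added illustration (this is not the course's own code): a baseline of file hashes is taken from a freshly imaged host, the live host is measured against it, and modified or missing files are restored from the master image. All paths, file contents and the master image directory are constructed.

```python
"""Added illustration (not the course's code) of the slide's three steps:
initial baseline, integrity measurement for deviation, remediation.
All paths, contents and the 'master image' directory are constructed."""
import hashlib
import os
import shutil
import tempfile


def build_baseline(root):
    """Step 1: SHA-256 of every file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as handle:
                digest = hashlib.sha256(handle.read()).hexdigest()
            baseline[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return baseline


def measure_deviation(baseline, root):
    """Step 2: compare the live tree against the stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def remediate(root, deviation, master_image):
    """Step 3: restore modified/missing files from the master image.
    Files that appeared outside the baseline are left for human review."""
    restored = []
    for rel in deviation["modified"] + deviation["missing"]:
        src = os.path.join(master_image, rel)
        if os.path.isfile(src):
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            shutil.copyfile(src, os.path.join(root, rel))
            restored.append(rel)
    return sorted(restored)


def write_file(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as handle:
        handle.write(data)


def demo():
    """Constructed scenario: build a host from a master image, let it drift,
    measure the drift, remediate, and measure again."""
    files = {"etc/ssh/sshd_config": b"PermitRootLogin no\n",
             "bin/app": b"\x7fELF constructed binary",
             "etc/hosts": b"127.0.0.1 localhost\n"}
    master, host = tempfile.mkdtemp(), tempfile.mkdtemp()
    for rel, data in files.items():
        write_file(master, rel, data)
        write_file(host, rel, data)
    baseline = build_baseline(host)
    write_file(host, "etc/ssh/sshd_config", b"PermitRootLogin yes\n")  # edited
    os.remove(os.path.join(host, "bin/app"))                            # removed
    write_file(host, "var/unexpected.txt", b"not in the baseline\n")   # appeared
    before = measure_deviation(baseline, host)
    restored = remediate(host, before, master)
    return before, restored, measure_deviation(baseline, host)
```

Running `demo()` shows the drift report before remediation, the list of files restored, and the remaining report, in which only the unexpected new file is left for review.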
Implementing Secure Systems
• Patch management
– Ensure that systems are up-to-date
– Protects system against known vulnerabilities
– Test patches in a test environment that mirrors the production environment
– Automated deployment
– Testing, deploying and verifying updates
Implementing Secure Systems
• Change management
– Helps ensure changes to IT systems do not result in unintended outages
– Provides an accounting structure or method to document all changes
– Changes are proposed and reviewed before implementation
Implementing Secure Systems
• Unauthorized software
– Can include malware
• Compliance violations
– Licenses
Whitelisting vs Blacklisting
• Application whitelisting
– Identifies authorized software for workstations, servers, and mobile devices
– Prevents users from installing or running software that isn’t on the list
• Application blacklisting
– A list of prohibited applications
– Prevents users from installing or running
software on the list
Secure Staging and Deployment
• Sandboxing
– Used for testing
– Isolated area on a system
• VMs
– Isolated operating system
• Chroot
– Isolated area within a Linux OS
Secure Staging Environment
• Development
– App created in a development environment
• Test
– App tested in a testing environment
• Staging
– Simulates production environment
• Production
– Final product
Peripherals
• Wireless keyboards
• Wireless mice
• Displays
• External storage devices
• Digital cameras
• Wi-Fi-enabled MicroSD card
• Printers and other multi-function devices (MFDs)
Hardware and Firmware Security
• Electromagnetic interference (EMI)
– Interference from various sources
• Motors
• Power lines
• Fluorescent lights
• Electromagnetic pulse (EMP)
– Short burst of electromagnetic energy
• Electrostatic discharge (ESD)
• Lightning
• Military weapons
Hardware and Firmware Security
• Full disk encryption (FDE)
– Can be software application
• Self-encrypting drives (SED)
– Includes the hardware and software to encrypt all data on the drive
– Securely stores the encryption keys
– Typically unlocked with user credentials
Hardware and Firmware Security
• Basic Input/Output System (BIOS)
– Firmware used to start a computer
– Software stored on hardware chip
• Unified Extensible Firmware Interface (UEFI)
– Replacement for BIOS on most newer systems
– Includes similar functions and some enhancements
• Update BIOS and UEFI by flashing
Hardware-Based Encryption: comparing TPM and HSM
Hardware
– TPM: Chip in motherboard (included with many laptops)
– HSM: Removable or external hardware device (purchased separately)
Uses
– TPM: Full disk encryption (for laptops and some servers)
– HSM: High-end mission-critical servers (SSL accelerators, high availability clusters, certificate authorities)
Authentication
– TPM: Performs platform authentication (verifies drive not moved)
– HSM: Performs application authentication (only used by authorized applications)
Encryption keys
– TPM: Includes endorsement key (burned into chip) and storage root key; the storage root key generates and protects other keys
– HSM: Stores RSA keys used in asymmetric encryption and can generate keys
Benefits of TPM and HSM
• Secure boot process
– Checks the files against stored signatures to ensure files haven’t changed
– Attests that the files haven’t changed
– Blocks boot process if files have been modified
• Remote attestation
– Sends information on files to remote system
– Remote system verifies files haven’t changed
Benefits of TPM and HSM
• Hardware root of trust
– Known secure starting point
– TPM/HSM ships with a unique private key burned into hardware
– Matched with public key
– Used during secure boot process
Hardware and Firmware Security
• Additional vulnerabilities
– End of life systems
• Sanitize before disposing
• Lack of vendor support
– No security updates
– No technical support
– Susceptible to security issues
Summarizing Cloud Computing
• Accessing computing resources on another system
• On-premise
– Cloud resources owned, operated, and maintained by an organization for its employees
• Hosted
– Resources rented and managed by another organization
– Typically accessed via the Internet
Summarizing Cloud Computing
• Software as a Service (SaaS)
– Applications provided over the Internet (such as web-mail accessed with a web browser)
• Platform as a Service (PaaS)
– Provides customers with a fully managed platform
– Vendor keeps platform up-to-date
• Infrastructure as a Service (IaaS)
– Provides customers with access to hardware in a self-managed platform
– Customers are responsible for keeping an IaaS system up to date
Summarizing Cloud Computing
Comparing responsibilities (figure)
Understanding Cloud Computing
• Security as a service
– Any services provided via the cloud that provide security services
– Commonly viewed as a subset of Software as a Service (SaaS)
• Cloud access security broker (CASB)
– Software tool or service
– Placed between organization’s network and the cloud provider
Cloud Deployment Models
• Public – Available to anyone
• Private – Only available within a company
• Community – Cloud shared by two or more organizations
• Hybrid – Combination of any two models
Mobile Device Deployment Models
• Models support connecting mobile devices to organization’s network
– Corporate-owned
– COPE (corporate-owned, personally enabled)
– BYOD (bring your own device)
• Bring your own disaster
– CYOD (choose your own device)
• Limits supported devices
• VDI (virtual desktop infrastructure)
Mobile Device Connection Methods
• Cellular
• Wi-Fi
• SATCOM
• Bluetooth
• NFC (near field communication)
• ANT
• Infrared
• USB (Universal Serial Bus)
Mobile Device Management (MDM)
• Application management
• Full device encryption
• Storage segmentation
• Content management
• Containerization
• Passwords and PINs
• Biometrics
• Screen locks
Mobile Device Management (MDM)
• Remote wipe
• Geolocation
• Geofencing
• GPS tagging
• Context-aware authentication
• Push notification services
MDM Enforcement / Monitoring
• Unauthorized software
– Third party app stores
– Rooting and jailbreaking
– Updates
– Sideloading
– SMS and MMS
Mobile Device Management (MDM)
• Hardware control
– USB OTG cables
• Unauthorized connections
– Tethering
– Wi-Fi Direct
– Ad hoc
Embedded System
• Any device that has a dedicated function and uses a computer system to perform that function
– Compare to desktop PCs, laptops, and servers
• All use central processing units (CPUs), operating systems, and applications to perform various functions
• Embedded systems
– Use CPUs, operating systems, and one or more applications to perform specific functions
Embedded System
• Security implications and vulnerabilities
– Keep up-to-date
• Implement patch management processes
– Avoid default configurations
Comparing Embedded Systems
• Smart devices
• Internet of things (IoT)
– Wearable technology
– Home automation
• HVAC
• SoC
• RTOS
• Printers/MFDs
• Camera systems
• Special purpose
– Medical devices
– Vehicles
– Aircraft/UAV
Protecting SCADA/ICSs
• Redundancy and diversity
• Network segmentation
• Security layers
• Application firewalls
• Manual updates
• Firmware version control
• Wrappers
Protecting Data
• Data at rest
– Any stored data
– Hard drives, mobile phones, USB flash drives, external drives, databases, and backups
• Data in transit
– Data in motion
– Any data traveling over a network
Protecting Confidentiality with Encryption
• Software-based encryption
– Full disk encryption
– Database column encryption
– File/folder encryption
Permission Issues & Access Violations
• Principle of least privilege
– Ensures users granted only the rights and permissions needed to perform assigned tasks or functions
– Rights identify what a user can do, such as changing the system time or rebooting a system
– Permissions define access to resources, such as being able to read or modify a file
– Rights and permissions combined called privileges
File System Security
• Linux permissions
– Owner
– Group
– Others
– Read (r) 100 (4)
– Write (w) 010 (2)
– Execute (x) 001 (1)
File System Security
• Linux permissions
• Chmod
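The owner/group/others bit values from the previous slides (r=4, w=2, x=1), worked as an added example that is not part of the course material: it converts between the symbolic and octal forms chmod accepts, reviews what the widest class ("others") is allowed to do, and applies a mode to a constructed temporary file on a POSIX file system to confirm the kernel reports it back unchanged.

```python
"""Added example (not the course's code) of the permission bits on the slide:
r=4, w=2, x=1 for owner, group and others, as used with chmod.
The file it creates is a constructed temporary file on a POSIX system."""
import os
import stat
import tempfile

BITS = {"r": 4, "w": 2, "x": 1}


def symbolic_to_octal(sym):
    """'rwxr-x---' -> 0o750: each class becomes one octal digit from r/w/x."""
    if len(sym) != 9:
        raise ValueError("expected nine characters, e.g. rwxr-x---")
    mode = 0
    for i in range(3):
        digit = 0
        for ch, expected in zip(sym[3 * i:3 * i + 3], "rwx"):
            if ch == expected:
                digit |= BITS[ch]
            elif ch != "-":
                raise ValueError(f"unexpected {ch!r} in {sym!r}")
        mode = (mode << 3) | digit          # owner, then group, then others
    return mode


def octal_to_symbolic(mode):
    """0o644 -> 'rw-r--r--' (the form ls -l prints)."""
    out = []
    for shift in (6, 3, 0):                 # owner digit, group digit, others digit
        digit = (mode >> shift) & 0o7
        out.append("".join(ch if digit & BITS[ch] else "-" for ch in "rwx"))
    return "".join(out)


def review(mode):
    """Least-privilege review of the 'others' class, the widest one and the
    usual source of over-permissive files."""
    others = mode & 0o7
    return [f"others can {name}"
            for name, bit in (("read", 4), ("write", 2), ("execute", 1))
            if others & bit]


def chmod_demo(sym="rw-r-----"):
    """Apply a symbolic mode with os.chmod (what `chmod 640 file` does) and
    read it back from the inode; assumes a POSIX file system."""
    path = tempfile.NamedTemporaryFile(delete=False).name
    os.chmod(path, symbolic_to_octal(sym))
    actual = stat.S_IMODE(os.stat(path).st_mode)
    os.remove(path)
    return octal_to_symbolic(actual)
```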
File System Security
• Windows permissions
– Read
– Read & Execute
– Write
– Modify
Data Loss Prevention (DLP)
• Removable media
• Data exfiltration
– Unauthorized transfer of data outside
an organization
• Cloud-based DLP
– Can protect PII and PHI
Chapter 5 Summary
• Implementing secure systems
• Summarizing cloud concepts
• Deploying mobile devices securely


Editor's Notes

  • #37 This comes across as a laundry list of peripherals in the objectives. Feel free to take the time to explain any that you think your audience may not understand. However, the key point is that they need to be kept up-to-date.