Implementing Host and Software Security PDF
Summary
This document provides a presentation on implementing host and software security, including topics such as hardening, operating systems, and software updates. Concepts like virtualization and cloud computing are explained.
Full Transcript
Implementing Host and Software Security
- Implement Host Security
- Implement Cloud and Virtualization Security
- Implement Mobile Device Security
- Incorporate Security in the Software Development Lifecycle

Copyright (c) 2018 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

Hardening
- The security technique of altering a system's configuration to close vulnerabilities and protect the system against attack.
- Typically implemented so systems conform to security policy.
- Many different techniques are available.
- Hardening may also restrict a system's capabilities.
- Hardening must be balanced against accessibility.

Operating System Security
- Each OS has unique vulnerabilities for attackers to exploit.
- Different OS types and OSes from different vendors have their own weaknesses.
- Vendors try to correct vulnerabilities while attackers try to exploit them.
- Stay up-to-date with security info posted by vendors and other references.
- Different types of OSes: Network, Server, Workstation, Appliance, Mobile.

Operating System Hardening Techniques
- Implement a principle of least functionality.
- Disable unnecessary network ports.
- Disable unnecessary services.
- Take advantage of secure configurations.
- Disable default accounts.
- Force users to change default passwords.
- Implement a patch management service.

Trusted Computing Base
- Trusted computing base: The hardware, firmware, and software components responsible for ensuring computer system security.
- Trusted operating system: Operating systems that fulfill security requirements as in a TCB.
- Diagram layers: Trusted OS, Firmware, Hardware.

Hardware and Firmware Security

| Component | Description |
| --- | --- |
| BIOS/UEFI | Basic Input/Output System and Unified Extensible Firmware Interface. Both firmware interfaces to initialize hardware for system boot. UEFI is more modern and secure. |
| Root of trust and HSM | Root of trust enforces trusted computing through encryption. Hardware security module is a physical device that implements root of trust. |
| TPM | Trusted Platform Module. Secure cryptoprocessor that generates keys for use in TCB. |
| Secure boot and remote attestation | Secure boot is a UEFI feature that prevents malicious processes from executing during boot. Cryptographic hash taken of boot loader to ensure integrity. TPM can sign hash for third-party verification (remote attestation). |

Security Baselines
- A collection of host security settings.
- Compare the baseline to the security settings of hosts in your network.
- Baselines are crucial for streamlining the host hardening process.
- Don't harden hosts in a vacuum; use the baseline as a security template.
- Each baseline will differ based on the computer's function and operating system.
- Diagram labels: Baseline, Server Configuration, Compare.

Software Updates

| Update Type | Description |
| --- | --- |
| Patch | Small unit of code meant to address a security problem or functionality flaw. |
| Hotfix | A patch issued on an emergency basis to address a specific security flaw. |
| Rollup | A collection of previously issued patches and hotfixes. |
| Service pack | A large compilation of system updates that can include functionality enhancements and any prior patches, hotfixes, and rollups. |

Application Blacklisting and Whitelisting
- Blacklisting: Preventing the execution of all apps that are on a list of unauthorized apps.
- Drawback: You can't block malicious apps you haven't identified.
- Whitelisting: Preventing the execution of all apps that aren't on a list of authorized apps.
- Drawback: Creation and maintenance of list increases overhead.

| Blocked Apps | Allowed Apps |
| --- | --- |
| Ransomware.exe | Word.exe |
| RAT.exe | Outlook.exe |
| DDoS.exe | Chrome.exe |

Logging
- The process of an operating system or application recording data about activity on a computer.
- Logs stored as text files with varying levels of detail.
- Highly detailed logging can consume excessive storage space.
- Logs can reveal information about a suspected attack.
- Restrict access to logs and back them up routinely.

Auditing
- Performing an organized technical evaluation of a system's security to ensure it is in compliance.
- Similar to a security assessment.
- Auditing is focused more on ascertaining if the system meets a set of criteria.
- Criteria come from laws, regulations, standards, and organizational policy.
- Most audits are performed by third parties.
- Example: External auditor checks to see if online merchant is in compliance with PCI DSS.
- Commonly associated with reviewing log files.
- Can also test passwords, scan firewalls, review user permissions, etc.
- Audits contribute to the overall hardening process.

Anti-malware Software
- Software that scans systems and networks for malicious software.
- Most scan for known malware.
- Some can scan for unknown malware.
- Install anti-malware on all computers.
- Keep anti-malware apps updated.

Types of Anti-malware Software

| Type | Description |
| --- | --- |
| Antivirus | Scans for code matching virus patterns (signature-based). Can actively monitor system for virus activity (behavior-based or heuristic). |
| Anti-spam | Anti-spam filters detect key words used in spam messages. Can also block based on IPs of known spam sources. |
| Anti-spyware | Designed specifically to identify and stop spyware. Functionality may come packaged with antivirus software. |
| Pop-up blocker | Prevents websites from popping up elements in the browser. Most browsers include this functionality. |
| Host-based firewalls | Not specifically designed for anti-malware. Can still block network traffic used by malware. |

Embedded Systems
- Hardware and software systems that have a specific function within a larger system.
- Larger systems include everything from home appliances to industrial machines.
- Embedded systems are found in all kinds of technology and industries.
- Usually don't have the complexity of a PC or server.
- Their dedicated purpose often means less sophisticated architecture.
- May use an all-in-one microcontroller rather than discrete CPU/memory components.
- May not have a GUI.
- May still have an OS.
- Larger system may be user-friendly even if embedded system is not.

Security Implications for Embedded Systems

| System | Security Implications |
| --- | --- |
| Smart devices | Smart devices are electronic devices with network connectivity. Smart devices have autonomous computing properties. Security is an afterthought or not thought of at all. |
| IoT | IoT devices are objects (electronic or not) connected to the Internet. IoT devices use embedded electronic components. Like smart devices, security is very poor or non-existent. |
| Camera systems | IP cameras are easier to manage than CCTV. Susceptible to standard networking risks. Can use encryption protocols to protect recorded data. |
| Special purpose systems | Medical devices, ATMs, vehicles, etc. Security depends on purpose and functionality of systems. |

Virtualization
- Virtualization: Creating a simulation of a computing environment.
- Simulates hardware and software.
- You create virtualized computers to run on physical computers.
- Example: Virtual Linux computer running on physical Windows Server.
- Virtual machine: A virtualized computer.
- Advantages: Easier to manage. Cost-efficient. Power and resource-efficient.

Hypervisors
- The layer of software that separates the virtual software from the physical hardware it runs on.
- Manage resources on physical host and provide them to the virtual guests.
- Provide flexibility and increased efficiency of hardware use.
- Two basic types:
- Type I: Run directly on host's hardware.
- Type II: Run as an application on top of host operating system.

Hypervisors (Cont.)
- Type I diagram, top to bottom: Guest 1 OS and Guest 2 OS; Hypervisor; Hardware.
- Type II diagram, top to bottom: Guest 1 OS and Guest 2 OS; Hypervisor; Host OS; Hardware.

Cloud Computing
- Computing involving real-time communication over large distributed networks to provide various resources to a consumer.
- Typically relies on the Internet.
- "The cloud" refers to resources available on a particular service.
- Examples: Business sites, consumer sites, storage services, etc.
- You can access and manage resources from anywhere.
- Storage method and location are not visible to the consumer.
- Cloud computing uses virtualization to provision resources.

Cloud Deployment Models

| Deployment Model | Description |
| --- | --- |
| Private | Usually distributed by a single entity over a private network. Enables entities to exercise greater control over services. Geared toward banking and governmental services. |
| Public | Done over the Internet offering services to general consumers. Pay-as-you-go subscriptions and lower-tier services for free. Security is a concern for anything traversing the Internet. |
| Community | Multiple entities sharing ownership of a cloud service. Done to pool resources for a common concern. |
| Hybrid | Combines two or more of the previous models. Example: Private cloud for internal personnel, public for customers. |

Cloud Service Types

| Service | Description |
| --- | --- |
| Software | SaaS uses cloud to provide apps to users. Eliminates installation and purchasing of specific versions. Examples: Office 365, Salesforce, G Suite. |
| Platform | PaaS provides virtual systems to customers. Can include operating systems and application engines. Examples: Oracle Database, Azure SQL Database, Google App Engine. |
| Infrastructure | IaaS provides access to infrastructure needs. Includes data centers, servers, networking, etc. Examples: Amazon EC2, Azure VMs, OpenStack. |
| Security | SECaaS provides resources for security purposes. Includes authentication, anti-malware, intrusion detection, etc. Examples: Cloudflare, FireEye, SonicWall. |

Mobile Device Connection Methods

| Connection Method | Description |
| --- | --- |
| Cellular | Wireless connection to transceivers in fixed locations across the world. Used primarily by mobile phones for voice and text, but also data. Uses transport encryption, but users have little control over security. |
| Wi-Fi | Wi-Fi networks provide local area connections for mobile devices. Can incorporate encryption and authentication if using secure protocols. Organizations have more control over Wi-Fi than cellular. |
| Bluetooth | Wireless technology primarily used for short-range communications. Example: Wireless headset connected to a nearby smartphone. Susceptible to bluejacking and bluesnarfing. |
| NFC | Wireless communication in very close proximity. Used primarily for in-person data exchange. |

Mobile Device Management
- The process of tracking, controlling, and securing an organization's mobile infrastructure.
- MDM solutions are often web-based platforms with a centralized console.
- You can enforce security on all mobile devices at once, rather than individually.

Mobile Device Security Controls

| Security Control | Description |
| --- | --- |
| Screen lock | Option should be enabled with strict requirements for unlock. Can only be accessed by code user has set. |
| Strong passwords and PINs | User should set up strong password/PIN for lock screen. |
| Full device encryption | Data on devices should be encrypted to protect sensitive data. |
| Remote wipe/lockout | Remote wipe: remotely delete sensitive data if device is lost or stolen. Remote lockout: remotely trigger lock screen if device is lost or stolen. |
| Geolocation and geofencing | Geolocation: tracking the geographic location of devices. Geofencing: creating geographic boundaries for device functionality. |
| Access controls | Uphold principle of least privilege. Consider context-aware authentication. |
| Application and content management | Set restrictions on what apps/content user can access. Consider blacklisting or whitelisting apps. |

Mobile Deployment Models

| Deployment Model | Description |
| --- | --- |
| Corporate-owned | Organization is sole owner of devices and has full management control. Most secure. May be too strict to be feasible. |
| BYOD | Bring your own device—employees own and manage personal devices. Becoming increasingly common. Introduces security issues with new risks and questions of ownership. |
| CYOD | Choose your own device—employees choose from a vetted list of devices. Employee still in control of device. Tries to mitigate BYOD vulnerabilities but not be too strict. |
| COPE | Corporate-owned, personally enabled. Employees can still use devices for personal reasons. Organization still has some control, which can prompt privacy concerns. |
| VMI | Virtual mobile infrastructure—similar to VDI but for mobile OSes. Employees connect to VMs running mobile OSes. Organization retains control during work; employee regains |

Software Development Lifecycle
- The practice of developing software across a lifecycle from initial planning to final deployment and obsolescence.
- Each developed app goes through distinct phases of this lifecycle.
- You must integrate security into each phase of the lifecycle.
- Phases: Initiate, Design, Implement, Test, Deploy, Dispose.

Secure Coding Techniques

| Technique | Description |
| --- | --- |
| Limiting dead code | Code that executes but produces results not used by app. Remove dead code to minimize risk. |
| Server-side vs. client-side | Server side should validate input and execute code not meant for user. Client side should handle execution of GUI-based code. |
| Limiting data exposure | Limit how much data the app exposes to users. Especially important in systems that provide access to multiple users. |
| Memory management | Some languages manage memory automatically (Python, Java, etc.). Some languages require manual management (C, C++, etc.). |
| Stored procedures | Pre-compiled database statements used for input validation. Deny user access to underlying data. |
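
The Secure Coding Techniques rows on server-side validation, limiting data exposure and pre-compiled statements can be seen working together in one lookup function. This is an added example, not part of the original slides; the table, its column names and the username policy are constructed, and because SQLite has no stored procedures a parameterized statement stands in for one.

```python
import re
import sqlite3

# Assumed naming policy for this example: lowercase letter, then 2-31 of [a-z0-9_].
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")

def make_db():
    """Build a constructed in-memory table holding public and sensitive columns."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, display_name TEXT,"
               " password_hash TEXT, ssn TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        ("alice", "Alice A.", "constructed-hash-1", "constructed-000"),
        ("bob", "Bob B.", "constructed-hash-2", "constructed-111"),
    ])
    return db

def get_profile(db, username):
    """Server-side lookup: validate, bind as a parameter, return two columns only."""
    # Server-side validation: checks done in the client GUI are never trusted.
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    # The statement text is fixed; the value is bound, never concatenated into SQL.
    row = db.execute(
        "SELECT username, display_name FROM users WHERE username = ?",
        (username,),
    ).fetchone()
    # Limiting data exposure: password_hash and ssn never leave this function.
    return None if row is None else {"username": row[0], "display_name": row[1]}

if __name__ == "__main__":
    db = make_db()
    print(get_profile(db, "alice"))
    print(get_profile(db, "carol"))
```
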
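
Returning to the Operating System Hardening Techniques and Security Baselines slides: comparing a host's settings to a baseline can be automated once the baseline is written as data. This is an added example, not part of the original slides; the setting names, rule types and both sample hosts are constructed, and the baseline shown is for a single host role (a web server), since each baseline differs by function and operating system.

```python
# Baseline for one host role (web server). Names and values are constructed.
# Each entry: setting -> (rule, expected)
WEB_BASELINE = {
    "open_ports":        ("subset",  {22, 443}),           # disable unnecessary ports
    "running_services":  ("subset",  {"sshd", "nginx"}),   # disable unnecessary services
    "enabled_accounts":  ("exclude", {"guest", "admin"}),  # disable default accounts
    "default_passwords": ("equals",  0),                   # all defaults changed
    "patch_age_days":    ("max",     30),                  # patch management in effect
}

def check_host(settings, baseline=WEB_BASELINE):
    """Compare collected host settings to the baseline; return sorted deviations."""
    findings = []
    for name, (rule, expected) in baseline.items():
        if name not in settings:
            # A setting that was never collected cannot be assumed compliant.
            findings.append((name, "not collected"))
            continue
        actual = settings[name]
        if rule == "subset":
            extra = set(actual) - expected
            if extra:
                findings.append((name, f"unexpected: {sorted(extra)}"))
        elif rule == "exclude":
            present = set(actual) & expected
            if present:
                findings.append((name, f"must be disabled: {sorted(present)}"))
        elif rule == "equals":
            if actual != expected:
                findings.append((name, f"expected {expected}, found {actual}"))
        elif rule == "max":
            if actual > expected:
                findings.append((name, f"{actual} exceeds limit {expected}"))
        else:
            raise ValueError(f"unknown rule {rule!r} for {name}")
    return sorted(findings)

# Constructed sample hosts: WEB01 conforms, WEB02 has drifted.
WEB01 = {"open_ports": [22, 443], "running_services": ["sshd", "nginx"],
         "enabled_accounts": ["deploy"], "default_passwords": 0,
         "patch_age_days": 12}
WEB02 = {"open_ports": [22, 23, 443], "enabled_accounts": ["deploy", "guest"],
         "running_services": ["sshd", "nginx", "telnetd"],
         "default_passwords": 0}  # patch_age_days missing on purpose

if __name__ == "__main__":
    for host, settings in (("web01", WEB01), ("web02", WEB02)):
        for name, finding in check_host(settings) or [("-", "conforms to baseline")]:
            print(f"{host}: {name}: {finding}")
```

A missing setting is reported as a deviation rather than skipped, so a host whose collection failed does not pass by default.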