Implementing Host and Software Security PDF

Summary

This document provides an overview of host and software security, focusing on implementing host security, cloud and virtualization security, mobile device security, and incorporating security into the software development lifecycle. It discusses various aspects of these topics including hardening, operating system security, and hardware and firmware security in detail.

Full Transcript

Implementing Host and Software Security

Implement Host Security
Implement Cloud and Virtualization Security
Implement Mobile Device Security
Incorporate Security in the Software Development Lifecycle

Copyright (c) 2018 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 1
Hardening

The security technique of altering a system's configuration to close
vulnerabilities and protect the system against attack.

Typically implemented so systems conform to security policy.
Many different techniques are available.
Hardening may also restrict a system's capabilities.
Hardening must be balanced against accessibility.

Copyright (c) 2018 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 2
Operating System Security

Each OS has unique vulnerabilities for attackers to exploit.
Different OS types and OSes from different vendors have their own weaknesses.
Vendors try to correct vulnerabilities while attackers try to exploit them.
Stay up-to-date with security info posted by vendors and other references.
Different types of OSes:
Network
Server
Workstation
Appliance
Mobile

Copyright (c) 2018 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 3
Operating System Hardening Techniques

Implement a principle of least functionality.
Disable unnecessary network ports.
Disable unnecessary services.
Take advantage of secure configurations.
Disable default accounts.
Force users to change default passwords.
Implement a patch management service.

Copyright (c) 2018 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 4
Trusted Computing Base

Trusted computing base: The hardware, firmware, and software
component responsible for ensuring computer system security.

Trusted operating system: Operating systems that fulfill security
requirements as in a TCB.

Trusted OS

Firmware

Hardware

Copyright (c) 2018 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 5
Hardware and Firmware Security

Component Description
Basic Input/Output System and Unified Extensible Firmware Interface.
BIOS/UEFI Both firmware interfaces to initialize hardware for system boot.
UEFI is more modern and secure.
Root of trust enforces trusted computing through encryption.
Root of trust and HSM
Hardware security module is a physical device that implements root of trust.
Trusted Platform Module.
TPM
Secure cryptoprocessor that generates keys for use in TCB.
Secure boot is a UEFI feature that prevents malicious processes from executing
Secure boot and during boot.
remote attestation Cryptographic hash taken of boot loader to ensure integrity.
TPM can sign hash for third-party verification (remote attestation).

Copyright (c) 2018 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 6
Security Baselines

A collection of host security settings.
Compare the baseline to the security settings of hosts in your network.
Baselines are crucial for streamlining the host hardening process.
Don't harden hosts in a vacuum; use the baseline as a security template.
Each baseline will differ based on the computer's function and operating system.

Server
Baseline Configuration

Compare

Copyright (c) 2018 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 7
Software Updates

Update Type Description

Patch Small unit of code meant to address a security problem or functionality flaw.

Hotfix A patch issued on an emergency basis to address a specific security flaw.

Rollup A collection of previously issued patches and hotfixes.
A large compilation of system updates that can include functionality
Service pack
enhancements and any prior patches, hotfixes, and rollups.

Copyright (c) 2018 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 8
Application Blacklisting and Whitelisting

Blacklisting: Preventing the execution of all apps that are on a list of
unauthorized apps.
Drawback: You can't block malicious apps you haven't identified.
Whitelisting: Preventing the execution of all apps that aren't on a list of
authorized apps.
Drawback: Creation and maintenance of list increases overhead.

Blocked Allowed
Apps Apps

Ransomware.exe Word.exe

RAT.exe Outlook.exe

DDoS.exe Chrome.exe

Copyright (c) 2018 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 9
Logging

The process of an operating system or application recording data about
activity on a computer.

Logs stored as text files with
varying levels of detail.
Highly detailed logging can
consume excessive storage
space.
Logs can reveal information
about a suspected attack.
Restrict access to logs and back
them up routinely.

Copyright (c) 2018 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 10
Auditing

Performing an organized technical evaluation of a system's security to
ensure it is in compliance.

Similar to a security assessment.
Auditing is focused more on ascertaining if the system meets a set of criteria.
Criteria come from laws, regulations, standards, and organizational policy.
Most audits are performed by third parties.
Example: External auditor checks to see if online merchant is in compliance with PCI DSS.
Commonly associated with reviewing log files.
Can also test passwords, scan firewalls, review user permissions, etc.
Audits contribute to the overall hardening process.

Copyright (c) 2018 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 11
Anti-malware Software

Software that scans systems and networks for malicious software.

Most scan for known malware.
Some can scan for unknown malware.
Install anti-malware on all computers.
Keep anti-malware apps updated.

Copyright (c) 2018 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 12
Types of Anti-malware Software

Type Description
Scans for code matching virus patterns (signature-based).
Antivirus Can actively monitor system for virus activity (behavior-based or
heuristic).
Anti-spam filters detect key words used in spam messages.
Anti-spam
Can also block based on IPs of known spam sources.
Designed specifically to identify and stop spyware.
Anti-spyware
Functionality may come packaged with antivirus software.
Prevents websites from popping up elements in the browser.
Pop-up blocker
Most browsers include this functionality.
Not specifically designed for anti-malware.
Host-based firewalls
Can still block network traffic used by malware.

Copyright (c) 2018 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 13
Embedded Systems

Hardware and software systems that have a specific function within a
larger system.

Larger systems include everything from home appliances to industrial machines.
Embedded systems are found in all kinds of technology and industries.
Usually don't have the complexity of a PC or server.
Their dedicated purpose often means less sophisticated architecture.
May use an all-in-one microcontroller rather than discrete CPU/memory components.
May not have a GUI.
May still have an OS.
Larger system may be user-friendly even if embedded system is not.

Copyright (c) 2018 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 14
 Security Implications for Embedded Systems

System Security Implications
Smart devices are electronic devices with network connectivity.
Smart devices Smart devices have autonomous computing properties.
Security is an afterthought or not thought of at all.
IoT devices are objects (electronic or not) connected to the Internet.
IoT IoT devices use embedded electronic components.
Like smart devices, security is very poor or non-existent.
IP cameras are easier to manager than CCTV.
Camera systems Susceptible to standard networking risks.
Can use encryption protocols to protect recorded data.
Medical devices, ATMs, vehicles, etc.
Special purpose systems
Security depends on purpose and functionality of systems.

Copyright (c) 2018 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 15
Virtualization

Virtualization: Creating a simulation of a computing environment.

Simulates hardware and software.
You create virtualized computers to run on physical computers.
Example: Virtual Linux computer running on physical Windows Server.

Virtual machine: A virtualized computer.

Advantages:
Easier to manage.
Cost-efficient.
Power and resource-efficient.

Copyright (c) 2018 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 16
Hypervisors

The layer of software that separates the virtual software from the
physical hardware it runs on.

Manage resources on physical host and provide them to the virtual guests.
Provide flexibility and increased efficiency of hardware use.
Two basic types:
Type I
Run directly on host's hardware.
Type II
Run as an application on top of host operating system.

Copyright (c) 2018 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 17
Hypervisors (Cont.)

Type I Type II

Guest 1 Guest 2 Guest 1 Guest 2
OS OS
OS OS
Hypervisor
Hypervisor
Host OS
Hardware Hardware

Copyright (c) 2018 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 18
Cloud Computing

Computing involving real-time communication over large distributed
networks to provide various resources to a consumer.

Typically relies on the Internet.
"The cloud" refers to resources
available on a particular service.
Examples: Business sites, consumer
sites, storage services, etc.
You can access and manage
resources from anywhere.
Storage method and location are
not visible to the consumer.
Cloud computing uses virtualization
to provision resources.
Security implications are similar.

Copyright (c) 2018 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 19
Cloud Deployment Models

Deployment Model Description
Usually distributed by a single entity over a private network.
Private Enables entities to exercise greater controller over services.
Geared toward banking and governmental services.
Done over the Internet offering services to general consumers.
Public Pay-as-you-go subscriptions and lower-tier services for free.
Security is a concern for anything traversing the Internet.
Multiple entities sharing ownership of a cloud service.
Community
Done to pool resources for a common concern.
Combines two or more of the previous models.
Hybrid
Example: Private cloud for internal personnel, public for customers.

Copyright (c) 2018 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 20
Cloud Service Types

Service Description
SaaS uses cloud to provide apps to users.
Software Eliminates installation and purchasing of specific versions.
Examples: Office 365, Salesforce, G Suite.
PaaS provides virtual systems to customers.
Platform Can include operating systems and application engines.
Examples: Oracle Database, Azure SQL Database, Google App Engine.
IaaS provides access to infrastructure needs.
Infrastructure Includes data centers, servers, networking, etc.
Examples: Amazon EC2, Azure VMs, OpenStack.
SECaaS provides resources for security purposes.
Security Includes authentication, anti-malware, intrusion detection, etc.
Examples: Cloudflare, FireEye, SonicWall.

Copyright (c) 2018 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 21
Mobile Device Connection Methods

Connection Method Description
Wireless connection to transceivers in fixed locations across the world.
Cellular Used primarily by mobile phones for voice and text, but also data.
Uses transport encryption, but users have little control over security.
Wi-Fi networks provide local area connections for mobile devices.
Wi-Fi Can incorporate encryption and authentication if using secure protocols.
Organizations have more control over Wi-Fi than cellular.
Wireless technology primarily used for short-range communications.
Bluetooth Example: Wireless headset connected to a nearby smartphone.
Susceptible to bluejacking and bluesnarfing.
Wireless communication in very close proximity.
NFC Used primarily for in-person data exchange.
Susceptible to RF signal interception and DoS flooding.

Copyright (c) 2018 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 22
Mobile Device Management

The process of tracking, controlling, and securing an organization's
mobile infrastructure.

MDM solutions are often web-based platforms with a centralized console.
You can enforce security on all mobile devices at once, rather than individually.

Copyright (c) 2018 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 23
Mobile Device Security Controls

Security Control Description
Option should be enabled with strict requirements for unlock.
Screen lock
Can only be accessed by code user has set.
Strong passwords and
User should set up strong password/PIN for lock screen.
PINs
Full device encryption Data on devices should be encrypted to protect sensitive data.
Remote wipe: remotely delete sensitive data if device is lost or stolen.
Remote wipe/lockout
Remote lockout: remotely trigger lock screen if device is lost or stolen.
Geolocation and Geolocation: tracking the geographic location of devices.
geofencing Geofencing: creating geographic boundaries for device functionality.
Uphold principle of least privilege.
Access controls
Consider context-aware authentication.
Application and content Set restrictions on what apps/content user can access.
management Consider blacklisting or whitelisting apps.

Copyright (c) 2018 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 24
Mobile Deployment Models

Deployment Model Description
Organization is sole owner of devices and has full management control.
Corporate-owned Most secure.
May be too strict to be feasible.
Bring your own device—employees own and manage personal devices.
BYOD Becoming increasingly common.
Introduces security issues with new risks and questions of ownership.
Choose your own device—employees choose from a vetted list of devices.
CYOD Employee still in control of device.
Tries to mitigate BYOD vulnerabilities but not be too strict.
Corporate-owned, personally enabled.
COPE Employees can still use devices for personal reasons.
Organization still has some control, which can prompt privacy concerns.
Virtual mobile infrastructure—similar to VDI but for mobile OSes.
VMI Employees connect to VMs running mobile OSes.
Organization retains control during work; employee regains control after work.

Copyright (c) 2018 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 25
Software Development Lifecycle

The practice of developing software across a lifecycle from initial
planning to final deployment and obsolescence.

Each developed app goes through distinct phases of this lifecycle.
You must integrate security into each phase of the lifecycle.

Initiate Design Implement Test Deploy Dispose

Copyright (c) 2018 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 26
Secure Coding Techniques

Technique Description
Code that executes but produces results not used by app.
Limiting dead code
Remove dead code to minimize risk.
Server side should validate input and execute code not meant for user.
Server-side vs. client-side
Client side should handle execution of GUI-based code.
Limit how much data the app exposes to users.
Limiting data exposure
Especially important in systems that provide access to multiple users.
Some languages manage memory automatically (Python, Java, etc.).
Memory management
Some languages require manual management (C, C++, etc.).
Pre-compiled database statements used for input validation.
Stored procedures
Deny user access to underlying data.

Copyright (c) 2018 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 27