Security+ Domain 3.0: Secure Systems Design and Deployment: Chapter 12

Chapter 12: Secure Systems Design and Deployment

System Security is our initial set of best practices. It includes:

    • Disabling non-essential systems and services
    • Hardening operating systems by
      • Applying updates and
      • Securing file systems
    • Hardening applications by
      • Hardening servers (daemons or services) and
      • Hardening data stores
    • Hardening networks through
      • Firmware upgrades and
      • Secure network configuration

Hardware / Firmware Security

Firmware upgrades

Computers, routers and other network equipment store fixed firmware in ROM modules, including:

  • Erasable Programmable Read-Only Memory (EPROM)
  • Electrically Erasable Programmable Read-Only Memory (EEPROM)

Computer manufacturers (such as Dell), chipset manufacturers (such as Intel) and router manufacturers (such as Cisco) frequently issue firmware updates. The system administrator is responsible for knowing about and implementing these updates.

Cisco routers in particular must be updated carefully: Cisco has issued more than one bad update, but Cisco users still have to do their best to stay up to date.

FDE / SED

TPM

HSM

UEFI / BIOS

Secure Boot and Attestation

Supply Chain

Hardware Root of Trust

EMI / EMP

Operating Systems

Patch Management

In Windows:

        • Service Packs are cumulative sets of updates
        • Hotfixes are single-issue fixes, typically correcting software problems, not security issues
        • Patches are software updates, often to correct security problems

Popular patch management systems for Windows include Windows Update Services (for standalone computers), Microsoft Operations Manager (MOM; formerly known as Software Update Services, SUS, and by other names) and the Shavlik family of security and patch management tools.

In Linux:

        • Patches typically require re-compiling software, or performing an upgrade installation of binary software distributions

Red Hat provides update services through the Red Hat Network update system.

Disabling Unnecessary Ports and Services

In Windows, view Services via any of:

        • Start > Settings > Control Panel > Administrative Tools > Services
        • the msconfig command from Start > Run
        • the services.msc command from Start > Run

Visit www.microsoft.com/technet or www.BlackViper.com for discussion of any services with which you’re not familiar.
Note that services can be Automatic, Manual or Disabled.

Probably the single most dangerous service is UPnP, Universal Plug-and-Play. Unless you have a specific, compelling reason to enable this, disable it.

Service names and display names in the Services applet are not always the same.

In Linux, view processes with:

ps aux

Generally, services are daemons: processes whose names end in “d,” e.g. httpd.

Services, Port Numbers and Sockets:

The combination of an IP address and a port number is a socket (e.g. 192.168.2.1:80).
Most ports are available to both TCP and UDP.
A total of 65,535 ports are available.
The first 1,023 are called the “well-known port numbers.”
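As an added example (not from the original notes), the following Python script ties together the two Linux points above: it parses constructed `ps aux` output to pick out daemons by the trailing “d” naming convention, compares them with a hypothetical secure baseline to flag services that are candidates for disabling, and splits an `ip:port` socket string to label its port range. It goes beyond the page by also naming the registered and dynamic port ranges; `BASELINE_DAEMONS`, the sample process list and the `upnpd` process are assumptions.

```python
import re

# Constructed sample of `ps aux` output (not captured from a real host).
PS_AUX_SAMPLE = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1 169000  9000 ?        Ss   10:00   0:01 /sbin/init
root       640  0.0  0.3  72000 12000 ?        Ss   10:00   0:00 /usr/sbin/sshd -D
www-data   812  0.0  0.5  90000 20000 ?        S    10:00   0:00 /usr/sbin/httpd -k start
root       901  0.0  0.2  30000  8000 ?        Ss   10:00   0:00 /usr/sbin/cupsd -l
root       955  0.0  0.2  25000  7000 ?        Ss   10:00   0:00 /usr/lib/upnpd --daemon
alice     1204  0.1  0.4  80000 15000 pts/0    S+   10:05   0:00 vim notes.txt
"""

# Hypothetical secure baseline (assumption): daemons this host is allowed to run.
BASELINE_DAEMONS = {"sshd", "httpd"}

def daemons_from_ps(ps_output):
    """Basename of every command that looks like a daemon: its name ends in 'd'."""
    found = []
    for line in ps_output.splitlines()[1:]:   # skip the header row
        fields = line.split(None, 10)         # COMMAND is the 11th column
        if len(fields) < 11:
            continue
        name = fields[10].split()[0].rsplit("/", 1)[-1]
        if name.endswith("d") and name not in found:
            found.append(name)
    return found

def unexpected_daemons(ps_output, baseline=BASELINE_DAEMONS):
    """Running daemons the baseline does not permit: candidates to disable."""
    return [d for d in daemons_from_ps(ps_output) if d not in baseline]

def classify_socket(sock):
    """Split an 'ip:port' socket string and label the port range (IANA ranges)."""
    m = re.fullmatch(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})", sock)
    if not m:
        raise ValueError(f"not an IPv4 socket: {sock!r}")
    ip, port = m.group(1), int(m.group(2))
    if port > 65535:
        raise ValueError(f"port out of range: {port}")
    if port <= 1023:
        label = "well-known"
    elif port <= 49151:
        label = "registered"
    else:
        label = "dynamic/private"
    return ip, port, label

if __name__ == "__main__":
    print(unexpected_daemons(PS_AUX_SAMPLE), classify_socket("192.168.2.1:80"))
```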

Least Functionality

Secure Configurations

Trusted Operating System

Application Whitelisting / Blacklisting

Disable Default Accounts / Passwords

Peripherals

Wireless keyboards

Wireless mice

Displays

WiFi-enabled SD cards

Printers / MFDs

Storage

Digital Cameras

Sandboxing

Environments

Development

Test

Staging

Production

Secure Baseline

Integrity Measurement