Security+ Domain 3.0: Secure Systems Design and Deployment: Chapter 12

Chapter 12: Secure Systems Design and Deployment

System Security is our initial set of best practices. It includes:

    • Disabling non-essential systems and services
    • Hardening operating systems by
      • Applying updates and
      • Securing file systems
    • Hardening applications by
      • Hardening servers (daemons or services) and
      • Hardening data stores
    • Hardening networks through
      • Firmware upgrades and
      • Secure network configuration

Hardware / Firmware Security

Firmware upgrades

Computers, routers and other network equipment store fixed firmware in ROM modules, including:

  • Erasable Programmable Read-Only Memory (EPROM)
  • Electrically Erasable Programmable Read-Only Memory (EEPROM)

Computer manufacturers (such as Dell), chipset manufacturers (such as Intel) and router manufacturers (such as Cisco) frequently issue firmware updates. The system administrator is responsible for knowing about and implementing these updates.

Cisco routers in particular must be carefully updated. More than one bad update has been issued by Cisco, but Cisco users will still have to do their best to keep up-to-date.

FDE / SED

TPM

HSM

UEFI / BIOS

Secure Boot and Attestation

Supply Chain

Hardware Root of Trust

EMI / EMP

Operating Systems

Patch Management

In Windows:

        • Service Packs are cumulative sets of updates
        • Hotfixes are single-issue fixes, typically correcting software problems, not security issues
        • Patches are software updates, often to correct security problems

Popular patch management systems for Windows are Windows Update Services (for standalone computers), Microsoft Operations Manager (MOM, formerly known as Software Update Services, SUS, and by other names), and the Shavlik family of security/patch management tools.

In Linux:

        • Patches typically require re-compiling software, or performing an upgrade installation of binary software distributions

          Red Hat provides update services through the Red Hat Network update system.

Disabling Unnecessary Ports and Services

In Windows, view Services:
Start > Settings > Control Panel > Administrative Tools > Services
or
the msconfig command from Start > Run
or
the services.msc command from Start > Run

Visit www.microsoft.com/technet or www.BlackViper.com for discussion of any services with which you’re not familiar.
Note that services can be Automatic, Manual or Disabled.

Probably the single most dangerous service is UPnP, Universal Plug-and-Play. Unless you have a specific, compelling reason to enable this, disable it.

Service names and display names in the Services applet are not always the same.

In Linux, view processes with:

ps aux

Generally, services are processes whose names end with a “d” (for “daemon”), e.g. httpd.

Services, Port Numbers and Sockets:

The combination of an IP address and a port number is a socket (e.g. 192.168.2.1:80).
Most ports are available to both TCP and UDP.
A total of 65,535 ports are available.
The first 1,023 are called the “well-known port numbers.”
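
The following Python example is an addition to these notes, not part of the original material. It applies the ideas above to a Linux host: it parses a socket listing in the layout printed by ss -tuln, compares each protocol/port pair with an approved baseline, and marks well-known ports and UPnP discovery (SSDP, UDP port 1900). The sample listing and the baseline are constructed for illustration.

```python
import ipaddress

# Constructed sample in the column layout of `ss -tuln`; not captured from a real host.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511    192.168.2.1:80     0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:631      0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:1900       0.0.0.0:*
tcp   LISTEN 0      128    [::]:8080          [::]:*
"""

# Hypothetical approved baseline: (protocol, port) pairs this host is meant to expose.
BASELINE = {("tcp", 22), ("tcp", 80)}
WELL_KNOWN_MAX = 1023      # upper bound of the well-known range given in the notes
UPNP_SSDP = ("udp", 1900)  # SSDP, the discovery protocol used by UPnP

def parse_sockets(text):
    """Yield (proto, ip, port) for each socket line in the listing."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header or unrelated line
        host, _, port = fields[4].rpartition(":")  # rpartition copes with IPv6 colons
        if not port.isdigit():
            continue
        yield fields[0], host.strip("[]"), int(port)

def audit(text, baseline=BASELINE):
    """Return (proto, ip, port, notes) for every socket missing from the baseline."""
    findings = []
    for proto, host, port in parse_sockets(text):
        if (proto, port) in baseline:
            continue
        try:
            loopback = ipaddress.ip_address(host).is_loopback
        except ValueError:
            loopback = False  # e.g. "*" wildcard: treat as reachable from the network
        notes = ["UPnP/SSDP"] if (proto, port) == UPNP_SSDP else []
        if port <= WELL_KNOWN_MAX:
            notes.append("well-known port")
        notes.append("loopback only" if loopback else "network reachable")
        findings.append((proto, host, port, notes))
    return findings

if __name__ == "__main__":
    for proto, host, port, notes in audit(SAMPLE_SS):
        print(f"REVIEW {proto} {host}:{port} ({', '.join(notes)})")
```

Each line reported is a socket to justify and add to the baseline, or a service to disable.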

Least Functionality

Secure Configurations

Trusted Operating System

Application Whitelisting / Blacklisting

Disable Default Accounts / Passwords

Peripherals

Wireless keyboards

Wireless mice

Displays

WiFi-enabled SD cards

Printers / MFDs

Storage

Digital Cameras

Sandboxing

Environments

Development

Test

Staging

Production

Secure Baseline

Integrity Measurement