Domain 8 Overview and Hardening the System
Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or
Already have an account? Sign In »
Time
15 hours 43 minutes
Difficulty
Advanced
CEU/CPE
16
Video Transcription
00:00
>> Okay folks, I don't know how this happened,
00:00
but somehow some way we have
00:00
gone through seven domains
00:00
and they are only eight to go through,
00:00
so look at us, we are here at the last domain.
00:00
The last domain covers Software Development Security.
00:00
There's a lot of good information in here
00:00
when it comes right down to it and when you ask,
00:00
where are the flaws?
00:00
They're in our software.
00:00
Its not the fault of the developers,
00:00
its the fault of the process not having good,
00:00
secure design processes in place.
00:00
We're going to talk about what it
00:00
takes to make a secure design process,
00:00
some of the considerations,
00:00
we'll talk about a couple of
00:00
architectures that are used to develop software,
00:00
various secure technologies,
00:00
we'll look at OWASP's Top 10,
00:00
and secure database design,
00:00
and last but not least, we'll examine malware.
00:00
We're going to begin
00:00
this section with hardening the system.
00:00
When we talk about hardening the system,
00:00
we're going to focus on not just hardening the system,
00:00
but also hardening the software
00:00
>> that runs on the system.
00:00
>> When we talk about that,
00:00
we're just talking about securing.
00:00
We're going to remove any of
00:00
those elements that are not necessary,
00:00
that might introduce security vulnerabilities.
00:00
Reducing the attack surface.
00:00
Many different vendors out
00:00
there choose ease of use over security.
00:00
Nobody really wants to be known
00:00
as the operating system that's
00:00
hard to manage or
00:00
that application that's tough to operate,
00:00
ease of use sells.
00:00
When we talk about focusing in on ease of use,
00:00
the easiest thing for users is,
00:00
here's everything you could ever want, click here.
00:00
Now, unfortunately,
00:00
that doesn't make for a secure environment,
00:00
and what that leaves us with is
00:00
a very large attack surface.
00:00
When we're talking about reducing the attack surface,
00:00
what we're trying to do is get rid of
00:00
things that aren't necessary.
00:00
When we're talking about that
00:00
specifically with software,
00:00
if we were talking about that for a system,
00:00
we'd say we're going to remove protocols we don't need,
00:00
we're going to make sure there's
00:00
no additional hardware like modems,
00:00
network cards that aren't in use that aren't necessary,
00:00
we're going to make sure
00:00
the various elements of the system are locked down.
00:00
With software, it's the same idea.
00:00
In reducing the attack surface of software,
00:00
one of the ways that software gets corrupted,
00:00
modified, compromised is by the user, we know that.
00:00
Input fields where we allow the user to input
00:00
data that the application's going to
00:00
use or that's going to go into a back-end database,
00:00
we need to limit that.
00:00
We want to limit the number of user input fields,
00:00
and we want to use input validation
00:00
to control what can go into those fields.
00:00
Now, within our operating systems,
00:00
what protocols were supported?
00:00
Most Windows systems are running
00:00
a dual stack of IPv4 and IPv6,
00:00
so do we need them both?
00:00
Are we on an IPv6 network,
00:00
we don't need IPv4 or vice versa?
00:00
I mentioned also a lot of services
00:00
>> are there by default.
00:00
>> I remember with earlier versions
00:00
of Windows client software,
00:00
they came with a web server product
00:00
installed and up and running and ready to go.
00:00
We just want to make sure,
00:00
I'm not going to read every one of these,
00:00
but we want to make sure that what's not
00:00
essential to the baseline function of the application,
00:00
that that's not included or
00:00
that's not running by default.
00:00
It's usually better to let customers
00:00
choose what add-ins they
00:00
want to install, what additional functions.
00:00
It's the idea of the difference between having a house
00:00
with all the doors open or
00:00
a house with all the doors closed,
00:00
its more secure to close all the doors and
00:00
then let the customers open the doors that they need.
00:00
Just some ideas here with securing software,
00:00
reducing the attack surface means
00:00
removing anything that might be especially vulnerable,
00:00
particularly if there's not
00:00
a business demand or business
00:00
need to have that element present.
Up Next
Instructed By
Similar Content
