Welcome to Cyber Aires video Siris on the cop T I. A. Security plus 5 +01 Certification and exam.
I'm your instructor. Round Warner.
A security professional needs to be able to design a secure network and the systems that reside on it.
In this video, I'll review the Security plus section 3.3.
Given a scenario, implement Secure Systems Design. Designing with the systems on the network is closely related to the previously discussed Secure Network architecture.
The idea is to build security into network systems to make it resilient, reliable and robust.
In this video, recovering the following topics relating to implementing secure systems, designed
hardware and firmware security
operating system types, as well as best practices for securing that operating system
and, lastly, peripheral devices,
I'll start this topic with hardware and firmware security.
Security begins at the hardware level. It's part of that layered approach.
You can think of it as the base for security building from the ground up.
A common method for securing hardware is through encryption off the hard drives.
In other videos, I will discuss encryption at length, including various algorithms.
At this point, we were simply interested in the applications of cryptography on hardware systems.
The first type you should be aware of is full disk encryption f D E.
It's encrypting the entire disc rather than a specific file or folder.
This is recommended for full security of the system. So if a laptop goes lost or get stolen, little disc is encrypted, so no one read the contents of that hard drive.
Windows, beginning with Windows seven, offers bit locker on the professional and higher versions of its operating systems.
There are also other open source encryption solutions, such as Vera *** that allow you to encrypt your entire drive.
This provides seamless and invisible encryption for the end user,
but providing that needed level of security at the hardware level.
A self encrypting drive or S C. D has the controller chip built into it that automatically encrypt the drive and decrypt it, Providing the proper password is entered.
The encryption key used in STDs is called the media encryption key.
Locking and unlocking a drive requires another key, called the key encryption key supplied by the user.
The CAC Key Encryption key is used to decrypt the mech, which is in turn, what encrypts and decrypt the drive,
continuing our conversation on hardware and firmware security. I'll discuss trusted platform modules, T P M's and hardware security modules. HS EMS
Trusted platform modules. TPM are dedicated processors that that use cryptographic keys to perform a variety of tasks.
For example, they could be used to authenticate devices. T PM's could also be used to facilitate facilitate full disk encryption. F d E.
Usually a T P M. Will be on the motherboard of the computer.
Apparent Contrast Hardware security modules HS EMS,
their devices that handle digital keys. They could be used to facilitate encryption as Willis authentication via digital signatures.
Most HSM support tamper resistant mechanisms.
There are additional methods for securing base hardware and firmware associated with our computing systems. In addition to securing the drives, the system's bios or you'II fi,
it must also be secured bios. Basic input Output system
was older method for handling the boot up information for the computer
Unified extensible firmware interface. You e f I. U E. V is more modern technique
while you if he has a number of newer and better features compared to bios, they both have the same basic purpose to store information that the computer needs when booting up.
For this reason, you should always ensure that access to either the bios are you evey is password protected.
Look at this way. When you're booting up a computer, you can often hit an F key of 10 or F 12
automatically go into the BIOS. This could be a way to corrupt the computer system
if I have actual hands on the hardware device.
Another method to consider is secure boot.
It is a process whereby the BIOS for Yueh Fei
makes a cryptographic hash of the operating system boot loader and any boot drives and compares that against the stored hash. We'll talk about hashing in future videos.
This is done to prevent root kits and boot sector viruses.
The stored hash is often protected or encrypted by a T. P. M.
Another option is to store the hash and some secure server remotely from the computer being protected.
This leads to a remote at the station.
Another aspect of secure systems design is the root of trust. R O T
root of trust is a security process that has to begin with some unchangeable hardware identity often stored in a T P m.
Even from this confirmed identity, each layer of the system, starting with the BIOS for Yueh fei on the operating system and beyond, is validated
upon startup to ensure that no tampering has occurred.
Last topic on the slide is supply chain,
making sure the hardware itself is secure from wherever you may purchase. The hardware we talk about supply chain security further in other videos, review the different ways of securing hardware and firmware to protect your base operating system as well. A CZ devices themselves.
Our next topic in section 3.3 is operating system types.
You'll see operating systems on any type of device. Sometimes it's embedded within the firmware
worth one that you can install yourself. There are network operating system, so Cisco Devices uses their own Cisco operating system. Paulson on his IOS
servers have operating systems Windows Server 2012 2016
numerous types of Lennox servers as well. Susie Red Hat as examples,
should be familiar with workstation operating systems. All the different Windows variants, Mac OS and again, Lennox
appliances. I o. T. They also have a base, maybe minimal operating system.
We should be aware if it's an embedded system. Sometimes they'll use an older operating system, even Windows X p
a kiosk, he asked. Computers will also be using a base operating system
that needs to be locked out from anyone using that kiosk computer, whether it's an airport, hotel, et cetera,
and then mobile operating systems tablets smartphones. So Android has their variety of operating systems. Apple has their IOS on Lee to be maintained and secured. We'll talk about ways to secure these different types of OS is
under screen, or typical methods for securing operating systems. Will review each of these in more detail coming slides, but use this almost like a checklist.
I also encourage you to refer to the baselines talked about in an earlier video. Say the Stig's were the ones from the center from in Internet security, also providing lists of ways to secure operating systems.
Let me talk about some of these in little more detail.
One of the most effective ways to prevent an attacker from exploiting software bugs is to keep the latest manufacturers patches and service packs applied,
as well as monitor the Web for new vulnerabilities.
Improperly program software could be exploited, their vulnerable
software exploitation is a method for searching for specific problems, weaknesses or security holes and software could and then taking steps to exploit it.
We need to ensure systems are patched
to reduce the effects of those vulnerabilities.
Refer to your screen for the different definitions associated with patch management.
Some of them are seen as synonymous.
For example, a patch is a set of changes to a computer program or supporting data designed, update, fix or improve it.
This includes fixing security vulnerabilities or other types of bugs.
Contrast this with the hot fix, usually just a quick patch to fix a very specific problem.
A service pack is a collection of hot fixes that have been combined
and distributed, usually by the vendor.
Updates provide more comprehensive improvements for features, additional security or as software enhancements and compatibility
grades. Going to a new version of the operating system, software or application software.
You should have a robust patch management system within your organizations. The more you can automate your patch management make it invisible to the end user. More seamless it is, and the more security your systems will have
when you're stalling a new operating system you should take steps to harden or secure. It
includes developing your own secure baselines, as mentioned earlier videos from Stig's or from C. I s where you set your security on a gold image. This is a master image that you have safe.
Don't let anyone touch it, and then you use that to re image computers, whether it's servers or operating systems.
You can also use trusted operating systems, these air ones that are pre built safe from the National Security Agency
that are known to be secure and trusted.
Another aspect of operating system security is that least functionality
don't put too many applications on a particular server. Go with a single function, for example, of VPN device on Lee Does VPN
Web Server on Lee Does Webb
least functionality That way, If I'm able to infiltrate your Web server, I can't take advantage of other applications.
Last concept for this slide is application wait, listing and blacklisting
white listing. You have the only list of Onley applications that are allowed,
and you restrict it based on that least functionality
or application blacklisting. Where it's the list of the applications that are not allowed to be installed were used on the systems
application, wait, listing and blacklisting great way to restrict the use of operating system and provide that additional layer of security.
Other methods for securing operating systems include disabling default accounts. Say, for example, on Windows comes with the guest account
making sure it's disabled,
changing account names so changing the administrator account i D. On the Windows system. Talk about how to do that in a different video.
Also, consider doing this on your routers and switches. They often come with a default i D that can either be disabled or changed
ports, and service is our ins and outs for your computer system. You want to disable any unnecessary ports or service is this goes along with that least privilege least functionality concept I just talked about.
There are over 65,000 TCP and new DP ports.
Ports are divided into three range is well known ports, registered ports and dynamic ports review this concept. If you're not familiar with it,
what you want to do is lock down at the port level. You can do this through firewalls or other methods on the operating system.
On Lee, the ports that are needed for use by those applications on the operating system.
On your screen,
you have listed a few common, well known ports. I recommend you learn about different, well known ports and memorize a few for the security plus example. For example, H g h T T P is Port 80 https port +443 and so on.
Onley. Allow the ports that are needed for the functionality of that particular operating system or a server.
Great simple way for additional operating system hardening.
My last topic for this section is about peripherals.
These are devices you attached to your operating systems. Could be keyboards, mice displays,
micro SD cards or other storage like USB thumb drives
Attaching a mobile device
concept that I've seen some organizations do is they block the attachment of peripherals except for those on a specific white list.
This is a part of data leakage protection.
This isn't always a capability for many organizations,
something to consider with wireless keyboards and mice that I've seen is make sure there's no interference, have actually seen it where organization people had
the same type of wireless keyboards and mice, and it would interfere with each other, and a person actually thought someone was hacking her system. No, it was just someone else. Using a wireless keyboard of the same manufacturer,
securing printers, multifunction devices,
printers and M FDs. Our Web servers may not realize this. They allow a Web interface, so they should be locked down as needed based on the wrist. For your organizations.
Review the different peripherals within your company within your home
and determine the best level of security because they could be an avenue in
to breaching your organization.
Let's practice this topic with a simple quiz question.
Alice is a C. I. S O for a financial institution.
She wants to make sure all laptop hard drives are automatically encrypted.
What tool can she use?
The answer is
Bit Locker provides that transparent data encryption on systems
Security Plus also provides a lab to give you hands on experience with secure systems design.
The one on the screen talks about encryption and hashing, where you learn about full disk encryption using bit locker and are able to manage security for removable devices.
This could be a great way for you to gain some practical hands on experience with transparent data encryption.
This concludes section 3.3 where I discussed
implementing secure systems design.
Refer to your study notes for more information on this topic.