CompTIA® Security+ Exam Notes : Implementing Secure Systems Design

3. Architecture and Design

3.3 Given a scenario, implement secure systems design

Hardware and Firmware Security:

Hardware Security Modules (HSMs) are devices that handle digital keys. They can be used to facilitate encryption as well as authentication via digital signatures. Most HSMs support tamper-resistant mechanisms. A hardware security module uses RSA keys, but not a storage root key.

The process of securing a computer system is called hardening. There are several things that one needs to remember when hardening a PC. These include:

1. Removing non-essential programs and services. These may provide back-doors for an attacker.

2. Installing an anti-virus package and a spyware remover.

3. Removing unnecessary protocols. If you are using only TCP/IP (required for connecting to the Internet), keep that protocol and remove all other protocols.

4. Disabling the guest account.

5. Renaming the Administrator account.

6. Enabling auditing, so that you can view any logon attempts.

7. Installing the latest patches and service packs for the operating system and software.

Instant Messaging (IM): IM, unless otherwise encrypted, transmits all messages in clear text. This makes IM vulnerable to sniffing. Additionally, several IM clients come with advanced features like File Transfer. Such features may allow a hacker to gain access to your system, and transmit viruses.

Application hardening is the process of applying the most recent patches and bug fixes to make applications more robust, thus discouraging an attacker from exploiting bugs in the application.

Disabling the use of removable media such as USB drives will prevent data from being stolen to some extent.

To detect spamware and viruses, one needs to install anti-spamware and anti-virus programs. Installing the latest updates to the operating system will protect your system from exploits (like gaining back-door entry), but not necessarily from downloaded viruses or spamware.

Example: A company has 10 staff working on hourly wages at a rate of $50 per hour. The systems are not virus protected, and the company is contemplating an anti-virus package that costs $1000 per year. It is estimated that 50% of the systems fail and the average restoration time is 6 hours. If the company implements the anti-virus solution, what are the expected savings per year?

Solution: The number of machines that are likely to need restoration: 5 (50% chance of getting infected)

Average time for restoration per machine: 6 hours

Manpower cost per hour: $50

Total cost for restoration: 5 × 6 × $50 = $1500.

Cost of anti-virus software: $1000

Therefore net savings: $1500 - $1000 = $500.

Example: You want to prevent the computer users from copying any data to external removable storage media. You have disabled floppy disk drives, and ensured that the computers are configured with read-only DVD drives. What further do you need to do to achieve the objective?

Solution: The objective is to prevent the users from copying the computer files to any removable storage media. The floppy disk is already removed, and the CD/DVD drives are made read-only. Therefore, you need to disable all USB ports in the system BIOS and then password protect the system BIOS. If not password protected, users may enable the USB ports again.

1. You should not disable the hard disk drive in the system BIOS. This may result in the computer not booting up.

2. Flashing is the method used to update the BIOS, and is not necessary unless otherwise required.

3. If you disable hard drive controllers, the hard disk stops working. Again, this may result in the hard disk not working at all.

Given below are some of the precautions that may be required to secure the local network resources:

1. Rename default accounts so that blind attacks will not succeed

2. Use strong passwords and change passwords periodically

3. Secure the server rooms with lock and key

4. Use strong encryption for user names and passwords

Note that disabling local admin access is not an option because your manager wants to administer the servers locally. Anti-virus software will not protect a server from unauthorized login.

TPM (Trusted Platform Module): TPM is a computer chip (microcontroller) that can securely store artifacts used to authenticate the platform (your PC or laptop). A Trusted Platform Module (TPM) includes a storage root key. The TPM generates this key when a user activates the TPM.

NT File System (NTFS): NTFS supports encryption with Encrypting File System (EFS). However, it is a software-based encryption system. TPM is a hardware chip on the computer's motherboard that stores cryptographic keys used for encryption. Many laptop computers include a TPM, but if the system doesn't include it, it is not feasible to add one. The TPM includes a unique RSA key burned into it, which is used for asymmetric encryption. Additionally, it can generate, store, and protect other keys used in the encryption and decryption process. TPMs can also be used to facilitate FDE.


A hardware security module (HSM) and a Trusted Platform Module (TPM) both provide full disk encryption, but cannot block documents sent to a printer or an external network.

Application whitelisting/blacklisting

Whitelisting identifies what software (applications) can be installed on a computer (or a server or any mobile device) and prevents users from installing or running any other software.

The converse of whitelisting is blacklisting. Blacklisting identifies which software/applications should not be installed on a system.

Full disk encryption (FDE): FDE is encrypting the entire disk, rather than a specific file or folder. This is recommended for full security of the system. Microsoft, beginning with Windows 7, offers BitLocker on the professional and higher versions of its operating system.

Self-Encrypting Drive (SED): SED has a controller chip built into it that automatically encrypts the drive and decrypts it, provided the proper password is entered. The encryption key used in SEDs is called the media encryption key (MEK). Locking and unlocking a drive requires another key, called the key encryption key (KEK), supplied by the user. The KEK is used to decrypt the MEK, which in turn is what encrypts and decrypts the drive.
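The KEK/MEK hierarchy described above, as an added example that is not part of the original notes: it shows that changing the password only re-wraps the MEK, so the data on the drive is never re-encrypted. Assumptions: the KEK is derived from a password with PBKDF2, an HMAC-SHA256 keystream stands in for the drive's hardware cipher so that only the Python standard library is needed, and all function names are hypothetical.

```python
import hashlib
import hmac
import os

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter keystream (stand-in for the drive cipher)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def derive_kek(password: str, salt: bytes) -> bytes:
    """KEK from the user's password (PBKDF2 is an assumption of this sketch)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def wrap_mek(kek: bytes, mek: bytes) -> bytes:
    """Encrypt the MEK under the KEK and append an integrity tag."""
    nonce = os.urandom(16)
    body = nonce + keystream_xor(kek, nonce, mek)
    return body + hmac.new(kek, b"tag" + body, hashlib.sha256).digest()

def unwrap_mek(kek: bytes, blob: bytes) -> bytes:
    """Recover the MEK; a wrong KEK fails the tag check and the drive stays locked."""
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, b"tag" + body, hashlib.sha256).digest()):
        raise ValueError("wrong KEK: drive stays locked")
    return keystream_xor(kek, body[:16], body[16:])

def change_password(blob: bytes, salt: bytes, old: str, new: str) -> bytes:
    """Re-wrap the same MEK under a new KEK; no user data is re-encrypted."""
    return wrap_mek(derive_kek(new, salt), unwrap_mek(derive_kek(old, salt), blob))

def demo():
    salt, mek, sector_nonce = os.urandom(16), os.urandom(32), os.urandom(16)
    blob = wrap_mek(derive_kek("old-pass", salt), mek)              # stored on the drive
    sector = keystream_xor(mek, sector_nonce, b"payroll records")   # constructed data
    blob = change_password(blob, salt, "old-pass", "new-pass")
    unlocked = unwrap_mek(derive_kek("new-pass", salt), blob)
    plain = keystream_xor(unlocked, sector_nonce, sector)           # sector untouched
    try:
        unwrap_mek(derive_kek("old-pass", salt), blob)
        old_still_works = True
    except ValueError:
        old_still_works = False
    return plain, old_still_works

if __name__ == "__main__":
    print(demo())
```

The same structure explains why discarding the MEK makes the whole drive unreadable at once: every sector depends on that one key.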

You are configuring a computer running Windows Server 2008 R2 for use as a network email server. You want to ensure that the most recent updates have been applied to the server. What should you do?

You need to follow the manufacturer's recommendation regarding updates. Microsoft recommends that you enable automatic updates on your client as well as server operating systems so that the latest patches and fixes may be applied.

A Linux or UNIX file with the permission 755 means rwx for the owner, and r-x for the group and others. 4 = read (r), 2 = write (w), and 1 = execute (x), and each digit is the sum of the permissions granted: 7 = 4 + 2 + 1 (rwx) and 5 = 4 + 1 (r-x). In the question, the owner permission is 7, the group permission is 5 and others permission is also 5.
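The digit arithmetic above, as an added example that is not part of the original notes: it decodes any octal mode into the rwx form and lists the bits a hardening review would look at. It goes beyond the 755 case in the text by also reporting the setuid and setgid bits carried in an optional fourth digit; the function names and sample modes are constructed for illustration.

```python
import stat

def symbolic(mode: int) -> str:
    """Render the nine permission bits as owner/group/others triplets."""
    text = ""
    for shift in (6, 3, 0):                 # owner, group, others
        digit = (mode >> shift) & 0o7
        text += "r" if digit & 4 else "-"   # 4 = read
        text += "w" if digit & 2 else "-"   # 2 = write
        text += "x" if digit & 1 else "-"   # 1 = execute
    return text

def audit_mode(octal_text: str) -> dict:
    """Decode a mode such as '755' and list the bits a hardening review flags."""
    mode = int(octal_text, 8)               # raises ValueError on digits 8 or 9
    if not 0 <= mode <= 0o7777:
        raise ValueError(f"not a file mode: {octal_text}")
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    if mode & stat.S_ISUID:
        findings.append("setuid")
    if mode & stat.S_ISGID:
        findings.append("setgid")
    return {"symbolic": symbolic(mode), "findings": findings}

if __name__ == "__main__":
    for sample in ("755", "644", "777", "4755"):   # constructed sample modes
        print(sample, audit_mode(sample))
```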

Sandboxing: A sandbox refers to using software and/or hardware in a test environment. In a sandbox environment, all the machines work as usual. However, they are not yet put into actual production. Dummy loads are applied as if they were in a production environment. Tests for glitches, overload conditions and security issues are carried out, and necessary fixes may be applied during this period. It is a testing environment that isolates untested code changes and outright experimentation from the production environment.
