If you’re planning to take the Security+ SY0-501 exam, you should have a basic understanding of implementing secure systems design. This includes firmware/hardware security, operating systems, and peripherals.
For example, can you answer this question?
Q. What functions does an HSM include?
A. Reduces the risk of employees emailing confidential information outside the organization
B. Provides webmail to clients
C. Provides full drive encryption
D. Generates and stores keys used with servers
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
When implementing secure systems design, it’s also important to evaluate several hardware elements. Additionally, an organization should evaluate the supply chain. A supply chain includes all the elements required to produce a product. In secure systems design, the product is a secure system.
There have been many incidents where new computers were shipped with malware. As an example, Microsoft researchers purchased several new computers in China and found them infected with the Nitol malware. These computers were also running counterfeit versions of Windows. This helps illustrate the importance of purchasing computers from reputable sources and, where the risk warrants it, verifying the firmware and installed software before a system is put into service.
EMI and EMP
When designing systems, it’s important to consider electromagnetic interference (EMI) and electromagnetic pulse (EMP). EMI comes from sources such as motors, power lines, and fluorescent lights, and it can interfere with signals transmitted over wires. Chapter 9 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide discusses shielding that helps prevent EMI from causing problems. It’s easier to include shielding during the design process than to add it later.
EMP is a short burst of electromagnetic energy. EMP can come from a wide assortment of sources and some sources can cause damage to computing equipment. Some sources include:
- Electrostatic discharge (ESD). Basic ESD prevention practices, such as using ESD wrist straps, help prevent ESD damage.
- Lightning. Lightning pulses can go through electrical wires and damage unprotected systems. Surge protection methods, such as surge protection strips, protect electrical systems.
- Military weapons. Nuclear explosions create a large EMP that can damage electronic equipment (including embedded systems) over a large area. Some non-nuclear weapons have been designed to mimic the nuclear EMP without the nuclear explosion. Non-nuclear EMP has a smaller range than nuclear EMP, but can still damage equipment. Shielded (Faraday) enclosures are the best publicly known protection, and disconnecting equipment from long conductors such as power and network lines reduces the energy coupled into it, but you’re unlikely to have any warning before such an event.
Remember this
Secure systems design considers electromagnetic interference (EMI) and electromagnetic pulse (EMP). EMI comes from sources such as motors, power lines, and fluorescent lights and can be prevented with shielding. Systems can be protected from mild forms of EMP (a short burst of electromagnetic energy) such as electrostatic discharge and lightning.
FDE and SED
Full disk encryption (FDE) encrypts an entire disk, so that data at rest is unreadable if the drive is lost or stolen. Several applications are available to do this. For example, VeraCrypt is an open source utility that can encrypt partitions or an entire storage device. Note what FDE does not do: once a user has authenticated and the system is running, the operating system (and any malware on it) reads the data in the clear, so FDE protects against a lost or stolen drive, not against a compromised running system.
Many hardware vendors now manufacture hardware-based FDE drives. These are sometimes referred to as self-encrypting drives (SEDs). An SED includes the hardware and software to encrypt all data on the drive and securely store the encryption key. The drive’s controller generates its own data encryption key and always writes ciphertext to the media; the credential users enter when they set up the drive protects that key rather than encrypting the data directly. When users power up the system, a pre-boot prompt asks for the credential again, the controller unlocks the key, and the system boots. Because nothing is ever stored in the clear, an SED can be sanitized almost instantly by discarding the key (a cryptographic erase), after which the old ciphertext is unrecoverable.
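The key hierarchy described above, as an added example that is not part of the original post or of any drive vendor’s firmware: a Go model of an SED controller in which the data encryption key (DEK) is generated inside the drive, stored only wrapped under a key derived from the user’s credential, and replaced on a crypto-erase. The PBKDF2 cost, the "sed-dek" label, the use of AES-GCM (real drives use AES-XTS) and the sample sector contents are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// pbkdf2 is PBKDF2-HMAC-SHA256 (RFC 8018) for one 32-byte block, standard library only.
// Assumption: a real controller chooses its own KDF and cost; 100k rounds is illustrative.
func pbkdf2(password, salt []byte) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index INT(1)
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < 100000; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		subtle.XORBytes(out, out, u)
	}
	return out
}

func gcmFor(key []byte) cipher.AEAD { // keys here are always 32 bytes, so neither call can fail
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// seal and unseal are AES-256-GCM with the random nonce carried in front of the ciphertext.
func seal(key, pt, aad []byte) []byte {
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand does not fail on supported platforms
	return gcm.Seal(nonce, nonce, pt, aad)
}

func unseal(key, sealed, aad []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("nothing to decrypt")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// SED models the drive controller: the DEK is generated inside the drive and stored only wrapped.
type SED struct {
	salt, wrappedDEK []byte
	sectors          map[uint64][]byte // ciphertext at rest, keyed by logical block address
	dek              []byte            // in controller RAM only while unlocked; nil means locked
}

// CryptoErase issues a fresh DEK under the credential; old sectors stay on disk but are unreadable forever.
func (d *SED) CryptoErase(password string) {
	dek, salt := make([]byte, 32), make([]byte, 16)
	rand.Read(dek)
	rand.Read(salt)
	d.salt, d.wrappedDEK, d.dek = salt, seal(pbkdf2([]byte(password), salt), dek, []byte("sed-dek")), nil
}

// Unlock is the pre-boot prompt: derive the KEK and unwrap the DEK; a wrong credential fails GCM auth.
func (d *SED) Unlock(password string) error {
	dek, err := unseal(pbkdf2([]byte(password), d.salt), d.wrappedDEK, []byte("sed-dek"))
	if err != nil {
		return errors.New("authentication failed")
	}
	d.dek = dek
	return nil
}

// Write binds the LBA in as AAD so a sector copied elsewhere is rejected on read (tamper detection).
func (d *SED) Write(lba uint64, data []byte) error {
	if d.dek == nil {
		return errors.New("drive locked")
	}
	d.sectors[lba] = seal(d.dek, data, binary.BigEndian.AppendUint64(nil, lba))
	return nil
}

func (d *SED) Read(lba uint64) ([]byte, error) {
	if d.dek == nil {
		return nil, errors.New("drive locked")
	}
	return unseal(d.dek, d.sectors[lba], binary.BigEndian.AppendUint64(nil, lba))
}

func main() {
	d := &SED{sectors: map[uint64][]byte{}}
	d.CryptoErase("correct horse battery staple") // constructed sample credential
	fmt.Println("wrong credential:", d.Unlock("hunter2"), "| right credential:", d.Unlock("correct horse battery staple"))
}
```

A wrong credential fails the GCM authentication check on the wrapped DEK and reveals nothing about it, reads while locked are refused, a sector copied to another LBA fails to decrypt, and after CryptoErase the old sectors are unreadable even though their ciphertext was never touched. Powering off corresponds to dropping d.dek.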
UEFI and BIOS
The Basic Input/Output System (BIOS) is the software that gives a computer its first instructions on how to start. It runs some basic checks, locates the operating system, and hands control to it. The BIOS is often referred to as firmware: software stored in a non-volatile chip on the motherboard that you can physically see and touch. The combination of the chip and the software it holds is firmware.
Newer systems use Unified Extensible Firmware Interface (UEFI) instead of BIOS. UEFI performs many of the same functions as BIOS, but provides some enhancements. As an example, it can boot from larger disks and it is designed to be CPU-independent. UEFI also supports Secure Boot, which checks the digital signature of the boot loader before running it and refuses to boot unsigned or tampered code.
Both BIOS and UEFI can be upgraded using a process called flashing. Flashing overwrites the software within the chip with newer software. Because that software runs before the operating system, a tampered or malicious image survives OS reinstalls and is invisible to OS-level security tools, so flash only vendor-signed updates and prefer firmware that verifies an update’s signature before writing it.
Hardware Security Module
A hardware security module (HSM) is a security device you can add to a system to manage, generate, and securely store cryptographic keys. High-performance HSMs are external devices connected to a network using TCP/IP. Smaller HSMs come as expansion cards you install within a server, or as USB devices you plug into a computer.
Like a TPM, an HSM provides a hardware root of trust for keys: a private key is generated inside the device and is used there, so applications can sign or decrypt with it but never read it. Secure boot and remote attestation of the host, however, are TPM functions; an HSM protects application keys rather than measuring the platform.
One of the noteworthy differences between an HSM and a TPM is that HSMs are removable or external devices. In comparison, a TPM is a chip embedded into the motherboard. You can easily add an HSM to a system or a network, but if a system didn’t ship with a TPM, adding one later is rarely feasible (some motherboards have a header for a TPM module, but most don’t). Both HSMs and TPMs keep RSA (and, on newer devices, ECC) keys in tamper-resistant hardware and perform the cryptographic operations internally, so the private keys are never exposed to the operating system. Many high-performance servers use HSMs to store and protect keys.
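An added example, not from the original post or from any HSM or firmware vendor, covering both the flashing caveat in the UEFI and BIOS section and the HSM property described here. The HSM generates an RSA key internally and exposes only a label and a signing operation (there is no export call), and the firmware update routine verifies the image’s signature against a vendor key pinned at manufacture before overwriting anything. The image layout (body followed by an RSA-PSS signature), the key label and the sample image contents are assumptions of the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// HSM models the property that matters for key protection: private keys are generated inside
// the device and never leave it. Callers get an opaque label and ask the device to sign.
type HSM struct {
	keys map[string]*rsa.PrivateKey // private material exists only here; there is no export call
}

func NewHSM() *HSM { return &HSM{keys: map[string]*rsa.PrivateKey{}} }

// GenerateKey creates an RSA key pair inside the HSM; the caller learns only that the label exists.
func (h *HSM) GenerateKey(label string, bits int) error {
	if _, taken := h.keys[label]; taken {
		return errors.New("label already in use")
	}
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return err
	}
	h.keys[label] = key
	return nil
}

// PublicKey is the only key material the device hands out.
func (h *HSM) PublicKey(label string) (*rsa.PublicKey, error) {
	key, ok := h.keys[label]
	if !ok {
		return nil, errors.New("no such key")
	}
	return &key.PublicKey, nil
}

// Sign computes RSA-PSS over SHA-256(message) inside the device.
func (h *HSM) Sign(label string, message []byte) ([]byte, error) {
	key, ok := h.keys[label]
	if !ok {
		return nil, errors.New("no such key")
	}
	digest := sha256.Sum256(message)
	return rsa.SignPSS(rand.Reader, key, crypto.SHA256, digest[:], nil)
}

// SignedImage is what a vendor's release pipeline produces: the firmware body with the HSM's
// signature appended. Assumed layout for this example: body || RSA-PSS signature.
func SignedImage(h *HSM, label string, body []byte) ([]byte, error) {
	sig, err := h.Sign(label, body)
	if err != nil {
		return nil, err
	}
	return append(append([]byte(nil), body...), sig...), nil
}

// Flash models the firmware chip. The vendor's public key is pinned at manufacture and is not
// part of the updatable image, so an update cannot replace the key that checks the next update.
type Flash struct {
	vendorKey *rsa.PublicKey
	contents  []byte
}

// Update verifies the signature over the whole body before a single byte is overwritten.
func (f *Flash) Update(image []byte) error {
	sigLen := f.vendorKey.Size()
	if len(image) <= sigLen {
		return errors.New("image too short to carry a signature")
	}
	body, sig := image[:len(image)-sigLen], image[len(image)-sigLen:]
	digest := sha256.Sum256(body)
	if err := rsa.VerifyPSS(f.vendorKey, crypto.SHA256, digest[:], sig, nil); err != nil {
		return errors.New("refusing to flash: signature verification failed")
	}
	f.contents = append([]byte(nil), body...)
	return nil
}

func main() {
	vendor := NewHSM()
	vendor.GenerateKey("fw-signing", 2048)
	pub, _ := vendor.PublicKey("fw-signing")
	rom := &Flash{vendorKey: pub, contents: []byte("uefi-1.0")} // constructed sample firmware
	image, _ := SignedImage(vendor, "fw-signing", []byte("uefi-1.1"))
	fmt.Println("genuine update:", rom.Update(image), "now running", string(rom.contents))
	image[0] ^= 1 // one byte flipped after signing
	fmt.Println("tampered update:", rom.Update(image), "still running", string(rom.contents))
}
```

The release pipeline never handles the private key; it only calls Sign through the label. A flipped byte in the image, or an image signed by a second HSM whose key the chip does not trust, fails verification and leaves the existing firmware in place.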
Remember this
A hardware security module (HSM) is a removable or external device that can generate, store, and manage RSA keys used in asymmetric encryption. Many server-based applications use an HSM to protect keys.
Q. What functions does an HSM include?
A. Reduces the risk of employees emailing confidential information outside the organization
B. Provides webmail to clients
C. Provides full drive encryption
D. Generates and stores keys used with servers
Answer is D. A hardware security module (HSM) is a removable device that can generate and store RSA keys used with servers for data encryption.
A data loss prevention (DLP) system can reduce the risk of employees emailing confidential information outside the organization.
Software as a Service (SaaS) provides software or applications, such as webmail, via the cloud.
A Trusted Platform Module (TPM) is a chip that stores the keys used for full disk encryption (by BitLocker, for example) and is included in many laptops; it protects the keys but does not itself encrypt the drive.
See Chapter 5 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on securing hosts and data.