This section focuses on the capabilities of specific computing components. Thus, it isn’t a section where hands-on experience can give you an advantage. Some of these components are discussed in other sections, sometimes in more detail. Ensure that you are familiar with all the information in this section. For any topic in this section that is new to you, plan to dive deeper into the topic outside of this study guide.
- Memory protection. At any given time, a computing device might be running multiple applications and services. Each one occupies a segment of memory. The goal of memory protection is to prevent one application or service from impacting another application or service. There are two popular memory protection methods:
- Process isolation. Virtually all modern operating systems provide process isolation, which prevents one process from impacting another process.
- Hardware segmentation. Hardware isolation is stricter than process isolation; the operating system maps processes to dedicated memory locations.
- Virtualization. In virtualized environments, there are special considerations to maximize security. The goal is to prevent attacks on the hypervisors and ensure that a compromise of one VM does not result in a compromise of all VMs on the host. Many organizations choose to deploy their high-security VMs to dedicated high-security hosts. In some cases, organizations have teams (such as the team responsible for identity and access management) manage their own virtualization environment to minimize the chances of an internal attack.
- Trusted Platform Module. A Trusted Platform Module (TPM) is a cryptographic chip that is sometimes included with a client computer or server. A TPM expands the capabilities of the computer by offering hardware-based cryptographic operations. Many security products and encryption solutions require a TPM. For example, BitLocker Drive Encryption (a built-in volume encryption solution) requires a TPM to maximize the security of the encryption.
- Interfaces. In this context, an interface is the method by which two or more systems communicate. For example, when an LDAP client communicates with an LDAP directory server, it uses an interface. When a VPN client connects to a VPN server, it uses an interface. For this section, you need to be aware of the security capabilities of interfaces. There are a couple of common capabilities across most interfaces:
- Encryption. When you encrypt communications, a client and server can communicate privately without exposing information over the network. For example, if you use encryption between two email servers, then the SMTP transactions are encrypted and unavailable to attackers (compared to a default SMTP transaction which takes place in plain text). In some cases, an interface (such as LDAP) provides a method (such as LDAPS) for encrypting communication. When an interface doesn’t provide such a capability, then IPsec or another encrypted transport mechanism can be used.
- Signing. You can also sign communication, whether or not you encrypt the data. Signing communications tells the receiver, without a doubt, who the sender (client) is. This provides non-repudiation. In a highsecurity environment, you should strive to encrypt and sign all communications, though this isn’t always feasible.
- Fault tolerance. Fault tolerance is a capability used to keep a system available. In the event of an attack (such as a DoS attack), fault tolerance helps keep a system up and running. Complex attacks can target a system, knowing that the fallback method is an older system or communication method that is susceptible to attack.