Vocabulary flashcards covering key terms and definitions from the lesson on hosting security solutions (secure firmware, endpoint security, and embedded/IoT security).
Hardware Root of Trust (RoT)
A secure hardware subsystem that provides attestation, enabling the system to prove its integrity to a verifier (e.g., NAC) by signing reports about boot metrics and OS files.
Attestation
A trusted statement about a system's state (e.g., boot integrity) that a receiver can verify using trusted keys.
Trusted Platform Module (TPM)
A hardware-based cryptoprocessor that stores encryption keys, hashed data, and identifiers; supports attestation and key management for secure boot and disk encryption.
Endorsement Key
A unique, unchangeable asymmetric private key embedded in the TPM used to create subkeys for storage, signing, and encryption.
Owner (in TPM context)
An administrative identity that can take ownership of the TPM, potentially destroying and regenerating its subkeys.
KMIP (Key Management Interoperability Protocol)
A protocol for centrally provisioning and managing cryptographic keys in enterprise environments.
NAC (Network Access Control)
A server/system that enforces security policy by validating the trust state of devices attempting to join the network.
Secure Boot
UEFI feature that verifies the OS boot loader and kernel with vendor certificates to prevent unsigned or altered boot components from loading.
UEFI (Unified Extensible Firmware Interface)
Firmware interface that oversees boot processes and can enforce boot integrity checks using certificates.
Measured Boot
Boot process using TPM platform configuration registers (PCRs) to detect changes in boot firmware, boot loaders, kernel, and drivers.
PCR (Platform Configuration Register)
TPM registers that store measurements (hashes) of boot components to support measured boot and attestation.
Boot Attestation
Transmitting a TPM-signed boot log to a remote server to verify health and detect unsigned or modified boot components.
Disk Encryption (FDE)
Encrypts the entire drive to protect data at rest; keys are typically stored in the TPM or a secure token source.
Self-Encrypting Drive (SED)
Drive-based encryption that performs cryptographic operations in the drive controller with DEK/MEK and an authentication key (AK) or KEK.
BitLocker
Microsoft disk encryption tool that stores encryption keys in secure storage such as the TPM.
AK/KEK (Authentication Key / Key Encryption Key)
Keys used in SEDs to protect and manage the DEK/MEK; AK is user-authenticated, KEK protects key data.
Opal Storage Specification
TCG standard for self-encrypting drives enabling vendor-agnostic drive-based encryption compatible with NVMe/SSD.
KMIP-enabled HSM
Hardware security module used with KMIP to automate provisioning and management of cryptographic keys.
End of Life (EOL)
Phase when a product is discontinued and support and updates become limited.
End of Service Life (EOSL)
Period when a product is no longer supported by the vendor and no updates are provided.
Long-Term Support (LTS)
Release model in which a designated software version continues to receive support and security updates for a longer period than standard releases.
Third-Party Risk Management
Assessment and governance of vendor and supplier security practices to protect the supply chain.
MOU (Memorandum of Understanding)
A formal or informal agreement expressing intent to collaborate, typically not legally binding.
BPA (Business Partnership Agreement)
A formal agreement outlining a partnership between vendors and solution providers.
NDA (Non-Disclosure Agreement)
A legal contract protecting confidential information shared between parties.
SLA (Service Level Agreement)
Contractual terms defining service performance and obligations between provider and customer.
MSA (Measurement Systems Analysis)
Quality management method to validate data collection and statistical methods used in security processes.
Baseline Configuration
A standard secure configuration template for a host, used to enforce consistent security settings.
GPO (Group Policy Object)
Windows policy framework used to apply configuration settings to domain-joined computers.
MBSA (Microsoft Baseline Security Analyzer)
Former Microsoft tool for validating security configuration; largely replaced by Security Compliance Toolkit.
Security Compliance Toolkit
Microsoft suite to compare production GPOs with template policy settings and enforce baselines.
Patch Management
Process of identifying, testing, deploying, and validating software or firmware updates to fix vulnerabilities.
A-V / Anti-Malware
Signature-based and heuristic protection to detect and prevent malware on hosts.
HIDS / HIPS (Host-Based IDS/IPS)
Security systems that monitor host activity and can detect or prevent malicious changes or actions.
EPP (Endpoint Protection Platform)
Unified security agent providing multiple functions (malware protection, firewall, IDS/IPS, DLP) on endpoints.
DLP (Data Loss Prevention)
Policies and tooling to prevent sensitive data from being exfiltrated or misused.
EDR (Endpoint Detection and Response)
Next-generation visibility and remediation for compromised endpoints, focusing on detection, containment, and forensics.
MDR (Managed Detection and Response)
Hosted security service providing monitoring, detection, and response across endpoints.
Next-Generation Firewall / Synchronized Security
Advanced firewall with analytics that can coordinate with endpoints to block threats and isolate hosts.
Sandboxing
Isolating untrusted code in a controlled environment to analyze behavior safely.
NB-IoT / LTE-M
Low-power cellular technologies for IoT with varying data rates and latency suitable for sensors.
eSIM / SIM
Embedded SIM vs removable SIM used to identify devices on cellular networks.
Z-Wave / Zigbee
Wireless, mesh-network protocols for home automation with encryption and device security considerations.
ICS/SCADA
Industrial Control Systems and Supervisory Control and Data Acquisition networks used in critical infrastructure.
Stuxnet
Notorious ICS/SCADA attack demonstrating targeting of control systems to disrupt processes.
NIST SP 800-82
NIST guidance on security controls for ICS and SCADA environments.
CAN Bus
Controller Area Network used in vehicles; limited or no built-in source addressing or authentication.
OBD-II
Onboard Diagnostics port used for vehicle diagnostics; potential attack surface for CAN/ECU compromise.
OSS/Wrapped Security (IPSec Wrappers)
Using IPSec to protect data in transit by wrapping traffic in a secure tunnel.
PACS (Physical Access Control System)
Security system managing physical access with locks, alarms, and surveillance.