Securing Hosts and Data

Virtualization Overview
Term Definition

Virtualization Technology used within data centers to host one or more virtual systems or
virtual machines (VMs) on a single physical system, reducing costs and
physical resource use.

Key Components and Concepts

Component Definition Examples

Hypervisor Specialized software that creates, runs, and VMware products,

manages virtual machines. Microsoft Hyper-V, Oracle
VM VirtualBox

Host The physical system hosting the VMs, requiring A server with 64GB RAM,
high-speed multi-core processors, large amounts 1TB SSD, and a 10-core
of RAM, fast and abundant disk space, and one processor running VMware
or more fast network cards. ESXi.

1
Guest Operating systems running on the host system. Windows 10 VM, Ubuntu
Hypervisors support various operating systems, 20.04 VM
including different Microsoft OS and Linux
distributions, in both 32-bit and 64-bit versions.

2
Cloud Concepts
Term Definition Examples

Cloud The ability to manually resize the Increasing a VM's RAM from
Scalability computing capacity of a VM by assigning 4GB to 8GB, requiring a restart
more memory, processors, disk space, or to apply changes.
network bandwidth, often requiring a
reboot.

Cloud The ability to dynamically change A web server VM automatically

Elasticity resources assigned to the VM based on adding more CPU resources
load, automatically adjusting resources during peak traffic periods
without requiring a reboot. without needing a restart.

Benefits of Virtualization
Aspect Explanation

Cost Reduction Virtualization reduces the need for multiple physical systems,
lowering hardware, electricity, cooling, and physical space costs.

Resource VMs share resources efficiently, improving overall utilization of

Utilization processing power, memory, and disk space.

3
Return on Virtualization provides better ROI when consolidating underutilized
Investment (ROI) servers into fewer physical hosts.

Example Scenario
Scenario Explanation

Underutilized An organization has nine physical servers, each using less than 20% of
Servers processing power, memory, and disk space. By virtualizing, all servers
could run as guest VMs on two or three physical servers, sharing
resources efficiently and saving money.

Summary
Term Definition

Virtualization Hosting multiple virtual systems on a single physical system.

Hypervisor Software managing VMs.

Host Physical system hosting VMs.

Guest Operating systems on the host.

Cloud Manually resizing VM resources, requiring a reboot.

Scalability

Cloud Elasticity Automatically adjusting VM resources based on load, without needing a

reboot.

ROI Improved when consolidating underutilized servers into fewer physical

hosts.

Thin Clients and Virtual Desktop Infrastructure (VDI)

Term Definition Examples

Thin Client A computer with minimal resources, used to An office workstation with
connect to a server to run applications or basic hardware used to
desktops. It typically includes a keyboard, access applications
mouse, screen, and may support hosted on a central
peripherals like speakers and USB ports. server.

4
Server A powerful system, either on-site or in the A data center server
cloud, that supports multiple thin clients. running multiple virtual
desktops for employees.

Virtual Desktop Hosts a user’s desktop operating system on Employees accessing

Infrastructure a server. VDIs can be accessed within a their work desktops
(VDI) network or via mobile devices, allowing remotely via a VDI and
users to access applications on their VPN connection.
desktop from anywhere with Internet
access.

Containerization
Term Definition Examples

Containerization A type of virtualization that runs services or Docker containers running

applications within isolated containers or microservices on a Linux
application cells, without hosting an entire host.
operating system. The host's OS and
kernel run the services/apps within each
container.

Benefit Uses fewer resources and can be more ISPs using containerization
efficient than traditional Type II hypervisor for specific customer
virtualization. applications, leading to
lower resource
consumption.

Drawback Containers must use the operating system All containers on a Linux
of the host. host must run Linux.

5
Example Scenarios
Scenario Explanation

Thin Client Setup An office with thin clients connected to a powerful central server,
allowing employees to run applications with minimal local
resources.

Mobile VDI Access Employees using their mobile devices to access their virtual
desktops hosted on a VDI, facilitated by a VPN for remote access.

Containerization in A company deploying containerized applications on a Linux server

Practice to ensure efficient resource usage and isolated environments for
each application.

Summary
Term Definition

Thin Client Minimal resource computer connecting to a server to run applications or

desktops.

Server Powerful system supporting multiple thin clients.

VDI Hosts user desktops on a server, accessible within a network or via

mobile devices.

6
Containerization Virtualization running services/apps in isolated containers without
hosting an entire OS.

Benefit More efficient resource use compared to traditional hypervisor

virtualization.

Drawback Containers must use the same OS as the host.

VM Escape Protection
Term Definition Examples

VM Escape An attack allowing access to the host An attacker exploiting a

system from within a virtual guest system. vulnerability in the VM to gain
It involves running code on the virtual control over the host and
system to interact with the hypervisor. other VMs.

Patch Regular updates and patches to both Applying the latest security
Management physical and virtual servers to protect patches released by the
against VM escape vulnerabilities. hypervisor vendor to prevent
VM escape attacks.

VM Sprawl Avoidance
Term Definition Examples

VM Sprawl Occurs when an organization has many A developer creates a VM for

unmanaged VMs, leading to potential testing but doesn't inform IT,
vulnerabilities and resource overload. leading to an unpatched, vulnerable
VM.

Resource Unauthorized VMs consuming system Multiple VMs created without proper
Overload resources, potentially causing management, resulting in server
slowdowns or crashes. performance issues.

7
 Resource Reuse
Term Definition Examples

Resource The potential for data or resources to Data from a previous tenant not
Reuse remain on shared infrastructure, being securely erased, accessible
accessible to other cloud service users, by a new tenant on the same cloud
leading to data leakage or exposure. infrastructure.

Replication
Term Definition Examples

Replication Copying VM files from one physical server Creating a backup of VM files to
to another, allowing easy restoration of a restore quickly in case of server
failed VM. failure.

Snapshots
Term Definition Examples

Snapshots A copy of a VM at a specific point in time, Taking a snapshot before

used as a backup. The hypervisor records all applying patches, allowing
changes after the snapshot. rollback if issues occur.

Example Scenarios
Scenario Explanation

VM Escape Attack An attacker uses a VM vulnerability to gain control over the host
system and other VMs.

Unmanaged VMs A developer creates a VM for testing without informing IT, leaving it
unpatched and vulnerable.

Resource Overload Multiple unauthorized VMs cause server performance issues due to
high resource consumption.

Data Leakage in Previous tenant's data not securely erased, accessible by new
Cloud tenant on the same cloud infrastructure.

VM Replication A VM's files are copied to another server, allowing quick restoration
in case of failure.

8
Snapshot Before An administrator takes a snapshot before applying patches, enabling
Patching easy rollback if problems occur post-patch.

Summary
Term Definition

VM Escape Attack accessing the host system from a virtual guest system.

Patch Updating servers to protect against VM escape vulnerabilities.

Management

VM Sprawl Unmanaged VMs leading to vulnerabilities and resource issues.

Resource Unauthorized VMs consuming excessive system resources.

Overload

Resource Reuse Potential data leakage due to shared cloud infrastructure.

Replication Copying VM files for easy restoration.

Snapshots Creating a VM backup at a specific time, recording all changes

post-snapshot.

Secure Systems Design Concepts

Term Definition Examples

Secure Ensures computing systems are deployed and Implementing firewalls and
Systems maintained securely. Applies to servers, encryption before
Design workstations, laptops, network devices, and deploying a server.
mobile devices.

Endpoint Security Software

Category Definition Examples

Antivirus Scans endpoints for viruses, worms, Trojan horses, McAfee, Norton,
Software and other malicious code, and can automatically Kaspersky.
resolve issues.

Endpoint Detects and responds to threats at the endpoint CrowdStrike

Detection and level using advanced behavioral analysis Falcon, Carbon
Response (EDR) techniques. Black.

9
Extended Goes beyond the endpoint to include network Palo Alto Cortex
Detection and devices, cloud infrastructure, and IoT devices, XDR.
Response (XDR) providing a comprehensive view of the entire IT
environment.

Host Intrusion Applies intrusion prevention techniques at the host McAfee Host IPS.
Prevention level, using behavior analysis, file integrity
Systems (HIPS) monitoring, and application control to prevent
unauthorized access.

Hardening Workstations and Servers

Practice Definition Examples

Disabling Reducing vulnerabilities by stopping Disabling FTP if it's not

Unnecessary unneeded services and protocols on a needed.
Services system.

Uninstalling Removing unnecessary applications to Uninstalling games or

Unneeded eliminate vulnerabilities. unused applications.
Software

Registry Modifying system registry to enhance Enabling PowerShell script

Modifications security, such as enabling logging for logging in the Windows
PowerShell scripts. registry.

Disk Encryption Encrypting disks as part of the Using BitLocker for full disk
hardening process to protect data. encryption.

Changing Default Replacing manufacturer default Changing the default admin

Passwords passwords to prevent unauthorized password on a router.
access.

Configuration Enforcement
Term Definition Examples

Configuration Deploying systems with secure Using configuration baselines and

Management configurations and ensuring they imaging to enforce secure settings.
remain secure over time.

Standard Naming Identifying standard Desktop_Sales_3.0 for the third

Conventions configurations using consistent version of a sales department
naming. desktop configuration.

10
Secure Baseline and Integrity Measurements
Term Definition Examples

Secure Baseline A known starting point for system Initial secure configuration of a
configurations to ensure security. new server.

Integrity Discovering deviations from the Regularly scanning systems to

Measurements baseline configuration to maintain detect unauthorized changes.
security.

Using Master Images for Baseline Configurations

Step Description Examples

Step 1: Create Install and configure the OS, Setting up a Windows Server with
Source applications, and security settings necessary applications and security
System on a blank system. configurations.

Step 2: Capture the configured system Using Symantec Ghost to create a

Capture the image to use as a master image. master image of the configured
Image system.

Step 3: Deploy Deploy the captured image to Installing the captured image on new
the Image multiple systems, ensuring office desktops.
consistent and secure setups.

Patching and Patch Management

Term Definition Examples

Patch Ensuring systems and applications stay Using Microsoft Configuration

Management up-to-date with current patches to Manager to deploy updates
reduce vulnerabilities. across the network.

Change Management
Term Definition Examples

Change Process for handling system modifications Requiring approval for

Management or upgrades to prevent unintended configuration changes to
outages or security failures. critical systems.

11
Application Allow and Block Lists
Term Definition Examples

Application List of applications authorized to Allowing only approved business

Allow List run on a system, blocking all applications to run on company
others. computers.

Application List of applications blocked from Blocking a known malicious game

Block List running on a system, allowing all executable from running on company
others. devices.

Example Scenarios
Scenario Explanation

Implementing Endpoint Installing antivirus, EDR, XDR, and HIPS on all endpoints to
Security protect against various threats.

Hardening Systems Disabling unnecessary services, uninstalling unused software,

modifying the registry, and encrypting disks.

Using Secure Deploying systems with secure configurations and maintaining

Baselines those configurations over time.

Deploying Master Creating and deploying master images to ensure consistent and
Images secure system setups.

Effective Patch Regularly updating systems with the latest patches to protect
Management against known vulnerabilities.

Managing Changes Following a structured change management process to prevent

unintended consequences of system changes.

Application Control Using allow and block lists to control which applications can run
on systems.

12
Disk Encryption
Term Definition Examples

Full Disk Encrypts the entire disk using Windows BitLocker, macOS FileVault,
Encryption (FDE) software or hardware VeraCrypt, Self-Encrypting Drives
solutions. (SEDs).

Boot Integrity
Term Definition Examples

Boot Verifies the integrity of the operating Measured boot processes that prevent
Integrity system and boot loading systems. booting if the system has lost integrity.

Boot Security and UEFI

Term Definition Examples

BIOS Basic Input/Output System providing Legacy systems using BIOS for
basic instructions for starting a booting.
computer.

UEFI Unified Extensible Firmware Interface, Systems using UEFI for booting larger
providing enhancements over BIOS. disks and being CPU-independent.

Flashing Upgrading BIOS or UEFI firmware by Updating the firmware of a

overwriting it with newer software. motherboard to the latest version.

Trusted Platform Module (TPM)

Term Definition Examples

TPM Hardware chip storing cryptographic Using TPM with BitLocker to

keys used for encryption and supporting secure a Windows system.
secure boot processes.

Secure Boot TPM captures and verifies the Blocking the boot process if key
Attestation signatures of key boot files to ensure files have been modified by
they haven't been tampered with. malware.

Remote Verifies boot files against a report sent Using remote attestation to
Attestation to a remote system. confirm the integrity of a system
during boot.

13
Hardware Unique encryption key burned into the TPM ensuring the private key
Root of Trust TPM chip, providing a secure starting remains private and supports
point. authentication.

Hardware Security Module (HSM)

Term Definition Examples

HSM Removable or external device High-performance HSMs as external

managing, generating, and securely network appliances, microSD HSMs in
storing cryptographic keys. microSD card slots.

MicroSD HSM device installed on a microSD Using a microSD HSM in a

HSM card, usable in any device with a smartphone for secure key
microSD or SD slot. management.

Decommissioning and Disposal

Term Definition Examples

Decommissioning Securely retiring hardware no longer Wiping data, removing

needed to prevent unauthorized credentials, and physically
access to sensitive data. destroying old hard drives.

Legacy Hardware Older hardware no longer Servers, laptops, or desktops

manufactured or widely used. from the early 2000s.

End-of-Life (EOL) Hardware that has reached the end Devices that no longer receive
Hardware of its useful life and no longer software updates or security
receives updates or support. patches.

Example Scenarios
Scenario Explanation

Using Full Disk Encrypting an entire disk with BitLocker or FileVault to protect
Encryption data on a laptop.

Verifying Boot Integrity Implementing measured boot processes to prevent booting if

system integrity is compromised.

Upgrading Firmware Flashing the UEFI firmware to the latest version to improve
security and functionality.

14
TPM for Secure Boot Using TPM to verify and ensure the integrity of key boot files
before allowing the system to boot.

HSM for Key Using an external HSM to securely generate, store, and manage
Management cryptographic keys for a server.

Secure Wiping data from an old server and physically destroying the
Decommissioning hard drive to prevent data leakage.

Summary
Term Definition

Full Disk Encryption Encrypts the entire disk to protect data.

Boot Integrity Verifies OS and boot loader integrity.

BIOS/UEFI Firmware interfaces for booting the system.

TPM Hardware chip for secure encryption and boot

processes.

HSM Removable device for secure key management.

Decommissioning Securely retiring hardware to prevent data leakage.

Protecting Data
Aspect Description Examples

Importance of Data is a valuable resource, and Data breaches leading to

Data breaches can lead to financial and identity theft or financial fraud.
reputational damage.

Confidentiality Encryption and strong access controls Using encryption to protect

Protection are primary methods to protect data sensitive information stored
confidentiality. on laptops.

Data Loss Techniques and technologies to Network-based DLP scanning

Prevention (DLP) prevent unauthorized data transfer out outgoing emails for
of an organization. confidential keywords.

15
Removable Media Storage devices that can be easily USB flash drives, external
attached to a computer to copy data, hard drives, SD cards.
which can be restricted.

Encryption Encrypting data at rest and in transit to Using BitLocker to encrypt a

protect confidentiality. laptop's hard drive.

Database Security Encrypting sensitive fields or records Encrypting credit card

within a database. numbers and security codes
in a customer database.

Data in Use Protecting data that is being Using secure enclaves for
processed or accessed by a system or sensitive data processing.
application.

Data Loss Prevention (DLP)

Type Description Examples

Network-Base Examines outgoing network traffic to Blocking emails with Social Security
d DLP prevent unauthorized data transfers. numbers from leaving the network.

Software-Bas Installed on individual systems to Preventing a file containing sensitive

ed DLP detect and block data exfiltration data from being copied to a USB
attempts. drive.

Protecting Confidentiality with Encryption

Aspect Description Examples

Full Disk Encryption Encrypts the entire disk to Windows BitLocker, macOS
(FDE) protect data at rest. FileVault, VeraCrypt.

Partition/Volume Encrypts specific partitions or Encrypting a separate data partition

Encryption volumes on a drive. on a hard drive.

File/Directory Encrypts specific files or Using encryption software to

Encryption directories. protect sensitive files in a folder.

Database Column Encrypts specific columns in Encrypting the credit card number
Encryption a database table. column in a customer database.

Removable Media

16
 Aspect Description Examples

Types of Various storage devices that can be USB flash drives, external hard
Removable easily attached to a computer. drives, SD cards, CDs, DVDs.
Media

Security Organizations may restrict or block Implementing USB data blockers to

Policies the use of removable media to prevent data from being copied to
prevent data loss. USB drives.

Protecting Data in Use

Aspect Description Examples

Data-in-Use Data currently being processed or Sensitive data like passwords

accessed, vulnerable during processing and and encryption keys.
transmission.

Secure Provides a secure and isolated area within Intel’s Software Guard
Enclave a system for processing sensitive data Extensions (SGX) creating a
(TEE) using hardware-based security trusted execution environment.
mechanisms.

Example Scenarios
Scenario Explanation

Data Breach A cybercriminal infiltrates a network and exfiltrates sensitive

customer data, causing financial and reputational damage.

Implementing DLP An organization uses network-based DLP to scan outgoing

emails for confidential information and block unauthorized
transfers.

Using Full Disk Encrypting an entire laptop's hard drive with BitLocker to
Encryption protect data if the laptop is stolen.

Database Column Encrypting sensitive columns, such as credit card numbers, in

Encryption a customer database to protect against unauthorized access.

Preventing Data Loss Implementing USB data blockers to prevent data from being
with USB Blockers copied to USB drives in a secure facility.

Protecting Data in Use Using secure enclaves to process sensitive data securely,
even in potentially insecure environments.

17
Summary
Term Description

Protecting Data Implementing measures to secure data and prevent breaches.

Data Loss Prevention Techniques to prevent unauthorized data transfer out of an

(DLP) organization.

Removable Media Storage devices that can easily be attached to a computer, posing
a data security risk.

Encryption Protecting data confidentiality by encrypting data at rest, in transit,

and in use.

Database Security Encrypting sensitive fields or records within a database to protect

against unauthorized access.

Data in Use Securing data currently being processed or accessed by a system

or application.

Secure Enclave (TEE) Isolated area within a system for secure processing of sensitive
data using hardware-based security.

Cloud Concepts
Aspect Description Examples

Cloud Accessing computing resources via the Using Gmail for email, storing
Computing Internet from a remote location. files on Google Drive.

Cloud Storage Storing data on the cloud provided by Apple iCloud, Microsoft
various service providers. OneDrive, Google Drive.

Cloud Delivery Models

Model Description Examples

Software as a Provides software applications over Gmail, Google Workspace,

Service (SaaS) the Internet accessible via web Microsoft Office 365.
browsers.

Platform as a Provides a preconfigured computing Hosting a website on a virtual

Service (PaaS) platform with operating systems and server provided by a cloud
applications. provider, Amazon Lambda.

18
Infrastructure as a Provides virtualized computing Renting virtual servers from
Service (IaaS) resources over the Internet. Amazon EC2, Microsoft Azure.
Customers manage the OS and
software.

Cloud Deployment Models

Model Description Examples

Public Cloud Services available to any Amazon Web Services (AWS), Google
customer willing to pay, hosted Cloud Platform (GCP), Microsoft Azure.
by third-party providers.

Private Cloud Cloud services used exclusively Shelbyville Nuclear Power Plant hosting
by a single organization. its own servers for internal use.

Community Shared by several organizations Educational institutions in a region

Cloud with similar needs and concerns. sharing resources in a common cloud.

Hybrid Cloud Combines two or more different A company using both public cloud
cloud models (public, private, services for general tasks and a private
community). cloud for sensitive data processing.

Multi-Cloud Systems
Aspect Description Examples

Multi-Cloud Combines resources from multiple Using IaaS from both AWS and
Systems cloud service providers. Microsoft Azure.

Resiliency and Increased reliability as multiple Ensuring continuous service even

Redundancy providers can cover for each other if one cloud provider experiences
during outages. downtime.

Complexity Added complexity in managing IT teams need to be proficient in

multiple cloud environments. both AWS and Azure platforms.

Example Scenarios
Scenario Explanation

Using SaaS for Email Accessing email through Gmail using a web browser without
needing to manage email servers.

19
Deploying PaaS for Using a cloud provider's platform to develop and test applications
Development without managing the underlying hardware.

Adopting IaaS for Renting virtual servers to handle peak load times, such as during
Scalability Black Friday sales, without owning physical servers.

Public Cloud for Using AWS to host a company's website accessible to all internet
General Use users.

Private Cloud for A financial institution using a private cloud to handle sensitive
Security customer data securely.

Community Cloud for Universities in a state sharing a cloud environment to collaborate

Education on research projects.

Hybrid Cloud for A business using a private cloud for secure data and a public
Flexibility cloud for less sensitive operations.

Multi-Cloud for A company using both AWS and Azure to ensure service
Redundancy availability even if one provider faces an outage.

Summary
Term Description

Cloud Computing Accessing computing resources over the Internet.

Cloud Storage Storing data on cloud services provided by various vendors.

SaaS Software provided over the Internet accessible via web browsers.

PaaS Preconfigured computing platforms provided over the Internet.

IaaS Virtualized computing resources provided over the Internet.

Public Cloud Cloud services available to any paying customer.

Private Cloud Cloud services used exclusively by a single organization.

Community Cloud services shared by organizations with common interests.

Cloud

Hybrid Cloud Combines two or more cloud models to create a flexible cloud
environment.

Multi-Cloud Combines resources from multiple cloud service providers to enhance

Systems resiliency and redundancy.

20
Application Programming Interfaces (APIs)
Aspect Description Examples

Definition Software components that allow developers Using APIs for web
access to features or data within another applications, IoT devices, and
application, service, or OS. cloud-based services.

Common APIs are commonly used for data access, Amazon's package tracking,
Uses package tracking, and controlling IoT wireless thermostat
devices. adjustments.

API Considerations
Aspect Description Examples

Authentication Ensuring only authorized entities can use Using passwords with an
the APIs, often using strong methods like authenticator app for API
two-factor authentication. access.

Authorization Controlling access levels to the API, Different access levels for
often using services like OAuth. developers and web
applications.

Transport Level Encrypting API traffic to protect data from Using TLS to secure data
Security (TLS) unauthorized access. transmitted by wireless
thermostats.

Indicators of API Attacks

Indicator Description Examples

Data Leaks Data leaked onto the Internet, Unauthorized access to sensitive
indicating a potential attack. information.

Hacked Websites compromised through API Defaced web pages or

Websites vulnerabilities. unauthorized content changes.

API Security Measures

Measure Description Examples

API Inspection and Testing APIs for security and usability Conducting security tests
Integration to discover vulnerabilities. before deploying APIs.

21
Microservices and APIs
Aspect Description Examples

Microservices Small code modules designed to A microservice for package

perform a single function well, often tracking that works with multiple
used with APIs. shippers.

API vs. APIs are tied to specific businesses or An Amazon API for a specific
Microservice services, while microservices are shipper vs. a microservice that
more versatile and reusable. works with any shipper.

Example Scenarios
Scenario Explanation

Using APIs for Data A developer uses an API to retrieve package tracking data
Access from a shipping company.

Implementing Strong An API requires a password and an authenticator app for

Authentication access to ensure only authorized users can use it.

Ensuring Transport Using TLS to encrypt data transmitted by an API controlling

Security IoT devices.

Detecting Data Leaks Monitoring for data leaked onto the Internet as an indicator of
potential API attacks.

Testing API Security Conducting thorough security testing of APIs before

integrating them into applications.

Developing Microservices Creating a microservice to handle package tracking for

multiple shippers, increasing versatility and reuse.

Summary
Term Description

API Software component allowing access to features or data within

another application or service.

Authentication Methods to ensure only authorized entities use APIs.

Authorization Methods to control access levels to APIs.

22
Transport Level Security Encrypts API traffic to protect data.
(TLS)

Data Leaks Indicators of potential API attacks, detected when data is

leaked onto the Internet.

Microservices Small, reusable code modules designed to perform single

functions well, often used with APIs.

Managed Security Service Provider (MSSP)

Aspect Description Examples

Definition A third-party vendor providing Providing security services to small

security services to improve a companies without needing to hire an
company's overall security in-house security team.
posture.

Services Various managed security Patch management, vulnerability scanning,

Provided services offered by MSSPs. spam and virus filtering, DLP, VPN
connections, proxy services, IDS/IPS, UTM
appliances, NGFWs.

Managed Services Provided by MSSPs

Service Description Examples

Patch Management Regular updates and patches for Automatically updating

systems and applications to software to fix vulnerabilities.
ensure security.

Vulnerability Scanning Regular scans to identify security Scanning for unpatched

weaknesses in the system. software or misconfigured
systems.

Spam and Virus Filtering out malicious emails and Blocking phishing emails and
Filtering viruses from the network. email-borne malware.

Data Loss Prevention Preventing unauthorized transfer Blocking sensitive data from
(DLP) of data out of the organization. being sent via email or USB
drives.

23
Virtual Private Network Secure connections over the Employees accessing the
(VPN) internet for remote access. company network securely
from remote locations.

Proxy Services Web content filtering to block Filtering web traffic to prevent
access to malicious or access to harmful websites.
inappropriate websites.

Intrusion Detection Detecting and preventing Monitoring network traffic for

and Prevention unauthorized access to the suspicious activity and
Systems (IDS/IPS) network. blocking attacks.

Unified Threat Integrated security devices that Devices that combine firewall,
Management (UTM) provide multiple security antivirus, and IDS/IPS
Appliances functions. functionalities.

Next-Generation Advanced firewalls with additional Firewalls that can detect and
Firewalls (NGFWs) features like application block complex threats and
awareness and intrusion unauthorized access.
prevention.

Managed Service Provider (MSP)

Aspect Description Examples

Definition A third-party vendor providing various IT Providing IT support, network

services, including security services management, and data backup
offered by MSSPs. services to organizations.

Cloud Service Provider Responsibilities

Aspect Description Examples

Cloud Service An entity offering one or more cloud AWS, Google Cloud
Provider (CSP) services through various deployment Platform, Microsoft Azure.
models.

Cloud Delivery Models and Responsibilities

Model Description Provider Customer
Responsibilities Responsibilities

24
Software as a Provides software Maintaining and Using strong passwords,
Service (SaaS) applications over the securing the managing user access.
Internet. software, ensuring
availability.

Platform as a Provides a platform Maintaining the Managing applications

Service (PaaS) with OS and platform, keeping OS and data, configuring
applications, and middleware up to middleware and runtime
excluding customer date. environments.
applications and data.

Infrastructure Provides virtual or Providing and Installing and maintaining

as a Service physical servers with maintaining the OS, applications, and
(IaaS) basic infrastructure. hardware, network, middleware, managing
and storage. data and security
settings.

25
Example Scenarios
Scenario Explanation

Using MSSP for A small company hires an MSSP to handle patch management,
Security Services vulnerability scanning, and spam filtering to enhance security
without hiring in-house security experts.

Adopting PaaS for A company uses a PaaS provider to host its development
Development environment, allowing developers to focus on coding without
managing the underlying infrastructure.

Implementing IaaS An organization rents virtual servers from an IaaS provider to

for Scalability handle increased demand during peak times, reducing the need for
physical servers.

Securing SaaS A company using SaaS applications like Gmail ensures strong
Applications password policies and manages user access to protect data.

26
Summary
Term Description

MSSP Provides security services to improve an organization's security posture.

MSP Provides various IT services, including those offered by MSSPs.

CSP Offers cloud services through different deployment models (IaaS, PaaS, SaaS).

SaaS Software provided over the Internet, with the provider handling maintenance and
security.

PaaS Platform with OS and applications, excluding customer-managed applications and

data.

IaaS Virtual or physical servers with basic infrastructure, with the customer managing
OS and applications.

Cloud Security Considerations

Aspect Description Examples

Availability Ensures systems or services remain Using multiple load-balancing

operational with minimal downtime. nodes across different geographic
locations.

Resilience Ability to maintain functionality Implementing redundancy and

despite adverse conditions or failover mechanisms, such as
unexpected events. backups and disaster recovery
sites.

Cost Balancing the cost of cloud services Comparing different CSPs to find
with budget and requirements. the best value for money.

Responsivene Speed and reliability of a cloud Optimizing response time and

ss service in responding to requests throughput through caching and
and performing tasks. load balancing.

Scalability Ability to handle increasing data, Using elastic computing resources

traffic, and user requests without and auto-scaling mechanisms.
performance degradation.

27
Segmentation Isolating sensitive data and Using VLANs and screened
applications from other parts of the subnets in cloud-based networks.
network for security and compliance.

On-Premises vs. Off-Premises

Aspect Description Examples

On-Premises Resources owned, operated, and Implementing a private cloud

maintained within the organization’s within a company’s data
properties. center.

Off-Premises Resources hosted by CSPs, can be Using AWS for hosting

used for any cloud deployment model. applications and data storage.

Centralized Equipment located in one or a few large A single large data center
Approach data centers, reducing costs and hosting the company’s IT
simplifying management. infrastructure.

Decentralized Equipment spread across many smaller Multiple small data centers
Approach data centers, reducing the impact of a across different locations.
single facility failure.

Hardening Cloud Environments

Aspect Description Examples

Cloud Access Deployed between an organization’s Ensuring consistent security

Security Broker network and the cloud provider to policy enforcement across
(CASB) monitor traffic and enforce security multiple cloud services.
policies.

Cloud-Based DLP Implements policies for data stored Detecting and managing PII
in the cloud to prevent data loss. or PHI in cloud storage.

Next-Generation Combines a proxy server and a URL filtering, packet filtering,

Secure Web Gateway stateless firewall to filter Internet malware detection,
(SWG) traffic and prevent threats. network-based DLP, and
sandboxing.

Cloud Firewall Virtual networks in the cloud need Using security groups to
Considerations firewalls to prevent unauthorized write firewall rules that the
access. cloud service provider
enforces.

28
Infrastructure as Code (IaC)
Aspect Description Examples

Infrastructure as Managing and provisioning data Running scripts to create and

Code (IaC) centers with code to define VMs and manage virtual infrastructure.
virtual networks.

Automation Facilitates automation and creates Using scripts to automatically

reusable code for infrastructure deploy and configure new
management. servers.

Example Scenarios
Scenario Explanation

Ensuring High Availability Using load-balancing nodes in different geographic

locations to maintain system availability.

Implementing Resilience Setting up backup and disaster recovery sites to ensure

system functionality during adverse events.

Balancing Cost and Selecting a CSP that offers the best value for the
Requirements organization’s budget and needs.

Optimizing Responsiveness Using caching and load balancing to improve the speed
and reliability of a cloud service.

Achieving Scalability Implementing auto-scaling mechanisms to handle

increasing traffic and user requests.

Segmenting Cloud Networks Using VLANs to isolate sensitive data and applications
from other parts of the network.

Choosing On-Premises Retaining control over all cloud-based resources and

Deployment implementing internal security controls.

Utilizing Off-Premises Leveraging CSPs for hosting applications and data

Resources storage with minimal maintenance overhead.

Deploying CASB for Security Using a CASB to enforce security policies across multiple
cloud services.

Using Cloud-Based DLP Implementing policies to detect and manage PII stored in
the cloud.

29
Configuring a Setting up an SWG to filter Internet traffic and prevent
Next-Generation SWG threats.

Writing Firewall Rules with Using security groups to create and manage firewall
Security Groups rules for virtual networks in the cloud.

Applying Infrastructure as Automating the deployment and configuration of virtual

Code (IaC) infrastructure using scripts.

Summary
Term Description

Availability Ensuring minimal downtime for systems or services.

Resilience Maintaining functionality during adverse conditions.

Cost Balancing cloud service costs with organizational budget and

requirements.

Responsiveness Speed and reliability of cloud services in responding to requests.

Scalability Ability to handle increasing data, traffic, and user requests.

Segmentation Isolating sensitive data and applications within cloud networks.

On-Premises Cloud resources maintained within the organization’s properties.

Off-Premises Cloud resources hosted by CSPs, used for various cloud

deployment models.

CASB Software or service deployed between an organization’s network

and the cloud provider to enforce security policies.

Cloud-Based DLP Data loss prevention solutions for data stored in the cloud.

Next-Generation SWG Secure web gateway combining proxy and firewall services to
filter Internet traffic.

Cloud Firewall Virtual network security through managed firewall rules using
Considerations security groups.

Infrastructure as Code Managing virtual infrastructure through code for automation and
(IaC) efficiency.

30
Software-Defined Networking (SDN)
Aspect Description Examples

Definition Uses virtualization technologies to route Implementing SDN as part of an

traffic instead of hardware routers and IaaS solution.
switches.

Data Plane Logic used to forward or block traffic. Software-based data plane
rules replacing hardware ACLs.

Control Logic used to identify the path to take. Using routing protocols like
Plane OSPF and BGP.

Routing Protocols
Protocol Description Examples

Open Shortest Path Helps routers determine the best Sharing routing information to
First (OSPF) path to route traffic. create a network map.

Border Gateway Used for routing between Determining the best paths for
Protocol (BGP) autonomous systems on the data across the internet.
internet.

SD-WAN
Aspect Description Examples

SD-WA Software-defined networking for Connecting different sites together using

N wide-area networks. SDN without hardware routers.

Edge and Fog Computing

Aspect Description Examples

Edge Storing and processing data close to the Autonomous car systems
Computing devices that generate and use it. processing data onboard for quick
responses.

Fog Uses a network close to the device with A network of sensors and
Computing multiple nodes for sensing and processors near IoT devices to
processing data. reduce latency.

Cloud Security Alliance (CSA)

31
 Aspect Description Examples

CSA A not-for-profit organization promoting Creating the Certificate of

best practices related to cloud security. Cloud Security Knowledge
(CCSK) certification.

CCSK Certification focusing on cloud security. Certificate of Cloud Security

Knowledge.

CSA Cloud A cybersecurity control framework with Focused on cloud-based

Controls Matrix over 200 security control objectives in 17 resources.
(CCM) domains.

SP-800-53 Security and privacy controls for Used for all types of computing
Revision 5 information systems and organizations, systems, not limited to
applicable to all computing systems. cloud-based resources.

Example Scenarios
Scenario Explanation

Implementing SDN Using software-based virtualization to route network traffic

instead of relying on hardware routers.

Using OSPF in SDN Utilizing the OSPF protocol to determine the best path for
routing traffic within a software-defined network.

Deploying SD-WAN Connecting multiple business locations using SD-WAN for

efficient and flexible network management.

Autonomous Car with Processing sensor data locally in an autonomous car to

Edge Computing make real-time decisions and avoid latency issues.

Setting Up Fog Computing Implementing a fog network to process IoT sensor data near
the devices for faster response times.

Adopting CSA Practices Following best practices recommended by the Cloud Security
Alliance to enhance cloud security.

CCSK Certification Obtaining the Certificate of Cloud Security Knowledge to

validate expertise in cloud security practices.

Using CCM for Cloud Implementing security controls from the CSA Cloud Controls
Security Matrix to secure cloud-based resources.

32
Summary
Term Description

SDN Uses virtualization to route traffic, separating data and control

planes.

OSPF and BGP Routing protocols used in SDN for path determination.

SD-WAN Software-defined networking for wide-area networks.

Edge Computing Processes data close to the source to reduce latency.

Fog Computing Similar to edge computing but uses a network of nodes for data
processing.

CSA Promotes best practices for cloud security and offers the CCSK
certification.

CCM Cybersecurity control framework focused on cloud resources.

SP-800-53 Revision Comprehensive security and privacy controls for all computing
5 systems.

Mobile Device Characteristics

Characteristic Description Examples

Wireless Network At least one interface for Wi-Fi, Bluetooth, cellular network.
Interface connecting to wireless networks.

Local Data Storage Ability to store data locally on the Internal flash storage, microSD
device. cards.

Operating System Full-featured or limited-functioning iOS, Android.

OS to manage device functions.

Application Capability to install additional Downloading apps from Google

Installation applications. Play Store or Apple App Store.

Mobile Device Deployment Models

Model Description Examples

33
Corporate-owned Devices are purchased and Company-issued smartphones
issued by the organization. for employees.

COPE Organization owns the devices, Work smartphones used for

(Corporate-Owned, but employees can use them for personal calls and apps.
Personally Enabled) personal activities.

BYOD (Bring Your Employees bring their own Personal smartphones used to
Own Device) personal devices and connect access work emails.
them to the network.

CYOD (Choose Your Employees can choose from a list Employees selecting from a list
Own Device) of approved devices and of pre-approved smartphones
purchase them for work use. for work purposes.

Connection Methods
Method Description Examples

Cellular Connects to cellular networks such as LTE, Smartphones connecting to mobile

4G, or 5G. data services.

Wi-Fi Wireless network interface for connecting Connecting to office or home Wi-Fi
to Wi-Fi networks. networks.

Bluetoot Wireless protocol for personal area Using a Bluetooth headset with a
h networks. smartphone.

Mobile Device Management (MDM) Concepts

Concept Description Examples

Application Restricts what applications Using application allow lists to

Management can run on mobile devices. control app installations.

Full Device Encrypts the entire device to Enabling full disk encryption on
Encryption protect data. corporate smartphones.

Storage Isolates data on the device Storing corporate data in an

Segmentation into separate segments. encrypted segment on the device.

Content Management Ensures appropriate content is Enforcing storage of sensitive data

stored in secure segments. in encrypted areas.

34
Containerization Runs applications in isolated, Running corporate apps in a
encrypted containers. secure container on BYOD
devices.

Passwords and PINs Enforces strong password Requiring a PIN or password to

policies on mobile devices. unlock the device.

Biometrics Uses biometric authentication Using fingerprint or facial

methods. recognition to unlock the device.

Screen Locks Locks the device after a period Automatic screen lock with a
of inactivity. passcode after 5 minutes of
inactivity.

Remote Wipe Sends a signal to erase all Using MDM to remotely wipe a
data on a lost or stolen device. stolen smartphone.

Geolocation Uses GPS to track and locate Locating a lost phone using GPS
the device. tracking.

Geofencing Creates a virtual boundary to Configuring apps to run only within

restrict device functions. the organization’s premises.

GPS Tagging Adds geographical data to Embedding location data in photos

files like pictures and videos. taken with a smartphone.

Context-aware Uses multiple elements to Combining geolocation and user

Authentication authenticate a user and behavior for authentication.
device.

Push Notifications Sends messages to mobile Receiving notifications from the

devices from apps. Facebook app on a smartphone.

Hardening Mobile Devices

Aspect Description Examples

Unauthorized Preventing installation of Blocking apps from third-party app

Software unapproved apps. stores.

Jailbreaking and Removing software restrictions Rooting an Android device or

Rooting to gain full access to the device. jailbreaking an iPhone.

Firmware OTA Over-the-air updates to keep the Regularly updating the OS on

Updates device's firmware up to date. smartphones.

35
Sideloading Installing apps by copying them Developers testing apps by
directly to the device. sideloading APK files on Android
devices.

Hardware Control
Aspect Description Examples

Camera and Controlling the use of device Disabling cameras in sensitive

Microphone cameras and microphones. areas within the organization.

Geolocation-based Enforcing hardware control Disabling cameras only within

Restrictions based on device location. specific geofenced areas.

Unauthorized Connections
Aspect Description Examples

Tethering Sharing one device’s Internet Connecting a laptop to the Internet

connection with other devices. via a smartphone’s mobile data.

Mobile Devices that provide Internet access Using a mobile hotspot to connect
Hotspots to multiple systems. various devices to the Internet.

Wi-Fi Direct Allows devices to connect without a Smartphones connecting directly to

wireless access point or router. each other for file sharing.

Summary
Term Description

Mobile Device Smartphones and tablets with wireless interfaces, local storage,
and the ability to install apps.

Deployment Models Methods for managing and securing mobile devices in an

organization.

MDM Technologies for managing mobile devices and enforcing security

policies.

Hardening Mobile Techniques to enhance security, including managing unauthorized

Devices software and hardware control.

Unauthorized Managing and preventing unauthorized network connections.

Connections

36
Embedded Systems
Aspect Description Examples

Definition Devices with a dedicated function Wireless multifunction printers (MFPs),

using a computer system. medical devices, automotive systems.

Component Use CPUs, operating systems, and System-on-chip (SoC), real-time

s applications to perform functions. operating system (RTOS).

Internet of Things (IoT)

Aspect Description Examples

Definition Technologies interacting with the Smart thermostats, security cameras,

physical world, often with embedded medical monitoring devices, smart
systems. meters.

Connectivity Typically connect via the Internet, Remote temperature monitoring,

Bluetooth, or other wireless motion-controlled lighting, fire
technologies. detection systems.

Industrial Control Systems (ICS) and SCADA Systems

Aspect Description Examples

ICS Systems within large facilities for Power plants, water treatment facilities.
control and automation.

SCADA Supervisory control and data Monitoring manufacturing processes,

acquisition systems monitoring and facility environmental controls, energy
controlling ICS. processing systems.

Isolation Ideally isolated networks to prevent Isolated VLANs with network intrusion
internet access and external attacks. prevention systems (NIPS).

Embedded Systems Components

Component Description Examples

37
System-on-Chip Integrates many computer system Processors, memory,
(SoC) components onto a single chip. input/output interfaces.

Real-Time Specialized OS designed for Medical devices, automotive

Operating System embedded systems requiring precise systems requiring real-time
(RTOS) timing and deterministic behavior. scheduling.

Hardening Specialized Systems

Aspect Description Examples

Patch Applying security fixes and updates to Regularly reviewing and

Management keep systems secure. applying patches for embedded
systems.

Segmentation Placing systems on a segmented Isolating IoT devices within a

network to protect them from external dedicated VLAN.
attacks.

Embedded System Constraints

Constraint Description Examples

Compute Limited computing ability compared Small embedded devices

to full computing systems. without full CPUs.

Cryptographic Limited processing power restricts Devices that cannot perform

Limitations the use of cryptographic protocols. strong encryption due to
processing constraints.

Power Dependence on parent device power Battery-powered sensors

or batteries that need replacement. requiring periodic maintenance.

Ease of Often deployed in remote or difficult RTOS deployment in remote

Deployment to access locations, requiring industrial sites.
specialized expertise.

Cost Balancing cost with features such as Choosing between adding

security. security features and keeping
device costs low.

Inability to Patch Difficulty in patching embedded Embedded devices without

systems or lack of available patches. vendor-provided patch
mechanisms.

38
Example Scenarios
Scenario Explanation

Using Embedded Systems A wireless multifunction printer with an embedded system

for printing, scanning, and faxing.

IoT in Home Security Smart cameras and motion sensors connected to a home
security app.

ICS in a Power Plant SCADA system monitoring and controlling power

generation processes.

Deploying an SoC in IoT Integrating processor, memory, and interfaces on a single

Devices chip for a smart thermostat.

RTOS in Automotive Using an RTOS to ensure real-time processing in car safety

Systems systems.

Segmentation for Security Placing smart meters on a dedicated network segment to

protect from external attacks.

Handling Cryptographic Implementing lightweight encryption protocols suitable for

Limitations low-power IoT devices.

Managing Remote Regular maintenance and updates for industrial IoT devices
Embedded Systems deployed in remote locations.

Summary
Term Description

Embedded Systems Devices with a dedicated function using a computer system.

Internet of Things (IoT) Technologies interacting with the physical world, often using
embedded systems.

Industrial Control Systems within large facilities for control and automation.
Systems (ICS)

SCADA Systems Supervisory control systems monitoring and controlling ICS.

System-on-Chip (SoC) Integrates many computer system components onto a single

chip.

Real-Time Operating Specialized OS for embedded systems requiring precise timing

System (RTOS) and deterministic behavior.

39
Hardening Systems Applying patches and segmentation to protect specialized
systems.

Embedded System Limitations in computing power, cryptographic capabilities,

Constraints power, ease of deployment, cost, and patching.

Virtualization Concepts
Concept Description Examples

Virtualization Allows multiple servers to operate on a Running multiple VMs on

single physical host and supports one physical server.
virtual desktops.

Virtual Desktop Hosts a user’s desktop operating Accessing a Windows

Infrastructure (VDI) system on a server, accessible by thin desktop from an iPad.
clients and mobile devices.

Container Runs services or applications within Docker containers running

Virtualization isolated containers using the host's microservices.
kernel.

VM Escape Attack An attacker gains access to the host Regularly updating VMs
system from a VM; primary protection and hypervisors to prevent
is keeping systems patched. exploits.

VM Sprawl Occurs when VMs are not managed Implementing policies to

properly within the organization. track and manage VM
usage.

Implementing Secure Systems

Aspect Description Examples

Endpoints Devices like servers, desktops, Monitoring endpoints using EDR

laptops, mobile devices, and IoT and XDR.
devices.

Hardening Making an operating system or Disabling unnecessary services

application more secure from its and applying security patches.
default installation.

Configuration Deploying systems with secure Using configuration templates

Management configurations and maintaining and automated deployment
them. tools.

40
Master Image Provides a secure starting point for Deploying a pre-configured and
systems, typically created with tested system image to new
templates. machines.

Patch Management Ensures operating systems, Using automated tools to deploy

applications, and firmware are up patches across the network.
to date with current patches.

Change Defines the process for making Requiring approval for changes
Management changes to reduce unintended to production systems.
outages.

Application Controls which applications can or Allow list for approved business
Allow/Block List cannot run on a system. applications; block list for
unauthorized software.

Full Disk Encrypts the entire disk to protect Using BitLocker on Windows
Encryption (FDE) data. systems.

Trusted Platform A hardware chip that supports full TPM used for BitLocker
Module (TPM) disk encryption, secure boot, and encryption and platform integrity
remote attestation. checks.

Hardware Security A removable or external device HSMs used in data centers to

Module (HSM) used for encryption, generating secure cryptographic keys.
and storing RSA keys.

Data Protection Protects confidentiality with Encrypting database columns

encryption and strong access containing sensitive information.
controls.

Data Loss Prevents data loss by blocking Blocking USB ports and
Prevention (DLP) unauthorized transfers and scanning emails for sensitive
monitoring outgoing data. information.

Data Exfiltration Unauthorized transfer of data Detecting and blocking attempts

outside an organization. to send confidential files outside
the company.

Cloud Concepts
Aspect Description Examples

Cloud Computing Provides additional resources via Using AWS for scalable
the Internet or a hosting provider. computing resources.

41
SaaS (Software as a Web-based applications provided Google Workspace, Microsoft
Service) over the Internet. Office 365.

PaaS (Platform as a Provides an easy-to-configure OS Google App Engine, Microsoft

Service) and on-demand computing, vendor Azure.
keeps systems updated.

IaaS (Infrastructure Provides hardware resources via Amazon EC2, Google Cloud
as a Service) the cloud, reducing hardware Platform.
footprint and personnel costs.

MSP (Managed Third-party vendor providing any IT Outsourcing IT support and

Service Provider) services needed by an services.
organization.

MSSP (Managed Focuses on providing security Managed firewall services,

Security Service services for an organization. intrusion detection systems.
Provider)

CASB (Cloud Access Software tool/service between an Monitoring and controlling

Security Broker) organization’s network and the data flow to and from cloud
cloud provider, enforcing security services.
policies.

Cloud Deployment Public, private, community, and Using a private cloud for
Models hybrid clouds. internal services, a public
cloud for customer-facing
applications.

Cloud Security Includes availability, resilience, Implementing multi-region

Considerations cost, responsiveness, scalability, deployments for high
and segmentation. availability.

Infrastructure as Managing and provisioning data Using Terraform to automate

Code (IaC) centers with code to define VMs cloud infrastructure
and virtual networks. deployment.

Software-Defined Uses virtualization technologies to Implementing SDN in a data

Networking (SDN) route traffic instead of hardware center to optimize traffic flow
routers and switches. and management.

Mobile Devices
Aspect Description Examples

42
Mobile Devices Includes smartphones and iPhones, Android tablets.
tablets running a mobile OS.

COPE Organization owns the Company-issued smartphones with

(Corporate-Owned, devices, but employees can personal app usage allowed.
Personally Enabled) use them for personal
reasons.

BYOD (Bring Your Employees connect personal Employees using personal laptops
Own Device) devices to the organization’s for work purposes.
network.

CYOD (Choose Your List of approved devices Employees selecting from a list of
Own Device) employees can purchase and company-approved smartphones.
connect to the network.

VDI (Virtual Desktop Virtual desktops that can be Accessing a virtual Windows
Infrastructure) accessed from mobile desktop from an iPad.
devices.

Connection Methods Methods for mobile devices to Cellular, Wi-Fi, Bluetooth.

connect to networks and
other devices.

Mobile Device Tools to ensure devices meet Enforcing device encryption, remote
Management (MDM) security requirements, wipe capabilities, application
monitor devices, and enforce control.
policies.

Security Methods Techniques to protect mobile Screen locks, remote wipe,

devices and data. geolocation, geofencing, GPS
tagging, context-aware
authentication.

Unauthorized Preventing installation of Blocking apps from third-party

Software unapproved apps. stores, preventing
jailbreaking/rooting.

Hardware Control Managing hardware features Disabling cameras and

on mobile devices. microphones within sensitive areas.

Unauthorized Managing and preventing Blocking tethering, mobile hotspots,

Connections unauthorized network and Wi-Fi Direct.
connections.

43
Embedded Systems
Aspect Description Examples

Embedded Devices with a dedicated function Wireless multifunction printers,

Systems using a computer system. medical devices, automotive
systems.

IoT (Internet of Devices interacting with the physical Smart thermostats, security
Things) world, often with embedded systems. cameras, medical monitoring
devices, smart meters.

ICS and SCADA Industrial control systems managed by Power plants, water treatment
Systems SCADA systems in large facilities. facilities.

System-on-Chip Integrated circuit including a full Processors, memory,

(SoC) computing system. input/output interfaces.

Real-Time Specialized OS designed for Medical devices, automotive

Operating System embedded systems requiring precise systems.
(RTOS) timing and deterministic behavior.

Embedded Limitations in computing power, Limited processing power,

System cryptographic capabilities, power, reliance on batteries, difficulty
Constraints ease of deployment, cost, and in patching.
patching.

44