CISSP Guide to Security Essentials, Chapter 7 PDF

CISSP Guide to Security Essentials, Second Edition Chapter 7 Security Operations © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. Objectives Applying security concepts to computer and business operations Records management security controls Backups Anti-virus software and other anti-malware controls Remote access Administrative management and control of information security Resource protection Incident management High availability architectures Vulnerability management Change management and configuration management CISSP Guide to Security Essentials, 2e © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or 2 posted to a publicly accessible website, in whole or in part. Security Operations Concepts Need to know Least privilege Separation of duties Job rotation Monitoring of special privileges Records management controls Backups Anti-virus and anti-malware Remote access CISSP Guide to Security Essentials, 2e © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or 3 posted to a publicly accessible website, in whole or in part. Need-to-Know Individual personnel should have access to only the information that they require in order to perform their stated duties Independent of security clearance – A person authorized to view “secret” information should be restricted to only that information required to carry out their duties, not all secret information that exists in the organization CISSP Guide to Security Essentials, 2e © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or 4 posted to a publicly accessible website, in whole or in part. Least Privilege Users should have the fewest or lowest number of privileges required to accomplish their duties Independent of security clearance CISSP Guide to Security Essentials, 2e © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or 5 posted to a publicly accessible website, in whole or in part. Separation of Duties High-value or high-risk tasks require two or more different individuals to complete Examples – Open a bank vault – Issue an arrest warrant – Provision a privileged-access computer account – Change a firewall rule CISSP Guide to Security Essentials, 2e © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or 6 posted to a publicly accessible website, in whole or in part. Job Rotation Move individual workers through a range of job assignments Reduces monotony, risk Reduces likelihood that employees will perform inappropriate or illegal actions if they fear being caught when next job rotation occurs CISSP Guide to Security Essentials, 2e © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or 7 posted to a publicly accessible website, in whole or in part. Monitoring of Special Privileges Privileged users have more power Mistakes have greater impact Record activities – Network administrator – System administrator – Database administrator – Application administrator CISSP Guide to Security Essentials, 2e © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or 8 posted to a publicly accessible website, in whole or in part. Records Management Controls Data classification Access management Records retention Backups Data destruction CISSP Guide to Security Essentials, 2e © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or 9 posted to a publicly accessible website, in whole or in part. Data Classification Establish sensitivity levels Establish handling procedures for each level – Creation, storage, transmittal, destruction Train users CISSP Guide to Security Essentials, 2e © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or 10 posted to a publicly accessible website, in whole or in part. Access Management Policies, procedures, and controls that determine how information is accessed and by whom – User account provisioning – Privilege management – Password management – Review of access rights – Secure log on CISSP Guide to Security Essentials, 2e © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or 11 posted to a publicly accessible website, in whole or in part. Records Retention Policies that specify how long different types of records must be retained (minimums and maximums) Manage risks related to business records – Risk of compromise of sensitive information – Risk of loss of important information – E-Discovery – Regulation CISSP Guide to Security Essentials, 2e © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or 12 posted to a publicly accessible website, in whole or in part. Backups Protection against loss due to malfunctions, failures, mistakes, and disasters Activities – Data restoration – Protection of backup media – Off-site storage of backup media CISSP Guide to Security Essentials, 2e © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or 13 posted to a publicly accessible website, in whole or in part. Data Restoration Periodic testing to ensure that data that is backed up can be restored – Same computer – Different computer Best way to prove that backups are being performed properly CISSP Guide to Security Essentials, 2e © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or 14 posted to a publicly accessible website, in whole or in part. Protection of Backup Media Backup media contains sensitive information Same level of control as original information Encryption Keep in locked cabinets – Least privilege & need to know CISSP Guide to Security Essentials, 2e © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or 15 posted to a publicly accessible website, in whole or in part. Offsite Storage of Backup Media Reduce risk of loss of backup media in the event of a disaster that destroys data center – Fire, flood, sabotage Factors – Distance from business location – Security of transportation – Security of storage center – Resilience of storage center against disasters CISSP Guide to Security Essentials, 2e © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or 16 posted to a publicly accessible website, in whole or in part. Data Destruction Purpose: ensure that discarded information is truly destroyed and not salvageable by either employees or outsiders Once information has reached the end of its need, its destruction needs to be carried out in a manner that is proportional to its sensitivity – Degaussing – Shredding – Wiping CISSP Guide to Security Essentials, 2e © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or 17 posted to a publicly accessible website, in whole or in part. Anti-Virus and Anti-Malware Effects of uncontrolled malware – Loss of business information – Disclosure or compromise of business information – Corruption of business information – Disruption of business information processing – Inability to access business information – Loss of productivity Apply defense in depth to protect assets Central anti-malware management CISSP Guide to Security Essentials, 2e © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or 18 posted to a publicly accessible website, in whole or in part. Remote Access Connectivity to a network or system from a location away from the network or system, usually from a location apart from the organization’s premises Improves productivity by permitting employees to access business information from any location Risk mitigation – Encryption, strong authentication, anti-malware, firewall CISSP Guide to Security Essentials, 2e © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or 19 posted to a publicly accessible website, in whole or in part. Types of Controls Technical Physical Administrative CISSP Guide to Security Essentials, 2e © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or 20 posted to a publicly accessible website, in whole or in part. Categories of Controls Detective Deterrent Preventive Corrective Recovery Compensating CISSP Guide to Security Essentials, 2e © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or 21 posted to a publicly accessible website, in whole or in part. Resource Protection Facilities – Water and sewage – Electricity – Fire alarms and suppression – Environmental controls – Communications – Security controls CISSP Guide to Security Essentials, 2e © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or 22 posted to a publicly accessible website, in whole or in part. Resource Protection (cont.) Hardware – Servers – Workstations – Network devices – Printers, copiers – Cabling Protect against physical and logical threats CISSP Guide to Security Essentials, 2e © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or 23 posted to a publicly accessible website, in whole or in part. Resource Protection (cont.) Software requires control and management – Licensing and distribution – Access control – Source code Intellectual property Security – Source code control CISSP Guide to Security Essentials, 2e © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or 24 posted to a publicly accessible website, in whole or in part. Resource Protection (cont.) Documentation – May contain trade secrets and sensitive information – Processes, procedures, and instructions – Version control – Access control CISSP Guide to Security Essentials, 2e © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or 25 posted to a publicly accessible website, in whole or in part. Incident Management Incident declaration Triage Investigation Analysis Containment Recovery Debriefing Covered in detail in Chapter 6: Legal, Regulations, Investigations, and Compliance CISSP Guide to Security Essentials, 2e © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or 26 posted to a publicly accessible website, in whole or in part. High-Availability Architectures Fault tolerance Clustering Failover Replication Virtualization CISSP Guide to Security Essentials, 2e © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or 27 posted to a publicly accessible website, in whole or in part. Fault Tolerance Makes devices less prone to failure – Multiple power supplies – Multiple network interfaces – Multiple processor units – RAID (Redundant Array of Inexpensive / Independent Disks) CISSP Guide to Security Essentials, 2e © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or 28 posted to a publicly accessible website, in whole or in part. Clustering A group of two or more servers that operate functionally as a single logical server Active-active mode Active-passive mode – Failover: when active status is transferred Geo-cluster – servers located at great distances from one another CISSP Guide to Security Essentials, 2e © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or 29 posted to a publicly accessible website, in whole or in part. Replication Data changes are transmitted to a counterpart storage system An adjunct to clustering, makes current data available to all cluster nodes CISSP Guide to Security Essentials, 2e © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or 30 posted to a publicly accessible website, in whole or in part. Virtualization Multiple operating system instances on a single server platform Systems can be logically and physically moved from one server platform to another – Local – Long distance CISSP Guide to Security Essentials, 2e © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or 31 posted to a publicly accessible website, in whole or in part. Business Continuity Management A management activity where analysis is performed to better understand the risks associated with potential disaster scenarios, and the steps that can be taken to reduce the impact of a disaster should one occur Covered in detail in Chapter 4, Business Continuity and Disaster Recovery Planning CISSP Guide to Security Essentials, 2e © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or 32 posted to a publicly accessible website, in whole or in part. Vulnerability Management Vulnerability scanning Application scanning Penetration testing Source code reviews and scanning Threat modeling Patch management CISSP Guide to Security Essentials, 2e © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or 33 posted to a publicly accessible website, in whole or in part. Vulnerability Scanning A scan of many or all TCP / IP “ports” on one or more target systems Mimics the actions of a hacker who scans a system or network for active, exploitable ports and services CISSP Guide to Security Essentials, 2e © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or 34 posted to a publicly accessible website, in whole or in part. Application Scanning The process of performing security tests on an application (usually, but not always, a web-based application) in order to find vulnerabilities in the application code itself – Cross-site scripting, Cross-site request forgery, SQL injection, Script injection, Parameter tampering, Buffer overflow, Boundary checking, Defective or unsecure session management, Defective or unsecure logon, Malicious file execution CISSP Guide to Security Essentials, 2e © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or 35 posted to a publicly accessible website, in whole or in part. Penetration Testing Starts with vulnerability scanning Use of manual tools to discover vulnerabilities that scanning tools are unable to identify Exploit vulnerabilities Targets can be network devices, servers, and / or applications CISSP Guide to Security Essentials, 2e © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or 36 posted to a publicly accessible website, in whole or in part. Source Code Reviews and Scanning Manual and automated inspections of software source code – Examine and validate approved changes – Detection of inappropriate changes, unsafe code, security issues CISSP Guide to Security Essentials, 2e © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or 37 posted to a publicly accessible website, in whole or in part. Threat Modeling Analysis on the design of a system Discover potential threats against the system CISSP Guide to Security Essentials, 2e © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or 38 posted to a publicly accessible website, in whole or in part. Patch Management The process – usually assisted with management tools – to manage the installation of patches on target systems Reduces risks associated with malware, hacking attacks that exploit known vulnerabilities CISSP Guide to Security Essentials, 2e © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or 39 posted to a publicly accessible website, in whole or in part. Change Management Prepare the change Circulate and review the change Discuss and agree to the change Perform the change Recordkeeping CISSP Guide to Security Essentials, 2e © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or 40 posted to a publicly accessible website, in whole or in part. Configuration Management Configuration of hardware, software components Configuration management database (CMDB) Automated tools CISSP Guide to Security Essentials, 2e © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or 41 posted to a publicly accessible website, in whole or in part. Operations Attacks Social engineering Sabotage Theft Extortion Bypass Denial of service CISSP Guide to Security Essentials, 2e © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or 42 posted to a publicly accessible website, in whole or in part. Summary The concept of need-to-know states that individual personnel should have access to only the information that they require in order to perform their stated duties. The concept of least privilege states that users should have the fewest or lowest numbers of privileges required to accomplish their duties. The concept of separation of duties states that high-value or high-risk tasks should be designed to require two or more individuals to complete it. The concept of job rotation moves individual workers through a range of assignments over time. The actions of individuals with special privileges should be monitored, to detect potential problems as well as to deter individual wrongdoing. CISSP Guide to Security Essentials, 2e © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or 43 posted to a publicly accessible website, in whole or in part. Summary (cont.) Data classification is the practice of assigning security levels and handling procedures to documents and databases. Access management is used to control who and what can access specific business records. Records retention governs the minimum and maximum periods of time that specific business records must be retained. Backups ensure the survival of business records even if malfunctions, errors, or disasters destroy original records. Data destruction is the process of securely discarding data when it is no longer needed. Malware has the capacity to disrupt the operation of user workstations as well as servers, which could result in loss or compromise of business information and the inability to access or process business information. CISSP Guide to Security Essentials, 2e © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or 44 posted to a publicly accessible website, in whole or in part. Summary (cont.) Remote access equipment enables workers not on physical premises to access network based resources such as file servers, applications, and internal web sites. Management should establish security policies, control objectives, a risk assessment methodology, a security awareness program, direct internal audits, and strive for continuous improvement. The types of controls are technical, physical, and administrative. The categories of controls are detective, deterrent, preventive, corrective, recovery, and compensating. Resource protection ensures that the buildings, equipment, and systems used to operate the business are protected from harm, damage, or loss. CISSP Guide to Security Essentials, 2e © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or 45 posted to a publicly accessible website, in whole or in part. Summary (cont.) A security incident is an event in which some aspect of an organization’s security policy has been violated. A high availability architecture is a system or application architecture that includes one or more of the following characteristics: fault tolerance, clusters, failover, and replication. Fault tolerant devices typically are equipped with redundant components that can be changed while the device continues operating. A cluster is a group of servers that logically functions as a single server. A failover is an event that occurs in a cluster where the role of an active server is transitioned to another server in the cluster. CISSP Guide to Security Essentials, 2e © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or 46 posted to a publicly accessible website, in whole or in part. Summary (cont.) Virtualization facilitates the operation of multiple operating system instances running on a single server platform. Vulnerability management is a collection of activities all concerned with the identification and remediation of vulnerabilities in an environment. Penetration testing is a vulnerability management activity that is used to identify active and exploitable ports and services on servers and network devices. Application scanning is a vulnerability management activity that is used to identify vulnerabilities in an application. Patch management is a vulnerability management activity that is used to identify important software patches and the systems and devices where they should be installed. CISSP Guide to Security Essentials, 2e © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or 47 posted to a publicly accessible website, in whole or in part. Summary (cont.) Change management is an operations process where all changes in an environment are analyzed in a peer review process prior to implementation. Configuration management is an operations process where all changes to systems and components are recorded or controlled by a configuration management tool and recorded in a configuration management database (CMDB). CISSP Guide to Security Essentials, 2e © 2016 Cengage Learning®. May not be scanned, copied or duplicated, or 48 posted to a publicly accessible website, in whole or in part.

CISSP Guide to Security Essentials, Chapter 7 PDF

Document Details

Tags

Related

Summary

Full Transcript

Upgrade to continue