Chapter 13

Administrative Management

THE CISSP EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:

  • Operations Security
    • Understand the following security concepts
      • Need-to-know/least privilege; separation of duties and responsibilities; monitor special privileges (e.g., operators, administrators); job rotation; marking, handling, storing, and destroying of sensitive information and media; record retention
    • Employ resource protection
      • Media management; asset management; personnel privacy and safety
    • Understand configuration management concepts (e.g., versioning, baselining)

All companies must take into account any issues that can make day-to-day operations susceptible to breaches in security. Personnel management is a form of administrative control, or administrative management, and is an important factor in maintaining operations security. Clearly defined personnel management practices must be included in your security policy and subsequent formal security structure documentation (including all necessary relevant standards, guidelines, and procedures).

Operations security topics are related to personnel management because personnel management can directly affect security and daily operations. They are included in the Operations Security domain of the Common Body of Knowledge (CBK) for the CISSP certification exam, which deals with topics and issues related to maintaining an established and secure IT environment. Operations security concerns itself with maintaining an IT infrastructure after it has been designed and deployed: That means using hardware controls, media controls, and subject (user) controls designed to protect against asset threats.

This domain is discussed in this chapter and further in the following chapter (Chapter 14, “Auditing and Monitoring”). Be sure to read and study both chapters to ensure your understanding of the essential anti-malware and operations material.

Operations Security Concepts

The primary purpose for operations security is to safeguard information assets that reside in a system on a day-to-day basis, to identify and safeguard any vulnerabilities that might be present in the system, and to prevent any exploitation of threats. Administrators sometimes call the relationship between assets, vulnerabilities, and threats an operations security triple. The trick in the arena then becomes how best to tackle the operations security triple.

The Operations Security domain is a broad collection of many concepts that are both distinct and interrelated, including antivirus or antimalware management, operational assurance, backup maintenance, changes in location, privileges, trusted recovery, configuration and change management control, due care and due diligence, privacy, security, and operations controls.

The following sections highlight these important day-to-day issues that affect company operations by discussing them as they relate to maintaining security.

Antivirus Management

Viruses represent the most common type of security breach in the IT world. Any communications pathway can and will be exploited as a delivery mechanism for a virus or other malicious code (more generically called malware). Viruses proliferate via email (the most common means), websites, shared documents, and even occasionally within tainted commercial software. In 2001, Microsoft was dealt a blow when the FunLove virus infected security hotfix files on partner and premier support sites, and in 2007, Windows Vista Home Premium came preinstalled on a batch of notebooks accompanied by a 13-year-old boot sector virus named Stoned.Angelina; these are just two examples that targeted a high-profile vendor. Antivirus management is the design, deployment, and maintenance of an antivirus solution for your IT environment.

If users are allowed to install and execute software without restriction, then the IT infrastructure becomes absolutely vulnerable to virus infections. To provide a more virus-free environment, make sure that software changes, installations, and upgrades are rigidly controlled. Users should be able to install and execute only company-approved and vendor-distributed software. All new software should be thoroughly tested and scanned before it is deployed or distributed on a production network. Even commercial software has become an inadvertent carrier of viruses, worms, and other malware, which happened again to Microsoft in 2002 when it accidentally distributed the Nimda worm to South Korea as it distributed Korean-language versions of Visual Studio .NET.

Users should be trained in safe computing best practices, especially those granted Internet access or who use any form of email. In areas where technical controls cannot prevent virus infections, users must be trained to prevent them through safe completion of their daily duties. User awareness training must include information about handling attachments or downloads from unknown senders and unrequested attachments of any kind. Users should be told never to test an executable by executing it directly. All instances of suspect software should be reported immediately to a security administrator.

Antivirus software should be deployed at multiple levels on a network. All traffic—including internal, inbound, and outbound—should be scanned for viruses. A virus-scanning tool should be present on all border connection points, on all servers, and on all clients. Installing products from different vendors in each of these three arenas can provide a more thorough and foolproof scanning gauntlet.


Try to avoid installing more than one virus-scanning tool on any single system. Though defense in depth is often merited and in many cases warranted, doubling-up antivirus applications can cause unrecoverable system failure in some cases and often consumes excessive memory and CPU cycles.

Seek to maintain 100 percent virus-free servers and 100 percent virus-free backups. To accomplish the former, you must scan every bit of data before it is allowed into or onto a server for processing or storage. To accomplish the latter, you must scan every bit of data before writing it onto backup media. Maintaining virus-free systems and backups enables efficient, timely recovery from a virus infection.

In addition to using a multilevel or concentric circle antivirus strategy, you must routinely maintain all elements that implement the strategy. A concentric circle strategy basically consists of multiple layers of antivirus scanning throughout the environment to ensure that all current data and backups remain free from viruses. Regular updates to virus signature and definition databases should be automated. However, you should distribute updates only after verifying that they are benign. It is possible for virus lists or engine updates to crash some systems. Many organizations employ the following strategy: (1) install AV software on all systems including desktops and servers, (2) install specialized AV software on email systems, and (3) perform content filtering in the firewall (or a special content-filtering appliance).

Maintain constant vigilance by tracking notification newsletters, mailing lists, RSS feeds, and vendor sites. Whenever a new virus epidemic breaks out, take appropriate action: Shut down or tightly restrict access to email or the Internet (if at all possible or practical) until a workable solution/repair/inoculation becomes available.

Multiple Defenses

Defense in depth is a common security strategy used to provide a protective multilayer barrier against various forms of attack. It’s reasonable to assume that there is greater difficulty in passing bad traffic or data through a network heavily fortified by a firewall, an IDS, and a diligent administration staff than one with a firewall alone. Why shouldn’t you double up your defenses?

Jonas is an IT administrator for a fledgling Class C network where Kelly is employed as a data entry specialist. Kelly receives emails that contain all sorts of multimedia attachments as part of her daily duties, which also explains why she receives a ton of spam, spyware, and Trojan horses (among other unwanted and unsolicited items).

Jonas explains to Kelly that she needs more than just a virus scanner to prevent unwanted intrusion or inclusion of undesirable software. What might he suggest Kelly do to create a defense-in-depth strategy on her desktop? At a minimum, added antispyware coverage appears warranted, and it will also be useful to route Kelly’s incoming email through a third-party spam-screening/filtering service (like those from companies such as Spam Arrest, MailWasher, and so forth).

Operational Assurance and Life Cycle Assurance

Assurance is the degree of confidence you can place in the satisfaction of security needs for a computer, network, solution, and so on. It is based on how well a specific system complies with stated security needs and how well it supports the security services it provides. Assurance was discussed in Chapter 12, “Principles of Security Models,” but there is another element of assurance that applies to the Operation Security domain.

The Trusted Computer System Evaluation Criteria (TCSEC) guidelines are used to assign a level of assurance to systems. TCSEC, or the Orange Book, also defines two additional types or levels of assurance: operational assurance and life cycle assurance. As you are aware, TCSEC was replaced by the Common Criteria in October 2002. It is, however, important to be aware of TCSEC-related material simply as a means to convey concepts and theories about security evaluation. Thus, you don’t need to know the complete details of these two assurance levels, but you should be familiar with a few specific issues.

Operational assurance focuses on basic features and architecture of systems that lend themselves to supporting security. There are five requirements or elements that apply to operational assurance:

  • System architecture. (We discuss system architecture in Chapter 7, “Data and Application Security Issues” in the sections on distributed environments, object request brokers, Microsoft component models, DBMS architecture, and other applications.)
  • System integrity. (For more information, see the section “Protection Mechanisms” in Chapter 11, and also see Chapter 12.)
  • Covert channel analysis. (For more information, see Chapter 12.)
  • Trusted facility management. (Check out Chapter 19, “Physical Security Requirements,” for information about trusted facility management.)
  • Trusted recovery. (We cover this subject later in this chapter.)

Life cycle assurance focuses on the controls and standards that are necessary to design, build, and maintain a system. The following items represent the four requirements or elements for life cycle assurance:

  • Security testing
  • Design specification and testing
  • Configuration management
  • Trusted distribution

Backup Maintenance

Backing up critical information is essential to maintaining the availability and integrity of data. Systems fail for various reasons, such as hardware failure, physical damage, software corruption, or malicious destruction from intrusions and attacks. Providing ready access to a reliable backup is the best form of assurance that data on an affected system is not permanently lost. Without a backup, it is often impossible to restore data to its pre-disaster state. A backup can be considered reliable only if it is periodically tested and routinely maintained. Testing involves restoring files from backup media, then checking their integrity to ensure that they’re readable and correct.

Backups are an essential part of maintaining operations security and are discussed further in Chapter 16, “Disaster Recovery Planning.”

Changes in Workstation/Location

You can use changes in a user’s workstation or in their physical location within an organization to improve or maintain security. Similar to job rotation, changing a user’s workstation prevents a user from altering the system or installing unapproved software because the next person to use the system is likely to discover it.

Having nonpermanent workstations encourages users to keep all materials stored on network servers, where they can be easily protected, overseen, and audited. It also discourages storing personal information on the system as a whole. A periodic change in the physical location of a user’s workspace can also deter collusion because employees are less likely to be able to convince colleagues with whom they’re not familiar to perform unauthorized or illegal activities.

Preventing Bad Behavior

Preventive controls are crucial in the workplace, especially where sensitive data is involved. You can always instruct employees not to act on information in an illicit or illegal manner, but you cannot be sure they will always follow through. A preventive control can help you steer employees into behaving correctly and at the very least hold them accountable if they do misbehave on the system.

Lindsey is responsible for processing large volumes of privileged client information as part of her job description. Periodically, her activities and access to certain information change, but her role and responsibility remain constant. Michael, a system administrator who oversees workstation and responsibility rotation, cannot seem to adequately explain why her contact with sensitive information dictates this rotation cycle.

How might you approach the subject and explain to Lindsey that she isn’t being punished for any of her actions and that this is a necessary and vital security function? You might point out the exposure that could result from unintended disclosure, set up two accounts (one for everyday, routine office work and the other for handling client data only), and point out that a judicious separation of roles protects everybody and makes her own job both safer and easier. In particular, you might point out how rotation prevents Lindsey and those around her from falling into predictable, everyday habits or behaviors that might create opportunities to compromise security. Change not only does a body good, but it also helps prevent falling into ruts that could pose potential security problems.

Also consider controlling portable installation media at every critical junction on the network, wherever there is a user with a PC serving as a potential vector for viral outbreak. Removable media devices are relatively cheap, generously capacious, and easily portable, which makes them a perfect vehicle to transmit digital disease and pestilence. Create choke points to deliberately restrict or obstruct use of removable media on specified workstations where there’s no removable storage, then require users to work on such machines to create a better barrier against viral attack.

Removable storage media and drives vary widely among computing environments and include USB-based flash drives, memory cards and memory card readers, floppy drives and Zip disks (where applicable), CD/DVD drives, and self-contained storage units generally known as external storage drives (network attached, USB attached, eSATA or FireWire attached, and otherwise).

Need to Know and the Principle of Least Privilege

Need to know and the principle of least privilege are two standard axioms in high-security environments. A user must have a need to know to gain access to data or resources. Even if that user has an equal or greater security classification than the requested information, without a need to know, they are denied access. A need to know is the requirement to have access to, knowledge about, or possession of data or a resource to perform specific work tasks. The principle of least privilege is the notion that, in a secure environment, users should be granted the least amount of access possible to be able to complete their work tasks.

Periodic Reviews of User Account Management

Many administrators utilize periodic reviews of user account management to revisit and maintain processes and procedures employed by the administrative staff in supporting users. Such reviews should include examining how well the principle of least privilege is enforced, whether inactive accounts are still in use, whether out-of-use accounts have been disabled or deleted, and whether or not all current practices are approved by management and consistent with current security policies.

Reviewing user account management typically does not address whether some specific password conforms to stated company password policy. That issue is addressed by enrollment tools, password policies, and periodic penetration testing or ethical hacking.
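The review questions listed above (least privilege, inactive accounts, accounts that should have been disabled, and whether each account fits an approved role) can be run mechanically over an account inventory. The following is an added example, not code from the book; the account records, the role-to-privilege matrix, and the 90-day inactivity threshold are constructed assumptions.

```python
"""Periodic user-account review over constructed account records (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class Account:
    name: str
    role: str
    enabled: bool
    last_logon: Optional[date]      # None means the account has never been used
    privileges: FrozenSet[str]


# Constructed stand-in for the management-approved access model: the most a role may hold.
ROLE_PRIVILEGES = {
    "data_entry": frozenset({"crm:read", "crm:write"}),
    "operator": frozenset({"backup:run", "service:restart"}),
    "admin": frozenset({"backup:run", "service:restart", "user:manage", "audit:read"}),
}

Finding = Tuple[str, str, List[str]]   # (account, finding code, detail)


def review(accounts: List[Account], today: date,
           inactive_after: timedelta = timedelta(days=90)) -> List[Finding]:
    """Return one finding per review question an account fails."""
    findings: List[Finding] = []
    for a in accounts:
        allowed = ROLE_PRIVILEGES.get(a.role)
        if allowed is None:
            # A role nobody approved cannot be checked against the access model.
            findings.append((a.name, "unapproved-role", [a.role]))
            continue
        excess = a.privileges - allowed
        if excess:
            # Least privilege violated: rights beyond what the role needs.
            findings.append((a.name, "excess-privilege", sorted(excess)))
        if a.enabled:
            if a.last_logon is None:
                findings.append((a.name, "never-used", []))
            elif today - a.last_logon > inactive_after:
                # Still enabled although nobody has used it within the window.
                findings.append((a.name, "inactive-enabled", [a.last_logon.isoformat()]))
    return findings


def demo() -> List[Finding]:
    """Run the review against a small constructed inventory."""
    today = date(2024, 6, 1)
    accounts = [
        Account("kelly", "data_entry", True, date(2024, 5, 30),
                frozenset({"crm:read", "crm:write"})),
        Account("jonas", "admin", True, date(2024, 5, 31),
                frozenset({"backup:run", "service:restart", "user:manage", "audit:read"})),
        # Data-entry account that accumulated an admin right and went stale.
        Account("contractor7", "data_entry", True, date(2024, 1, 15),
                frozenset({"crm:read", "crm:write", "user:manage"})),
        # Service account created but never logged on.
        Account("svc_legacy", "operator", True, None, frozenset({"backup:run"})),
        # Correctly disabled after departure: no finding.
        Account("former_emp", "operator", False, date(2023, 11, 2),
                frozenset({"backup:run", "service:restart"})),
        # Role that does not appear in the approved model.
        Account("tmp_vendor", "vendor", True, date(2024, 5, 29), frozenset({"crm:read"})),
    ]
    return review(accounts, today)


if __name__ == "__main__":
    for name, code, detail in demo():
        print(f"{name:12} {code:18} {' '.join(detail)}")
```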

It is also important to note that the actions involved in adding, removing, and managing user account settings fall under the purview of the account administrators or operations administrators, not that of a security administrator. However, it is the responsibility of security administrators to set clearances for users in a mandatory access control (MAC) environment.

Privileged Operations Functions

Privileged operations functions are activities that require special access or privileges to be performed within a secured IT environment. In most cases, these functions are restricted to administrators and system operators. Maintaining privileged control over these functions is essential to sustain the system’s security. Many of these functions could be easily exploited to violate confidentiality, integrity, or availability of a system’s assets.

The following list includes some examples of privileged operations functions:

  • Using operating system control commands
  • Configuring interfaces
  • Accessing audit logs
  • Managing user accounts
  • Configuring security mechanism controls
  • Running script/task automation tools
  • Backing up and restoring the system
  • Controlling communication
  • Using database recovery tools and log files
  • Controlling system reboots

Managing privileged access is an important part of keeping security under control. In addition to restricting privileged operations functions, you should employ separation of duties. Separation of duties ensures that no single person has total control over a system’s or environment’s security mechanisms. This is necessary to ensure that no single person can compromise the system as a whole. It can also be called a form of split knowledge. In deployment, separation of duties is enforced by dividing the top- and mid-level administrative capabilities and functions among multiple trusted users.

Further control and restriction of privileged capabilities can be implemented by using two-person controls and rotation of duties. Two-person control is the configuration of privileged activities so that they require two administrators to work together to complete a task. The necessity of two operators also confers the benefits of peer review and reduced likelihood of collusion and fraud. Rotation of duties is the security control that involves switching several privileged security or operational roles among several users on a regular basis.

For example, if an organization has divided its administrative activities into six distinct roles or job descriptions, then six or seven people need to be cross-trained for those roles. Each person could work in a specific role for two to three months, and then everyone in the group would switch or rotate into another role. When the organization employs more than the necessary minimum number of trained administrators, each rotation leaves out one person, who can take some vacation time or serve as a fill-in if needed. Using rotation of duties as a security control provides for peer review, reduces collusion and fraud, and enables cross-training. Cross-training makes your environment less dependent on any single individual.

Trusted Recovery

For a secured system, trusted recovery means recovering securely from operation failures or system crashes. The purpose of trusted recovery is to provide assurance that after a failure or crash, the rebooted system is no less secure than it was before that failure or crash occurred.

You must address two elements of the recovery process to implement a trusted solution. The first element is failure preparation. In most cases, this simply means deployment of a reliable backup solution that keeps a current backup of all data. A reliable backup solution also implies that there is a means by which data on the backup media can be restored in a protected and efficient manner. The second element is the process of system recovery. The system should be forced to reboot into a single-user nonprivileged state. This means that the system should reboot so that a normal user account can be used to log in and that the system does not grant unauthorized access to users. System recovery also includes the restoration of all affected files and services actively in use on the system at the time of the failure or crash. Any missing or damaged files are restored, any changes to classification labels corrected, and settings on all security critical files are then verified.

Trusted recovery is a security mechanism discussed in the Common Criteria. The Common Criteria define three types or hierarchical levels of trusted recovery:

Manual recovery An administrator is required to manually perform the actions necessary to implement a secured or trusted recovery after a failure or system crash.

Automated recovery The system itself is able to perform trusted recovery activities to restore a system, but only against a single failure.

Automated recovery without undue loss The system is able to perform trusted recovery activities to restore itself. This level of trusted recovery allows for additional steps to provide verification and protection of classified objects. The additional protection mechanisms may include restoring corrupted files, rebuilding data from transaction logs, and verifying the integrity of key system and security components.

What happens when a system suffers from an uncontrolled trusted computing base (TCB, the processing platforms on which secure processing normally occurs) or media failure? Such failures may compromise the stability and security of the environment, and the only possible response is to terminate the current environment and re-create the environment through rebooting. Related to trusted recovery, an emergency system restart is the feature of a security system that forces an immediate reboot once the system goes down.

Configuration and Change Management Control

Once a system has been properly secured, it is important to keep that security intact. Change in a secure environment can introduce loopholes, overlaps, missing objects, and oversights that can lead to new vulnerabilities. The only way to maintain security in the face of change is to manage change systematically. Typically, this involves extensive logging, auditing, and monitoring of activities related to security controls and mechanisms. The resulting data is then used to identify agents of change, whether objects, subjects, programs, communication pathways, or even the network itself. The means to provide this function is to deploy configuration management control or change management control. Such mechanisms ensure that any alterations or changes to a system do not result in diminished security.

Changes can create unintended side effects causing outages if not properly controlled and managed. For example, suppose an administrator makes a change to one system with the intention of resolving a problem, but that change then affects operability of other systems. This directly affects the A in the CIA triad, availability. Change management processes give various IT experts an opportunity to review proposed changes for unintended side effects before they are implemented and lets them check their work in controlled circumstances before propagating changes into production environments.

Configuration/change management controls provide a process by which all system changes are tracked, audited, controlled, identified, and approved. They require that all system changes undergo a rigorous testing procedure before being deployed in the production environment. They also require documentation of any changes to user work tasks and training for any affected users. Configuration/change management controls should minimize the effect on security from any alteration to the system. They often provide a means to roll back a change if it is found to cause a negative or unwanted effect on the system or on security.

Five steps or phases are involved in configuration/change management control:

1. Applying to introduce a change

2. Cataloging the intended change

3. Scheduling the change

4. Implementing the change

5. Reporting the change to the appropriate parties

When a configuration/change management control solution is enforced, it creates complete documentation for all changes to a system. This provides a trail of information if the change needs to be reversed. It also provides a road map or procedure to follow if the same change is implemented on other systems. When a change is properly documented, such documentation assists administrators in minimizing the negative effects of the change throughout the environment.

Controlling Change

Unauthorized changes (possibly by unauthorized parties) to configurations, installations, or operations necessitate change management controls. Software publishers, hardware vendors, and other involved parties can be adversely affected by unverified or undesirable changes to important system parameters or properties.

A given attack may involve downgrading software to some known vulnerable state or changing critical system properties to introduce a new vulnerability. Attackers may even assert themselves through email correspondence as official representatives to encourage unsuspecting administrators to install trapdoors on their networks.

What sort of integrity checks, preventive measures, and change control might you include to prevent such attacks from succeeding against your network? To begin with, a formal change control mechanism will help document and track valid changes and immediately identify bogus ones as unscheduled and therefore unauthorized. Regular integrity checks like those from programs such as Tripwire can help flag unexpected or unauthorized changes and make it easy to reverse or repair them. Stronger access controls may very well block unauthorized changes from occurring as well.

Configuration/change management control is a mandatory element for some security assurance requirements (SARs) in the ISO Common Criteria, but it’s recommended for all situations. Ultimately, change management improves the security of an environment by protecting implemented security from unintentional, tangential, or malicious diminishments. Those in charge of change management should oversee alterations to every aspect of a system, including hardware configuration and system and application software. It should be included in their design, development, testing, evaluation, implementation, distribution, evolution, growth, operation, and application of modifications.

Change management requires a detailed inventory of every component and configuration. It also requires the collection and maintenance of complete documentation for every system component (including hardware and software) and for everything from configuration settings to security features. This process, called versioning, is the act of using a labeling/numbering system to differentiate between different software sets and configurations across multiple machines or at different points in time on a single machine. Versioning is used to keep track of changes over time to deployed software. Versioning can also be tied in with baselining. The first deployed version of a software set and its configuration can be defined as the baseline. Each subsequent modified version on other systems or on the original system will be assigned unique versioning labels. This process of versioning and baselining provides a form of change documentation and a control tracking system.
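The two ideas above, a Tripwire-style integrity check that flags unscheduled changes as unauthorized and a versioned baseline of a system's configuration, fit together in a single control. The following added example (not the book's code and not Tripwire's) records a baseline manifest of file digests under a version label, then compares the live tree against it and classifies each deviation: paths covered by an approved change record for the new version are expected, everything else is unauthorized. The config directory, file contents and change-record ids are constructed.

```python
"""Baseline manifest plus integrity check with change-record reconciliation (added example)."""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Set


def _digest(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, str]:
    """Map relative path -> SHA-256 for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = _digest(full)
    return manifest


@dataclass
class Baseline:
    version: str                 # versioning label for this configuration set
    files: Dict[str, str]        # path -> digest at the time the baseline was taken


@dataclass
class ChangeRecord:
    """An approved change: the version it produces and the paths it is allowed to touch."""
    cr_id: str
    target_version: str
    approved_paths: Set[str] = field(default_factory=set)


def check(baseline: Baseline, root: str, new_version: str,
          approved: List[ChangeRecord]) -> Dict[str, List[str]]:
    """Compare the live tree with the baseline; split deviations into approved/unauthorized."""
    current = snapshot(root)
    # Only records that were scheduled to produce new_version count as authorization.
    allowed: Set[str] = set()
    for cr in approved:
        if cr.target_version == new_version:
            allowed |= cr.approved_paths
    changed = {p for p, d in current.items() if baseline.files.get(p) != d}  # modified/added
    changed |= {p for p in baseline.files if p not in current}               # deleted
    report: Dict[str, List[str]] = {"approved": [], "unauthorized": []}
    for p in sorted(changed):
        report["approved" if p in allowed else "unauthorized"].append(p)
    return report


def demo() -> Dict[str, List[str]]:
    """Build a constructed config tree, baseline it as 1.0.0, then apply one scheduled
    and one unscheduled change before checking against version 1.0.1."""
    root = tempfile.mkdtemp()

    def write(rel: str, text: str) -> None:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(text)

    write("sshd_config", "PermitRootLogin no\n")
    write("sudoers.d/ops", "%ops ALL=(ALL) /usr/bin/systemctl\n")
    write("cron.d/backup", "0 2 * * * root /usr/local/bin/backup\n")
    base = Baseline("1.0.0", snapshot(root))

    # Constructed change record CR-42: approved to move the host to 1.0.1 by editing cron.d/backup.
    cr = ChangeRecord("CR-42", "1.0.1", {"cron.d/backup"})
    write("cron.d/backup", "0 3 * * * root /usr/local/bin/backup\n")   # the scheduled change
    write("sudoers.d/ops", "%ops ALL=(ALL) NOPASSWD: ALL\n")            # nobody approved this
    os.remove(os.path.join(root, "sshd_config"))                          # nor this deletion
    return check(base, root, "1.0.1", [cr])


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Because the report keys deviations on path rather than content, a reviewer still has to confirm that an approved path changed in the way the change record described; the check only separates scheduled from unscheduled changes.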

Another aspect of configuration and change management control is the management of patches, updates, and service packs. The installation of improvement modules from software and hardware vendors is another form of change that must be controlled. Patch management, vulnerability management, and even update management are additional areas of change that must be audited, reviewed, tested, and approved before they may be applied to production equipment.

Standards of Due Care and Due Diligence

Due care means using reasonable care to protect the interests of an organization. Due diligence is practicing those activities that maintain due care. For example, due care means developing a formalized security structure containing a security policy, standards, baselines, guidelines, and procedures. Due diligence means continued application of this security structure onto the IT infrastructure for an organization. Operational security is the ongoing maintenance of continued due care and due diligence by all responsible parties within an organization.

In today’s business environment, prudence is mandatory: Showing due care and due diligence is the only way to disprove negligence should any losses occur. Likewise, senior management must show due care and due diligence to reduce their culpability and liability if a loss is experienced. Otherwise, senior management could be responsible for monetary damages up to $10 million or twice the gain of the offender for nonperformance of due diligence in accordance with the U.S. Federal Sentencing Guidelines of 1991.

Privacy and Protection

Privacy means protecting personal information from disclosure to any unauthorized individual or entity. In today’s online world, the line between public and private information is often blurry. For example, is information about your web-surfing habits private or public? Can that information be gathered legally without your consent? And can the gathering organization sell that information for a profit that you don’t share in? In addition, your personal information includes more than information about your online habits; it also includes who you are (name, address, phone, race, religion, age, and so on), your health and medical records, your financial records, and even your criminal or legal records. In general such information falls under the heading of personally identifiable information, aka PII, as described in the NIST publication Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) available online at http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf.

Dealing with privacy is a requirement for any organization that has employees. Thus, privacy is a central issue for all organizations. Protection of privacy should be a core mission or goal set forth in the security policy for any organization. Personnel privacy issues are discussed at greater length in Chapter 17, “Law and Investigations.”

Legal Requirements

Every organization operates within a certain industry and country. Both of these entities impose legal requirements, restrictions, and regulations on the practices of organizations that fall within their realm. These legal requirements can apply to licensed use of software, hiring restrictions, handling of sensitive materials, and compliance with safety regulations.

Complying with all applicable legal requirements is a key part of sustaining security. The legal requirements for an industry and a country (and often also a state and city) must be considered a baseline or foundation upon which the remainder of the security infrastructure is built.

Illegal Activities

Illegal activities are actions that violate some legal restriction, regulation, or requirement. They include fraud, misappropriation, unauthorized disclosure, theft, destruction, espionage, entrapment, and so on. A secure environment should provide mechanisms to hinder illegal activities and provide a means to track them and assign accountability to individuals perpetrating any such offenses.

Preventive control mechanisms include identification and authentication, access control, separation of duties, job rotation, mandatory vacations, background screening, awareness training, least privilege, and many more. Detective mechanisms include auditing, intrusion detection systems, and more.

Record Retention

Record retention is an organizational policy that defines what information is maintained and for how long. In most cases, the records in question are audit trails of user activity. This may include file and resource access, logon patterns, email, and the use of privileges. Note that in some legal jurisdictions, users must also be informed that their activities are being tracked.

Depending upon your industry and your relationship with the government, you may need to retain records for three years, seven years, or indefinitely. In most cases, a separate backup mechanism is used to create archived copies of sensitive audit trails and accountability information. This allows the main data backup system to periodically reuse its media without violating the requirement to retain audit trails and the like.

If data about individuals is being retained by your organization (such as a conditional employment agreement or a use agreement), those employees and customers need to be aware of what information is being kept. In many cases, notification is a legal requirement; in others, it is simply a courtesy. In either case, it is a good idea to discuss the issue with appropriate legal counsel.

Sensitive Information and Media

Managing information and media properly—especially in a high-security environment in which sensitive, confidential, or proprietary data is processed—is crucial to the security and stability of an organization. Because the value of the stored data greatly exceeds the cost of the storage media, always purchase media of the highest quality. In addition to media selection, there are several key areas of information and media management that must be addressed: marking, handling, storage, life span, reuse, and destruction. Marking, handling, and storing media and observing its life span ensure the viability of the data on the media. Reuse and destruction focus on destroying the hosted data, not retaining it. Proper marking, handling, storing, and destroying of sensitive information and the media it is housed on are an essential part of maintaining overall organizational security through media management and asset management.

Marking and Labeling Media

Marking media is the simple and obvious activity of clearly and accurately defining its contents. The most important aspect of marking is to indicate the security classification for the data stored on the media so that the media itself can be handled properly. Tapes with unclassified data do not need as much security in their storage and transport as do tapes with classified data. Data labels should be created automatically and stored as part of the backup set on the media.

Additionally, a physical label should be applied to the media and maintained over its entire lifetime. Media used to store classified information should never be reused to store less-sensitive data. Media labels help ensure proper handling of hosted sensitive, classified, or confidential data. All removable media, including tapes, USB drives, floppies, CDs, hard drives, and printouts, should be labeled.

Handling Media

Handling refers to the secured transportation of media from the point of purchase through storage and finally to destruction. Media must be handled in a manner consistent with the classification of the data it hosts. The environment within which media is stored can significantly affect its useful lifetime. For example, warm or dusty environments can damage tape media, shortening its life span. Strong magnetic fields can potentially disturb the contents of magnetic storage drives, physical and chemical delamination can ruin CD or DVD media, and so forth.

Here are some useful guidelines for handling media:

  • To protect new media from dust and dirt, keep it in its original sealed packaging until it is needed.
  • When opening a media package, take extra caution not to damage the media in any way. This includes avoiding sharp objects and not twisting or flexing the media.
  • Avoid exposing the media to temperature extremes; it shouldn’t be stored close to heaters, radiators, air conditioners, or other sources of extreme temperatures.
  • Do not use media that has been damaged, exposed to abnormal levels of dust and dirt, or dropped.
  • Media should be transported from one site to another in a temperature-controlled vehicle.
  • Media should be protected from exposure to the outside environment; avoid sunlight, moisture, humidity, heat, and cold. Always transport media in an airtight, waterproof, secured container.
  • Media should be acclimated for 24 hours before use.
  • Appropriate security should be maintained over media from the point of departure from the backup device to the secured offsite storage facility. Media is vulnerable to damage and theft at any point during transportation.
  • Appropriate security should be maintained over media at all other times (including when it’s reused) throughout the lifetime of the media until destruction.
  • Keep magnetic storage media away from strong magnetic fields and—in the case of sensitive drive electronics—store them in appropriately padded or protective containers.
  • Avoid corrosive chemicals or physical abrasion when handling CD and DVD media, and utilize protective sleeves where possible.
  • Never utilize adhesive tape (that you intend to later remove) on the printed or data-bearing top side of a CD or DVD.

Storing Media

Media should be stored only in a secured location in which the temperature and humidity are controlled, and it should not be exposed to magnetic fields, especially tape media. Elevator motors, printers, and CRT monitors all produce strong magnetic fields. The cleanliness of the storage area will directly affect the life span and usefulness of media. Access to the storage facility should be controlled at all times. Physical security is essential to maintaining the confidentiality, integrity, and availability of backup media.

Managing Media Life Span

All media has a useful life span. Reusable media is subject to a mean time to failure (MTTF) that is usually represented in the number of times it can safely be reused. Most tape backup media can be reused 3 to 10 times. When media is reused, it must be properly cleared. Clearing is a method of sufficiently deleting data on media for reuse in the same secured environment. Purging means erasing the data so the media can be reused in a less-secure environment. Unless absolutely necessary, do not employ media purging. The cost of supplying each classification level with its own media is insignificant compared to the damage that can be caused by unwanted disclosure. If media will neither be archived nor be reused within the same environment, it should be securely destroyed.

Once backup media has reached its MTTF, it should be destroyed. Securely destroying media that contained confidential and sensitive data is just as important as the storage of such media. When media is destroyed, it should be erased properly to remove the residual magnetic traces of data that remain, called data remanence (for magnetic tape, a device called a degausser may be used to erase its contents, but this is not always sufficient to completely purge such media). Once properly purged, media should be physically destroyed to prevent easy reuse and attempted data gleaning through casual (keyboard attacks) or high-tech (laboratory attacks) means. Physical crushing is often sufficient, but incineration may be necessary.
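The reuse rules in this section (a safe reuse count that stands in for MTTF, never reusing media that held classified data for less-sensitive data, and destroying media once its reuse count is exhausted) can be enforced by the media tracking record itself. The following is an added example written for this chapter, not code from the original text; the class and field names, the classification ladder, and the sample tape inventory are assumptions made for the example.

```python
"""Media life-span and reuse tracker (added example, not from the chapter).

Enforces three rules from the text: media has a maximum safe reuse count
(its MTTF), media that held classified data is never reused for
less-sensitive data, and media at its MTTF is flagged for destruction
rather than reuse. Names, levels and the inventory below are assumptions.
"""
from dataclasses import dataclass, field

# Ordered classification levels; a higher index means more sensitive (assumed).
LEVELS = ["unclassified", "confidential", "secret", "top_secret"]


class MediaPolicyError(Exception):
    """Raised when a requested reuse would violate media-handling policy."""


@dataclass
class Medium:
    media_id: str
    max_uses: int                        # MTTF expressed as a safe reuse count
    highest_level: str = "unclassified"  # most sensitive data ever written
    uses: int = 0
    location: str = "media-safe"
    destroyed: bool = False
    history: list = field(default_factory=list)

    def reuse_for(self, level: str, location: str) -> None:
        """Record a new backup written at `level` after checking the policy."""
        if self.destroyed:
            raise MediaPolicyError(f"{self.media_id}: already destroyed")
        if self.uses >= self.max_uses:
            raise MediaPolicyError(f"{self.media_id}: MTTF reached, destroy it")
        if LEVELS.index(level) < LEVELS.index(self.highest_level):
            # Media that held classified data must never carry less-sensitive data.
            raise MediaPolicyError(
                f"{self.media_id}: held {self.highest_level}, cannot hold {level}")
        self.uses += 1
        self.highest_level = level  # the level only ever ratchets upward here
        self.location = location
        self.history.append((self.uses, level, location))

    def due_for_destruction(self) -> bool:
        return not self.destroyed and self.uses >= self.max_uses

    def destroy(self, method: str) -> None:
        self.destroyed = True
        self.location = f"destroyed:{method}"
        self.history.append(("destroyed", method, None))


def run_inventory() -> dict:
    """Walk a constructed tape through a few backup cycles and report results."""
    tape = Medium("TAPE-0001", max_uses=3)
    tape.reuse_for("confidential", "library-slot-4")
    tape.reuse_for("secret", "offsite-vault")
    # Attempted policy violation: reusing secret media for unclassified data.
    try:
        tape.reuse_for("unclassified", "library-slot-4")
        downgrade_blocked = False
    except MediaPolicyError:
        downgrade_blocked = True
    tape.reuse_for("secret", "library-slot-4")   # third and final safe use
    needs_destruction = tape.due_for_destruction()
    try:
        tape.reuse_for("secret", "library-slot-4")  # fourth use: past MTTF
        overuse_blocked = False
    except MediaPolicyError:
        overuse_blocked = True
    tape.destroy("incineration")
    return {
        "uses": tape.uses,
        "downgrade_blocked": downgrade_blocked,
        "needs_destruction": needs_destruction,
        "overuse_blocked": overuse_blocked,
        "destroyed": tape.destroyed,
    }


if __name__ == "__main__":
    print(run_inventory())
```

The `highest_level` field is deliberately a ratchet: once a tape has carried secret data it is treated as secret media for the rest of its life, which is exactly why the text advises giving each classification level its own media rather than purging for downgrade.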

Preventing Disclosure via Reused Media

Preventing disclosure of information from backup media is an important aspect of maintaining operational security. Disclosure prevention must occur at numerous instances in the life span of media. It must be addressed upon every reuse in the same secure environment, upon every reuse in a different or less-secure environment, upon removal from service, and upon destruction. Addressing this issue can take many forms, including erasing, clearing, purging, declassification, sanitization, degaussing, and destruction:

Erasing Erasing media is simply performing a delete operation against a file, a selection of files, or the entire media. In most cases, the deletion or removal process removes only the directory or catalog link to the data. The actual data remains on the drive. The data will remain on the drive until it is overwritten by other data or properly removed from the media.

Clearing Clearing, or overwriting, is a process of preparing media for reuse and assuring that the cleared data cannot be recovered by ordinary means (keyboard attacks). When media is cleared, unclassified data is written over specific locations or over the entire media where classified data was stored. Often, the unclassified data is strings of 1s and 0s. The clearing process typically prepares media for reuse in the same secure environment, not for transfer to other environments.

Purging Purging is a more intense form of clearing that prepares media for reuse in less-secure environments. Depending on the classification of the data and the security of the environment, the purging process is repeated 7 to 10 times to provide assurance against data recovery via laboratory attacks.

Declassification Declassification involves any process that clears media for reuse in less-secure environments. In most cases, purging is used to prepare media for declassification, but most of the time, the cost of the effort required to securely declassify media is significantly greater than the cost of new media for the less-secure environment.

Sanitization Sanitization is any number of processes that prepares media for destruction. It ensures that data cannot be recovered by any means from destroyed or discarded media. Sanitization can also be the actual means by which media is destroyed. Media can be sanitized by purging or degaussing without being physically destroyed. Sanitization methods that result in the physical destruction of the media include incineration, crushing, and shredding.

Degaussing Degaussing magnetic media returns it to its original pristine, unused state. It occurs by subjecting the media to strong magnetic fields that return it to the same condition it enjoyed immediately after manufacture. This technique returns only magnetic tape to a reusable state, however; degaussing a hard disk erases the drive's factory-written servo information along with the data and renders the drive inoperable, so for hard disks it is a destruction method rather than a preparation for reuse.


Be careful when performing any type of sanitization, clearing, or purging process. It is possible that the human operator or the tool involved in the activity may not properly perform its task of removing data from the media. Software can be flawed, magnets can be faulty, and either can be used improperly. Always verify that the desired result is achieved after performing any sanitization process.
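The difference between erasing and clearing, and the verification step the note above calls for, is easiest to see on a miniature model of a disk in which a delete only removes the catalog entry. The following is an added example written for this chapter, not code from the original text; the block size, the catalog layout and the sample payroll record are assumptions made for the example.

```python
"""Erasing versus clearing, with verification (added example, not from the chapter).

A tiny disk is modelled as a byte array plus a catalog mapping file names to
block ranges. `erase` drops the catalog entry and leaves the bytes alone, as an
ordinary delete does; `clear` overwrites the blocks and then deletes the entry;
`verify_gone` scans the raw media for the sensitive content, the way a casual
(keyboard) attacker would. Layout, block size and sample data are assumptions.
"""
import os

BLOCK_SIZE = 16


class SimDisk:
    def __init__(self, blocks: int):
        self.raw = bytearray(blocks * BLOCK_SIZE)
        self.catalog = {}            # name -> (first_block, block_count)
        self.free = list(range(blocks))

    def write_file(self, name: str, data: bytes) -> None:
        nblocks = -(-len(data) // BLOCK_SIZE)   # ceiling division
        if nblocks > len(self.free):
            raise OSError("disk full")
        first = self.free[0]
        del self.free[:nblocks]                 # simple contiguous allocation
        padded = data.ljust(nblocks * BLOCK_SIZE, b"\x00")
        self.raw[first * BLOCK_SIZE:(first + nblocks) * BLOCK_SIZE] = padded
        self.catalog[name] = (first, nblocks)

    def erase(self, name: str) -> None:
        """Ordinary delete: forget where the file was, leave the bytes as they are."""
        first, nblocks = self.catalog.pop(name)
        self.free.extend(range(first, first + nblocks))

    def clear(self, name: str, passes: int = 1) -> None:
        """Overwrite the file's blocks, then delete it. Earlier passes use random
        data; the final pass writes zeros so the blocks look like unused media."""
        first, nblocks = self.catalog[name]
        start, end = first * BLOCK_SIZE, (first + nblocks) * BLOCK_SIZE
        for i in range(passes):
            last = i == passes - 1
            self.raw[start:end] = bytes(end - start) if last else os.urandom(end - start)
        self.erase(name)

    def verify_gone(self, needle: bytes) -> bool:
        """Independent check after sanitization: is the sensitive content
        still present anywhere on the raw media?"""
        return needle not in bytes(self.raw)


def demonstrate() -> dict:
    secret = b"SSN=123-45-6789 CLASS=SECRET"   # constructed sample record
    erased_disk, cleared_disk = SimDisk(8), SimDisk(8)
    for disk in (erased_disk, cleared_disk):
        disk.write_file("payroll.dat", secret)

    erased_disk.erase("payroll.dat")
    cleared_disk.clear("payroll.dat", passes=3)
    return {
        "erase_unlisted": "payroll.dat" not in erased_disk.catalog,
        "erase_remanence": not erased_disk.verify_gone(secret),   # data still on disk
        "clear_verified": cleared_disk.verify_gone(secret),
    }


if __name__ == "__main__":
    print(demonstrate())
```

The verification scan is deliberately a separate routine from the overwrite: it checks the result rather than trusting that the tool ran, which is the point of the note above. On real media the equivalent is reading the device back after the sanitization tool reports success.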

Destruction Destruction is the final stage in the life cycle of backup media. Destruction should occur after proper sanitization or as a means of sanitization. When media destruction takes place, you must ensure that the media cannot be reused or repaired and that data cannot be extracted from the destroyed media by any possible means. Methods of destruction can include incineration, crushing, shredding, and dissolving using caustic or acidic chemicals.


When donating or selling used computer equipment, it is usually recommended that you remove and destroy storage devices rather than attempting to purge or sanitize them. If sanitization processes are used, perform a secure erasure with an appropriate number of passes. Better still, take advantage of incineration services for storage media.

Security Control Types

You can use several methods to classify security controls. A classification may be based on the nature of the control, such as administrative, technical/logical, or physical. It may also be based on the action or objective of the control, such as directive, preventive, detective, corrective, and recovery. Some controls can have multiple action/objective classifications:

Directive control A directive control is a security tool used to guide the security implementation of an organization. Examples of directive controls include security policies, standards, guidelines, procedures, laws, and regulations. The goal or objective of directive controls is to cause or promote a desired result.

Preventive control A preventive control is a security mechanism, tool, or practice that can deter or mitigate undesired actions or events. Preventive controls are designed to stop or reduce the occurrence of various crimes, such as fraud, theft, destruction, embezzlement, espionage, and so on. They are also designed to avert common human failures such as errors, omissions, and oversights. Preventive controls are designed to reduce risk. Although not always the most cost effective, they are preferred over detective or corrective controls from the perspective of maintaining security.

Stopping an unwanted or unauthorized action before it occurs results in a more secure environment than detecting and resolving problems after they do occur. Examples of preventive controls include firewalls, authentication methods, access controls, antivirus software, data classification, separation of duties, job rotation, risk analysis, encryption, warning banners, data validation, prenumbered forms, checks for duplications, and account lockouts.

Detective control A detective control is a security mechanism used to verify the success of directive and preventive controls. Detective controls actively search for both violations of the security policy and actual crimes. They are used to identify attacks and errors so that appropriate action can be taken. Examples of detective controls include audit trails, logs, closed-circuit television (CCTV), intrusion detection systems, penetration testing, password crackers, performance monitoring, and cyclic redundancy checks (CRCs).

Corrective control Corrective controls are instructions, procedures, or guidelines used to mitigate the effects of an unwanted activity, such as attacks and errors. Examples of corrective controls include manuals, procedures, malware cleanup, logging and journaling, incident handling, and fire extinguishers.

Recovery control A recovery control is used to return affected systems back to normal operations after an attack or an error has occurred. Examples of recovery controls include system restoration, backups, rebooting, key escrow, insurance, redundant equipment, fault-tolerant systems, failover, checkpoints, and contingency plans.

Operations Controls

Operations controls are the mechanisms and daily procedures that provide protection for systems. They are typically security controls that must be implemented or performed by people rather than automated by the system. Most operations controls are administrative in nature, but they also include some technical or logical controls.

When possible, operations controls should be invisible or transparent to users. The less a user sees the security controls, the less likely they will think that security is hampering their productivity. Likewise, the less users know about the security of a system, the less likely it is that they will be able to circumvent it.

Resource Protection

Operations controls for resource protection are designed to provide security for resources in an IT environment. Resources are those hardware, software, and data assets that make up an organization’s IT infrastructure. To maintain confidentiality, integrity, and availability of hosted assets, resources must also be protected.

When designing a protection scheme for resources, keep the following aspects or elements of the IT infrastructure in mind:

  • Communication hardware/software
  • Boundary devices
  • Processing equipment
  • Password files
  • Application program libraries
  • Application source code
  • Vendor software
  • Operating systems
  • System utilities
  • Directories and address tables
  • Proprietary packages
  • Main storage
  • Removable storage
  • Sensitive/critical data
  • System logs/audit trails
  • Violation reports
  • Backup files and media
  • Sensitive forms and printouts
  • Isolated devices, such as printers and faxes
  • Telephone network

Privileged Entity Controls

Another aspect of operations controls is privileged entity controls. A privileged entity is an administrator or system operator who has access to special, higher-order functions and capabilities inaccessible to normal users. Privileged entity access is required for many administrative and control job tasks, such as creating new user accounts, adding new routes to a router table, or altering the configuration of a firewall.

Privileged entity access can include system commands, system control interfaces, system log/audit files, and special control parameters. Access to privileged entity controls should be restricted and audited to prevent the usurping of power by unauthorized users.
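Auditing privileged entity access in practice means reviewing the record of privileged commands against the list of accounts authorized to use them. The following is an added example written for this chapter, not code from the original text. It parses the standard syslog line format that sudo writes and applies two checks: a privileged command from an account not on the authorized list is a violation, and any use of a high-impact command (account creation, route changes, firewall changes, as in the examples above) is reported for review even from an authorized account. The authorized-user list, the high-impact command set and the log lines are constructed for the example.

```python
"""Reviewing privileged-entity activity from sudo logs (added example, not from the chapter).

Parses sudo's standard syslog command records and flags (a) privileged commands
from accounts not authorized for privileged access and (b) high-impact commands
from authorized accounts, for human review. The policy sets and the sample log
lines are constructed for this example.
"""
import re
from dataclasses import dataclass

# Matches e.g.:
# Mar 10 09:12:41 db01 sudo: ops-alice : TTY=pts/0 ; PWD=/home/x ; USER=root ; COMMAND=/bin/ls
SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssudo:\s+(?P<user>\S+)\s:\s"
    r"(?:TTY=(?P<tty>\S+)\s;\s)?PWD=(?P<pwd>\S+)\s;\sUSER=(?P<runas>\S+)\s;\s"
    r"COMMAND=(?P<cmd>.*)$"
)

# Assumed operations policy for this example.
AUTHORIZED_PRIVILEGED = {"ops-alice", "ops-bob"}
HIGH_IMPACT = {"/usr/sbin/useradd", "/usr/sbin/usermod", "/sbin/ip",
               "/sbin/iptables", "/usr/sbin/visudo"}


@dataclass(frozen=True)
class Finding:
    severity: str   # "violation" or "review"
    user: str
    host: str
    command: str
    reason: str


def parse(line: str):
    """Return the fields of a sudo command record, or None for other lines."""
    m = SUDO_LINE.match(line)
    return m.groupdict() if m else None


def review(lines):
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue   # session open/close and other non-command lines
        binary = rec["cmd"].split()[0]
        if rec["user"] not in AUTHORIZED_PRIVILEGED:
            findings.append(Finding("violation", rec["user"], rec["host"], rec["cmd"],
                                    "privileged command from unauthorized account"))
        elif binary in HIGH_IMPACT:
            findings.append(Finding("review", rec["user"], rec["host"], rec["cmd"],
                                    "high-impact privileged command"))
    return findings


# Constructed sample log; hosts, users and addresses are fictitious.
SAMPLE_LOG = """\
Mar 10 09:12:41 db01 sudo: ops-alice : TTY=pts/0 ; PWD=/home/ops-alice ; USER=root ; COMMAND=/bin/systemctl restart postgresql
Mar 10 09:15:02 db01 sudo: ops-alice : TTY=pts/0 ; PWD=/home/ops-alice ; USER=root ; COMMAND=/usr/sbin/useradd -m report-svc
Mar 10 09:15:02 db01 sudo: pam_unix(sudo:session): session opened for user root by ops-alice(uid=0)
Mar 10 11:40:19 fw01 sudo: jdoe : TTY=pts/2 ; PWD=/home/jdoe ; USER=root ; COMMAND=/sbin/iptables -I INPUT -s 203.0.113.5 -j ACCEPT
Mar 10 12:01:55 db01 sudo: ops-bob : TTY=pts/1 ; PWD=/var/log ; USER=root ; COMMAND=/usr/bin/tail -n 200 /var/log/auth.log
"""


if __name__ == "__main__":
    for f in review(SAMPLE_LOG.splitlines()):
        print(f"{f.severity:9} {f.user}@{f.host}: {f.command}  ({f.reason})")
```

Routine privileged commands from authorized operators (the restart and the log read above) produce no finding, so the reviewer's attention goes to the two lines that matter: a firewall change by an account outside the privileged group, and an account creation that is authorized but should still be tied to a change record.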

Hardware Controls

Hardware controls are another part of operations controls. Hardware controls focus on restricting and managing access to the IT infrastructure hardware. In many cases, periodic maintenance, error/attack repair, and system configuration changes require direct physical access to hardware. An operations control to manage access to hardware is a form of a physical access control. All personnel who are granted access to the physical components of the system must have authorization. It is also a good idea to provide supervision while third parties perform any hardware operations.

Other issues related to hardware controls include managing maintenance accounts and port controls. Maintenance accounts are predefined default accounts that are installed on hardware (and in software) with preset and widely known passwords. These accounts should be renamed and assigned a strong password, or disabled outright if they are not needed. Many hardware devices have diagnostic or configuration/console ports. They should be accessible only to authorized personnel, and if possible, they should be disabled when not in use for approved maintenance operations.

Input/Output Controls

Input and output controls are mechanisms used to protect the flow of information into and out of a system. These controls also protect applications and resources by preventing invalid, oversized, or malicious input from causing errors or security breaches.

Output controls restrict the data that is revealed to users by restricting content based on subject classification and the security of the communication’s connection.

Input and output controls are not limited to technical mechanisms; they can also be physical controls (for example, restrictions against bringing memory flashcards, USB flash drives, printouts, floppy disks, CD-Rs, and so on into or out of secured areas).
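The technical side of input and output controls described above can be shown on a small record-lookup function: the input control rejects oversized, malformed or wrongly typed input before it reaches the application, and the output control releases each field only when the subject's clearance dominates the field's classification, with a further cap when the connection is not protected. The following is an added example written for this chapter, not code from the original text; the field names, classification levels, length limit and sample record are assumptions made for the example.

```python
"""Input and output controls for a record lookup (added example, not from the chapter).

validate_query is the input control: type, length and allowlist-format checks,
in that order, so an oversized payload is discarded before any pattern matching.
filter_output is the output control: a field is released only if the subject's
clearance dominates its classification, and an unprotected connection caps the
release at 'internal' regardless of clearance. Levels, fields, the length limit
and the sample record are assumptions for this example.
"""
import re

LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}
MAX_QUERY_LEN = 32
EMPLOYEE_ID = re.compile(r"^E[0-9]{4,6}$")

# Assumed classification of each output field.
FIELD_CLASS = {"employee_id": "public", "name": "internal",
               "phone": "confidential", "salary": "secret", "medical": "secret"}

# Constructed sample data store.
RECORDS = {
    "E10042": {"employee_id": "E10042", "name": "J. Smith", "phone": "555-0142",
               "salary": 91000, "medical": "none on file"},
}


class InputRejected(ValueError):
    """Raised by the input control; the application never sees the bad input."""


def validate_query(raw) -> str:
    if not isinstance(raw, str):
        raise InputRejected("query must be a string")
    if len(raw) > MAX_QUERY_LEN:
        raise InputRejected("query too long")
    query = raw.strip()
    if not EMPLOYEE_ID.fullmatch(query):
        raise InputRejected("query is not a well-formed employee id")
    return query


def filter_output(record: dict, clearance: str, channel_encrypted: bool) -> dict:
    ceiling = LEVELS[clearance]
    if not channel_encrypted:
        # Even a cleared subject gets nothing above 'internal' on an open link.
        ceiling = min(ceiling, LEVELS["internal"])
    return {k: v for k, v in record.items() if LEVELS[FIELD_CLASS[k]] <= ceiling}


def lookup(raw_query, clearance: str, channel_encrypted: bool) -> dict:
    """Apply the input control, fetch the record, then apply the output control."""
    query = validate_query(raw_query)
    record = RECORDS.get(query)
    if record is None:
        return {}
    return filter_output(record, clearance, channel_encrypted)


if __name__ == "__main__":
    print(lookup("E10042", "secret", channel_encrypted=True))
    print(lookup("E10042", "secret", channel_encrypted=False))
    print(lookup("E10042", "confidential", channel_encrypted=True))
```

The order of checks in `validate_query` is the practical detail: the length check precedes the regular expression so that a very large input is rejected cheaply, and the allowlist pattern means anything that is not an employee id (an injection string, a path, a control character) is refused without the application having to enumerate bad cases.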

Application Controls

Application controls are designed into software applications to minimize and detect operational irregularities. They limit an end user’s use of applications so that only particular screens, records, and data are visible and only specific authorized functions enabled. Monitoring and auditing can then focus on particular uses of applications with potential security implications. Application controls are transparent to endpoint applications, so changes are not required to the applications involved.

Some applications include integrity verification controls, much like those employed by database management systems (DBMSs). These controls look for evidence of data manipulation, errors, and omissions. These types of controls are considered application controls (that is, internal controls) rather than software management controls (that is, external controls).

Media Controls

Media controls revisit topics discussed in the section “Sensitive Information and Media” earlier in this chapter. Media controls must encompass the marking, handling, storage, transportation, and destruction of media such as floppies, memory cards, hard drives, backup tapes, CD-Rs, CD-RWs, and so on. A tracking mechanism should be used to record and monitor the location and uses of media. Secured media should never leave the boundaries of the secured environment. Likewise, any media brought into a secured environment should not contain viruses, malicious code, or other unwanted code elements, and that media should never leave the secured environment except after proper sanitization or destruction.

Administrative Controls

Operations controls include many of the administrative controls that we have already discussed numerous times, such as separation of duties and responsibilities, rotation of duties, least privilege, and so on. However, in addition to these controls, you must consider how the maintenance of hardware and software is performed.

When assessing controls used to manage and sustain hardware and software maintenance, here are key issues to ponder:

  • Are program libraries properly restricted and controlled?
  • Is version control or configuration management enforced?
  • Are all components of a new product properly tested, documented, and approved prior to release to production?
  • Are the systems properly hardened? Hardening a system involves removing unnecessary processes, segregating interprocess communications, and reducing executing privileges to increase system security.

Personnel Controls

No matter how much effort, expense, and expertise you put into physical access control and logical/technical security mechanisms, you will always have to deal with people. In fact, people are both your last line of defense and your worst security management issue. People are vulnerable to a wide range of technical and social attacks, and they can intentionally violate security policy and attempt to circumvent physical and logical/technical security controls. Because of this, you must endeavor to employ only those people who are entirely trustworthy.

Security controls to manage personnel are considered a type of administrative control. These controls and issues should be clearly outlined in your security policy and followed as closely as possible. Failing to employ strong personnel controls may render all other security efforts worthless.

The first type of personnel controls occur in the hiring process. To hire a new employee, you must first know what position needs to be filled. This requires creating a detailed job description. The job description should outline the work tasks and responsibilities for the position, which in turn dictates the access and privileges needed in the environment. Furthermore, the job description defines the knowledge, skill, and experience level required for the position. Only after the job description has been created can you begin screening applicants.

The next step in using personnel controls is selecting the best person for the job. In terms of security, this means the most trustworthy. Often trustworthiness is determined through employment candidate screening, including a thorough background check and reference verification, employment history verification, and education and certificate verification. This process could even include credit checks and FBI background checks.

Once a person has been hired, personnel controls should be deployed to continue to monitor and evaluate their work. Personnel controls monitoring activity should be deployed for all employees, not just new ones. These controls can include access audit and review, validation of security clearances, periodic skills assessment, supervisory employee ratings, and supervisor oversight and review.

Often companies employ a policy of mandatory vacations in one- or two-week increments. Such a tool removes the employee from the environment and allows another cross-trained employee to perform their work tasks during the interim. This activity serves as a form of peer review, providing a means to detect fraud and collusion. At any time, if an employee is found to be in violation of the security policy, they should be properly reprimanded and warned. If an employee continues to commit violations, they should be terminated.

Finally, there are personnel controls that govern the termination process. When an employee is to be fired, an exit interview should be conducted. For the exit interview, the soon-to-be-released employee is brought to a manager’s office for a private meeting. This meeting is designed to remove them from their workspace and to minimize the effect of the firing activity on other employees. The meeting usually consists of the employee, a manager, and a security guard. The security guard acts as a witness and as a protection agent. The exit interview should be coordinated with the security administration staff so that just as the exit interview begins, the employee’s network and building access is revoked. During an exit interview, the employee is reminded of their legal obligations to comply with any nondisclosure agreements and not to disclose any confidential data. The employee must return all badges, keys, and other company equipment on their person.

Once the exit interview is complete, the security guard escorts the terminated employee out of the facility and possibly even off the grounds. If the ex-employee has any company equipment at home or at some other location, the security guard should accompany the ex-employee to recover those items. The purpose of an exit interview is primarily to reinforce the nondisclosure issue, but it also serves the purpose of removing the ex-employee from the environment, having all access removed and devices returned, and preventing or minimizing any retaliatory activities because of the termination.

In addition to processes used to evaluate personnel security for internal employees, you must consider the temporary and external worker. Your screening process should include procedures focusing on vendor, consultant, and contractor controls as well as part-time staff, temporary workers, interns, and volunteers. Leave no individual with physical or logical access to your organization outside the realm of focused security scrutiny.

Summary

Many areas of day-to-day operations are susceptible to security breaches. Therefore, all standards, guidelines, and procedures should clearly define personnel management practices. Important aspects of personnel management include antivirus management and operations security.

Personnel management is a form of administrative control or administrative management. You must include clearly defined personnel management practices in your security policy and subsequent formalized security documentation. From a security perspective, personnel management focuses on three main areas: hiring practices, ongoing job performance, and termination procedures.

Operations security consists of controls to maintain security in an office environment from design to deployment. Such controls include hardware, media, and subject (user) controls that are designed to protect against asset threats. Because viruses are the most common form of security breach in the IT world, managing a system’s antivirus protection is one of the most important aspects of operations security.

Any communications pathway, such as email, websites, documents, and even commercial software, can and will be exploited as a delivery mechanism for a virus or other malicious code. Antivirus management is the design, deployment, and maintenance of an antivirus solution for your IT environment.

Backing up critical information is a key part of maintaining the availability and integrity of data and an essential part of maintaining operations security. Having a reliable backup is the best form of insurance that the data on the affected system is not permanently lost.

Changes in a user’s workstation or their physical location within an organization can be used as a means to improve or maintain security. When a user’s workstation is changed, the user is less likely to alter the system or install unapproved software because the next person to use the system would most likely be able to discover it.

The concepts of need to know and the principle of least privilege are two important aspects of a high-security environment. A user must have a need to know to gain access to data or resources. To comply with the principle of least privilege, users should be granted the least amount of access to the secure environment as possible for them to be able to complete their work tasks.

Activities that require special access or privilege to perform within a secured IT environment are considered privileged operations functions. Such functions should be restricted to administrators and system operators.

Due care is performing reasonable care to protect the interest of an organization. Due diligence is practicing the activities that maintain the due care effort. Operational security is the ongoing maintenance of continued due care and due diligence by all responsible parties within an organization.

Another central issue for all organizations is privacy, which means providing protection of personal information from disclosure to any unauthorized individual or entity. The protection of privacy should be a core mission or goal set forth in an organization’s security policy.

It’s also important that an organization operate within the legal requirements, restrictions, and regulations of its country and industry. Complying with all applicable legal requirements is a key part of sustaining security.

Illegal activities are actions that violate a legal restriction, regulation, or requirement. Fraud, misappropriation, unauthorized disclosure, theft, destruction, espionage, and entrapment are all examples of illegal activities. A secure environment should provide mechanisms to prevent the committal of illegal activities and the means to track illegal activities and maintain accountability from the individuals perpetrating the crimes.

In a high-security environment where sensitive, confidential, and proprietary data is processed, managing information and media properly is crucial to the environment’s security and stability.

There are four key areas in information and media management: marking, handling, storage, and destruction. Record retention is the organizational policy that defines what information is maintained and for how long. If your organization retains data about individuals, the employees or customers must be informed about what is being kept and for how long.

The classification of security controls can be based on their nature, such as administrative, technical/logical, or physical. It can also be based on the action or objective of the control, such as directive, preventive, detective, corrective, and recovery.

Operations controls are the mechanisms and daily procedures that provide protection for systems. They are typically security controls that must be implemented or performed by people rather than automated by the system. Most operations controls are administrative in nature, but as you can see from the following list, they also include some technical or logical controls:

  • Resource protection
  • Privileged-entity controls
  • Change control management
  • Hardware controls
  • Input/output controls
  • Media controls
  • Administrative controls
  • Trusted recovery process

Exam Essentials

Understand that personnel management is a form of administrative control, also called administrative management. You must clearly define personnel management practices in your security policy and subsequent formal security structure documentation. Personnel management focuses on three main areas: hiring practices, ongoing job performance, and termination procedures.

Understand antivirus management. Antivirus management includes the design, deployment, and maintenance of an antivirus solution for your IT environment.

Know how to prevent unrestricted installation of software. To provide a virus-free environment, you should rigidly control the installation of software. This includes allowing users to install and execute only company-approved and company-distributed software as well as thoroughly testing and scanning all new software before it is distributed on a production network. Even commercial software has become an inadvertent carrier of viruses.
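The control described above can be enforced mechanically: the security team records the name, version, and SHA-256 digest of each package it has tested and scanned, and the installer refuses anything not on that list. The following Python block is an added example written for this chapter, not code from the study guide; the package contents, the manifest, and the `check_install` helper are constructed for illustration.

```python
import hashlib
import hmac

# Constructed stand-ins for installer files. In a real deployment these are the
# actual package bytes; the manifest below would be produced when the security
# team finishes testing and scanning a release and stored where users cannot
# modify it (ideally signed).
PACKAGES = {
    "editor-2.4.1.pkg": b"approved editor build 2.4.1",
    "editor-2.4.1-repacked.pkg": b"approved editor build 2.4.1 plus an extra payload",
    "game-1.0.pkg": b"unapproved game nobody tested",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Approved-software manifest: one entry per package that has been tested,
# scanned and cleared for distribution. Recording the digest, not just the
# name and version, is what catches a copy that was repackaged after approval.
APPROVED_MANIFEST = {
    "editor": {"version": "2.4.1", "sha256": sha256_hex(PACKAGES["editor-2.4.1.pkg"])},
}


def check_install(name: str, version: str, package: bytes):
    """Return (allowed, reason). Allowed only when the package is on the list,
    the version matches, and the bytes hash to the approved digest."""
    entry = APPROVED_MANIFEST.get(name)
    if entry is None:
        return False, f"{name}: not on the approved-software list"
    if entry["version"] != version:
        return False, f"{name} {version}: only version {entry['version']} is approved"
    if not hmac.compare_digest(sha256_hex(package), entry["sha256"]):
        return False, f"{name} {version}: digest mismatch, package altered since approval"
    return True, f"{name} {version}: approved"


if __name__ == "__main__":
    for name, version, pkg in [
        ("editor", "2.4.1", "editor-2.4.1.pkg"),          # approved build
        ("editor", "2.4.1", "editor-2.4.1-repacked.pkg"),  # same name, altered bytes
        ("editor", "2.5.0", "editor-2.4.1.pkg"),           # version not yet approved
        ("game", "1.0", "game-1.0.pkg"),                   # never approved
    ]:
        allowed, reason = check_install(name, version, PACKAGES[pkg])
        print("ALLOW" if allowed else "DENY ", reason)
```

Note that a name-and-version check alone would have accepted the repackaged copy; only the digest comparison distinguishes the tested build from one that picked up a payload on the way to the user.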

Understand backup maintenance. A key part of maintaining the availability and integrity of data is a reliable backup of critical information. Having a reliable backup is the only form of insurance that the data on a system that has failed or has been damaged or corrupted is not permanently lost.

Know how changes in workstation or location promote a secure environment. Changes in a user’s workstation or physical location within an organization can be used as a means to improve or maintain security. A policy of rotating users among workstations makes it harder for them to alter a system or install unapproved software and encourages them to keep all material on network servers, where it can be easily protected, overseen, and audited.

Understand the need-to-know concept and the principle of least privilege. Need to know and the principle of least privilege are two standard axioms in high-security environments. To gain access to data or resources, a user must have a need to know. If users do not have a need to know, access is denied. The principle of least privilege means that users should be granted only as much access to the secure environment as they need to complete their work tasks and no more.
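The two axioms are easiest to tell apart when each is a separate check in an access decision: clearance and need to know govern whether a subject may see a piece of data at all, and least privilege governs which operations the subject's role is granted on it. The following Python block is an added example for this chapter and Written Lab question 2, not code from the study guide; the classification levels, compartments, roles, users, and the `decide` function are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed policy data for illustration only; the levels, compartments,
# roles and users are assumptions, not taken from the chapter.


@dataclass(frozen=True)
class Resource:
    name: str
    classification: int   # ordinal level: 0 public, 1 internal, 2 confidential, 3 secret
    compartment: str      # need-to-know label, e.g. the project the data belongs to


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: int              # highest classification this person may see
    need_to_know: frozenset     # compartments that this person's work tasks require
    role: str


# Least privilege: each role is granted only the operations its job requires.
ROLE_PERMISSIONS = {
    "payroll_clerk": frozenset({"read"}),
    "payroll_manager": frozenset({"read", "write"}),
}


def decide(subject: Subject, operation: str, resource: Resource):
    """Return (granted, reason). All three checks must pass: clearance alone is
    never sufficient, and need to know never grants extra operations."""
    if subject.clearance < resource.classification:
        return False, f"clearance {subject.clearance} below classification {resource.classification}"
    if resource.compartment not in subject.need_to_know:
        return False, f"no need to know for compartment '{resource.compartment}'"
    if operation not in ROLE_PERMISSIONS.get(subject.role, frozenset()):
        return False, f"role '{subject.role}' is not granted '{operation}' (least privilege)"
    return True, "granted"


# Constructed subjects and resources.
PAYROLL = Resource("payroll-2024.xlsx", 2, "payroll")
MERGER = Resource("acquisition-plan.docx", 2, "mergers")
ALICE = Subject("alice", 3, frozenset({"payroll"}), "payroll_clerk")
DAVE = Subject("dave", 3, frozenset({"payroll"}), "payroll_manager")


if __name__ == "__main__":
    for subj, op, res in [
        (ALICE, "read", PAYROLL),   # granted
        (ALICE, "write", PAYROLL),  # denied: least privilege
        (DAVE, "read", MERGER),     # denied: need to know, despite sufficient clearance
        (DAVE, "write", PAYROLL),   # granted
    ]:
        granted, reason = decide(subj, op, res)
        print(f"{subj.name:6} {op:5} {res.name:22} -> {'ALLOW' if granted else 'DENY'}: {reason}")
```

Dave's clearance is high enough for the merger document, yet the request is denied because his work tasks give him no need to know for that compartment; Alice has a need to know for payroll data, yet cannot write to it because her role was granted only what a clerk requires.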

Understand privileged operations functions. Privileged operations functions are activities that require special access or privileges to be performed within a secured IT environment. For maximum security, such functions should be restricted to administrators and system operators.
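Restricting privileged operations functions to administrators and operators is only half the control; the chapter's exam topics also call for monitoring special privileges, which means reviewing the audit trail for privileged functions performed by anyone else. The following Python block is an added example, not code from the study guide: it parses constructed sudo-style syslog lines, classifies each command into one of the privileged function categories named in Written Lab answer 4 (plus software installation, which the chapter also restricts), and reports any use by an account outside the authorized set. The log lines, the program catalog, and the `AUTHORIZED` set are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in sudo's syslog format (not from a real host).
SAMPLE_LOG = """\
Mar  3 10:02:11 host1 sudo:   admin1 : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/useradd -m bob
Mar  3 10:05:42 host1 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/less /var/log/audit/audit.log
Mar  3 10:07:03 host1 sudo: operator1 : TTY=pts/2 ; PWD=/var/backups ; USER=root ; COMMAND=/usr/bin/tar -xzf db-backup.tgz -C /var/lib/db
Mar  3 10:09:19 host1 sudo:      bob : TTY=pts/3 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/visudo
Mar  3 10:11:55 host1 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get install curl
Mar  3 10:12:30 host1 sudo:    carol : TTY=pts/4 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/cat /etc/hostname
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r".*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Privileged operations functions grouped as the chapter lists them, mapped to
# the programs that perform them on a Linux host (an assumed, partial catalog).
PRIVILEGED_FUNCTIONS = {
    "account management": {"useradd", "usermod", "userdel", "passwd", "groupadd"},
    "audit log access": {"ausearch", "aureport", "journalctl"},
    "configuration interface": {"visudo", "sysctl", "systemctl"},
    "backup and restore": {"tar", "rsync", "restore", "dump"},
    "OS control command": {"shutdown", "reboot", "init", "mount"},
    "software installation": {"apt-get", "apt", "dpkg", "yum", "dnf", "rpm"},
}

# Accounts permitted to perform privileged functions (administrators and operators).
AUTHORIZED = {"admin1", "operator1"}


def classify(cmd: str):
    """Map a COMMAND string to a privileged function, or None if it is not one."""
    argv = cmd.split()
    if not argv:
        return None
    prog = argv[0].rsplit("/", 1)[-1]
    for function, programs in PRIVILEGED_FUNCTIONS.items():
        if prog in programs:
            return function
    # Reading the audit trail with an arbitrary viewer is still audit log access.
    if any(tok.startswith("/var/log/audit") for tok in argv[1:]):
        return "audit log access"
    return None


def analyze(log_text: str):
    """Return (findings, usage): privileged functions run by unauthorized
    accounts, and a per-account tally of privileged use by authorized ones
    so that their special privileges can be reviewed as well."""
    findings, usage = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        function = classify(m["cmd"])
        if function is None:
            continue
        if m["user"] in AUTHORIZED:
            usage[(m["user"], function)] += 1
        else:
            findings.append({"time": m["ts"], "user": m["user"],
                             "function": function, "cmd": m["cmd"]})
    return findings, usage


if __name__ == "__main__":
    findings, usage = analyze(SAMPLE_LOG)
    for f in findings:
        print(f"ALERT {f['time']} {f['user']} performed {f['function']}: {f['cmd']}")
    for (user, function), n in sorted(usage.items()):
        print(f"review {user}: {function} x{n}")
```

Carol's `cat /etc/hostname` runs as root but is not a privileged operations function in the catalog, so it is not reported; whether every elevation by a non-administrator should be reviewed is a policy choice for the organization, and the catalog is the place to widen it.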

Know the standards of due care and due diligence. Due care is using reasonable care to protect the interest of an organization. Due diligence is practicing activities that maintain due care. Senior management must show reasonable due care and due diligence to reduce their culpability and liability when a loss occurs.

Understand how to maintain privacy. Maintaining privacy means protecting personal information from disclosure to any unauthorized individual or entity. In today’s online world, the line between public information and private information is often blurry. The protection of privacy should be a core mission or goal set forth in the security policy for an organization.

Know the legal requirements in your region and field of expertise. Every organization operates within a certain industry and country, both of which impose legal requirements, restrictions, and regulations on its practices. Legal requirements can involve licensed use of software, hiring restrictions, handling of sensitive materials, and compliance with safety regulations.

Understand what constitutes an illegal activity. An illegal activity is an action that violates a legal restriction, regulation, or requirement. A secure environment should provide mechanisms to prevent illegal activities from being committed, as well as the means to track them and to hold the individuals who perpetrate them accountable.

Know the proper procedure for record retention. Record retention is an organizational policy that defines what information is retained and for how long. In most cases, the records in question are audit trails of user activity. This can include file and resource access, logon patterns, email, and the use of privileges.

Understand the elements of securing sensitive media. Managing information and media properly, especially in a high-security environment where sensitive, confidential, and proprietary data is processed, is crucial to the security and stability of an organization. In addition to media selection, there are several key areas of information and media management: marking, handling, storage, life span, reuse, and destruction.

Know and understand the security control types. Several methods are used to classify security controls. A classification may be based on the nature of the control (administrative, technical/logical, or physical) or on the action or objective of the control (directive, preventive, detective, corrective, and recovery).

Know the importance of control transparency. When possible, operations controls should be invisible or transparent to users to prevent users from thinking security is hampering their productivity. Likewise, the less users know about the security of the system, the less likely they will be able to circumvent it.

Understand how to protect resources. The operations controls for resource protection are designed to provide security for the IT environment’s resources, including hardware, software, and data assets. To maintain confidentiality, integrity, and availability of the hosted assets, the resources themselves must be protected.

Be able to explain change and configuration control management. Change in a secure environment can introduce loopholes, overlaps, misplaced objects, and oversights that can lead to new vulnerabilities. Therefore, you must systematically manage change by logging, auditing, and monitoring activities related to security controls and security mechanisms. The resulting data is then used to identify agents of change, whether they are objects, subjects, programs, communication pathways, or even the network itself. The goal of change management is to ensure that any change does not lead to reduced or compromised security.
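Baselining and versioning, the configuration management concepts this chapter's exam topics name, give change control something concrete to compare against: a recorded digest of every controlled configuration file. The following Python block is an added example, not code from the study guide. It snapshots a constructed set of configuration files as a baseline, detects added, removed, and modified files on a later check, and separates changes that carry an approved change ticket from those that bypassed change control. The file contents, paths, and ticket number are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed configuration files standing in for a host's real ones. The
# contents, paths and change ticket are assumptions for illustration.
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n%wheel ALL=(ALL) ALL\n",
    "/etc/audit/auditd.conf": b"max_log_file = 8\nmax_log_file_action = ROTATE\n",
}

# The same host later: sshd_config altered, auditd.conf gone, a cron job added.
CURRENT_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n%wheel ALL=(ALL) ALL\n",
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup.sh\n",
}

# Changes that went through change control, keyed by path -> ticket.
APPROVED_CHANGES = {"/etc/cron.d/backup": "CHG-1042"}


def snapshot(files: dict) -> dict:
    """Baseline: path -> SHA-256 of the file content (the versioned record)."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


def drift(baseline: dict, current_files: dict) -> dict:
    """Compare the current state against the baseline and classify every difference."""
    current = snapshot(current_files)
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in shared if baseline[p] != current[p]),
    }


def unauthorized_changes(report: dict, approved: dict) -> list:
    """Every drifted path without an approved change ticket is a finding."""
    return [(kind, path)
            for kind in ("added", "removed", "modified")
            for path in report[kind]
            if path not in approved]


def audit_record(report: dict, approved: dict) -> str:
    """One JSON line for the change audit trail."""
    return json.dumps({
        "checked_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "drift": report,
        "approved": {p: approved[p] for kind in report for p in report[kind] if p in approved},
        "unauthorized": unauthorized_changes(report, approved),
    })


if __name__ == "__main__":
    baseline = snapshot(BASELINE_FILES)
    report = drift(baseline, CURRENT_FILES)
    print(audit_record(report, APPROVED_CHANGES))
```

The two unauthorized findings are exactly the kind of change the passage warns about: re-enabling root logins weakens a preventive control, and the missing audit configuration silently removes a detective one. A baseline check that runs on a schedule turns both into a logged event rather than a discovery during an incident.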

Understand the trusted recovery process. The trusted recovery process ensures that a system is not breached during a crash, failure, or reboot and that every time one of these occurs, the system returns to a secure state.

Written Lab

1. Describe the primary form of security breach and relevant security best practices.

2. Identify and define the difference between need to know and principle of least privilege.

3. What is workstation rotation, and why is it necessary?

4. Name at least five common examples of privileged operations functions.

Answers to Written Lab

1. Computer viruses account for a large portion of computer network security breaches, and they are handled through antivirus management practices that include proper screening of new software components; restricted access to software changes, installations, and upgrades/updates; and the use of company-approved and vendor-distributed software.

2. A need to know is the requirement to have access to, knowledge about, or possession of data or a resource to perform specific work tasks. The principle of least privilege is granting only the necessary access rights for a user to complete their job tasks.

3. Workstation rotation is the periodic reassignment of employees to different workstations. It is used to improve or maintain a strong security posture against malicious changes or unauthorized modification to the operation or capability of any given computer, and it discourages storage of personal or private data on an organization’s systems.

4. Privileged operations functions include operating system control commands, configuration interfaces, audit log access, account management, and backup and restoration operations.

Review Questions

1. Personnel management is a form of what type of control?

A. Administrative

B. Technical

C. Logical

D. Physical

2. What is the most common means of distribution for viruses?

A. Unapproved software

B. Email

C. Websites

D. Commercial software

3. Which of the following causes the vulnerability of being affected by viruses to increase?

A. Length of time the system is operating

B. The classification level of the primary user

C. Installation of software

D. Use of roaming profiles

4. In areas where technical controls cannot be used to prevent virus infections, what should be used to prevent them?

A. Security baselines

B. Awareness training

C. Traffic filtering

D. Network design

5. Which of the following is not true?

A. Complying with all applicable legal requirements is a key part of sustaining security.

B. It is often possible to disregard legal requirements if complying with regulations would cause a reduction in security.

C. The legal requirements of an industry and of a country should be considered the baseline or foundation upon which the remainder of the security infrastructure must be built.

D. Industry and governments impose legal requirements, restrictions, and regulations on the practices of an organization.

6. Which of the following is not an illegal activity that can be performed over a computer network?

A. Theft

B. Destruction of assets

C. Waste of resources

D. Espionage

7. Who does not need to be informed when records about their activities on a network are being recorded and retained?

A. Administrators

B. Normal users

C. Temporary guest visitors

D. No one

8. What is the best form of antivirus protection?

A. Multiple solutions on each system

B. A single solution throughout the organization

C. Concentric circles of different solutions

D. One-hundred-percent content filtering at all border gateways

9. Which of the following is an effective means of preventing and detecting the installation of unapproved software?

A. Workstation change

B. Separation of duties

C. Discretionary access control

D. Job responsibility restrictions

10. What is the requirement to have access to, knowledge about, or possession of data or a resource to perform specific work tasks commonly known as?

A. Principle of least privilege

B. Prudent man theory

C. Need to know

D. Role-based access control

11. Which are activities that require special access to be performed within a secured IT environment?

A. Privileged operations functions

B. Logging and auditing

C. Maintenance responsibilities

D. User account management

12. Which of the following requires that archives of audit logs be kept for long periods of time?

A. Data remanence

B. Record retention

C. Data diddling

D. Data mining

13. What is the most important aspect of marking media?

A. Date labeling

B. Content description

C. Electronic labeling

D. Classification

14. Which operation is performed on media so it can be reused in a less-secure environment?

A. Erasing

B. Clearing

C. Purging

D. Overwriting

15. Sanitization can be unreliable because of which of the following?

A. No media can be fully swept clean of all data remnants.

B. Even fully incinerated media can offer extractable data.

C. The process can be performed improperly.

D. Stored data is physically etched into the media.

16. Which security tool is used to guide the security implementation of an organization?

A. Directive control

B. Preventive control

C. Detective control

D. Corrective control

17. Which security mechanism is used to verify whether the directive and preventive controls have been successful?

A. Directive control

B. Preventive control

C. Detective control

D. Corrective control

18. When possible, operations controls should be ____________.

A. simple

B. administrative

C. preventive

D. transparent

19. What is the primary goal of change management?

A. Personnel safety

B. Allowing rollback of changes

C. Ensuring that changes do not reduce security

D. Auditing privilege access

20. What type of trusted recovery process requires the intervention of an administrator?

A. Restricted

B. Manual

C. Automated

D. Controlled

Answers to Review Questions

1. A. Personnel management is a form of administrative control. Administrative controls also include separation of duties and responsibilities, rotation of duties, least privilege, and so on.

2. B. Email is the most common distribution method for viruses.

3. C. As more software is installed, more vulnerabilities are added to the system, thus adding more avenues of attack for viruses.

4. B. In areas where technical controls cannot prevent virus infections, users should be trained on how to prevent them.

5. B. Laws and regulations must be obeyed and security concerns must be adjusted accordingly.

6. C. Although wasting resources is considered inappropriate activity, it is not actually a crime in most cases.

7. D. Everyone should be informed when records about their activities on a network are being recorded and retained.

8. C. Concentric circles of different solutions are the best form of antivirus protection.

9. A. Workstation change is an effective means of preventing and detecting the presence of unapproved software.

10. C. Need to know is the requirement to have access to, knowledge about, or possession of data or a resource to perform specific work tasks.

11. A. Privileged operations functions are activities that require special access to perform within a secured IT environment. They may include auditing, maintenance, and user account management.

12. B. To use record retention properly, archives of audit logs must be kept for long periods of time.

13. D. Classification is the most important aspect of marking media because it determines the precautions necessary to ensure the security of the hosted content.

14. C. Purging media is erasing media so it can be reused in a less-secure environment. The purging process may need to be repeated numerous times depending on the classification of the data and the security of the environment.

15. C. Sanitization can be unreliable because the purging, degaussing, or other processes can be performed improperly.

16. A. A directive control is a security tool used to guide the security implementation of an organization.

17. C. A detective control is a security mechanism used to verify whether the directive and preventive controls have been successful.

18. D. When possible, operations controls should be invisible, or transparent, to users. This keeps users from feeling hampered by security and reduces their knowledge of the overall security scheme, thus further restricting the likelihood that users will violate system security deliberately.

19. C. The goal of change management is to ensure that any change does not lead to reduced or compromised security.

20. B. A manual recovery type of trusted recovery process requires the intervention of an administrator.
