Overseeing Compliance of Security Operations ◾  159
© 2011 by Taylor & Francis Group, LLC
may need access to the internal network (the intranet) for services offered via the
internal Web site. This is distinct from others who need intranet access for purposes
of connecting to internal database or application servers.
Remote access control addresses technical privileges, business privileges, as well
as personal responsibilities on the part of the remote user. The same responsibilities
exist for remote access as exist for on-site use. This means limiting line of sight to the
remote computer, password protection, authentication process, screen lock, securing
the communication path (e.g., virtual private network), and acceptable use of the
remote computer to avoid malware entering the enterprise via remote connection.
Authentication
Authentication is the validation of the user presenting an identity credential. That
is, the user presents a claim of identity (e.g., user ID) and then some verification
that he or she is the valid owner of that identity. Authentication may occur in many
ways including something the user
Knows, e.g., a password or personal identification number (PIN)
Has, e.g., a secure token, identity card with embedded radio frequency identification (RFID)
Is, e.g., biometric (fingerprint, retina scan)
Does, e.g., written signature metrics
Is located, e.g., Global Positioning System (GPS) coordinate validation
The use of two or more of these in a single authentication transaction is known as
multifactor authentication, or strong authentication. A secure token is a small device
in the possession of the user that displays a random number sequence that synchronizes
with the authentication server. Upon login, the user enters his or her ID, then
a PIN plus the number sequence as the password. The password is always changing
and is generated by a combination of something the user knows (the PIN) and something
they have (the secure token). Theft of the token is not enough for the thief to
gain access. The use of a secure token is an example of strong authentication.
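As an added illustration of the secure-token login just described (example code, not from the book or from any vendor's product), the server-side check below models the token as a time-synchronized one-time-code generator in the style of RFC 4226/6238 and treats the submitted password as the PIN followed by the code the token currently displays. The shared secret, the PIN, the 60-second time step, and the drift window are constructed demo values and assumptions, not specifics from the text.

```python
import hashlib
import hmac
import struct

# Constructed demo values: the shared secret is provisioned into the token and held by
# the authentication server; the PIN is known only to the user.
SHARED_SECRET = b"constructed-demo-secret-not-for-real-use"
USER_PIN = "4821"
CODE_DIGITS = 6
TIME_STEP_SECONDS = 60  # how often the token display changes (assumed)


def token_code(secret: bytes, counter: int, digits: int = CODE_DIGITS) -> str:
    """The number the token displays for a given counter value.

    HMAC-SHA1 over the counter with dynamic truncation, as in RFC 4226. Token and
    server compute the same value because they share the secret and the clock.
    """
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def time_counter(now_seconds: float, step: int = TIME_STEP_SECONDS) -> int:
    """Map wall-clock time onto the counter that both sides derive independently."""
    return int(now_seconds // step)


def verify_login(submitted_password: str, pin: str, secret: bytes,
                 now_seconds: float, drift_steps: int = 1) -> bool:
    """Server side: the password is the PIN followed by the token's current code.

    Both factors must match, so a stolen token without the PIN fails. A small clock
    drift window is tolerated, and comparisons use constant-time equality so the
    response time does not reveal which factor was wrong.
    """
    if len(submitted_password) != len(pin) + CODE_DIGITS:
        return False
    submitted_pin = submitted_password[:len(pin)].encode()
    submitted_code = submitted_password[len(pin):].encode()
    pin_ok = hmac.compare_digest(submitted_pin, pin.encode())

    counter = time_counter(now_seconds)
    code_ok = False
    for delta in range(-drift_steps, drift_steps + 1):
        expected = token_code(secret, counter + delta).encode()
        # Evaluate every candidate rather than returning early, to keep timing uniform.
        code_ok = hmac.compare_digest(submitted_code, expected) or code_ok
    return pin_ok and code_ok


if __name__ == "__main__":
    now = 1_700_000_000  # fixed timestamp so the demo is reproducible
    displayed = token_code(SHARED_SECRET, time_counter(now))
    print("token shows:", displayed)
    print("PIN + current code:", verify_login(USER_PIN + displayed, USER_PIN, SHARED_SECRET, now))
    print("stolen token, wrong PIN:", verify_login("0000" + displayed, USER_PIN, SHARED_SECRET, now))
    stale = token_code(SHARED_SECRET, time_counter(now) - 60)
    print("PIN + code from an hour ago:", verify_login(USER_PIN + stale, USER_PIN, SHARED_SECRET, now))
```

The drift window is the trade-off point: widening it tolerates more clock skew between token and server but extends the life of each displayed code, so the value should be the smallest one the deployment's clocks actually need.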
Authorization
Authorization is the validation and approval of a claim of privilege. Authenticating
an identity is a separate and distinct process from authorizing an activity. The possession
of a valid identity credential and proving that it indeed belongs to the presenter
does not by default equate to permission to perform an activity. Privileges may
be embedded in the identity credential, or there may be a privilege database that
contains a list of permissible activities. The individual may be assigned specific
activity privileges, or the user may be assigned a role with which certain privileges
are permitted by default.
For example, a new employee presents his or her identity credential at the card
reader leading into the main lobby. The user authenticates this claim of identity by
entering a PIN. The card reader system authenticates the identity (i.e., yes, this is
John Doe); a default privilege by virtue of being an employee is permission to enter
the main lobby. John Doe then goes up one flight of stairs and attempts the same
sequence of events to enter the data center. The card reader may authenticate the
claim of identity (i.e., yes, this is John Doe), but deny entry because John does not
have the explicit privilege to enter the data center, nor is John assigned a role that
has the privilege to enter the data center.
A log is made of this entry attempt. One or two attempts are likely a mistake
on John's part and do not warrant any further investigation. Ten attempts
within 24 hours, plus other attempts at unauthorized entry in other parts of the
building, are indicators that further investigation is prudent. Establishing authentication,
authorization, logs, log review procedures, anomaly detection, and further
investigation of anomalies are all part of a comprehensive security management
program to establish and maintain compliance.
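The authentication/authorization split and the log review that follows it, as an added example in working code (not from the book): a role-plus-explicit-privilege table decides whether an already-authenticated user may open a door, and a review pass over a constructed badge-reader log flags the pattern the text describes. The user names, door names, log format, and the thresholds (ignore one or two denials; flag ten within a 24-hour window or denials at more than one door) are constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed privilege model: a role carries default privileges, and a user may also
# hold explicitly assigned privileges. Authentication (is this really jdoe?) has already
# happened by the time authorize() is consulted.
ROLE_PRIVILEGES = {
    "employee": {"enter:lobby"},
    "datacenter_ops": {"enter:lobby", "enter:datacenter"},
}
USER_ROLES = {"jdoe": {"employee"}, "asmith": {"employee", "datacenter_ops"}}
EXPLICIT_PRIVILEGES = {"bob": {"enter:lobby"}}  # granted directly, no role involved


def effective_privileges(user: str) -> set:
    privileges = set(EXPLICIT_PRIVILEGES.get(user, set()))
    for role in USER_ROLES.get(user, set()):
        privileges |= ROLE_PRIVILEGES.get(role, set())
    return privileges


def authorize(user: str, privilege: str) -> bool:
    """A valid identity is not a privilege: the user must hold it directly or via a role."""
    return privilege in effective_privileges(user)


# Constructed badge-reader log, one line per attempt, allowed or denied.
ACCESS_LOG = """\
2011-03-01T08:02:11 user=jdoe door=lobby result=allow
2011-03-01T08:03:40 user=jdoe door=datacenter result=deny
2011-03-01T08:04:02 user=jdoe door=datacenter result=deny
2011-03-01T09:15:00 user=bob door=datacenter result=deny
2011-03-01T10:15:00 user=bob door=datacenter result=deny
2011-03-01T11:15:00 user=bob door=datacenter result=deny
2011-03-01T12:15:00 user=bob door=datacenter result=deny
2011-03-01T13:15:00 user=bob door=datacenter result=deny
2011-03-01T14:15:00 user=bob door=datacenter result=deny
2011-03-01T15:15:00 user=bob door=datacenter result=deny
2011-03-01T16:15:00 user=bob door=datacenter result=deny
2011-03-01T17:15:00 user=bob door=datacenter result=deny
2011-03-01T18:15:00 user=bob door=datacenter result=deny
2011-03-01T20:30:00 user=bob door=exec_floor result=deny
2011-03-01T21:10:00 user=bob door=exec_floor result=deny
"""


def parse_log(text: str) -> list:
    """Turn 'timestamp key=value ...' lines into dicts with a parsed datetime."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, *fields = line.split()
        record = dict(field.split("=", 1) for field in fields)
        record["time"] = datetime.fromisoformat(timestamp)
        entries.append(record)
    return entries


def review_denials(entries: list, window: timedelta = timedelta(hours=24),
                   threshold: int = 10, ignore_up_to: int = 2) -> dict:
    """Return {user: [reasons]} for users whose denied attempts warrant investigation.

    Up to `ignore_up_to` denials are treated as a mistake. Indicators: at least
    `threshold` denials inside any sliding `window`, and denials at more than one door.
    """
    denials = defaultdict(list)
    for entry in entries:
        if entry["result"] == "deny":
            denials[entry["user"]].append(entry)
    flagged = {}
    for user, attempts in denials.items():
        if len(attempts) <= ignore_up_to:
            continue
        reasons = []
        times = sorted(a["time"] for a in attempts)
        peak = max(sum(1 for t in times if start <= t <= start + window) for start in times)
        if peak >= threshold:
            reasons.append(f"{peak} denied attempts within {window}")
        doors = {a["door"] for a in attempts}
        if len(doors) > 1:
            reasons.append("denied at multiple doors: " + ", ".join(sorted(doors)))
        if reasons:
            flagged[user] = reasons
    return flagged


if __name__ == "__main__":
    print("jdoe lobby:", authorize("jdoe", "enter:lobby"))
    print("jdoe data center:", authorize("jdoe", "enter:datacenter"))
    print("asmith data center:", authorize("asmith", "enter:datacenter"))
    print(review_denials(parse_log(ACCESS_LOG)))
```

The review function deliberately reports reasons rather than a bare verdict, so the person doing the follow-up sees which indicator fired; jdoe's two denials fall under the "likely a mistake" rule and produce nothing.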
Network sniers and other monitoring devices have the potential to intercept
network trac. is includes the message exchanges during logon, password entry,
and authentication/authorization. Authenticate over an encrypted link to hide the
sending of user IDs and passwords.
Encryption
Having established a connection via a successful login, protect the subsequent
exchange of data (data in transit) from interception using encryption. Encryption is
the transformation of plain-text to cipher-text. Plain-text is the native form of a language
like the sentence you are reading now. The transformation of this plain-text
into cipher-text uses a key and an algorithm to modify the text into a format that can
be read only by those who possess the key to turn cipher-text back into plain-text.
For example, assume the key to be "+1" and the algorithm to be an alphabet
shift to the right. Applying this algorithm to the word ENCRYPTION results in
FODSZQUJPO, or the shifting of each letter to the right by one. The decryption
process applies the associated decryption key of "–1" to the encryption algorithm,
which is to shift the alphabet minus one space to turn FODSZQUJPO back into
ENCRYPTION. This is a very simple encryption process and easily broken by
cryptography professionals. This is why you should always choose the strongest
form of encryption possible to make it very difficult to break the encryption.
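The alphabet-shift example carried through in code, as an added illustration (not code from the book): encryption with key +1, decryption with the associated key –1, and a demonstration of why the scheme is "easily broken": the entire key space is 25 non-trivial shifts, so every candidate can be listed and read off. The function names are the example's own; the letters-only alphabet with pass-through of other characters is an assumption for the demo.

```python
import string

ALPHABET = string.ascii_uppercase  # 26 letters; anything else passes through unchanged


def shift_encrypt(plaintext: str, key: int) -> str:
    """Shift each letter `key` places to the right, wrapping around (key +1: E -> F)."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % len(ALPHABET)])
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(ciphertext: str, key: int) -> str:
    """Decryption applies the associated key -key, i.e. the same shift to the left."""
    return shift_encrypt(ciphertext, -key)


def try_every_key(ciphertext: str) -> dict:
    """Exhaustive search over the key space: 25 candidates, one of which reads as
    English. This is what 'easily broken' means for a shift cipher, and why key-space
    size is the first thing to look at when judging an encryption scheme."""
    return {key: shift_decrypt(ciphertext, key) for key in range(1, len(ALPHABET))}


if __name__ == "__main__":
    cipher = shift_encrypt("ENCRYPTION", 1)
    print(cipher)                    # FODSZQUJPO
    print(shift_decrypt(cipher, 1))  # ENCRYPTION
    for key, candidate in try_every_key(cipher).items():
        print(f"key {key:2d}: {candidate}")
```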
The use of encryption on data at rest and in transit is one method to protect
data from unauthorized disclosure. If during the course of normal operations your
organization discloses protected data, and the investigation shows that you do not
use encryption and that the disclosure could have otherwise been avoided if encryption
were in place, your organization needs a really good reason for not having put
encryption in place. There are valid arguments for not having encryption due to
cost, complexity, or lower priority than other security investments; however, omission
by oversight is not a valid position. Conscious omission with the rationale of
business priorities is a valid position. Hence the usefulness of the ESS and ESF to
provide a checklist of considerations and a place to record current situation (as-is),
future situation (to-be), current projects (transition), and future plans for all of
security, as budget allows.
Virtual Private Network
A virtual private network (VPN) is an encrypted link between network nodes.
Traffic traversing this link inherits the encrypted properties of the link. This means
that the end-user PC does not have to encrypt the in-transit traffic at the application
level because the VPN accomplishes this for the user. A VPN may exist between
routers or may be an application on the end-user PC that establishes an encrypted
network connection to the enterprise for secure remote use.
Acceptable Use
Acceptable use covers restrictions on the use of the computer and restrictions on accessing
other networks and Web sites. The purpose is threefold: to avoid productivity wasters,
to avoid potential litigation against the enterprise, and to avoid malware entering
the enterprise. Productivity wasters are the accessing of dating sites, sports sites, auction
sites, and other such activities that have no benefit to the organization and simply
waste employee time on nonproductive activities. Accessing material on hate sites (e.g.,
racially biased sites) and porn sites may place material on an enterprise PC or display
material that could be offensive to others. The offense may lead to lawsuits against the
enterprise for allowing such activity. Activity like productivity wasters could be allowed
during nonworking hours in the interest of employee morale or other good business
justification. Activities leading to potential litigation should be restricted at all times.
Activities that could lead to the introduction of malware to the enterprise network
should also be restricted at all times. This may include restricting the download
and installation of executable code, the use of file sharing systems (e.g., music
sharing), accessing sites with a history or reputation of introducing spyware, and
the use of USB storage devices. The technical restriction of all such activity may
interfere with valid business functions (e.g., the use of USB storage devices). At the
least, the appropriate use policy should call for employee awareness and training on
the responsible and secure use of enterprise information technology.
Wireless Policy
Publishing an access policy that also incorporates wireless access is better than maintaining
two separate policies for access control. The point is to publish wireless
policy details somewhere to ensure the appropriate use of wireless technology and,
more importantly, to avoid the misuse of wireless technology. Wireless networks are
available for connection to anyone within range of the wireless access point. Many
wireless signals extend beyond enterprise office space, buildings, and campuses (see
the War Driving section for detecting this). For that reason, appropriate guidance
is necessary to govern the presence, configuration, and actual use of wireless networks.
Wireless policies should cover the registration of access points, the allocation
of channels, and security and access control.
Wireless access point (WAP) registration records WAP details in a database. If
a WAP is detected that is not in the database, it is likely a rogue access point. The
presence of a rogue access point may be an enterprising, but misguided, employee
trying to set up a valid business application. A rogue access point may also be set
up by a would-be attacker looking for access to the network from close physical
proximity, but not physically on enterprise property.
Multiple WAPs may lead to conflicts over channel allocation. The channel allocation
portion of the wireless policy will cover which channels are available and
which should be used. Wireless policy covers both the secure and efficient use of
wireless networks within the enterprise.
Wireless Security
The security and access control portion of the wireless policy covers the restriction
of network access to authorized personnel and the prevention of unauthorized disclosure
of data traversing the wireless network. Securing wireless networks is achievable
via media access control (MAC) address access lists, isolating the wireless network from
other networks, and encrypting the wireless transmissions. Access lists restrict access
to the wireless network to known entities. Isolation of wireless networks keeps wireless
traffic off wired networks and limits the potential damage through unauthorized
access. Preventing unauthorized disclosure is accomplished using wireless encryption
schemes like wired equivalent privacy (WEP; note: WEP is not an acronym for
wireless encryption protocol) and Wi-Fi Protected Access (WPA and WPA2).
WEP is specified in the IEEE 802.11b Wireless Fidelity (Wi-Fi) standard. WEP
is not a strong encryption method and is easily cracked with readily available software.
WPA superseded WEP in 2003; at the time, WPA implemented only part of
the pending IEEE 802.11i standard. In 2004, WPA2 implemented the full IEEE
802.11i standard. Implementing wireless encryption is good, but be sure it is adequate
to satisfy compliance requirements. Knowingly implementing a weak encryption
method (e.g., WEP) may not hold up under critical inquiry from customers whose
data was disclosed or from a prosecuting attorney who may challenge due diligence.
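As an added example (not from the book) tying together the WAP registration, channel allocation, MAC access list, and encryption requirements of the two sections above: a small audit that compares a constructed scan result against a constructed registration database. The BSSIDs, SSIDs, channel numbers, the 2.4 GHz overlap rule (channels fewer than five apart overlap), the client allowlist, and the accepted encryption set are all assumptions for the demonstration.

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class AccessPoint:
    bssid: str         # radio MAC address, the key under which a WAP is registered
    ssid: str
    channel: int       # 2.4 GHz channel number
    encryption: str    # "open", "WEP", "WPA", or "WPA2"


def normalize_mac(mac: str) -> str:
    """Canonical form so 'AA-BB-...' and 'aa:bb:...' compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


# Constructed WAP registration database (policy: every sanctioned WAP is recorded here).
REGISTERED = {normalize_mac(ap.bssid): ap for ap in [
    AccessPoint("00:11:22:33:44:01", "corp", 1, "WPA2"),
    AccessPoint("00:11:22:33:44:02", "corp", 6, "WPA2"),
    AccessPoint("00:11:22:33:44:03", "corp-legacy", 11, "WEP"),
    AccessPoint("00:11:22:33:44:04", "corp", 8, "WPA2"),
]}

# Constructed result of a walk-around scan: the registered WAPs plus two unknown radios.
OBSERVED = list(REGISTERED.values()) + [
    AccessPoint("DE-AD-BE-EF-00-01", "corp", 6, "WPA2"),      # our SSID, unknown radio
    AccessPoint("66:77:88:99:aa:bb", "FreeWifi", 3, "open"),
]

ACCEPTED_ENCRYPTION = {"WPA2"}  # what the compliance requirement accepts (assumed)
CLIENT_MAC_ALLOWLIST = {normalize_mac(m) for m in ["00:aa:bb:cc:dd:01", "00-AA-BB-CC-DD-02"]}


def find_rogues(observed, registered) -> list:
    """Anything on the air that is not in the registration database is a rogue candidate."""
    return [ap for ap in observed if normalize_mac(ap.bssid) not in registered]


def channel_conflicts(aps) -> list:
    """Pairs of registered 2.4 GHz WAPs whose channels overlap (spacing under 5)."""
    return [(a, b) for a, b in combinations(aps, 2) if abs(a.channel - b.channel) < 5]


def weak_encryption(aps, accepted=ACCEPTED_ENCRYPTION) -> list:
    """WAPs whose encryption setting would not satisfy the compliance requirement."""
    return [ap for ap in aps if ap.encryption not in accepted]


def client_allowed(client_mac: str, allowlist=CLIENT_MAC_ALLOWLIST) -> bool:
    """MAC access list check: a filter on an address the client reports itself, so it
    complements encryption and network isolation rather than replacing them."""
    return normalize_mac(client_mac) in allowlist


def audit(observed=OBSERVED, registered=REGISTERED) -> dict:
    """One report for the policy owner: rogues, channel conflicts, and weak encryption."""
    return {
        "rogues": [ap.bssid for ap in find_rogues(observed, registered)],
        "channel_conflicts": [(a.channel, b.channel)
                              for a, b in channel_conflicts(registered.values())],
        "weak_encryption": [ap.bssid for ap in weak_encryption(registered.values())],
    }


if __name__ == "__main__":
    for finding, items in audit().items():
        print(f"{finding}: {items}")
```

Registration is keyed on the radio's BSSID rather than the SSID because a rogue that copies the enterprise SSID still shows up with its own address; channel conflicts are computed only over registered WAPs, since rogues are reported separately rather than planned around.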
Portable Media Policy
Portable media includes personal digital assistants (PDAs), iPods, iPhones, flash pens,
cameras, portable hard drives, cell phones, thumb drives, digital recorders, tapes,
floppy disks, DVDs, CDs, etc. There are valid business uses for all these devices, and
policy should enumerate valid business uses and restrict all others. Many portable
devices have the potential to record and store vast amounts of data. These portable
devices are also easily lost or stolen. This policy is a difficult balance between
empowerment, well-intentioned productivity, and the restriction of use to avoid
being tomorrow's national news headline for disclosing sensitive customer data.
The valid business use of portable media may include the use of portable devices
to store sensitive data. Policy may require the use of encryption to protect data in
the event of loss or theft and the secure removal of sensitive data from these devices,
which are procedures beyond the standard delete command.
Personal Property Use Policy
A supplement to the portable media policy, as well as other policies, is the use
of personally owned technology versus organization-issued technology. The use of
organization-issued USB devices, portable hard drives, tapes, CDs, floppy disks,
etc., may be fine. However, the use of personally owned devices may be restricted
or prohibited. Personal devices include everything in the previous list plus PDAs,
iPods, iPhones, flash pens, digital audio recording devices, portable storage devices
like USB thumb drives, cameras, PCs, and laptops. These devices are capable of storing
electronic files, and even under the best of intentions pose a threat to disclose
proprietary or sensitive information. The use of personal devices may disclose data
because personal devices may not have the same security software and devices.
The use of personal devices on enterprise networks may introduce malware, also
from the lack of the same security software installed on enterprise-issued equipment.
Many of these devices initiate an automated startup procedure when connected
to a PC. If these personal devices connect at any time to enterprise PCs and
the personal device contains malware, that malware has now been introduced to
the enterprise environment. For example, a thumb sucker attack is the installation of
malware on a USB thumb drive and leaving that thumb drive lying about. A person
picks up the thumb drive and, wanting to know what is on it or whom it belongs
to, plugs it into a PC. The automated startup software initiates and installs the
malware on that PC … and the enterprise network is now compromised. Cameras
may take pictures of sensitive areas like data centers and data center security. Cell
phones may be tracked via global positioning (GPS). PDAs can store large amounts
of data as can USB storage devices. Personal laptops are often not as secure as
enterprise PCs.
Enterprise policy governing the possession and use of personal property should
reflect the sensitivity of the data and the environment. Legislative compliance
requirements that require the protection of personal information or financial information
should influence these policies. Moreover, the enterprise competitive environment
should also influence the details of policy. Corporate espionage is not
just an interesting dramatic movie plot. There are real dollars at stake in a globally