234 ◾ Official (ISC)²® Guide to the ISSMP® CBK®
© 2011 by Taylor & Francis Group, LLC
presence of unauthorized applications and is a complement to the whitelist filter, which blocks the execution of unauthorized applications.
Software Licensing
A software license is permission granted from the software publisher to a company
or individual to use a piece of software under certain conditions. Software licenses
are legal instruments and are binding among parties to the agreement. Nearly all
software applications are licensed rather than sold, meaning you have permission
to use the software, but you do not own the software. Tracking and monitoring
licenses is necessary to remain in compliance with licensing agreements (e.g., end
user license agreements [EULAs]) and legislation governing use of software.
Typically, one license is required per computer. A per-seat software license is based upon the number of users who may use the software. Some server software will provide the ability to purchase a license for the number of simultaneous users, meaning that 100 users may have the client software installed, but only 20 may access the server simultaneously; simultaneous user licenses are also known as concurrent user licenses. Note that server licenses and client licenses may be separate purchases and tracked separately in software inventory. Enterprise licenses permit the installation of software on a network server and allow access by all employees. Enterprise licenses may involve an annual license fee plus a maintenance fee. Not all license agreements are the same, and they may vary within the same vendor as well as among different vendors.
Many software license agreements will specify that they are nontransferable. This means that you may not resell the software. You may sell the media on which it resides, you may sell a piece of equipment that has the software installed (e.g., private branch exchange [PBX]), but not the license that provides the next owner the right to use the software. The new owners may have to purchase their own license, their own right to use, from the software vendor.
The traditional method of installing from the original software media (e.g., physical CD) has largely been replaced by push deployment across the network. This software deployment push method allows for faster software deployment as well as facilitating keeping track of software installed and license counts. Installer packages coupled with group policies provide the ability to selectively install software on end user PCs. This ensures that only personnel who need the software receive the software.
Many software deployment tools provide the ability to track usage. Tracking software installed and license usage helps the organization maintain legal compliance and thus avoid liability issues; it helps with cost management by not over-buying licenses for personnel that do not need the software; and it facilitates efficient patch deployment. Some applications (e.g., Microsoft Remote Desktop) will not allow the application to launch if there are insufficient licenses. Some applications create audit trails when license limits are exceeded (e.g., Microsoft Terminal Server).
Overseeing Compliance of Security Operations ◾  235
Some software packages may use usage meters to track actual use of the software. A software license with a usage meter does not limit the number of users, but monitors the usage and charges according to volume of use. Another type of license is shareware or freeware. The name of this type of license is misleading because even though the software is available for free downloading from the Internet, the use of the software is often on a trial basis after which the user is expected to pay for a license to continue to use it.
The Business Software Alliance (BSA) is an organization that represents the commercial software industry and promotes the reporting and prosecution of software theft. The Canadian Alliance Against Software Theft is another example similar to the BSA. The Recording Industry Association of America (RIAA) is a trade group representing the recording industry. The RIAA is involved in the licensing and royalties within the recording industry. Scanning enterprise systems for the illegal storage and sharing of video and audio recordings is necessary to avoid liability for hosting such activity.
Digital Rights Management (DRM) is an enforcement mechanism for access control and what can and cannot be done with a software file, audio file, video file, or document file. Copyright law prohibits unauthorized copies of digital files or other media (e.g., audio tapes, video tapes). DRM extends beyond this to restrict the number of viewings or restrict copies to certain types of devices, e.g., Sony restricts the copying of some music files from the music CD to a hard drive.
Software piracy is a romantic phrase that veils the reality of the situation, i.e., software theft is a crime. Licensing is a serious issue, and the rise of watchdog organizations and litigation against violators requires good software license management. The level of culpability goes up with explicit intent to steal software as well as with negligence in taking reasonable steps to avoid being an unwitting host for illegal activities. Any organization is only expected to do so much to avoid illegal activities, but you must do at least that much. Working out exactly what to do, resource allocations to do it, and budget allocations is a matter of discussion among information technology, security, executives, governance, and legal departments.
Configuration Settings
Tracking hardware and software is good, but not enough. The configuration settings of the hardware and software are also necessary to track. These settings enable appropriate functionality as well as restrict other functionality. The functionality restrictions are to safeguard the systems and the data residing on the systems. Unauthorized modification of these settings may place the enterprise at risk by permitting unauthorized remote access, exfiltration of data, installation of unauthorized software, use of unauthorized devices such as USB drives, etc.
Policy will state the need for standard configurations, and standards will articulate the parameters and the parameter settings. Configuration tracking will elicit these settings from servers, PCs, and other devices and compare them against the standard. These configurations may be related to general operations or specifically to security. One example of a security configuration tracking methodology is Security Content Automation Protocol (SCAP). SCAP is a method to enable automated vulnerability management and policy compliance evaluation. Many software vendors are developing SCAP-compliant applications.
Policy may require enterprise-wide configurations for workstations, servers, user configurations, application settings, database settings, and more. These settings may be modified to optimize performance and to optimize security. A major goal of the configuration policy is to normalize the enterprise on a common operating environment to ensure interoperability, consistency for redundancy and recovery, and optimal network traffic flow.
In addition to compliance evaluation, tracking configuration settings is good business practice to ensure consistency throughout the organization as well as to have a record of settings in the event of disaster recovery. Getting the hardware and software installed and reconfigured is time consuming, and attempting to remember the configuration settings is not nearly as productive as simply restoring settings already captured.
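The comparison this section describes, settings elicited from devices and checked against the standard, as an added worked example in Python (not code from the guide, from SCAP, or from any vendor tool): a small baseline of parameters drawn from the risks named above (remote access, USB storage, unauthorized software installation, audit logging) is compared against settings collected from three hosts, and every deviation or missing setting becomes a finding that states the risk it exposes. The parameter names, host names and collected values are constructed for the illustration.

```python
"""Compare configuration settings collected from hosts against the enterprise standard.

Added example, not from the ISSMP guide or any SCAP tool. The baseline
parameters, host names and collected values are constructed for this
illustration; a real deployment would feed settings gathered by a
configuration management or SCAP-capable tool into evaluate_fleet().
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The standard that policy points to: parameter -> (required value, risk it guards against).
# Recording the risk lets a finding explain itself to whoever must remediate it.
BASELINE: Dict[str, Tuple[str, str]] = {
    "remote_access.enabled":       ("false", "unauthorized remote access"),
    "usb.mass_storage_allowed":    ("false", "unauthorized devices / data exfiltration"),
    "software.install_restricted": ("true",  "installation of unauthorized software"),
    "logging.audit_enabled":       ("true",  "loss of audit trail"),
    "screen_lock.timeout_minutes": ("15",    "unattended console access"),
}


@dataclass(frozen=True)
class Finding:
    host: str
    parameter: str
    expected: str
    actual: Optional[str]  # None: the host did not report the setting at all
    risk: str


def evaluate_host(host: str, settings: Dict[str, str],
                  baseline: Dict[str, Tuple[str, str]] = BASELINE) -> List[Finding]:
    """One Finding per baseline parameter that is missing or deviates from the standard."""
    findings = []
    for parameter, (expected, risk) in baseline.items():
        actual = settings.get(parameter)
        # Normalise case and whitespace so "True" and "true " compare equal.
        if actual is None or actual.strip().lower() != expected.lower():
            findings.append(Finding(host, parameter, expected, actual, risk))
    return findings


def evaluate_fleet(collected: Dict[str, Dict[str, str]],
                   baseline: Dict[str, Tuple[str, str]] = BASELINE) -> Dict[str, List[Finding]]:
    """Evaluate every host; a host that fully matches the standard maps to an empty list."""
    return {host: evaluate_host(host, settings, baseline) for host, settings in collected.items()}


def compliance_summary(results: Dict[str, List[Finding]]) -> dict:
    """Share of compliant hosts plus the parameter that deviates most often."""
    counts: Dict[str, int] = {}
    for findings in results.values():
        for f in findings:
            counts[f.parameter] = counts.get(f.parameter, 0) + 1
    hosts = len(results)
    compliant = sum(1 for f in results.values() if not f)
    return {
        "hosts": hosts,
        "compliant": compliant,
        "compliant_pct": round(100.0 * compliant / hosts, 1) if hosts else 0.0,
        "most_common_deviation": max(counts, key=counts.get) if counts else None,
    }


# Constructed sample of settings elicited from three machines.
SAMPLE_COLLECTED: Dict[str, Dict[str, str]] = {
    "ws-0101": {  # fully compliant
        "remote_access.enabled": "false", "usb.mass_storage_allowed": "false",
        "software.install_restricted": "true", "logging.audit_enabled": "true",
        "screen_lock.timeout_minutes": "15",
    },
    "ws-0102": {  # remote access and USB storage enabled, reported with odd casing
        "remote_access.enabled": "True", "usb.mass_storage_allowed": "TRUE",
        "software.install_restricted": "true", "logging.audit_enabled": "true",
        "screen_lock.timeout_minutes": "15",
    },
    "srv-db-01": {  # USB allowed, lock timeout relaxed, audit setting never reported
        "remote_access.enabled": "false", "usb.mass_storage_allowed": "true",
        "software.install_restricted": "true", "screen_lock.timeout_minutes": "60",
    },
}

if __name__ == "__main__":
    results = evaluate_fleet(SAMPLE_COLLECTED)
    for host, findings in results.items():
        for f in findings:
            print(f"{host}: {f.parameter} expected {f.expected!r}, got {f.actual!r} ({f.risk})")
    print(compliance_summary(results))
```

A setting that a host never reports is treated as a deviation rather than silently passing, which is the case that matters in practice: a collector that cannot read a value usually indicates a machine outside the management tooling, not a compliant one.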
Virtual Machines
Virtual refers to that which is not real (not tangible), but may display qualities of that which is real. A virtual machine (VM) is not a real, tangible machine, but a simulated device to perform some activity. A key characteristic of a virtual machine is containment, meaning the software running within the VM cannot reach beyond the VM. This includes not reaching beyond the hardware assigned to the VM and the abstractions within the hardware like random access memory (RAM). Containment has implications for security and for compliance in keeping software and data on one VM separate and distinct from another VM running on the same hardware platform, e.g., malware entering one VM should not be able to reach another VM on the same platform.
Two general types of VMs are a system virtual machine and a process virtual machine. A system virtual machine has a single hardware platform with multiple OS installations each sharing the underlying hardware. A process virtual machine runs as a software application within an operating system. The process VM then provides an environment to execute code, e.g., a software business application. The process VM abstracts the underlying OS and hardware from the business application; hence the same business application may run on a variety of OS and hardware combinations. A key benefit of using system VMs is to leverage single hardware platforms to house many OS instances running a variety of applications. A key benefit to using process VMs is to write software applications that may execute on any hardware environment.
Virtual machines are not tangible like real, physical machines, and they may reside hidden while not running. Therefore, they may be missed during assessments, audits, or physical inventory. A virtual machine may pose a threat if unnoticed because scans for vulnerabilities may bypass nonrunning virtual machines. Inventory management should keep track of all hardware that hosts virtual machines and the number, type, and business function of each virtual machine.
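An added example (not from the guide) of the inventory check this passage calls for: the hypervisor's own list of defined virtual machines, in the column layout printed by libvirt's `virsh list --all`, is parsed and compared with the inventory record for that host, with VMs that are shut off or paused reported separately because a network vulnerability scan will not see them. The hypervisor name, the VM names and the listing text are constructed.

```python
"""Find virtual machines that a network vulnerability scan would never see.

Added example, not from the ISSMP guide. The listing below is a constructed
sample in the column layout printed by libvirt's `virsh list --all`; the
hypervisor name and the inventory records are constructed as well.
"""
from typing import Dict, List, Set

# Constructed: what `virsh list --all` would print on hypervisor hv-01.
# "-" in the Id column means the VM is defined but not running.
SAMPLE_VIRSH_OUTPUT = """\
 Id   Name             State
-----------------------------------
 3    web-frontend     running
 7    erp-db           running
 -    legacy-payroll   shut off
 -    build-agent      paused
"""

# Constructed: hypervisor -> VM names the inventory management system records for it.
INVENTORY: Dict[str, Set[str]] = {
    "hv-01": {"web-frontend", "erp-db", "old-wiki"},
}


def parse_virsh_list(text: str) -> List[dict]:
    """Parse the table into dicts; the State column may contain a space ("shut off")."""
    vms = []
    for line in text.splitlines()[2:]:  # skip the header row and the dashed separator
        if not line.strip():
            continue
        vm_id, name, state = line.split(maxsplit=2)
        vms.append({"id": None if vm_id == "-" else int(vm_id),
                    "name": name, "state": state.strip()})
    return vms


def audit_hypervisor(hypervisor: str, vms: List[dict],
                     inventory: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Compare the VMs defined on a hypervisor with what the inventory records for it.

    VMs that are not running answer no network probes, so a scan-based
    inventory or vulnerability assessment skips them even though they still
    hold software, data and possibly licensed products; they are listed separately.
    """
    known = inventory.get(hypervisor, set())
    defined = {vm["name"] for vm in vms}
    dormant = {vm["name"] for vm in vms if vm["state"] != "running"}
    return {
        "unrecorded": sorted(defined - known),          # defined on the host, unknown to inventory
        "stale_records": sorted(known - defined),       # in inventory, no longer defined here
        "not_scannable": sorted(dormant),               # would be bypassed by a network scan
        "unrecorded_and_not_scannable": sorted(dormant - known),  # the blind spot this section warns of
    }


if __name__ == "__main__":
    report = audit_hypervisor("hv-01", parse_virsh_list(SAMPLE_VIRSH_OUTPUT), INVENTORY)
    for key, names in report.items():
        print(f"{key}: {', '.join(names) or '-'}")
```

The point of reading the hypervisor rather than the network is that the listing comes from the platform that owns the VM definitions, so a dormant machine shows up whether or not it has ever answered a probe; the same comparison applies to any hypervisor that can enumerate its defined guests.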
Information Inventory
Keeping track of physical assets is one part of inventory management; another part is tracking information, specifically sensitive information that resides on the PCs, servers, or other storage media. A large part of compliance with litigation is to ensure the proper handling of employee and customer (or patient) information, e.g., personally identifiable information (PII). Moreover, tracking information will help maintain a record of data sensitive to your organization like financial data, employee lists, research and development plans, strategic plans, or engineering plans.
Develop an information classification scheme that includes information sensitivity and information criticality. Sensitivity classifications may include public, proprietary, private, sensitive, or restricted. Public information is available for general access, proprietary is intellectual property, etc. Your organization may not use all these, but rather choose those appropriate to distinguish the variety of information. Criticality classification may include essential, nonessential, primary, and derived. Primary information is the root source and may often be a unique source; the loss of primary information may cause severe loss to the organization. Derived information is an aggregate from primary sources; the loss of derived information may be annoying, but is not devastating to the organization. Essential information is critical to operations; nonessential is still important, but is not critical for the enterprise to fulfill its mission.
Develop standards and procedures for media labeling and handling that use the information classification scheme. Such a scheme on physical labels and on virtual labels (e.g., metadata) will help in determining access, modification, deletion, and media disposal.
Inventory Management Good General Practice
Good inventory management practice includes the following:
• Inventory lists
• Software libraries
• Inventory report
• Inventory audit
Maintain an automated inventory management system that retains lists of hardware and software as well as configuration setting details. Establish a software library to manage the distribution of both the software media (disks, CDs, DVDs, documentation) and to track licenses. If a person moves from one computer to another and their software moves with them, there is a need to track the removal of the license from one system and the installation on another. Be sure to account for the removal so you are not paying for a license that is not in use.
Generate a comprehensive inventory report at least once per year that includes an evaluation of current information against expected information. Provide answers to the following questions:
• Do we have what we think we have?
• Is it where it belongs?
• What can we anticipate to refresh over the next fiscal year?
• Are we within our license agreement?
• Are we finding any unauthorized software?
• Are there patterns to the unauthorized installations? (Note: A pattern may show that a particular application has business value and people have taken it upon themselves to add it to their desktop. This is good feedback to operations.)
• Are we finding any unauthorized hardware (e.g., rogue wireless access devices)?
Inventory management tells you what you think you have. At least once per
year, good practice is to verify what you have via a physical inventory. Put eyes and
hands on assets and validate the information you have recorded in the inventory
management system.
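An added example (not from the guide) that works through the inventory-report questions above and the license tracking described under Software Licensing and in the software-library paragraph: the recorded inventory, the per-seat license entitlements and the discovery results are compared to answer whether we have what we think we have, whether it is where it belongs, whether installations exceed or fall short of the seats purchased, which software is unauthorized and whether its installations form a pattern, and whether unrecorded hardware has appeared. All asset names, locations, application names and seat counts are constructed.

```python
"""Annual inventory reconciliation: recorded inventory and licenses vs. what discovery found.

Added example, not from the ISSMP guide. Every record below (assets,
locations, installed software, seat counts, discovery results) is constructed.
Licenses follow the per-seat model: one purchased seat per installation.
"""
from collections import Counter
from typing import Dict

# Constructed: what the inventory management system says we have.
RECORDED: Dict[str, dict] = {
    "ws-0101":    {"location": "floor-2", "software": {"office-suite", "pdf-reader"}},
    "ws-0102":    {"location": "floor-2", "software": {"office-suite"}},
    "ws-0103":    {"location": "floor-3", "software": {"office-suite", "cad-tool"}},
    "srv-app-01": {"location": "dc-a",    "software": {"app-server"}},
}

# Constructed: approved applications and the number of per-seat licenses purchased.
LICENSES: Dict[str, int] = {"office-suite": 2, "pdf-reader": 1, "cad-tool": 1, "app-server": 1}

# Constructed: what the discovery scan plus the physical inventory actually found.
DISCOVERED: Dict[str, dict] = {
    "ws-0101":    {"location": "floor-2", "software": {"office-suite", "pdf-reader", "screenshot-tool"}},
    "ws-0102":    {"location": "floor-3", "software": {"office-suite", "screenshot-tool"}},
    "ws-0104":    {"location": "floor-3", "software": {"office-suite", "screenshot-tool"}},
    "srv-app-01": {"location": "dc-a",    "software": {"app-server"}},
}


def reconcile(recorded: Dict[str, dict], discovered: Dict[str, dict],
              licenses: Dict[str, int], pattern_threshold: int = 2) -> dict:
    """Answer the inventory-report questions from the three data sets.

    pattern_threshold: how many separate hosts an unauthorized application must
    appear on before it is reported as a pattern (a hint of an unmet business need).
    """
    recorded_hosts, found_hosts = set(recorded), set(discovered)
    # Installations per application across everything discovery found (missing key -> 0).
    installs = Counter(app for host in discovered.values() for app in host["software"])
    # Anything installed that has no license entitlement is unauthorized.
    unauthorized = {host: sorted(data["software"] - set(licenses)) for host, data in discovered.items()}
    unauthorized = {host: apps for host, apps in unauthorized.items() if apps}
    pattern = Counter(app for apps in unauthorized.values() for app in apps)
    return {
        # Do we have what we think we have?  Is there unauthorized hardware?
        "missing_assets": sorted(recorded_hosts - found_hosts),
        "unrecorded_assets": sorted(found_hosts - recorded_hosts),
        # Is it where it belongs?
        "misplaced_assets": sorted(host for host in recorded_hosts & found_hosts
                                   if recorded[host]["location"] != discovered[host]["location"]),
        # Are we within our license agreements?  Are we paying for seats nobody uses?
        "license_overage": {app: installs[app] - seats for app, seats in licenses.items()
                            if installs[app] > seats},
        "idle_seats": {app: seats - installs[app] for app, seats in licenses.items()
                       if installs[app] < seats},
        # Are we finding unauthorized software, and does it follow a pattern?
        "unauthorized_software": unauthorized,
        "unauthorized_patterns": {app: n for app, n in pattern.items() if n >= pattern_threshold},
    }


if __name__ == "__main__":
    for question, answer in reconcile(RECORDED, DISCOVERED, LICENSES).items():
        print(f"{question}: {answer}")
```

In the constructed data, ws-0103 was recorded but not found, ws-0104 was found but never recorded, ws-0102 has moved floors, office-suite is installed one seat beyond the two purchased, the cad-tool seat is paid for but no longer installed anywhere, and screenshot-tool appears on three workstations without any entitlement, which is exactly the pattern the note above says to feed back to operations.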
Access Control
Access control is fundamental to effective security and includes the following categories and examples:
• Physical access
  ◦ Building, floor, office, wiring closet
  ◦ Identity card; possession of a combination for a cipher lock; possession of a physical key
• Technical access
  ◦ Remote access
  ◦ Wireless access
  ◦ Application access
  ◦ Password, PIN, biometric, smart access card
• Identity and authentication
• Privilege and authorization
• Identity credential
• Privilege credential