The Systems Security Certified Practitioner (SSCP) must be familiar with an organization's policies, standards, procedures, and guidelines to ensure adequate information availability, integrity, and confidentiality (AIC). The SSCP works closely with the organization's management personnel, system owners, information managers, data custodians, and end users in the application of security policies, data classification schemes, security controls verification, and the monitoring and application of patches and updates. It is important that the SSCP candidate understand the concepts of endpoint device security and change management. As a member of the organization's IT security team, a practitioner may be involved in security awareness training and other milestones in the employee life cycle, such as onboarding, account provisioning and user support, changing rights, and account termination processing.
Security operations and administration is a broad canvas encompassing everything from corporate policies to everyday security activities. The practitioner should be knowledgeable in all of the facets of IT security administration for an organization.
Security administration includes the policies, principles, standards, procedures, and guidelines required for availability, integrity, and confidentiality (AIC) of an organization's data and hardware assets. Security administration also defines the roles and responsibilities of individuals within the organization who must carry out various tasks according to established directives. Administrative activities such as change control, configuration management, security awareness training, monitoring of systems and devices, and the application of generally accepted industry practices are the responsibility of IT administrators and security practitioners.
Security administration is the performance of the various functions and activities related to the security of a system or enterprise. It is typically the responsibility of a security administrator, security officer, or security manager. While some of the specific activities are actually performed by frontline personnel such as security practitioners, the responsibility for them resides with the security administrator. Security administration, however, sometimes requires more than assuming duties that somebody else has been performing, since many security administration functions in organizations are handled by various personnel. A typical assignment of the security practitioner is to perform duties that ensure that system security is maintained, security flaws are controlled, and risk to the organization is minimized.
Security administration involves the selection and placement of controls to enforce the AIC objectives within the system to ensure availability, integrity, and confidentiality for all members of the organization. These key administration duties may include configuration, logging, monitoring, upgrading, and updating products and end-user support.
The first thing that comes to mind when someone says IT security is electronic boxes with assorted flashing lights. Although various network hardware devices may be used to detect and mitigate threats on a network, IT security and the security of the enterprise must first be built on a firm foundation of policies and concepts. Without policies and the resulting procedures and guidelines, there would be a complete lack of corporate governance with respect to IT security. Security policies are the foundation upon which the organization can rely for guidance.
Network personnel, from network administrators to security practitioners, are required to have at least a working knowledge of networking, security, and risk management concepts and how they impact the enterprise.
IT security and the security of the organization are necessary because of risk. Every enterprise faces uncertainty based on a vast array of threats. The process of measuring, identifying, and controlling the risk environment within an organization is referred to as risk management. Risks are managed by utilizing various controls to reduce them. You have already seen that these controls may be technical or administrative in nature. The following is the description we use in the system security field to identify risk:
Risk is a function of the likelihood of a threat agent exploiting a vulnerability and the resulting impact of that action, which creates an adverse effect on the organization.
In other words, risk can be expressed as the possibility of loss. Risk and risk management will be covered in Chapter 5. The activities of security administration include the creation of policies as a risk mitigation function. Administrative policies recognize that threats exist and put in place controls and conditions whereby the exposure of various organization vulnerabilities may be mitigated.
Policies and practices are put in place by an organization to guide business and personnel actions. In a small entrepreneurial business, policies may be dictated and enforced by the business owner. These policies are not always committed to writing. In many cases, a policy statement might be explained as, “We've always done it this way.” In most cases, when a very small business begins to grow and gains employees, it's actually the human resources department that spearheads the requirement for policy statements. Many of these employee-based policy statements are enacted due to various local, state, and federal regulations. In many cases, the beginnings of a small business security policy take the form of “lock the door and turn off the lights when you leave.”
As we move from small and medium-sized businesses (SMBs) into large enterprises, formal, well-constructed written documents that are aligned with the mission and values of the enterprise are required. These documents form the foundation to protect the organization's information and assets by specifying the requirements and techniques utilized to control risk. It is through these documents that controls are put in place to reduce risk by mitigating a threat's ability to exploit a vulnerability.
The security of any organization or enterprise rests totally on the strategic planning and tactical implementation of security policies and risk mitigation controls. The security plan of the organization should completely coincide with the mission, objectives, culture, and nature of the business. Various security frameworks exist to guide the organization as well as the security professionals responsible for implementing programs through the planning, organization, and documentation that respond to the requirements of the organization. The most popular frameworks include the National Institute of Standards and Technology (NIST) 800 series of Special Publications. These NIST publications offer a broad coverage of IT security best practices. Another of the most popular frameworks is the ISO/IEC 27000 series of information security standards.
An information security management system (ISMS) consists of the set of policies designed to reduce or mitigate risks to the organization. It promotes the principle that an organization should create, implement, and maintain a complete set of security policies, processes, and systems to manage risks to both hardware and information assets.
The framework initially was published in the United Kingdom as BS 7799 in the mid '90s. By 2000 it was adopted by the International Organization for Standardization (ISO) and retitled ISO/IEC 17799. In 2005, the standard was incorporated into the ISO 27000 standards series as ISO/IEC 27002. It is common to place the date of revision after the standard number. The most recent revision is ISO/IEC 27002:2013. The standard is explicitly concerned with information security, meaning the security of all forms of information. There are several information security standards published in the ISO/IEC 27000 series. The two most popular are as follows:
Both ISO 27001:2013 and ISO 27002:2013 have been completely rewritten since the 2005 edition. While ISO 27001:2005 specified Deming's Plan-Do-Check-Act cycle, in ISO 27001:2013 other continuous improvement processes such as Six Sigma's DMAIC (Define, Measure, Analyze, Improve, and Control) may be implemented.
A best practice is an accepted methodology of performing an action that leads to a beneficial result. In many situations, the best practice has developed, over a period of time, through trial and error. Businesses utilize best practices in the form of frameworks, templates, or guidelines. Various methodology frameworks such as the Information Technology Infrastructure Library (ITIL), Six Sigma, agile project management, and the Scrum agile software development framework are readily adopted by businesses. Practice distribution has been made possible generally through the commercialization of the topic and the proliferation of books, courses, and certifications.
Organizations such as the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), and the International Electrotechnical Commission (IEC) work with industry groups as well as governments to develop and publish frameworks of best practices. Once a framework becomes generally well accepted, it will be adopted as an industry standard. A typical best practice recommendation for information security management is the ISO/IEC 27002:2013. Quite often best practices and industry-recognized frameworks become the foundation for corporate policies.
A corporate policy is a written document that states high-level goals and directives as established by corporate top management. Corporate policies take the form of a brief statement by corporate top management and provide authorization, intent, and direction. They generally include all of the major areas of the enterprise, such as accounting, legal, human resources, ethics, and regulatory compliance to name a few.
Corporate policies are generally created as a response to various requirements.
The corporate security policy is a statement authorized by top management that defines the overall security for the organization and protection of corporate assets. Chief among corporate assets is information. Therefore, many security policies are referred to as IT security policies because information is contained on computers, servers, and storage devices.
The IT security policy may be viewed as an umbrella policy that encompasses a number of subpolicies or supporting policies that address various activities or risk categories. These subpolicies generally cover areas such as information access, use and disclosure, destruction, and classification as well as physical security, ethics, and various activities associated with the IT infrastructure. Figure 4.1 illustrates the relationship between general corporate policies, the IT security policy, and various subpolicies.
For instance, the enterprise security policy may broadly state that all information system users are required to use a password as an authentication mechanism. The password policy would then specify such details as the structure of a password, password expiration and renewal, re-issuance of a forgotten password, and any other details specific to passwords.
There are different categories of security policies depending upon the structure and requirements of the organization. There are three general types of security policies that together meet the requirements of the overall enterprise security program:
The same organizational policy may exist for all three entities, with the difference being the scope of the policy in relation to the requirements of the entity. For instance, an organizational policy reflecting the requirement for personal privacy for European operations will have different standards, regulations, and legislation to comply with than one for the Omaha division within the United States. Organizational policy should be clear regarding the specific entity or geography of the intended audience. It should include specific statements about the geography, facilities, hardware, software, data storage, and personnel within the scope of the policy. This is very important in the case of a cloud data storage policy, for example.
The organizational policy may generally state that customer data may be placed in cloud storage. Unfortunately, the organization may find that the cloud storage facilities are based in a country that does not allow search and seizure of the data during a forensics investigation. Therefore, the organization must carefully consider and clearly define the requirements when creating a general organizational policy.
Similar to organizational policies, functional policies may include the entire organization, corporate division, geographic area, or country-specific working group within the scope of the policy. An example of the corporate division functional policy might be that personal access to all manufacturing facility workspaces at the XYZ Corporation Omaha Engine Manufacturing Division will require two-factor authentication.
The more detailed or granular a policy, the more frequently the policy may be required to be updated or changed. Organizational policies are usually very broad in scope, while an operational policy defines a specific operational requirement or action. For instance, an organizational policy may require that all individuals utilize two-factor authentication for facility access. This is a general statement that applies to all the individuals in the organization. The specific supporting operational policy may state that the XYZ2314 retinal scanner be used as the second factor for authentication at the New Mexico Laboratory Annex. While the organizational policy is long term, spanning many years, the XYZ2314 retinal scanner may be replaced within a year or two, requiring an operational policy and procedural policy change.
Although corporate policies may be authored by knowledgeable individuals within the organization or may be adopted from a variety of best practices, policy templates, or frameworks, it is of paramount importance that the top management of the organization support, approve, and endorse the security policy. The security policy should reflect and support the mission and goals of the enterprise. The endorsement by top management provides an authoritative document that authorizes the adoption and implementation of various controls by which to mitigate risk to the organization's assets. The security policy clearly states the direction and goals of top management and reflects the culture, goals, and mission of the organization.
Today we operate in a multicultural global economy. As security professionals, we must recognize that our organization may span dozens of countries. Under the umbrella of IT security policies, it is not unusual to have policies specific to a country or a region. The right to privacy is a highly developed area of law in Europe. All of the member states of the European Union are also members of the European Convention on Human Rights. In 1980, the comprehensive data protection system was adopted throughout Europe. The Convention developed the guidelines governing the protection of privacy. It adopted seven principles governing the protection of personal data:
It is important to understand that from a global perspective, numerous security policies may be required depending upon local laws, customs, and regulations.
A large number of policies may fall under the umbrella of IT security or corporate security policies. Each of these policies provides guidance on a specific requirement. Here are some of the most common supporting security policies:
Security policies do not need to be large and bulky to be effective. In fact, most corporate policies are three to five pages and usually no longer than nine pages in length. It is very helpful if all policies follow the same general format.
All policies may be designed to include various statements specific to the policy topic; security policies usually contain many of the following sections:
As you have seen, the corporate security policy is generally broad in nature and makes a single statement. It does not go into detail concerning the “how” and, specifically, the “who” of any aspect of the policy. In the example of the corporate password security policy, the mandate statement was very general. On the specific password policy, more detail was added as to the length of time, identity verification, and other password requirements. This password policy detail is supported by a policy statement, standards, baselines, procedures, and guidelines.
The components of a policy and supporting documents are as follows:
Each piece of hardware or software has optimal settings that allow for the most secure implementation. A baseline states the specific configuration criteria required for the hardware or software to meet the functional or organizational policy statement. For example, an organizational policy may state that every user workstation be protected by antivirus software. The functional policy may state that ABC antivirus software be implemented on all user workstations. And a baseline may state that the ABC antivirus software be configured to automatically update on a daily basis using the ABC Professional Signature database. It is also important that configurations be regularly evaluated or audited to ensure that they meet the baseline minimum requirement.
It is not uncommon that over time guidelines become accepted practice throughout an organization or industry and are integrated into a procedure as a requirement. Many of today's policies and procedures originated as guidelines.
Figure 4.2 illustrates the hierarchy from general corporate policies to guidelines, including standards, baselines, and procedures.
For effective communication, all corporate policies should use a similar template. The template will ensure that each policy document contains the required information and is easy to read and understand. Policy content must be brief and to the point.
Policies may be documented through a number of methods. Of course, one technique would be to print out the pages and place them in a binder. Policies do need to be in writing, but consideration should be given to storage, accessibility, updates, and communication.
A method of enforcement must be included in the security policy. The policy should list the definition of a violation (and optionally, its severity) and the punishment, sanction, or action taken. When considering enforcement actions, it is always highly recommended to include the human resources department. Policies must be enforced fairly and without bias. Individuals could claim that they did not know about the policy, the policy changed without them knowing, or that somebody else was not accused when they violated the policy. Numerous legal issues may arise when enforcing a security policy.
The violation of some policies could lead to severe punishment, sanctions, or termination for the employee. In such cases, as with onboarding documentation, the employee must sign an acknowledgment that they have received, read, and understand the policy. When feasible, some organizations require a face-to-face meeting with each employee, while other policy notification situations may use emails to employees and require an e-signature document to be returned.
Over time, some policies must change. Policy change and review should constantly be undertaken by the organization. Because top-level corporate policies are authorized by C-level corporate officers, a formal change review and signoff process should be undertaken. Once a policy is updated, copies should be distributed as specified by the communication plan.
Policies and changes to policies must be communicated to the appropriate audience throughout an organization. Depending upon the policy, not all information is distributed to everybody. A policy that affects only the marketing department is obviously not required to be distributed to warehouse personnel.
When communicating policies and changes, it is important to consider the actions required by the individual. Some of these actions may be more significant than others. For instance, a policy change stating that a specific server will not be available from 10 p.m. to midnight on Saturdays due to scheduled maintenance may have less impact and significance on individuals than a policy that implements a new workgroup data-sharing software application requiring individuals to organize and upload all of their work files within the next week. The communication should be clear on what actions and activities individuals must perform in relation to the policy or policy change.
Many companies utilize their intranet to disseminate policy information. Other policy documentation communication plans might include one or more of the following:
Two of the most popular and frequently used methods of policy distribution and awareness are manager meetings and pop-up logon banners. Everyone in the organization logs into their computer workstation on a regular basis. It is fairly easy to include a pop-up or warning banner announcing a policy or a change in a policy. For more detailed explanation or policy distributions that may require a question-and-answer session, manager meetings may be held with departmental staff. Depending upon the details of the policy, “train-the-trainer” sessions may be held with managers to explain the details of a policy and how to answer specific questions. This is especially important if a policy may have an adverse or confusing effect on personnel.
A security practitioner may be involved in the development of software or applications. It is important that security personnel be involved at the beginning and as a stakeholder in every development project.
The Security Development Lifecycle (SDL) is a software development process proposed by Microsoft to reduce software maintenance costs and increase the reliability and security of software. The Security Development Lifecycle incorporates all of the activities to ensure compliance with both operational and security requirements as specified by organizational policy. Security requirements and the inclusion of security controls should be present at the beginning of the development project.
The security practitioner may be required to manage the configuration files on a variety of network equipment. Configuration management is critical to the success of the IT organization. Various IT devices, including servers, switches, routers, and IDSs as well as other networking items, require configuration and system updates on a regular basis. The larger the organization, the more difficult this task becomes.
While it is always possible to update and configure items manually, many organizations have adopted automated configuration management. Automated configuration management provides a centralized method to make changes to a system in an organized manner.
Configuration management is the application of tools that allow for the centralized management of settings, firewall rules, and configuration files that allow networking items to perform their assigned tasks.
The task of configuration management may be broken down into a number of activities. The security practitioner may be responsible for any or all of these configuration management tasks.
Applying relevant patches, updates, and fixes may be the responsibility of the security practitioner. Patching devices may be automated or manual in nature and is always procedure based. This means that a procedure exists such as taking an item offline, placing it in administrator mode, connecting a console, and completing many other required steps to update the software contained on the device. Although the word patch is frequently used to describe an update or change to a device's software, there are many other terms associated with this activity.
Software version numbering is a method of assigning numeric or alphanumeric designations to identify the generation or “build” of a software or firmware product. The numbers or alphanumeric designations are generally assigned in increasing order to correspond to changes and developments and new releases of the software product.
Most versioning schemes feature three- to four-digit identifiers and are used to convey the importance or significance between changes. Different manufacturers and producers of software make use of the designations differently. For instance, the designation 2.1.3.4 may indicate that this is the fourth revision (4) of the documentation and the third revision (3) of minor changes. It may also indicate this is the first revision (1) indicating a major change since the last general release. Some manufacturers jump sequence numbers to indicate the importance of an upgrade or software revision change. For instance, Internet Explorer 6 went from 6.1 to 6.5.
The primary version number (2) indicates a new software release with a major functionality change. When manufacturers change the primary version number, it may indicate a substantial change in functionality, usability, or feature set. It may also denote an incompatibility with prior versions. When changing the primary version number, many manufacturers use this opportunity to resell the subscription to the software.
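The version comparison described above, as an added example that is not part of the book: it parses dotted identifiers such as 2.1.3.4 into integer fields so that versions compare numerically rather than as strings, names the most significant field that changed, and applies an assumed (illustrative) rule that a primary-number change or a downgrade must go through the full sandbox test cycle. The field names major/minor/patch/build and the `needs_full_test_cycle` policy are assumptions for the example.

```python
"""Parse dotted version identifiers and classify the significance of a change.

Added example, not from the book. The four-field layout major.minor.patch.build
mirrors the 2.1.3.4 discussion in the text; the field names are an assumption.
"""

FIELDS = ("major", "minor", "patch", "build")


def parse_version(text):
    """Turn '2.1.3.4' (or a shorter form such as '2.1') into a 4-tuple of ints.

    Missing trailing fields are treated as 0, so '2.1' == '2.1.0.0'.
    Comparing tuples of ints avoids the string pitfall where '2.1.10' < '2.1.9'.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"expected 1-4 numeric fields, got {text!r}")
    numbers = []
    for part in parts:
        if not part.isdigit():
            raise ValueError(f"non-numeric version field {part!r} in {text!r}")
        numbers.append(int(part))
    return tuple(numbers + [0] * (4 - len(numbers)))


def change_kind(installed, candidate):
    """Name the most significant field that differs between two versions.

    Returns 'none' (identical), 'downgrade' (candidate is older), or one of FIELDS.
    """
    old, new = parse_version(installed), parse_version(candidate)
    if new == old:
        return "none"
    if new < old:
        return "downgrade"
    for name, o, n in zip(FIELDS, old, new):
        if n != o:
            return name
    return "none"  # not reachable: unequal tuples differ in some field


def needs_full_test_cycle(installed, candidate):
    """Assumed policy hook for illustration: a change to the primary (major)
    number may break compatibility, so it always gets the full sandbox test
    cycle; a downgrade is treated the same way so it is never applied quietly.
    """
    return change_kind(installed, candidate) in ("major", "downgrade")


if __name__ == "__main__":
    for installed, candidate in [("2.1.3.4", "2.1.3.5"), ("2.1.3.4", "3.0"), ("6.1", "6.5")]:
        print(installed, "->", candidate, change_kind(installed, candidate),
              "full test cycle" if needs_full_test_cycle(installed, candidate) else "routine")
```

The parser rejects non-numeric fields rather than guessing, which matters when inventory data is scraped from vendors who mix letters into their build strings; such strings should be handled explicitly, not silently compared.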
It is an industry best practice to thoroughly test any patch, fix, update, or service pack in a nonproduction environment. A sandbox is a machine or virtual network that is totally isolated from the production environment. Problems experienced during testing within a sandbox cannot escape to the production network. It is never a good idea to distribute patches, fixes, or even service packs without first testing them in an offline environment.
Release management is part of the software development process, which can be a constantly evolving process or an ongoing cycle of development, testing, and release. Software applications are created, modified, or updated on a regular basis. As part of the process, they are tested and evaluated by both IT quality testing teams and end-user testing teams. Each team is challenged with testing the software to specific design parameters, usually as outlined in the business requirements document (BRD). The IT quality team is charged with testing the automation of the software and how it interacts with databases, storage devices, and other pieces of software, sometimes referred to as quality acceptance testing (QAT), while the user team is testing the software against specific scenarios or business cases, usually referred to as user acceptance testing (UAT).
Once the software is completed and passes the testing environment, it is made ready for deployment. Software deployment is a series of steps in which the new software is loaded on a server and distributed to the appropriate user workstations. In some deployment situations, the software remains on the server and is available for end-user logon.
Software release can be an ongoing, multifaceted project involving dozens of individuals. In the past, new software releases and updates were made available only upon the completion of a particular project. This project methodology is referred to as the waterfall development process, where one step leads to the next until the project is eventually completed and distributed to the end users. Software development organizations today utilize an agile development process in which items are developed very quickly, tested, and made available. The agile development process has greatly increased the number of possible software releases due to the rapid ability to create or modify software, correct mistakes, and reissue the software.
Change management is specifically an IT process in which the objective is to ensure that the methods and procedures for change are standardized and are used for efficient and prompt response to all change requests. Change management is a system that records a request, processes requests, elicits a denial or authorization, and records the outcome of the change to a configuration item.
Changes requiring specific approval may be forwarded to a change control board (CCB) or change advisory board (CAB) consisting of various authoritative and qualified individuals within the organization who review and approve or deny changes.
Change management is responsible for managing change processes involving the following:
Asset management broadly defines the identification, maintenance, and risk protection of hardware or information assets. The very first step of risk management is identifying the assets that require protection. The security practitioner may be involved in cataloging, maintaining, or decommissioning various organizational assets.
Assets are generally grouped into two specific classes: physical assets, which are also called tangible assets, and nonphysical assets, which are also called intangible assets. It may be obvious that tangible assets are IT infrastructure hardware components, while intangible assets are data, information, and intellectual property.
As a security practitioner, you may be involved in providing some service at any point along the asset life cycle. The asset life cycle includes the following steps:
The IT environment is constantly changing along with the threats to the organization. IT departments should regularly test security and compliance controls to ensure that they remain both effective and within the scope of the required operational guidelines. The reason security controls require validation is to maintain compliance established by various regulations, such as FISMA/NIST, PCI DSS, and HIPAA.
It may be the responsibility of the security practitioner to assess, verify, and document the correct operational state of a security control based upon established baselines. During this process, the practitioner accomplishes a number of procedures that may include validation of current updates and patches, validation of correct configuration, and review of logs and documentation.
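A baseline check of the kind described here and in the antivirus baseline example earlier in the chapter, as an added example that is not part of the book: it compares the settings collected from each workstation against a required baseline, flags missing or deviating values, and also checks evidence that the daily update actually happened (signature age), since a correctly configured but stale client would otherwise pass. The baseline keys, the host names, the sample observed configurations, and the two-day tolerance are all constructed for illustration.

```python
"""Check observed endpoint settings against a security baseline and report drift.

Added example, not from the book. The baseline keys, sample inventory and host
names are constructed; the 'ABC antivirus' naming follows the chapter's example.
"""
from datetime import date

# Constructed baseline: required value per setting, mirroring the text's example
# that ABC antivirus must auto-update daily from the ABC Professional database.
BASELINE = {
    "av.product": "ABC Antivirus",
    "av.auto_update": "enabled",
    "av.update_interval_hours": 24,
    "av.signature_db": "ABC Professional",
}
MAX_SIGNATURE_AGE_DAYS = 2  # assumed tolerance for one missed daily update


def audit_host(observed, today):
    """Return a list of human-readable findings; an empty list means compliant.

    observed: dict of setting -> value as collected from the host (constructed here).
    today: the date used to judge signature freshness, passed in so the check is testable.
    """
    findings = []
    for key, required in BASELINE.items():
        actual = observed.get(key)
        if actual is None:
            findings.append(f"{key}: missing (baseline requires {required!r})")
        elif key == "av.update_interval_hours":
            # Updating more often than daily still satisfies the baseline.
            if not isinstance(actual, int) or actual > required:
                findings.append(f"{key}: {actual!r} exceeds baseline {required}")
        elif actual != required:
            findings.append(f"{key}: {actual!r} differs from baseline {required!r}")
    # Evidence that the update actually happens, not just that it is configured.
    last = observed.get("av.signature_date")
    if last is None:
        findings.append("av.signature_date: no signature timestamp recorded")
    else:
        age = (today - date.fromisoformat(last)).days
        if age > MAX_SIGNATURE_AGE_DAYS:
            findings.append(f"av.signature_date: signatures are {age} days old")
    return findings


def audit_fleet(hosts, today):
    """Map each host name to its findings so a report can list drifted hosts."""
    return {name: audit_host(cfg, today) for name, cfg in hosts.items()}


# Constructed sample inventory and audit date for a stand-alone run.
SAMPLE_TODAY = date(2024, 3, 11)
SAMPLE_HOSTS = {
    "ws-0001": {"av.product": "ABC Antivirus", "av.auto_update": "enabled",
                "av.update_interval_hours": 24, "av.signature_db": "ABC Professional",
                "av.signature_date": "2024-03-10"},
    "ws-0002": {"av.product": "ABC Antivirus", "av.auto_update": "disabled",
                "av.update_interval_hours": 168, "av.signature_db": "ABC Professional",
                "av.signature_date": "2024-02-20"},
    "ws-0003": {"av.product": "ABC Antivirus"},
}

if __name__ == "__main__":
    for host, findings in audit_fleet(SAMPLE_HOSTS, SAMPLE_TODAY).items():
        print(host, "COMPLIANT" if not findings else "DRIFT")
        for finding in findings:
            print("   ", finding)
```

Keeping the baseline as data rather than as code in the checker means the baseline document itself can be version-controlled and reviewed through the same change process as the policy it implements.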
Every organization maintains data related to its business or operation. This information may consist simply of phone numbers and contacts, or it may be regulated information such as patient medical records. The security practitioner can be involved at any level of the maintenance and protection of organizational information.
Data is classified as being in one of three states: data at rest, data in transit, and data in process. Data at rest is in memory, and data in transit is moving. Data in process is a little more complex because it is data that is being used by a process. Programmers and database administrators are involved with handling data in process. For instance, if two numbers are being added together and the power goes out, what happens to the two numbers, and what happens to the answer? The programmers and database administrators use processes referred to as rollback and roll forward to reverse the effects of the calculation and restore the data to the state it was in prior to the power going out. Although the security practitioner may not be involved in such programming, it is important to recognize the terminology.
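The rollback and roll-forward idea in the paragraph above, as an added example that is not part of the book: a small journaled store records the before and after values of an update before touching the data, then marks the entry committed only once the change is in place. A simulated power loss (the `crash_after` hook) interrupts the update at different points, and recovery replays the journal, rolling committed entries forward and uncommitted ones back. The journal layout, the `Crash` hook, and the `demo` scenario are all constructed for illustration.

```python
"""Write-ahead journal demo: recover an interrupted in-process update by
rollback or roll-forward.

Added example, not from the book. The journal layout and the simulated crash
are constructed to illustrate the rollback / roll-forward terms in the text.
"""


class Crash(Exception):
    """Simulated power loss in the middle of an update."""


class JournaledStore:
    def __init__(self, values):
        self.values = dict(values)  # the "data in process"
        self.journal = []           # append-only log; assumed to survive the crash

    def add(self, key, amount, crash_after=None):
        """Atomically add `amount` to values[key], journaling before and after.

        crash_after is a test hook: 'intent' raises before the data changes,
        'apply' raises after the change but before the commit record is written.
        """
        before = self.values[key]
        after = before + amount
        # 1. Record intent (undo and redo images) before touching the data.
        self.journal.append({"key": key, "before": before, "after": after,
                             "state": "pending"})
        if crash_after == "intent":
            raise Crash("power lost after journaling intent")
        # 2. Apply the change in place.
        self.values[key] = after
        if crash_after == "apply":
            raise Crash("power lost after applying, before commit")
        # 3. Mark committed; only now is the result considered durable.
        self.journal[-1]["state"] = "committed"

    def recover(self):
        """Replay the journal in order: committed entries roll forward,
        anything else rolls back. Returns the list of (key, action) taken."""
        actions = []
        for entry in self.journal:
            if entry["state"] == "committed":
                self.values[entry["key"]] = entry["after"]   # roll forward
                actions.append((entry["key"], "roll_forward"))
            else:
                self.values[entry["key"]] = entry["before"]  # roll back
                entry["state"] = "rolled_back"
                actions.append((entry["key"], "roll_back"))
        return actions


def demo(crash_after):
    """One committed update, then one interrupted at `crash_after`, then recovery.

    Returns (value seen before recovery, recovery actions, value after recovery).
    """
    store = JournaledStore({"balance": 100})
    store.add("balance", 25)  # completes normally and is committed
    try:
        store.add("balance", 10, crash_after=crash_after)
    except Crash:
        pass
    seen = store.values["balance"]
    actions = store.recover()
    return seen, actions, store.values["balance"]


if __name__ == "__main__":
    for point in ("intent", "apply", None):
        print(f"crash after {point!r}:", demo(point))
```

The ordering is the whole point: intent is journaled before the data changes, and the commit mark is written after, so at no instant can a crash leave a changed value without a record that says whether to keep it or undo it.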
Information life cycle management (ILM) is the practice of applying certain policies during the creation and maintenance of information. The organization may have several policies concerning the creation, classification, access, handling, and disposal of information. The security practitioner may be involved at any point during information life cycle management, including the classification and disposal of information as per existing policies.
Organizations, whether business, military, or the federal government, possess data requiring various levels of privacy. The strictest data privacy classification in a military organization is top secret. This designation would indicate that the data or information would require the greatest amount of protection afforded any data in the system.
Various organizations are required to classify information based on privacy regulations imposed upon the industry. Information such as trade secrets, Department of Defense or governmental information, patient privacy information, and customer information such as credit cards, addresses, and Social Security numbers are all pieces of information that require protection through privacy. Some organizations separate classifications based on the type of data, such as financial, personal, or institutional secrets. An information classification structure is a set of labels or tags placed on documents and data that specifies the required protection that should be afforded to the information.
Many organizations, including the U.S. military and government, use hierarchically based information classification systems. Typically, the military and government hierarchy includes unclassified, sensitive but unclassified, confidential, secret, and top secret. Business and commercial information classification systems are much more abbreviated than those of the military or government, usually featuring three layers at most. In the corporate world, a hierarchy may include public, sensitive, and confidential as classification categories.
Most organizations provide security controls based on the value of what is being protected. Many organizations rely on a risk assessment to determine the value of data. There are several ways to determine the value of an asset. The organization could assess the impact of the loss or disclosure of the data, the cost of replacement, and the amount of embarrassment that disclosure or loss of the data could produce. Then, place a higher value on the more serious impacts. The higher the value, the more protection is required. The lower the value, the less protection is needed.
To keep yourself on track, keep the following points in mind when assessing the level of security necessary for data within your organization.
There are two parts to a data classification system:
Data classification strategies differ greatly from one organization to the next because each generates different types and volumes of data. The balance may vary greatly from one user to the next between office documents, email correspondence, images, video files, customer and product information, and financial or intellectual property data. Many companies begin to classify data in line with their confidentiality requirements, adding more security for increasingly confidential data. The classification system itself must include an element of centralized control so that data is classified in the context of overall strategic business objectives, such as compliance.
Various tools, software, and methodology exist to assist an organization in the data classification process. Generally, organizations opt to classify the most sensitive information first and work down to publicly available information.
An organization establishing a data classification policy must also include information concerning the marking, labeling, and storage of classified information. Sensitive information must be adequately identified both physically (by the marking on containers and storage devices) and digitally so that it can be recognized by trusted computer systems. The data classification policy should also include the access control provisions for both current information and information in long-term storage. Some information must be maintained in storage off-site for many years. Some regulations require that sensitive information be retained 7 years and some as much as 10 years. In the case of criminal evidence data, the information must be kept indefinitely. Consideration should also be given to the encryption methodology for long-term storage of data at rest. Currently, the AES encryption algorithm is used for long-term data storage.
Records management is an expensive undertaking for any organization. The continued maintenance of classified information, including storage and access, should be considered in any data retention or data classification program. Many government agencies and other organizations have responded by developing an open data program. An open data program is an attempt to review information and declassify it according to various criteria. Some information that has been gathered may not be declassified. For instance, the Privacy Act of 1974, 5 U.S.C. § 552a, Public Law No. 93-579, established a Code of Fair Information Practice that governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by federal agencies. Other regulations, including HIPAA, restrict declassification or dissemination of private client or patient information.
It is suggested that a declassification scheme and methodology be included in any classification policy.
Any computer hardware device that can be connected to the Internet or a local area network can be referred to as an endpoint device. Endpoint devices include desktop computers, user workstations, laptop computers, tablets, thin clients, smartphones, printers, removable memory such as USB drives, IP cameras, and other business-related computer items. Specialized computer hardware, such as point-of-sale terminals, dedicated tablets such as those used in the shipping industry, barcode readers, smart meters used in the electrical distribution industry, and supervisory control and data acquisition (SCADA) networking items within the manufacturing industries, is also classified as endpoint devices.
With the creation of IPv6, the Internet of Things (IoT) will force the quantity of endpoint devices into the billions, including household appliances, Internet-enabled medical devices, and other Internet-connected items such as automobiles, communication devices, tools, and process control items.
Endpoint device security is specified in the endpoint device policy and generally consists of endpoint compliance and endpoint defense, as explained in the following sections.
Network access control (NAC) is a technology that uses a set of protocols to enforce a policy for endpoint access to a network. In essence, network access control checks the health of the device requesting network access. An endpoint device security policy might state that the device is required to meet certain criteria prior to being allowed access to the network. These criteria could include the requirement that current software, current updates, and specific applications be loaded on the device. Upon a request to join a network, the network access control technology would check the requesting device to determine that it has the current antivirus protection, the current system updates, and the current system configuration; it also may verify installed software or applications (apps) and confirm the current update level or configuration of the applications.
The second aspect of network access control technology is that through various means, which may include a preinstalled software agent loaded on the device, the network access control software may be able to automatically bring the device into compliance by automatically upgrading the device or correcting configuration problems.
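The two aspects of NAC just described, a posture check against policy followed by agent-driven remediation and a re-check, as an added example that is not from the book or any NAC product. The policy fields, device attributes, sample join requests, and the list of findings an agent is assumed able to fix are all constructed here.

```python
"""Endpoint posture check of the kind a NAC policy enforces (added example).

Not from the book: the policy fields, device attribute names, sample posture
records and the list of agent-fixable findings are all constructed here.
"""
from dataclasses import dataclass, field, replace


@dataclass(frozen=True)
class EndpointPolicy:
    """Minimum posture a device must show before it is admitted to the LAN."""
    min_os_build: int                  # lowest acceptable OS build number
    max_av_signature_age_days: int     # how stale antivirus signatures may be
    required_apps: frozenset           # software that must be installed
    forbidden_apps: frozenset          # software that must be absent
    require_firewall: bool = True
    require_disk_encryption: bool = True


@dataclass(frozen=True)
class DevicePosture:
    """What the NAC learns about a device when it asks to join."""
    device_id: str
    os_build: int
    av_signature_age_days: int
    installed_apps: frozenset
    firewall_enabled: bool
    disk_encrypted: bool
    agent_installed: bool = False      # preinstalled remediation agent present?


@dataclass
class Decision:
    device_id: str
    verdict: str                       # "allow", "remediate" or "quarantine"
    findings: list = field(default_factory=list)


# Gaps the agent can close on its own; anything else needs a person (constructed).
AGENT_FIXABLE = {"os_outdated", "av_signatures_stale", "missing_app", "firewall_disabled"}


def check_posture(dev: DevicePosture, policy: EndpointPolicy) -> list:
    """Compare one device against the policy; return the list of findings."""
    findings = []
    if dev.os_build < policy.min_os_build:
        findings.append("os_outdated")
    if dev.av_signature_age_days > policy.max_av_signature_age_days:
        findings.append("av_signatures_stale")
    for app in sorted(policy.required_apps - dev.installed_apps):
        findings.append(f"missing_app:{app}")
    for app in sorted(policy.forbidden_apps & dev.installed_apps):
        findings.append(f"forbidden_app:{app}")
    if policy.require_firewall and not dev.firewall_enabled:
        findings.append("firewall_disabled")
    if policy.require_disk_encryption and not dev.disk_encrypted:
        findings.append("disk_not_encrypted")
    return findings


def decide(dev: DevicePosture, policy: EndpointPolicy) -> Decision:
    """Clean devices pass; agent-fixable gaps go to remediation; anything
    else (or a device without an agent) is held in a quarantine network."""
    findings = check_posture(dev, policy)
    if not findings:
        return Decision(dev.device_id, "allow")
    kinds = {f.split(":", 1)[0] for f in findings}
    if dev.agent_installed and kinds <= AGENT_FIXABLE:
        return Decision(dev.device_id, "remediate", findings)
    return Decision(dev.device_id, "quarantine", findings)


def apply_agent_fixes(dev: DevicePosture, policy: EndpointPolicy) -> DevicePosture:
    """Simulate the agent updating the device and correcting its configuration
    (the second aspect of NAC in the text); the result is then re-checked."""
    return replace(
        dev,
        os_build=max(dev.os_build, policy.min_os_build),
        av_signature_age_days=0,
        installed_apps=dev.installed_apps | policy.required_apps,
        firewall_enabled=True,
    )


def admit(dev: DevicePosture, policy: EndpointPolicy) -> Decision:
    """Full cycle: check, remediate if possible, and re-check once."""
    first = decide(dev, policy)
    if first.verdict != "remediate":
        return first
    return decide(apply_agent_fixes(dev, policy), policy)


# Constructed sample policy and join requests.
POLICY = EndpointPolicy(
    min_os_build=22000,
    max_av_signature_age_days=3,
    required_apps=frozenset({"edr-agent", "vpn-client"}),
    forbidden_apps=frozenset({"torrent-client"}),
)
DEVICES = [
    DevicePosture("lt-001", 22631, 1, frozenset({"edr-agent", "vpn-client"}), True, True, True),
    DevicePosture("lt-002", 21000, 10, frozenset({"edr-agent"}), True, True, True),
    DevicePosture("tab-003", 22631, 0, frozenset({"edr-agent", "vpn-client", "torrent-client"}), True, False, True),
    DevicePosture("byod-004", 22631, 5, frozenset({"edr-agent", "vpn-client"}), True, True, False),
]


def evaluate_all(devices, policy) -> dict:
    """Map each device to its final verdict after the remediation cycle."""
    return {d.device_id: admit(d, policy).verdict for d in devices}
```

Note that byod-004 has only a stale-signature finding, which the agent could fix, but because no agent is installed the device is quarantined rather than remediated.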
Network access control represents a new and emerging category of security products that investigate a device and check its health prior to allowing access to a network. With the millions and possibly billions of devices within the Internet of Things, Internet-enabled devices such as health monitoring wristbands, refrigerators, washing machines, wearable devices, medical devices such as insulin pumps, and thousands of additional devices all could be compromised by malware or other attacks. It would be highly beneficial to be able to remotely monitor the health of the connecting device.
Although the nature of this technology is currently somewhat controversial concerning privacy issues and the ability to make changes externally on a personally owned device, it's clear that there will be a need for a way to check the health of devices wishing to connect to a network.
Endpoint defense consists of an endpoint-mounted firewall, host intrusion detection systems (HIDSs), and antivirus software. The point at which defense mechanisms should be installed is when the endpoint or host system is initially set up or installed. The problem with endpoint defense is that it is required to be installed and maintained by the end user. It is safe to say that the majority of tablets, pads, and cell phones are currently incorrectly set up. In fact, it has been repeatedly shown that most devices still retain the default password that was on the product out of the box. Another aspect of end-user responsibility is maintaining patches, updates, and new versions of software applications as well as antivirus software.
Various firms offer endpoint security management software. Security management software is usually a form of server product that centrally manages the security settings and security components of network-based endpoint computers. Using security management software, applying patches and updates and monitoring the health and well-being of the endpoint device may be accomplished in a central location.
Endpoint defense for systems connected to a network can be carried out through the use of group management policies. A network administrator may assign various rights and capabilities to the user group that are enforced when they log onto the network. These rights and capabilities could include the inability to make changes, use USB devices, download specific software, or take other actions that might compromise the system. Although imposing restrictions on users is never popular, it does restrict the possibility of intrusions and problems with endpoint devices.
Endpoint device policies describe the various aspects and requirements of endpoint devices that are connected to the organization's network. By definition, endpoint devices may consist of assets owned by the organization or personally owned devices. It is obvious that endpoint devices owned directly by the organization are much easier to keep in compliance with upgraded software, patches, and other defensive mechanisms.
Personally owned devices may be described by a mobile device policy, in some cases known as a Bring Your Own Device (BYOD) policy. It is important today to have and enforce a clear BYOD policy within an organization. Employees, contractors, and visitors as well as strangers are attempting to enter your network on a daily basis. Clearly the policy must address authentication mechanisms that allow or restrict access to network hardware and information assets. One of the most important parts of a BYOD policy is what information may be stored on a personally owned device and what happens if the device is lost or stolen. Most BYOD policies specify that each device that has the capability of downloading information from the network must have the capability of being wiped or erased remotely if stolen or lost.
Personally owned devices offer many challenges to IT security managers and practitioners. Employees must be trained in the protection of corporate information assets that may be in their possession. For example, many personally owned devices have VPN client software installed. Many users automatically store their logon passwords on the device, and if the device is lost or stolen, the thief can immediately log on to the organization's network. In addition, users might log on using public Wi-Fi networks. In some public environments, Wi-Fi networks can actually be spoofed by a rogue operator who is intercepting passwords and text messages being sent over the network. The security practitioner should be involved in educating users in the correct methods of using their own devices.
End users pose the greatest threat to hardware and information assets of an organization. Through inadvertent or willful actions, users have the ability to cause great harm to the organization. Most organizations have already invested heavily in the latest firewalls, intrusion detection systems, and other advanced security technologies. Yet losses caused by security breaches continue to grow each year. The problem is not so much with the security technology as it is with the lack of security awareness among users. All too often the breaches that information security professionals have to deal with are caused by users forgetting to back up critical files, using weak passwords, or opening an email attachment with malicious code.
Social networking attacks prove to be one of the easiest attack vectors available. The uneducated user can be easily exploited. It is important to stress initial and continued security awareness education and training at all levels within an organization.
Organizations need to address the following potential vulnerabilities caused by uneducated end users:
Network managers and administrators have attempted to create various password policies that invariably include passwords such as &KH67rty&D@, which are virtually impossible for individuals to memorize, thus leading them to have written notes containing passwords in the vicinity of their computer.
Other end users do not take password security seriously. It has been discovered through various industry audits that whole departments shared a single password to a database. It has also been discovered that temporary personnel have been allowed to log in as the person they are replacing for the day.
The security policy of the organization must include a top-level security training policy. It should clearly state the importance of training at all levels of the organization to mitigate the threat to the organization through end-user conduct, whether it's willful or negligent.
The policy should clearly dictate which department is responsible for end-user security training. It should allocate the appropriate budget and state the expected goals and outcomes of end-user training.
Security awareness training should focus on the threats to the organization as posed by the end users. These individuals should be made aware that such threats exist and be able to recognize the pattern or techniques an attacker may use. They should also be instructed on how to be vigilant so they can identify the potential risks and vulnerabilities that exist.
Several groups within an organization are involved with and have access to various levels of information. Training programs should be focused on users, management, and executives due to their exposure to potentially sensitive information. Special security awareness training programs should be devised for each group to pinpoint the threats and the risks at each of their levels within the organization.
Training corporate employees on the subject of security is extremely important. It may be required under the corporate security policy, and in some cases it may be a compliance item under a governmental or industry regulation. It is important for the SSCP to understand various aspects of training because you may very well be involved in either the development or the delivery of security training topics.
Specialized training should be provided to any end users handling sensitive or confidential information. This may include individuals with access to customer databases, accounting records, or client information. Individuals should also receive specialized security training in compliance-based areas such as HIPAA medical information regulations and patient information privacy.
Corporate security training may be tailored to other employees at different ranks within the organization. It's important to recognize the information requirements and perspectives of these individuals in order to make the best use of time and provide for the greatest impact and absorption of the information.
Making a presentation on security topics to the senior executives within an organization is a skill that requires understanding both the time available and the amount of information to present. This level of corporate employee requires a high-level presentation that is quite different from end-user corporate security training.
Every business or organization can potentially face threats or situations that disrupt business processes and activities. For instance, a hurricane might interrupt electrical power to a business location. A tornado or fire might destroy parts of the building in which a business is located. A flood might easily disrupt the operations of a primary supplier of parts to manufacture the company's products. Each one of these interruptions or disruptions can potentially harm the organization.
Business continuity planning includes all of the steps and activities required to maintain business operations in the event of a disaster or disruption. It must include consideration for those activities required to completely restore business operations. All of the activities and information required to maintain business activities during a disaster incident and the restoration activities necessary to restore the business to a fully operational status are included in a business continuity plan (BCP).
A business continuity plan will take into consideration a variety of threats that might potentially disrupt or interrupt business operations. These threats will fall into the following categories:
The failure of internal operations that are required to create or manufacture products, such as a machine tool or conveyor system, could pose a significant interruption or disruption to a business. Services and other activities such as banking, Internet, and telecommunication services may be included as part of the supply chain because they contribute to the organization's ongoing business activities.
The September 11, 2001, terrorist attacks; the terrorist attack on a cartoon publisher in Paris, France; the attack on the Oklahoma City federal building; and other significant terrorist attacks have illustrated how terrorism can cause significant business interruption or disruption or even immediate termination of activities, as with the Sony Pictures release of a supposedly offensive movie.
Crime also includes the theft of intellectual property. Edward Snowden perpetrated a crime against the United States government by exposing Central Intelligence Agency classified information. Creating a politically embarrassing situation for the government of the United States, this action illustrates that organizations can be significantly disrupted by the release of sensitive information or the exposure of intellectual property such as trade secrets to competitors.
These threats and the resulting business disruptions illustrate many of the calamities that face organizations. While risk analysis endeavors to identify various threats and mitigate their effects, it is obvious that a business or organization can never address every threat. There would be no way the promoters of the Boston marathon could reasonably have predicted that two brothers from Boston would place a bomb in a spectator area. Through risk analysis, they may have identified that anything could go wrong at any point along the marathon route and thus obtained an insurance policy covering both the marathon participants and spectators in case a spectator brings a legal action against the promoter. The continuity plan, on the other hand, would detail the actions that would be taken in the eventuality that there was a significant disruption or interruption of the marathon.
The business continuity plan is a set of procedures, programs, and supporting plans that have been established to maintain the operations of the organization in the event of disruption or interruption caused by different levels of disaster. In the event of a disaster, responding individuals simply follow a plan consisting of instructions, checklists, or prearranged activities. Each individual can proceed to take the actions necessary to recover from a disastrous situation.
Development of a business continuity plan is a major undertaking for any organization. It requires time and diligence and the participation of many individuals. Successful plan creation is the result of the resolve and commitment of the organization and the commitment of financial resources to the project. Unfortunately, many small to medium-size businesses neglect the creation of a business continuity plan purely because of lack of resources. Although there are some business continuity plan templates available, each business organization must determine which functions are vital to the success of its specific operation.
As with all projects of any substance, the activity begins with a policy or charter that initiates the project. The business continuity plan policy must include the mandate of top management or the sponsorship of a senior executive or executive committee to provide the required directives and financial support the plan creation will require. Without top management or executive support, the creation of the plan will fail.
A business continuity plan consists of several supporting plans or documents (Figure 4.3). These plans are used to identify and prioritize various activities of the organization that must be maintained for the continued viability of the organization. Other documents will detail information concerning backup plans, alternate sites, restoration and recovery plans, and other plans critical to the continuation of the organization.
A business impact analysis (BIA) is the first step in creating a business continuity plan. Similar to risk analysis, where all assets are identified and possible threats categorized, the business impact analysis seeks to determine and rank activities and functions that are absolutely required by the operation and without which the operation would cease to exist. The business impact analysis evaluates the financial impact on the organization from a quantitative and qualitative viewpoint.
For example, a warehouse and shipping facility suffered $500,000 in damage during a hurricane. Prior to the damage, the facility was shipping $70,000 worth of products per day. It is estimated that the facility will be down for five days. The quantitative financial impact might be calculated at $350,000 in lost shipping revenue plus $500,000 to restore the warehouse to full operation. The qualitative financial impact is a less precise figure based upon business that had been turned away, customers that will leave and never come back, and bad publicity or reputation in the marketplace and other considerations.
During a business impact analysis, all of the major activities of the organization are listed and categorized as to their importance or how critical they are to the continued existence of the organization. Every business organization has basic revenue-driving operations and support functions. The BIA seeks to differentiate critical operations from support operations and specify a time frame during which the business can survive without the critical operations. Differing from a risk analysis, where potential threats are examined, a business impact analysis considers the impact to the business if the business function ceased operation for whatever reason.
Various steps must be undertaken during the creation of a business impact analysis:
The list of all the business processes is usually created by contacting senior personnel, department heads, managers, and knowledgeable individuals within the organization. This listing of processes will form the basis of creating an entire picture of the organization.
Figure 4.5 illustrates the relationship between the recovery point objective and the recovery time objective. The recovery point objective indicates the last known good data safely backed up and not affected by the disaster. The recovery time objective is the amount of time required to restore the data from the backup archives.
The concepts of maximum tolerable downtime, recovery point objective, and recovery time objective may be applied to every critical activity identified as a priority to the organization. Although the recovery point objective in the previous example refers to the restoration of data using backup files, it may also apply to physical or operational assets. For instance, a recovery point in a customer service office may be established as the point at which customer service agents are able to resume operations by answering telephones and resolving client issues. When planning a physical or operational recovery point objective, it is important to consider alternate or temporary recovery programs. For instance, the customer service department may be brought back to minimal operational status in an alternate location with telephone service using temporary tables, paper records, and written forms while the normal facility, communications equipment, and computer service is being restored.
As a security practitioner, you will be involved in restoration activities after a disaster. You, along with other team members, perform an integral service in returning IT operations and other business functions back to normal. A business continuity plan is concerned with maintaining the operations of a system or department after a disaster. As previously discussed, operations may be continued in a temporary location using a paper-based methodology, but at least they will be continuing.
Disaster recovery plans encompass a framework of processes and programs focused on the restoration of computer services, telecommunications, facilities, and operations back to a predisaster operational state. Since most organizations rely heavily on IT infrastructure, it is important that IT systems and services be returned to an operational state as soon as possible. As previously stated, continuity planning and disaster recovery planning sometimes require monumental efforts. These activities require a large degree of coordination, stakeholder input, and financial resources. Due to the importance of IT infrastructure, the IT department should create a comprehensive continuity plan and a disaster recovery plan independently of the rest of the organization if necessary. In other words, the IT infrastructure for an organization should take priority and have complete restoration plans available.
Not all disasters are created equal. For instance, the air-conditioning breaking down in the server room or the loss of power from the electrical grid may pose serious problems, but they are not as catastrophic as a tornado or hurricane. Some disasters are not disasters at all and only pose significant but short-term problems. To address this situation, various threats may be identified and assessed as to either the likelihood of occurrence or the impact to the organization if they do occur. There will be those threats with a very low likelihood of occurrence and possibly with a very low impact on the operations of the organization if they do occur.
Since all disasters and their impact on the organization are not equal, a method should be available to trigger the correct response plan. For instance, suppose a fire occurs and the information needs to be conveyed to the emergency recovery staff, corporate executives, and other stakeholders. You could easily imagine that the very next question somebody will have is, “How serious is it?” Therefore, many organizations have adopted a three-tier category system to describe an event by listing a disaster level. In this example, we'll list them as level I, level II, and level III disasters, although the title may be different based upon the organization. The descriptions and responses for each disaster level are completely arbitrary and may be assigned or determined by the individual organization. Each disaster level triggers a measured and preplanned response by the organization. Note that the level classification indicates the response to the disaster event, not a description of the cause, which is of secondary concern.
Various items and components of the IT infrastructure require different strategies. For instance, should a disaster event occur, there is a significant difference between restoring a server with previously backed-up information and totally replacing server racks and damaged cables and restoring communication equipment. The recovery strategy should include plans and procedures for the restoration or replacement of various components of the IT infrastructure. These plans should include the following sections:
Each section should indicate the job title of the individuals responsible for the management and completion of the activity. It may also detail suppliers, service providers, contractors, partners, and other individuals and entities that may be utilized or contracted to perform a role in the recovery efforts.
A recovery plan may be organized by operational section. For example, different individuals may have responsibilities, and each section may feature different priorities, timelines, suppliers, and requirements. The following operational sections might be included in a recovery plan for an IT department:
Figure 4.6 illustrates a graphical technique of prioritizing disaster response by analyzing the impact to the business if a catastrophic event should occur. Obviously, plans to restore high-impact, high-probability processes take precedence over low-impact, low-probability processes. This type of planning chart will easily illustrate restoration priorities. Business processes that are very important to the business would be placed in the upper-right quadrant, indicating that the continuity of these processes has high significance to the continued operation of the business.
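The recovery metrics defined earlier (MTD, RPO, RTO), the quantitative impact figure from the warehouse example, and the impact-versus-probability chart just described, worked together as an added example that is not from the book. The process names, scores, and hours are constructed; the 1 to 5 scales, the threshold of 3, and the ordering of the two mixed quadrants are assumptions made here.

```python
"""Recovery metrics and restoration priority for a business impact analysis.

Added example, not from the book: process names, scores and hours are
constructed. It applies the MTD/RPO/RTO definitions and the impact-versus-
probability chart described in the text; the 1-5 scales, the threshold of 3
and the order of the two mixed quadrants are assumptions made here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    name: str
    impact: int                    # 1 (low) .. 5 (high): harm if the process stops
    probability: int               # 1 (low) .. 5 (high): likelihood of disruption
    mtd_hours: float               # maximum tolerable downtime
    rpo_hours: float               # recovery point objective (acceptable data loss)
    rto_hours: float               # recovery time objective (planned restore time)
    backup_interval_hours: float   # how often backups are actually taken


# Quadrants of the planning chart, in restoration order (assumed ranking of
# the two mixed quadrants; the text only fixes the first and last).
QUADRANT_RANK = {
    "high-impact/high-probability": 0,
    "high-impact/low-probability": 1,
    "low-impact/high-probability": 2,
    "low-impact/low-probability": 3,
}


def quadrant(p: Process, threshold: int = 3) -> str:
    """Place a process on the chart by comparing both scores to a threshold."""
    impact = "high" if p.impact >= threshold else "low"
    prob = "high" if p.probability >= threshold else "low"
    return f"{impact}-impact/{prob}-probability"


def quantitative_loss(daily_revenue: float, days_down: int, restoration_cost: float) -> float:
    """Quantitative BIA figure: lost revenue over the outage plus repair cost."""
    return daily_revenue * days_down + restoration_cost


def planning_gaps(p: Process) -> list:
    """Flag objectives the current plan cannot meet for this process."""
    gaps = []
    # The business cannot outlast the outage if restoration takes longer than MTD.
    if p.rto_hours > p.mtd_hours:
        gaps.append(f"RTO {p.rto_hours:g}h exceeds MTD {p.mtd_hours:g}h")
    # Worst case, the disaster strikes just before the next backup, so the data
    # lost equals the backup interval; that interval must not exceed the RPO.
    if p.backup_interval_hours > p.rpo_hours:
        gaps.append(f"backup interval {p.backup_interval_hours:g}h exceeds RPO {p.rpo_hours:g}h")
    return gaps


def restoration_order(processes) -> list:
    """Names in restore order: by quadrant, then higher impact, then shorter MTD."""
    ranked = sorted(processes,
                    key=lambda p: (QUADRANT_RANK[quadrant(p)], -p.impact, p.mtd_hours))
    return [p.name for p in ranked]


def gap_report(processes) -> dict:
    """Only the processes whose plan falls short, with the reasons."""
    return {p.name: planning_gaps(p) for p in processes if planning_gaps(p)}


# Constructed sample inventory from a fictional BIA.
PROCESSES = [
    Process("order-entry", 5, 4, mtd_hours=8, rpo_hours=1, rto_hours=4, backup_interval_hours=0.5),
    Process("customer-service", 4, 3, mtd_hours=24, rpo_hours=4, rto_hours=36, backup_interval_hours=2),
    Process("payroll", 3, 1, mtd_hours=72, rpo_hours=24, rto_hours=12, backup_interval_hours=48),
    Process("intranet-wiki", 1, 4, mtd_hours=168, rpo_hours=24, rto_hours=24, backup_interval_hours=24),
    Process("cafeteria-menu", 1, 1, mtd_hours=720, rpo_hours=168, rto_hours=48, backup_interval_hours=168),
]
```

For the warehouse figures in the text, quantitative_loss(70_000, 5, 500_000) reproduces the $850,000 total ($350,000 lost shipping revenue plus $500,000 restoration).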
Continuity plans and disaster plans require testing. Testing is the method of identifying weaknesses, reviewing assignments, and updating plan information. It also verifies that the plan meets the organization's needs and requirements and that all individuals responsible for action items are knowledgeable and competent regarding their responsibilities. The primary goals of testing include the following activities:
Various methods may be used to test the plans with varying degrees of risk to the organization and commitment of time and resources:
At that time, the continuity plan leader announces the type of emergency, such as a fire and evacuation of part of the building with an outage of all network operations and communication within that area. The leader may then declare the potential impact of the event. For instance, nationwide customer service is completely interrupted for the next 20 hours. Since the current work location is no longer available, the team leader designates the location that will be used as an alternate site for the coordination of all activities. All responsible participants will relocate all of their available resources to the newly assigned location. If they are responsible for other individuals, they have to locate these people and deliver them to a predefined location.
The simulation test is a very accurate training tool because, invariably, people will forget things, not have transportation, not have backups available, or find that communication is inadequate. The simulation test is typically conducted once a year in many organizations due to the fact that it may interrupt or disrupt business activities during the testing period.
With proper succession planning, backup personnel are available in the event that key personnel are lost or unavailable. Backup personnel may be required to fill key business leadership positions in the company or IT department. Succession planning increases the availability of experienced and capable employees who are prepared to assume these roles if they are required.
Succession planning is key within an IT department. It begins with the process of hiring competent, well-rounded personnel. They should then be cross-trained in many different disciplines. Specifically for disaster planning, the disaster plan should clearly list, by job title, the succession to the top decision-making role during a disaster. This is simply accomplished in some organizations by a “call list” that includes the individuals who should be notified of an event or situation. The point is, in a disaster scenario, a clear leader and decision-maker must be designated. In the event the primary person is not available, the authority should immediately pass to a backup person.
In planning for succession, individuals should be cross-trained in disaster preparedness and information should be shared among both the primary and backup persons who are responsible to take action. Plans including procedures, documentation, policies, and other documents should be identified and shared.
Business continuity plans require the listing of alternate plans for the continuation of IT operations should a disaster occur. Of course, in some level I disasters, as previously described, IT operations may continue in the same location. A level III disaster may mean that a location is no longer suitable or available for continued IT operations and therefore a decision must be made to relocate, on a temporary basis, to an alternate site or facility. It is important during the creation of business continuity plans to carefully consider and preplan alternate sites. These alternate sites should be arranged for and contracted in anticipation of any need arising.
A variety of site selections and alternative methods are available for the continuity of business operations:
Several scenarios should be envisioned when planning for alternate sites or the relocation of operations. The planning assumption should be that a disaster affecting a geographic region may unfold in any of several ways, and the alternate-site strategy must work under each of them.
The Systems Security Certified Practitioner (SSCP) must be familiar with the organization's policies, standards, procedures, and guidelines to ensure adequate information availability, integrity, and confidentiality.
In this chapter you learned that security administration defines the roles and responsibilities of practitioners within the organization who must carry out various tasks according to established policy and directives. Practitioners may be involved with change control, configuration management, security awareness training, and the monitoring of systems and devices. The application of generally accepted industry best practices is the responsibility of the IT administrators and security practitioners. Key administration duties may include configuration, logging, monitoring, and upgrading and updating products as well as providing end-user support.
We discussed the importance of policies within an organization. Without policies and the resulting procedures and guidelines, there would be a complete lack of corporate governance with respect to IT security. Security policies are the foundation upon which the organization can rely for guidance. Included with these policies is the concept of continuity of operations. Continuity of operations includes all actions required to continue operations after a disaster. A policy of disaster preparedness and a disaster recovery policy provide the steps and required information to restore operations.
The configuration and management of various systems and network products may be the responsibility of the security practitioner. This chapter covered patching and upgrading systems. We also looked at the version numbering methodology used to identify various versions of software, firmware, and hardware and discussed release management and the responsibilities involved in the distribution of software changes throughout the organization.
Data classification policies and the responsibilities of the security practitioner were discussed. The practitioner may be involved in both the classification process and the declassification process with regard to data management policies.
The security practitioner may be involved in conducting or facilitating security awareness training courses or sessions. During the sessions, malware, social media, passwords, and the implications of lost devices can be discussed. Different groups of individuals that require training were identified.
Business continuity and disaster recovery plans are important programs to initiate within an organization. The security practitioner may be involved in originating or maintaining such plans and will definitely be involved if the plan needs to be exercised. A business impact analysis is key to the origination of a business continuity plan. Plans should be tested by a variety of methods to ensure that individuals are aware of their responsibilities and that all of the details of the plans have been considered.
You can find the answers in Appendix A.
You can find the answers in Appendix B.
A. The elimination of risk
B. The total reduction of malware
C. The AIC objectives
D. Separation of duties
A. DDOS
B. Risk
C. A hurricane
D. Power supply brownout
A. It describes the requirement for shareholder satisfaction
B. Lists potential risk targets within the organization
C. Makes extensive use of baselines and guidelines
D. Completely aligns with the mission, objectives, culture, and nature of the business
A. Numerous franchises in a geographical area
B. The airline industry
C. HIPAA patient privacy requirements for healthcare providers
D. Third-party companies and their networks share customer data based upon a single sign-on to a primary organization
A. A padlock on a gate
B. A chain on the hotel room door
C. A red bucket of sand with the word "Fire"
D. An insurance policy
A. An enforcement provision
B. Scope and statements from stakeholders
C. Senior executive endorsement
D. Controls and procedures statement
A. That the organization assets may not be used on weekends
B. That USB drives may not be used
C. The acceptable and unacceptable uses for organizational resources
D. That users may not visit shopping sites during work
A. Administrative
B. Corrective
C. Detective
D. Compensating
A. A copyright notice
B. An enforcement statement
C. A statement from the author
D. A preamble of rights
A. Baselines
B. Standards
C. Procedures
D. Policy Requirements Document (PRD)
A. Intranet announcement
B. Handouts
C. Instagram announcement
D. Phone e-mailed blast
A. Act honorably
B. Ensure the safety of society
C. Meet all CEU requirements for this certification
D. Provide competent and diligent service
A. A piece of software intended to update an application
B. A piece of software written by user group intended to fix a problem
C. A piece of software intended to inform users of a software vulnerability
D. An executable program that loads a number of fixes and system upgrades
A. As they are received from the manufacturer
B. In a sandbox
C. In a production environment
D. In a simulator
A. Unclassified, sensitive but unclassified, secret, and top secret
B. Unclassified, business casual, confidential
C. Public, company confidential, company secret
D. Public, sensitive but unclassified, confidential, secret, and top secret
A. Data Tag
B. Mandatory Access Control label
C. Access point
D. Classification
A. Router
B. Computer printer
C. Switch
D. HIDS
A. The recovery downtime objective
B. The restoration of accounting data into databases
C. Recovery point objective
D. The maximum tolerable off-line time
A. Makes use of probability analysis
B. Uses the Business Information Plan to determine procedures
C. Documents procedures to restore equipment and facilities to the condition they were in prior to the disaster
D. Specifies time required to restore data with different backup schemes
A. The amount of time a business process may be off-line before the viability of the organization is in severe jeopardy
B. The point at which data recovery should begin
C. The amount of time between RPO and RTO
D. The time required to restore data from a backup