· Your initial post should be at least 500 words, formatted and cited in current APA style with support from at least 2 academic sources. Your initial post is worth 8 points.
· You should respond to at least two of your peers by extending, refuting/correcting, or adding additional nuance to their posts. Your reply posts are worth 2 points (1 point per response).
· All replies must be constructive and use literature where possible.
#1
Lisa Wright
St. Thomas University
NUR 417: Aging and End of Life
Yedelis Diaz
November 01, 2022
Pathological Conditions in Older Adults
As one goes through the natural aging process, the body's capacity to defend itself against infections diminishes. The immune system's ability to offer protection is reduced, and the individual becomes susceptible to conditions that affect them more than other age groups (Haynes, 2020). This population also experiences other symptoms impairing other aspects of their lives as time passes. For instance, their skin and bones lose their integrity and become more prone to abrasions and breakage. This assignment module will examine the pathological conditions that affect the sexual response in older adults and how and why nutritional and psychological factors, drugs, and other alternative and complementary medications affect the immune system of the populations.
Pathological Conditions that Affect Sexual Response in Older Adults
Sexuality is an essential aspect of life, irrespective of the age group one is in—the older population and the younger generation alike need to explore sexuality to maintain health and well-being. Exploring sexuality is also a mixture of biological, psychological, social, and religious factors, all of which have plenty to do with aging. The pathological conditions that affect sexual response in the elderly include the following.

Genitourinary Syndrome of Menopause
These are the changes experienced in the genitourinary pathway as one ages. The individual can feel a burning sensation, dryness, or irritation. This can lead to painful sexual encounters, which can, in turn, reduce their desire to engage and their response.

Dementia
This is a degenerative disorder of the mental faculties, predominantly among the elderly (National Institute on Aging, n.d.). Their judgment diminishes, making them disinterested or utterly unaware of their sexual experiences. Some forms of the condition have been shown to increase sex or closeness, but the individual may fail to recognize what is appropriate and what is not.

Diabetes
As a chronic condition experienced mainly by this population, it can lead to yeast generation, leading to itchiness around the sex organs, making sex unpalatable. The situation can, however, be addressed with medication.

Incontinence
This is a condition where one experiences bladder leakage caused by poor control (National Institute on Aging, n.d.). It is most prevalent among the population and can lead to diminished sex drive. It can, however, also be addressed with medication.
Nutrition, Psychological Factors, Drugs, and Complementary and Alternative Medications' Influence on the Immune System
As the population ages, some aspects they go through include isolation and loneliness brought on by not belonging to the younger age groups. They also become more dependent on their loved ones or caregivers for food, healthcare services, and other needs. When this care is not meticulously monitored, the individual can deteriorate even further, making them frailer and generally unhealthy. Proper nutrition through food is the primary source of life, which can significantly increase their immune system's capacity to defend their health. Food from fruits like oranges that are rich in vitamin C is essential to the immune system (Childs et al., 2019). Vegetables, proteins, and fiber-rich food have been shown to stimulate an individual's immune cells.

Medical and alternative interventions also have plenty of upsides for an individual in their old age. From medication that helps with loss of appetite to multivitamins, the individual's immune system can be better boosted to protect the system. A key aspect of medical interventions is fighting off infections and bacteria and diminishing their capacity to multiply. This, in turn, helps the immune system fend for itself with ease and keep the elderly safe. Vaccines also work splendidly, especially for the elderly, ensuring they are better equipped to fight off an infection they would otherwise struggle to fend off. Psychological intervention for the elderly has also been effective in bolstering the immune system (Abdurachman & Herawati, 2018). Maintaining a balance in one's psychological well-being was proven to have immune impacts for an individual that, in turn, helps them better depend on their health.
Conclusion
Age brings with it a host of issues that decrease the body's functionalities that once were. From decreased cognitive capacity through conditions like dementia to diminished sex drive, age can feel like one's body is turning on them. It is thus all the more imperative to observe one's health throughout one's life, especially at this stage, to ensure that one is strong and can lead a relatively full life even at that age. One needs to observe all aspects of their health, from physical to psychological, as coordination of all these aspects is critical to overall well-being, especially as one ages. This assignment module investigated the pathological conditions that affect the sexual response in older adults and how and why nutritional and psychological factors, drugs, and other alternative and complementary medications affect the immune system of the populations.
References
Abdurachman, & Herawati, N. (2018). The role of psychological well-being in boosting immune response: An optimal effort for tackling infection. African Journal of Infectious Diseases, 12(1 Suppl), 54. https://doi.org/10.2101/AJID.12V1S.7
Childs, C. E., Calder, P. C., & Miles, E. A. (2019). Diet and immune function. Nutrients, 11(8). https://doi.org/10.3390/NU11081933
Haynes, L. (2020). Aging of the immune system: Research challenges to enhance the health span of older adults. Frontiers in Aging, 0, 2. https://doi.org/10.3389/FRAGI.2020.602108
National Institute on Aging. (n.d.). Sexuality and intimacy in older adults. https://www.nia.nih.gov/health/sexuality-and-intimacy-older-adults
#2
Jessica Rincon
St. Thomas University
NUR 417 AP2
Prof. Yedelis Diaz
11/1/2022
Effects of Pathological Conditions
Erens et al. (2019) posit that sexual expression contributes to health and well-being, promotes self-esteem, and maintains relationships, making it important throughout the life course. However, society continues to witness an age-related decrease in sexual satisfaction and activity, leading to the conclusion that sexual expression changes with an increase in age. According to Lecture Notes (Slide 2), nurses are responsible for assessing disabling drugs and medical conditions, as well as age-related changes affecting older adults' sexual lives, and for intervening at an early point. The effectiveness of the interventions depends on an understanding of the contributing factors. On the contrary, most nurses share in society's prejudice and negative attitudes toward the asexuality of older adults, which is a barrier to the effectiveness of the interventions they provide (Lecture Notes, Slide 5). Hence, there is a need for nurses to be aware of and understand the importance of sexuality among older adults.

Pathological factors are the primary contributors to decreased sexual activity and satisfaction among older adults. They include dementia, malignancies, and human immunodeficiency virus (Lecture Notes, Slide 8). Dementia affects sexuality by causing changes in cognition and judgment. Malignancies include colon, prostate, and breast cancer, whose toll on the health and well-being of older adults causes sexual inhibition or a decrease in sexuality. Lastly, there is HIV, which affects about 45% of the older adult population above 55 years (Lecture Notes, Slide 8). Since it is mostly diagnosed late, older adults progress quickly, thereby reducing their interests and chances of engaging in sexual activity. Hence, nurses who serve this population must be vigilant in assessing these pathological conditions and providing appropriate interventions to enhance their sexuality, which, in turn, will improve their health outcomes.
On the other hand, nutritional factors, psychological factors, drugs, and alternative and complementary medications affect the immune systems of older adults by attacking their innate response mechanisms that act as the first line of defense against pathogens. Akha (2018) states that this outcome manifests in the prevalence of constitutive low-grade inflammation and autoimmunity, diminished response to vaccination, and decreased ability to fight infection. For instance, nutritional factors, such as malnutrition, could expose older adults to sarcopenia, which refers to a decline in skeletal muscle as a result of insufficient dietary protein, neuromuscular changes, reduced levels of testosterone and growth hormone, disuse of muscles, and physical inactivity (Lecture Notes, Slide 7).

Drugs, as well as complementary and alternative medications, also affect the immune system of older adults immensely. Akha (2018) provides an example of chemotherapeutic drugs used to treat patients with cancer. The impact of such medications has led to the development of evaluation criteria referred to as immune-related response criteria (irCR). The evaluation criteria reveal the expansion of immune-related adverse effects of chemotherapeutic drugs, such as autoimmunity and immunotoxicity (Akha, 2018). The adverse effects of chemotherapeutic drugs are mediated by age-related immune system changes and comorbidities, which significantly lower the ability of the immune system to defend against other pathogens.

In other words, nutritional, psychological, and medication-related factors affect the immune system of older adults by cumulatively attacking its response criteria. The occurrence of these factors at the same time, which is common among older adults, compromises the immune system and its ability to fight illnesses. The result is more comorbidities that increase hospital visits by the population. Nurses must be aware of the interplay between these factors and offer effective interventions to provide better care.
References
Akha, A. A. S. (2018). Aging and the immune system: An overview. Journal of Immunological Methods, 463, 21-26.
Erens, B., Mitchell, K. R., Gibson, L., Datta, J., Lewis, R., Field, N., & Wellings, K. (2019). Health status, sexual activity and satisfaction among older people in Britain: A mixed methods study. PLoS ONE, 14(3), e0213835.
Lecture Notes. (n.d.). Chapter 12: Sexuality and Aging.
Lecture Notes. (n.d.). Chapter 9: Nutrition.
Chapter 3
BaseTech / Principles of Computer Security, Fourth Edition / Conklin / 597-0 / Chapter 3

Operational and Organizational Security

"We will bankrupt ourselves in the vain search for absolute security."
—Dwight David Eisenhower

Organizations achieve operational security through policies and procedures that guide users' interactions with data and data processing systems. Developing and aligning these efforts with the goals of the business is a crucial part of developing a successful security program. One method of ensuring coverage is to align efforts with the operational security model described in the last chapter. This breaks efforts into groups: prevention, detection, and response elements.

Prevention technologies are designed to keep individuals from being able to gain access to systems or data they are not authorized to use. Originally, this was the sole approach to security. Eventually we learned that in an operational environment, prevention is extremely difficult and relying on prevention technologies alone is not sufficient. This led to the rise of technologies to detect and respond to events that occur when prevention fails. Together, the prevention technologies and the detection and response technologies form the operational model for computer security.

In this chapter, you will learn how to
■ Identify various operational aspects to security in your organization
■ Identify various policies and procedures in your organization
■ Identify the security awareness and training needs of an organization
■ Understand the different types of agreements employed in negotiating security requirements
■ Describe the physical security components that can protect your computers and network
■ Identify environmental factors that can affect security
■ Identify factors that affect the security of the growing number of wireless technologies used for data transmission
■ Prevent disclosure through electronic emanations
■ Policies, Procedures, Standards, and Guidelines
An important part of any organization's approach to implementing security is the set of policies, procedures, standards, and guidelines that are established to detail what users and administrators should be doing to maintain the security of the systems and network. Collectively, these documents provide the guidance needed to determine how security will be implemented in the organization. Given this guidance, the specific technology and security mechanisms required can be planned for.

Policies are high-level, broad statements of what the organization wants to accomplish. They are made by management when laying out the organization's position on some issue. Procedures are the step-by-step instructions on how to implement policies in the organization. They describe exactly how employees are expected to act in a given situation or to accomplish a specific task. Standards are mandatory elements regarding the implementation of a policy. They are accepted specifications that provide specific details on how a policy is to be enforced. Some standards are externally driven. Regulations for banking and financial institutions, for example, require certain security measures be taken by law. Other standards may be set by the organization to meet its own security goals. Guidelines are recommendations relating to a policy. The key term in this case is recommendations—guidelines are not mandatory steps.

Just as the network itself constantly changes, the policies, procedures, standards, and guidelines should be included in living documents that are periodically evaluated and changed as necessary. The constant monitoring of the network and the periodic review of the relevant documents are part of the process that is the operational model. When applied to policies, this process results in what is known as the policy lifecycle. This operational process and policy lifecycle roughly consist of four steps in relation to your security policies and solutions:
1. Plan (adjust) for security in your organization.
2. Implement the plans.
3. Monitor the implementation.
4. Evaluate the effectiveness.
In the first step, you develop the policies, procedures, and guidelines that will be implemented and design the security components that will protect your network. There are a variety of governing instruments, from standards to compliance rules, that will provide boundaries for these documents. Once these documents are designed and developed, you can implement the plans. Part of the implementation of any policy, procedure, or guideline is an instruction period during which those who will be affected by the change or introduction of this new document learn about its contents. Next, you monitor to ensure that both the hardware and the software as well as the policies, procedures, and guidelines are effective in securing your systems. Finally, you evaluate the effectiveness of the security measures you have in place. This step may include a vulnerability assessment (an attempt to identify and prioritize the list of vulnerabilities within a system or network) and a penetration test (a method to check the security of a system by simulating an attack by a malicious individual) of your system to ensure the security is adequate. After evaluating your security posture, you begin again with step one, this time adjusting the security mechanisms you have in place, and then continue with this cyclical process.

These documents guide how security will be implemented in the organization:
Policies: High-level, broad statements of what the organization wants to accomplish
Procedures: Step-by-step instructions on how to implement the policies
Standards: Mandatory elements regarding the implementation of a policy
Guidelines: Recommendations relating to a policy
Regarding security, every organization should have several common policies in place (in addition to those already discussed relative to access control methods). These include, but are not limited to, security policies regarding change management, classification of information, acceptable use, due care and due diligence, due process, need to know, disposal and destruction of data, service level agreements, human resources issues, codes of ethics, and policies governing incident response.
Security Policies
In keeping with the high-level nature of policies, the security policy is a high-level statement produced by senior management that outlines both what security means to the organization and the organization's goals for security. The main security policy can then be broken down into additional policies that cover specific topics. Statements such as "this organization will exercise the principle of least access in its handling of client information" would be an example of a security policy. The security policy can also describe how security is to be handled from an organizational point of view (such as describing which office and corporate officer or manager oversees the organization's security program).

In addition to policies related to access control, the organization's security policy should include the specific policies described in the next sections. All policies should be reviewed on a regular basis and updated as needed. Generally, policies should be updated less frequently than the procedures that implement them, since the high-level goals will not change as often as the environment in which they must be implemented. All policies should be reviewed by the organization's legal counsel, and a plan should be outlined that describes how the organization will ensure that employees will be made aware of the policies. Policies can also be made stronger by including references to the authority who made the policy (whether this policy comes from the CEO or is a department-level policy, for example) and references to any laws or regulations that are applicable to the specific policy and environment.
Change Management Policy
The purpose of change management is to ensure proper procedures are followed when modifications to the IT infrastructure are made. These modifications can be prompted by a number of different events, including new legislation, updated versions of software or hardware, implementation of new software or hardware, or improvements to the infrastructure. The term "management" implies that this process should be controlled in some systematic way, and that is indeed the purpose. Changes to the infrastructure might have a detrimental impact on operations. New versions of operating systems or application software might be incompatible with other software or hardware the organization is using. Without a process to manage the change, an organization might suddenly find itself unable to conduct business. A change management process should include various stages, including a method to request a change to the infrastructure, a review and approval process for the request, an examination of the consequences of the change, resolution (or mitigation) of any detrimental effects the change might incur, implementation of the change, and documentation of the process as it related to the change.
Data Policies
System integration with third parties frequently involves the sharing of data. Data can be shared for the purpose of processing or storage. Control over data is a significant issue in third-party relationships. There are numerous questions that need to be addressed. The question of who owns the data, both the data shared with third parties and subsequent data developed as part of the relationship, is an issue that needs to be established.

Data Ownership
Data requires a data owner. Data ownership roles for all data elements need to be defined in the business. Data ownership is a business function, where the requirements for security, privacy, retention, and other business functions must be established. Not all data requires the same handling restrictions, but all data requires these characteristics to be defined. This is the responsibility of the data owner.

Unauthorized Data Sharing
Unauthorized data sharing can be a significant issue, and in today's world, data has value and is frequently used for secondary purposes. Ensuring that all parties in the relationship understand the data-sharing requirements is an important prerequisite. Equally important is ensuring that all parties understand the security requirements of shared data.

Data Backups
Data ownership requirements include backup responsibilities. Data backup requirements include determining the level of backup, restore objectives, and level of protection requirements. These can be defined by the data owner and then executed by operational IT personnel. Determining the backup responsibilities and developing the necessary operational procedures to ensure that adequate backups occur are important security elements.
Classification of Information
A key component of IT security is the protection of the information processed and stored on the computer systems and network. Organizations deal with many different types of information, and they need to recognize that not all information is of equal importance or sensitivity. This requires classification of information into various categories, each with its own requirements for its handling. Factors that affect the classification of specific information include its value to the organization (what will be the impact to the organization if it loses this information?), its age, and laws or regulations that govern its protection. The most widely known system of classification of information is that implemented by the U.S. government (including the military), which classifies information into categories such as Confidential, Secret, and Top Secret. Businesses have similar desires to protect information and often use categories such as Publicly Releasable, Proprietary, Company Confidential, and For Internal Use Only. Each policy for the classification of information should describe how it should be protected, who may have access to it, who has the authority to release it and how, and how it should be destroyed. All employees of the organization should be trained in the procedures for handling the information that they are authorized to access. Discretionary and mandatory access control techniques use classifications as a method to identify who may have access to what resources.
Data Labeling, Handling, and Disposal
Effective data classification programs include data labeling, which enables personnel working with the data to know whether it is sensitive and to understand the levels of protection required. When the data is inside an information-processing system, the protections should be designed into the system. But when the data leaves this cocoon of protection, whether by printing, downloading, or copying, it becomes necessary to ensure continued protection by other means. This is where data labeling assists users in fulfilling their responsibilities. Training to ensure that labeling occurs and that it is used and followed is important for users whose roles can be impacted by this material.

Training plays an important role in ensuring proper data handling and disposal. Personnel are intimately involved in several specific tasks associated with data handling and data destruction/disposal and, if properly trained, can act as a security control. Untrained or inadequately trained personnel will not be a productive security control and, in fact, can be a source of potential compromise.
Need to Know
Another common security principle is that of need to know, which goes hand-in-hand with least privilege. The guiding factor here is that each individual in the organization is supplied with only the absolute minimum amount of information and privileges he or she needs to perform their work tasks. To obtain access to any piece of information, the individual must have a justified need to know. A policy spelling out these two principles as guiding philosophies for the organization should be created. The policy should also address who in the organization can grant access to information and who can assign privileges to employees.
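The classification levels from the Classification of Information section and the need-to-know principle described here combine into a single access decision in a mandatory access control system. The following is an added example, not code from the textbook or from any real product; the numeric ordering of levels, the "Unclassified" level, the compartment names, the users and the object labels are all constructed for the demonstration.

```python
from dataclasses import dataclass, field

# Ordered classification levels, lowest to highest. Confidential, Secret and
# Top Secret are the U.S. government categories the chapter names; the
# "Unclassified" floor and the numeric ranks are assumptions for this example.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    """A security label: a classification level plus need-to-know compartments."""
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def __post_init__(self):
        if self.level not in LEVELS:
            raise ValueError(f"unknown classification level: {self.level!r}")


@dataclass(frozen=True)
class Subject:
    """A person or process and the clearance label it has been granted."""
    name: str
    clearance: Label


def dominates(subject_label: Label, object_label: Label) -> bool:
    """Lattice dominance: level at least as high AND every compartment held.
    The compartment test is the need-to-know half of the decision."""
    level_ok = LEVELS[subject_label.level] >= LEVELS[object_label.level]
    compartments_ok = object_label.compartments <= subject_label.compartments
    return level_ok and compartments_ok


def decide_read(subject: Subject, object_label: Label) -> tuple[bool, str]:
    """Access decision for a read request plus a reason string for the audit log.

    The two controls are checked separately so the log shows which one fired:
    a classification mismatch (no read-up) or a missing need-to-know compartment.
    A Top Secret clearance alone is not enough to read a compartmented object."""
    if LEVELS[subject.clearance.level] < LEVELS[object_label.level]:
        return False, (f"deny: {subject.name} is cleared {subject.clearance.level}, "
                       f"object is {object_label.level}")
    missing = object_label.compartments - subject.clearance.compartments
    if missing:
        return False, f"deny: {subject.name} lacks need-to-know for {sorted(missing)}"
    return True, f"allow: {subject.name} may read {object_label.level} object"


def filter_readable(subject: Subject, objects: dict[str, Label]) -> list[str]:
    """The 'absolute minimum' view: names of the objects this subject may read."""
    return sorted(name for name, lbl in objects.items()
                  if dominates(subject.clearance, lbl))


# Constructed sample data for the demonstration.
OBJECTS = {
    "quarterly-forecast": Label("Confidential"),
    "merger-plan": Label("Secret", frozenset({"MERGER"})),
    "source-list": Label("Top Secret", frozenset({"HUMINT"})),
    "press-release": Label("Unclassified"),
}
ANALYST = Subject("analyst", Label("Top Secret", frozenset({"MERGER"})))
CLERK = Subject("clerk", Label("Confidential"))

if __name__ == "__main__":
    for who in (ANALYST, CLERK):
        for name, lbl in OBJECTS.items():
            ok, why = decide_read(who, lbl)
            print(f"{name:20} {why}")
```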
Disposal and Destruction Policy
Many potential intruders have learned the value of dumpster diving. An organization must be concerned about not only paper trash and discarded objects, but also the information stored on discarded objects such as computers. Several government organizations have been embarrassed when old computers sold to salvagers proved to contain sensitive documents on their hard drives. It is critical for every organization to have a strong disposal and destruction policy and related procedures.

Tech Tip
Data Classification
Information classification categories you should be aware of for the CompTIA Security+ exam include: High, Medium, Low, Confidential, Private, and Public.

Important papers should be shredded, and important in this case means anything that might be useful to a potential intruder. It is amazing what intruders can do with what appear to be innocent pieces of information.

Before magnetic storage media (such as disks or tapes) is discarded in the trash or sold for salvage, it should have all files deleted, and should be overwritten at least three times with all 1's, all 0's, and then random characters. Commercial products are available to destroy files using this process. It is not sufficient simply to delete all files and leave it at that, since the deletion process affects only the pointers to where the files are stored and doesn't actually get rid of all the bits in the file. This is why it is possible to "undelete" files and recover them after they have been deleted.

A safer method for destroying files from a storage device is to destroy the data magnetically, using a strong magnetic field to degauss the media. This effectively destroys all data on the media. Several commercial degaussers are available for this purpose. Another method that can be used on hard drives is to use a file on them (the sort of file you'd find in a hardware store) and actually file off the magnetic material from the surface of the platter. Shredding floppy media is normally sufficient, but simply cutting a floppy disk into a few pieces is not enough—data has been successfully recovered from floppies that were cut into only a couple of pieces. CDs and DVDs also need to be disposed of appropriately. Many paper shredders now have the ability to shred these forms of storage media. In some highly secure environments, the only acceptable method of disposing of hard drives and other storage devices is the actual physical destruction of the devices. Matching the security action to the level of risk is important to recognize in this instance. Destroying hard drives that do not have sensitive information is wasteful; proper file scrubbing is probably appropriate. For drives with ultra-sensitive information, physical destruction makes sense. There is no single answer, but as in most things associated with information security, the best practice is to match the action to the level of risk.
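The three-pass overwrite (all 1's, all 0's, then random) and the pointer-only nature of deletion described above, as an added example that is not code from the textbook or from any commercial scrubbing product. The file overwrite assumes a filesystem that writes in place (the docstring notes where that assumption fails); the toy allocation table, the file names and the sample records are constructed for the demonstration.

```python
import os
import secrets
import tempfile

CHUNK = 64 * 1024
# Pattern sequence from the chapter: all 1s, then all 0s, then random bytes.
DEFAULT_PASSES = (b"\xff", b"\x00", None)


def overwrite_in_place(path: str, passes=DEFAULT_PASSES) -> int:
    """Overwrite every byte of the file at `path` once per pass, forcing the
    data to disk after each. A pass value of None means fresh random bytes.
    Returns the number of passes completed.

    Caveat (assumption of this example): only the blocks the file currently
    occupies are reached. Journaling and copy-on-write filesystems, snapshots
    and wear-levelled flash (SSDs) may keep older copies, so for such media
    whole-device sanitization or physical destruction is the right control,
    matching the action to the level of risk as the chapter advises."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for pattern in passes:
            fh.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                fh.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
    return len(passes)


def still_contains(path: str, sample: bytes) -> bool:
    """Verification read: is a sample of the original content still on disk?"""
    with open(path, "rb") as fh:
        return sample in fh.read()


def scrub_file(path: str, sample: bytes) -> bool:
    """Overwrite, verify the sample is gone, then unlink. False means the
    verification failed and the file is deliberately left for inspection."""
    overwrite_in_place(path)
    if still_contains(path, sample):
        return False
    os.remove(path)
    return True


def demo_file_scrub() -> bool:
    """Create a throwaway file holding a constructed record, scrub it, report."""
    sample = b"constructed-sensitive-record-0001\n" * 100
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(sample)
    return scrub_file(path, sample[:32]) and not os.path.exists(path)


class ToyDisk:
    """A flat byte array plus a directory of name -> (offset, length).
    'Deleting' only drops the directory entry, the pointer-only behaviour the
    chapter describes; the bytes stay until something overwrites them."""

    def __init__(self, size: int = 4096):
        self.blocks = bytearray(size)
        self.directory = {}
        self._next = 0

    def write_file(self, name: str, data: bytes) -> None:
        off = self._next
        self.blocks[off:off + len(data)] = data
        self.directory[name] = (off, len(data))
        self._next += len(data)

    def delete(self, name: str) -> None:
        """Delete as a simple filesystem does: forget the pointer only."""
        del self.directory[name]

    def wipe(self, name: str) -> None:
        """Overwrite the file's extent with the three patterns, then drop the entry."""
        off, ln = self.directory[name]
        for pattern in DEFAULT_PASSES:
            self.blocks[off:off + ln] = (secrets.token_bytes(ln) if pattern is None
                                         else pattern * ln)
        del self.directory[name]

    def carve(self, needle: bytes) -> bool:
        """What an undelete tool does: scan the raw blocks, ignoring the directory."""
        return needle in self.blocks


if __name__ == "__main__":
    deleted = ToyDisk()
    deleted.write_file("salary.csv", b"alice,120000\nbob,95000\n")
    deleted.delete("salary.csv")
    print("recoverable after delete:", deleted.carve(b"alice,120000"))
    wiped = ToyDisk()
    wiped.write_file("salary.csv", b"alice,120000\nbob,95000\n")
    wiped.wipe("salary.csv")
    print("recoverable after wipe:", wiped.carve(b"alice,120000"))
    print("file scrub verified:", demo_file_scrub())
```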
Human Resources Policies
It has been said that the weakest links in the security chain are the humans. Consequently, it is important for organizations to have policies in place relative to their employees. Policies that relate to the hiring of individuals are primarily important. The organization needs to make sure that it hires individuals who can be trusted with the organization's data and that of its clients. Once employees are hired, they should be kept from slipping into the category of "disgruntled employee." Finally, policies must be developed to address the inevitable point in the future when an employee leaves the organization—either on his or her own or with the "encouragement" of the organization itself. Security issues must be considered at each of these points.

Many organizations overlook the security implications that decisions by Human Resources may have. Human Resources personnel and security personnel should have a close working relationship. Decisions on the hiring and firing of personnel have direct security implications for the organization. As a result, procedures should be in place that specify which actions must be taken when an employee is hired, is terminated, or retires.

Code of Ethics
Numerous professional organizations have established codes of ethics for their members. Each of these describes the expected behavior of their members from a high-level standpoint. Organizations can adopt this idea as well. For organizations, a code of ethics can set the tone for how employees will be expected to act and to conduct business. The code should demand honesty from employees and require that they perform all activities in a professional manner. The code could also address principles of privacy and confidentiality and state how employees should treat client and organizational data. Conflicts of interest can often cause problems, so this could also be covered in the code of ethics.

By outlining a code of ethics, the organization can encourage an environment that is conducive to integrity and high ethical standards. For additional ideas on possible codes of ethics, check professional organizations such as the Institute for Electrical and Electronics Engineers (IEEE), the Association for Computing Machinery (ACM), or the Information Systems Security Association (ISSA).
Job Rotation
An interesting approach to enhance security that is gaining increasing attention is job rotation. Organizations often discuss the benefits of rotating individuals through various jobs in an organization's IT department. By rotating through jobs, individuals gain a better perspective on how the various parts of IT can enhance (or hinder) the business. Since security is often a misunderstood aspect of IT, rotating individuals through security positions can result in a much wider understanding throughout the organization about potential security problems. It also can have the side benefit of a company not having to rely on any one individual too heavily for security expertise. If all security tasks are the domain of one employee, and that individual leaves suddenly, security at the organization could suffer. On the other hand, if security tasks are understood by many different individuals, the loss of any one individual has less of an impact on the organization.
Employee Hiring and Promotions
It is becoming common for organizations to run background
checks on
prospective employees and to check the references prospective
employ-
ees supply. Frequently, organizations require drug testing,
check for any
past criminal activity, verify claimed educational credentials,
and confirm
reported work history. For highly sensitive environments,
special security
background investigations can also be required. Make sure that
your orga-
nization hires the most capable and trustworthy employees, and
that your
policies are designed to ensure this.
After an individual has been hired, your organization needs to minimize the risk that the employee will ignore company rules and affect security. Periodic reviews by supervisory personnel, additional drug checks, and monitoring of activity during work may all be considered by the organization. If the organization chooses to implement any of these reviews, this must be specified in the organization's policies, and prospective employees should be made aware of these policies before being hired. What an organization can do in terms of monitoring and requiring drug tests, for example, can be severely restricted if it is not spelled out in advance as a term of employment. New hires should be made aware of all pertinent policies, especially those applying to security, and should be asked to sign documents indicating that they have read and understood them.

Tech Tip: Hiring Hackers

Hiring a skilled hacker may make sense from a technical skills point of view, but an organization also has to consider the broader ethical and business consequences and associated risks. Is the hacker completely reformed or not? How much time is needed to determine this? The real question is not "Would you hire a hacker?" but rather "Can you fire a hacker once he has had access to your systems?" Trust is an important issue with employees who have system administrator access, and the long-term ramifications need to be considered.

Occasionally an employee's status will change within the company. If the change can be construed as a negative personnel action (such as a demotion), supervisors should be alerted to watch for changes in behavior that might indicate the employee is contemplating or conducting unauthorized activity. The employee is likely to be upset, and the organization needs to guard against the possibility that he acts on this to its detriment. In the case of a demotion, the individual may also lose certain privileges or access rights, and these changes should be made quickly to lessen the likelihood that the employee will destroy previously accessible data if he becomes disgruntled and decides to take revenge on the organization. If the employee is promoted, privileges may still change, but the change may not be as urgent, though it should still be made as quickly as possible. If the move is a lateral one, changes may also need to take place, and again they should be accomplished as quickly as possible. In every case the access the employee no longer needs should be removed rather than left in place alongside the new access; otherwise privileges accumulate with each move.

Tech Tip: Accounts of Former Employees

When conducting security assessments of organizations, security professionals frequently find active accounts for individuals who no longer work for the company. This is especially true for larger organizations, which may lack a clear process for the personnel office to communicate with the network administrators when an employee leaves. These old accounts are a weak point in the security perimeter of the organization and should be eliminated. A periodic reconciliation of the accounts in the directory against the HR roster is the usual way to find them.
Retirement, Separation, or Termination of an Employee

An employee leaving an organization can be either a positive or a negative action. Employees who are retiring by their own choice may announce their planned retirement weeks or even months in advance. Limiting their access to sensitive documents the moment they announce their intention may be the safest thing to do, but it might not be necessary. Each situation should be evaluated individually. If the situation is a forced retirement, the organization must determine the risk to its data if the employee becomes disgruntled as a result of the action. In this situation, the wisest choice might be to cut off the employee's access quickly and provide her with some additional vacation time. This might seem like an expensive proposition, but the danger to the company of having a disgruntled employee may justify it. Again, each case should be evaluated individually.

When an employee decides to leave a company, generally as a result of a new job offer, continued access to sensitive information should be carefully considered. If the employee is leaving as a result of hard feelings toward the company, it might be wise to quickly revoke her access privileges.

If the employee is leaving the organization because he is being terminated, you should assume that he is or will become disgruntled. While it may not seem the friendliest thing to do, an employee in this situation should immediately have his access privileges to sensitive information and facilities revoked.

Combinations, and any other shared secrets the employee knew (shared passwords, credentials for service accounts), should also be changed as soon as the employee has been informed of the termination. Access cards, keys, and badges should be collected; the employee should be escorted to her desk and watched as she packs personal belongings; and then she should be escorted from the building.
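Each of the personnel actions above (hire, demotion, lateral move, retirement, termination) has an account-side counterpart, and the tech tip on former employees' accounts describes what an assessor finds when that counterpart is skipped. The following is an added example, not code from the book, of the reconciliation an administrator can run to catch the gap: compare the HR roster against the account directory and list the account actions that are due, most urgent first. The role-to-group mapping, the 90-day dormancy threshold, the action names and the sample roster and directory records are all constructed for the example; a real run would pull the roster from HR and the accounts from the directory service.

```python
"""Joiner/mover/leaver reconciliation: HR roster vs. account directory.
Added example; the data, the role->group mapping and the thresholds are
constructed assumptions, not taken from any real organization."""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple

# Assumed access model: which directory groups each HR role is entitled to.
ROLE_GROUPS = {
    "sysadmin": frozenset({"staff", "vpn", "admins"}),
    "analyst": frozenset({"staff", "vpn"}),
    "intern": frozenset({"staff"}),
}
DORMANT_DAYS = 90  # assumed threshold for flagging an unused account

# Order in which actions are reported: most urgent first.
PRIORITY = {"disable": 0, "investigate": 1, "remove_groups": 2,
            "add_groups": 3, "review": 4, "provision": 5}


@dataclass(frozen=True)
class HrRecord:
    username: str
    role: str
    status: str                        # "active" or "terminated"
    separation_date: Optional[date] = None


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    groups: FrozenSet[str]
    last_login: Optional[date]


def reconcile(roster: List[HrRecord], directory: List[Account],
              today: date) -> List[Tuple[str, str, str]]:
    """Return (username, action, reason) tuples, most urgent first."""
    hr = {r.username: r for r in roster}
    actions = []
    seen = set()
    for acct in directory:
        seen.add(acct.username)
        rec = hr.get(acct.username)
        if rec is None:
            # Nobody in HR owns this account: the classic leftover account.
            if acct.enabled:
                actions.append((acct.username, "disable",
                                "enabled account with no HR record"))
            continue
        if rec.status == "terminated":
            if acct.enabled:
                actions.append((acct.username, "disable",
                                f"terminated on {rec.separation_date}"))
            # A login after the separation date is an incident, not cleanup.
            if (acct.last_login and rec.separation_date
                    and acct.last_login > rec.separation_date):
                actions.append((acct.username, "investigate",
                                f"login on {acct.last_login} after separation"))
            continue
        # Active employee: group membership must match the current role,
        # so a demotion or lateral move removes the old entitlements.
        expected = ROLE_GROUPS.get(rec.role, frozenset())
        extra, missing = acct.groups - expected, expected - acct.groups
        if extra:
            actions.append((acct.username, "remove_groups",
                            "not entitled by role %s: %s"
                            % (rec.role, ", ".join(sorted(extra)))))
        if missing:
            actions.append((acct.username, "add_groups",
                            "missing for role %s: %s"
                            % (rec.role, ", ".join(sorted(missing)))))
        if (acct.enabled and acct.last_login
                and (today - acct.last_login).days > DORMANT_DAYS):
            actions.append((acct.username, "review",
                            f"no login for {(today - acct.last_login).days} days"))
    for name, rec in hr.items():
        if rec.status == "active" and name not in seen:
            actions.append((name, "provision", f"active {rec.role} with no account"))
    return sorted(actions, key=lambda a: (PRIORITY[a[1]], a[0]))


# Constructed sample data for the example.
SAMPLE_TODAY = date(2024, 3, 12)
SAMPLE_ROSTER = [
    HrRecord("alice", "sysadmin", "active"),
    HrRecord("bob", "analyst", "active"),        # moved from sysadmin to analyst
    HrRecord("carol", "analyst", "terminated", date(2024, 3, 1)),
    HrRecord("dave", "intern", "active"),        # new hire, not yet provisioned
    HrRecord("frank", "intern", "active"),
]
SAMPLE_DIRECTORY = [
    Account("alice", True, frozenset({"staff", "vpn", "admins"}), date(2024, 3, 10)),
    Account("bob", True, frozenset({"staff", "vpn", "admins"}), date(2024, 3, 11)),
    Account("carol", True, frozenset({"staff", "vpn"}), date(2024, 3, 5)),
    Account("eve", True, frozenset({"staff"}), date(2023, 11, 2)),    # no HR record
    Account("frank", True, frozenset({"staff"}), date(2023, 12, 1)),
    Account("svc-backup", False, frozenset({"backup"}), None),       # already disabled
]

if __name__ == "__main__":
    for user, action, reason in reconcile(SAMPLE_ROSTER, SAMPLE_DIRECTORY, SAMPLE_TODAY):
        print(f"{action:14} {user:10} {reason}")
```

Run against the sample data, the report disables carol (terminated) and eve (no HR record), flags carol's post-separation login for investigation, strips the admins group bob kept from his old role, flags frank's dormant account, and asks for dave's account to be created; alice, whose account matches her role, does not appear. The order is deliberate: the items that close a live exposure come before the housekeeping.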
It is better to give a potentially disgruntled employee several weeks of paid vacation than to have him trash sensitive files to which he has access. Because employees typically know the pattern of management behavior with respect to termination, doing the right thing will pay dividends in the future for a firm.

Organizations commonly neglect to have a policy that mandates the removal of an individual's computer access upon termination. Not only should such a policy exist, but it should also include the procedures to reclaim and "clean" a terminated employee's computer system and accounts.

Mandatory Vacations

Organizations have provided vacation time to their employees for many years. Few, however, force employees to take this time if they don't want to. At some companies, employees are given the choice to either "use or lose" their vacation time; if they do not take all of their vacation time, they lose at least a portion of it. From a security standpoint, an employee who never takes time off might be involved in nefarious activity, such as fraud or embezzlement, and might be afraid that if he leaves on vacation, the organization will discover his illicit activities. As a result, requiring employees to use their vacation time through a policy of mandatory vacations can be a security protection mechanism. Using mandatory vacations as a tool to detect fraud requires that somebody else also be trained in the functions of the employee who is on vacation, and that the employee's access really is suspended for the duration: a vacation during which the employee keeps working remotely detects nothing. Having a second person familiar with security procedures is also a good policy in case something happens to the primary employee.
On-boarding/Off-boarding Business Partners

Just as it is important to manage the on- and off-boarding processes of company personnel, it is important to consider the same types of elements when making arrangements with third parties. Agreements with business partners tend to be fairly specific about the mutual expectations associated with the business process. Considerations regarding the on-boarding and off-boarding processes are important, especially the off-boarding. When a contract arrangement with a third party comes to an end, issues such as data retention and destruction by the third party, and the removal of any accounts, network connections, or credentials the partner was given, need to be addressed. These considerations need to be settled before the relationship is established, not added at the time it is coming to an end.

On-boarding and off-boarding business procedures should be well documented to ensure compliance with legal requirements.

Social Media Networks

The rise of social media networks has changed many aspects of business. Whether used for marketing, communications, customer relations, or some other purpose, social media networks can be considered a form of third party. One of the challenges in working with social media networks and applications is their terms of use. While a relationship with a typical third party involves a negotiated set of agreements with respect to requirements, there is no negotiation with social media networks. The only option is to accept their terms of service, so it is important to understand the implications of those terms for the business use of the social network.

Acceptable Use Policy

An acceptable use policy (AUP) outlines what the organization considers to be the appropriate use of company resources, such as computer systems, e-mail, Internet access, and networks. Organizations should be concerned about personal use of organizational assets that does not benefit the company.

The goal of the AUP is to ensure employee productivity while limiting organizational liability arising from inappropriate use of the organization's assets. The AUP should clearly delineate what activities are not allowed. It should address issues such as the use of resources to conduct personal business, installation of hardware or software, remote access to systems and networks, the copying of company-owned software, and the responsibility of users to protect company assets, including data, software, and hardware. Statements regarding possible penalties for ignoring any of the policies (such as termination) should also be included.

Related to appropriate use of the organization's computer systems and networks by employees is appropriate use by the organization. The most important such issue is whether the organization considers it appropriate to monitor the employees' use of the systems and network. If monitoring is considered appropriate, the organization should include a statement to this effect in the banner that appears at login. This repeatedly warns employees, and possible intruders, that their actions are subject to monitoring and that any misuse of the system will not be tolerated. For the banner to serve this purpose it must be displayed before authentication on every access path (console, remote desktop, SSH, VPN), not only on the desktop login screen. Should the organization need to use in a civil or criminal case any information gathered during monitoring, the question of whether the employee had an expectation of privacy, or whether it was even legal for the organization to be monitoring, is simplified if the organization can point to a statement that is always displayed and that instructs users that use of the system constitutes consent to monitoring. Before any monitoring is conducted, or the actual wording of the warning message is created, the organization's legal counsel should be consulted to determine the appropriate way to address this issue in the particular jurisdiction.
In today's highly connected environment, every organization should have an AUP that spells out to all employees what the organization considers appropriate and inappropriate use of its computing and network resources. Having this policy may be critical should the organization need to take disciplinary action based on an abuse of its resources.

Internet Usage Policy

In today's highly connected environment, employee use of Internet access is of particular concern. The goal of the Internet usage policy is to ensure maximum employee productivity and to limit potential liability to the organization from inappropriate use of the Internet in the workplace. The Internet provides a tremendous temptation for employees to waste hours as they surf the Web for the scores of games from the previous night, conduct quick online stock transactions, or read the review of the latest blockbuster movie everyone is talking about. In addition, allowing employees to visit sites that may be considered offensive to others (such as pornographic or hate sites) can open the company to accusations of condoning a hostile work environment and result in legal liability.

The Internet usage policy needs to address what sites employees are allowed to visit and what sites they are not allowed to visit. If the company allows them to surf the Web during nonwork hours, the policy needs to clearly spell out the acceptable parameters, in terms of when they are allowed to do this and what sites they are still prohibited from visiting (such as potentially offensive sites). The policy should also describe under what circumstances an employee would be allowed to post something from the organization's network on the Web (on a blog, for example). A necessary addition to this policy is the procedure an employee must follow to obtain permission to post the object or message.

E-Mail Usage Policy

Related to the Internet usage policy is the e-mail usage policy, which deals with what the company will allow employees to send in, or as attachments to, e-mail messages. This policy should spell out whether nonwork e-mail traffic is allowed at all or is at least severely restricted. It needs to cover the type of message that would be considered inappropriate to send to other employees (for example, no offensive language, no sex-related or ethnic jokes, no harassment, and so on). The policy should also specify any disclaimers that must be attached to an employee's message sent to an individual outside the company. The policy should remind employees of the risks of clicking on links in e-mails or opening attachments, as these can be social engineering attacks.

Clean Desk Policy

Preventing access to information is also important in the work area. Firms with sensitive information should have a "clean desk policy" specifying that sensitive information must not be left unsecured in the work area when the worker is not present to act as custodian. Even leaving the desk area to go to the bathroom can leave information exposed and subject to compromise. The clean desk policy should identify and prohibit things that are not obvious at first glance, such as passwords on sticky notes under keyboards and mouse pads or in unsecured desk drawers, and it should extend to unlocked screens, since a logged-in session left unattended exposes more than any document on the desk. All of the elements that demonstrate the need for a clean desk are lost if employees do not make them personal. Training for clean desk activities needs to make the issue a personal one, where consequences are understood and the workplace reinforces the positive activity.
Bring Your Own Device (BYOD) Policy

Everyone seems to have a smartphone, a tablet, or other personal Internet device that they use in their personal lives. Bringing these to work is a natural extension of one's normal activities, but this raises the question of what policies are appropriate before a firm allows these devices to connect to the corporate network and access company data. Like all other policies, planning is needed to define the appropriate pathway to the company's objectives. Personal devices offer cost savings and positive user acceptance, and in many cases these factors make allowing BYOD a sensible decision.

The primary purpose of a BYOD policy is to lower the risk associated with connecting a wide array of personal devices to a company's network and accessing sensitive data on them. This places security, in the form of risk management, at the center of a BYOD policy. Devices need to be maintained in a current, up-to-date software posture, and with certain security features, such as screen locks and passwords, enabled. Remote wipe and other features should be enabled, and highly sensitive data, especially in aggregate, should not be allowed on the devices. Because the device belongs to the employee, the policy must also state what the organization may do to it (inspect it, or wipe it, personal data included) and obtain the employee's agreement to that before the device is enrolled. Users should have specific training as to what is allowed and what isn't and should be made aware of the increased responsibility associated with a mobile means of accessing corporate resources.

In some cases it may be necessary to define a separate policy for personally owned devices. This policy describes the rules and regulations associated with use of personally owned devices with respect to corporate data, network connectivity, and security risks.
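The controls the BYOD paragraph names (current software, screen lock with passcode, remote wipe, no sensitive data on the device) are what a device-compliance rule in a mobile device management or conditional-access system checks before a personal device is let onto the network. The following is an added example, not code from the book or from any MDM product, of such a rule. The minimum OS versions, the device attributes, the encryption check (standing in for the text's "other features") and the sample device records are constructed assumptions. The detail worth the code is the version comparison: versions have to be compared numerically, field by field, because as strings "9.0" sorts after "14" and an out-of-date device would pass.

```python
"""BYOD device-compliance evaluation. Added example with constructed
minimum versions and device records; not taken from any MDM product."""
from dataclasses import dataclass
from typing import List, Tuple

# Assumed minimum OS versions per platform (hypothetical numbers).
MIN_OS = {"ios": (17, 4), "android": (14,)}


@dataclass(frozen=True)
class Device:
    owner: str
    platform: str
    os_version: str
    screen_lock: bool      # screen lock with passcode enabled
    remote_wipe: bool      # enrolled so the organization can wipe it
    encrypted: bool        # storage encryption on (assumed "other feature")
    data_class: str        # highest class of data the user wants on it:
                           # "public", "internal" or "sensitive"


def parse_version(text: str) -> Tuple[int, ...]:
    """'17.4.1' -> (17, 4, 1). Non-numeric suffixes such as '14-beta2'
    are dropped so the comparison stays numeric."""
    fields = []
    for part in text.split("."):
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        fields.append(int(digits) if digits else 0)
    return tuple(fields)


def version_at_least(installed: str, minimum: Tuple[int, ...]) -> bool:
    """Field-wise numeric comparison; missing trailing fields count as 0,
    so '17.4' satisfies a minimum of (17, 4, 0) and vice versa."""
    inst = parse_version(installed)
    width = max(len(inst), len(minimum))
    inst += (0,) * (width - len(inst))
    minimum += (0,) * (width - len(minimum))
    return inst >= minimum


def evaluate(dev: Device) -> Tuple[str, List[str]]:
    """Return ("allow" | "restrict" | "deny", reasons).

    "deny": a baseline control is missing, so the device gets no access.
    "restrict": the controls pass but sensitive data was requested; the
    device may connect, but sensitive data must not be stored on it.
    """
    reasons = []
    minimum = MIN_OS.get(dev.platform)
    if minimum is None:
        reasons.append(f"platform {dev.platform} is not supported")
    elif not version_at_least(dev.os_version, minimum):
        wanted = ".".join(str(n) for n in minimum)
        reasons.append(f"{dev.platform} {dev.os_version} is below minimum {wanted}")
    if not dev.screen_lock:
        reasons.append("screen lock/passcode disabled")
    if not dev.remote_wipe:
        reasons.append("remote wipe not enrolled")
    if not dev.encrypted:
        reasons.append("storage not encrypted")
    if reasons:
        return "deny", reasons
    if dev.data_class == "sensitive":
        return "restrict", ["sensitive data may not be stored on a personal device"]
    return "allow", []


# Constructed sample devices.
SAMPLE_DEVICES = [
    Device("alice", "ios", "17.4.1", True, True, True, "internal"),
    Device("bob", "android", "9.0", True, True, True, "internal"),   # old OS
    Device("carol", "ios", "17.5", True, False, True, "internal"),   # no remote wipe
    Device("dave", "ios", "17.4", True, True, True, "sensitive"),
]

if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        decision, why = evaluate(dev)
        print(f"{dev.owner:6} {decision:8} {'; '.join(why)}")
```

The decision is three-valued on purpose: a device that fails a baseline control is refused outright, while a compliant device asking for sensitive data is admitted to the network but kept away from that data, which is the "not on the device, especially in aggregate" rule from the text rather than a blanket refusal.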
Privacy Policy

Customers place an enormous amount of trust in organizations to which they provide personal information. These customers expect their information to be kept secure so that unauthorized individuals will not gain access to it and so that authorized users will not use the information in unintended ways. Organizations should have a privacy policy that explains what their guiding principles will be in guarding personal data to which they are given access.

A special category of private information that is becoming increasingly important today is personally identifiable information (PII). This category of information includes any data that can be used to uniquely identify an individual, such as a name, address, driver's license number, and other details. Data that does not identify a person on its own (a date of birth, a postal code) can still do so in combination, so a record has to be judged on what its fields allow when put together, not field by field. An organization that collects PII on its employees and customers must make sure that it takes all necessary measures to protect the data from compromise.

Cross Check: Privacy

Privacy is an important consideration in today's computing environment. As such, it has been given its own chapter, Chapter 25. Additional details on privacy issues can be found there.
Due Care and Due Diligence

Due care and due diligence are terms used in the legal and business community to define reasonable behavior. Basically, the law recognizes the responsibility of an individual or organization to act reasonably relative to another party. If party A alleges that the actions of party B have caused it loss or injury, party A must prove that party B failed to exercise due care or due diligence and that this failure resulted in the loss or injury. These terms are often used synonymously, but due care generally refers to the standard of care a reasonable person is expected to exercise in all situations, whereas due diligence generally refers to the standard of care a business is expected to exercise in preparation for a business transaction. An organization must take reasonable precautions before entering a business transaction or it might be found to have acted irresponsibly. In terms of security, organizations are expected to take reasonable precautions to protect the information that they maintain on individuals. Should a person suffer a loss as a result of negligence on the part of an organization in terms of its security, that person typically can bring a legal suit against the organization.

The standard applied, reasonableness, is extremely subjective and often is determined by a jury. The organization will need to show that it had taken reasonable precautions to protect the information, and that, despite these precautions, an unforeseen security event occurred that caused the injury to the other party. Since this is so subjective, it is hard to describe what would be considered reasonable, but many sectors have a set of "security best practices" for their industry, which provides a basis for organizations in that sector to start from. If the organization decides not to follow any of the best practices accepted by the industry, it needs to be prepared to justify its reasons in court should an incident occur. If the sector the organization is in has regulatory requirements, justifying why the mandated security practices were not followed will be much more difficult (if not impossible). In either case the justification has to be written down at the time the decision is made, as a risk assessment or a formal risk acceptance; a rationale reconstructed after the incident carries little weight.

Tech Tip: Prudent Person Principle

The concepts of due care and due diligence are connected. Due care addresses whether the organization has a minimal set of policies that provides reasonable assurance of success in maintaining security. Due diligence requires that management actually do something to ensure security, such as implement procedures for testing and review of audit records, internal security controls, and personnel behavior. The standard applied is one of a "prudent person": would a prudent person find the actions appropriate and sincere? To apply this standard, all one has to do is ask the following question for the issue under consideration: "What would a prudent person do to protect and ensure that the security features and procedures are working or adequate?" Failure of a security feature or procedure doesn't necessarily mean the person acted imprudently.

Due diligence is the application of a specific standard of care. Due care is the degree of care that an ordinary person would exercise.
Due Process

Due process is concerned with guaranteeing fundamental fairness, justice, and liberty in relation to an individual's legal rights. In the United States, due process is concerned with the guarantee of an individual's rights as outlined by the Constitution and Bill of Rights. Procedural due process is based on the concept of what is "fair." Also of interest is the recognition by courts of a series of rights that are not explicitly specified by the Constitution but that the courts have decided are implicit in the concepts embodied by the Constitution. An example of this is an individual's right to privacy. From an organization's point of view, due process may come into play during an administrative action that adversely affects an employee. Before an employee is terminated, for example, were all of the employee's rights protected? An actual example pertains to the rights of privacy regarding employees' e-mail messages. As the number of cases involving employers examining employee e-mails grows, case law continues to be established, and the courts eventually will settle on what rights an employee can expect. The best thing an employer can do if faced with this sort of situation is to work closely with HR staff to ensure that appropriate policies are followed and that those policies are in keeping with current laws and regulations.

Incident Response Policies and Procedures

No matter how careful an organization is, eventually a security incident of some sort will occur. When it happens, how effectively the organization responds will depend greatly on how prepared it is to handle incidents. An incident response policy and associated procedures should be developed to outline how the organization will prepare for security incidents and respond to them when they occur. Waiting until an incident happens is not the right time to establish your policies; they need to be designed in advance. The incident response policy should cover five phases: preparation, detection, containment and eradication, recovery, and follow-up actions.

Cross Check: Incident Response

Incident response is covered in detail in Chapter 22. This section serves only as an introduction to the policy elements associated with the topic. For complete details on incident response, please examine Chapter 22.

■ Security Awareness and Training

Security awareness and training programs can enhance an organization's security posture in two direct ways. First, they teach personnel how to follow the correct set of actions to perform their duties in a secure manner. Second, they make personnel aware of the indicators and effects of social engineering attacks.
There are many tasks that employees perform that can have information security ramifications. Properly trained employees are able to perform their duties in a more effective manner, including their duties associated with information security. The extent of information security training will vary depending on the organization's environment and the level of threat, but initial employee security training at the time of hiring is important, as is periodic refresher training. A strong security education and awareness training program can go a long way toward reducing the chance that a social engineering attack will be successful. Security awareness programs and campaigns, which might include seminars, videos, posters, newsletters, and similar materials, are also fairly easy to implement and are not very costly.

Security Policy Training and Procedures

Personnel cannot be expected to perform complex tasks without training with respect to the tasks and expectations. This applies both to the security policy and to operational security details. If employees are going to be expected to comply with the organization's security policy, they must be properly trained in its purpose, meaning, and objectives. Training with respect to the information security policy, individual responsibilities, and expectations is something that requires periodic reinforcement through refresher training.

Because the security policy is a high-level directive that sets the overall support and executive direction with respect to security, it is important that the meaning of this message be translated and supported. Second-level policies such as password, access, information handling, and acceptable use policies also need to be covered. The collection of policies should paint a picture describing the desired security culture of the organization. The training should be designed to ensure that people see and understand the whole picture, not just the elements.

Role-based Training

For training to be effective, it needs to be targeted to the user with regard to their role in the subject of the training. While all employees may need general security awareness training, they also need specific training in areas where they have individual responsibilities. Role-based training with regard to information security responsibilities is an important part of information security training.

If a person has job responsibilities that may impact information security, then role-specific training is needed to ensure that the individual understands those responsibilities as they relate to information security. Some roles, such as system administrator or developer, have clearly defined information security responsibilities. The roles of others, such as project manager or purchasing manager, have information security impacts that are less obvious, but these roles require training as well. In fact, the less obvious but wider-impact roles of middle management can have a large effect on the information security culture, and thus if a specific outcome is desired, it requires training.

As in all personnel-related training, two elements need attention. First, retraining over time is necessary to ensure that personnel keep proper levels of knowledge. Second, as people change jobs, a reassessment of the required training basis is needed, and additional training may be required. Maintaining accurate training records of personnel is the only way this can be managed in any significant enterprise.
Compliance with Laws, Best Practices, and Standards

There is a wide array of laws, regulations, contractual requirements, standards, and best practices associated with information security. Each places its own set of requirements upon an organization and its personnel. The only effective way for an organization to address these requirements is to build them into its own policies and procedures. Training to one's own policies and procedures then translates into coverage of these external requirements.

It is important to note that many of these external requirements impose a specific training and awareness component upon the organization. Organizations subject to the requirements of the Payment Card Industry Data Security Standard (PCI DSS), the Gramm-Leach-Bliley Act (GLBA), or the Health Insurance Portability and Accountability Act (HIPAA) are among the many that must maintain a specific information security training program. Other organizations should do so as a matter of best practice.
User Habits

Individual user responsibilities vary between organizations and the type of business each organization is involved in, but there are certain very basic responsibilities that all users should be instructed to adopt:

■ Lock the door to your office or workspace, including drawers and cabinets.
■ Do not leave sensitive information inside your car unprotected.
■ Secure storage media containing sensitive information in a secure storage device.
■ Shred paper containing organizational information before discarding it.
■ Do not divulge sensitive information to individuals (including other employees) who do not have an authorized need to know it.
■ Do not discuss sensitive information with family members. (The most common violation of this rule occurs in regard to HR information, as employees, especially supervisors, may complain to their spouse or friends about other employees or about problems that are occurring at work.)
■ Protect laptops and other mobile devices that contain sensitive or important organization information wherever the device may be stored or left. (It's a good idea to ensure that sensitive information is encrypted on the laptop or mobile device so that, should the equipment be lost or stolen, the information remains safe.)
■ Be aware of who is around you when discussing sensitive corporate information. Does everybody within earshot have the need to hear this information?
■ Enforce corporate access control procedures. Be alert to, and do not allow, piggybacking, shoulder surfing, or access without the proper credentials.
■ Be aware of the correct procedures to report suspected or actual violations of security policies.
■ Follow procedures established to enforce good password security practices. Passwords are such a critical element that they are frequently the ultimate target of a social engineering attack. Though such password procedures may seem too oppressive or strict, they are often the best line of defense.

User habits are a front-line security tool in engaging the workforce to improve the overall security posture of an organization.
New Threats and Security Trends/Alerts
At the end of the day, information security practices are about managing risk, and it is well known that the risk environment is one marked by constant change. The ever-evolving threat environment frequently encounters new threats, new security issues, and new forms of defense. Training people to recognize the new threats necessitates continual awareness and training refresher events.
New Viruses
New forms of viruses, or malware, are being created every day. Some of these new forms can be highly destructive and costly, and it is incumbent upon all users to be on the lookout for and take actions to avoid exposure. Poor user practices are counted on by malware authors to assist in the spread of their attacks. One way of explaining proper actions to users is to use an analogy to cleanliness. Training users to practice good hygiene in their actions can go a long way toward assisting the enterprise in defending against these attack vectors.
Phishing Attacks
The best defense against phishing and other social engineering attacks is an educated and aware body of employees. Continual refresher training about the topic of social engineering and specifics about current attack trends are needed to keep employees aware of and prepared for new trends in social engineering attacks. Attackers rely upon an uneducated, complacent, or distracted workforce to enable their attack vector. Social engineering has become the gateway for many of the most damaging attacks in play today. Social engineering is covered extensively in Chapter 4.
Social Networking and P2P
With the rise in popularity of peer-to-peer (P2P) communications and social networking sites—notably Facebook, Twitter, and LinkedIn—many people have gotten into a habit of sharing too much information. Using a status of “Returning from sales call to XYZ company” reveals information to people who have no need to know this information. Confusing sharing with friends and sharing business information with those who don’t need to know is a line people are crossing on a regular basis. Don’t be the employee who mixes business and personal information and releases information to parties who should not have it, regardless of how innocuous it may seem.
User responsibilities are easy training topics about which to ask questions on the CompTIA Security+ exam, so commit to memory your knowledge of the points listed here.
Users need to understand the importance of not using common programs such as torrents and other file sharing in the workplace, as these programs can result in infection mechanisms and data-loss channels. The information security training and awareness program should cover these issues. If the issues are properly explained to employees, their motivation to comply won’t simply be to avoid adverse personnel action for violating a policy; they will want to assist in the security of the organization and its mission.
Training Metrics and Compliance
Training and awareness programs can yield much in the way of an educated and knowledgeable workforce. Many laws, regulations, and best practices have requirements for maintaining a trained workforce. Having a record-keeping system to measure compliance with attendance and to measure the effectiveness of the training is a normal requirement. Simply conducting training is not sufficient. Following up and gathering training metrics to validate compliance and security posture is an important aspect of security training management.
A number of factors deserve attention when managing security training. Because of the diverse nature of role-based requirements, maintaining an active, up-to-date listing of individual training and retraining requirements is one challenge. Monitoring the effectiveness of the training is yet another challenge. Creating an effective training and awareness program when measured by actual impact on employee behavior is a challenging endeavor. Training needs to be current, relevant, and interesting to engage employee attention. Simple repetition of the same training material has not proven to be effective, so regularly updating the program is a requirement if it is to remain effective over time.
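As an added illustration of the record-keeping described above (example code, not from the textbook), the Python below keeps a role-based list of retraining intervals, finds who is overdue, and computes a compliance rate. The roles, intervals, employees, attendance records and report date are constructed sample data.

```python
"""Training-record check: who is overdue for role-based security retraining.

Added example, not from the textbook. Roles, retraining intervals, the
employee list, the attendance records and the report date are constructed.
"""
from datetime import date, timedelta

# Retraining interval in days for each course a role must hold (constructed policy).
REQUIREMENTS = {
    "all-staff": {"security-awareness": 365},
    "developer": {"security-awareness": 365, "secure-coding": 365},
    "sysadmin": {"security-awareness": 365, "incident-reporting": 180},
}

# Constructed workforce: employee id -> role.
EMPLOYEES = {"e001": "developer", "e002": "sysadmin", "e003": "all-staff", "e004": "developer"}

# Constructed attendance records: (employee id, course, completion date).
RECORDS = [
    ("e001", "security-awareness", date(2015, 9, 1)),
    ("e001", "secure-coding", date(2014, 6, 15)),
    ("e002", "security-awareness", date(2015, 3, 10)),
    ("e002", "incident-reporting", date(2015, 2, 1)),
    ("e003", "security-awareness", date(2015, 10, 20)),
    # e004 has never attended anything
]

# Date the report is run (constructed).
TODAY = date(2015, 11, 3)


def latest_completion(records):
    """Map (employee, course) -> most recent completion date on record."""
    latest = {}
    for emp, course, when in records:
        key = (emp, course)
        if key not in latest or when > latest[key]:
            latest[key] = when
    return latest


def overdue(employees, records, requirements, today):
    """Return {employee: [(course, status), ...]} for every unmet requirement.

    status is "never" when there is no record at all, otherwise the number
    of days the employee is past the retraining due date.
    """
    latest = latest_completion(records)
    result = {}
    for emp, role in employees.items():
        for course, interval in requirements[role].items():
            done = latest.get((emp, course))
            if done is None:
                result.setdefault(emp, []).append((course, "never"))
            else:
                due = done + timedelta(days=interval)
                if today > due:
                    result.setdefault(emp, []).append((course, (today - due).days))
    return result


def compliance_rate(employees, records, requirements, today):
    """Fraction of all (employee, course) requirements currently satisfied."""
    total = sum(len(requirements[role]) for role in employees.values())
    missed = sum(len(v) for v in overdue(employees, records, requirements, today).values())
    return (total - missed) / total if total else 1.0


if __name__ == "__main__":
    for emp, items in sorted(overdue(EMPLOYEES, RECORDS, REQUIREMENTS, TODAY).items()):
        for course, status in items:
            print(f"{emp}: {course} -> {status}")
    print(f"compliance: {compliance_rate(EMPLOYEES, RECORDS, REQUIREMENTS, TODAY):.0%}")
```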
■■ Interoperability Agreements
Many business operations involve actions between many different parties—some within an organization, and some in different organizations. These actions require communication between the parties, defining the responsibilities and expectations of the parties, the business objectives, and the environment within which the objectives will be pursued. To ensure an agreement is understood between the parties, written agreements are used. Numerous forms of legal agreements and contracts are used in business, but with respect to security, some of the most common ones are the service level agreement, business partnership agreement, memorandum of understanding, and interconnection security agreement.
Tech Tip
Security Training Records
Requirements for both periodic training and retraining drive the need for good training records. Maintaining proper information security training records is a requirement of several laws and regulations and should be considered a best practice.
Service Level Agreements
Service level agreements (SLAs) are contractual agreements between entities that describe specified levels of service that the servicing entity agrees to guarantee for the customer. SLAs essentially set the requisite level of performance of a given contractual service. SLAs are typically included as part of a service contract and set the level of technical expectations. An SLA can define specific services, the performance level associated with a service, issue management and resolution, and so on. SLAs are negotiated between customer and supplier and represent the agreed-upon terms. An organization contracting with a service provider should remember to include in the agreement a section describing the service provider’s responsibility in terms of business continuity and disaster recovery. The provider’s backup plans and processes for restoring lost data should also be clearly described.
Typically, a good SLA will satisfy two simple rules. First, it will describe the entire set of product or service functions in sufficient detail that their requirement will be unambiguous. Second, the SLA will provide a clear means of determining whether a specified function or service has been provided at the agreed-upon level of performance.
Business Partnership Agreement
A business partnership agreement (BPA) is a legal agreement between partners establishing the terms, conditions, and expectations of the relationship between the partners. These details can cover a wide range of issues, including typical items such as the sharing of profits and losses, the responsibilities of each partner, the addition or removal of partners, and any other issues. The Uniform Partnership Act (UPA), established by state law and convention, lays out a uniform set of rules associated with partnerships to resolve any partnership terms. The terms in a UPA are designed as “one size fits all” and are not typically in the best interest of any specific partnership. To avoid undesired outcomes that may result from UPA terms, it is best for partnerships to spell out specifics in a BPA.
Memorandum of Understanding
A memorandum of understanding (MOU) is a legal document used to describe a bilateral agreement between parties. It is a written agreement expressing a set of intended actions between the parties with respect to some common pursuit or goal. It is more formal and detailed than a simple handshake, but it generally lacks the binding powers of a contract. It is also common to find MOUs between different units within an organization to detail expectations associated with the common business interest.
Interconnection Security Agreement
An interconnection security agreement (ISA) is a specialized agreement between organizations that have interconnected IT systems, the purpose of which is to document the security requirements associated with the interconnection. An ISA can be a part of an MOU detailing the specific technical security aspects of a data interconnection.
Be sure you understand the differences between the interoperability agreements SLA, BPA, MOU, and ISA. The differences hinge upon the purpose for each document.
■■ The Security Perimeter
The discussion to this point has not included any mention of the specific technology used to enforce operational and organizational security or a description of the various components that constitute the organization’s security perimeter. If the average administrator were asked to draw a diagram depicting the various components of their network, the diagram would probably look something like Figure 3.1.
This diagram includes the major components typically found in a network. The connection to the Internet generally has some sort of protection attached to it such as a firewall. An intrusion detection system (IDS), also often part of the security perimeter for the organization, may be either on the inside or the outside of the firewall, or it may in fact be on both sides. The specific location depends on the company and what it is more concerned about preventing (that is, insider threats or external threats). The router can also be thought of as a security device, as it can be used to enhance security such as in the case of wireless routers that can be used to enforce encryption settings. Beyond this security perimeter is the corporate network. Figure 3.1 is obviously a very simple depiction—an actual network can have numerous subnets and extranets as well as wireless access points—but the basic components are present. Unfortunately, if this were the diagram provided by the administrator to show the organization’s basic network structure, the administrator would have missed a very important component. A more astute administrator would provide a diagram more like Figure 3.2.
This diagram includes other possible access points into the network, including the public switched telephone network (PSTN) and wireless access points. The organization may or may not have any authorized modems or wireless networks, but the savvy administrator would realize that the potential exists for unauthorized versions of both. When considering the policies, procedures, and guidelines needed to implement security for the organization, both networks need to be considered. Another development that has brought the telephone and computer networks together is the implementation of voice over IP (VoIP), which eliminates the traditional land lines in an organization and replaces them with special telephones that connect to the IP data network.
While Figure 3.2 provides a more comprehensive view of the various components that need to be protected, it is still incomplete. Most experts will agree that the biggest danger to any organization does not come from external attacks but rather from the insider—a disgruntled employee or somebody else who has physical access to the facility. Given physical access to an office, the knowledgeable attacker will quickly find the information needed to gain access to the organization’s computer systems and network. Consequently, every organization also needs security policies, procedures, and guidelines that cover physical security, and every security administrator should be concerned with these as well. While physical security (which can include such things as locks, cameras, guards and entry points, alarm systems, and physical barriers) will probably not fall under the purview of the security administrator, the operational state of the organization’s physical security measures is just as important as many of the other network-centric measures.
The security perimeter, with its several layers of security, along with additional security mechanisms that may be implemented on each system (such as user IDs/passwords), creates what is sometimes known as defense-in-depth. This implies that security is enhanced when there are multiple layers of security (the depth) through which an attacker would have to penetrate to reach the desired goal.
An increasing number of organizations are implementing VoIP solutions to bring the telephone and computer networks together. While there are some tremendous advantages to doing this in terms of both increased capabilities and potential monetary savings, bringing the two networks together may also introduce additional security concerns. Another common method to access organizational networks today is through wireless access points. These may be provided by the organization itself to enhance productivity, or they may be attached to the network by users without organizational approval. The impact of all of these additional methods that can be used to access a network is to increase the complexity of the security problem.
• Figure 3.1 Basic diagram of an organization’s network (components shown: the Internet, router, firewall, IDS, corporate LAN)
• Figure 3.2 A more complete diagram of an organization’s network (components shown: the Internet, router, firewall, IDS, corporate LAN, wireless access point, the PSTN, modem, corporate PBX, telephones)
■■ Physical Security
Physical security consists of all mechanisms used to ensure that physical access to the computer systems and networks is restricted to only authorized users. Additional physical security mechanisms may be used to provide increased security for especially sensitive systems such as servers and devices such as routers, firewalls, and intrusion detection systems. When considering physical security, access from all six sides should be considered—not only should the security of obvious points of entry be examined, such as doors and windows, but the walls themselves as well as the floor and ceiling should also be considered. Questions such as the following should be addressed:
■■ Is there a false ceiling with tiles that can be easily removed?
■■ Do the walls extend to the actual ceiling or only to a false ceiling?
■■ Is there a raised floor?
■■ Do the walls extend to the actual floor, or do they stop at a raised floor?
■■ How are important systems situated?
■■ Do the monitors face away from windows, or could the activity of somebody at a system be monitored?
■■ Who has access to the facility?
■■ What type of access control is there, and are there any guards?
■■ Who is allowed unsupervised access to the facility?
■■ Is there an alarm system or security camera that covers the area?
■■ What procedures govern the monitoring of the alarm system or security camera and the response should unauthorized activity be detected?
These are just some of the numerous questions that need to be asked when examining the physical security surrounding a system.
Physical Access Controls
The purpose of physical access controls is the same as that of computer and network access controls—you want to restrict access to only those who are authorized to have it. Physical access is restricted by requiring the individual to somehow authenticate that they have the right or authority to have the desired access. As in computer authentication, access in the physical world can be based on something the individual has, something they know, or something they are. Frequently, when dealing with the physical world, the terms “authentication” and “access control” are used interchangeably.
Tech Tip
Physical Security Is Also Important to Computer Security
Computer security professionals recognize that they cannot rely only on computer security mechanisms to keep their systems safe. Physical security must be maintained as well, because in many cases, if an attacker gains physical access, he can steal data and destroy the system.
The most common physical access control device, which has been around in some form for centuries, is a lock. Combination locks represent an access control device that depends on something the individual knows (the combination). Locks with keys depend on something the individual has (the key). Each of these has certain advantages and disadvantages. Combinations don’t require any extra hardware, but they must be remembered (which means individuals may write them down—a security vulnerability in itself) and are hard to control. Anybody who knows the combination may provide it to somebody else. Key locks are simple and easy to use, but the key may be lost, which means another key has to be made or the lock has to be rekeyed. Keys may also be copied, and their dissemination can be hard to control. Newer locks replace the traditional key with a card that must be passed through a reader or placed against it. The individual may also have to provide a personal access code, thus making this form of access both a something-you-know and something-you-have method.
In addition to locks on doors, other common physical security devices include video surveillance and even simple access control logs (sign-in logs). While sign-in logs don’t provide an actual barrier, they do provide a record of access and, when used in conjunction with a guard who verifies an individual’s identity, can dissuade potential adversaries from attempting to gain access to a facility. As mentioned, another common access control mechanism is a human security guard. Many organizations employ a guard to provide an extra level of examination of individuals who want to gain access to a facility. Other devices are limited to their designed function. A human guard can apply common sense to situations that might have been unexpected. Having security guards also addresses the common practice of piggybacking (aka tailgating), where an individual follows another person closely to avoid having to go through the access control procedures.
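The access records described above can also be checked automatically. As an added example that is not part of the textbook, the Python below reads a constructed badge-reader log and flags a door that opened without a granted read (a sign of piggybacking or a held-open door) and a credential that enters twice without leaving (a shared or copied card, or a holder who earlier left by tailgating); the log format, reader names and the 10-second window are assumptions.

```python
"""Checks over a physical access-control (badge reader) log.

Added example, not from the textbook. The log format, the reader name,
the badge ids and the timing window are all constructed.
"""
from datetime import datetime, timedelta

# Constructed sample log. Each line: date, time, reader, event kind, and for
# BADGE events the badge id, direction (in/out) and result (granted/denied).
# OPEN is the door contact sensor reporting that the door physically opened.
SAMPLE_LOG = """\
2015-11-03 08:01:12 door-1 BADGE B1042 in granted
2015-11-03 08:01:13 door-1 OPEN
2015-11-03 08:01:40 door-1 OPEN
2015-11-03 12:05:02 door-1 BADGE B1042 in granted
2015-11-03 12:05:03 door-1 OPEN
2015-11-03 12:30:00 door-1 BADGE B2210 in denied
2015-11-03 17:02:10 door-1 BADGE B1042 out granted
2015-11-03 17:02:11 door-1 OPEN
"""

# A door opening more than this long after the last granted read on that
# reader is treated as an opening with no credential (constructed threshold).
OPEN_WINDOW = timedelta(seconds=10)


def parse_line(line):
    """Turn one log line into a dict; returns None for blank lines."""
    parts = line.split()
    if not parts:
        return None
    ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    event = {"ts": ts, "reader": parts[2], "kind": parts[3]}
    if parts[3] == "BADGE":
        event.update(badge=parts[4], direction=parts[5], result=parts[6])
    return event


def analyze(log_text):
    """Return a list of (timestamp, alert text) for suspicious events."""
    alerts = []
    last_granted = {}   # reader -> time of the most recent granted read
    inside = set()      # badges currently recorded as inside the area
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "OPEN":
            # Door opened: was there a granted read just before it?
            seen = last_granted.get(ev["reader"])
            if seen is None or ev["ts"] - seen > OPEN_WINDOW:
                alerts.append((ev["ts"], f"{ev['reader']}: door opened with no granted badge read"))
        elif ev["kind"] == "BADGE" and ev["result"] == "granted":
            last_granted[ev["reader"]] = ev["ts"]
            if ev["direction"] == "in":
                # Anti-passback: a badge already inside cannot enter again.
                if ev["badge"] in inside:
                    alerts.append((ev["ts"], f"{ev['badge']}: entered again without exiting (anti-passback)"))
                inside.add(ev["badge"])
            elif ev["direction"] == "out":
                inside.discard(ev["badge"])
    return alerts


if __name__ == "__main__":
    for ts, text in analyze(SAMPLE_LOG):
        print(ts.isoformat(sep=" "), text)
```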
Biometrics
Access controls that utilize something you know (for example, combinations) or something you have (such as keys) are not the only methods to limit facility access to authorized individuals. A third approach is to utilize something unique about the individual—their fingerprints, for example—to identify them. Unlike the other two methods, the something-you-are method, known as biometrics, does not rely on the individual to either remember something or to have something in their possession. Biometrics is a more sophisticated access control approach and can be more expensive. Biometrics also suffer from false positives and false negatives, making them less than 100 percent effective. For this reason they are frequently used in conjunction with another form of authentication. The advantage is the user always has them (cannot leave at home or share) and they tend to have better entropy than passwords. Other methods to accomplish biometrics include handwriting analysis, retinal scans, iris scans, voiceprints, hand geometry, and facial geometry.
Tech Tip
Physical and Information Security Convergence
In high-security sites, physical access controls and electronic access controls to information are interlocked. This means that before data can be accessed from a particular machine, the physical access control system must agree with the finding that the authorized party is present.
There are many similarities between authentication and access controls in computers and in the physical world. Remember the three common techniques for verifying a person’s identity and access privileges: something you know, something you have, and something about you.
Both access to computer systems and networks and physical access to restricted areas can be controlled with biometrics. However, biometric methods for controlling physical access are generally not the same as those employed for restricting access to computer systems and networks. Hand geometry, for example, requires a fairly large device. This can easily be placed outside of a door to control access to the room but would not be as convenient to control access to a computer system, since a reader would need to be placed with each computer or at least with groups of computers. In a mobile environment where laptops are being used, a device such as a hand geometry reader would be unrealistic.
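An added example, not from the textbook, of the false positive/false negative trade-off mentioned above: a matcher produces a similarity score, and the acceptance threshold chosen for the reader sets the false accept rate (FAR) and false reject rate (FRR). The score samples are constructed, not measurements from any device.

```python
"""False accept / false reject trade-off for a biometric matcher.

Added example, not from the textbook. A matcher returns a similarity score
and a threshold turns it into accept/reject. A low threshold lets more
impostors in (false positives); a high one rejects more genuine users
(false negatives). The score samples below are constructed.
"""

# Constructed match scores on a 0..100 scale.
# genuine: an enrolled user compared against a fresh sample of themselves.
# impostor: an enrolled user compared against someone else's sample.
GENUINE = [91, 88, 85, 83, 80, 78, 76, 74, 71, 66, 62, 58]
IMPOSTOR = [12, 18, 22, 27, 31, 35, 40, 44, 49, 55, 61, 68]


def error_rates(genuine, impostor, threshold):
    """Return (FAR, FRR) when a sample is accepted iff score >= threshold.

    FAR (false accept rate) is the fraction of impostor attempts admitted;
    FRR (false reject rate) is the fraction of genuine attempts refused.
    """
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def crossover_threshold(genuine, impostor):
    """Integer threshold at which FAR and FRR are closest (the crossover,
    or equal error rate, point), found by scanning the observed score range."""
    scores = genuine + impostor
    best, best_gap = None, None
    for t in range(min(scores), max(scores) + 2):
        far, frr = error_rates(genuine, impostor, t)
        gap = abs(far - frr)
        if best_gap is None or gap < best_gap:
            best, best_gap = t, gap
    return best


if __name__ == "__main__":
    # A reader tuned for convenience (low threshold), the crossover point,
    # and a reader tuned for security (high threshold).
    for t in (50, crossover_threshold(GENUINE, IMPOSTOR), 80):
        far, frr = error_rates(GENUINE, IMPOSTOR, t)
        print(f"threshold {t:>3}: FAR {far:.1%}  FRR {frr:.1%}")
```

Because neither rate reaches zero at a usable threshold, a second factor such as a PIN or card is what brings the combined false accept rate down, which is why the text pairs biometrics with another form of authentication.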
Physical Barriers
An even more common security feature than locks is a physical barrier. Physical barriers help implement the physical-world equivalent of layered security. The outermost layer of physical security should contain the more publicly visible activities. A guard at a gate in a fence, for example, would be visible by all who happen to pass by. As you progress through the layers, the barriers and security mechanisms should become less publicly visible to make determining what mechanisms are in place more difficult for observers. Signs are also an important element in security, as they announce to the public which areas are public and which are private. A man trap can also be used in this layered approach. It generally consists of a small space that is large enough for only one person at a time, with two locking doors. An individual has to enter the first door, close the first door, then attempt to open the second door. If unsuccessful, perhaps because they do not have the proper access code, the person can be caught inside this small location until security personnel show up.
In addition to walls and fences, open space can also serve as a barrier. While this may at first seem to be an odd statement, consider the use of large areas of open space around a facility. For an intruder to cross this open space takes time—time in which they are vulnerable and their presence may be discovered. In today’s environment in which terrorist attacks have become more common, additional precautions should be taken for areas that may be considered a possible target for terrorist activity. In addition to open space, which is necessary to lessen the effect of explosions, concrete barriers that stop vehicles from getting too close to facilities should also be used. It is not necessary for these to be unsightly concrete walls; many facilities have placed large, round concrete circles, filled them with dirt, and then planted flowers and other plants to construct a large, immovable planter.
■■ Environmental Issues
Environmental issues may not at first seem to be related to security, but when considering the availability of a computer system or network, they must be taken into consideration. Environmental issues include items such as heating, ventilation, and air conditioning (HVAC) systems, electrical power, and the “environments of nature.” HVAC systems are used to maintain the comfort of an office environment. A few years back, they were also critical for the smooth operation of computer systems that had low tolerances for humidity and heat. Today’s desktop systems are much more tolerant, and the limiting factor is now often the human user. The exception to this HVAC limitation is when large quantities of equipment are co-located, in server rooms and network equipment closets. In these heat-dense areas, HVAC is needed to keep equipment temperatures within reasonable ranges. Often certain security devices such as firewalls and intrusion detection systems are located in these same equipment closets and the loss of HVAC systems can cause these critical systems to fail. One interesting aspect of HVAC systems is that they themselves are often computer controlled and frequently provide remote access via telephone or network connections. These connections should be protected in a similar manner to computer modems, or else attackers may locate them and change the HVAC settings for an office or building.
Tech Tip
Biometric Devices
Once only seen in spy or science fiction movies, biometrics such as hand and fingerprint readers, eye-scanning technology, and voiceprint devices are now becoming more common in the real world. The accuracy of these devices has improved and the costs have dropped, making them realistic solutions to many access control situations.
Tech Tip
Signs
Signs can be an effective control, warning unauthorized personnel not to enter, locating critical elements for first responders, and providing paths to exits in emergencies. Proper signage is an important aspect of physical security controls.
Electrical power is obviously an essential requirement for computer systems and networks. Electrical power is subject to momentary surges and disruption. Surge protectors are needed to protect sensitive electronic equipment from fluctuations in voltage. An uninterruptible power supply (UPS) should be considered for critical systems so that a loss of power will not halt processing. The size of the batteries associated with a UPS will determine the amount of time that it can operate before it too loses power. Many sites ensure sufficient power to provide administrators the opportunity to cleanly bring the system or network down. For installations that require continuous operations, even in the event of a power outage, electric generators that automatically start when a loss of power is detected can be installed. These systems may take a few seconds to start before they reach full operation, so a UPS should also be considered to smooth the transition between normal and backup power.
Fire Suppression
Fires are a common disaster that can affect organizations and their computing equipment. Fire detection and fire suppression devices are two approaches to addressing this threat. Detectors can be useful because some may be able to detect a fire in its very early stages before a fire suppression system is activated, and they can potentially sound a warning. This warning could provide employees with the opportunity to deal with the fire before it becomes serious enough for the fire suppression equipment to kick in. Suppression systems come in several varieties, including sprinkler-based systems and gas-based systems. Standard sprinkler-based systems are not optimal for data centers because water will ruin large electrical infrastructures and most integrated circuit–based devices—such as computers. Gas-based systems are a good alternative, though they also carry special concerns. More extensive coverage of fire detection and suppression is provided in Chapter 8.
HVAC systems for server rooms and network equipment closets are important because the dense equipment environment can generate significant amounts of heat. HVAC outages can result in temperatures that are outside equipment operating ranges, forcing shutdowns.
03-ch03.indd 64 03/11/15 5:20 pm
Chapter 3: Operational and Organizational Security | Principles of Computer Security | 64 65
BaseTech / Principles of Computer Security, Fourth Edition /
Conklin / 597-0 / Chapter 3
■■ Wireless
When someone talks about wireless communication, they generally are referring to cellular telephones (“cell phones”). These devices have become ubiquitous in today’s modern office environment. A cell phone network consists of the phones themselves, the cells with their accompanying base stations that they are used in, and the hardware and software that allow them to communicate. The base stations are made up of antennas, receivers, transmitters, and amplifiers. The base stations communicate with those cell phones that are currently in the geographical area that is serviced by that station. As a person travels across town, they may exit and enter multiple cells. The stations must conduct a handoff to ensure continuous operation for the cell phone. As the individual moves toward the edge of a cell, a mobile switching center notices the power of the signal beginning to drop, checks whether another cell has a stronger signal for the phone (cells frequently overlap), and, if so, switches operation to this new cell and base station. All of this is done without the user ever knowing that they have moved from one cell to another.
Wireless technology can also be used for networking. There are two main standards for wireless network technology. Bluetooth is designed as a short-range (approximately ten meters) personal area network (PAN) cable-replacement technology that can be built into a variety of devices, such as mobile phones, tablets, and laptop computers. The idea is to create low-cost wireless technology so that many different devices can communicate with each other. Bluetooth is also interesting because, unlike other wireless technology, it is designed so that devices can talk directly with each other without having to go through a central device (such as the base station described previously). This is known as peer-to-peer communication.
The other major wireless standard is the IEEE 802.11 set of standards, which is well suited for the local area network (LAN) environment. 802.11 networks can operate either in an ad hoc peer-to-peer fashion or in infrastructure mode, which is more common. In infrastructure mode, computers with 802.11 network cards communicate with a wireless access point. This access point connects to the network so that the computers communicating with it are essentially also connected to the network.
While wireless networks are very useful in today’s modern office (and home), they are not without their security problems. Access points are generally placed throughout a building so that all employees can access the corporate network. The transmission and reception areas covered by access points are not easily controlled. Consequently, many publicly accessible areas might fall into the range of one of the organization’s access points, or its Bluetooth-enabled systems, and thus the corporate network may become vulnerable to attack. Wireless networks are designed to incorporate some security measures, but all too often the networks are set up without security enabled, and serious security flaws exist in the 802.11 design.
Tech Tip
Wireless Network Security Issues
Due to a number of advantages, such as the ability to take your laptop with you as you move around your building and still stay connected, wireless networks have grown in popularity. They also eliminate the need to string network cables all over the office. At the same time, however, they can be a security nightmare if not adequately protected. The signal for your network doesn’t stop at your office door or wall just because it is there. It will continue propagating to areas that may be open to anybody. This provides the opportunity for others to access your network. To avoid this, you must take steps such as encrypting transmissions so that your wireless network doesn’t become the weak link in your security chain.
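The text's warning that networks are "all too often set up without security enabled" is something an administrator can check for directly. The script below is an added example, not code from the textbook: it parses the text format printed by the Linux `iw dev <iface> scan` command (SSID line, capability flags, and the RSN/WPA information elements) and flags every access point that is open, still on WEP, or only offers the original WPA. The scan output embedded in it is constructed, with locally administered (02:...) BSSIDs, and the SSID names are hypothetical.

```python
"""Audit 802.11 access points for missing or weak link-layer encryption.

Added example, not code from the textbook. It parses the text format the
Linux `iw dev <iface> scan` command prints and classifies each BSS by the
encryption it advertises, so that open or legacy networks stand out.
"""
import re
from dataclasses import dataclass, field

# Constructed scan output (hypothetical SSIDs, locally administered BSSIDs).
SAMPLE_SCAN = """\
BSS 02:00:00:00:00:01(on wlan0)
\tSSID: CorpNet-Open
\tcapability: ESS ShortSlotTime (0x0401)
BSS 02:00:00:00:00:02(on wlan0)
\tSSID: CorpNet-Legacy
\tcapability: ESS Privacy ShortSlotTime (0x0411)
BSS 02:00:00:00:00:03(on wlan0)
\tSSID: CorpNet
\tcapability: ESS Privacy ShortSlotTime (0x0411)
\tRSN:\t * Version: 1
\t\t * Group cipher: CCMP
\t\t * Pairwise ciphers: CCMP
\t\t * Authentication suites: IEEE 802.1X
BSS 02:00:00:00:00:04(on wlan0)
\tSSID: CorpNet-Guest
\tcapability: ESS Privacy ShortSlotTime (0x0411)
\tWPA:\t * Version: 1
\t\t * Group cipher: TKIP
\t\t * Pairwise ciphers: TKIP
\t\t * Authentication suites: PSK
"""


@dataclass
class Bss:
    bssid: str
    ssid: str = ""
    privacy: bool = False          # "Privacy" capability bit set
    rsn: bool = False              # RSN (WPA2) information element present
    wpa: bool = False              # legacy WPA information element present
    pairwise: set = field(default_factory=set)  # pairwise ciphers advertised


def parse_iw_scan(text: str) -> list:
    """Turn `iw ... scan` text output into a list of Bss records."""
    networks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"BSS ([0-9a-f:]{17})", line)
        if m:
            cur = Bss(bssid=m.group(1))
            networks.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("SSID:"):
            cur.ssid = line[len("SSID:"):].strip()
        elif line.startswith("capability:"):
            # Flags come before the hex value in parentheses.
            cur.privacy = "Privacy" in line.split("(")[0].split()
        elif line.startswith("RSN:"):
            cur.rsn = True
        elif line.startswith("WPA:"):
            cur.wpa = True
        elif line.startswith("* Pairwise ciphers:"):
            cur.pairwise.update(line.split(":", 1)[1].split())
    return networks


def classify(b: Bss) -> str:
    """Infer the strongest protection the BSS advertises."""
    if not b.privacy:
        return "open"                      # no encryption at all
    if not (b.rsn or b.wpa):
        return "wep"                       # Privacy bit without WPA/RSN IE
    if b.rsn:
        return "wpa2-tkip" if "TKIP" in b.pairwise else "wpa2"
    return "wpa1"


ACCEPTABLE = {"wpa2"}   # policy assumed for this example


def audit(text: str) -> list:
    """Return (ssid, bssid, classification) for every non-compliant BSS."""
    return [(b.ssid, b.bssid, classify(b))
            for b in parse_iw_scan(text) if classify(b) not in ACCEPTABLE]


if __name__ == "__main__":
    for ssid, bssid, kind in audit(SAMPLE_SCAN):
        print(f"{ssid:16} {bssid}  {kind}")
```

Run against a real scan with `iw dev wlan0 scan | python3 audit.py` after swapping `SAMPLE_SCAN` for `sys.stdin.read()`; the point is that the findings list tells you which of your own access points lack the encryption the Tech Tip calls for, before anyone outside the building notices first.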
Cross Check
Wireless Networks
Wireless network security is discussed in this chapter in relationship to physical issues such as the placement of wireless access points. There are, however, numerous other issues with wireless security, which are discussed in Chapter 12. Make sure to understand how the physical location of wireless access points affects the other wireless security issues.
■■ Electromagnetic Eavesdropping
In 1985, a paper by Wim van Eck of the Netherlands described what became known as the van Eck phenomenon. In the paper van Eck described how eavesdropping on what was being displayed on monitors could be accomplished by picking up and then decoding the electromagnetic interference produced by the monitors. With the appropriate equipment, the exact image of what is being displayed can be re-created some distance away. While the original paper discussed emanations as they applied to video display units (monitors), the same phenomenon applies to other devices such as printers and computers.
This phenomenon had actually been known about for quite some time before van Eck published his paper. The U.S. Department of Defense used the term TEMPEST (referred to by some as the Transient ElectroMagnetic Pulse Emanation STandard) to describe both a program in the military to control these electronic emanations from electrical equipment and the actual process for controlling the emanations. There are three basic ways to prevent these emanations from being picked up by an attacker:
■■ Put the equipment beyond the point that the emanations can be picked up.
■■ Provide shielding for the equipment itself.
■■ Provide a shielded enclosure (such as a room) to put the equipment in.
One of the simplest ways to protect against equipment being monitored in this fashion is to put enough distance between the target and the attacker. The emanations can be picked up from only a limited distance. If the physical security for the facility is sufficient to put enough space between the equipment and publicly accessible areas that the signals cannot be picked up, then the organization doesn’t have to take any additional measures to ensure security.
Distance is not the only way to protect against eavesdropping on electronic emanations. Devices can be shielded so their emanations are blocked. Acquiring enough property to provide the necessary distance needed to protect against an eavesdropper may be possible if the facility is in the country with lots of available land surrounding it. Indeed, for smaller organizations that occupy only a few offices or floors in a large office building, it would be impossible to acquire enough space. In this case, the organization may resort to purchasing shielded equipment. A “TEMPEST approved” computer will cost significantly more than what a normal computer would cost. Shielding a room (in what is known as a Faraday cage) is also an extremely expensive endeavor.
A natural question to ask is, how prevalent is this form of attack? The equipment needed to perform electromagnetic eavesdropping is not readily available, but it would not cost an inordinate amount of money to produce it. The cost could certainly be afforded by any large corporation, and industrial espionage using such a device is a possibility. While there are no public records of this sort of activity being conducted, it is reasonable to assume that it does take place in large corporations and the government, especially in foreign countries.
Modern Eavesdropping
Not just electromagnetic information can be used to carry information out of a system to an adversary. Recent advances have demonstrated the feasibility of using the webcams and microphones on systems to spy on users, recording keystrokes and other activities. There are even devices built to intercept the wireless signals between wireless keyboards and mice and transmit them over another channel to an adversary. USB-based keyloggers can be placed in the back of machines, as in many cases the back of a machine is unguarded or facing the public (watch for this the next time you see a receptionist’s machine).
One of the challenges in security is determining how much to spend on security without spending too much. Security spending should be based on likely threats to your systems and network. While electronic emanations can be monitored, the likelihood of this taking place in most situations is remote, which makes spending on items to protect against it at best a low priority.
Chapter 3 Review
■ Chapter Summary
After reading this chapter and completing the exercises, you should understand the following regarding operational and organizational security.
Identify various operational aspects to security in your organization
■■ Prevention technologies are designed to keep individuals from being able to gain access to systems or data they are not authorized to use.
■■ Previously in operational environments, prevention was extremely difficult and relying on prevention technologies alone was not sufficient. This led to the rise of technologies to detect and respond to events that occur when prevention fails.
■■ An important part of any organization’s approach to implementing security is to establish policies, procedures, standards, and guidelines to detail what users and administrators should be doing to maintain the security of the systems and network.
Identify various policies and procedures in your organization
■■ Policies, procedures, standards, and guidelines are important in establishing a security program within an organization.
■■ The security policy and supporting policies play an important role in establishing and managing system risk.
■■ Policies and procedures associated with Human Resources functionality include job rotation, mandatory vacations, and hiring and termination policies.
Identify the security awareness and training needs of an organization
■■ Security training and awareness efforts are vital in engaging the workforce to act within the desired range of conduct with respect to security.
■■ Security awareness and training is important in achieving compliance objectives.
■■ Security awareness and training should be measured and managed as part of a comprehensive security program.
Understand the different types of agreements employed in negotiating security requirements
■■ The different interoperability agreements, including SLA, BPA, MOU and ISA, are used to establish security expectations between various parties.
Describe the physical security components that can protect your computers and network
■■ Physical security consists of all mechanisms used to ensure that physical access to the computer systems and networks is restricted to only authorized users.
■■ The purpose of physical access controls is the same as that of computer and network access controls—to restrict access to only those who are authorized to have it.
■■ The careful placement of equipment can provide security for known security problems exhibited by wireless devices and that arise due to electronic emanations.
Identify environmental factors that can affect security
■■ Environmental issues are important to security because they can affect the availability of a computer system or network.
■■ Loss of HVAC systems can lead to overheating problems that can affect electronic equipment, including security-related devices.
■■ The frequency of natural disasters is a contributing factor that must be considered when making contingency processing plans for an installation.
■■ Fires are a common problem for organizations. Two general approaches to addressing this problem are fire detection and fire suppression.
Identify factors that affect the security of the growing number of wireless technologies used for data transmission
■■ Wireless networks have many security issues, including the transmission and reception areas covered by access points, which are not easily controlled and can thus provide easy network access for intruders.
Prevent disclosure through electronic emanations
■■ With the appropriate equipment, the exact image of what is being displayed on a computer monitor can be re-created some distance away, allowing eavesdroppers to view what you are doing.
■■ Providing a lot of distance between the system you wish to protect and the closest place an eavesdropper could be is one way to protect against eavesdropping on electronic emanations. Devices can also be shielded so that their emanations are blocked.
■ Key Terms
acceptable use policy (AUP) (50)
biometrics (62)
Bluetooth (65)
business partnership agreement (BPA) (59)
due care (53)
due diligence (53)
guidelines (43)
heating, ventilation, and air conditioning (HVAC) (63)
IEEE 802.11 (65)
incident response policy (54)
interconnection security agreement (ISA) (59)
memorandum of understanding (MOU) (59)
physical security (61)
policies (43)
procedures (43)
security policy (44)
service level agreement (SLA) (59)
standards (43)
TEMPEST (66)
uninterruptible power supply (UPS) (64)
user habits (57)
■ Key Terms Quiz
Use terms from the Key Terms list to complete the sentences that follow. Don’t use the same term more than once. Not all terms will be used.
1. _______________ are high-level statements made by management that lay out the organization’s position on some issue.
2. The collective term used to refer to the systems that are used to maintain the comfort of an office environment and that are often controlled by computer systems is _______________.
3. A(n) _______________ is a device designed to provide power to essential equipment for a period of time when normal power is lost.
4. _______________ are a foundational security tool in engaging the workforce to improve the overall security posture of an organization.
5. _______________ are accepted specifications providing specific details on how a policy is to be enforced.
6. _______________ is a wireless technology designed as a short-range (approximately ten meters) personal area network (PAN) cable-replacement technology that may be built into a variety of devices such as mobile phones, tablets, and laptop computers.
7. A(n) _______________ is a legal document used to describe a bilateral agreement between parties.
8. _______________ are step-by-step instructions that describe exactly how employees are expected to act in a given situation or to accomplish a specific task.
9. The set of standards for wireless networks that is well suited for the LAN environment and whose normal mode is to have computers with network cards communicating with a wireless access point is _______________.
10. A(n) _______________ is a legal agreement between organizations establishing the terms, conditions, and expectations of the relationship between them.
■ Multiple-Choice Quiz
1. Which of the following is a physical security threat?
A. Cleaning crews are allowed unsupervised access because they have a contract.
B. Employees undergo background criminal checks before being hired.
C. All data is encrypted before being backed up.
D. All the above.
2. The benefit of fire detection equipment over fire suppression devices is:
A. Fire detection equipment is regulated, whereas fire suppression equipment is not.
B. Fire detection equipment will often catch fires at a much earlier stage, meaning that the fire can be addressed before significant damage can occur.
C. Fire detection equipment is much more reliable than fire suppression equipment.
D. There is no advantage of fire detection over fire suppression other than the cost of fire detection equipment is much less than the cost of fire suppression equipment.
3. Which of the following is a contractual agreement between entities that describes specified levels of service that the servicing entity agrees to guarantee for the customer?
A. Service level agreement
B. Support level agreement
C. Memorandum of understanding
D. Business service agreement
4. During which step of the policy lifecycle does training of users take place?
A. Plan for security.
B. Implement the plans.
C. Monitor the implementation.
D. Evaluate for effectiveness.
5. Biometric access controls are typically used in conjunction with another form of access control because:
A. Biometrics are still expensive.
B. Biometrics cannot be copied.
C. Biometrics are not always convenient to use.
D. Biometrics are not 100 percent accurate, having some level of misidentifications.
6. Procedures can be described as:
A. High-level, broad statements of what the organization wants to accomplish
B. Step-by-step instructions on how to implement the policies
C. Mandatory elements regarding the implementation of a policy
D. Recommendations relating to a policy
7. What technique can be used to protect against electromagnetic eavesdropping (known as the van Eck phenomenon)?
A. Provide sufficient distance between the potential target and the nearest location an attacker could be.
B. Put the equipment that you are trying to protect inside a shielded room.
C. Purchase “TEMPEST approved” equipment.
D. All of the above.
8. Key user habits that can improve security efforts include:
A. Do not discuss business issues outside of the office.
B. Never leave laptops or tablets inside your car unattended.
C. Be alert of people violating physical access rules (piggybacking through doors).
D. Items B and C.
9. When should a human security guard be used for physical access control?
A. When other electronic access control mechanisms will not be accepted by employees
B. When necessary to avoid issues such as piggybacking, which can occur with electronic access controls
C. When other access controls are too expensive to implement
D. When the organization wants to enhance its image
10. What device should be used by organizations to protect sensitive equipment from fluctuations in voltage?
A. A surge protector
B. An uninterruptible power supply
C. A backup power generator
D. A redundant array of inline batteries (RAIB)
Lab Projects
• Lab Project 3.1
Take a tour of your building on campus or at work. What is secured at night when workers are absent? Record the location and type of physical access control devices. How do these access controls change at night when workers are absent? How well trained do guards and other employees appear to be? Do they allow “piggybacking” (somebody slipping into a facility behind an authorized individual without being challenged)? What are the policies for visitors and contractors? How does this all impact physical security?
• Lab Project 3.2
Describe the four steps of the policy lifecycle. Obtain a policy from your organization (such as an acceptable use policy or Internet usage policy). How are users informed of this policy? How often is it reviewed? How would changes to it be suggested and who would make decisions on whether the changes were accepted?
■ Essay Quiz
1. Describe the difference between fire suppression and fire detection systems.
2. Discuss why physical security is also important to computer security professionals.
3. Why should we be concerned about HVAC systems when discussing security?
4. Outline the various components that make up (or should make up) an organization’s security perimeter. Which of these can be found in your organization (or school)?
As a consultant with the Security Advisors Co., you have been asked to develop a process for each of the following tasks:
1. Fire an employee in the Accounting and Finance department
2. Hire a new employee in the Research and Development department
3. Back up customer records in the company
Please consider the following instructions:
· You should develop a process for each task separately.
· Do not copy directly from the Internet (we will run a plagiarism checker; similarity must be below 20%).
· If you get any information from any resource, you shall provide references and cite them within the text.
· Keep your discussion precise and short (maximum 1500 words).
CHAPTER 10
Domain 9: Operations Security
EXAM OBJECTIVES IN THIS CHAPTER
• Administrative Security
• Sensitive Information/Media Security
• Asset Management
• Continuity of Operations
• Incident Response Management
UNIQUE TERMS AND DEFINITIONS
• Collusion—An agreement between two or more individuals to subvert the security of a system.
• Remanence—Data that might persist after removal attempts.
• Redundant Array of Inexpensive Disks (RAID)—A method of using multiple disk drives to achieve greater data reliability, greater speed, or both.
• Mirroring—Complete duplication of data to another disk, used by some levels of RAID.
• Striping—Spreading data writes across multiple disks to achieve performance gains, used by some levels of RAID.
INTRODUCTION
Operations Security is concerned with threats to a production operating environment. Threat agents can be internal or external actors, and operations security must account for both of these threat sources in order to be effective. Ultimately operations security centers on the fact that people need appropriate access to data. This data will exist on some particular media, and is accessible by means of a system. So operations security is about people, data, media, hardware, and the threats associated with each of these in a production environment.
CISSP® Study Guide. DOI: 10.1016/B978-1-59749-563-9.00010-X
© 2010 Elsevier, Inc. All rights reserved.
371
ADMINISTRATIVE SECURITY
All organizations contain people, data, and means for people to use the data. A fundamental aspect of operations security is ensuring that controls are in place to inhibit people either inadvertently or intentionally compromising the confidentiality, integrity, or availability of data or the systems and media holding that data. Administrative Security provides the means to control people’s operational access to data.
Administrative Personnel Controls
Administrative Personnel Controls represent important operations security concepts that should be mastered by the CISSP® candidate. These are fundamental concepts within information security that permeate through multiple domains.
Least Privilege or Minimum Necessary Access
One of the most important concepts in all of information security is that of the principle of least privilege. The principle of least privilege dictates that persons have no more than the access that is strictly required for the performance of their duties. The principle of least privilege may also be referred to as the principle of minimum necessary access. Regardless of name, adherence to this principle is a fundamental tenet of security, and should serve as a starting point for administrative security controls.
Although the principle of least privilege is applicable to organizations leveraging Mandatory Access Control (MAC), the principle’s application is most obvious in Discretionary Access Control (DAC) environments. With DAC, the principle of least privilege suggests that a user will be given access to data if, and only if, a data owner determines that a business need exists for the user to have the access. With MAC, we have a further concept that helps to inform the principle of least privilege: need to know.
Need to know
In organizations with extremely sensitive information that leverage Mandatory Access Control (MAC), basic determination of access is enforced by the system. The access determination is based upon clearance levels of subjects and classification levels of objects. Though the vetting process for someone accessing highly sensitive information is stringent, clearance level alone is insufficient when dealing with the most sensitive of information. An extension to the principle of least privilege in MAC environments is the concept of compartmentalization.
Compartmentalization, a method for enforcing need to know, goes beyond the mere reliance upon clearance level and necessitates simply that someone requires access to information. Compartmentalization is best understood by considering a highly sensitive military operation: while there may be a large number of individuals (some of high rank), only a subset “need to know” specific information. The others have no “need to know,” and therefore no access.
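The rule the two paragraphs above describe (clearance level first, then compartments for need to know) is short enough to write down precisely. The following is an added example, not code from the CISSP Study Guide: a subject may read an object only when the subject's clearance level is at least the object's classification level and the subject holds every compartment the object is marked with, so a high-ranking officer without the compartment is refused just as a low-clearance clerk is. The level names and the `OP-X` compartment are hypothetical labels chosen for the example.

```python
"""Mandatory access decision: clearance level plus need-to-know compartments.

Added example, not from the CISSP Study Guide. Level and compartment names
are hypothetical. Read access requires BOTH conditions the text describes:
the subject's level dominates the object's level, and the subject holds all
of the object's compartments (the need-to-know part).
"""
from dataclasses import dataclass

# Ordered classification levels (hypothetical ordering for the example).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A security label for a subject (clearance) or an object (classification)."""
    level: str
    compartments: frozenset = frozenset()


def dominates(subject: Label, obj: Label) -> bool:
    """True when the subject's label dominates the object's label."""
    return (LEVELS[subject.level] >= LEVELS[obj.level]
            and obj.compartments <= subject.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Read is permitted only if the subject's label dominates the object's."""
    return dominates(subject, obj)


def explain(subject: Label, obj: Label) -> list:
    """List the reasons a read is denied (empty list means it is allowed)."""
    reasons = []
    if LEVELS[subject.level] < LEVELS[obj.level]:
        reasons.append(f"clearance {subject.level} below classification {obj.level}")
    missing = obj.compartments - subject.compartments
    if missing:
        reasons.append("no need to know for " + ", ".join(sorted(missing)))
    return reasons


if __name__ == "__main__":
    op_plan = Label("SECRET", frozenset({"OP-X"}))        # compartmented object
    general = Label("TOP SECRET")                          # high clearance, no compartment
    analyst = Label("SECRET", frozenset({"OP-X"}))        # cleared and read in
    clerk = Label("CONFIDENTIAL", frozenset({"OP-X"}))    # read in, but under-cleared
    for name, subj in [("general", general), ("analyst", analyst), ("clerk", clerk)]:
        verdict = "ALLOW" if can_read(subj, op_plan) else "DENY"
        print(f"{name:8} {verdict}  {'; '.join(explain(subj, op_plan))}")
```

The `general` case is the one the text is making: a higher clearance does not by itself grant access to compartmented information, so the decision function must test the compartment subset and not just compare levels.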
372 CHAPTER 10 Domain 9: Operations security
Separation of Duties
While the principle of least privilege is necessary for sound operational security, in many cases it alone is not a sufficient administrative control. As an example, imagine that an employee has been away from the office for training, and has submitted an expense report indicating $1,000,000 was needed for reimbursement. This individual happens to be a person who, as part of her daily duties, had access to print reimbursement checks, and would therefore meet the principle of least privilege for printing her own reimbursement check. Should she be able to print herself a nice big $1,000,000 reimbursement check? While this access may be necessary for her job function, and thus meet the requirements for the principle of least privilege, additional controls are required.
The example above serves to illustrate the next administrative security control, separation of duties. Separation of duties prescribes that multiple people are required to complete critical or sensitive transactions. The goal of separation of duties is to ensure that in order for someone to be able to abuse their access to sensitive data or transactions, they must convince another party to act in concert. Collusion is the term used for the two parties conspiring to undermine the security of the transaction. The classic action movie example of separation of duties involves two keys, a nuclear sub, and a rogue captain.
LEARN BY EXAMPLE: SEPARATION OF DUTIES
Separation of duties is a hard lesson to learn for many organizations, but many only needed to learn this lesson once. One such organization had a relatively small and fledgling security department that was created as a result of regulatory compliance mandates. Most of the other departments were fairly antagonistic toward this new department because it simply cobbled together various perceived security functions and was not mindfully built. The original intent was for the department to serve primarily in an advisory capacity regarding all things in security, and for the department not to have operational responsibilities regarding changes. The result meant that security ran a lot of vulnerability scans, and took these to operations for resolution. Often operations staff were busy with more pressing matters than patch installations, the absence of which posed little perceived threat.
Ultimately, because of their incessant nagging, the security department was given the, thankless if ever there was one, task of enterprise patch management for all but the most critical systems. Though this worked fine for a while, eventually, one of the security department staff realized that his performance review depended upon his timely remediation of missing patches, and, in addition to being the person that installed the patches, he was also the person that reported whether patches were missing. Further scrutiny was applied when management thought it odd that he reported significantly fewer missing patches than all of his security department colleagues. Upon review it was determined that though the employee had indeed acted unethically, it was beneficial in bringing the need for separation of duties to light. Though many departments have not had such an egregious breach of conduct, it is important to be mindful of those with audit capabilities also being operationally responsible for what they are auditing. The moral of the story: Quis custodiet ipsos custodes?[1] Who watches the watchers?
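Both the reimbursement example and the patch-management story above come down to the same two checks, and they are easy to enforce in software. The block below is an added example, not code from the CISSP Study Guide. It shows a dynamic separation-of-duties rule (the submit, approve and disburse steps of one reimbursement must be performed by three different people, so nobody prints their own check) and a static one (a role that reports missing patches may never be held together with the role that installs them, which is the conflict the story describes). The names, roles, step names and the dollar amount are hypothetical.

```python
"""Separation-of-duties controls for a sensitive transaction.

Added example, not from the CISSP Study Guide. Roles, names and the
reimbursement steps are hypothetical. Two controls are shown:
  * static: pairs of roles no single account may hold at the same time;
  * dynamic: each step of one transaction must be done by a different person.
Separation of duties raises the bar to collusion; it does not remove it.
"""

# Static separation of duty: role pairs that one person must never hold together.
# The auditor/operator pair is the conflict from the patch-management story.
MUTUALLY_EXCLUSIVE_ROLES = {
    frozenset({"patch_installer", "patch_auditor"}),
    frozenset({"check_requester", "check_approver"}),
}


def role_conflicts(user_roles: dict) -> list:
    """Return (user, role_a, role_b) for every user holding an excluded pair."""
    conflicts = []
    for user, roles in sorted(user_roles.items()):
        for pair in sorted(MUTUALLY_EXCLUSIVE_ROLES, key=sorted):
            if pair <= set(roles):
                a, b = sorted(pair)
                conflicts.append((user, a, b))
    return conflicts


class SoDViolation(Exception):
    """Raised when a step would let one person act alone on a critical transaction."""


class Reimbursement:
    """A reimbursement that needs three distinct people to complete."""
    STEPS = ("submit", "approve", "disburse")

    def __init__(self, amount):
        self.amount = amount
        self.actors = {}   # step -> user who performed it

    def is_complete(self) -> bool:
        return len(self.actors) == len(self.STEPS)

    def perform(self, step: str, user: str) -> None:
        expected = None if self.is_complete() else self.STEPS[len(self.actors)]
        if step != expected:
            raise SoDViolation(f"step {step!r} not allowed now; expected {expected!r}")
        if user in self.actors.values():
            done = next(s for s, u in self.actors.items() if u == user)
            raise SoDViolation(f"{user} already performed {done!r}; "
                               f"a different person must {step}")
        self.actors[step] = user


def try_perform(txn: Reimbursement, step: str, user: str) -> bool:
    """Attempt a step; True if accepted, False if separation of duties blocks it."""
    try:
        txn.perform(step, user)
        return True
    except SoDViolation:
        return False


if __name__ == "__main__":
    r = Reimbursement(1_000_000)
    for step, who in [("submit", "alice"), ("approve", "bob"),
                      ("disburse", "alice"), ("disburse", "carol")]:
        print(f"{step:9} by {who:6}", "accepted" if try_perform(r, step, who) else "BLOCKED")
    print("complete:", r.is_complete())
    print("role conflicts:",
          role_conflicts({"dave": ["patch_installer", "patch_auditor"],
                          "erin": ["patch_auditor"]}))
```

The static check belongs in whatever provisions accounts (run it before granting a role), while the dynamic check belongs in the transaction itself; the story in the text is a failure of the first kind, and the $1,000,000 check is a failure of the second.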
Rotation of Duties/Job Rotation
Rotation of Duties, also known as job rotation or rotation of responsibilities, provides an organization with a means to help mitigate the risk associated with any one individual having too many privileges. Rotation of duties simply requires that critical functions or responsibilities are not continuously performed by the same single person without interruption. There are multiple issues that rotation of duties can help begin to address. One issue addressed by job rotation is the “hit by a bus” scenario: imagine, morbid as it is, that any one individual in the organization is hit by a bus on their way to work. If the operational impact of the loss of an individual would be too great, then perhaps one way to assuage this impact would be to ensure that there is additional depth of coverage for this individual’s responsibilities.
Rotation of duties can also mitigate fraud. Over time some employees can develop a sense of ownership and entitlement to the systems and applications they work on. Unfortunately, this sense of ownership can lead to the employee’s finding and exploiting a means of defrauding the company with little to no chance of arousing suspicion. One of the best ways to detect this fraudulent behavior is to require that responsibilities that could lead to fraud be frequently rotated amongst multiple people. In addition to the increased detection capabilities, the fact that responsibilities are routinely rotated itself deters fraud.
EXAM WARNING
Though job or responsibility rotation is an important control, this, like many other controls, is often compared against the cost of implementing the control. Many organizations will opt for not implementing rotation of duties because of the cost associated with implementation. For the exam, be certain to appreciate that cost is always a consideration, and can trump the implementation of some controls.
Mandatory Leave/Forced Vacation
An additional operational control that is closely related to rotation of duties is that of mandatory leave, also known as forced vacation. Though there are various justifications for requiring employees to be away from work, the primary security considerations are similar to that addressed by rotation of duties: reducing or detecting personnel single points of failure, and detection and deterrence of fraud. Discovering a lack of depth in personnel with critical skills can help organizations understand risks associated with employees unavailable for work due to unforeseen circumstances. Forcing all employees to take leave can identify areas where depth of coverage is lacking. Further, requiring employees to be away from work while it is still operating can also help discover fraudulent or suspicious behavior. As stated before, the sheer knowledge that mandatory leave is a possibility might deter some individuals from engaging in the fraudulent behavior in the first place, because of the increased likelihood of getting caught.
374 CHAPTER 10 Domain 9: Operations security
Non-Disclosure Agreement
A non-disclosure agreement (NDA) is a work-related contractual agreement that ensures that, prior to being given access to sensitive information or data, an individual or organization appreciates their legal responsibility to maintain the confidentiality of sensitive information. Non-disclosure agreements are often signed by job candidates before they are hired, as well as by consultants or contractors. Non-disclosure agreements are largely a directive control.
NOTE
Though non-disclosure agreements are now commonly part of the employee orientation process, it is vitally important that all departments within an organization appreciate the need for non-disclosure agreements. This is especially important for organizations where it is commonplace for individual departments to engage with outside consultants and contractors.
Background Checks
Background checks (also known as background investigations or preemployment screening) are an additional administrative control commonly employed by many organizations. The majority of background investigations are performed as part of a preemployment screening process. Some organizations perform cursory background investigations that include a criminal record check. Others perform more in-depth checks, such as verifying employment history, obtaining credit reports, and in some cases requiring the submission of a drug screening.
The sensitivity of the position being filled, or of the data to which the individual will have access, strongly determines the degree to which this information is scrutinized and the depth to which the investigation will report. The overt purpose of these preemployment background investigations is to ensure that persons who will be employed have not exhibited behaviors that might suggest they cannot be trusted with the responsibilities of the position. Ongoing, or postemployment, investigations seek to determine whether the individual continues to be worthy of the trust required of their position. Background checks performed in advance of employment serve as a preventive control, while ongoing repeat background checks constitute a detective control and possibly a deterrent.
Privilege Monitoring
The business needs of organizations require that some individuals have privileged access to critical systems, or to systems which contain sensitive data. These individuals’ heightened privileges require both greater scrutiny and more thoughtful controls in order to ensure that confidentiality, integrity, and availability remain intact. Some of the job functions that warrant greater scrutiny include: account creation/modification/deletion, system reboots, data backup, data restoration, source code access, audit log access, security configuration capabilities, etc.
SENSITIVE INFORMATION/MEDIA SECURITY
Though security and controls related to the people within an enterprise are vitally important, so is having a regimented process for handling sensitive information, including media security. This section discusses concepts that are an important component of a strong overall information security posture.
Sensitive Information
All organizations have sensitive information that requires protection, and that sensitive information physically resides on some form of media. In addition to primary storage, backup storage must also be considered. It is also likely that sensitive information is transferred, whether internally or externally, for use. Wherever the data exists, there must be processes that ensure the data is not destroyed or rendered inaccessible (a breach of availability), disclosed (a breach of confidentiality), or altered (a breach of integrity).
Labeling/marking
Perhaps the most important step in media security is the process of locating sensitive information, and labeling or marking it as sensitive. How the data is labeled should correspond to the organizational data classification scheme.
Handling
People handling sensitive media should be trusted individuals who have been vetted by the organization. They must understand their role in the organization’s information security posture. Sensitive media should have strict policies regarding its handling. Policies should require the inclusion of written logs detailing the person responsible for the media. Historically, backup media has posed a significant problem for organizations.
Storage
When storing sensitive information, it is preferable to encrypt the data. Encryption of data at rest greatly reduces the likelihood of the data being disclosed in an unauthorized fashion due to media security issues. Physical storage of the media containing sensitive information should not be performed in a haphazard fashion, whether the data is encrypted or not. Care should be taken to ensure that there are strong physical security controls wherever media containing sensitive information is accessible.
Retention
Media and information have a limited useful life. Retention of sensitive information should not persist beyond the period of usefulness or legal requirement (whichever is greater), as it needlessly exposes the data to threats of disclosure when the data is no longer needed by the organization. Keep in mind that there may be regulatory or other legal reasons that compel the organization to retain such data beyond its time of utility.
Media Sanitization or Destruction of Data
It is time to destroy data or the associated media once an organization has identified that it no longer requires retention from an operations or legal perspective. While some data might not be sensitive and not warrant thorough data destruction measures, an organization will have data that must be verifiably destroyed, or otherwise rendered nonusable in case the media on which it was housed is recovered by a third party. The process for sanitization of media or destruction of data varies directly with the type of media and the sensitivity of the data.
NOTE
The concepts of data destruction and data remanence are also referenced as part of Chapter 5, Domain 4: Physical (Environmental) Security. As is often the case with the CISSP®, some content easily falls within multiple domains, and might deserve coverage in both sections, as is the case here.
Data Remanence
The term data remanence is important to understand when discussing media sanitization and data destruction. Data remanence is data that persists beyond noninvasive means to delete it. Though data remanence is sometimes used specifically to refer to residual data that persists on magnetic storage, remanence concerns go beyond just that of magnetic storage media. Security professionals must understand and appreciate the steps to make data unrecoverable.
Wiping, overwriting, or shredding
File deletion is an important concept for security professionals to understand. In most file systems, if a user deletes a file, the file system merely removes metadata pointers or references to the file. The file allocation table references are removed, but the file data itself remains. Significant amounts of “deleted data” may be recovered (“undeleted”); forensic tools are readily available to do so. Reformatting a file system may also leave data intact.
Though simple deletion of files or reformatting of hard disks is not sufficient to render data unrecoverable, files may be securely wiped or overwritten. Wiping, also called overwriting or shredding, writes new data over each bit or block of file data. One of the shortcomings of wiping is when hard disks become physically damaged, preventing the successful overwriting of all data. An attacker with means and motive could attempt advanced recovery of the hard disks if there was significant perceived value associated with the media.
NOTE
For many years security professionals and other technologists accepted that data could theoretically be recovered even after having been overwritten. Though the suggested means of recovery involved both a clean room and an electron microscope, which is likely beyond the means of most would-be attackers, organizations typically employed either what has been referred to as the DoD (Department of Defense) short method, the DoD standard method, or the Gutmann approach² to wiping, which involved 3, 7, or 35 successive passes, respectively. Now it is commonly considered acceptable in industry to have simply a single successful pass to render data unrecoverable. This has saved organizations many hours that were wasted on unnecessary repeat wipes.
Degaussing
By introducing an external magnetic field through use of a degausser, the data on magnetic storage media can be made unrecoverable. Magnetic storage media depends upon the magnetization of the media being static unless intentionally changed by the storage media device. A degausser destroys the integrity of the magnetization of the storage media, making the data unrecoverable.
Physical Destruction
Physical destruction, when carried out properly, is considered the most secure means of media sanitization. One of the reasons for the higher degree of assurance is the greater likelihood of errors resulting in data remanence with wiping or degaussing. Physical destruction is certainly warranted for the most sensitive of data. Common means of destruction include incineration and pulverization.
Shredding
A simple form of media sanitization is shredding, a type of physical destruction. Though this term is sometimes used in relation to overwriting of data, here shredding refers to the process of making data printed on hard copy, or on smaller objects such as floppy or optical disks, unrecoverable. Sensitive information such as printed information needs to be shredded prior to disposal in order to thwart a dumpster diving attack. Dumpster diving is a physical attack in which a person recovers trash in hopes of finding sensitive information that has been merely discarded whole rather than being run through a shredder, incinerated, or otherwise destroyed. Figure 10.1 shows locked shred bins that contain material that is intended for shredding. The locks are intended to ensure that dumpster diving is not possible during the period prior to shredding.
ASSET MANAGEMENT
A holistic approach to operational information security requires organizations to focus on systems as well as the people, data, and media. Systems security is another vital component of operational security, and there are specific controls that can greatly help system security throughout the system’s lifecycle.
Configuration Management
One of the most important components of any systems security work is the development of a consistent system security configuration that can be leveraged throughout the organization. The goal is to move beyond the default system configuration to one that is both hardened and meets the operational requirements of the organization. One of the best ways to protect an environment against future zero-day attacks (attacks against vulnerabilities with no patch or fix) is to have a hardened system that only provides the functionality strictly required by the organization.
Development of a security-oriented baseline configuration is a time consuming process due to the significant amount of research and testing involved. However, once an organizational security baseline is adopted, the benefits of having a known, hardened, consistent configuration will greatly increase system security for an extended period of time. Further, organizations do not need to start from scratch with their security baseline development, as different entities provide guidance on baseline security. These predefined baseline security configurations might come from the vendor who created the device or software, from government agencies, or from the nonprofit Center for Internet Security (see: http://www.cisecurity.org/).
Basic configuration management practices associated with system security will involve tasks such as: disabling unnecessary services, removing extraneous programs, enabling security capabilities such as firewalls, antivirus, and intrusion detection or prevention systems, and the configuration of security and audit logs.
FIGURE 10.1
Locked shred bins.
Source: http://commons.wikimedia.org/wiki/File:Confidential_shred_bins.JPG. Photograph by: © BrokenSphere/Wikimedia Commons. Image under permission of Creative Commons Attribution ShareAlike 3.0.
Baselining
Standardizing on a security configuration is certainly important, but there is an additional consideration with respect to security baselines. Security baselining is the process of capturing a point-in-time understanding of the current system security configuration. Establishing an easy means for capturing the current system security configuration can be extremely helpful in responding to a potential security incident. Assuming that the system or device in question was built from a standardized security baseline, and also that strong change control measures (see the Change Management section below) are adhered to, there would be little need to capture the current security configuration. However, in the real world, unauthorized changes can and will occur in even the most strictly controlled environment, which necessitates the monitoring of a system’s security configuration over time. Further, even authorized system modifications that adhere to the change management procedures need to be understood and easily captured. Another reason to emphasize continual baselining is that there may be systems that were not originally built to an initial security baseline. A common mistake that organizations make regarding system security is focusing on establishing a strong system security configuration, but failing to quickly and easily appreciate the changes to a system’s security configuration over time.
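As an added example (not code from the book), the following Python captures the point-in-time configuration snapshot described above and reports drift against it, which is the check an incident responder wants when asking "what changed on this host?" The directory layout, file names and contents are constructed for the demonstration.

```python
"""Point-in-time security baseline capture and drift detection.

Added example, not from the book: records a SHA-256 hash and permission
bits for every file under a root, then diffs a later snapshot against the
stored baseline so unauthorized changes can be spotted over time.
"""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

Snapshot = Dict[str, Tuple[str, int]]  # relative path -> (sha256 hex, mode)


def capture_baseline(root: str) -> Snapshot:
    """Walk `root` and record a content hash and permission bits per file."""
    snapshot: Snapshot = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            snapshot[rel] = (digest, stat.S_IMODE(os.stat(full).st_mode))
    return snapshot


def diff_baseline(baseline: Snapshot, current: Snapshot) -> Dict[str, List[str]]:
    """Classify every difference between two snapshots.

    'added' and 'removed' are files present in only one snapshot, 'modified'
    means the content hash changed, and 'permissions' means the content is
    identical but the mode bits differ (for example a config file that was
    made world-writable).
    """
    findings: Dict[str, List[str]] = {
        "added": [], "removed": [], "modified": [], "permissions": []}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            findings["added"].append(path)
        elif path not in current:
            findings["removed"].append(path)
        else:
            old_hash, old_mode = baseline[path]
            new_hash, new_mode = current[path]
            if old_hash != new_hash:
                findings["modified"].append(path)
            elif old_mode != new_mode:
                findings["permissions"].append(path)
    return findings


def demo_drift() -> Dict[str, List[str]]:
    """Build a constructed mini config tree, baseline it, apply unauthorized
    changes of each kind, and return the resulting drift report."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        files = {  # constructed sample files, not a real host
            "etc/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
            "etc/sudoers": b"root ALL=(ALL) ALL\n",
            "etc/motd": b"Authorized use only.\n",
        }
        for rel, content in files.items():
            path = os.path.join(root, rel)
            with open(path, "wb") as fh:
                fh.write(content)
            os.chmod(path, 0o644)
        baseline = capture_baseline(root)

        # Simulated drift: a weakened sshd setting, sudoers made world-writable,
        # the banner removed, and a file that is not part of the baseline.
        with open(os.path.join(root, "etc/sshd_config"), "wb") as fh:
            fh.write(b"PermitRootLogin yes\nPasswordAuthentication yes\n")
        os.chmod(os.path.join(root, "etc/sudoers"), 0o666)
        os.remove(os.path.join(root, "etc/motd"))
        with open(os.path.join(root, "etc/unexpected.conf"), "wb") as fh:
            fh.write(b"not in the approved baseline\n")
        return diff_baseline(baseline, capture_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo_drift().items():
        print(f"{kind:12s} {paths}")
```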
Patch Management
One of the most basic, yet still rather difficult, tasks associated with maintaining a strong system security configuration is patch management, the process of managing software updates. All software has flaws or shortcomings that are not fully addressed in advance of being released. The common approach to fixing software is by applying patches to address known issues. Not all patches are concerned with security; many are associated with simple nonsecurity related bug fixes. However, security patches do represent a significant piece of the overall patch pie. Software vendors announce patches both publicly and directly to their customers. Once notified of a patch, organizations need to evaluate the patch from a risk management perspective to determine how aggressively the patch will need to be deployed. Testing is typically required to determine whether any adverse outcomes are likely to result from the patch installation. From a timeline standpoint, testing often occurs concomitantly with the risk evaluation. Installation is the final phase of the patch management process, assuming adverse effects do not require remediation.
While the process of installing a single patch from a single vendor on a single system might not seem that onerous, managing the identification, testing, and installation of security patches from dozens of vendors across thousands of systems can become extremely cumbersome. Also, the degree to which patch installations can be centrally deployed or automated varies quite a bit amongst vendors. A relatively recent change in the threat landscape has made patch management even more difficult: attackers are increasingly focused on targeting clients rather than server based systems. With attackers emphasizing client side applications such as browsers and their associated plugins, extensions, and frameworks, office suites, and PDF readers, the patch management landscape is rapidly growing in complexity.
Vulnerability Management
Security patches are typically intended to eliminate a known vulnerability. Organizations are constantly patching desktops, servers, network devices, telephony devices and other information systems. The likelihood of an organization having fully patched every system is low. While un-patched systems may be known, it is also common to have systems which were thought to have been patched which were not. It is an even more common occurrence to find systems in need of an unknown patch. Vulnerability scanning is a way to discover poor configurations and missing patches in an environment. While it might seem obvious, it bears mentioning that vulnerability scanning devices are only capable of discovering the existence of known vulnerabilities. Though discovering missing patches is the most significant feature provided by vulnerability scanning devices or software, some are also capable of discovering vulnerabilities associated with poor configurations.
The term vulnerability management is used rather than just vulnerability scanning to emphasize the need for management of the vulnerability information. Many organizations are initially a bit overzealous with their vulnerability scanning and want to continuously enumerate all vulnerabilities within the enterprise. There is limited value in simply listing thousands of vulnerabilities unless there is also a process that attends to the prioritization and remediation of these vulnerabilities. The remediation or mitigation of vulnerabilities should be prioritized based on both risk to the organization and ease of remediation procedures.
Zero-Day Vulnerabilities and Zero-Day Exploits
Organizations intend to patch vulnerabilities before they are exploited by an attacker. As patches are released, attackers begin trying to reverse engineer exploits for the now-known patched vulnerability. This process of developing an exploit to fit a patched vulnerability has been occurring for quite some time, but what is changing is the typical time-to-development of an exploit. The average window of time between a patch being released and an associated exploit being made public is decreasing. Recent research even suggests that for some vulnerabilities, an exploit can be created within minutes based simply on the availability of the unpatched and patched program³.
In addition to attackers reverse engineering security patches to develop exploits, it is also possible for an attacker to discover a vulnerability before the vendor has developed a patch, or has been made aware of the vulnerability by either internal or external security researchers. The term for a vulnerability being known before the existence of a patch is zero-day vulnerability. Zero-day vulnerabilities, also commonly written 0-day, are becoming increasingly important as attackers are becoming more skilled in discovery, and, more importantly, the discovery and disclosure of zero-day vulnerabilities is being monetized. A zero-day exploit, rather than vulnerability, refers to the existence of exploit code for a vulnerability which has yet to be patched.
Change Management
As stated above, system, network, and application changes are required. A system that does not change will become less secure over time, as security updates and patches are not applied. In order to maintain consistent and known operational security, a regimented change management or change control process needs to be followed. The purpose of the change control process is to understand, communicate, and document any changes, with the primary goal of being able to understand, control, and avoid direct or indirect negative impact that the change might impose. The overall change management process has phases, the implementation of which will vary to some degree within each organization. Typically there is a change control board that oversees and coordinates the change control process. In smaller organizations, the change control board might be a much less formal group than is found in larger organizations, sometimes even consisting of just one or two individuals.
The intended change must first be introduced or proposed to the change control board. The change control board then gathers and documents sufficient details about the change to attempt to understand the implications. The person or group proposing the change should attempt to supply information about any potential negative impacts that might result from the change, as well as any negative impacts that could result from not implementing the change. Ultimately, the decision to implement the change, and the timeliness of this implementation, will be driven by principles of risk and cost management. Therefore, details related to the organizational risk associated with both enacting and delaying the change must be brought to the attention of the change control board. Another risk-based consideration is whether or not the change can be easily reversed should unforeseen impacts be greater than anticipated. Many organizations will require a rollback plan, which is sometimes also known as a backout plan. This plan will attempt to detail the procedures for reversing the change should that be deemed necessary.
If the change control board finds that the change is warranted, then a schedule for testing and implementing the change will be agreed upon. The schedule should take into account other changes and projects impacting the organization and its resources. Associated with the scheduling of the change implementation is the notification process that informs all departments impacted by the change. The next phase of the change management process will involve the testing and subsequent implementation of the change. Once implemented, a report should be provided back to the change control board detailing the implementation, and whether or not the change was successfully implemented according to plan.
Change management is not an exact science, nor is the prescribed approach a perfect fit for either all organizations or all changes. In addition to each organization having a slightly different take on the change management process, there will also likely be particular changes that warrant deviation from the organizational norm because the change is either more or less significant than typical changes. For instance, managing the change associated with a small patch could well be handled differently than a major service pack installation. Because of the variability of the change management process, specific named phases have not been offered in this section. However, the general flow of the change management process includes:
• Identifying a change
• Proposing a change
• Assessing the risk associated with the change
• Testing the change
• Scheduling the change
• Notifying impacted parties of the change
• Implementing the change
• Reporting results of the change implementation
All changes must be closely tracked and auditable. A detailed change record should be kept. Some changes can destabilize systems or cause other problems; change management auditing allows operations staff to investigate recent changes in the event of an outage or problem. Audit records also allow auditors to verify that change management policies and procedures have been followed.
CONTINUITY OF OPERATIONS
Although some continuity concepts have already been covered in Chapter 7: Domain 6: Business Continuity and Disaster Recovery Planning, this section will focus on more overtly operational concerns related to continuity. Needless to say, continuity of operations is principally concerned with the availability portion of the confidentiality, integrity, availability triad.
Service Level Agreements (SLA)
As organizations leverage service providers and hosted solutions to a greater extent, continuity of operations considerations become critical in contract negotiations such as service level agreements. Service level agreements have been important for some time, but they are becoming increasingly critical as organizations are increasingly choosing to have external entities perform critical services or host significant assets and applications. The goal of the service level agreement is to stipulate all expectations regarding the behavior of the department or organization that is responsible for providing services and the quality of the services provided. Often service level agreements will dictate what is considered acceptable regarding things such as bandwidth, time to delivery, response times, etc.
Though availability is usually the most critical security consideration of a service level agreement, the consideration of other security aspects will increase as they become easier to quantify through better metrics. Further, as organizations increasingly leverage hosting service providers for more than just commoditized connectivity, the degree to which security is emphasized will increase. One important point to realize about service level agreements is that it is paramount that organizations negotiate all security terms of a service level agreement with their service provider prior to engaging with the company. Typically, if an organization wants a service provider to agree after the fact to specific terms of a service level agreement, then the organization will be required to pay an additional premium for the service.
NOTE
The most obvious example of a trend toward increasingly critical information and services being hosted by a service provider is that of the growing popularity of cloud computing. Cloud computing allows organizations to effectively rent computing speed, storage, and bandwidth from a service provider for the hosting of some of their infrastructure. Security and quality of service of these solutions constitute an extremely important point of distinction between the service offerings and their associated costs. Though not overtly testable for the CISSP®, cloud computing is becoming an important concept for security professionals to appreciate.
Fault Tolerance
In order for systems and solutions within an organization to be able to continually provide operational availability, they must be implemented with fault tolerance in mind. Availability is not solely focused on system uptime requirements, but also requires that data be accessible in a timely fashion. Both system and data fault tolerance will be attended to within this section.
Backup
The most basic and obvious measure to increase system or data fault tolerance is to provide for recoverability in the event of a failure. Given a long enough timeframe, accidents, such as that in Figure 10.2, will happen. In order for data to be able to be recovered in case of a fault, some form of backup or redundancy must be provided. Though magnetic tape media is quite an old technology, it is still the most common repository of backup data. Three basic types of backups exist: the full backup, the incremental backup, and the differential backup.
FIGURE 10.2
Why are backups necessary?
Source: http://commons.wikimedia.org/wiki/File:Backup_Backup_Backup_-_And_Test_Restores.jpg. Photograph by: John Boston. Image used under Creative Commons Attribution 2.0 License.
Full
The full backup is the easiest to understand of the types of backup; it simply is a replica of all allocated data on a hard disk. Full backups contain all of the allocated data on the hard disk, which makes them simple from a recovery standpoint in the event of a failure. Though the time and media necessary to recover are less for full backups than for those approaches that employ other methods, the amount of media required to hold full backups is greater. Another downside of using only full backups is the time it takes to perform the backup itself. The time required to complete a backup must be within the backup window, which is the planned period of time in which backups are considered operationally acceptable. Because of the larger amount of media, and therefore cost of media, and the longer backup window requirements, full backups are often coupled with either incremental or differential backups to balance the time and media considerations.
Incremental
One alternative to exclusively relying upon full backups is to leverage incremental backups. Incremental backups only archive files that have changed since the last backup of any kind was performed. Since fewer files are backed up, the time to perform the incremental backup is greatly reduced. To understand the tape requirements for recovery, consider an example backup schedule using tapes, with weekly full backups on Sunday night and daily incremental backups.
Each Sunday, a full backup is performed. For Monday’s incremental backup, only those files which have been changed since Sunday’s backup will be marked for backup. On Tuesday, those files which have been changed since Monday’s incremental backup will be marked for backup. Wednesday, Thursday, Friday, and Saturday would all simply perform a backup of those files that had changed since the previous incremental backup.
Given this schedule, if a data or disk failure occurs and there is a need for recovery, then the most recent full backup and each and every incremental backup since the full backup is required to initiate a recovery. Though the time to perform each incremental backup is extremely short, the downside is that a full restore can require quite a few tapes, especially if full backups are performed less frequently. Also, the odds of a failed restoration due to a tape integrity issue (such as a broken tape) rise with each additional tape required.
Differential
Another approach to data backup is the differential backup method. While the incremental backup only archived those files that had changed since any backup, the differential method will back up any files that have been changed since the last full backup. The following is an example of a backup schedule using tapes, with weekly full backups on Sunday night and daily differential backups.
Each Sunday, a full backup is performed. For Monday’s differential backup, only those files which have been changed since Sunday’s backup will be archived. On Tuesday, again those files which have been changed since Sunday’s full backup, including those backed up with Monday’s differential, will be archived. Wednesday, Thursday, Friday, and Saturday would all simply archive all files that had changed since the previous full backup.
Given this schedule, if a data or disk failure occurs and there is a need for recovery, then only the most recent full backup and the most recent differential backup are required to initiate a full recovery. Though the time to perform each differential backup is shorter than a full backup, as more time passes since the last full backup the length of time to perform a differential backup will also increase. If much of the data being backed up regularly changes, or the time between full backups is long, then the length of time for a backup might approach that of the full backup.
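To make the tape arithmetic of the incremental and differential schedules above concrete, here is an added Python simulation (not code from the book) of the Sunday-full schedule using the per-file archive bit that tape backup software tracks; it reports which tapes a restore needs after a mid-week failure. The file names and change days are constructed for the demonstration.

```python
"""Tape requirements for full, incremental and differential backups.

Added example, not from the book: simulates the schedule described above
(full backup every Sunday night, a daily incremental or differential on the
other nights) with a per-file archive bit. An incremental clears the bit on
every file it archives; a differential leaves it set, so each differential
re-archives everything changed since the last full.
"""
from typing import Dict, List, Set

DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]

# Constructed data set: every file on the protected volume, and which files
# were modified on which day (before that night's backup runs).
ALL_FILES = {"payroll.db", "web.log", "policy.docx", "archive.zip"}
CHANGES: Dict[str, Set[str]] = {
    "Mon": {"web.log"},
    "Tue": {"web.log", "payroll.db"},
    "Thu": {"policy.docx"},
}


def run_schedule(all_files: Set[str], changes: Dict[str, Set[str]],
                 method: str) -> List[dict]:
    """Return one tape record per night: {'day', 'type', 'files'}."""
    if method not in ("incremental", "differential"):
        raise ValueError("method must be 'incremental' or 'differential'")
    archive_bit = {f: True for f in all_files}  # all files await the first full
    tapes: List[dict] = []
    for day in DAYS:
        for f in changes.get(day, set()):
            archive_bit[f] = True  # a modification marks the file for backup
        if day == "Sun":
            tapes.append({"day": day, "type": "full", "files": set(all_files)})
            for f in all_files:
                archive_bit[f] = False  # the full backup resets every bit
        else:
            marked = {f for f, bit in archive_bit.items() if bit}
            tapes.append({"day": day, "type": method, "files": marked})
            if method == "incremental":
                for f in marked:
                    archive_bit[f] = False  # a differential leaves bits set
    return tapes


def tapes_needed_for_restore(tapes: List[dict], failure_day: str) -> List[str]:
    """Days whose tapes must be mounted to restore after a disk failure on
    `failure_day` (assumed to happen before that night's backup runs)."""
    available = tapes[: DAYS.index(failure_day)]
    if not available:
        raise ValueError("no tape from this cycle yet; use last week's set")
    full_idx = max(i for i, t in enumerate(available) if t["type"] == "full")
    needed = [available[full_idx]]
    since_full = available[full_idx + 1:]
    if since_full:
        if since_full[0]["type"] == "incremental":
            needed.extend(since_full)        # every incremental since the full
        else:
            needed.append(since_full[-1])    # only the most recent differential
    return [t["day"] for t in needed]


def restore(tapes: List[dict], failure_day: str) -> Dict[str, str]:
    """Replay the needed tapes in order; returns file -> day of the copy used."""
    by_day = {t["day"]: t for t in tapes}
    restored: Dict[str, str] = {}
    for day in tapes_needed_for_restore(tapes, failure_day):
        for f in by_day[day]["files"]:
            restored[f] = day  # a later tape overwrites an earlier copy
    return restored


if __name__ == "__main__":
    for method in ("incremental", "differential"):
        tapes = run_schedule(ALL_FILES, CHANGES, method)
        for t in tapes:
            print(f"{method:12s} {t['day']} {t['type']:12s} {sorted(t['files'])}")
        print("restore after a Friday failure needs:",
              tapes_needed_for_restore(tapes, "Fri"))
```

Note that the Wednesday incremental tape is empty yet still part of the restore chain, which is exactly the extra-tape exposure the text describes.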
Redundant Array of Inexpensive Disks (RAID)
Even if only one full backup tape is needed for recovery of a system due to a hard disk failure, the time to recover a large amount of data can easily exceed the recovery time dictated by the organization. The goal of a Redundant Array of Inexpensive Disks (RAID) is to help mitigate the risk associated with hard disk failures. There are various RAID levels that consist of different approaches to disk array configurations. These differences in configuration have varying cost, in terms of the number of disks lost to achieve the configuration’s goals, and capabilities in terms of reliability and performance advantages. Table 10.1 provides a brief description of the various RAID levels that are most commonly used.
Three terms that are important to understand with respect to RAID are: mirroring; striping; and parity.
• Mirroring is the most obvious and basic of the fundamental RAID concepts, and is simply used to achieve full data redundancy by writing the same data to multiple hard disks. Since mirrored data must be written to multiple disks the write times are slower. However, there can be performance gains when reading mirrored data by simultaneously pulling data from multiple hard disks. Other than read and write performance considerations, a major cost associated with mirroring is disk usage; at least half of the drives are used for redundancy when mirroring is used.
Table 10.1 RAID Levels
RAID Level   Description
RAID 0       Striped set
RAID 1       Mirrored set
RAID 3       Byte level striping with dedicated parity
RAID 4       Block level striping with dedicated parity
RAID 5       Block level striping with distributed parity
RAID 6       Block level striping with double distributed parity
• Striping is a RAID concept that is focused on increasing the read and write performance by spreading data across multiple hard disks. With data being spread amongst multiple disk drives, reads and writes can be performed in parallel across multiple disks rather than serially on one disk. This parallelization provides a performance increase, but does not aid in data redundancy. The final concept is parity.
• Parity is a means to achieve data redundancy without incurring the same degree of cost as that of mirroring in terms of disk usage and write performance.
EXAM WARNING
While the ability to quickly recover from a disk failure is the goal of RAID, there are configurations that do not have reliability as a capability. For the exam, be sure to understand that not all RAID configurations provide additional reliability.
RAID 0: Striped Set
As is suggested by the title, RAID 0 employs striping to increase the performance of reads and writes. By itself, striping offers no data redundancy, so RAID 0 is a poor choice if recovery of data is the reason for leveraging RAID. Figure 10.3 shows visually what RAID 0 entails.
FIGURE 10.3 RAID 0—Striped Set. [Figure: blocks A, C, E, G on one disk; blocks B, D, F, H on the other.]
RAID 1: Mirrored Set
This level of RAID is perhaps the simplest of all RAID levels to understand. RAID 1 creates/writes an exact duplicate of all data to an additional disk. The write performance is decreased, though the read performance can see an increase. Disk cost is one of the most troubling aspects of this level of RAID, as at least half of all disks are dedicated to redundancy. Figure 10.4 shows RAID 1 visually.
FIGURE 10.4 RAID 1—Mirrored Set. [Figure: blocks A, B, C, D written identically to both disks.]
RAID 2: Hamming Code
RAID 2 is not considered commercially viable for hard disks and is not used. This level of RAID would require either 14 or 39 hard disks and a specially designed hardware controller, which makes RAID 2 incredibly cost prohibitive. RAID 2 is not likely to be tested.
RAID 3: Striped Set with Dedicated Parity (byte level)
Striping is desirable due to the performance gains associated with spreading data across multiple disks. However, striping alone is not as desirable due to the lack of redundancy. With RAID 3, data is striped at the byte level across multiple disks, but an additional disk is leveraged for storage of parity information, which is used for recovery in the event of a failure.
RAID 4: Striped Set with Dedicated Parity (block level)
RAID 4 provides the exact same configuration and functionality as that of RAID 3, but stripes data at the block, rather than byte, level. Like RAID 3, RAID 4 employs a dedicated parity drive rather than having parity data distributed amongst all disks, as in RAID 5.
RAID 5: Striped Set with Distributed Parity
One of the most popular RAID configurations is that of RAID 5, Striped Set with Distributed Parity. Again with RAID 5 there is a focus on striping for the performance increase it offers, and RAID 5 leverages block level striping. Like RAIDs 3 and 4, RAID 5 writes parity information that is used for recovery purposes. However, unlike RAIDs 3 and 4, which require a dedicated disk for parity information, RAID 5 distributes the parity information across multiple disks. One of the reasons for RAID 5’s popularity is that the disk cost for redundancy is lower than that of a Mirrored set. Another important reason for this level’s popularity is the support for both hardware and software based implementations, which significantly reduces the barrier to entry for RAID configurations. RAID 5 allows for data recovery in the event that any one disk fails. Figure 10.5 provides a visual representation of RAID 5.
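How parity actually buys the "any one disk can fail" property is worth seeing in code. The following is an added example, not code from the book or from any RAID controller: it stripes constructed data across a small array with one XOR parity chunk per stripe, rotates the parity position across disks in the RAID 5 manner (the exact rotation rule is this example's own choice; real controllers use several layouts), and rebuilds a lost disk purely from the survivors. RAID 3 and RAID 4 use the same XOR relationship, only with the parity always on one dedicated disk.

```python
"""Added example (not from the book): XOR parity striping in the style of RAID 5,
with reconstruction of a single failed disk. Data and disk counts are constructed."""


def xor_chunks(chunks):
    """XOR equal-length byte strings together; this is the parity operation."""
    out = bytearray(len(chunks[0]))
    for c in chunks:
        for i, b in enumerate(c):
            out[i] ^= b
    return bytes(out)


def parity_disk_for(stripe, ndisks):
    """Rotate the parity chunk across disks: last disk for stripe 0, then one
    disk to the left for each following stripe (this example's layout choice)."""
    return (ndisks - 1 - stripe) % ndisks


def build_array(data, ndisks, chunk_size):
    """Stripe `data` over `ndisks` disks, block-level, one parity chunk per stripe.
    Returns a list of disks, each a list of chunks in stripe order."""
    if ndisks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    data_chunks_per_stripe = ndisks - 1
    stripe_bytes = data_chunks_per_stripe * chunk_size
    padded = data + b"\x00" * (-len(data) % stripe_bytes)  # zero-pad the last stripe
    disks = [[] for _ in range(ndisks)]
    for s in range(len(padded) // stripe_bytes):
        base = s * stripe_bytes
        chunks = [padded[base + i * chunk_size: base + (i + 1) * chunk_size]
                  for i in range(data_chunks_per_stripe)]
        parity = xor_chunks(chunks)
        pdisk = parity_disk_for(s, ndisks)
        it = iter(chunks)
        for d in range(ndisks):
            disks[d].append(parity if d == pdisk else next(it))
    return disks


def read_array(disks, length):
    """Reassemble the original bytes, skipping parity chunks and padding."""
    ndisks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        pdisk = parity_disk_for(s, ndisks)
        for d in range(ndisks):
            if d != pdisk:
                out += disks[d][s]
    return bytes(out[:length])


def rebuild_disk(disks, failed):
    """Regenerate every chunk of the failed disk (disks[failed] may be None).
    Because P = D1 ^ D2 ^ ... ^ Dn, any single missing term equals the XOR of
    all the others, whether the lost chunk held data or parity."""
    survivors = [disk for i, disk in enumerate(disks) if i != failed]
    nstripes = len(survivors[0])
    return [xor_chunks([disk[s] for disk in survivors]) for s in range(nstripes)]


def capacity_for_redundancy(ndisks):
    """Fraction of raw capacity spent on redundancy: 1/n here, versus 1/2 for a mirror."""
    return 1 / ndisks


if __name__ == "__main__":
    payload = b"The quick brown fox jumps over the lazy dog"  # constructed sample data
    array = build_array(payload, ndisks=4, chunk_size=4)
    array[2] = None                      # simulate losing disk 2 entirely
    array[2] = rebuild_disk(array, 2)    # rebuild it from the three survivors
    print("read back after rebuild:", read_array(array, len(payload)))
```

Two points the code makes concrete: the rebuild reads every surviving disk for every stripe, which is why rebuilding a large array is slow and why a second failure during that window is fatal for single-parity levels; and the redundancy cost is one disk's worth of capacity regardless of array size, which is the cost advantage over mirroring that the text describes.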
RAID 6: Striped Set with Dual Distributed Parity
While RAID 5 accommodates the loss of any one drive in the array, RAID 6 can allow for the failure of two drives and still function. This redundancy is achieved by writing the same parity information to two different disks.
NOTE
There are many and varied RAID configurations which are simply combinations of the standard RAID levels. Nested RAID solutions are becoming increasingly common with larger arrays of disks that require a high degree of both reliability and speed. Some common nested RAID levels include RAID 0+1, 1+0, 5+0, 6+0, and (1+0)+0, which are also commonly written as RAID 01, 10, 50, 60, and 100, respectively.
RAID 1+0 or RAID 10
RAID 1+0 or RAID 10 is an example of what is known as nested RAID or multi-RAID, which simply means that one standard RAID level is encapsulated within another. With RAID 10, which is also commonly written as RAID 1+0 to explicitly indicate the nesting, the configuration is that of a striped set of mirrors.
FIGURE 10.5 RAID 5—Striped Set with Distributed Parity. [Figure: data blocks striped across three disks with the parity block rotating among them.]
System Redundancy
Though redundancy and resiliency of data, provided by RAID and backup solutions, is important, further consideration needs to be given to the systems themselves that provide access to this redundant data.
Redundant Hardware
Many systems can provide internal hardware redundancy of components that are extremely prone to failure. The most common example of this in-built redundancy is systems or devices which have redundant onboard power in the event of a power supply failure. In addition to redundant power, it is also common to find redundant network interface cards (NICs), as well as redundant disk controllers. Sometimes systems simply have field replaceable modular versions of commonly failing components. Though physically replacing a power supply might increase downtime, having an inventory of spare modules to service the entire datacenter’s servers would be less expensive than having all servers configured with an installed redundant power supply.
Redundant Systems
Though quite a few fault-prone internal components can be configured to have redundancy built into systems, there is a limit to the internal redundancy. If system availability is extremely important, then it might be prudent to have entire systems available in the inventory to serve as a means to recover. While the time to recover might be greater, it is fairly common for organizations to have an SLA with their hardware manufacturers to be able to quickly procure replacement equipment in a timely fashion. If the recovery times are acceptable, then quick procurement options are likely to be far cheaper than having spare equipment on-hand for ad hoc system recovery.
High-Availability Clusters
Some applications and systems are so critical that they have more stringent uptime requirements than can be met by standby redundant systems, or spare hardware. These systems and applications typically require what is commonly referred to as a high-availability (HA) or failover cluster. A high-availability cluster employs multiple systems that are already installed, configured, and plugged in, such that if one of the systems fails then the other can be seamlessly leveraged to maintain the availability of the service or application being provided.
The actual implementation details of a high-availability cluster can vary quite a lot, but there are a few basic considerations that need to be understood. The primary implementation consideration for high-availability clusters is whether each node of an HA cluster is actively processing data in advance of a failure. This is known as an active-active configuration, and is commonly referred to as load balancing. Having systems in an active-active, or load balancing, configuration is typically more costly than having the systems in an active-passive, or hot standby, configuration in which the backup systems only begin processing when a failure state is detected.
INCIDENT RESPONSE MANAGEMENT
Although this chapter has provided many operational security measures that would aid in the prevention of a security incident, these measures will only serve to decrease the likelihood and frequency with which security incidents are experienced. All organizations will experience security incidents; about this fact there is little doubt. Because of the certainty of security incidents eventually impacting organizations, there is a great need to be equipped with a regimented and tested methodology for identifying and responding to these incidents.
We will first define some basic terms associated with incident response. To be able to determine whether an incident has occurred or is occurring, security events are reviewed. Events are any observable data associated with systems or networks. A security incident exists if the events suggest that a violation of an organization’s security posture has occurred or is likely to occur. Security incidents can run the gamut from a basic policy violation to an insider exfiltrating millions of credit card numbers. Incident handling or incident response are the terms most commonly associated with how an organization proceeds to identify, react to, and recover from security incidents. Finally, a Computer Security Incident Response Team (CSIRT) is a term used for the group that is tasked with monitoring, identifying, and responding to security incidents. The overall goal of the incident response plan is to allow the organization to control the cost and damage associated with incidents, and to make the recovery of impacted systems quicker.
Methodology
Different books and organizations may use different terms and phases associated with incident response; this section will mirror the terms associated with the examination. Though each organization will indeed have a slightly different understanding of the phases of incident response, the general tasks performed will likely be quite similar among most organizations.
Detection
One of the most important steps in the incident response process is the detection phase. Detection is the phase in which events are analyzed in order to determine whether these events might comprise a security incident. Without strong detective capabilities built into the information systems, the organization has little hope of being able to effectively respond to information security incidents in a timely fashion. Organizations should have a regimented and, preferably, automated fashion for pulling events from systems and bringing those events into the wider organizational context. Often when events on a particular system are analyzed independently and out of context, an actual incident might easily be overlooked. However, with the benefit of seeing those same system logs in the context of the larger organization, patterns indicative of an incident might be noticed. An important aspect of this phase of incident response is that during the detection phase a determination is made as to whether an incident is actually occurring or has occurred. It is a rather common occurrence for potential incidents to be deemed strange, but innocuous after further review.
Containment
The containment phase of incident response is the point at which the incident response team attempts to keep further damage from occurring as a result of the incident. Containment might include taking a system off the network, isolating traffic, powering off the system, or other items to control both the scope and severity of the incident. This phase is also typically where a binary (bit by bit) forensic backup is made of systems involved in the incident. An important trend to understand is that most organizations will now capture volatile data before pulling the power plug on a system.
Eradication
The eradication phase involves the process of understanding the cause of the incident so that the system can be reliably cleaned and ultimately restored to operational status later in the recovery phase. In order for an organization to be able to reliably recover from an incident, the cause of the incident must be determined. The cause must be known so that the systems in question can be returned to a known good state without significant risk of compromise persisting or reoccurring. A common occurrence is for organizations to remove the most obvious piece of malware affecting a system and think that is sufficient. In reality, the obvious malware may only be a symptom, with the cause still undiscovered.
Once the cause and symptoms are determined then the system is restored to a good state and should not be vulnerable to further impact. This will typically involve either rebuilding the system from scratch or restoring from a known good backup. A key question is whether the known good backup can really be trusted. Root cause analysis is key here: it can help develop a timeline of events that lends credence to the suggestion of a backup or image known to be good. Another aspect of eradication that helps with the prevention of future impact is bolstering defenses of the system. If the incident was caused by exploitation of a known vulnerability, then a patch would be prudent. However, improving the system’s firewall configuration might also be a means to help defend against the same or similar attacks. Once eradication has been completed, then the recovery phase begins.
Recovery
The recovery phase involves cautiously restoring the system or systems to operational status. Typically, the business unit responsible for the system will dictate when the system will go back online. Remember to be cognizant of the possibility that the infection, attacker, or other threat agent might have persisted through the eradication phase. For this reason, close monitoring of the system after it is returned to production is necessary. Further, to make the security monitoring of this system easier, strong preference is given to the restoration of operations occurring during off or nonpeak production hours.
Reporting
Unfortunately, the reporting phase is the one most likely to be neglected in immature incident response programs. This fact is unfortunate because the reporting phase, if done right, is the phase that has the greatest potential to effect a positive change in security posture. The goal of the reporting phase is to provide a final report on the incident, which will be delivered to management. Important considerations for this phase are detailing ways in which the identification could have occurred sooner, the response could have been quicker or more effective, and organizational shortcomings that might have contributed to the incident, and potential areas for improvement. Though after significant security incidents security personnel might have greater attention of the management, now is not the time to exploit this focus unduly. If a basic operational change would have significantly increased the organization’s ability to detect, contain, eradicate, or recover from the incident, then the final report should detail this fact whether it is a technical or administrative measure.
Types of attacks
Now that the phases of incident response are understood, types of attacks that frequently require incident response will be described. Though this section will by no means present an exhaustive list of attack types, it will provide basic information on the types of attacks more commonly experienced and responded to in organizations. Before attending specifically to the common attacks, a brief discussion on threats will aid in bringing the common attacks into the organizational risk assessment model. Attention should be paid to ways in which the attacks can be classified and organized, which is summarized in Table 10.2.
Threat Agents
Threat agents are the actors causing the threats that might exploit a vulnerability. While the easiest threat agent to understand is the single dedicated attacker, perhaps working from his mother’s basement, it would be foolish to think this is the only manifestation of threat agents. One of the most alarming recent trends is the increasing organization of the threat agents. Organized crime, terrorists, political dissidents, and even nation states are now common threat agents that can easily target any organization. Though the untrained or careless worker is likely the most common threat agent, this section’s preference for attacks will tend towards the intentional attackers. Malware, or malicious code, can also be considered a threat agent, even though it is automated and lacks creativity. One of the primary reasons to consider the various threat agents is to appreciate the fact that all organizations can be targets when the number, types, and motivations of threat agents are so broad.
Threat Vectors
What medium allows the threat agent to potentially exploit the vulnerability? The answer to this question describes the threat vectors that must be considered. Historically, one of the most common threat vectors, and one that persists even today, is that of email attachments. Attackers have been using email attachments as a means to exploit vulnerabilities for a long time, and the practice continues going strong, though the types of attachments that are effective have changed. Other common vectors include: external attackers targeting public-facing systems via open ports, web applications, and clients; using phone lines to target internal servers and already compromised internal clients to target internal servers; and internal attackers targeting internal systems. Table 10.2 provides additional details regarding these common attack vectors.
Table 10.2 Threat Vectors
Attacker’s Origin | Attacker’s Target | Medium or Vector
External | Public facing servers | Network Attack—direct attacks against ports open through network and system firewalls. This is the conventional attack vector that is most commonly defended against.
External | Web Application components | Web Applications—though some organizations view this as a subset of the above, the attacks and associated defenses are drastically different. The attacker targets the web application, associated servers, and content, rather than merely the web server. Traditional perimeter security defenses fall short when protecting web applications.
External | SMTP Gateways, Antimalware systems, Internal Clients | Attack using malicious email attachments. Used to be straightforward virus attachments, but now commonly uses malicious files that exploit client-side application vulnerabilities (.doc, .xls, .ppt, .pdf, .jpg). Note: these seemingly innocuous file types are also being hosted on malicious websites (see below).
External | Internal Servers | Phone lines—attacks leveraging phone systems are some of the oldest by nature of the technology involved. Many organizations still leverage these systems, especially for critical legacy components, yet often this medium is now overlooked during security assessments.
External | Internal Clients | Browser attacks—attacker hosts a malicious web site or leverages a compromised trusted site to exploit internal clients.
External | Internal Servers | Pivot attack—leverage an internal client (compromised via another vector) to attack internal servers. Increasingly common as organizations are making better use of perimeter security.
Internal | Internal Clients, Internal Servers, Infrastructure | Insider threat—attacker is an insider (employee, contractor, consultant, transient worker, someone with VPN access, etc.) which typically translates to greater access just by virtue of where they are situated with respect to perimeter defenses. Most organizations have limited internal security when compared to their external facing security.
Password Guessing and Password Cracking
Though some fail to distinguish between the two, it is prudent to differentiate between password guessing and cracking as the techniques differ. Password guessing is the simpler of the two techniques from both the attacker’s and defender’s vantage point. Password guessing is an online technique that involves attempting to authenticate a particular user to the system. Password cracking refers to an offline technique in which the attacker has gained access to the password hashes or database. Note that most web-based attacks on passwords are of the password guessing variety, so web applications should be designed with this in mind from a detective and preventive standpoint.
Password guessing may be detected by monitoring the failed login system logs. In order to differentiate between the normal user accidentally mistyping their passwords and the attacker, clipping levels are useful. Clipping levels define a minimum reporting threshold level. Using the password guessing example, a clipping level might be established such that the audit system only alerts if failed authentication occurs more frequently than five times in an hour for a particular user. Clipping levels can help to differentiate the attacks from noise; however, they can also cause false negatives if the attackers can glean the threshold beneath which they must operate.
Preventing successful password guessing attacks is typically done with account lockouts. Account lockouts are used to prevent an attacker from being able to simply guess the correct password by attempting a large number of potential passwords. Some organizations require manual remediation of locked accounts, usually in the form of intervention by the help desk. However, some organizations configure account lockouts to simply have an automatic reset time, which would not necessarily require manual intervention. Care should be taken in the account lockout configuration as an attacker, though unsuccessful at retrieving a correct password, might be able to cause significant administrative burden by intentionally locking out a large volume of accounts.
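The two controls in the last two paragraphs, a clipping level for the detective side and an account lockout with automatic reset for the preventive side, as one added example. This is not code from the book: the auth log lines are constructed (the format resembles an sshd log, the users and addresses are made up, and the addresses come from the RFC 5737 documentation ranges), the "more than five failures in an hour" rule is the one the text gives, and the lockout policy is a simple in-memory model. One constructed user stays just under the clipping level, which is the false negative the text warns about.

```python
"""Added example (not from the book): a clipping level for failed logins, run over
constructed auth log lines, plus an account lockout policy with automatic reset."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in an sshd-like format (users, times and addresses are made up).
LOG_LINES = """\
2022-11-01T10:00:05 sshd[1201]: Failed password for alice from 203.0.113.5 port 50001 ssh2
2022-11-01T10:01:10 sshd[1202]: Accepted password for alice from 203.0.113.5 port 50002 ssh2
2022-11-01T10:20:00 sshd[1203]: Failed password for bob from 198.51.100.7 port 40001 ssh2
2022-11-01T10:21:00 sshd[1204]: Failed password for bob from 198.51.100.7 port 40002 ssh2
2022-11-01T10:22:00 sshd[1205]: Failed password for bob from 198.51.100.7 port 40003 ssh2
2022-11-01T10:23:00 sshd[1206]: Failed password for bob from 198.51.100.7 port 40004 ssh2
2022-11-01T10:24:00 sshd[1207]: Failed password for bob from 198.51.100.7 port 40005 ssh2
2022-11-01T10:25:00 sshd[1208]: Failed password for bob from 198.51.100.7 port 40006 ssh2
2022-11-01T11:00:00 sshd[1209]: Failed password for dave from 198.51.100.9 port 40101 ssh2
2022-11-01T11:15:00 sshd[1210]: Failed password for dave from 198.51.100.9 port 40102 ssh2
2022-11-01T11:30:00 sshd[1211]: Failed password for dave from 198.51.100.9 port 40103 ssh2
2022-11-01T11:45:00 sshd[1212]: Failed password for dave from 198.51.100.9 port 40104 ssh2
2022-11-01T12:00:00 sshd[1213]: Failed password for dave from 198.51.100.9 port 40105 ssh2
2022-11-01T12:30:00 sshd[1214]: pam_unix(sshd:session): session opened for user alice
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)"
)


def parse(line):
    """Return {'ts', 'result', 'user', 'ip'} for an auth line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
            "user": m["user"], "ip": m["ip"]}


def clipping_alerts(lines, threshold=5, window=timedelta(hours=1)):
    """Alert on a user whose failed logins exceed `threshold` inside any `window`.
    One alert per user. Returns [(user, time_of_alert, failures_in_window)]."""
    recent = defaultdict(deque)   # user -> timestamps of failures still inside the window
    alerts, alerted = [], set()
    for ev in map(parse, lines):
        if ev is None or ev["result"] != "Failed":
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) > threshold and ev["user"] not in alerted:
            alerted.add(ev["user"])
            alerts.append((ev["user"], ev["ts"], len(q)))
    return alerts


class LockoutPolicy:
    """Lock an account after `threshold` failures inside `reset_after`; the lock
    expires on its own after `reset_after`, so no help-desk intervention is needed."""

    def __init__(self, threshold=5, reset_after=timedelta(minutes=30)):
        self.threshold, self.reset_after = threshold, reset_after
        self.failures = defaultdict(list)   # user -> recent failure times
        self.locked_until = {}              # user -> expiry of the lock

    def attempt(self, user, password_ok, now):
        """Return 'locked', 'success' or 'failed' for one authentication attempt."""
        until = self.locked_until.get(user)
        if until is not None and now < until:
            return "locked"                  # still locked: even a correct password is refused
        if password_ok:
            self.failures[user].clear()
            return "success"
        recent = [t for t in self.failures[user] if now - t <= self.reset_after] + [now]
        if len(recent) >= self.threshold:
            self.locked_until[user] = now + self.reset_after
            self.failures[user].clear()
            return "locked"
        self.failures[user] = recent
        return "failed"


def lockout_demo():
    """Walk one constructed account through lockout and automatic reset."""
    t0 = datetime(2022, 11, 1, 10, 0, 0)
    policy = LockoutPolicy()
    seq = [policy.attempt("eve", False, t0 + timedelta(seconds=i)) for i in range(5)]
    seq.append(policy.attempt("eve", True, t0 + timedelta(minutes=10)))   # correct, but locked
    seq.append(policy.attempt("eve", True, t0 + timedelta(minutes=31)))   # lock has expired
    return seq


if __name__ == "__main__":
    print("clipping-level alerts:", clipping_alerts(LOG_LINES))
    print("lockout sequence:", lockout_demo())
```

With the defaults only bob trips the clipping level (his sixth failure within the hour); dave's five failures spread over exactly one hour never exceed it, which is the gap an attacker who knows the threshold can sit under. The lockout model keys on the username alone, which is exactly why the text warns that an attacker can lock out many accounts on purpose: anything that lowers that cost, such as a per-source-address component or a lock that expires on its own, trades a little brute-force resistance for less administrative burden.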
Password cracking is considered an offline attack because the attacker has gained access to a password hash for a particular account or the entire password database. Most password databases store the passwords as hashes rather than clear text. These one way cryptographic hashes are created by running the plaintext password through a hashing algorithm such as MD5, LM, NT Hash (MD4), etc. The attacker will attempt to crack the password with a dictionary, hybrid, and then finally a brute force method if suitably motivated to achieve the plaintext password. The dictionary method simply directs the password cracking tool to use a supplied list of words as potential passwords. The tool will hash the supplied word using the matching password algorithm, and compare the resulting hash with the hash in the database. If the two hashes match then the plaintext password is now known. If the dictionary method is unsuccessful then the hybrid approach will likely be attempted. The hybrid approach to password cracking still leverages a word list (dictionary), but makes alterations to the word before putting the guess through the hashing algorithm. Common alterations made by hybrid crackers include prepending or appending numbers or symbols to the password, changing the case of the letters in the word, and making common symbol or number substitutions for letters (e.g., replacing an “o” with a “0”). Finally, password brute forcing involves simply attempting every possible password until the correct match is found. Brute forcing will eventually yield the password, but the question is whether it will return the plaintext password quickly enough (days, months, or years) for it to still be of value. A variation on typical password brute forcing that can greatly increase the speed with which the correct password can be retrieved is a precomputation brute force attack. This technique employs rainbow tables, which are tables of precomputed password-hash combinations: a collection of all password hashes that are applicable for a given algorithm, sometimes within specific confines such as an upper limit on password length or only including the more common symbols. While rainbow tables can reduce the password cracking to a mere table lookup to find the password hash in question, the creation of these rainbow tables is an extremely time consuming process.
NOTE
The efficacy of precomputation brute force attacks leveraging rainbow tables is dependent upon the password hashing algorithm’s implementation. The main feature that determines whether rainbow tables will greatly increase the speed of password recovery is whether the implementation of the algorithm involves salts, which are simply a way of introducing randomness into the resultant hashes. In the absence of salts, the same password will yield the exact same hash every single time. Notably, Windows’ LM and NT hashes do not include salts, which makes them particularly vulnerable to this type of brute forcing. Linux and UNIX systems have employed salts for decades. A 16 bit salt would effectively require an attacker to create 65,536 separate sets of rainbow tables, one set for each possible salt.
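The point of the note, that a salt makes a precomputed table useless, shown from the defender's side. This is an added example and not code from the book: the word list, the salts and the stored records are constructed, and the hash functions are this example's choices (SHA-256 for the unsalted case, PBKDF2-HMAC-SHA256 for the salted case) rather than the LM, NT or MD5 hashes the text names. A plain dictionary stands in for the precomputed table, which makes the same point a rainbow table makes without the chain-compression detail.

```python
"""Added example (not from the book): why a salt defeats a precomputed hash table.
Word list, salts and stored records here are all constructed for the demonstration."""
import hashlib
import os

WORDLIST = ["password", "letmein", "qwerty", "summer2022"]   # constructed, deliberately tiny


def unsalted_hash(password):
    """Salt-free hash: the same password always produces the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words):
    """digest -> word for a list of candidate passwords. A real rainbow table stores
    hash chains to save space, but the effect is the same: one lookup per stored hash,
    and the whole table has to be built once per salt value."""
    return {unsalted_hash(w): w for w in words}


def salted_hash(password, salt):
    """Salted, iterated hash (PBKDF2-HMAC-SHA256). The salt is stored beside the digest
    as 'salthex$digesthex' so that it is available at verification time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f"{salt.hex()}${digest.hex()}"


def new_salted_record(password, salt_bytes=16):
    """Create the stored record for a new password with a fresh random salt."""
    return salted_hash(password, os.urandom(salt_bytes))


def verify_salted(password, record):
    """Check a login attempt by rehashing with the salt taken from the record."""
    salt_hex, _ = record.split("$")
    return salted_hash(password, bytes.fromhex(salt_hex)) == record


def precomputed_tables_needed(salt_bits):
    """A table built for one salt is useless for another, so an attacker would need
    one table per possible salt value: 2**16 = 65,536 for a 16 bit salt."""
    return 2 ** salt_bits


def demo():
    """Run the comparison the note describes and return the observations."""
    table = build_lookup_table(WORDLIST)

    # Unsalted storage: the stored digest is found in the table immediately.
    stored_unsalted = unsalted_hash("letmein")
    hit = table.get(stored_unsalted)

    # Salted storage: two users with the same password, two constructed salts.
    record_a = salted_hash("letmein", bytes.fromhex("0f1e2d3c4b5a6978"))
    record_b = salted_hash("letmein", bytes.fromhex("8796a5b4c3d2e1f0"))
    digest_a, digest_b = record_a.split("$")[1], record_b.split("$")[1]
    miss = table.get(digest_a)          # None: the table was built without this salt

    return {
        "unsalted_lookup": hit,                          # 'letmein'
        "salted_lookup": miss,                           # None
        "same_password_same_digest": digest_a == digest_b,   # False
        "login_ok": verify_salted("letmein", record_a),       # True
        "wrong_password_ok": verify_salted("letmeout", record_a),  # False
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
    print("tables needed for a 16 bit salt:", precomputed_tables_needed(16))
```

The iteration count in `salted_hash` is the second defense the note does not mention: a salt stops the precomputation, while a deliberately slow, iterated construction (PBKDF2, bcrypt, scrypt or Argon2 in practice) raises the cost of every guess in the dictionary, hybrid and brute force methods described above.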
Prevention of successful password cracking attempts can be achieved by strong password policies that prescribe appropriate length, complexity, expiration, and rotation of passwords. Further, strong system security that precludes the attacker ever gaining access to the password database in the first place is another preventive measure.
Session Hijacking and MITM
Another attack technique that needs to be understood is session hijacking, which compromises an existing network session, sometimes seizing control of it. Older protocols such as Telnet may be vulnerable to session hijacking.
A Man In The Middle (MITM, also called Monkey In the Middle) attack places the attacker between the victim and another system: the attacker’s goal is to be able to serve as an undiscovered proxy for either or both of two endpoints engaging in communication. Effectively, an attacker suitably positioned through a combination of spoofing, masquerading as another endpoint, and sniffing traffic is potentially able to insert herself in the middle of a connection. The capabilities of session hijacking include: changing content as it is delivered to one of the endpoints, initiating transactions as one side of the connection, distribution of malware to either end of the connection, and other attacks. Prevention of session hijacking is best done by leveraging encrypted communications which provide mutual endpoint authentication.
Malware
Malware, or malicious code/software, represents one of the best known types of threats to information systems. There are numerous types of malware, some detailed in Table 10.3, that have evolved over the years to continually cause stress to operations. This section will provide a brief description of the major classes of malware. One important note is that distinguishing between the classes of malware is growing more difficult as one piece of malware code is being used as the delivery mechanism to distribute other malware. Antivirus, or antimalware, suites are a basic protection mechanism for malicious code. However, most antivirus systems are heavily reliant upon signature based detection which is often considered a reactive approach. Many antivirus tools have evolved into larger suites that include functionality beyond just basic signature based virus detection (e.g., host based firewalls, intrusion prevention systems, antispyware functionality, etc.). Two of the most important considerations for preventing malware infection beyond antivirus suites are system hardening and user awareness training.
Table 10.3 Types of Malware
Malicious Code | Description
Virus | Virus is the term that most lay persons use for all bad things that can happen on a computer. Information security professionals require a bit more specificity of the term, and reserve the word virus to indicate malicious code that hooks onto executable code, and requires user interaction to spread. In addition to spreading, the actual payload of the virus, that is, what it is intended to do, could be anything.
Macro Virus | The term macro virus refers to malicious code that infects Microsoft Office documents by means of embedding malicious macros within them. Many organizations were wholly unaware of the macro functionality provided by Microsoft Office until they were hit with macro viruses.
Worm | The distinguishing feature of worms is their ability to self-propagate, or, spread without user interaction. This has made worms exceedingly good at spreading very rapidly throughout the internet. Some of the most well known names of malware fall under the worm category: Code Red, Nimda, SQL Slammer, Blaster, MyDoom, Witty.
Trojan Horse | Trojans, which get their name from the famous Trojan Horse from Greek mythology, are defined by how they are concealed, and are most often associated with providing an attacker with persistent backdoor access. Trojans provide ostensibly desirable functionality that the user is seeking, but also come with malicious functionality that the user does not anticipate.
Rootkit | The term rootkit is used for malware that is focused on hiding its own existence from a savvy administrator trying to detect the malware. Typical capabilities include file, folder, process, and network connection hiding. The techniques developed with rootkits are now commonly included in other types of malware.
397Incident response management
Denial of Service (DoS) and Distributed Denial of Service (DDoS)
Denial of Service (DoS) is a one-to-one availability attack; Distributed Denial of Service (DDoS) is a many-to-one availability attack. They are among the easiest attack techniques to understand, as they are simply availability attacks against a site, system, or network. Though there are many local denial of service techniques, this section focuses on remote denial of service techniques. DoS attacks come in all shapes and sizes, ranging from those involving one specially crafted packet and a vulnerable system to receive that packet, to DDoS attacks that leverage tens of thousands (or more) bots to target an online service provider with a flood of seemingly legitimate traffic attempting to overwhelm its capacity. The two families call for different defenses: a malformed-packet attack exploits a bug in the target's protocol stack and is removed by patching, whereas a flooding attack consumes bandwidth or connection state on a correctly working system and has to be filtered upstream. Historically there have been well known named tools for instigating denial of service attacks; however, these have become less popular with the rise of botnets that provide denial of service techniques as part of their generic feature set. It is unlikely that the CISSP® exam will require knowledge of more recent specific variations of bots used for distributed denial of service, so Table 10.4 below includes some historical examples of malicious packet attacks as well as some general resource exhaustion, or flooding, techniques.
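The following is an added example, not code from the study guide: a small classifier that recognises the Table 10.4 attacks from packet headers. Malformed-packet attacks (Land, Teardrop, Ping of Death) are matched on the header property that defines them; flooding attacks (SYN flood, Smurf/Fraggle stimulus) on simple per-source counting. The Packet record layout, the threshold of 100 bare SYNs, the watched network 192.0.2.0/24 and the sample traffic are all assumptions constructed for the example, not captured data.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

IP_MAX_LEN = 65535  # IPv4 total-length field is 16 bits; no datagram may reassemble past this


@dataclass
class Packet:
    # Simplified header view of one packet or IP fragment (assumed layout, not a real capture)
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: str = ""       # TCP flags as letters: "S" = SYN only, "SA" = SYN/ACK, "A" = ACK
    icmp_type: int = -1   # 8 = Echo Request; only meaningful on a datagram's first fragment
    frag_id: int = 0      # IP identification field shared by all fragments of one datagram
    frag_offset: int = 0  # fragment offset in bytes (header value * 8)
    length: int = 0       # payload bytes carried by this packet or fragment
    more_frags: bool = False

def is_land(p):
    """Land: a SYN whose source and destination address:port are identical."""
    return p.proto == "tcp" and p.flags == "S" and p.src == p.dst and p.sport == p.dport

def _fragment_groups(packets):
    """Group fragments by (src, dst, IP id) so each datagram is inspected as a whole."""
    groups = defaultdict(list)
    for p in packets:
        if p.more_frags or p.frag_offset > 0:
            groups[(p.src, p.dst, p.frag_id)].append(p)
    return groups

def find_teardrop(packets):
    """Teardrop: a datagram whose fragments overlap (a fragment starts inside the previous one)."""
    hits = []
    for key, frags in _fragment_groups(packets).items():
        frags = sorted(frags, key=lambda f: f.frag_offset)
        if any(cur.frag_offset < prev.frag_offset + prev.length
               for prev, cur in zip(frags, frags[1:])):
            hits.append(key)
    return hits

def find_ping_of_death(packets):
    """Ping of Death: an Echo Request whose reassembled size would exceed IP_MAX_LEN."""
    hits = []
    for key, frags in _fragment_groups(packets).items():
        if not any(f.proto == "icmp" and f.icmp_type == 8 for f in frags):
            continue
        total = max(f.frag_offset + f.length for f in frags)
        if total > IP_MAX_LEN:
            hits.append((key, total))
    return hits

def find_syn_flood(packets, threshold=100):
    """SYN flood heuristic: many bare SYNs from one source to one target and never an ACK."""
    syns = defaultdict(int)
    completed = set()
    for p in packets:
        if p.proto != "tcp":
            continue
        if p.flags == "S":
            syns[(p.src, p.dst)] += 1
        elif "A" in p.flags:
            completed.add((p.src, p.dst))
    return [k for k, n in syns.items() if n >= threshold and k not in completed]

def find_amplifier_abuse(packets, nets):
    """Smurf/Fraggle stimulus: Echo Request or UDP sent to a directed broadcast address.
    The source address is the spoofed victim that will receive the amplified replies."""
    broadcast = {ipaddress.ip_network(n).broadcast_address for n in nets}
    hits = []
    for p in packets:
        if ipaddress.ip_address(p.dst) not in broadcast:
            continue
        if p.proto == "icmp" and p.icmp_type == 8:
            hits.append(("smurf", p.src))
        elif p.proto == "udp":
            hits.append(("fraggle", p.src))
    return hits

def classify(packets, nets=("192.0.2.0/24",), syn_threshold=100):
    """Run every detector; nets lists the locally routed prefixes whose broadcast address is watched."""
    return {
        "land": [(p.src, p.sport) for p in packets if is_land(p)],
        "teardrop": find_teardrop(packets),
        "ping_of_death": find_ping_of_death(packets),
        "syn_flood": find_syn_flood(packets, syn_threshold),
        "amplifier_abuse": find_amplifier_abuse(packets, nets),
    }

def sample_traffic():
    """Constructed sample (not captured traffic): one instance of each attack plus a normal handshake."""
    v, a = "198.51.100.7", "203.0.113.9"  # victim and attacker, documentation address ranges
    pk = [Packet(v, v, "tcp", 139, 139, "S")]                                        # Land
    pk += [Packet(a, v, "udp", frag_id=1, frag_offset=0, length=400, more_frags=True),
           Packet(a, v, "udp", frag_id=1, frag_offset=200, length=400)]             # Teardrop
    pk += [Packet(a, v, "icmp", icmp_type=8, frag_id=2, frag_offset=0, length=1480, more_frags=True),
           Packet(a, v, "icmp", frag_id=2, frag_offset=65120, length=500)]          # Ping of Death
    pk += [Packet("203.0.113.50", v, "tcp", 40000 + i, 80, "S") for i in range(150)]  # SYN flood
    pk += [Packet(v, "192.0.2.255", "icmp", icmp_type=8)]                            # Smurf stimulus
    pk += [Packet("203.0.113.60", v, "tcp", 50000, 443, "S"),
           Packet("203.0.113.60", v, "tcp", 50000, 443, "A")]                        # normal handshake
    return pk

if __name__ == "__main__":
    for kind, found in classify(sample_traffic()).items():
        print(f"{kind:16s} {found}")
```

The malformed-packet detectors are exact signatures, because each of those attacks is defined by a header property a correct stack never produces. The flood detectors are only heuristics: a real SYN flood usually spoofs many source addresses, so the per-source count has to be complemented by watching the target's half-open connection queue, and the amplifier check only catches the stimulus packets on the amplifier's own network, not the reply flood arriving at the victim.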
Table 10.4 Denial of Service Examples (name, DoS type, description)

Land (malformed packet). The land attack uses a spoofed SYN packet that carries the victim's IP address and TCP port as both source and destination. This attack targeted the TCP/IP stack of older, unpatched Windows systems.

Smurf (resource exhaustion). A smurf attack involves ICMP flooding. The attacker sends ICMP Echo Request messages, with the source address spoofed to be the victim, to the directed broadcast address of a network known to be a smurf amplifier. A smurf amplifier is a public-facing network that is misconfigured such that it forwards packets sent to the network broadcast address to each host in the network. Assuming a /24 smurf amplifier, every single spoofed ICMP Echo Request can cause the victim to receive up to 254 ICMP Echo Replies. As with most resource exhaustion denial of service attacks, prevention involves having infrastructure that can filter the DoS traffic and/or an ISP that can provide assistance in filtering the traffic.

SYN Flood (resource exhaustion). SYN floods are the most basic type of resource exhaustion attack, and involve an attacker, or attacker-controlled machines, initiating many connections to the victim but never responding to the victim's SYN/ACK packets. The victim's connection queue fills with half-open connections and eventually cannot accept new ones. Configuring a system to recycle half-open connections more quickly (for example, SYN cookies or a shorter SYN-RECEIVED timeout) can help with this technique. As with most resource exhaustion denial of service attacks, prevention involves having infrastructure that can filter the DoS traffic and/or an ISP that can provide assistance in filtering the traffic.

Teardrop (malformed packet). The teardrop attack is a malformed packet attack that targets bugs in systems' fragment reassembly. The attack involves sending fragments with overlapping fragment offsets, which can crash a system attempting to reassemble them.

Ping of Death (malformed packet). The Ping of Death denial of service involved sending a malformed ICMP Echo Request (ping) that, once reassembled, was larger than the maximum size of an IP packet (65,535 bytes). Historically, sending the Ping of Death would crash systems. Patching the TCP/IP stacks of systems removed the vulnerability to this DoS attack.

Fraggle (resource exhaustion). The fraggle attack is a variation of the smurf attack. The main difference between smurf and fraggle is that fraggle uses UDP for the request portion, and most likely stimulates an ICMP Port Unreachable message being sent to the victim rather than an ICMP Echo Reply.

DNS Reflection (resource exhaustion). A more recent denial of service technique that, like the smurf attack, leverages a third party is the DNS reflection attack. The attacker has poorly configured third-party DNS servers query an attacker-controlled DNS server and cache the response (a maximum-size DNS record). Once the large record is cached by many third-party DNS servers, the attacker sends DNS requests for that record with a spoofed source address of the victim, so each small request causes an extremely large DNS response to be sent to the victim. As with most resource exhaustion denial of service attacks, prevention involves having infrastructure that can filter the DoS traffic and/or an ISP that can provide assistance in filtering the traffic.

398 CHAPTER 10 Domain 9: Operations security

SUMMARY OF EXAM OBJECTIVES
In this chapter we have discussed operational security. Operations security concerns the security of systems and data while being actively used in a production environment. Ultimately operations security is about people, data, media, and hardware, all of which are elements that need to be considered from a security perspective. The best technical security infrastructure in the world will be rendered moot if an individual with privileged access decides to turn against the organization and there are no preventive or detective controls in place within the organization.
There must be controls associated with even the most trusted individuals. This chapter discussed items such as the principle of least privilege, separation and rotation of duties, and mandatory vacations, which can all help provide needed security controls for our operational personnel. In addition to personnel-related security, this section dealt with media, where the data physically resides. Even though an organization's access control methodology might be superlative, if it allows sensitive information to be written to backup tapes in plaintext and then hands that tape to a courier, bad things will almost certainly follow. Further, media security also dealt with retention and destruction of data, both of which need to be strictly controlled from an operational security perspective.

Another aspect of operational security is maintaining the availability of systems and data. To this end, data backup methodologies, RAID, and hardware availability were all attended to. Data backups are one of the most common data and system reliability measures that can be undertaken by an organization. RAID, in most configurations, can provide for increased data availability by making systems more resilient to disk failures. In addition to disk and data reliability, though, system hardware must also be continually available in order to access those disks and the data they contain. Hardware availability via redundancy and clustering should also be considered if the systems or data have strict availability requirements.

The final aspect of this chapter on operations security dealt with how to respond to incidents and some common attack techniques. An incident response methodology was put forth, because incidents will inevitably occur in organizations; it is just a matter of time. Having a regimented process for detecting, containing, eradicating, recovering from, and reporting security incidents is paramount in every organization that is concerned with information security, or, more simply, the confidentiality, integrity, and availability of its information systems and the data contained therein. Finally, some common attack techniques were discussed, including password cracking, denial of service techniques, session hijacking, and malicious software. Though this is by no means a comprehensive list, it does provide some basic information about some of the more common attack techniques that are likely to be seen from an operational security vantage point.
SELF TEST
1. Which type of control requires multiple parties in order for a critical transaction to be performed?
A. Separation of duties
B. Rotation of duties
C. Principle of least privilege
D. Need to know
2. Which concept only allows for individuals to be granted the minimum access necessary to carry out their job function?
A. Rotation of duties
B. Principle of least privilege
C. Separation of duties
D. Mandatory leave
3. Which level of RAID does NOT provide additional reliability?
A. RAID 1
B. RAID 5
C. RAID 0
D. RAID 3
4. Which type of RAID uses block level striping with parity information distributed across multiple disks?
A. RAID 1
B. RAID 3
C. RAID 4
D. RAID 5
5. Which type of backup will include only those files that have changed since the most recent Full backup?
A. Full
B. Differential
C. Incremental
D. Binary
6. Which security principle might disallow access to sensitive data even if an individual had the necessary security clearance?
A. Principle of least privilege
B. Separation of duties
C. Need to know
D. Nash analytics
7. Which type of malware is able to propagate itself without user interaction?
A. Rootkit
B. Trojan
C. Virus
D. Worm
8. Separation of Duties requires that two parties act in concert in order to carry out a critical transaction. What is the term associated with two individuals working together to perpetrate a fraud?
A. Hijacking
B. Espionage
C. Terrorism
D. Collusion
9. Which type of malware is commonly associated with office productivity documents?
A. Macro
B. Worm
C. Spyware
D. Rootkit
10. What type of backup is obtained during the Containment phase of Incident Response?
A. Incremental
B. Full
C. Differential
D. Binary
11. Which type of attack will make use of misconfigured third party systems to perpetrate a DoS?
A. Smurf
B. Session hijacking
C. Teardrop
D. Land
12. Which attack technique might involve a seemingly trusted endpoint resolving as a website hosting malware?
A. Password cracking
B. Trojan horse
C. Session hijacking
D. UI redressing
13. Which principle involves defining a trusted security baseline image of critical systems?
A. Configuration management
B. Change management
C. Patch management
D. Vulnerability management
14. Which type of attack leverages overlapping fragments to cause a denial of service?
A. Smurf
B. Teardrop
C. Fraggle
D. Session hijacking
15. What security principle can be used to help detect fraud coming from users becoming comfortable in their position?
A. Separation of duties
B. Principle of least privilege
C. Rotation of duties
D. Collusion
SELF TEST QUICK ANSWER KEY
1. A
2. B
3. C
4. D
5. B
6. C
7. D
8. D
9. A
10. D
11. A
12. C
13. A
14. B
15. C
encounters, which can, in turn, reduce their desire to engage and their response.

Dementia
This is a degenerative disorder of the mental faculties, predominantly among the elderly (National Institute on Aging, n.d.). Their judgment diminishes, making them disinterested or utterly unaware of their sexual experiences. Some forms of the condition have been shown to increase sex or closeness, but the individual may fail to recognize what is appropriate and what is not.

Diabetes
As a chronic condition experienced mainly by this population, it can lead to yeast generation, leading to itchiness around the sex organs, making sex unpalatable. The situation can, however, be addressed with medication.

Incontinence
This is a condition where one experiences bladder leakage caused by poor control (National Institute on Aging, n.d.). It is most prevalent among the population and can lead to diminished sex drive. It can, however, also be addressed with medication.

Nutrition, Psychologic, Drugs, and Complementary and Alternative Medication’s Influence on the Immune System
As the population ages, some aspects they go through include isolation and loneliness brought on by not belonging to the younger age groups. They also become more dependent on their loved ones or caregivers for food, healthcare services, and other needs. When this care is not meticulously monitored, the individual can deteriorate even further, making them frailer and
generally unhealthy. Proper nutrition through food is the primary source of life, which can significantly increase their immune system’s capacity to defend their health. Food from fruits like oranges that are rich in vitamin C is essential to the immune system (Childs et al., 2019). Vegetables, proteins, and fiber-rich food have been shown to stimulate an individual’s immune cells. Medical and alternative interventions also have plenty of upsides for an individual in their old age. From medication that helps with loss of appetite to multivitamins, the individual’s immune system can be better boosted to protect the system. A key aspect of medical interventions is fighting off infections and bacteria and diminishing their capacity to multiply. This, in turn, helps the immune system fend for itself with ease and keep the elderly safe. Vaccines also work splendidly, especially for the elderly, ensuring they are better equipped to fight off an infection they would otherwise struggle to fend off. Psychological intervention for the elderly has also been effective in bolstering the immune system (Abdurachman & Herawati, 2018). Maintaining a balance in one’s psychological well-being was proven to have immune impacts for an individual that, in turn, helps them better depend on their health.

Conclusion
Age brings with it a host of issues that decrease the body's functionalities that once were. From decreased cognitive capacity through conditions like dementia to diminished sex drive, age can feel like one's body is turning on them. It is thus all the more imperative to observe one's health throughout one's life, especially at this stage, to ensure that one is strong and can lead relatively full lives even at that age. One needs to observe all aspects of their health, from physical to psychological, as coordination of all these aspects is critical to overall well-being, especially as one ages.
This assignment module investigated the pathological conditions that affect the sexual response in older adults and how and why nutritional and
psychological factors, drugs, and other alternative and complementary medications affect the immune system of the populations.

References
Abdurachman, & Herawati, N. (2018). The role of psychological well-being in boosting immune response: An optimal effort for tackling infection. African Journal of Infectious Diseases, 12(1 Suppl), 54. https://doi.org/10.2101/AJID.12V1S.7
Childs, C. E., Calder, P. C., & Miles, E. A. (2019). Diet and immune function. Nutrients, 11(8). https://doi.org/10.3390/NU11081933
Haynes, L. (2020). Aging of the immune system: Research challenges to enhance the health span of older adults. Frontiers in Aging, 0, 2. https://doi.org/10.3389/FRAGI.2020.602108
National Institute on Aging. (n.d.). Sexuality and intimacy in older adults. https://www.nia.nih.gov/health/sexuality-and-intimacy-older-adults

#2
Jessica Rincon
St. Thomas University
NUR 417 AP2
Prof. Yedelis Diaz
11/1/2022

Effects of Pathological Conditions
Erens et al. (2019) posit that sexual expression contributes to health and well-being, promotes self-esteem, and maintains relationships, making it important throughout the life course. However, society continues to witness an age-related decrease in sexual satisfaction and activity, leading to the conclusion that sexual expression changes with an increase in age. According to Lecture Notes (Slide 2), nurses are responsible for assessing disabling drugs and medical conditions, as well as age-related changes affecting older adults’ sexual lives, and intervene at an early point. The effectiveness of the interventions depends on an understanding of the contributing factors. On the contrary, most nurses share in society’s prejudice and negative attitudes toward the asexuality of older adults, which is a barrier to the effectiveness of the interventions they provide (Lecture Notes, Slide 5). Hence, there is a need for nurses to be aware of and understand the importance of sexuality among older adults.

Pathological factors are the primary contributors to decreased sexual activity and satisfaction among older adults. They include dementia, malignancies, and human immunodeficiency virus (Lecture Notes, Slide 8). Dementia affects sexuality by causing changes in cognition and judgment. Malignancies include colon, prostate, and breast cancer, whose toll on the health and well-being of older adults causes sexual inhibition or a decrease in sexuality. Lastly is HIV, which affects about 45% of the older adult population above 55 years (Lecture Notes, Slide 8). Since it is mostly diagnosed late, older adults progress quickly, thereby reducing their interests and chances of engaging in sexual activity. Hence, nurses who serve this population must be vigilant in assessing these pathological conditions and providing appropriate interventions to enhance their sexuality, which, in turn, will improve their health outcomes.
On the other hand, nutritional factors, psychological factors, drugs, and alternative and complementary medications affect the immune systems of older adults by attacking their innate response mechanisms that act as the first line of defense against pathogens. Akha (2018) states that this outcome manifests in the prevalence of constitutive low-grade inflammation and autoimmunity, diminished response to vaccination, and decreased ability to fight infection. For instance, nutritional factors, such as malnutrition, could expose older adults to sarcopenia, which refers to a decline in skeletal muscle as a result of insufficient dietary protein, neuromuscular changes, reduced levels of testosterone and growth hormone, disuse of muscles, and physical inactivity (Lecture Notes, Slide 7). Drugs, as well as complementary and alternative medications, also affect the immune system of older adults immensely. Akha (2018) provides an example of chemotherapeutic drugs used to treat patients with cancer. The impact of such medications has led to the development of evaluation criteria referred to as immune-related response criteria (irCR). The evaluation criteria reveal the expansion of immune-related adverse effects of chemotherapeutic drugs, such as autoimmunity and immunotoxicity (Akha, 2018). The adverse effects of chemotherapeutic drugs are mediated by age-related immune system changes and comorbidities, which significantly lower the ability of the immune system to defend against other pathogens. In other words, nutritional, psychological, and medication-related factors affect the immune system of older adults by cumulatively attacking its response criteria. The occurrence of these factors at the same time, which is common among older adults, compromises the immune system and its ability to fight illnesses. The result is more comorbidities that increase hospital visits by the population. Nurses must be aware of the interplay between these factors and offer effective interventions to provide better care.

References
Akha, A. A. S. (2018). Aging and the immune system: An overview. Journal of immunological methods, 463, 21-26.
Erens, B., Mitchell, K. R., Gibson, L., Datta, J., Lewis, R., Field, N., & Wellings, K. (2019). Health status, sexual activity and satisfaction among older people in Britain: A mixed methods study. PloS one, 14(3), e0213835.
Lecture Notes. (n.d.). Chapter 12: Sexuality and Aging.
Lecture Notes. (n.d.). Chapter 9: Nutrition.

BaseTech / Principles of Computer Security, Fourth Edition / Conklin / 597-0 / Chapter 3

Chapter 3
Operational and Organizational Security

Organizations achieve operational security through policies and procedures that guide users’ interactions with data and data processing systems. Developing and aligning these efforts with the goals of the business is a crucial part of developing a successful security program. One method of ensuring coverage is to align efforts with the operational security model described in the last chapter. This breaks efforts into groups: prevention, detection, and response elements. Prevention technologies are designed to keep individuals from being able to gain access to systems or data they are not authorized to use. Originally, this was the sole approach to security. Eventually we learned that in an operational environment, prevention is extremely difficult and relying on prevention technologies alone is not sufficient. This led to the rise of technologies to detect and respond to events that occur when prevention fails. Together, the prevention technologies and the detection and response technologies form the operational model for computer security.

In this chapter, you will learn how to
■ Identify various operational aspects to security in your organization
■ Identify various policies and procedures in your organization
■ Identify the security awareness and training needs of an organization
■ Understand the different types of agreements employed in negotiating security requirements
■ Describe the physical security components that can protect your computers and network
■ Identify environmental factors that can affect security
■ Identify factors that affect the security of the growing number of wireless technologies used for data transmission
■ Prevent disclosure through electronic emanations

We will bankrupt ourselves in the vain search for absolute security. —Dwight David Eisenhower

Policies, Procedures, Standards, and Guidelines
An important part of any organization’s approach to implementing security is the policies, procedures, standards, and guidelines that are established to detail what users and administrators should be doing to maintain the security of the systems and network. Collectively, these documents provide the guidance needed to determine how security will be implemented in the organization. Given this guidance, the specific technology and security mechanisms required can be planned for.

Policies are high-level, broad statements of what the organization wants to accomplish. They are made by management when laying out the organization’s position on some issue. Procedures are the step-by-step instructions on how to implement policies in the organization. They describe exactly how employees are expected to act in a given situation or to accomplish a specific task. Standards are mandatory elements regarding the implementation of a policy. They are accepted specifications that provide specific details on how a policy is to be enforced. Some standards are externally driven. Regulations for banking and financial institutions, for example, require certain security measures be taken by law. Other standards may be set by the organization to meet its own security goals. Guidelines are recommendations relating to a policy. The key term in this case is recommendations: guidelines are not mandatory steps.

These documents guide how security will be implemented in the organization:
Policies: high-level, broad statements of what the organization wants to accomplish
Procedures: step-by-step instructions on how to implement the policies
Standards: mandatory elements regarding the implementation of a policy
Guidelines: recommendations relating to a policy

Just as the network itself constantly changes, the policies, procedures, standards, and guidelines should be included in living documents that are periodically evaluated and changed as necessary. The constant monitoring of the network and the periodic review of the relevant documents are part of the process that is the operational model. When applied to policies, this process results in what is known as the policy lifecycle. This operational process and policy lifecycle roughly consist of four steps in relation to your security policies and solutions:
1. Plan (adjust) for security in your organization.
2. Implement the plans.
3. Monitor the implementation.
4. Evaluate the effectiveness.

In the first step, you develop the policies, procedures, and guidelines that will be implemented and design the security components that will protect your network. There are a variety of governing instruments, from standards to compliance rules, that will provide boundaries for these documents. Once these documents are designed and developed, you can implement the plans. Part of the implementation of any policy, procedure, or guideline is an instruction period during which those who will be affected by the change or introduction of this new document learn about its contents. Next, you monitor to ensure that both the hardware and the software as well as the policies, procedures, and guidelines are effective in securing your systems. Finally, you evaluate the effectiveness of the security measures you have in place. This step may include a vulnerability assessment (an attempt to identify and prioritize the list of vulnerabilities within a system or network) and a penetration test (a method to check the security of a system by simulating an attack by a malicious individual) of your system to ensure the security is adequate. After evaluating your security posture, you begin again with step one, this time adjusting the security mechanisms you have in place, and then continue with this cyclical process.

Regarding security, every organization should have several common policies in place (in addition to those already discussed relative to access control methods). These include, but are not limited to, security policies regarding change management, classification of information, acceptable use, due care and due diligence, due process, need to know, disposal and destruction of data, service level agreements, human resources issues, codes of ethics, and policies governing incident response.

Security Policies
In keeping with the high-level nature of policies, the security policy is a high-level statement produced by senior management that outlines both what security means to the organization and the organization’s goals for security. The main security policy can then be broken down into additional policies that cover specific topics. Statements such as “this organization will exercise the principle of least access in its handling of client information” would be an example of a security policy. The security policy can also describe how security is to be handled from an organizational point of view (such as describing which office and corporate officer or manager oversees the organization’s security program).

In addition to policies related to access control, the organization’s security policy should include the specific policies described in the next sections. All policies should be reviewed on a regular basis and updated as needed. Generally, policies should be updated less frequently than the procedures that implement them, since the high-level goals will not change as often as the environment in which they must be implemented. All policies should be reviewed by the organization’s legal counsel, and a plan should be outlined that describes how the organization will ensure that employees will be made aware of the policies. Policies can also be made stronger by including references to the authority who made the policy (whether this policy comes from the CEO or is a department-level policy, for example) and references to any laws or regulations that are applicable to the specific policy and environment.

Change Management Policy
The purpose of change management is to ensure proper procedures are followed when modifications to the IT infrastructure are made. These modifications can be prompted by a number of different events, including new legislation, updated versions of software or hardware, implementation of new software or hardware, or improvements to the infrastructure. The term “management” implies that this process should be controlled in some systematic way, and that is indeed the purpose. Changes to the infrastructure might have a detrimental impact on operations. New versions of operating systems or application software might be incompatible with other software or hardware the organization is using. Without a process to manage the change, an organization might suddenly find itself unable to conduct business. A change management process should include various stages, including a method to request a change to the infrastructure, a review and approval process for the request, an examination of the consequences of the change, resolution (or mitigation) of any detrimental effects the change might incur, implementation of the change, and documentation of the process as it related to the change.

Data Policies
System integration with third parties frequently involves the sharing of data. Data can be shared for the purpose of processing or storage. Control over data is a significant issue in third-party relationships. There are numerous questions that need to be addressed. The question of who owns the data, both the data shared with third parties and subsequent data developed as part of the relationship, is an issue that needs to be established.

Data Ownership
Data requires a data owner. Data ownership roles for all data elements need to be defined in the business. Data ownership is a business function, where the requirements for security, privacy, retention, and other business functions must be established. Not all data requires the same handling restrictions, but all data requires these characteristics to be defined. This is the responsibility of the data owner.

Unauthorized Data Sharing
Unauthorized data sharing can be a significant issue, and in today’s world, data has value and is frequently used for secondary purposes. Ensuring that all parties in the relationship understand the data-sharing requirements is an important prerequisite. Equally important is ensuring that all parties understand the security requirements of shared data.

Data Backups
Data ownership requirements include backup responsibilities. Data backup requirements include determining the level of backup, restore objectives, and level of protection requirements. These can be defined by the data owner and then executed by operational IT personnel. Determining the backup responsibilities and developing the necessary operational procedures to ensure that adequate backups occur are important security elements.

Classification of Information
A key component of IT security is the protection of the information processed and stored on the computer systems and network. Organizations deal with many different types of information, and they need to recognize that not all information is of equal importance or sensitivity. This requires classification of information into various categories, each with its own requirements for its handling. Factors that affect the classification of specific information include its value to the organization (what will be the impact to the organization if it loses this information?), its age, and laws or regulations that govern its protection. The most widely known system of classification of information is that implemented by the U.S. government (including the military), which classifies information into categories such as Confidential, Secret, and Top Secret. Businesses have similar desires to protect information and often use categories such as Publicly Releasable, Proprietary, Company Confidential, and For Internal Use Only. Each policy for the classification of information should describe how it should be protected, who may have access to it, who has the authority to release it and how, and how it should be destroyed. All employees of the organization should be trained in the procedures for handling the information that they are authorized to access. Discretionary and mandatory access control techniques use classi-
  • 20.
    fications as amethod to identify who may have access to what resources. Data Labeling, Handling, and Disposal Effective data classification programs include data labeling, which enables personnel working with the data to know whether it is sensitive and to understand the levels of protection required. When the data is inside an information-processing system, the protections should be designed into the system. But when the data leaves this cocoon of protection, whether by printing, downloading, or copying, it becomes necessary to ensure con- tinued protection by other means. This is where data labeling assists users in fulfilling their responsibilities. Training to ensure that labeling occurs and that it is used and followed is important for users whose roles can be impacted by this material. Training plays an important role in ensuring proper data handling and disposal. Personnel are intimately involved in several specific tasks asso- ciated with data handling and data destruction/disposal and, if properly trained, can act as a security control. Untrained or inadequately trained per- sonnel will not be a productive security control and, in fact, can be a source of potential compromise.
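The classification-based access control and data labeling described above can be expressed as a small access check: a subject may read an object only when its clearance level is at least the object's level and it holds every need-to-know compartment the object carries, and data that leaves the system is stamped with a marking derived from its label. The following is an added example and is not code from the book; the ordering assigned to the business categories, the department names used as compartments, and the marking format are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Business classification categories named in the text, ordered from least
# to most sensitive. The ordering itself is an assumption for this example.
LEVELS = [
    "Publicly Releasable",
    "For Internal Use Only",
    "Proprietary",
    "Company Confidential",
]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """Classification stamped on a piece of data. `categories` are the
    need-to-know compartments (a project or department name, for example)."""
    level: str
    categories: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Clearance:
    """What a user has been granted: a level plus the compartments for
    which a justified need to know has been approved."""
    level: str
    categories: frozenset = field(default_factory=frozenset)


def check_read(subject: Clearance, obj: Label) -> tuple:
    """Mandatory read check: the subject's level must be at least the
    object's level AND the subject must hold every compartment on the
    object. A high enough clearance alone is not sufficient."""
    if subject.level not in RANK or obj.level not in RANK:
        return False, "unknown classification level"
    if RANK[subject.level] < RANK[obj.level]:
        return False, f"clearance {subject.level} is below {obj.level}"
    missing = obj.categories - subject.categories
    if missing:
        return False, "no need to know for " + ", ".join(sorted(missing))
    return True, "granted"


def marking(label: Label) -> str:
    """Text marking to print on a document or embed in a file name when the
    data leaves the system, so handlers can see the required protection."""
    text = label.level.upper()
    if label.categories:
        text += " // " + ", ".join(c.upper() for c in sorted(label.categories))
    return text


def filter_readable(subject: Clearance, objects: dict) -> list:
    """Names of the objects (name -> Label) this subject may read."""
    return sorted(name for name, lab in objects.items() if check_read(subject, lab)[0])


if __name__ == "__main__":
    # Constructed sample data: four documents and one finance analyst.
    docs = {
        "press-release.txt": Label("Publicly Releasable"),
        "org-chart.pdf": Label("For Internal Use Only"),
        "q3-forecast.xlsx": Label("Proprietary", frozenset({"finance"})),
        "merger-memo.docx": Label("Company Confidential", frozenset({"finance", "legal"})),
    }
    analyst = Clearance("Proprietary", frozenset({"finance"}))
    for name, lab in docs.items():
        ok, why = check_read(analyst, lab)
        print(f"{marking(lab):45} {name:20} {'ALLOW' if ok else 'DENY'}: {why}")
```

The two conditions are deliberately separate so that a denial says whether the problem is the clearance level or a missing compartment; an executive with the highest level but no finance compartment is still refused the forecast, which is the need-to-know principle in action.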
Need to Know

Another common security principle is that of need to know, which goes hand-in-hand with least privilege. The guiding factor here is that each individual in the organization is supplied with only the absolute minimum amount of information and privileges he or she needs to perform their work tasks. To obtain access to any piece of information, the individual must have a justified need to know. A policy spelling out these two principles as guiding philosophies for the organization should be created. The policy should also address who in the organization can grant access to information and who can assign privileges to employees.

Disposal and Destruction Policy

Many potential intruders have learned the value of dumpster diving. An organization must be concerned about not only paper trash and discarded objects, but also the information stored on discarded objects such as computers. Several government organizations have been embarrassed when old computers sold to salvagers proved to contain sensitive documents on their hard drives. It is critical for every organization to have a strong disposal and destruction policy and related procedures.

Tech Tip: Data Classification

Information classification categories you should be aware of for the CompTIA Security+ exam include: High, Medium, Low, Confidential, Private, and Public.

Important papers should be shredded, and important in this case means anything that might be useful to a potential intruder. It is amazing what intruders can do with what appear to be innocent pieces of information. Before magnetic storage media (such as disks or tapes) is discarded in the trash or sold for salvage, it should have all files deleted, and should be overwritten at least three times with all 1’s, all 0’s, and then random characters. Commercial products are available to destroy files using this process. It is not sufficient simply to delete all files and leave it at that, since the deletion process affects only the pointers to where the files are stored and doesn’t actually get rid of all the bits in the file. This is why it is possible to “undelete” files and recover them after they have been deleted.

A safer method for destroying files from a storage device is to destroy the data magnetically, using a strong magnetic field to degauss the media. This effectively destroys all data on the media. Several commercial degaussers are available for this purpose. Another method that can be used on hard drives is to use a file on them (the sort of file you’d find in a hardware store) and actually file off the magnetic material from the surface of the platter. Shredding floppy media is normally sufficient, but simply cutting a floppy disk into a few pieces is not enough—data has been successfully recovered from floppies that were cut into only a couple of pieces. CDs and DVDs also need to be disposed of appropriately. Many paper shredders now have the ability to shred these forms of storage media.

In some highly secure environments, the only acceptable method of disposing of hard drives and other storage devices is the actual physical destruction of the devices. Here it is important to match the security action to the level of risk. Destroying hard drives that do not have sensitive information is wasteful; proper file scrubbing is probably appropriate. For drives with ultra-sensitive information, physical destruction makes sense. There is no single answer, but as in most things associated with information security, the best practice is to match the action to the level of risk.

Human Resources Policies

It has been said that the weakest links in the security chain are the humans. Consequently, it is important for organizations to have policies in place relative to their employees. Policies that relate to the hiring of individuals are particularly important. The organization needs to make sure that it hires individuals who can be trusted with the organization’s data and that of its clients. Once employees are hired, they should be kept from slipping into the category of “disgruntled employee.” Finally, policies must be developed to address the inevitable point in the future when an employee leaves the organization—either on his or her own or with the “encouragement” of the organization itself. Security issues must be considered at each of these points.

Many organizations overlook the security implications that decisions by Human Resources may have. Human Resources personnel and security personnel should have a close working relationship. Decisions on the hiring and firing of personnel have direct security implications for the organization. As a result, procedures should be in place that specify which actions must be taken when an employee is hired, is terminated, or retires.

Code of Ethics

Numerous professional organizations have established codes of ethics for their members. Each of these describes the expected behavior of their members from a high-level standpoint. Organizations can adopt this idea as well. For organizations, a code of ethics can set the tone for how employees will be expected to act and to conduct business. The code should demand honesty from employees and require that they perform all activities in a professional manner. The code could also address principles of privacy and confidentiality and state how employees should treat client and organizational data. Conflicts of interest can often cause problems, so this could also be covered in the code of ethics.

By outlining a code of ethics, the organization can encourage an environment that is conducive to integrity and high ethical standards. For additional ideas on possible codes of ethics, check professional organizations such as the Institute for Electrical and Electronics Engineers (IEEE), the Association for Computing Machinery (ACM), or the Information Systems Security Association (ISSA).

Job Rotation

An interesting approach to enhance security that is gaining increasing attention is job rotation. Organizations often discuss the benefits of rotating individuals through various jobs in an organization’s IT department. By rotating through jobs, individuals gain a better perspective on how the various parts of IT can enhance (or hinder) the business. Since security is often a misunderstood aspect of IT, rotating individuals through security positions can result in a much wider understanding throughout the organization about potential security problems. It also can have the side benefit of
a company not having to rely on any one individual too heavily for security expertise. If all security tasks are the domain of one employee, and that individual leaves suddenly, security at the organization could suffer. On the other hand, if security tasks are understood by many different individuals, the loss of any one individual has less of an impact on the organization.

Employee Hiring and Promotions

It is becoming common for organizations to run background checks on prospective employees and to check the references prospective employees supply. Frequently, organizations require drug testing, check for any past criminal activity, verify claimed educational credentials, and confirm reported work history. For highly sensitive environments, special security background investigations can also be required. Make sure that your organization hires the most capable and trustworthy employees, and that your policies are designed to ensure this.

After an individual has been hired, your organization needs to minimize the risk that the employee will ignore company rules and affect security. Periodic reviews by supervisory personnel, additional drug checks, and monitoring of activity during work may all be considered by the organization. If the organization chooses to implement any of these reviews, this must be specified in the organization’s policies, and prospective employees should be made aware of these policies before being hired. What an organization can do in terms of monitoring and requiring drug tests, for example, can be severely restricted if not spelled out in advance as terms of employment. New hires should be made aware of all pertinent policies, especially those applying to security, and should be asked to sign documents indicating that they have read and understood them.

Tech Tip: Hiring Hackers

Hiring a skilled hacker may make sense from a technical skills point of view, but an organization also has to consider the broader ethical and business consequences and associated risks. Is the hacker completely reformed or not? How much time is needed to determine this? The real question is not “Would you hire a hacker?” but rather “Can you fire a hacker once he has had access to your systems?” Trust is an important issue with employees who have system administrator access, and the long-term ramifications need to be considered.

Occasionally an employee’s status will change within the company. If the change can be construed as a negative personnel action (such as a demotion), supervisors should be alerted to watch for changes in behavior that might indicate the employee is contemplating or conducting unauthorized activity. It is likely that the employee will be upset, and whether he acts on this to the detriment of the company is something that needs to be guarded against. In the case of a demotion, the individual may also lose certain privileges or access rights, and these changes should be made quickly so as to lessen the likelihood that the employee will destroy previously accessible data if he becomes disgruntled and decides to take revenge on the organization. On the other hand, if the employee is promoted, privileges may still change, but the need to make the change to access privileges may not be as urgent, though it should still be accomplished as quickly as possible. If the move is a lateral one, changes may also need to take place, and again they should be accomplished as quickly as possible.

Tech Tip: Accounts of Former Employees

When conducting security assessments of organizations, security professionals frequently find active accounts for individuals who no longer work for the company. This is especially true for larger organizations, which may lack a clear process for the personnel office to communicate with the network administrators when an employee leaves the organization. These old accounts, however, are a weak point in the security perimeter for the organization and should be eliminated.

Retirement, Separation, or Termination of an Employee

An employee leaving an organization can be either a positive or a negative action. Employees who are retiring by their own choice may announce their planned retirement weeks or even months in advance. Limiting their access to sensitive documents the moment they announce their intention may be the safest thing to do, but it might not be necessary. Each situation should be evaluated individually. If the situation is a forced retirement, the organization must determine the risk to its data if the employee becomes disgruntled as a result of the action. In this situation, the wisest choice might be to cut off the employee’s access quickly and provide her with some additional vacation time. This might seem like an expensive proposition, but the danger to the company of having a disgruntled employee may justify it. Again, each case should be evaluated individually.

When an employee decides to leave a company, generally as a result of a new job offer, continued access to sensitive information should be carefully considered. If the employee is leaving as a result of hard feelings toward the company, it might be wise to quickly revoke her access privileges.

If the employee is leaving the organization because he is being terminated, you should assume that he is or will become disgruntled. While it may not seem the friendliest thing to do, an employee in this situation should immediately have his access privileges to sensitive information and facilities revoked.
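The lingering accounts of former employees described above are found the same way an assessor finds them: by reconciling the directory against the HR roster. The following is an added example, not code from the book, of such a reconciliation run as a routine control. The employee and account records are constructed sample data, and the severity labels (a logon after the separation date is rated higher than an idle but still-enabled account) are an assumption made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    status: str                        # "active" or "separated"
    separated_on: Optional[date] = None


@dataclass(frozen=True)
class Account:
    username: str
    owner_id: Optional[str]            # HR employee id recorded on the account
    enabled: bool
    last_logon: Optional[date]


def review_accounts(roster, accounts, today: date) -> list:
    """Cross-reference enabled accounts against the HR roster.

    Returns (username, severity, reason) tuples for accounts that should be
    disabled or whose ownership must be confirmed. Disabled accounts are
    skipped; accounts with no matching HR record are reported so that service
    accounts and stale records get an owner or get removed."""
    by_id = {e.emp_id: e for e in roster}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue                                   # already disabled
        owner = by_id.get(acct.owner_id) if acct.owner_id else None
        if owner is None:
            findings.append((acct.username, "medium",
                             "no HR record for owner; confirm ownership or disable"))
        elif owner.status == "separated":
            if acct.last_logon and acct.last_logon > owner.separated_on:
                # Use after separation is the worst case: treat as possible misuse.
                findings.append((acct.username, "high",
                                 f"logon on {acct.last_logon} after separation on {owner.separated_on}"))
            else:
                days = (today - owner.separated_on).days
                findings.append((acct.username, "medium",
                                 f"owner separated {days} days ago; account still enabled"))
    return sorted(findings)


# Constructed sample data: an HR roster, a directory export, and the review date.
SAMPLE_ROSTER = [
    Employee("E100", "Alice", "active"),
    Employee("E101", "Bob", "separated", date(2024, 1, 15)),
    Employee("E102", "Carol", "separated", date(2024, 2, 1)),
]
SAMPLE_ACCOUNTS = [
    Account("alice", "E100", True, date(2024, 3, 1)),
    Account("bob", "E101", True, date(2024, 2, 10)),       # used after leaving
    Account("carol", "E102", True, date(2024, 1, 20)),     # idle but still enabled
    Account("dave", "E103", True, date(2024, 3, 4)),       # no HR record
    Account("svc_backup", None, True, date(2024, 3, 4)),   # service account, no owner
    Account("old_tmp", "E101", False, None),               # already disabled
]
TODAY = date(2024, 3, 5)


def sample_findings() -> list:
    """Run the review over the constructed sample data."""
    return review_accounts(SAMPLE_ROSTER, SAMPLE_ACCOUNTS, TODAY)


if __name__ == "__main__":
    for username, severity, reason in sample_findings():
        print(f"[{severity}] {username}: {reason}")
```

Run on a schedule, the "high" finding is the one to act on first, since it means an account the organization believed was dormant was actually used after the person left; the "medium" findings are the off-boarding process failures the Tech Tip describes and belong on the ticket to the personnel office as much as to the administrators.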
Combinations should also be quickly changed once an employee has been informed of their termination. Access cards, keys, and badges should be collected; the employee should be escorted to her desk and watched as she packs personal belongings; and then she should be escorted from the building.

It is better to give a potentially disgruntled employee several weeks of paid vacation than to have him trash sensitive files to which he has access. Because employees typically know the pattern of management behavior with respect to termination, doing the right thing will pay dividends in the future for a firm.

Organizations commonly neglect to have a policy that mandates the removal of an individual’s computer access upon termination. Not only should such a policy exist, but it should also include the procedures to reclaim and “clean” a terminated employee’s computer system and accounts.

Mandatory Vacations

Organizations have provided vacation time to their employees for many years. Few, however, force employees to take this time if they don’t want to. At some companies, employees are given the choice to either “use or lose” their vacation time; if they do not take all of their vacation time, they lose at least a portion of it. From a security standpoint, an employee who never takes time off might be involved in nefarious activity, such as fraud or embezzlement, and might be afraid that if he leaves on vacation, the organization will discover his illicit activities. As a result, requiring employees to use their vacation time through a policy of mandatory vacations can be a security protection mechanism. Using mandatory vacations as a tool to detect fraud will require that somebody else also be trained in the functions of the employee who is on vacation. Having a second person familiar with security procedures is also a good policy in case something happens to the primary employee.

On-boarding/Off-boarding Business Partners

Just as it is important to manage the on- and off-boarding processes of company personnel, it is important to consider the same types of elements when making arrangements with third parties. Agreements with business partners tend to be fairly specific with respect to terms associated with mutual expectations associated with the process of the business. Considerations regarding the on-boarding and off-boarding processes are important, especially the off-boarding. When a contract arrangement with a third party comes to an end, issues as to data retention and destruction by the third party need to be addressed. These considerations need to be made prior to the establishment of the relationship, not added at the time that it is coming to an end.

On-boarding and off-boarding business procedures should be well documented to ensure compliance with legal requirements.

Social Media Networks

The rise of social media networks has changed many aspects of business. Whether used for marketing, communications, customer relations, or some other purpose, social media networks can be considered a form of third party. One of the challenges in working with social media networks and/or applications is their terms of use. While a relationship with a typical third party involves a negotiated set of agreements with respect to requirements, there is no negotiation with social media networks. The only option is to adopt their terms of service, so it is important to understand the implications of these terms with respect to the business use of the social network.

Acceptable Use Policy

An acceptable use policy (AUP) outlines what the organization considers to be the appropriate use of company resources, such as computer systems, e-mail, Internet access, and networks. Organizations should be concerned about personal use of organizational assets that does not benefit the company. The goal of the AUP is to ensure employee productivity while limiting organizational liability through inappropriate use of the organization’s assets. The AUP should clearly delineate what activities are not allowed. It should address issues such as the use of resources to conduct personal business, installation of hardware or software, remote access to systems and networks, the copying of company-owned software, and the responsibility of users to protect company assets, including data, software, and hardware. Statements regarding possible penalties for ignoring any of the policies (such as termination) should also be included.

In today’s highly connected environment, every organization should have an AUP that spells out to all employees what the organization considers appropriate and inappropriate use of its computing and network resources. Having this policy may be critical should the organization need to take disciplinary actions based on an abuse of its resources.

Related to appropriate use of the organization’s computer systems and networks by employees is the appropriate use by the organization. The most important of such issues is whether the organization considers it appropriate to monitor the employees’ use of the systems and network. If monitoring is considered appropriate, the organization should include a statement to this effect in the banner that appears at login. This repeatedly warns employees, and possible intruders, that their actions are subject to monitoring and that any misuse of the system will not be tolerated. Should the organization need to use in a civil or criminal case any information gathered during monitoring, the issue of whether the employee had an expectation of privacy, or whether it was even legal for the organization to be monitoring, is simplified if the organization can point to a statement that is always displayed that instructs users that use of the system constitutes consent to monitoring. Before any monitoring is conducted, or the actual wording on the warning message is created, the organization’s legal counsel should be consulted to determine the appropriate way to address this issue in the particular jurisdiction.

Internet Usage Policy

In today’s highly connected environment, employee use of access to the Internet is of particular concern. The goal of the Internet usage policy is to ensure maximum employee productivity and to limit potential liability to the organization from inappropriate use of the Internet in a workplace. The Internet provides a tremendous temptation for employees to waste hours as they surf the Web for the scores of games from the previous night, conduct quick online stock transactions, or read the review of the latest blockbuster movie everyone is talking about. In addition, allowing employees to visit sites that may be considered offensive to others (such as pornographic or hate sites) can open the company to accusations of condoning a hostile work environment and result in legal liability.

The Internet usage policy needs to address what sites employees are allowed to visit and what sites they are not allowed to visit. If the company allows them to surf the Web during nonwork hours, the policy needs to clearly spell out the acceptable parameters, in terms of when they are allowed to do this and what sites they are still prohibited from visiting (such as potentially offensive sites). The policy should also describe under what circumstances an employee would be allowed to post something from the organization’s network on the Web (on a blog, for example). A necessary addition to this policy would be the procedure for an employee to follow to obtain permission to post the object or message.

E-Mail Usage Policy

Related to the Internet usage policy is the e-mail usage policy, which deals with what the company will allow employees to send in, or as attachments to, e-mail messages. This policy should spell out whether nonwork e-mail traffic is allowed at all or is at least severely restricted. It needs to cover the type of message that would be considered inappropriate to send to other employees (for example, no offensive language, no sex-related or ethnic jokes, no harassment, and so on). The policy should also specify any disclaimers that must be attached to an employee’s message sent to an individual outside the company. The policy should remind employees of the risks of clicking on links in e-mails, or opening attachments, as these can be social engineering attacks.

Clean Desk Policy

Preventing access to information is also important in the work area. Firms with sensitive information should have a “clean desk policy” specifying that sensitive information must not be left unsecured in the work area when the worker is not present to act as custodian. Even leaving the desk area and going to the bathroom can leave information exposed and subject to compromise. The clean desk policy should identify and prohibit things that are not obvious upon first glance, such as passwords on sticky notes under keyboards and mouse pads or in unsecured desk drawers. All of these elements that demonstrate the need for a clean desk are lost if employees do not make them personal. Training for clean desk activities needs to make the issue a personal one, where consequences are understood and the workplace reinforces the positive activity.

Bring Your Own Device (BYOD) Policy

Everyone seems to have a smartphone, a tablet, or other personal Internet device that they use in their personal lives. Bringing these to work is a natural extension of one’s normal activities, but this raises the question of what policies are appropriate before a firm allows these devices to connect to the corporate network and access company data. Like all other policies, planning is needed to define the appropriate pathway to the company objectives. Personal devices offer cost savings and positive user acceptance, and in many cases these factors make allowing BYOD a sensible decision.

The primary purpose of a BYOD policy is to lower the risk associated with connecting a wide array of personal devices to a company’s network and accessing sensitive data on them. This places security, in the form of risk management, as a central element of a BYOD policy. Devices need to be maintained in a current, up-to-date software posture, and with certain security features, such as screen locks and passwords enabled. Remote wipe and other features should be enabled, and highly sensitive data, especially in aggregate, should not be allowed on the devices. Users should have specific training as to what is allowed and what isn’t and should be made aware of the increased responsibility associated with a mobile means of accessing corporate resources.

In some cases it may be necessary to define a policy associated with personally owned devices. This policy will describe the rules and regulations associated with use of personally owned devices with respect to corporate data, network connectivity, and security risks.
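The BYOD requirements just listed (current software, screen lock and passcode enabled, remote wipe available, and no highly sensitive data on the device) are concrete enough to be checked mechanically against a device inventory before a device is allowed to touch company data. The following is an added example, not code from the book; the approved platforms, the minimum OS versions, the classification level barred from personal devices, and the sample devices are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Policy minima. These values are assumptions for this example; a real policy
# would take the OS floor from the vendor's current support status.
POLICY = {
    "min_os": {"ios": (17, 0), "android": (13, 0)},
    # Classification levels that may never be stored on a personal device.
    "blocked_levels": {"Company Confidential"},
}


@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str
    platform: str
    os_version: tuple      # e.g. (17, 4); tuples compare component-wise
    screen_lock: bool
    passcode_set: bool
    remote_wipe: bool      # enrolled so the company can wipe it remotely


def fmt(version: tuple) -> str:
    return ".".join(str(part) for part in version)


def evaluate(device: Device, policy: dict = POLICY) -> list:
    """Return the list of policy violations for a device; empty means compliant."""
    problems = []
    min_os = policy["min_os"].get(device.platform)
    if min_os is None:
        problems.append(f"platform {device.platform} is not approved")
    elif device.os_version < min_os:
        problems.append(f"OS {fmt(device.os_version)} below required {fmt(min_os)}")
    if not device.screen_lock:
        problems.append("screen lock disabled")
    if not device.passcode_set:
        problems.append("no passcode set")
    if not device.remote_wipe:
        problems.append("remote wipe not enrolled")
    return problems


def access_decision(device: Device, data_level: str, policy: dict = POLICY) -> tuple:
    """Decide whether this device may access data of the given classification.

    Returns ("allow" | "deny", reasons). A fully compliant device is still
    refused data whose level is barred from personal devices."""
    reasons = evaluate(device, policy)
    if data_level in policy["blocked_levels"]:
        reasons.append(f"{data_level} data may not be stored on personal devices")
    return ("deny" if reasons else "allow", reasons)


# Constructed sample inventory.
SAMPLE_DEVICES = [
    Device("D1", "alice", "ios", (17, 4), True, True, True),
    Device("D2", "bob", "android", (12, 0), True, True, False),
    Device("D3", "carol", "windows-phone", (8, 1), True, False, False),
]


def report(devices=SAMPLE_DEVICES, data_level: str = "Proprietary") -> dict:
    """Map each device id to its (verdict, reasons) for the requested data level."""
    return {d.device_id: access_decision(d, data_level) for d in devices}


if __name__ == "__main__":
    for dev_id, (verdict, why) in report().items():
        print(dev_id, verdict, "; ".join(why) or "compliant")
```

Returning every violation rather than stopping at the first gives the user one actionable list (update the OS and enrol in remote wipe), and keeping the data-level rule separate from device hygiene makes the "no highly sensitive data on personal devices" requirement visible as its own denial reason rather than hidden among configuration faults.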
Privacy Policy

Customers place an enormous amount of trust in organizations to which they provide personal information. These customers expect their information to be kept secure so that unauthorized individuals will not gain access to it and so that authorized users will not use the information in unintended ways. Organizations should have a privacy policy that explains what their guiding principles will be in guarding personal data to which they are given access.

A special category of private information that is becoming increasingly important today is personally identifiable information (PII). This category of information includes any data that can be used to uniquely identify an individual. This would include an individual’s name, address, driver’s license number, and other details. An organization that collects PII on its employees and customers must make sure that it takes all necessary measures to protect the data from compromise.

Cross Check: Privacy

Privacy is an important consideration in today’s computing environment. As such, it has been given its own chapter, Chapter 25. Additional details on privacy issues can be found there.

Due Care and Due Diligence

Due care and due diligence are terms used in the legal and business community to define reasonable behavior. Basically, the law recognizes the responsibility of an individual or organization to act reasonably relative to another party. If party A alleges that the actions of party B have caused it loss or injury, party A must prove that party B failed to exercise due care or due diligence and that this failure resulted in the loss or injury. These terms often are used synonymously, but due care generally refers to the standard of care a reasonable person is expected to exercise in all situations, whereas due diligence generally refers to the standard of care a business is expected to exercise in preparation for a business transaction. An organization must take reasonable precautions before entering a business transaction or it might be found to have acted irresponsibly.

In terms of security, organizations are expected to take reasonable precautions to protect the information that they maintain on individuals. Should a person suffer a loss as a result of negligence on the part of an organization in terms of its security, that person typically can bring a legal suit against the organization. The standard applied—reasonableness—is extremely subjective and often is determined by a jury. The organization will need to show that it had taken reasonable precautions to protect the information, and that, despite these precautions, an unforeseen security event occurred that caused the injury to the other party. Since this is so subjective, it is hard to describe what would be considered reasonable, but many sectors have a set of “security best practices” for their industry, which provides a basis for organizations in that sector to start from. If the organization decides not to follow any of the best practices accepted by the industry, it needs to be prepared to justify its reasons in court should an incident occur. If the sector the organization is in has regulatory requirements, justifying why the mandated security practices were not followed will be much more difficult (if not impossible).

Tech Tip: Prudent Person Principle

The concepts of due care and due diligence are connected. Due care addresses whether the organization has a minimal set of policies that provides reasonable assurance of success in maintaining security. Due diligence requires that management actually do something to ensure security, such as implement procedures for testing and review of audit records, internal security controls, and personnel behavior. The standard applied is one of a “prudent person”; would a prudent person find the actions appropriate and sincere? To apply this standard, all one has to do is ask the following question for the issue under consideration: “What would a prudent person do to protect and ensure that the security features and procedures are working or adequate?” Failure of a security feature or procedure doesn’t necessarily mean the person acted imprudently. Due diligence is the application of a specific standard of care. Due care is the degree of care that an ordinary person would exercise.

Due Process

Due process is concerned with guaranteeing fundamental fairness, justice, and liberty in relation to an individual’s legal rights. In the United States, due process is concerned with the guarantee of an individual’s rights as outlined by the Constitution and Bill of Rights. Procedural due process is based on the concept of what is “fair.” Also of interest is the recognition by courts of a series of rights that are not explicitly specified by the Constitution but that the courts have decided are implicit in the concepts embodied by the Constitution. An example of this is an individual’s right to privacy. From an organization’s point of view, due process may come into play during an administrative action that adversely affects an employee. Before an employee is terminated, for example, were all of the employee’s rights protected? An actual example pertains to the rights of privacy regarding employees’ e-mail messages. As the number of cases involving employers examining employee e-mails grows, case law continues to be established and the courts eventually will settle on what rights an employee can expect. The best thing an employer can do if faced with this sort of situation is to work closely with HR staff to ensure that appropriate policies are followed and that those policies are in keeping with current laws and regulations.

Incident Response Policies and Procedures

No matter how careful an organization is, eventually a security incident of some sort will occur. When it happens, how effectively the organization responds to it will depend greatly on how prepared it is to handle incidents. An incident response policy and associated procedures should be developed to outline how the organization will prepare for security incidents and respond to them when they occur. Waiting until an incident happens is not the right time to establish your policies—they need to be designed in advance. The incident response policy should cover five phases: preparation, detection, containment and eradication, recovery, and follow-up actions.
  • 48.
    Cross Check Incident Response Incidentresponse is covered in detail in Chapter 22. This section serves only as an introduction to policy elements associated with the topic. For complete details on incident response, please examine Chapter 22. ■■ Security Awareness and Training Security awareness and training programs can enhance an organization’s security posture in two direct ways. First, they teach personnel how to fol- low the correct set of actions to perform their duties in a secure manner. Second, they make personnel aware of the indicators and effects of social engineering attacks. 03-ch03.indd 54 03/11/15 5:20 pm Chapter 3: Operational and Organizational SecurityPrinciples of Computer Security 54 55 BaseTech / Principles of Computer Security, Fourth Edition / Conklin / 597-0 / Chapter 3 There are many tasks that employees perform that can have information security ramifications. Properly trained employees are able to
  • 49.
    perform their duties ina more effective manner, including their duties associated with information security. The extent of information security training will vary depending on the organization’s environment and the level of threat, but initial employee security training at the time of being hired is important, as is periodic refresher training. A strong security education and awareness training program can go a long way toward reducing the chance that a social engineering attack will be successful. Security awareness programs and campaigns, which might include seminars, videos, posters, newsletters, and similar materials, are also fairly easy to implement and are not very costly. Security Policy Training and Procedures Personnel cannot be expected to perform complex tasks without training with respect to the tasks and expectations. This applies both to the security policy and to operational security details. If employees are going to be expected to comply with the organization’s security policy, they must be properly trained in its purpose, meaning, and objectives. Training with respect to the information security policy, individual responsibilities, and expectations is something that requires periodic reinforcement through refresher training.
  • 50.
Because the security policy is a high-level directive that sets the overall support and executive direction with respect to security, it is important that the meaning of this message be translated and supported. Second-level policies such as password, access, information handling, and acceptable use policies also need to be covered. The collection of policies should paint a picture describing the desired security culture of the organization. The training should be designed to ensure that people see and understand the whole picture, not just the elements.

Role-based Training
For training to be effective, it needs to be targeted to the user with regard to their role in the subject of the training. While all employees may need general security awareness training, they also need specific training in areas where they have individual responsibilities. Role-based training with regard to information security responsibilities is an important part of information security training. If a person has job responsibilities that may impact information security, then role-specific training is needed to ensure that the individual understands the responsibilities as they relate to information security. Some roles, such as system administrator or developer, have clearly defined information security responsibilities. The roles of others, such as project manager or purchasing manager, have information security impacts that are less obvious, but these roles require training as well. In fact, the less-obvious but wider-impact roles of middle management can have a large effect on the information security culture, and thus if a specific outcome is desired, it requires training. As in all personnel-related training, two elements need attention. First, retraining over time is necessary to ensure that personnel keep proper levels of knowledge. Second, as people change jobs, a reassessment of the required training basis is needed, and additional training may be required. Maintaining accurate training records of personnel is the only way this can be managed in any significant enterprise.

Compliance with Laws, Best Practices, and Standards
There is a wide array of laws, regulations, contractual requirements, standards, and best practices associated with information security. Each places its own set of requirements upon an organization and its personnel. The only effective way for an organization to address these requirements is to build them into its own policies and procedures. Training to one’s own policies and procedures would then translate into coverage of these external requirements. It is important to note that many of these external requirements impart a specific training and awareness component upon the organization. Organizations subject to the requirements of the Payment Card Industry Data Security Standard (PCI DSS), Gramm-Leach-Bliley Act (GLBA), or Health Insurance Portability and Accountability Act (HIPAA) are among the many that must maintain a specific information security training program. Other organizations should do so as a matter of best practice.

User Habits
Individual user responsibilities vary between organizations and the type of business each organization is involved in, but there are certain very basic responsibilities that all users should be instructed to adopt:
  • 53.
■■ Lock the door to your office or workspace, including drawers and cabinets.
■■ Do not leave sensitive information inside your car unprotected.
■■ Secure storage media containing sensitive information in a secure storage device.
■■ Shred paper containing organizational information before discarding it.
■■ Do not divulge sensitive information to individuals (including other employees) who do not have an authorized need to know it.
■■ Do not discuss sensitive information with family members. (The most common violation of this rule occurs in regard to HR information, as employees, especially supervisors, may complain to their spouse or friends about other employees or about problems that are occurring at work.)
■■ Protect laptops and other mobile devices that contain sensitive or important organization information wherever the device may be stored or left. (It’s a good idea to ensure that sensitive information is encrypted on the laptop or mobile device so that, should the equipment be lost or stolen, the information remains safe.)
■■ Be aware of who is around you when discussing sensitive corporate information. Does everybody within earshot have the need to hear this information?
■■ Enforce corporate access control procedures. Be alert to, and do not allow, piggybacking, shoulder surfing, or access without the proper credentials.
■■ Be aware of the correct procedures to report suspected or actual violations of security policies.
■■ Follow procedures established to enforce good password security practices. Passwords are such a critical element that they are frequently the ultimate target of a social engineering attack. Though such password procedures may seem too oppressive or strict, they are often the best line of defense.

User habits are a front-line security tool in engaging the workforce to improve the overall security posture of an organization.

Exam Tip: User responsibilities are easy training topics about which to ask questions on the CompTIA Security+ exam, so commit to memory your knowledge of the points listed here.

New Threats and Security Trends/Alerts
At the end of the day, information security practices are about managing risk, and it is well known that the risk environment is one marked by constant change. The ever-evolving threat environment frequently encounters new threats, new security issues, and new forms of defense. Training people to recognize the new threats necessitates continual awareness and training refresher events.

New Viruses
New forms of viruses, or malware, are being created every day. Some of these new forms can be highly destructive and costly, and it is incumbent upon all users to be on the lookout for and take actions to avoid exposure. Poor user practices are counted on by malware authors to assist in the spread of their attacks. One way of explaining proper actions to users is to use an analogy to cleanliness. Training users to practice good hygiene in their actions can go a long way toward assisting the enterprise in defending against these attack vectors.

Phishing Attacks
The best defense against phishing and other social engineering attacks is an educated and aware body of employees. Continual refresher training about the topic of social engineering and specifics about current attack trends are needed to keep employees aware of and prepared for new trends in social engineering attacks. Attackers rely upon an uneducated, complacent, or distracted workforce to enable their attack vector. Social engineering has become the gateway for many of the most damaging attacks in play today. Social engineering is covered extensively in Chapter 4.

Social Networking and P2P
With the rise in popularity of peer-to-peer (P2P) communications and social networking sites—notably Facebook, Twitter, and LinkedIn—many people have gotten into a habit of sharing too much information. Using a status of “Returning from sales call to XYZ company” reveals information to people who have no need to know this information. Confusing sharing with friends and sharing business information with those who don’t need to know is a line people are crossing on a regular basis. Don’t be the employee who mixes business and personal information and releases information to parties who should not have it, regardless of how innocuous it may seem. Users need to understand the importance of not using common programs such as torrents and other file sharing in the workplace, as these programs can result in infection mechanisms and data-loss channels. The information security training and awareness program should cover these issues. If the issues are properly explained to employees, their motivation to comply won’t simply be to avoid adverse personnel action for violating a policy; they will want to assist in the security of the organization and its mission.

Training Metrics and Compliance
Training and awareness programs can yield much in the way of an educated and knowledgeable workforce. Many laws, regulations, and best practices have requirements for maintaining a trained workforce. Having a record-keeping system to measure compliance with attendance and to measure the effectiveness of the training is a normal requirement. Simply conducting training is not sufficient. Following up and gathering training metrics to validate compliance and security posture is an important aspect of security training management. A number of factors deserve attention when managing security training. Because of the diverse nature of role-based requirements, maintaining an active, up-to-date listing of individual training and retraining requirements is one challenge. Monitoring the effectiveness of the training is yet another challenge. Creating an effective training and awareness program when measured by actual impact on employee behavior is a challenging endeavor. Training needs to be current, relevant, and interesting to engage employee attention. Simple repetition of the same training material has not proven to be effective, so regularly updating the program is a requirement if it is to remain effective over time.

Tech Tip: Security Training Records
Requirements for both periodic training and retraining drive the need for good training records. Maintaining proper information security training records is a requirement of several laws and regulations and should be considered a best practice.

■■ Interoperability Agreements
Many business operations involve actions between many different parties—some within an organization, and some in different organizations. These actions require communication between the parties, defining the responsibilities and expectations of the parties, the business objectives, and the environment within which the objectives will be pursued. To ensure an agreement is understood between the parties, written agreements are used. Numerous forms of legal agreements and contracts are used in business, but with respect to security, some of the most common ones are the service level agreement, business partnership agreement, memorandum of understanding, and interconnection security agreement.
  • 60.
Service Level Agreements
Service level agreements (SLAs) are contractual agreements between entities that describe specified levels of service that the servicing entity agrees to guarantee for the customer. SLAs essentially set the requisite level of performance of a given contractual service. SLAs are typically included as part of a service contract and set the level of technical expectations. An SLA can define specific services, the performance level associated with a service, issue management and resolution, and so on. SLAs are negotiated between customer and supplier and represent the agreed-upon terms. An organization contracting with a service provider should remember to include in the agreement a section describing the service provider’s responsibility in terms of business continuity and disaster recovery. The provider’s backup plans and processes for restoring lost data should also be clearly described. Typically, a good SLA will satisfy two simple rules. First, it will describe the entire set of product or service functions in sufficient detail that their requirement will be unambiguous. Second, the SLA will provide a clear means of determining whether a specified function or service has been provided at the agreed-upon level of performance.

Business Partnership Agreement
A business partnership agreement (BPA) is a legal agreement between partners establishing the terms, conditions, and expectations of the relationship between the partners. These details can cover a wide range of issues, including typical items such as the sharing of profits and losses, the responsibilities of each partner, the addition or removal of partners, and any other issues. The Uniform Partnership Act (UPA), established by state law and convention, lays out a uniform set of rules associated with partnerships to resolve any partnership terms. The terms in a UPA are designed as “one size fits all” and are not typically in the best interest of any specific partnership. To avoid undesired outcomes that may result from UPA terms, it is best for partnerships to spell out specifics in a BPA.

Memorandum of Understanding
A memorandum of understanding (MOU) is a legal document used to describe a bilateral agreement between parties. It is a written agreement expressing a set of intended actions between the parties with respect to some common pursuit or goal. It is more formal and detailed than a simple handshake, but it generally lacks the binding powers of a contract. It is also common to find MOUs between different units within an organization to detail expectations associated with the common business interest.

Interconnection Security Agreement
An interconnection security agreement (ISA) is a specialized agreement between organizations that have interconnected IT systems, the purpose of which is to document the security requirements associated with the interconnection. An ISA can be a part of an MOU detailing the specific technical security aspects of a data interconnection.

Exam Tip: Be sure you understand the differences between the interoperability agreements SLA, BPA, MOU, and ISA. The differences hinge upon the purpose for each document.
  • 63.
■■ The Security Perimeter
The discussion to this point has not included any mention of the specific technology used to enforce operational and organizational security or a description of the various components that constitute the organization’s security perimeter. If the average administrator were asked to draw a diagram depicting the various components of their network, the diagram would probably look something like Figure 3.1. This diagram includes the major components typically found in a network. The connection to the Internet generally has some sort of protection attached to it such as a firewall. An intrusion detection system (IDS), also often part of the security perimeter for the organization, may be either on the inside or the outside of the firewall, or it may in fact be on both sides. The specific location depends on the company and what it is more concerned about preventing (that is, insider threats or external threats). The router can also be thought of as a security device, as it can be used to enhance security such as in the case of wireless routers that can be used to enforce encryption settings. Beyond this security perimeter is the corporate network. Figure 3.1 is obviously a very simple depiction—an actual network can have numerous subnets and extranets as well as wireless access points—but the basic components are present.

[Figure 3.1 Basic diagram of an organization’s network: the Internet, router, firewall, IDS, corporate LAN]

Unfortunately, if this were the diagram provided by the administrator to show the organization’s basic network structure, the administrator would have missed a very important component. A more astute administrator would provide a diagram more like Figure 3.2. This diagram includes other possible access points into the network, including the public switched telephone network (PSTN) and wireless access points. The organization may or may not have any authorized modems or wireless networks, but the savvy administrator would realize that the potential exists for unauthorized versions of both. When considering the policies, procedures, and guidelines needed to implement security for the organization, both networks need to be considered. Another development that has brought the telephone and computer networks together is the implementation of voice over IP (VoIP), which eliminates the traditional land lines in an organization and replaces them with special telephones that connect to the IP data network.

[Figure 3.2 A more complete diagram of an organization’s network: the Internet, router, firewall, IDS, wireless access point, corporate LAN, corporate PBX, modem, telephones, the PSTN]

The security perimeter, with its several layers of security, along with additional security mechanisms that may be implemented on each system (such as user IDs/passwords), creates what is sometimes known as defense-in-depth. This implies that security is enhanced when there are multiple layers of security (the depth) through which an attacker would have to penetrate to reach the desired goal.

An increasing number of organizations are implementing VoIP solutions to bring the telephone and computer networks together. While there are some tremendous advantages to doing this in terms of both increased capabilities and potential monetary savings, bringing the two networks together may also introduce additional security concerns.

Another common method to access organizational networks today is through wireless access points. These may be provided by the organization itself to enhance productivity, or they may be attached to the network by users without organizational approval. The impact of all of these additional methods that can be used to access a network is to increase the complexity of the security problem.

While Figure 3.2 provides a more comprehensive view of the various components that need to be protected, it is still incomplete. Most experts will agree that the biggest danger to any organization does not come from external attacks but rather from the insider—a disgruntled employee or somebody else who has physical access to the facility. Given physical access to an office, the knowledgeable attacker will quickly find the information needed to gain access to the organization’s computer systems and network. Consequently, every organization also needs security policies, procedures, and guidelines that cover physical security, and every security administrator should be concerned with these as well. While physical security (which can include such things as locks, cameras, guards and entry points, alarm systems, and physical barriers) will probably not fall under the purview of the security administrator, the operational state of the organization’s physical security measures is just as important as many of the other network-centric measures.

■■ Physical Security
Physical security consists of all mechanisms used to ensure that physical access to the computer systems and networks is restricted to only authorized users. Additional physical security mechanisms may be used to provide increased security for especially sensitive systems such as servers and devices such as routers, firewalls, and intrusion detection systems. When considering physical security, access from all six sides should be considered—not only should the security of obvious points of entry be examined, such as doors and windows, but the walls themselves as well as the floor and ceiling should also be considered. Questions such as the following should be addressed:
■■ Is there a false ceiling with tiles that can be easily removed?
■■ Do the walls extend to the actual ceiling or only to a false ceiling?
■■ Is there a raised floor?
■■ Do the walls extend to the actual floor, or do they stop at a raised floor?
■■ How are important systems situated?
■■ Do the monitors face away from windows, or could the activity of somebody at a system be monitored?
■■ Who has access to the facility?
  • 69.
■■ What type of access control is there, and are there any guards?
■■ Who is allowed unsupervised access to the facility?
■■ Is there an alarm system or security camera that covers the area?
■■ What procedures govern the monitoring of the alarm system or security camera and the response should unauthorized activity be detected?

These are just some of the numerous questions that need to be asked when examining the physical security surrounding a system.

Physical Access Controls
The purpose of physical access controls is the same as that of computer and network access controls—you want to restrict access to only those who are authorized to have it. Physical access is restricted by requiring the individual to somehow authenticate that they have the right or authority to have the desired access. As in computer authentication, access in the physical world can be based on something the individual has, something they know, or something they are. Frequently, when dealing with the physical world, the terms “authentication” and “access control” are used interchangeably.

Tech Tip: Physical Security Is Also Important to Computer Security
Computer security professionals recognize that they cannot rely only on computer security mechanisms to keep their systems safe. Physical security must be maintained as well, because in many cases, if an attacker gains physical access, he can steal data and destroy the system.

The most common physical access control device, which has been around in some form for centuries, is a lock. Combination locks represent an access control device that depends on something the individual knows (the combination). Locks with keys depend on something the individual has (the key). Each of these has certain advantages and disadvantages. Combinations don’t require any extra hardware, but they must be remembered (which means individuals may write them down—a security vulnerability in itself) and are hard to control. Anybody who knows the combination may provide it to somebody else. Key locks are simple and easy to use, but the key may be lost, which means another key has to be made or the lock has to be rekeyed. Keys may also be copied, and their dissemination can be hard to control. Newer locks replace the traditional key with a card that must be passed through a reader or placed against it. The individual may also have to provide a personal access code, thus making this form of access both a something-you-know and something-you-have method.

In addition to locks on doors, other common physical security devices include video surveillance and even simple access control logs (sign-in logs). While sign-in logs don’t provide an actual barrier, they do provide a record of access and, when used in conjunction with a guard who verifies an individual’s identity, can dissuade potential adversaries from attempting to gain access to a facility. As mentioned, another common access control mechanism is a human security guard. Many organizations employ a guard to provide an extra level of examination of individuals who want to gain access to a facility. Other devices are limited to their designed function; a human guard can apply common sense to situations that might have been unexpected. Having security guards also addresses the common practice of piggybacking (aka tailgating), where an individual follows another person closely to avoid having to go through the access control procedures.

Biometrics
Access controls that utilize something you know (for example, combinations) or something you have (such as keys) are not the only methods to limit facility access to authorized individuals. A third approach is to utilize something unique about the individual—their fingerprints, for example—to identify them. Unlike the other two methods, the something-you-are method, known as biometrics, does not rely on the individual to either remember something or to have something in their possession. Biometrics is a more sophisticated access control approach and can be more expensive. Biometrics also suffer from false positives and false negatives, making them less than 100 percent effective. For this reason they are frequently used in conjunction with another form of authentication. The advantage is that the user always has them (they cannot be left at home or shared) and they tend to have better entropy than passwords. Other methods to accomplish biometrics include handwriting analysis, retinal scans, iris scans, voiceprints, hand geometry, and facial geometry.

Tech Tip: Physical and Information Security Convergence
In high-security sites, physical access controls and electronic access controls to information are interlocked. This means that before data can be accessed from a particular machine, the physical access control system must agree with the finding that the authorized party is present.

There are many similarities between authentication and access controls in computers and in the physical world. Remember the three common techniques for verifying a person’s identity and access privileges: something you know, something you have, and
  • 77.
    something about you. 03-ch03.indd62 03/11/15 5:20 pm Chapter 3: Operational and Organizational SecurityPrinciples of Computer Security 62 63 BaseTech / Principles of Computer Security, Fourth Edition / Conklin / 597-0 / Chapter 3 Both access to computer systems and networks and physical access to restricted areas can be controlled with biometrics. However, biometric methods for controlling physical access are generally not the same as those employed for restricting access to computer systems and networks. Hand geometry, for example, requires a fairly large device. This can easily be placed outside of a door to control access to the room but would not be as convenient to control access to a computer system, since a reader would need to be placed with each computer or at least with groups of computers. In a mobile environment where laptops are being used, a device such as a hand geometry reader would be unrealistic. Physical Barriers An even more common security feature than locks is a physical barrier.
Physical barriers help implement the physical-world equivalent of layered security. The outermost layer of physical security should contain the more publicly visible activities. A guard at a gate in a fence, for example, would be visible by all who happen to pass by. As you progress through the layers, the barriers and security mechanisms should become less publicly visible to make determining what mechanisms are in place more difficult for observers. Signs are also an important element in security, as they announce to the public which areas are public and which are private.

A man trap can also be used in this layered approach. It generally consists of a small space that is large enough for only one person at a time, with two locking doors. An individual has to enter the first door, close the first door, then attempt to open the second door. If unsuccessful, perhaps because they do not have the proper access code, the person can be caught inside this small location until security personnel show up.

In addition to walls and fences, open space can also serve as a barrier. While this may at first seem to be an odd statement, consider the use of large areas of open space around a facility. For an intruder to cross this open space takes time—time in which they are vulnerable and their presence may be discovered. In today's environment in which terrorist attacks have become more common, additional precautions should be taken for areas that may be considered a possible target for terrorist activity. In addition to open space, which is necessary to lessen the effect of explosions, concrete barriers that stop vehicles from getting too close to facilities should also be used. It is not necessary for these to be unsightly concrete walls; many facilities have placed large, round concrete circles, filled them with dirt, and then planted flowers and other plants to construct a large, immovable planter.

Tech Tip: Biometric Devices

Once only seen in spy or science fiction movies, biometrics such as hand and fingerprint readers, eye-scanning technology, and voiceprint devices are now becoming more common in the real world. The accuracy of these devices has improved and the costs have dropped, making them realistic solutions to many access control situations.

Tech Tip: Signs

Signs can be an effective control, warning unauthorized personnel not to enter, locating critical elements for first responders, and providing paths to exits in emergencies. Proper signage is an important aspect of physical security controls.

■■ Environmental Issues

Environmental issues may not at first seem to be related to security, but when considering the availability of a computer system or network, they must be taken into consideration. Environmental issues include items such as heating, ventilation, and air conditioning (HVAC) systems, electrical power, and the "environments of nature." HVAC systems are used to maintain the comfort of an office environment. A few years back, they were also critical for the smooth operation of computer systems that had low tolerances for humidity and heat. Today's desktop systems are much more tolerant, and the limiting factor is now often the human user. The exception to this HVAC limitation is when large quantities of equipment are co-located, in server rooms and network equipment closets. In these heat-dense areas, HVAC is needed to keep equipment temperatures within reasonable ranges. Often certain security devices such as firewalls and intrusion detection systems are located in these same equipment closets, and the loss of HVAC systems can cause these critical systems to fail. One interesting aspect of HVAC systems is that they themselves are often computer controlled and frequently provide remote access via telephone or network connections. These connections should be protected in a similar manner to computer modems, or else attackers may locate them and change the HVAC settings for an office or building.

Electrical power is obviously an essential requirement for computer systems and networks. Electrical power is subject to momentary surges and disruption. Surge protectors are needed to protect sensitive electronic equipment from fluctuations in voltage. An uninterruptible power supply (UPS) should be considered for critical systems so that a loss of power will not halt processing. The size of the batteries associated with a UPS will determine the amount of time that it can operate before it too loses power. Many sites ensure sufficient power to provide administrators the opportunity to cleanly bring the system or network down. For installations that require continuous operations, even in the event of a power outage, electric generators that automatically start when a loss of power is detected can be installed. These systems may take a few seconds to start before they reach full operation, so a UPS should also be considered to smooth the transition between normal and backup power.

Fire Suppression

Fires are a common disaster that can affect organizations and their computing equipment. Fire detection and fire suppression devices are two approaches to addressing this threat. Detectors can be useful because some may be able to detect a fire in its very early stages before a fire suppression system is activated, and they can potentially sound a warning. This warning could provide employees with the opportunity to deal with the fire before it becomes serious enough for the fire suppression equipment to kick in. Suppression systems come in several varieties, including sprinkler-based systems and gas-based systems. Standard sprinkler-based
systems are not optimal for data centers because water will ruin large electrical infrastructures and most integrated circuit–based devices—such as computers. Gas-based systems are a good alternative, though they also carry special concerns. More extensive coverage of fire detection and suppression is provided in Chapter 8.

HVAC systems for server rooms and network equipment closets are important because the dense equipment environment can generate significant amounts of heat. HVAC outages can result in temperatures that are outside equipment operating ranges, forcing shutdowns.

■■ Wireless

When someone talks about wireless communication, they generally are referring to cellular telephones ("cell phones"). These devices have become ubiquitous in today's modern office environment. A cell phone network consists of the phones themselves, the cells with their accompanying base stations that they are used in, and the hardware and software that allow them to communicate. The base stations are made up of antennas, receivers, transmitters, and amplifiers. The base stations communicate with those cell phones that are currently in the geographical area that is serviced by that station. As a person travels across town, they may exit and enter multiple cells. The stations must conduct a handoff to ensure continuous operation for the cell phone. As the individual moves toward the edge of a cell, a mobile switching center notices the power of the signal beginning to drop, checks whether another cell has a stronger signal for the phone (cells frequently overlap), and, if so, switches operation to this new cell and base station. All of this is done without the user ever knowing that they have moved from one cell to another.

Wireless technology can also be used for networking. There are two main standards for wireless network technology. Bluetooth is designed as a short-range (approximately ten meters) personal area network (PAN) cable-replacement technology that can be built into a variety of devices, such as mobile phones, tablets, and laptop computers. The idea is to create low-cost wireless technology so that many different devices can communicate with each other. Bluetooth is also interesting because, unlike other wireless technology, it is designed so that devices can talk directly with each other without having to go through a central device (such as the base station described previously). This is known as peer-to-peer communication.

The other major wireless standard is the IEEE 802.11 set of standards, which is well suited for the local area network (LAN) environment. 802.11 networks can operate either in an ad hoc peer-to-peer fashion or in infrastructure mode, which is more common. In infrastructure mode, computers with 802.11 network cards communicate with a wireless access point. This access point connects to the network so that the computers communicating with it are essentially also connected to the network.

While wireless networks are very useful in today's modern office (and home), they are not without their security problems. Access points are generally placed throughout a building so that all employees can access the corporate network. The transmission and reception areas covered by access points are not easily controlled. Consequently, many publicly accessible areas might fall into the range of one of the organization's access points, or its Bluetooth-enabled systems, and thus the corporate network may become vulnerable to attack. Wireless networks are designed to incorporate some security measures, but all too often the networks are set up without security enabled, and serious security flaws exist in the 802.11 design.

Tech Tip: Wireless Network Security Issues

Due to a number of advantages, such as the ability to take your laptop with you as you move around your building and still stay connected, wireless networks have grown in popularity. They also eliminate the need to string network cables all over the office. At the same time, however, they can be a security nightmare if not adequately protected. The signal for your network doesn't stop at your office door or wall just because it is there. It will continue propagating to areas that may be open to anybody. This provides the opportunity for others to access your network. To avoid this, you must take steps such as encrypting transmissions so that your wireless network doesn't become the weak link in your security chain.

Cross Check: Wireless Networks

Wireless network security is discussed in this chapter in relationship to physical issues such as the placement of wireless access points. There are, however, numerous other issues with wireless security, which are discussed in Chapter 12. Make sure to understand how the physical location of wireless access points affects the other wireless security issues.

■■ Electromagnetic Eavesdropping

In 1985, a paper by Wim van Eck of the Netherlands described what became known as the van Eck phenomenon. In the paper van Eck described how eavesdropping on what was being displayed on monitors could be accomplished by picking up and then decoding the electromagnetic interference produced by the monitors. With the appropriate equipment, the exact image of what is being displayed can be re-created some distance away. While the original paper discussed emanations as they applied to video display units (monitors), the same phenomenon applies to other devices such as printers and computers. This phenomenon had actually been known about for quite some time before van Eck published his paper. The U.S. Department of Defense used the term TEMPEST (referred to by some as the Transient ElectroMagnetic Pulse Emanation STandard) to describe both a program in the military to control these electronic emanations from electrical equipment and the actual process for controlling the emanations. There are three basic ways to prevent these emanations from being picked up by an attacker:

■■ Put the equipment beyond the point that the emanations can be picked up.
■■ Provide shielding for the equipment itself.
■■ Provide a shielded enclosure (such as a room) to put the
equipment in.

One of the simplest ways to protect against equipment being monitored in this fashion is to put enough distance between the target and the attacker. The emanations can be picked up from only a limited distance. If the physical security for the facility is sufficient to put enough space between the equipment and publicly accessible areas that the signals cannot be picked up, then the organization doesn't have to take any additional measures to ensure security.

Distance is not the only way to protect against eavesdropping on electronic emanations. Devices can be shielded so their emanations are blocked. Acquiring enough property to provide the necessary distance needed to protect against an eavesdropper may be possible if the facility is in the country with lots of available land surrounding it. Indeed, for smaller organizations that occupy only a few offices or floors in a large office building, it would be impossible to acquire enough space. In this case, the organization may resort to purchasing shielded equipment. A "TEMPEST approved" computer will cost significantly more than what a normal computer would cost. Shielding a room (in what is known as a Faraday cage) is also an extremely expensive endeavor.

A natural question to ask is, how prevalent is this form of attack? The equipment needed to perform electromagnetic eavesdropping is not readily available, but it would not cost an inordinate amount of money to produce it. The cost could certainly be afforded by any large corporation, and industrial espionage using such a device is a possibility. While there are no public records of this sort of activity being conducted, it is reasonable to assume that it does take place in large corporations and the government, especially in foreign countries.

Modern Eavesdropping

Not just electromagnetic information can be used to carry information out of a system to an adversary. Recent advances have demonstrated the feasibility of using the webcams and microphones on systems to spy on users, recording keystrokes and other activities. There are even devices built to intercept the wireless signals between wireless keyboards and mice and transmit them over another channel to an adversary. USB-based keyloggers can be placed in the back of machines, as in many cases the back of a machine is unguarded or facing the public (watch for this the next time you see a receptionist's machine).

One of the challenges in security is determining how much to spend on security without spending too much. Security spending should be based on likely threats to your systems and network. While electronic emanations can be monitored, the likelihood of this taking place in most situations is remote, which makes spending on items to protect against it at best a low priority.
Chapter 3 Review

■ Chapter Summary

After reading this chapter and completing the exercises, you should understand the following regarding operational and organizational security.

Identify various operational aspects to security in your organization
■■ Prevention technologies are designed to keep individuals from being able to gain access to systems or data they are not authorized to use.
■■ Previously in operational environments, prevention was extremely difficult and relying on prevention technologies alone was not sufficient. This led to the rise of technologies to detect and respond to events that occur when prevention fails.
■■ An important part of any organization's approach to implementing security is to establish policies, procedures, standards, and guidelines to detail what users and administrators should be doing to maintain the security of the systems and network.

Identify various policies and procedures in your organization
■■ Policies, procedures, standards, and guidelines are important in establishing a security program within an organization.
■■ The security policy and supporting policies play an important role in establishing and managing system risk.
■■ Policies and procedures associated with Human Resources functionality include job rotation, mandatory vacations, and hiring and termination policies.

Identify the security awareness and training needs of an organization
■■ Security training and awareness efforts are vital in engaging the workforce to act within the desired range of conduct with respect to security.
■■ Security awareness and training is important in achieving compliance objectives.
■■ Security awareness and training should be measured and managed as part of a comprehensive security program.

Understand the different types of agreements employed in negotiating security requirements
■■ The different interoperability agreements, including SLA, BPA, MOU, and ISA, are used to establish security expectations between various parties.

Describe the physical security components that can protect your computers and network
■■ Physical security consists of all mechanisms used to ensure that physical access to the computer systems and networks is restricted to only authorized users.
■■ The purpose of physical access controls is the same as that of computer and network access controls—to restrict access to only those who are authorized to have it.
■■ The careful placement of equipment can provide security for known security problems exhibited by wireless devices and that arise due to electronic emanations.

Identify environmental factors that can affect security
■■ Environmental issues are important to security because they can affect the availability of a computer system or network.
■■ Loss of HVAC systems can lead to overheating problems that can affect electronic equipment, including security-related devices.
■■ The frequency of natural disasters is a contributing factor that must be considered when making contingency processing plans for an installation.
■■ Fires are a common problem for organizations. Two general approaches to addressing this problem are fire detection and fire suppression.

Identify factors that affect the security of the growing number of wireless technologies used for data transmission
■■ Wireless networks have many security issues, including the transmission and reception areas covered by access points, which are not easily controlled and can thus provide easy network access for intruders.

Prevent disclosure through electronic emanations
■■ With the appropriate equipment, the exact image of what is being displayed on a computer monitor can be re-created some distance away, allowing eavesdroppers to view what you are doing.
■■ Providing a lot of distance between the system you wish to protect and the closest place an eavesdropper could be is one way to protect against eavesdropping on electronic emanations. Devices can also be shielded so that their emanations are blocked.

■ Key Terms

acceptable use policy (AUP) (50)
biometrics (62)
Bluetooth (65)
business partnership agreement (BPA) (59)
due care (53)
due diligence (53)
guidelines (43)
heating, ventilation, and air conditioning (HVAC) (63)
IEEE 802.11 (65)
incident response policy (54)
interconnection security agreement (ISA) (59)
memorandum of understanding (MOU) (59)
physical security (61)
policies (43)
procedures (43)
security policy (44)
service level agreement (SLA) (59)
standards (43)
TEMPEST (66)
uninterruptible power supply (UPS) (64)
user habits (57)

■ Key Terms Quiz

Use terms from the Key Terms list to complete the sentences that follow. Don't use the same term more than once. Not all terms will be used.

1. _______________ are high-level statements made by management that lay out the organization's position on some issue.
2. The collective term used to refer to the systems that are used to maintain the comfort of an office environment and that are often controlled by computer systems is _______________.
3. A(n) _______________ is a device designed to provide power to essential equipment for a period of time when normal power is lost.
4. _______________ are a foundational security tool in engaging the workforce to improve the overall security posture of an organization.
5. _______________ are accepted specifications providing specific details on how a policy is to be enforced.
6. _______________ is a wireless technology designed as a short-range (approximately ten meters) personal area network (PAN) cable-replacement technology that may be built into a variety of devices such as mobile phones, tablets, and laptop computers.
7. A(n) _______________ is a legal document used to describe a bilateral agreement between parties.
8. _______________ are step-by-step instructions that describe exactly how employees are expected to act in a given situation or to accomplish a specific task.
9. The set of standards for wireless networks that is well suited for the LAN environment and whose normal mode is to have computers with network cards communicating with a wireless access point is _______________.
10. A(n) _______________ is a legal agreement between organizations establishing the terms, conditions, and expectations of the relationship between them.

■ Multiple-Choice Quiz

1. Which of the following is a physical security threat?
A. Cleaning crews are allowed unsupervised access because they have a contract.
B. Employees undergo background criminal checks before being hired.
C. All data is encrypted before being backed up.
D. All the above.

2. The benefit of fire detection equipment over fire suppression devices is:
A. Fire detection equipment is regulated, whereas fire suppression equipment is not.
B. Fire detection equipment will often catch fires at a much earlier stage, meaning that the fire can be addressed before significant damage can occur.
C. Fire detection equipment is much more reliable than fire suppression equipment.
D. There is no advantage of fire detection over fire suppression other than the cost of fire detection equipment is much less than the cost of fire suppression equipment.

3. Which of the following is a contractual agreement between entities that describes specified levels of service that the servicing entity agrees to guarantee for the customer?
A. Service level agreement
B. Support level agreement
C. Memorandum of understanding
D. Business service agreement

4. During which step of the policy lifecycle does training of users take place?
A. Plan for security.
B. Implement the plans.
C. Monitor the implementation.
D. Evaluate for effectiveness.

5. Biometric access controls are typically used in conjunction with another form of access control because:
A. Biometrics are still expensive.
B. Biometrics cannot be copied.
C. Biometrics are not always convenient to use.
D. Biometrics are not 100 percent accurate, having some level of misidentifications.

6. Procedures can be described as:
A. High-level, broad statements of what the organization wants to accomplish
B. Step-by-step instructions on how to implement the policies
C. Mandatory elements regarding the implementation of a policy
D. Recommendations relating to a policy

7. What technique can be used to protect against electromagnetic eavesdropping (known as the van Eck phenomenon)?
A. Provide sufficient distance between the potential target and the nearest location an attacker could be.
B. Put the equipment that you are trying to protect inside a shielded room.
C. Purchase "TEMPEST approved" equipment.
D. All of the above.

8. Key user habits that can improve security efforts include:
A. Do not discuss business issues outside of the office.
B. Never leave laptops or tablets inside your car unattended.
C. Be alert of people violating physical access rules (piggybacking through doors).
D. Items B and C.

9. When should a human security guard be used for physical access control?
A. When other electronic access control mechanisms will not be accepted by employees
B. When necessary to avoid issues such as piggybacking, which can occur with electronic access controls
C. When other access controls are too expensive to implement
D. When the organization wants to enhance its image

10. What device should be used by organizations to protect sensitive equipment from fluctuations in voltage?
A. A surge protector
B. An uninterruptible power supply
C. A backup power generator
D. A redundant array of inline batteries (RAIB)

■ Lab Projects

• Lab Project 3.1
Take a tour of your building on campus or at work. What is secured at night when workers are absent? Record the location and type of physical access control devices. How do these access controls change at night when workers are absent? How well trained do guards and other employees appear to be? Do they allow "piggybacking" (somebody slipping into a facility behind an authorized individual without being challenged)? What are the policies for visitors and contractors? How does this all impact physical security?

• Lab Project 3.2
Describe the four steps of the policy lifecycle. Obtain a policy from your organization (such as an acceptable use policy or Internet usage policy). How are users informed of this policy? How often is it reviewed? How would changes to it be suggested and who would make decisions on whether the changes were accepted?

■ Essay Quiz

1. Describe the difference between fire suppression and fire detection systems.
2. Discuss why physical security is also important to computer security professionals.
3. Why should we be concerned about HVAC systems when discussing security?
4. Outline the various components that make up (or should make up) an organization's security perimeter. Which of these can be found in your organization (or school)?

As a consultant with the Security Advisors Co., you have been asked to develop a process for each of the following tasks:
1. Fire an employee in the Accounting and Finance department.
2. Hire a new employee in the Research and Development department.
3. Back up customer records in the company.

Please consider the following instructions:
· You should develop a process for each task separately.
· Do not copy directly from the internet (we will run a plagiarism checker; similarity must be below 20%).
· If you get any information from any resource, you shall provide references and cite them within the text.
· Keep your discussion precise and short (maximum 1500 words).
  • 104.
    CHAPTER Domain 9: Operations security10 EXAM OBJECTIVES IN THIS CHAPTER • Administrative Security • Sensitive Information/Media Security • Asset Management • Continuity of Operations • Incident Response Management UNIQUE TERMS AND DEFINITIONS • Collusion—An agreement between two or more individuals to subvert the secu- rity of a system. • Remanence—Data that might persist after removal attempts. • Redundant Array of Inexpensive Disks (RAID)—A method of using multiple disk drives to achieve greater data reliability, greater speed, or both. • Mirroring—Complete duplication of data to another disk, used by some levels
  • 105.
    of RAID. • Striping—Spreadingdata writes across multiple disks to achieve performance gains, used by some levels of RAID. INTRODUCTION Operations Security is concerned with threats to a production operating environ- ment. Threat agents can be internal or external actors, and operations security must account for both of these threat sources in order to be effective. Ultimately opera- tions security centers on the fact that people need appropriate access to data. This data will exist on some particular media, and is accessible by means of a system. So operations security is about people, data, media, hardware, and the threats asso- ciated with each of these in a production environment. CISSP® Study Guide. DOI: 10.1016/B978-1-59749-563- 9.00010-X © 2010 Elsevier, Inc. All rights reserved. 371
ADMINISTRATIVE SECURITY

All organizations contain people, data, and means for people to use the data. A fundamental aspect of operations security is ensuring that controls are in place to inhibit people either inadvertently or intentionally compromising the confidentiality, integrity, or availability of data or the systems and media holding that data. Administrative Security provides the means to control people's operational access to data.

Administrative Personnel Controls

Administrative Personnel Controls represent important operations security concepts that should be mastered by the CISSP® candidate. These are fundamental concepts within information security that permeate through multiple domains.

Least Privilege or Minimum Necessary Access

One of the most important concepts in all of information security is that of the principle of least privilege. The principle of least privilege dictates that persons have no more than the access that is strictly required for the performance of their duties. The principle of least privilege may also be referred to as the principle of minimum necessary access. Regardless of name, adherence to this principle is a fundamental tenet of security, and should serve as a starting point for administrative security controls.

Although the principle of least privilege is applicable to organizations leveraging Mandatory Access Control (MAC), the principle's application is most obvious in Discretionary Access Control (DAC) environments. With DAC, the principle of least privilege suggests that a user will be given access to data if, and only if, a data owner determines that a business need exists for the user to have the access. With MAC, we have a further concept that helps to inform the principle of least privilege: need to know.

Need to know

In organizations with extremely sensitive information that leverage Mandatory Access Control (MAC), basic determination of access is enforced by the system. The access determination is based upon clearance levels of subjects and classification levels of objects. Though the vetting process for someone accessing highly sensitive information is stringent, clearance level alone is insufficient when dealing with the most sensitive of information. An extension to the principle of least privilege in MAC environments is the concept of compartmentalization. Compartmentalization, a method for enforcing need to know, goes beyond mere reliance upon clearance level and additionally requires that the person actually need access to the specific information. Compartmentalization is best understood by considering a highly sensitive military operation: while there may be a large number of individuals (some of high rank), only a subset “need to know” specific information. The others have no “need to know,” and therefore no access.
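The two access models just described can be shown side by side: a DAC object whose owner records a business need for every grant (least privilege), and a MAC label check in which clearance level alone is not enough because the subject must also hold the object's compartment (need to know). The following is an added example, not code from the CISSP Study Guide; the level names, the compartment "OP-A", and the users are constructed for illustration.

```python
"""Least privilege under DAC and need to know under MAC, as an added example
(not code from the CISSP Study Guide). The classification levels, the
compartment name "OP-A", and the users are constructed for illustration.
"""
from dataclasses import dataclass, field

# Ordered classification levels; a higher index dominates a lower one.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]


@dataclass(frozen=True)
class Label:
    """A MAC security label: a level plus the compartments it is read into."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True when this label's level is at least other's AND it holds every
        compartment other carries. The second test is need to know: a high
        clearance without the compartment is still denied."""
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.compartments >= other.compartments)


def mac_read_allowed(subject: Label, obj: Label) -> bool:
    """System-enforced MAC decision: subject clearance must dominate the
    object's classification, compartments included."""
    return subject.dominates(obj)


@dataclass
class DacObject:
    """A DAC-protected object: the data owner decides who gets access, and
    least privilege means a business need is recorded for every grant."""
    owner: str
    grants: dict = field(default_factory=dict)  # user -> recorded business need

    def grant(self, granting_user: str, user: str, business_need: str) -> None:
        if granting_user != self.owner:
            raise PermissionError("only the data owner may grant access")
        if not business_need.strip():
            raise ValueError("least privilege: a business need must be recorded")
        self.grants[user] = business_need

    def allowed(self, user: str) -> bool:
        return user == self.owner or user in self.grants


def demo() -> dict:
    # Constructed: a SECRET document in compartment OP-A and three subjects.
    document = Label("SECRET", frozenset({"OP-A"}))
    general = Label("TOP SECRET")                       # high rank, not read in
    analyst = Label("SECRET", frozenset({"OP-A"}))      # cleared and read in
    clerk = Label("CONFIDENTIAL", frozenset({"OP-A"}))  # read in, level too low

    report = DacObject(owner="alice")
    report.grant("alice", "bob", "prepares the quarterly audit")
    return {
        "general": mac_read_allowed(general, document),
        "analyst": mac_read_allowed(analyst, document),
        "clerk": mac_read_allowed(clerk, document),
        "bob": report.allowed("bob"),
        "carol": report.allowed("carol"),
    }


if __name__ == "__main__":
    print(demo())
```

The "general" case is the one the text's military example is about: the highest clearance in the room, yet denied, because the compartment is missing. The DAC half only records the owner's decision; it is the owner's business-need judgment that the code makes mandatory, not any system-wide rule.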
Separation of Duties

While the principle of least privilege is necessary for sound operational security, in many cases it alone is not a sufficient administrative control. As an example, imagine that an employee has been away from the office for training, and has submitted an expense report indicating $1,000,000 was needed for reimbursement. This individual happens to be a person who, as part of her daily duties, had access to print reimbursement checks, and would therefore meet the principle of least privilege for printing her own reimbursement check. Should she be able to print herself a nice big $1,000,000 reimbursement check? While this access may be necessary for her job function, and thus meet the requirements for the principle of least privilege, additional controls are required.

The example above serves to illustrate the next administrative security control, separation of duties. Separation of duties prescribes that multiple people are required to complete critical or sensitive transactions. The goal of separation of duties is to ensure that in order for someone to be able to abuse their access to sensitive data or transactions, they must convince another party to act in concert. Collusion is the term used for the two parties conspiring to undermine the security of the transaction. The classic action movie example of separation of duties involves two keys, a nuclear sub, and a rogue captain.

LEARN BY EXAMPLE: SEPARATION OF DUTIES

Separation of duties is a hard lesson to learn for many organizations, but many only needed to learn this lesson once. One such organization had a relatively small and fledgling security department that was created as a result of regulatory compliance mandates. Most of the other departments were fairly antagonistic toward this new department because it simply cobbled together various perceived security functions and was not mindfully built. The original intent was for the department to serve primarily in an advisory capacity regarding all things in security, and for the department not to have operational responsibilities regarding changes. The result meant that security ran a lot of vulnerability scans, and took these to operations for resolution. Often operations staff were busy with more pressing matters than patch installations, the absence of which posed little perceived threat. Ultimately, because of their incessant nagging, the security department was given the thankless (if ever there was one) task of enterprise patch management for all but the most critical systems. Though this worked fine for a while, eventually one of the security department staff realized that his performance review depended upon his timely remediation of missing patches, and, in addition to being the person that installed the patches, he was also the person that reported whether patches were missing. Further scrutiny was applied when management thought it odd that he reported significantly fewer missing patches than all of his security department colleagues. Upon review it was determined that though the employee had indeed acted unethically, it was beneficial in bringing the need for separation of duties to light. Though many departments have not had such an egregious breach of conduct, it is important to be mindful of those with audit capabilities also being operationally responsible for what they are auditing. The moral of the story: Quis custodiet ipsos custodes? [1] Who watches the watchers?

Rotation of Duties/Job Rotation

Rotation of Duties, also known as job rotation or rotation of responsibilities, provides an organization with a means to help mitigate the risk associated with any one individual having too many privileges. Rotation of duties simply requires that critical functions or responsibilities are not continuously performed by the same single person without interruption. There are multiple issues that rotation of duties can help begin to address. One issue addressed by job rotation is the “hit by a bus” scenario: imagine, morbid as it is, that any one individual in the organization is hit by a bus on their way to work. If the operational impact of the loss of an individual would be too great, then perhaps one way to assuage this impact would be to ensure that there is additional depth of coverage for this individual's responsibilities.

Rotation of duties can also mitigate fraud. Over time some employees can develop a sense of ownership and entitlement to the systems and applications they work on. Unfortunately, this sense of ownership can lead to the employee's finding and exploiting a means of defrauding the company with little to no chance of arousing suspicion. One of the best ways to detect this fraudulent behavior is to require that responsibilities that could lead to fraud be frequently rotated amongst multiple people. In addition to the increased detection capabilities, the fact that responsibilities are routinely rotated itself deters fraud.

EXAM WARNING

Though job or responsibility rotation is an important control, this, like many other controls, is often compared against the cost of implementing the control. Many organizations will opt for not implementing rotation of duties because of the cost associated with implementation. For the exam, be certain to appreciate that cost is always a consideration, and can trump the implementation of some controls.

Mandatory Leave/Forced Vacation

An additional operational control that is closely related to rotation of duties is that of mandatory leave, also known as forced vacation. Though there are various justifications for requiring employees to be away from work, the primary security considerations are similar to those addressed by rotation of duties: reducing or detecting personnel single points of failure, and detection and deterrence of fraud. Discovering a lack of depth in personnel with critical skills can help organizations understand risks associated with employees unavailable for work due to unforeseen circumstances. Forcing all employees to take leave can identify areas where depth of coverage is lacking. Further, requiring employees to be away from work while it is still operating can also help discover fraudulent or suspicious behavior. As stated before, the sheer knowledge that mandatory leave is a possibility might deter some individuals from engaging in the fraudulent behavior in the first place, because of the increased likelihood of getting caught.
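The three personnel controls above (separation of duties, rotation of duties, mandatory leave) are all checks an organization can run over its own records. The following is an added example, not code from the CISSP Study Guide, covering the separation-of-duties, rotation and mandatory-leave sections: it flags one person holding both halves of a sensitive transaction (the reimbursement-check case and the patch installer who also reported missing patches), duties held too long or by only one person, and staff who have not taken a real block of leave. The people, duties, dates and thresholds are constructed for illustration.

```python
"""Separation of duties, rotation of duties and mandatory leave as checks run
over constructed personnel records.

Added example, not code from the CISSP Study Guide. The people, duties, dates
and thresholds (365 days between rotations, a 5-day leave block inside the
last year) are all constructed for illustration.
"""
from datetime import date, timedelta

# Pairs of duties that must never rest with one person (separation of duties).
# The first pair is the reimbursement-check example; the second is the patch
# installer who also audited which patches were missing.
CONFLICTING_DUTIES = {
    frozenset({"submit_expense", "print_reimbursement_check"}),
    frozenset({"install_patches", "report_missing_patches"}),
}


def sod_violations(assignments: dict) -> list:
    """assignments: person -> set of duties currently held.
    Returns (person, duty_a, duty_b) for each conflicting pair held by one
    person; with the pair split, abuse would require collusion."""
    found = []
    for person, duties in assignments.items():
        for pair in CONFLICTING_DUTIES:
            if pair <= duties:
                duty_a, duty_b = sorted(pair)
                found.append((person, duty_a, duty_b))
    return sorted(found)


def rotation_findings(history: dict, today: date, max_days: int = 365) -> dict:
    """history: duty -> list of (person, start, end-or-None) stints.
    Flags a stint that has run longer than max_days without interruption
    (the ownership/entitlement fraud risk) and any duty that only one person
    has ever performed (no depth of coverage: the "hit by a bus" scenario)."""
    overdue, single_holder = [], []
    for duty, stints in history.items():
        if len({person for person, _, _ in stints}) == 1:
            single_holder.append(duty)
        for person, start, end in stints:
            if (end or today) - start > timedelta(days=max_days):
                overdue.append((duty, person))
    return {"overdue_rotation": overdue, "single_holder": single_holder}


def mandatory_leave_findings(leave_taken: dict, today: date,
                             min_block_days: int = 5, window_days: int = 365) -> list:
    """leave_taken: person -> list of (start, end) leave periods.
    Flags anyone without one continuous block of at least min_block_days
    starting inside the window; work continuing in their absence is what
    surfaces suspicious activity."""
    cutoff = today - timedelta(days=window_days)
    flagged = []
    for person, periods in leave_taken.items():
        long_enough = any(start >= cutoff and (end - start).days + 1 >= min_block_days
                          for start, end in periods)
        if not long_enough:
            flagged.append(person)
    return sorted(flagged)


def demo() -> dict:
    today = date(2010, 6, 30)  # constructed "as of" date
    assignments = {
        "ann": {"submit_expense", "print_reimbursement_check"},
        "ben": {"install_patches", "report_missing_patches"},
        "cara": {"install_patches"},
        "dev": {"report_missing_patches"},
    }
    history = {
        "wire_transfer_release": [("ann", date(2008, 1, 1), None)],
        "backup_restore": [("ben", date(2009, 1, 1), date(2009, 12, 31)),
                           ("cara", date(2010, 1, 1), None)],
    }
    leave_taken = {
        "ann": [(date(2010, 3, 1), date(2010, 3, 2))],    # two days only
        "ben": [(date(2010, 2, 1), date(2010, 2, 12))],   # a proper block
        "cara": [],
    }
    return {
        "sod": sod_violations(assignments),
        "rotation": rotation_findings(history, today),
        "leave": mandatory_leave_findings(leave_taken, today),
    }


if __name__ == "__main__":
    for name, finding in demo().items():
        print(name, finding)
```

Note that cara and dev each hold one half of the patch pair and are not flagged: that split is exactly the arrangement the LEARN BY EXAMPLE story argues for. The thresholds are policy inputs, and as the EXAM WARNING says, cost will decide whether a given organization enforces them at all.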
Non-Disclosure Agreement

A non-disclosure agreement (NDA) is a work-related contractual agreement that ensures that, prior to being given access to sensitive information or data, an individual or organization appreciates their legal responsibility to maintain the confidentiality of sensitive information. Non-disclosure agreements are often signed by job candidates before they are hired, as well as by consultants or contractors. Non-disclosure agreements are largely a directive control.

NOTE

Though non-disclosure agreements are now commonly part of the employee orientation process, it is vitally important that all departments within an organization appreciate the need for non-disclosure agreements. This is especially important for organizations where it is commonplace for individual departments to engage with outside consultants and contractors.

Background Checks

Background checks (also known as background investigations or preemployment screening) are an additional administrative control commonly employed by many organizations. The majority of background investigations are performed as part of a preemployment screening process. Some organizations perform cursory background investigations that include a criminal record check. Others perform more in-depth checks, such as verifying employment history, obtaining credit reports, and in some cases requiring the submission of a drug screening. The sensitivity of the position being filled, or of the data to which the individual will have access, strongly determines the degree to which this information is scrutinized and the depth to which the investigation will report. The overt purpose of these preemployment background investigations is to ensure that persons who will be employed have not exhibited behaviors that might suggest they cannot be trusted with the responsibilities of the position. Ongoing, or postemployment, investigations seek to determine whether the individual continues to be worthy of the trust required of their position. Background checks performed in advance of employment serve as a preventive control, while ongoing repeat background checks constitute a detective control and possibly a deterrent.

Privilege Monitoring

The business needs of organizations require that some individuals have privileged access to critical systems, or systems which contain sensitive data. These individuals' heightened privileges require both greater scrutiny and more thoughtful controls in order to ensure that confidentiality, integrity, and availability remain intact. Some of the job functions that warrant greater scrutiny include: account creation/modification/deletion, system reboots, data backup, data restoration, source code access, audit log access, security configuration capabilities, etc.

SENSITIVE INFORMATION/MEDIA SECURITY
Though security and controls related to the people within an enterprise are vitally important, so is having a regimented process for handling sensitive information, including media security. This section discusses concepts that are an important component of a strong overall information security posture.

Sensitive Information

All organizations have sensitive information that requires protection, and that sensitive information physically resides on some form of media. In addition to primary storage, backup storage must also be considered. It is also likely that sensitive information is transferred, whether internally or externally, for use. Wherever the data exists, there must be processes that ensure the data is not destroyed or inaccessible (a breach of availability), disclosed (a breach of confidentiality), or altered (a breach of integrity).

Labeling/marking

Perhaps the most important step in media security is the process of locating sensitive information, and labeling or marking it as sensitive. How the data is labeled should correspond to the organizational data classification scheme.

Handling

People handling sensitive media should be trusted individuals who have been vetted by the organization. They must understand their role in the organization's information security posture. Sensitive media should have strict policies regarding its handling. Policies should require the inclusion of written logs detailing the person responsible for the media. Historically, backup media has posed a significant problem for organizations.

Storage

When storing sensitive information, it is preferable to encrypt the data. Encryption of data at rest greatly reduces the likelihood of the data being disclosed in an unauthorized fashion due to media security issues. Physical storage of the media containing sensitive information should not be performed in a haphazard fashion, whether the data is encrypted or not. Care should be taken to ensure that there are strong physical security controls wherever media containing sensitive information is accessible.

Retention

Media and information have a limited useful life. Retention of sensitive information should not persist beyond the period of usefulness or legal requirement (whichever is greater), as it needlessly exposes the data to threats of disclosure when the data is no longer needed by the organization. Keep in mind that there may be regulatory or other legal reasons that compel the organization to keep data beyond its time of utility.

Media Sanitization or Destruction of Data

It is time to destroy data or the associated media once an organization has identified that it no longer requires retention from an operations or legal perspective. While some data might not be sensitive and not warrant thorough data destruction measures, an organization will have data that must be verifiably destroyed, or otherwise rendered nonusable in case the media on which it was housed is recovered by a third party. The process for sanitization of media or destruction of data varies directly with the type of media and sensitivity of data.

NOTE

The concepts of data destruction and data remanence are also referenced as part of Chapter 5, Domain 4: Physical (Environmental) Security. As is often the case with the CISSP®, some content easily falls within multiple domains, and might deserve coverage in both sections, as is the case here.

Data Remanence

The term data remanence is important to understand when discussing media sanitization and data destruction. Data remanence is data that persists beyond noninvasive means to delete it. Though data remanence is sometimes used specifically to refer to residual data that persists on magnetic storage, remanence concerns go beyond just that of magnetic storage media. Security professionals must understand and appreciate the steps to make data unrecoverable.

Wiping, overwriting, or shredding

File deletion is an important concept for security professionals to understand. In most file systems, if a user deletes a file, the file system merely removes metadata pointers or references to the file. The file allocation table references are removed, but the file data itself remains. Significant amounts of “deleted data” may be recovered (“undeleted”); forensic tools are readily available to do so. Reformatting a file system may also leave data intact. Though simple deletion of files or reformatting of hard disks is not sufficient to render data unrecoverable, files may be securely wiped or overwritten. Wiping, also called overwriting or shredding, writes new data over each bit or block of file data. One of the shortcomings of wiping is when hard disks become physically damaged, preventing the successful overwriting of all data. An attacker with means and motive could attempt advanced recovery of the hard disks if there was significant perceived value associated with the media.

NOTE

For many years security professionals and other technologists accepted that data could theoretically be recovered even after having been overwritten. Though the suggested means of recovery involved both a clean room and an electron microscope, which is likely beyond the means of most would-be attackers, organizations typically employed either what has been referred to as the DoD (Department of Defense) short method, the DoD standard method, or the Gutmann approach [2] to wiping, which involved 3, 7, or 35 successive passes, respectively. Now it is commonly considered acceptable in industry to have simply a single successful pass to render data unrecoverable. This has saved organizations many hours that were wasted on unnecessary repeat wipes.

Degaussing

By introducing an external magnetic field through use of a degausser, the data on magnetic storage media can be made unrecoverable. Magnetic storage media depends upon the magnetization of the media being static unless intentionally changed by the storage media device. A degausser destroys the integrity of the magnetization of the storage media, making the data unrecoverable.

Physical Destruction

Physical destruction, when carried out properly, is considered the most secure means of media sanitization. One of the reasons for the higher degree of assurance is the greater likelihood of errors resulting in data remanence with wiping or degaussing. Physical destruction is certainly warranted for the most sensitive of data. Common means of destruction include incineration and pulverization.

Shredding

A simple form of media sanitization is shredding, a type of physical destruction. Though this term is sometimes used in relation to overwriting of data, here shredding refers to the process of making data printed on hard copy, or on smaller objects such as floppy or optical disks, unrecoverable. Sensitive information such as printed information needs to be shredded prior to disposal in order to thwart a dumpster diving attack. Dumpster diving is a physical attack in which a person recovers trash in hopes of finding sensitive information that has been merely discarded in whole rather than being run through a shredder, incinerated, or otherwise destroyed. Figure 10.1 shows locked shred bins that contain material that is intended for shredding. The locks are intended to ensure that dumpster diving is not possible during the period prior to shredding.

ASSET MANAGEMENT

A holistic approach to operational information security requires organizations to focus on systems as well as the people, data, and media. Systems security is another vital component of operational security, and there are specific controls that
can greatly help system security throughout the system's lifecycle.

Configuration Management

One of the most important components of any systems security work is the development of a consistent system security configuration that can be leveraged throughout the organization. The goal is to move beyond the default system configuration to one that is both hardened and meets the operational requirements of the organization. One of the best ways to protect an environment against future zero-day attacks (attacks against vulnerabilities with no patch or fix) is to have a hardened system that only provides the functionality strictly required by the organization. Development of a security-oriented baseline configuration is a time consuming process due to the significant amount of research and testing involved. However, once an organizational security baseline is adopted, then the benefits of having a known, hardened, consistent configuration will greatly increase system security for an extended period of time. Further, organizations do not need to start from scratch with their security baseline development, as different entities provide guidance on baseline security. These predefined baseline security configurations might come from the vendor who created the device or software, government agencies, or also the nonprofit Center for Internet Security (see: http://www.cisecurity.org/). Basic configuration management practices associated with system security will involve tasks such as: disabling unnecessary services, removing extraneous programs, enabling security capabilities such as firewalls, antivirus, and intrusion detection or prevention systems, and the configuration of security and audit logs.

FIGURE 10.1 Locked shred bins. Source: http://commons.wikimedia.org/wiki/File:Confidential_shred_bins.JPG. Photograph by: BrokenSphere/Wikimedia Commons. Image under permission of Creative Commons Attribution ShareAlike 3.0.

Baselining

Standardizing on a security configuration is certainly important, but there is an additional consideration with respect to security baselines. Security baselining is the process of capturing a point-in-time understanding of the current system security configuration. Establishing an easy means for capturing the current system security configuration can be extremely helpful in responding to a potential security incident. Assuming that the system or device in question was built from a standardized security baseline, and also that strong change control measures (see the Change Management section below) are adhered to, then there would be little need to capture the current security configuration. However, in the real world, unauthorized changes can and will occur in even the most strictly controlled environment, which necessitates the monitoring of a system's security configuration over time. Further, even authorized system modifications that adhere to the change management procedures need to be understood and easily captured. Another reason to emphasize continual baselining is that there may be systems that were not originally built to an initial security baseline. A common mistake that organizations make regarding system security is focusing on establishing a strong system security configuration, but failing to quickly and easily appreciate the changes to a system's security configuration over time.

Patch Management

One of the most basic, yet still rather difficult, tasks associated with maintaining a strong system security configuration is patch management, the process of managing software updates. All software has flaws or shortcomings that are not fully addressed in advance of being released. The common approach to fixing software is by applying patches to address known issues. Not all patches are concerned with security; many are associated with simple nonsecurity related bug fixes. However, security patches do represent a significant piece of the overall patch pie. Software vendors announce patches both publicly and directly to their customers. Once notified of a patch, organizations need to evaluate the patch from a risk management perspective to determine how aggressively the patch will need to be deployed. Testing is typically required to determine whether any adverse outcomes are likely to result from the patch installation. From a timeline standpoint, testing often occurs concomitantly with the risk evaluation. Installation is the final phase of the patch management process, assuming adverse effects do not require remediation.
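The Baselining section above and the risk evaluation of patches just described both come down to comparing a host against a known-good reference. The following is an added example, not code from the CISSP Study Guide: it compares a point-in-time capture of configuration file digests against the baseline to report drift (changed, added and removed files), and compares installed package versions against vendor-required versions, ordering the missing patches by a constructed priority (severity weight, doubled when a public exploit exists). The file paths, file contents, package names, versions and weights are all constructed for illustration.

```python
"""Baselining and patch evaluation over a constructed host snapshot.

Added example, not code from the CISSP Study Guide. The file paths, file
contents, package names, versions and the priority weights are all constructed
for illustration; a real baseline would be captured from a hardened build.
"""
import hashlib


def digest(content: bytes) -> str:
    """SHA-256 of a file's content; a baseline stores these, not the files."""
    return hashlib.sha256(content).hexdigest()


def parse_version(version: str) -> tuple:
    """Dotted numeric versions compared as integer tuples, so that 1.10 > 1.2
    (a plain string comparison would get this wrong). Assumes numeric parts."""
    return tuple(int(part) for part in version.split("."))


def config_drift(baseline: dict, current: dict) -> dict:
    """Compare two point-in-time captures (path -> digest) and report what
    changed, appeared, or disappeared since the baseline was taken. Drift is
    the signal that an unauthorized or unrecorded change occurred."""
    changed = sorted(path for path in baseline
                     if path in current and baseline[path] != current[path])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"changed": changed, "added": added, "removed": removed}


# Constructed weights for the risk evaluation: severity of the flaw, doubled
# when a public exploit exists (the patch-to-exploit window is shrinking).
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def missing_patches(required: dict, installed: dict) -> list:
    """required: package -> {"version", "severity", "exploit_public"} as
    announced by the vendor; installed: package -> version on the host.
    Returns the missing patches ordered by deployment priority (highest first)."""
    findings = []
    for package, req in required.items():
        have = installed.get(package)
        if have is not None and parse_version(have) >= parse_version(req["version"]):
            continue  # already patched (or newer)
        priority = SEVERITY_WEIGHT[req["severity"]] * (2 if req["exploit_public"] else 1)
        findings.append({"package": package, "installed": have,
                         "required": req["version"], "priority": priority})
    return sorted(findings, key=lambda f: (-f["priority"], f["package"]))


def demo() -> dict:
    # Constructed baseline captured from a hardened build, and a later snapshot
    # of the same host: root SSH login was re-enabled and a cron job appeared.
    baseline_files = {
        "/etc/ssh/sshd_config": digest(b"PermitRootLogin no\n"),
        "/etc/sudoers": digest(b"%wheel ALL=(ALL) ALL\n"),
    }
    current_files = {
        "/etc/ssh/sshd_config": digest(b"PermitRootLogin yes\n"),
        "/etc/sudoers": digest(b"%wheel ALL=(ALL) ALL\n"),
        "/etc/cron.d/backup": digest(b"0 2 * * * root /usr/local/bin/backup\n"),
    }
    # Constructed vendor advisories and the host's installed package versions.
    required = {
        "openssl": {"version": "1.0.2", "severity": "critical", "exploit_public": True},
        "browser-plugin": {"version": "10.1", "severity": "high", "exploit_public": False},
        "office-suite": {"version": "12.0", "severity": "medium", "exploit_public": True},
        "pdf-reader": {"version": "9.3", "severity": "high", "exploit_public": True},
    }
    installed = {"openssl": "1.0.1", "browser-plugin": "10.1", "office-suite": "11.5"}
    return {"drift": config_drift(baseline_files, current_files),
            "patches": missing_patches(required, installed)}


if __name__ == "__main__":
    result = demo()
    print("drift:", result["drift"])
    for finding in result["patches"]:
        print("patch:", finding)
```

Both halves of the report feed the same question the text poses: was this change (or this missing patch) known and accepted through change management, or not? A package that is absent entirely (pdf-reader above) is reported as missing rather than silently skipped, which is the "systems thought to have been patched which were not" case.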
While the process of installing a single patch from a single vendor on a single system might not seem that onerous, managing the identification, testing, and installation of security patches from dozens of vendors across thousands of systems can become extremely cumbersome. Also, the degree to which patch installations can be centrally deployed or automated varies quite a bit amongst vendors. A relatively recent change in the threat landscape has made patch management even more difficult: attackers increasingly are focused on targeting clients rather than server based systems. With attackers emphasizing client side applications such as browsers, and their associated plugins, extensions, and frameworks, office suites, and PDF readers, the patch management landscape is rapidly growing in complexity.

Vulnerability Management

Security patches are typically intended to eliminate a known vulnerability. Organizations are constantly patching desktops, servers, network devices, telephony devices and other information systems. The likelihood of an organization having fully patched every system is low. While un-patched systems may be known, it is also common to have systems which were thought to have been patched which were not. It is even more common an occurrence to find systems in need of an unknown patch. Vulnerability scanning is a way to discover poor configurations and missing patches in an environment. While it might seem obvious, it bears mentioning that vulnerability scanning devices are only capable of discovering the existence of known vulnerabilities. Though discovering missing patches is the most significant feature provided by vulnerability scanning devices or software, some are also capable of discovering vulnerabilities associated with poor configurations. The term vulnerability management is used rather than just vulnerability scanning to emphasize the need for management of the vulnerability information. Many organizations are initially a bit overzealous with their vulnerability scanning and want to continuously enumerate all vulnerabilities within the enterprise. There is limited value in simply listing thousands of vulnerabilities unless there is also a process that attends to the prioritization and remediation of these vulnerabilities. The remediation or mitigation of vulnerabilities should be prioritized based on both risk to the organization and ease of remediation procedures.

Zero-Day Vulnerabilities and Zero-Day Exploits

Organizations intend to patch vulnerabilities before they are exploited by an attacker. As patches are released, attackers begin trying to reverse engineer exploits for the now-known patched vulnerability. This process of developing an exploit to fit a patched vulnerability has been occurring for quite some time, but what is changing is the typical time-to-development of an exploit. The average window of time between a patch being released and an associated exploit being made public is decreasing. Recent research even suggests that for some vulnerabilities, an exploit can be created within minutes based simply on the availability of the unpatched and patched program [3]. In addition to attackers reverse engineering security patches to develop exploits, it is also possible for an attacker to discover a vulnerability before the vendor has developed a patch, or has been made aware of the vulnerability either by internal or external security researchers. The term for a vulnerability being known before the existence of a patch is zero-day vulnerability. Zero-day vulnerabilities, also commonly written 0-day, are becoming increasingly important as attackers are becoming more skilled in discovery, and, more importantly, the discovery and disclosure of zero-day vulnerabilities is being monetized. A zero-day exploit, rather than vulnerability, refers to the
existence of exploit code for a vulnerability which has yet to be patched.

Change Management

As stated above, system, network, and application changes are required. A system that does not change will become less secure over time, as security updates and patches are not applied. In order to maintain consistent and known operational security, a regimented change management or change control process needs to be followed. The purpose of the change control process is to understand, communicate, and document any changes with the primary goal of being able to understand, control, and avoid direct or indirect negative impact that the change might impose.

The overall change management process has phases, the implementation of which will vary to some degree within each organization. Typically there is a change control board that oversees and coordinates the change control process. In smaller organizations, the change control board might be a much less formal group than is found in larger organizations, sometimes even consisting of just one or two individuals. The intended change must first be introduced or proposed to the change control board. The change control board then gathers and documents sufficient details about the change to attempt to understand the implications. The person or group proposing the change should attempt to supply information about any potential negative impacts that might result from the change, as well as any negative impacts that could result from not implementing the change. Ultimately, the decision to implement the change, and the timeliness of this implementation, will be driven by principles of risk and cost management. Therefore, details related to the organizational risk associated with both enacting or delaying the change must be brought to the attention of the change control board. Another risk-based consideration is whether or not the change can be easily reversed should unforeseen impacts be greater than anticipated. Many organizations will require a rollback plan, which is sometimes also known as a backout plan. This plan will attempt to detail the procedures for reversing the change should that be deemed necessary.

If the change control board finds that the change is warranted, then a schedule for testing and implementing the change will be agreed upon. The schedule should take into account other changes and projects impacting the organization and its resources. Associated with the scheduling of the change implementation is the notification process that informs all departments impacted by the change. The next phase of the change management process will involve the testing and subsequent implementation of the change. Once implemented, a report should be provided back to the change control board detailing the implementation, and whether or not the change was successfully implemented according to plan.

Change management is not an exact science, nor is the prescribed approach a perfect fit for either all organizations or all changes. In addition to each organization having a slightly different take on the change management process, there will also likely be particular changes that warrant deviation from the organizational norm because the change is more or less significant than typical changes. For instance, managing the change associated with a small patch could well be handled differently than a major service pack installation. Because of the variability of the change management process, specific named phases have not been offered in this section. However, the general flow of the change management process includes:

• Identifying a change
• Proposing a change
• Assessing the risk associated with the change
• Testing the change
• Scheduling the change
• Notifying impacted parties of the change
• Implementing the change
• Reporting results of the change implementation

All changes must be closely tracked and auditable. A detailed change record should be kept. Some changes can destabilize systems or cause other problems; change management auditing allows operations staff to investigate recent changes in the event of an outage or problem. Audit records also allow auditors to verify that change management policies and procedures have been followed.

CONTINUITY OF OPERATIONS
  • 140.
    Although some continuityconcepts have already been covered in Chapter 7: Domain 6: Business Continuity and Disaster Recovery Planning, this section will focus on more overtly operational concerns related to continuity. Needless to say, continuity of operations is principally concerned with the availability portion of the confidentiality, integrity, availability triad. Service Level Agreements (SLA) As organizations leverage service providers and hosted solutions to a greater extent, the continuity of operations consideration become critical in contract negotiation such as service level agreements. Service level agreements have been important for some time, but they are becoming increasingly critical as organizations are increasingly choosing to have external entities perform critical services or host significant assets and applications. The goal of the service level agreement is to stipulate all expecta- tions regarding the behavior of the department or organization that is responsible for
  • 141.
    providing services andthe quality of the services provided. Often service level agree- ments will dictate what is considered acceptable regarding things such as bandwidth, time to delivery, response times, etc. Though availability is usually the most critical security consideration of a service level agreement, the consideration of other security aspects will increase as they become easier to quantify through better metrics. Further, as organizations increasingly leverage hosting service providers for more than just commoditized connectivity, the degree to which security is emphasized will increase. One important point to realize about service level agreements is that it is paramount that organizations negotiate all security terms of a service level agreement with their service prior to engaging with the company. Typi- cally, if an organization wants a service provider to agree after the fact to specific terms of a service level agreement, then the organization will be required to pay an additional premium for the service.
  • 142.
    383Continuity of operations NOTE Themost obvious example of a trend toward increasingly critical information and services being hosted by a service provider is that of the growing popularity of cloud computing. Cloud computing allows for organizations to effectively rent computing speed, storage, and bandwidth from a service provider for the hosting of some of their infrastructure. Security and quality of service of these solutions constitutes an extremely important point of distinction between the service offerings and their associated costs. Though not overtly testable for the CISSP�, cloud computing is becoming an important concept for security professionals to appreciate. Fault Tolerance In order for systems and solutions within an organization to be able to continually provide operational availability they must be implemented with fault tolerance in mind. Availability is not solely focused on system uptime requirements, but also requires that data be accessible in a timely fashion as well. Both system and data
  • 143.
    fault tolerance willbe attended to within this section. Backup The most basic and obvious measure to increase system or data fault tolerance is to provide for recoverability in the event of a failure. Given a long enough timeframe accidents, such as that in Figure 10.2, will happen. In order for data to be able to be recovered in case of a fault some form of backup or redundancy must be provided. Though magnetic tape media is quite an old technology, it is still the most common FIGURE 10.2 Why are backups necessary? Source: http://commons.wikimedia.org/wiki/File:Backup_Backup_Backu p_-_And_Test_Restores.jpg. Photograph by: John Boston. Image used under Creative Commons Attribution 2.0 License. 384 CHAPTER 10 Domain 9: Operations security repository of backup data. Three basic types of backups exist: full backup; the incremental backup; and the differential backup.
Full
The full backup is the easiest to understand of the types of backup; it simply is a replica of all allocated data on a hard disk. Full backups contain all of the allocated data on the hard disk, which makes them simple from a recovery standpoint in the event of a failure. Though the time and media necessary to recover are less for full backups than for those approaches that employ other methods, the amount of media required to hold full backups is greater. Another downside of using only full backups is the time it takes to perform the backup itself. The time required to complete a backup must be within the backup window, which is the planned period of time in which backups are considered operationally acceptable. Because of the larger amount of media, and therefore cost of media, and the longer backup window requirements, full backups are often coupled with either incremental or differential backups to balance the time and media considerations.
Incremental
One alternative to exclusively relying upon full backups is to leverage incremental backups. Incremental backups only archive files that have changed since the last backup of any kind was performed. Since fewer files are backed up, the time to perform the incremental backup is greatly reduced. To understand the tape requirements for recovery, consider an example backup schedule using tapes, with weekly full backups on Sunday night and daily incremental backups. Each Sunday, a full backup is performed. For Monday's incremental backup, only those files which have been changed since Sunday's backup will be marked for backup. On Tuesday, those files which have been changed since Monday's incremental backup will be marked for backup. Wednesday, Thursday, Friday, and Saturday would all simply perform a backup of those files that had changed since the previous incremental backup.
Given this schedule, if a data or disk failure occurs and there is a need for recovery, then the most recent full backup and each and every incremental backup since the full backup are required to initiate a recovery. Though the time to perform each incremental backup is extremely short, the downside is that a full restore can require quite a few tapes, especially if full backups are performed less frequently. Also, the odds of a failed restoration due to a tape integrity issue (such as a broken tape) rise with each additional tape required.

Differential
Another approach to data backup is the differential backup method. While the incremental backup only archives those files that have changed since any backup, the differential method will back up any files that have been changed since the last full backup. The following is an example of a backup schedule using tapes, with weekly full backups on Sunday night and daily differential backups. Each Sunday, a full backup is performed. For Monday's differential backup, only those files which have been changed since Sunday's backup will be archived. On Tuesday, again those files which have been changed since Sunday's full backup, including those backed up with Monday's differential, will be archived. Wednesday, Thursday, Friday, and Saturday would all simply archive all files that had changed since the previous full backup. Given this schedule, if a data or disk failure occurs and there is a need for recovery, then only the most recent full backup and the most recent differential backup are required to initiate a full recovery. Though the time to perform each differential backup is shorter than a full backup, as more time passes since the last full backup the length of time to perform a differential backup will also increase. If much of the data being backed up regularly changes or the time between full backups is long, then the length of time for a backup might approach that of the full backup.

Redundant Array of Inexpensive Disks (RAID)
Even if only one full backup tape is needed for recovery of a system due to a hard disk failure, the time to recover a large amount of data can easily exceed the recovery time dictated by the organization. The goal of a Redundant Array of Inexpensive Disks (RAID) is to help mitigate the risk associated with hard disk failures. There are various RAID levels that consist of different approaches to disk array configurations. These differences in configuration have varying cost, in terms of number of disks lost to achieve the configuration's goals, and capabilities in terms of reliability and performance advantages. Table 10.1 provides a brief description of the various RAID levels that are most commonly used. Three terms that are important to understand with respect to RAID are: mirroring; striping; and parity.
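An added example, not from the book, covering the two tape schedules above and the parity term just introduced: the first part computes which tapes a restore needs under the incremental and differential schedules (weekly full on Sunday night, nightly partials), and the second lays data out over several disks with one XOR parity chunk per stripe, rotating the parity position as RAID 5 does, so that any single lost disk can be rebuilt. The disk count, chunk size and sample data are constructed for the example.

```python
"""Added example (not from the book): restore tape sets and XOR parity."""

DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]


def tapes_for_restore(failure_day: str, scheme: str) -> list[str]:
    """Tapes needed to restore a failure that happens during `failure_day`.

    Backups run nightly (full on Sunday night), so the failure occurs before
    that day's backup. A Sunday failure therefore needs the previous Sunday's
    full plus the six partial backups of the week just ended.
    """
    idx = DAYS.index(failure_day)
    partial_days = DAYS[1:idx] if idx else DAYS[1:]
    tapes = ["Sun-full"]
    if scheme == "incremental":      # every partial since the full is needed
        tapes += [f"{day}-incr" for day in partial_days]
    elif scheme == "differential":   # only the newest partial is needed
        if partial_days:
            tapes.append(f"{partial_days[-1]}-diff")
    else:
        raise ValueError(f"unknown scheme: {scheme}")
    return tapes


def restore_success_probability(tapes: list[str], p_tape_fail: float) -> float:
    """Probability that every tape reads back cleanly, assuming independent
    tape failures: the odds of a failed restore rise with each extra tape."""
    return (1.0 - p_tape_fail) ** len(tapes)


def xor_all(chunks: list[bytes]) -> bytes:
    """XOR equal-length chunks together; this is the parity computation."""
    out = bytearray(chunks[0])
    for chunk in chunks[1:]:
        for i, byte in enumerate(chunk):
            out[i] ^= byte
    return bytes(out)


def stripe_with_parity(data: bytes, n_disks: int, chunk: int) -> list[list[bytes]]:
    """Lay `data` out over `n_disks` disks as stripes of (n_disks - 1) data
    chunks plus one parity chunk; the parity slot rotates (distributed parity)."""
    data_chunks_per_stripe = n_disks - 1
    stripe_bytes = chunk * data_chunks_per_stripe
    data += b"\x00" * (-len(data) % stripe_bytes)   # pad the final stripe
    disks: list[list[bytes]] = [[] for _ in range(n_disks)]
    for s in range(len(data) // stripe_bytes):
        base = s * stripe_bytes
        pieces = [data[base + i * chunk: base + (i + 1) * chunk]
                  for i in range(data_chunks_per_stripe)]
        parity_slot = s % n_disks          # RAID 5 style rotation, not a fixed disk
        pieces_iter = iter(pieces)
        for d in range(n_disks):
            disks[d].append(xor_all(pieces) if d == parity_slot else next(pieces_iter))
    return disks


def rebuild_disk(disks: list, failed: int) -> list[bytes]:
    """Reconstruct one lost disk: in every stripe the missing chunk (data or
    parity) equals the XOR of all surviving chunks of that stripe."""
    survivors = [disk for i, disk in enumerate(disks) if i != failed]
    return [xor_all([disk[s] for disk in survivors]) for s in range(len(survivors[0]))]


def read_back(disks: list[list[bytes]], length: int) -> bytes:
    """Reassemble the original bytes by skipping the parity slot in each stripe."""
    n_disks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        parity_slot = s % n_disks
        for d in range(n_disks):
            if d != parity_slot:
                out += disks[d][s]
    return bytes(out[:length])


def survive_single_disk_loss(data: bytes, n_disks: int = 4, chunk: int = 4,
                             failed: int = 2) -> bool:
    """Stripe the data, lose one disk, rebuild it and verify the read-back.
    Two simultaneous losses cannot be rebuilt this way; that needs RAID 6."""
    disks = stripe_with_parity(data, n_disks, chunk)
    disks[failed] = None                       # the disk is gone
    disks[failed] = rebuild_disk(disks, failed)
    return read_back(disks, len(data)) == data
```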
• Mirroring is the most obvious and basic of the fundamental RAID concepts, and is simply used to achieve full data redundancy by writing the same data to multiple hard disks. Since mirrored data must be written to multiple disks the write times are slower. However, there can be performance gains when reading mirrored data by simultaneously pulling data from multiple hard disks. Other than read and write performance considerations, a major cost associated with mirroring is disk usage; at least half of the drives are used for redundancy when mirroring is used.
• Striping is a RAID concept that is focused on increasing the read and write performance by spreading data across multiple hard disks. With data being spread amongst multiple disk drives, reads and writes can be performed in parallel across multiple disks rather than serially on one disk. This parallelization provides a performance increase, but does not aid in data redundancy. The final concept is parity.
• Parity is a means to achieve data redundancy without incurring the same degree of cost as that of mirroring in terms of disk usage and write performance.

Table 10.1 RAID Levels

RAID Level   Description
RAID 0       Striped set
RAID 1       Mirrored set
RAID 3       Byte level striping with dedicated parity
RAID 4       Block level striping with dedicated parity
RAID 5       Block level striping with distributed parity
RAID 6       Block level striping with double distributed parity

EXAM WARNING
While the ability to quickly recover from a disk failure is the goal of RAID, there are configurations that do not have reliability as a capability. For
the exam, be sure to understand that not all RAID configurations provide additional reliability.

RAID 0: Striped Set
As is suggested by the title, RAID 0 employs striping to increase the performance of reads and writes. By itself, striping offers no data redundancy, so RAID 0 is a poor choice if recovery of data is the reason for leveraging RAID. Figure 10.3 shows visually what RAID 0 entails.

FIGURE 10.3 RAID 0—Striped Set (blocks A, C, E, G on one disk and B, D, F, H on the other).

RAID 1: Mirrored Set
This level of RAID is perhaps the simplest of all RAID levels to understand. RAID 1 creates/writes an exact duplicate of all data to an additional disk. The write performance is decreased, though the read performance can see an increase. Disk cost is one of the most troubling aspects of this level of RAID, as at least half of all disks are dedicated to redundancy. Figure 10.4 shows RAID 1 visually.

RAID 2: Hamming Code
RAID 2 is not considered commercially viable for hard disks and is not used. This level of RAID would require either 14 or 39 hard disks and a specially designed hardware controller, which makes RAID 2 incredibly cost prohibitive. RAID 2 is not likely to be tested.

RAID 3: Striped Set with Dedicated Parity (byte level)
Striping is desirable due to the performance gains associated with spreading data
across multiple disks. However, striping alone is not as desirable due to the lack of redundancy. With RAID 3, data at the byte level is striped across multiple disks, but an additional disk is leveraged for storage of parity information, which is used for recovery in the event of a failure.

FIGURE 10.4 RAID 1—Mirrored Set (blocks A, B, C, D duplicated on both disks).

RAID 4: Striped Set with Dedicated Parity (block level)
RAID 4 provides the exact same configuration and functionality as that of RAID 3, but stripes data at the block, rather than byte, level. Like RAID 3, RAID 4 employs a dedicated parity drive rather than having parity data distributed amongst all disks, as in RAID 5.

RAID 5: Striped Set with Distributed Parity
One of the most popular RAID configurations is that of RAID 5, Striped Set with Distributed Parity. Again with RAID 5 there is a focus on striping for the performance increase it offers, and RAID 5 leverages block level striping. Like RAIDs 3 and 4, RAID 5 writes parity information that is used for recovery purposes. However, unlike RAIDs 3 and 4, which require a dedicated disk for parity information, RAID 5 distributes the parity information across multiple disks. One of the reasons for RAID 5's popularity is that the disk cost for redundancy is lower than that of a Mirrored set. Another important reason for this level's popularity is the support for both hardware and software based implementations, which significantly reduces the barrier to entry
for RAID configurations. RAID 5 allows for data recovery in the event that any one disk fails. Figure 10.5 provides a visual representation of RAID 5.

FIGURE 10.5 RAID 5—Striped Set with Distributed Parity (data blocks A1, A2, B1, B3, C2, C3 with parity blocks 1 Parity, 2 Parity, 3 Parity spread across the disks).

RAID 6: Striped Set with Dual Distributed Parity
While RAID 5 accommodates the loss of any one drive in the array, RAID 6 can allow for the failure of two drives and still function. This redundancy is achieved by writing the same parity information to two different disks.

NOTE
There are many and varied RAID configurations which are simply combinations of the standard RAID levels. Nested RAID solutions are becoming increasingly common with larger arrays of disks that require a high degree of both reliability and speed. Some common nested RAID levels include RAID 0+1, 1+0, 5+0, 6+0, and (1+0)+0, which are also commonly written as RAID 01, 10, 50, 60, and 100, respectively.

RAID 1+0 or RAID 10
RAID 1+0 or RAID 10 is an example of what is known as nested RAID or multi-RAID, which simply means that one standard RAID level is encapsulated within another. With RAID 10, which is also commonly written as RAID 1+0 to explicitly indicate the nesting, the configuration is that of a striped set of mirrors.

System Redundancy
Though redundancy and resiliency of data, provided by RAID and backup solutions, is important, further consideration needs to be given to the systems themselves that provide access to this redundant data.

Redundant Hardware
Many systems can provide internal hardware redundancy of components that are extremely prone to failure. The most common example of this in-built redundancy
is systems or devices which have redundant onboard power in the event of a power supply failure. In addition to redundant power, it is also common to find redundant network interface cards (NICs), as well as redundant disk controllers. Sometimes systems simply have field replaceable modular versions of commonly failing components. Though physically replacing a power supply might increase downtime, having an inventory of spare modules to service the entire datacenter's servers would be less expensive than having all servers configured with an installed redundant power supply.

Redundant Systems
Though quite a few fault-prone internal components can be configured to have redundancy built into systems, there is a limit to the internal redundancy. If system availability is extremely important, then it might be prudent to have entire systems available in the inventory to serve as a means to recover. While the time to recover might be greater, it is fairly common for organizations to have an SLA with their hardware manufacturers to be able to quickly procure replacement equipment in a timely fashion. If the recovery times are acceptable, then quick procurement options are likely to be far cheaper than having spare equipment on-hand for ad hoc system recovery.

High-Availability Clusters
Some applications and systems are so critical that they have more stringent uptime requirements than can be met by standby redundant systems, or spare hardware. These systems and applications typically require what is commonly referred to as a high-availability (HA) or failover cluster. A high-availability cluster employs multiple systems that are already installed, configured, and plugged in, such that if a failure causes one of the systems to fail then the other can be seamlessly leveraged to maintain the availability of the service or application being provided. The actual implementation details of a high-availability cluster can vary quite a lot, but there are a few basic considerations that need to be understood. The primary implementation consideration for high-availability clusters is whether each node of an HA cluster is actively processing data in advance of a failure. This is known as an active-active configuration, and is commonly referred to as load balancing. Having systems in an active-active, or load balancing, configuration is typically more costly than having the systems in an active-passive, or hot standby,
configuration in which the backup systems only begin processing when a failure state is detected.

INCIDENT RESPONSE MANAGEMENT
Although this chapter has provided many operational security measures that would aid in the prevention of a security incident, these measures will only serve to decrease the likelihood and frequency with which security incidents are experienced. All organizations will experience security incidents; about this fact there is little doubt. Because of the certainty of security incidents eventually impacting organizations, there is a great need to be equipped with a regimented and tested methodology for identifying and responding to these incidents.

We will first define some basic terms associated with incident response. To be able to determine whether an incident has occurred or is occurring, security events are reviewed. Events are any observable data associated with systems or networks. A security incident exists if the events suggest that a violation of an organization's security posture has occurred or is likely to occur. Security incidents can run the gamut from a basic policy violation to an insider exfiltrating millions of credit card numbers. Incident handling or incident response are the terms most commonly associated with how an organization proceeds to identify, react to, and recover from security incidents. Finally, a Computer Security Incident Response Team (CSIRT) is a term used for the group that is tasked with monitoring, identifying, and responding to security incidents. The overall goal of the incident response plan is to allow the organization to control the cost and damage associated with incidents, and to make the recovery of impacted systems quicker.

Methodology
Different books and organizations may use different terms and phases associated with incident response; this section will mirror the terms associated with the examination. Though each organization will indeed have a slightly different understanding of the phases of incident response, the general tasks performed will likely be quite similar among most organizations.

Detection
One of the most important steps in the incident response process is the detection phase. Detection is the phase in which events are analyzed in order to determine whether these events might comprise a security incident. Without strong detective capabilities built into the information systems, the organization has little hope of being able to effectively respond to information security incidents in a timely fashion. Organizations should have a regimented and, preferably, automated fashion for pulling events from systems and bringing those events into the wider organizational context. Often when events on a particular system are analyzed independently and out of context, an actual incident might easily be overlooked. However, with the
benefit of seeing those same system logs in the context of the larger organization, patterns indicative of an incident might be noticed. An important aspect of this phase of incident response is that during the detection phase a determination is made as to whether an incident is actually occurring or has occurred. It is a rather common occurrence for potential incidents to be deemed strange, but innocuous, after further review.

Containment
The containment phase of incident response is the point at which the incident response team attempts to keep further damage from occurring as a result of the incident. Containment might include taking a system off the network, isolating traffic, powering off the system, or other items to control both the scope and severity of the incident. This phase is also typically where a binary (bit by bit) forensic backup is made of systems involved in the incident. An important trend to understand is that most organizations will now capture volatile data before pulling the power plug on a system.

Eradication
The eradication phase involves the process of understanding the cause of the incident so that the system can be reliably cleaned and ultimately restored to operational status later in the recovery phase. In order for an organization to be able to reliably recover from an incident, the cause of the incident must be determined. The cause must be known so that the systems in question can be returned to a known good state without significant risk of compromise persisting or reoccurring. A common occurrence is for organizations to remove the most obvious piece of malware affecting a system and think that is sufficient. In reality, the obvious malware may only be a symptom, with the cause still undiscovered.
Once the cause and symptoms are determined then the system is restored to a good state and should not be vulnerable to further impact. This will typically involve either rebuilding the system from scratch or restoring from a known good backup. A key question is whether the known good backup can really be trusted. Root cause analysis is key here: it can help develop a timeline of events that lends credence to the suggestion of a backup or image known to be good. Another aspect of eradication that helps with the prevention of future impact is bolstering defenses of the system. If the incident was caused by exploitation of a known vulnerability, then a patch would be prudent. However, improving the system's firewall configuration might also be a means to help defend against the same or similar attacks. Once eradication has been completed, then the recovery phase begins.

Recovery
The recovery phase involves cautiously restoring the system or systems to operational status. Typically, the business unit responsible for the system will dictate when the system will go back online. Remember to be cognizant of the possibility that the infection, attacker, or other threat agent might have persisted through the eradication phase. For this reason, close monitoring of the system after it is returned to production is necessary. Further, to make the security monitoring of this system easier, strong preference is given to restoring operations during off or nonpeak production hours.

Reporting
Unfortunately, the reporting phase is the one most likely to be neglected in immature incident response programs. This is unfortunate because the reporting phase, if done right, is the phase that has the greatest potential to effect a positive change in security posture. The goal of the reporting phase is to provide a final report on the incident, which will be delivered to management. Important
considerations for this phase are detailing ways in which the identification could have occurred sooner, the response could have been quicker or more effective, organizational shortcomings that might have contributed to the incident, and potential areas for improvement. Though after significant security incidents security personnel might have the greater attention of management, now is not the time to exploit this focus unduly. If a basic operational change would have significantly increased the organization's ability to detect, contain, eradicate, or recover from the incident, then the final report should detail this fact whether it is a technical or administrative measure.

Types of attacks
Now that the phases of incident response are understood, types of attacks that frequently require incident response will be described. Though this section will by no means present an exhaustive list of attack types, it will provide basic information on the types of attacks more commonly experienced and responded to in organizations. Before attending specifically to the common attacks, a brief discussion on threats will aid in bringing the common attacks into the organizational risk assessment model. Attention should be paid to ways in which the attacks can be classified and organized, which is summarized in Table 10.2.

Threat Agents
Threat agents are the actors causing the threats that might exploit a vulnerability. While the easiest threat agent to understand is the single dedicated attacker, perhaps working from his mother's basement, it would be foolish to think this is the only manifestation of threat agents. One of the most alarming recent trends is the increasing organization of the threat agents. Organized crime, terrorists, political dissidents, and even nation states are now common threat agents that can easily target
any organization. Though the untrained or careless worker is likely the most common threat agent, this section's preference for attacks will tend towards the intentional attackers. Malware, or malicious code, can also be considered a threat agent, even though it is automated and lacks creativity. One of the primary reasons to consider the various threat agents is to appreciate the fact that all organizations can be targets when the number, types, and motivations of threat agents are so broad.

Threat Vectors
What medium allows the threat agent to potentially exploit the vulnerability? The answer to this question describes the threat vectors that must be considered. Historically, one of the most common threat vectors, which persists even today, is that of email attachments. Attackers have been using email attachments as a means to exploit vulnerabilities for a long time, and the practice continues going strong, though the types of attachments that are effective have changed. Other common vectors include: external attackers targeting public-facing systems via open ports, web applications, and clients; using phone lines to target internal servers and already compromised internal clients to target internal servers; and internal attackers targeting internal systems. Table 10.2 provides additional details regarding these common attack vectors.

Table 10.2 Threat Vectors

Origin: External. Target: Public facing servers. Medium or vector: Network Attack—direct attacks against ports open through network and system firewalls. This is the conventional attack vector that is most commonly defended against.
Origin: External. Target: Web Application components. Medium or vector: Web Applications—though some organizations view this as a subset of the above, the attacks and associated defenses are drastically different. The attacker targets the web application, associated servers, and content, rather than merely the web server. Traditional perimeter security defenses fall short when protecting web applications.
Origin: External. Target: SMTP Gateways, Antimalware systems, Internal Clients. Medium or vector: Attack using malicious email attachments. Used to be straightforward virus attachments, but now commonly uses malicious files that exploit client-side application vulnerabilities (.doc, .xls, .ppt, .pdf, .jpg). Note: these seemingly innocuous file types are also being hosted on malicious websites (see below).
Origin: External. Target: Internal Servers. Medium or vector: Phone lines—attacks leveraging phone systems are some of the oldest by nature of the technology involved. Many organizations still leverage these systems, especially for critical legacy components, yet often this medium is now overlooked during security assessments.
Origin: External. Target: Internal Clients. Medium or vector: Browser attacks—attacker hosts a malicious web site or leverages a compromised trusted site to exploit internal clients.
Origin: External. Target: Internal Servers. Medium or vector: Pivot attack—leverage an internal client (compromised via another vector) to attack internal servers. Increasingly common as organizations are making better use of perimeter security.
Origin: Internal. Target: Internal Clients, Internal Servers, Infrastructure. Medium or vector: Insider threat—attacker is an insider (employee, contractor, consultant, transient worker, someone with VPN access, etc.), which typically translates to greater access just by virtue of where they are situated with respect to perimeter defenses. Most organizations have limited internal security when compared to their external facing security.

Password Guessing and Password Cracking
Though some fail to distinguish between the two, it is prudent to differentiate between password guessing and cracking as the techniques differ. Password guessing is the simpler of the two techniques from both the attacker's and defender's vantage point. Password guessing is an online technique that involves attempting
to authenticate a particular user to the system. Password cracking refers to an offline technique in which the attacker has gained access to the password hashes or database. Note that most web-based attacks on passwords are of the password guessing variety, so web applications should be designed with this in mind from a detective and preventive standpoint.

Password guessing may be detected by monitoring the failed login system logs. In order to differentiate between the normal user accidentally mistyping their password and the attacker, clipping levels are useful. Clipping levels define a minimum reporting threshold level. Using the password guessing example, a clipping level might be established such that the audit system only alerts if failed authentication occurs more frequently than five times in an hour for a particular user. Clipping levels can help to differentiate the attacks from noise; however, they can also cause false negatives if the attackers can glean the threshold beneath which they must operate.

Preventing successful password guessing attacks is typically done with account lockouts. Account lockouts are used to prevent an attacker from being able to simply guess the correct password by attempting a large number of potential passwords. Some organizations require manual remediation of locked accounts, usually in the form of intervention by the help desk. However, some organizations configure account lockouts to simply have an automatic reset time, which would not necessarily require manual intervention. Care should be taken in the account lockout configuration, as an attacker, though unsuccessful at retrieving a correct password, might be able to cause significant administrative burden by intentionally locking out a large volume of accounts.
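The clipping level just described, applied to failed-login records, as an added example that is not from the book: it alerts on a user only when more than five failures fall inside a rolling hour, and a second check, per source rather than per user, surfaces the account-lockout abuse the last paragraph warns about, which the per-user threshold never reaches. The log lines and their format are constructed for this example.

```python
"""Added example (not from the book): a clipping level over failed logins."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records; the format imitates a typical sshd failure
# line but is not taken from any real system.
SAMPLE_LOG = """\
2024-03-01T09:00:00 sshd: Failed password for alice from 10.0.0.5
2024-03-01T09:01:00 sshd: Failed password for alice from 10.0.0.5
2024-03-01T09:02:00 sshd: Failed password for alice from 10.0.0.5
2024-03-01T09:03:00 sshd: Failed password for alice from 10.0.0.5
2024-03-01T09:04:00 sshd: Failed password for alice from 10.0.0.5
2024-03-01T09:05:00 sshd: Failed password for alice from 10.0.0.5
2024-03-01T09:00:00 sshd: Failed password for bob from 198.51.100.9
2024-03-01T09:13:00 sshd: Failed password for bob from 198.51.100.9
2024-03-01T09:26:00 sshd: Failed password for bob from 198.51.100.9
2024-03-01T09:39:00 sshd: Failed password for bob from 198.51.100.9
2024-03-01T09:52:00 sshd: Failed password for bob from 198.51.100.9
2024-03-01T10:05:00 sshd: Failed password for bob from 198.51.100.9
2024-03-01T09:30:00 sshd: Failed password for carol from 10.0.0.8
2024-03-01T09:10:00 sshd: Failed password for dave from 203.0.113.7
2024-03-01T09:11:00 sshd: Failed password for erin from 203.0.113.7
2024-03-01T09:12:00 sshd: Failed password for frank from 203.0.113.7
2024-03-01T09:13:00 sshd: Failed password for grace from 203.0.113.7
"""

LINE_RE = re.compile(r"^(\S+) sshd: Failed password for (\S+) from (\S+)$")


def parse_failures(text):
    """Return (timestamp, user, source) tuples for each failed-login line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events


def clipping_level_alerts(events, threshold=5, window=timedelta(hours=1)):
    """Users whose failures exceed `threshold` inside any rolling `window`.

    This is the clipping level from the text: alert only when failed
    authentication occurs more than five times in an hour for one user.
    """
    recent = defaultdict(deque)
    alerted = set()
    for ts, user, _src in sorted(events):
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:       # drop failures older than the window
            q.popleft()
        if len(q) > threshold:
            alerted.add(user)
    return alerted


def lockout_abuse_alerts(events, min_users=3, window=timedelta(hours=1)):
    """Sources that fail against `min_users` or more distinct accounts within
    a window: the pattern of someone trying to lock out many accounts, which
    a per-user clipping level on its own never reaches."""
    recent = defaultdict(deque)
    alerted = set()
    for ts, user, src in sorted(events):
        q = recent[src]
        q.append((ts, user))
        while ts - q[0][0] > window:
            q.popleft()
        if len({u for _t, u in q}) >= min_users:
            alerted.add(src)
    return alerted
```

bob never trips the per-user clipping level: six failures paced thirteen minutes apart keep at most five inside any hour, the false-negative case the text warns about.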
  • 175.
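As an added illustration (not code from the book), the clipping-level rule described above applied to a constructed authentication log: a Python detector that counts failed logins per user in a sliding one-hour window and alerts only when the count exceeds five. The log lines, usernames and addresses are constructed for the example. The "dave" entries show the caveat the text raises: six failures paced more than an hour apart never cross the threshold, so an attacker who has gleaned the clipping level produces no alert, which is why lockout or a second, longer-window rule is usually paired with it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the book), in a syslog-like shape.
SAMPLE_LOG = """\
2024-03-01T09:00:05 sshd[1201]: Failed password for alice from 10.0.0.8
2024-03-01T09:00:09 sshd[1202]: Failed password for alice from 10.0.0.8
2024-03-01T09:00:15 sshd[1203]: Accepted password for alice from 10.0.0.8
2024-03-01T09:10:00 sshd[1301]: Failed password for bob from 203.0.113.5
2024-03-01T09:12:00 sshd[1302]: Failed password for bob from 203.0.113.5
2024-03-01T09:14:00 sshd[1303]: Failed password for bob from 203.0.113.5
2024-03-01T09:16:00 sshd[1304]: Failed password for bob from 203.0.113.5
2024-03-01T09:18:00 sshd[1305]: Failed password for bob from 203.0.113.5
2024-03-01T09:20:00 sshd[1306]: Failed password for bob from 203.0.113.5
2024-03-01T10:00:00 sshd[1401]: Failed password for carol from 198.51.100.7
2024-03-01T10:10:00 sshd[1402]: Failed password for carol from 198.51.100.7
2024-03-01T10:20:00 sshd[1403]: Failed password for carol from 198.51.100.7
2024-03-01T10:30:00 sshd[1404]: Failed password for carol from 198.51.100.7
2024-03-01T10:40:00 sshd[1405]: Failed password for carol from 198.51.100.7
2024-03-01T11:00:00 sshd[1501]: Failed password for dave from 192.0.2.44
2024-03-01T11:40:00 sshd[1502]: Failed password for dave from 192.0.2.44
2024-03-01T12:20:00 sshd[1503]: Failed password for dave from 192.0.2.44
2024-03-01T13:00:00 sshd[1504]: Failed password for dave from 192.0.2.44
2024-03-01T13:40:00 sshd[1505]: Failed password for dave from 192.0.2.44
2024-03-01T14:20:00 sshd[1506]: Failed password for dave from 192.0.2.44
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) \S+: Failed password for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_failures(log_text):
    """Return (timestamp, user, source) tuples for failed logins; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"]))
    return sorted(events)


def failures_by_user(events):
    """Raw failure counts per user, the number a naive report would show."""
    counts = defaultdict(int)
    for _, user, _ in events:
        counts[user] += 1
    return dict(counts)


def clipping_level_alerts(events, threshold=5, window=timedelta(hours=1)):
    """Alert when one user has MORE than `threshold` failures inside a sliding `window`.

    Each user keeps a queue of recent failure times; entries older than the window are
    dropped before counting, so only the "more than five in an hour" pattern fires.
    The alert is emitted once, at the moment the level is crossed.
    """
    recent = defaultdict(deque)
    alerts = []
    for ts, user, src in events:
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) == threshold + 1:
            alerts.append((user, src, ts.isoformat()))
    return alerts


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    print("failures per user:", failures_by_user(ev))
    for alert in clipping_level_alerts(ev):
        print("ALERT (clipping level exceeded):", alert)
```

With the default threshold only bob triggers an alert: alice's two typos are noise, carol's five failures sit exactly at the level and do not exceed it, and dave's six failures never fall inside one hour. Lowering the threshold to four makes carol visible as well, which is the tuning trade-off between noise and false negatives the text describes.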
Password cracking is considered an offline attack because the attacker has gained access to a password hash for a particular account or the entire password database. Most password databases store the passwords as hashes rather than clear text. These one-way cryptographic hashes are created by running the plaintext password through a hashing algorithm such as MD5, LM, NT Hash (MD4), etc. The attacker will attempt to crack the password with a dictionary, then a hybrid, and finally a brute force method if suitably motivated to achieve the plaintext password. The dictionary method simply directs the password cracking tool to use a supplied list of words as potential passwords. The tool will hash the supplied word using the matching password hashing algorithm and compare the resulting hash with the hash in the database. If the two hashes match, then the plaintext password is now known. If the dictionary method is unsuccessful, then the hybrid approach will likely be attempted.

The hybrid approach to password cracking still leverages a word list (dictionary), but makes alterations to the word before putting the guess through the hashing algorithm. Common alterations made by hybrid crackers include prepending or appending numbers or symbols to the password, changing the case of the letters in the word, and making common symbol or number substitutions for letters (e.g., replacing an "o" with a "0"). Finally, password brute forcing involves simply attempting every possible password until the correct match is found. Brute forcing will eventually yield the password, but the question is whether it will return the plaintext password quickly enough (days, months, or years) for it to still be of value.

A variation on typical password brute forcing that can greatly increase the speed with which the correct password can be retrieved is a precomputation brute force attack. This technique employs rainbow tables, which are tables of precomputed password-hash combinations: a collection of all password hashes that are applicable for a given algorithm, sometimes within specific confines such as an upper limit on password length or only including the more common symbols. While rainbow tables can reduce the password cracking to a mere table lookup to find the password hash in question, the creation of these rainbow tables is an extremely time consuming process.

NOTE
The efficacy of precomputation brute force attacks leveraging rainbow tables is dependent upon the password hashing algorithm's implementation. The main feature that determines whether rainbow tables will greatly increase the speed of password recovery is whether the implementation of the algorithm involves salts, which is simply a way of introducing randomness into the resultant hashes. In the absence of salts, the same password will yield the exact same hash every single time. Notably, Windows' LM and NT hashes do not include salts, which makes them particularly vulnerable to this type of brute forcing. Linux and UNIX systems have employed salts for decades. A 16 bit salt would effectively require an attacker to create 65,536 separate sets of rainbow tables, one set for each possible salt.

Prevention of successful password cracking attempts can be achieved by strong password policies that prescribe appropriate length, complexity, expiration, and rotation of passwords. Further, strong system security that precludes the attacker ever gaining access to the password database in the first place is another preventive measure.

Session Hijacking and MITM

Another attack technique that needs to be understood is session hijacking, which compromises an existing network session, sometimes seizing control of it. Older protocols such as Telnet may be vulnerable to session hijacking. A Man In The Middle (MITM, also called Monkey In the Middle) attack places the attacker between the victim and another system: the attacker's goal is to be able to serve as an undiscovered proxy for either or both of two endpoints engaging in communication. Effectively, an attacker suitably positioned through a combination of spoofing, masquerading as another endpoint, and sniffing traffic is potentially able to insert herself in the middle of a connection. The capabilities of session hijacking include: changing content as it is delivered to one of the endpoints, initiating transactions as one side of the connection, distribution of malware to either end of the connection, and other attacks. Prevention of session hijacking is best done by leveraging encrypted communications which provide mutual endpoint authentication.

Malware

Malware, or malicious code/software, represents one of the best known types of threats to information systems. There are numerous types of malware, some detailed in Table 10.3, that have evolved over the years to continually cause stress to operations. This section will provide a brief description of the major classes of malware. One important note is that distinguishing between the classes of malware is growing more difficult as one piece of malware code is being used as the delivery mechanism to distribute other malware. Antivirus, or antimalware, suites are a basic protection mechanism for malicious code. However, most antivirus systems are heavily reliant upon signature based detection, which is often considered a reactive approach. Many antivirus tools have evolved into larger suites that include functionality beyond just basic signature based virus detection (e.g., host based firewalls, intrusion prevention systems, antispyware functionality, etc.). Two of the most important considerations for preventing malware infection beyond antivirus suites are system hardening and user awareness training.
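An added example (not from the book) of the salt point made in the NOTE of the password cracking section above, written in Python with the standard library only: an unsalted MD5 hash is recovered by a single lookup in a precomputed table, while a per-user random salt combined with PBKDF2 makes the same password hash differently for every account, so a table built without the salt never matches. The candidate word list, the 100,000-iteration work factor and the account names are constructed for the example, and the dictionary used here is a simplified stand-in for a rainbow table (a real one stores hash chains to save space; the lookup idea is the same). `tables_needed` reproduces the text's 16-bit salt arithmetic.

```python
import hashlib
import hmac
import os

# Constructed candidate list (not from the book) standing in for the precomputed table's input.
CANDIDATES = ["password", "letmein", "Summer2024", "qwerty", "welcome1"]
ITERATIONS = 100_000  # PBKDF2 work factor; assumed value, tune to the deployment


def unsalted_hash(password):
    """Unsalted MD5: the same password always yields the same hash, for every account."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(candidates):
    """Simplified stand-in for a rainbow table: maps precomputed hash -> plaintext.

    A real rainbow table stores hash chains to trade storage for computation;
    the point that matters here is that it is built once, without any salt."""
    return {unsalted_hash(c): c for c in candidates}


def lookup(table, stored_hash):
    """One table lookup recovers the plaintext, or None if the hash was never precomputed."""
    return table.get(stored_hash)


def salted_hash(password, salt):
    """Salted, iterated hash (PBKDF2-HMAC-SHA256); the salt changes the result entirely."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password, salt=None):
    """Create a stored credential: a fresh random 16-byte salt plus the salted hash."""
    if salt is None:
        salt = os.urandom(16)
    return {"salt": salt, "hash": salted_hash(password, salt)}


def verify(record, password):
    """Recompute with the stored salt; constant-time compare avoids a timing side channel."""
    return hmac.compare_digest(record["hash"], salted_hash(password, record["salt"]))


def tables_needed(salt_bits):
    """Separate precomputed table sets an attacker would need: one per possible salt value."""
    return 2 ** salt_bits


def demo():
    """Contrast unsalted and salted storage for two accounts that chose the same weak password."""
    table = build_lookup_table(CANDIDATES)
    alice_unsalted = unsalted_hash("Summer2024")
    bob_unsalted = unsalted_hash("Summer2024")
    alice = make_record("Summer2024")
    bob = make_record("Summer2024")
    return {
        "unsalted_identical": alice_unsalted == bob_unsalted,  # True: reuse is visible
        "unsalted_recovered": lookup(table, alice_unsalted),   # "Summer2024" by lookup
        "salted_identical": alice["hash"] == bob["hash"],      # False: salts differ
        "salted_in_table": lookup(table, alice["hash"].hex()),  # None: table is useless
        "alice_verifies": verify(alice, "Summer2024"),         # True
        "alice_wrong_pw": verify(alice, "summer2024"),         # False
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
    print("table sets needed for a 16-bit salt:", tables_needed(16))
```

The iteration count matters as much as the salt for the dictionary and hybrid methods described above: the salt defeats precomputation, while the work factor slows down every guess the attacker must hash fresh against a stolen database.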
Table 10.3 Types of Malware

Virus: Virus is the term that most lay persons use for all bad things that can happen on a computer. Information security professionals require a bit more specificity of the term, and reserve the word virus to indicate malicious code that hooks onto executable code and requires user interaction to spread. In addition to spreading, the actual payload of the virus, that is, what it is intended to do, could be anything.

Macro Virus: The term macro virus refers to malicious code that infects Microsoft Office documents by means of embedding malicious macros within them. Many organizations were wholly unaware of the macro functionality provided by Microsoft Office until they were hit with macro viruses.

Worm: The distinguishing feature of worms is their ability to self-propagate, or spread without user interaction. This has made worms exceedingly good at spreading very rapidly throughout the internet. Some of the most well known names of malware fall under the worm category: Code Red, Nimda, SQL Slammer, Blaster, MyDoom, Witty.

Trojan Horse: Trojans, which get their name from the famous Trojan Horse from Greek mythology, are defined by how they are concealed, and are most often associated with providing an attacker with persistent backdoor access. Trojans provide ostensibly desirable functionality that the user is seeking, but also come with malicious functionality that the user does not anticipate.

Rootkit: The term rootkit is used for malware that is focused on hiding its own existence from a savvy administrator trying to detect the malware. Typical capabilities include file, folder, process, and network connection hiding. The techniques developed with rootkits are now commonly included in other types of malware.

Denial of Service (DoS) and Distributed Denial of Service (DDoS)

Denial of Service (DoS) is a one-to-one availability attack; Distributed Denial Of Service (DDoS) is a many-to-one availability attack. They are among the easiest attack techniques to understand, as they are simply availability attacks against a site, system, or network. Though there are many local denial of service techniques, this section focuses on remote denial of service techniques. DoS attacks come in all shapes and sizes, ranging from those involving one specially crafted packet and a vulnerable system to see that packet, to DDoS attacks that leverage tens of thousands (or more) bots to target an online service provider with a flood of seemingly legitimate traffic attempting to overwhelm their capacity. Historically there have been well known named tools for instigating denial of service attacks; however, these seem to have become less popular with the rise of botnets that provide denial of service techniques as part of their generic feature set. It is unlikely that the CISSP will require knowledge of more recent specific variations of bots used for distributed denial of service, so Table 10.4 below will include some historical examples of malicious packet attacks as well as some general resource exhaustion, or flooding, techniques.
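An added example (not from the book) of detection logic for several of the attacks Table 10.4 describes: a Python inspector run over constructed packet summaries that flags the Land pattern (a SYN whose source and destination address and port are identical), Teardrop-style overlapping fragment offsets, a fragment whose reassembled length would exceed the IPv4 maximum (Ping of Death), and a SYN flood by counting SYN-only segments per destination port. The packet records, addresses and the threshold of ten are constructed; `off` is the IP fragment offset in 8-byte units and `len` the bytes carried by that fragment, as a packet decoder would supply them.

```python
from collections import defaultdict

MAX_IP_PACKET = 65535  # largest total length an IPv4 datagram may have

# Constructed packet summaries (not from the book): fields a decoder would hand a sensor.
SAMPLE_PACKETS = [
    # an ordinary connection attempt
    {"id": 1, "proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.9", "sport": 51000,
     "dport": 443, "flags": "S", "off": 0, "len": 60, "mf": False},
    # Land: spoofed SYN whose source and destination are both the victim's own address/port
    {"id": 2, "proto": "tcp", "src": "10.0.0.9", "dst": "10.0.0.9", "sport": 139,
     "dport": 139, "flags": "S", "off": 0, "len": 40, "mf": False},
    # Teardrop: second fragment of IP id 7 starts at byte 800, inside the first (0..1480)
    {"id": 7, "proto": "udp", "src": "203.0.113.5", "dst": "10.0.0.9", "off": 0,
     "len": 1480, "mf": True},
    {"id": 7, "proto": "udp", "src": "203.0.113.5", "dst": "10.0.0.9", "off": 100,
     "len": 1480, "mf": False},
    # Ping of Death: final ICMP fragment at offset 65440 plus 1500 bytes exceeds 65535
    {"id": 9, "proto": "icmp", "src": "198.51.100.7", "dst": "10.0.0.9", "off": 8180,
     "len": 1500, "mf": False},
    # SYN flood: twelve SYN-only segments to one port from scattered sources
    *[{"id": 100 + i, "proto": "tcp", "src": f"192.0.2.{i}", "dst": "10.0.0.9",
       "sport": 40000 + i, "dport": 80, "flags": "S", "off": 0, "len": 60, "mf": False}
      for i in range(12)],
]


def flow(p):
    """Short label for a packet's source, destination and IP id, used in findings."""
    return f'{p["src"]}->{p["dst"]} id {p["id"]}'


def inspect(packets, syn_threshold=10):
    """Run the malformed-packet and flooding checks over decoded packet summaries.

    Findings are returned in detection order; the SYN-flood tally is appended last
    because it needs the whole sample to count."""
    findings = []
    ranges = defaultdict(list)  # (src, dst, id) -> byte ranges already held for reassembly
    syns = defaultdict(int)     # (dst, dport) -> SYN-only segments seen
    for p in packets:
        # Land: identical source/destination address and port on a SYN
        if (p["proto"] == "tcp" and "S" in p["flags"]
                and p["src"] == p["dst"] and p.get("sport") == p.get("dport")):
            findings.append(("land", f'{p["dst"]}:{p["dport"]}'))
        fragmented = p["off"] > 0 or p["mf"]
        if fragmented:
            start = p["off"] * 8
            end = start + p["len"]
            key = (p["src"], p["dst"], p["id"])
            # Teardrop: this fragment's byte range overlaps one already queued
            if any(start < e and s < end for s, e in ranges[key]):
                findings.append(("teardrop", flow(p)))
            ranges[key].append((start, end))
            # Ping of Death: reassembled ICMP datagram would exceed the IP maximum
            if p["proto"] == "icmp" and end > MAX_IP_PACKET:
                findings.append(("ping_of_death", flow(p)))
        if p["proto"] == "tcp" and "S" in p["flags"] and "A" not in p["flags"]:
            syns[(p["dst"], p["dport"])] += 1
    for (dst, dport), n in syns.items():
        if n > syn_threshold:
            findings.append(("syn_flood", f"{dst}:{dport}", n))
    return findings


if __name__ == "__main__":
    for finding in inspect(SAMPLE_PACKETS):
        print(finding)
```

The malformed-packet checks are deterministic, since a Land or overlapping-fragment packet is never legitimate, whereas the SYN count is only a heuristic: a busy web server sees many SYNs, so in practice the threshold is set from the ratio of half-open to completed handshakes over a time window rather than a fixed count.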
Table 10.4 Denial of Service Examples

Land (Malformed packet): The land attack uses a spoofed SYN packet that includes the victim's IP address and TCP port as both source and destination. This attack targets the TCP/IP stack of older unpatched Windows systems.

Smurf (Resource Exhaustion): A smurf attack involves ICMP flooding. The attacker sends ICMP Echo Request messages with spoofed source addresses of the victim to the directed broadcast address of a network known to be a Smurf amplifier. A smurf amplifier is a public facing network that is misconfigured such that it will forward packets sent to the network broadcast address to each host in the network. Assuming a /24 Smurf amplifier, this means that for every single spoofed ICMP Echo Request sent the victim could receive up to 254 ICMP Echo Responses. As with most resource exhaustion denial of service attacks, prevention involves having infrastructure that can filter the DoS traffic and/or an ISP that can provide assistance in filtering the traffic.

SYN Flood (Resource Exhaustion): SYN Floods are the most basic type of resource exhaustion attacks, and involve an attacker, or attacker controlled machines, initiating many connections to the victim, but not responding to the victim's SYN/ACK packets. The victim's connection queue will eventually be unable to process any more new connections. Configuring a system to more quickly recycle half-open connections can help with this technique. As with most resource exhaustion denial of service attacks, prevention involves having infrastructure that can filter the DoS traffic and/or an ISP that can provide assistance in filtering the traffic.

Teardrop (Malformed packet): The teardrop attack is a malformed packet attack that targets issues with systems' fragmentation reassembly. The attack involves sending packets with overlapping fragment offsets, which can cause issues for a system attempting to reassemble the fragments.

Ping of Death (Malformed packet): The Ping of Death denial of service involved sending a malformed ICMP Echo Request (Ping) that was larger than the maximum size of an IP packet. Historically, sending the Ping of Death would crash systems. Patching the TCP/IP stacks of systems removed the vulnerability to this DoS attack.

Fraggle (Resource Exhaustion): The fraggle attack is a variation of the smurf attack. The main difference between smurf and fraggle is that fraggle leverages UDP for the request portion, and stimulates, most likely, an ICMP Port Unreachable message being sent to the victim rather than an ICMP Echo Response.

DNS Reflection (Resource Exhaustion): A more recent denial of service technique that, like the smurf attack, leverages a third party is the DNS reflection attack. The attacker has poorly configured third-party DNS servers query an attacker-controlled DNS server and cache the response (a maximum-size DNS record). Once the large record is cached by many third party DNS servers, the attacker sends DNS requests for those records with a spoofed source of the victim. This causes these extremely large DNS records to be sent to the victim in response. As with most resource exhaustion denial of service attacks, prevention involves having infrastructure that can filter the DoS traffic and/or an ISP that can provide assistance in filtering the traffic.

SUMMARY OF EXAM OBJECTIVES

In this chapter we have discussed operational security. Operations security concerns the security of systems and data while being actively used in a production environment. Ultimately operations security is about people, data, media, and hardware, all of which are elements that need to be considered from a security perspective. The best technical security infrastructure in the world will be rendered moot if an individual with privileged access decides to turn against the organization and there are no preventive or detective controls in place within the organization. There must be controls associated with even the most trusted individuals. This chapter discussed items such as the principle of least privilege, separation and rotation of duties, and mandatory vacations, which can all help provide needed security controls for our operational personnel. In addition to personnel-related security, this section dealt with media, where the data physically resides. Even though an organization's access control methodology might be superlative, if they allow for sensitive information to be written to backup tapes in plaintext and then hand that tape to a courier, bad things will almost certainly follow. Further, media security also dealt with retention and destruction of data, both of which need to be strictly controlled from an operational security perspective.

Another aspect of operational security is maintaining the availability of systems and data. To this end, data backup methodologies, RAID, and hardware availability were all attended to. Data backups are one of the most common data and system reliability measures that can be undertaken by an organization. RAID, in most configurations, can provide for increased data availability by making systems more resilient to disk failures. In addition to disk and data reliability though, system
hardware must also be continually available in order to access those disks and the data they contain. Hardware availability via redundancy and clustering should also be considered if the systems or data have strict availability requirements.

The final aspect of this chapter on operations security dealt with how to respond to incidents and some common attack techniques. An incident response methodology was put forth, because incidents will inevitably occur in organizations; it is just a matter of time. Having a regimented process for detecting, containing, eradicating, recovering from, and reporting security incidents is paramount in every organization that is concerned with information security, or, more simply, the confidentiality, integrity, and availability of their information systems and the data contained therein. Finally, some common attack techniques were discussed, including password cracking, denial of service techniques, session hijacking, and malicious software. Though this is by no means a comprehensive list, it does provide some basic information about some of the more common attack techniques that are likely to be seen from an operational security vantage point.

SELF TEST

1. Which type of control requires multiple parties in order for a critical transaction to be performed?
A. Separation of duties
B. Rotation of duties
C. Principle of least privilege
D. Need to know

2. Which concept only allows for individuals to be granted the minimum access necessary to carry out their job function?
A. Rotation of duties
B. Principle of least privilege
C. Separation of duties
D. Mandatory leave

3. Which level of RAID does NOT provide additional reliability?
A. RAID 1
B. RAID 5
C. RAID 0
D. RAID 3

4. Which type of RAID uses block level striping with parity information distributed across multiple disks?
A. RAID 1
B. RAID 3
C. RAID 4
D. RAID 5

5. Which type of backup will include only those files that have changed since the most recent Full backup?
A. Full
B. Differential
C. Incremental
D. Binary

6. Which security principle might disallow access to sensitive data even if an individual had the necessary security clearance?
A. Principle of least privilege
B. Separation of duties
C. Need to know
D. Nash analytics

7. Which type of malware is able to propagate itself without user interaction?
A. Rootkit
B. Trojan
C. Virus
D. Worm

8. Separation of Duties requires that two parties act in concert in order to carry out a critical transaction. What is the term associated with two individuals working together to perpetrate a fraud?
A. Hijacking
B. Espionage
C. Terrorism
D. Collusion

9. Which type of malware is commonly associated with office productivity documents?
A. Macro
B. Worm
C. Spyware
D. Rootkit

10. What type of backup is obtained during the Containment phase of Incident Response?
A. Incremental
B. Full
C. Differential
D. Binary

11. Which type of attack will make use of misconfigured third party systems to perpetrate a DoS?
A. Smurf
B. Session hijacking
C. Teardrop
D. Land

12. Which attack technique might involve a seemingly trusted endpoint resolving as a website hosting malware?
A. Password cracking
B. Trojan horse
C. Session hijacking
D. UI redressing

13. Which principle involves defining a trusted security baseline image of critical systems?
A. Configuration management
B. Change management
C. Patch management
D. Vulnerability management

14. Which type of attack leverages overlapping fragments to cause a denial of service?
A. Smurf
B. Teardrop
C. Fraggle
D. Session hijacking

15. What security principle can be used to help detect fraud coming from users becoming comfortable in their position?
A. Separation of duties
B. Principle of least privilege
C. Rotation of duties
D. Collusion

SELF TEST QUICK ANSWER KEY

1. A
2. B
3. C
4. D
5. B
6. C
7. D
8. D
9. A
10. D
11. A
12. C
13. A
14. B
15. C