02 Administrative Network Security Flashcards

1
Q

Why organizations need compliance:

A
  • Improves Security
  • Minimizes Losses
  • Maintains trust
2
Q

Regulatory Frameworks:

A
  • HIPAA
  • Sarbanes Oxley Act (SOX)
  • FISMA
  • GLBA
  • PCI-DSS
3
Q

HIPAA:

A

Health Insurance Portability and Accountability Act (HIPAA): doctors' offices, insurance companies, business associates, and employers

4
Q

SOX:

A

Sarbanes Oxley Act (SOX): US Public company boards, management, and public accounting firms

5
Q

SOX Section 302:

A
  • A mandate that requires senior management to certify the accuracy of the reported financial statements.
  • CEOs and CFOs of an accounting firm's clients must sign statements verifying the completeness and accuracy of the financial reports.
6
Q

SOX Section 404:

A
  • A requirement that management and auditors establish internal controls and reporting methods on the adequacy of those controls.
  • CEOs, CFOs and auditors must report on and attest to the effectiveness of internal controls for financial reporting.
7
Q

FISMA:

A

Federal Information Security Management Act of 2002 (FISMA): All federal agencies must develop a method of protecting their information systems.

It includes:

  • Standards for categorizing information systems by mission impact.
  • Standards for minimum security requirements for information and information systems.
  • Guidance for selecting appropriate security controls for information systems.
  • Guidance for assessing security controls in information systems and determining security control effectiveness.
  • Guidance for the security authorization of information systems.
8
Q

GLBA:

A

Gramm Leach Bliley Act (GLBA): Companies that offer financial products or services to individuals such as loans, investment advice, or insurance.

Key Points:

  • Protecting consumers' personal financial information held by financial institutions and their service providers.
  • The officers and directors of the financial institution shall be subject to, and personally liable for, a civil penalty of not more than $10,000 for each violation.
9
Q

PCI-DSS:

A

Payment Card Industry Data Security Standard (PCI-DSS): Companies handling credit card information.

10
Q

ISO/IEC 27004:

A

Information security metrics

11
Q

ISO/IEC 27005:

A

Information security risk management

12
Q

ISO/IEC 27014:

A

Information security governance

13
Q

ISO/IEC 27016:

A

Information security economics

14
Q

ISO/IEC 27032:

A

Cybersecurity

15
Q

DMCA:

A

The Digital Millennium Copyright Act (DMCA)

Is a United States copyright law that implements two 1996 treaties of the World Intellectual Property Organization.

Defines legal prohibitions against the circumvention of technological protection measures employed by copyright owners to protect their works, and against the removal or alteration of copyright management information.

16
Q

Additional Information Security Acts and Laws:

A
  1. USA PATRIOT Act of 2001
  2. Freedom of Information Act (FOIA)
  3. The Electronic Communications Privacy Act
  4. The Human Rights Act of 1998
  5. The Freedom of Information Act 2000
  6. Computer Fraud and Abuse Act
17
Q

Characteristics of a Security Policy:

A
  • Clear and Concise
  • Usable
  • Economically feasible
  • Understandable
  • Realistic
  • Consistent
  • Procedurally tolerable
  • Legal compliance
  • Based on standards and regulations
18
Q

Contents of a Security Policy:

A
  • High-level security requirements: The requirements a system must meet when implementing security policies, covering discipline security, safeguard security, procedural security, and assurance security.
  • Policy description based on requirements: Focuses on the security disciplines, safeguards, procedures, continuity of operations, and documentation.
  • Security concept of operation: Defines the roles, responsibilities, and functions of a security policy.
  • Allocation of security enforcement to architecture elements: Provides a computer system architecture allocation to each system in the program.
19
Q

Typical Security Policy Document Contents:

A
  • Document control
  • Document location
  • Revision history
  • Approvals
  • Distribution
  • Document history
  • Overview
  • Purpose
  • Scope
  • Definitions
  • Roles & responsibilities
  • Target Audience
  • Policy Statements
  • Sanctions and Violations
  • Related standards, Policies, and Processes
  • Contact Information
  • Where to find more information
  • Glossary/acronyms
20
Q

Policy Statements Examples:

A
  1. All computers must have anti-virus protection activated to provide real-time, continuous protection.
  2. All servers must have the minimum services configured to perform their designated functions.
  3. All access to data is based on a valid business need and is subject to a formal approval process.
  4. All computer software must be purchased by the IT department in accordance with the organization's procurement policy.
  5. A copy of all backup and restoration media must be kept with the off-site backup media.
  6. While using the internet, no user is permitted to abuse, defame, stalk, harass, or threaten anyone, or to violate local and international cyber laws.
21
Q

Steps to Create and Implement a Security Policy:

A
  1. Perform a risk assessment.
  2. Learn from standard guidelines and other organizations.
  3. Include senior management in policy development.
  4. Set clear penalties and enforce them.
  5. Publish the final version to everyone in the organization.
  6. Ensure everyone reads, signs, and understands the policy.
  7. Deploy tools to enforce the policies.
  8. Train employees on the policy.
  9. Regularly review and update.
22
Q

Security Policy Design Structure Points:

A
  • Detailed description of policy issues
  • Functionalities of those affected by the policy
  • Required level of compatibility of the policy
  • Consequences of non-compliance
  • Applicability of the policy to the environment
  • Description of policy status
23
Q

Types of Information Security Policies:

A
  • EISP
  • ISSP
  • SSSP
24
Q

EISP:

A

Enterprise Information Security Policy (EISP)

Drives an organization's scope and provides direction to its security policy

25
Q

Examples of EISP:

A
  • Application policy
  • Network and network device security policy
  • Security policy auditing
  • Backup and restore policy
  • System security policy
26
Q

ISSP:

A

Issue-Specific Security Policy (ISSP):

Directs the audience on the usage of technology-based systems with the help of guidelines.

27
Q

Examples of ISSP:

A

Remote access and wireless policy, incident response plan, password policy, policies for personal devices, user account policies

28
Q

SSSP:

A

System-Specific Security Policy (SSSP):

Directs users while configuring or maintaining a system

29
Q

Examples of SSSP:

A

DMZ policy, encryption policy, acceptable use policy, secure cloud computing, access control policy

30
Q

4 Types of Internet Access Policies:

A
  • Promiscuous Policy
  • Permissive Policy
  • Paranoid Policy
  • Prudent Policy
31
Q

Promiscuous Internet Policy:

A

No internet usage restrictions

32
Q

Permissive Internet Policy:

A
  • Known dangerous services/attacks are blocked.
  • The policy begins with no restrictions.
  • Known holes are plugged and known dangers stopped.
  • It is impossible to keep up with current exploits; admins always play catch-up.
33
Q

Paranoid Internet Policy:

A
  • Everything is forbidden.
  • No internet connection, or severely limited internet usage.
  • Users find ways around overly severe restrictions.
34
Q

Prudent Internet Policy:

A
  • Provides maximum security while allowing known, but necessary dangers.
  • All services are blocked.
  • Safe/necessary services are enabled individually.
  • Nonessential services/procedures that cannot be made safe are not allowed.
  • Everything is logged.
35
Q

AUP:

A

Acceptable Use Policy (AUP):

Defines the proper use of an organization's information, electronic computing devices, system accounts, user accounts, and network resources.

36
Q

User Account Policy:

A

Defines the creation process for user accounts and includes user rights and responsibilities.

37
Q

Remote Access Policy:

A

Defines who can have remote access, access mediums, and remote access security controls.

38
Q

Information Protection Policy:

A

Defines guidelines for processing, storing, and transmitting sensitive information.

39
Q

Firewall Management Policy:

A

Defines access to, management of, and monitoring of the firewalls in the organization.

40
Q

Special Access Policy:

A

Defines the terms and conditions of granting special access to system resources.

41
Q

Network Connection Policy:

A

Defines the standards for establishing the connection for computers, servers, or other devices to the network.

42
Q

Business Partner Policy:

A

Defines the agreements, guidelines, and responsibilities for business partners to run business securely.

43
Q

Email Security Policy:

A

Defines proper usage of corporate email.

44
Q

Password Policy:

A

Guidelines for using strong passwords for an organization's resources.

45
Q

Physical Security Policy:

A

Defines guidelines to ensure that adequate physical security measures are in place.

46
Q

Information Security Policy:

A

Defines guidelines to safeguard an organization's information systems from malicious use.

47
Q

BYOD Policy:

A

Bring Your Own Device (BYOD) Policy:

Provides a set of guidelines to maximize business benefits and minimize risks when employees' personal devices are used on an organization's network.

48
Q

Software/Application Security Policy:

A

Mandates proper measures that enhance the security of in-house and purchased applications.

49
Q

Data Backup Policy:

A

Helps an organization recover and safeguard information in the event of a security incident/network failure.

50
Q

Confidential Data Policy:

A

Defines guidelines for identifying an organization's confidential data and procedures for handling it.

51
Q

Data Classification Policy:

A

Establishes a framework for classifying organizational data based on its level of sensitivity, value, and criticality within the IT security policy.

3 sensitivity levels: restricted, private, and public

52
Q

Internet Usage Policy:

A

Governs the way the organization's internet connection is used by every device on the network.

53
Q

Server Policy:

A

Establishes a standard for the base configuration of an organization's servers.

54
Q

Wireless Network Policy:

A

States the rules and regulations for accessing an organization's wireless network resources.

55
Q

User Access Control Policy:

A

Gives an organization the ability to control, restrict, monitor, and protect corporate resource availability, integrity, and confidentiality.

56
Q

Switch Security Policy:

A

Describes the required minimal security configuration for the switches in the network.

57
Q

IDS/IPS Policy:

A

Intrusion Detection and Prevention Policy (IDS/IPS):

Facilitates the detection and prevention of intrusions into an organization's network.

58
Q

Encryption Policy:

A

Defines the acceptable use and management of encryption methods, techniques, and tools throughout an enterprise.

Applies to all enterprise network resource users/staff, internal networks (LAN/Wi-Fi), and remote (WAN) connections.

59
Q

Router Policy:

A

Describes the required minimal security configuration for all routers in the network.

60
Q

Policy Implementation Checklist:

A
  1. Make sure the security policy is approved by senior management.
  2. Make sure the security policy is officially adopted as a company policy.
  3. Review each policy and decide how it can be enforced within the organization.
  4. Ensure that appropriate tools and techniques are in place to conform to the policy.
  5. Develop a policy change plan for both the network and the policy itself.
  6. Coordinate with other departments to develop procedures based on the policies.
  7. Provide basic information security awareness training to employees.
61
Q

What is the most difficult part of Policy Implementation?

A

After the security policy has been created, the most difficult part of the process is deploying it throughout the organization.

62
Q

Employee Awareness and Training:

A

Employees are one of the primary assets of an organization and can also be part of an organization's attack surface.

63
Q

Employee Awareness & Training: What MUST employees know?

A
  • How to defend themselves and the organization against threats.
  • How to follow security policies and procedures for working with IT.
  • Whom to contact if they discover a security threat.
  • How to identify the nature of the data based on its data classification.
  • How to protect the physical and informational assets of the organization.
64
Q

Methods of training employees:

A
  • Classroom style training
  • Online training
  • Round table discussions
  • Security awareness website
  • Providing hints
  • Making short films
  • Conducting seminars
65
Q

Employee Awareness and Training: Security Policy

A
  • Teaches employees how to perform their duties and comply with the security policy.
  • Organizations should train their employees before granting them access to the network, or provide limited access until the completion of their training.
66
Q

Employee Awareness and Training: Physical Security

A

Training should educate employees how to:

  • Minimize breaches.
  • Identify the elements that are more prone to hardware theft.
  • Assess the risks of handling sensitive data.
  • Ensure physical security at the workplace.
67
Q

Employee Awareness and Training: Social Engineering

A
  • Phone: Impersonation; employees should be trained not to provide any confidential information.
  • Dumpsters: Employees should be trained not to throw sensitive documents in the trash, to shred documents before putting them in the trash, and to erase magnetic data before discarding media.
  • Email: Differentiate between a legitimate email and a targeted phishing email, and do not download malicious attachments.
68
Q

Employee Awareness and Training: Data Classification

A

Train employees and the help desk on how to classify and mark documents according to classification levels, and to keep sensitive documents in a secured place.

69
Q

Employee Monitoring:

A

Conduct indiscriminate monitoring of employees' activities to detect any act related to a policy violation.

70
Q

Employee monitoring software:

A

Spytech SpyAgent

71
Q

GPMC:

A

The Group Policy Management Console (GPMC)

is a scriptable Microsoft Management Console (MMC) snap-in.

72
Q

MMC:

A

Microsoft Management Console (MMC)

The GPMC snap-in for the MMC provides a single administrative tool for managing Group Policy across the enterprise.

73
Q

Order of Processing Group Policies:

A

Local computer policy (applied locally to the system and user)

AD (Active Directory) policies: site -> domain -> OU (organizational unit)

Site: Applied to all members of a site; overrides settings that are configured at the local level.

Domain: GPOs (Group Policy Objects) linked to the domain; override GPOs linked at the local and site levels.

Organizational unit: GPOs linked to an OU override any other GPOs, other than those linked to a sub-OU or a GPO that is marked as "Enforced".

Enforced: Overrides all other GPOs, unless blocked by Block Inheritance.

74
Q

Which command runs GPMC?

A

gpmc.msc

75
Q

Which command runs and opens ADUC?

A

Active Directory Users and Computers (ADUC): Run -> dsa.msc

76
Q

To force a Group Policy update from the command prompt, which command is used?

A

gpupdate /force