Ch9: Implementing Controls to Protect Assets Flashcards
Layered security/defense-in-depth practices
uses control diversity, implementing administrative, technical, and physical security controls
Vendor diversity
utilizes controls from different vendors
User training
informs users of threats, helping them avoid common attacks
In the event of a fire, door access systems should…
allow personnel to exit the building without any form of authentication
Access points to data centers and server rooms should be limited to…
a single entrance and exit whenever possible
Proximity cards
credit-card sized access cards. Users pass the card near a proximity card reader and it reads data on the card. Some access control points use proximity cards with PINs for authentication
Door access systems include
cipher locks, proximity cards, and biometrics
Cipher locks do not…
identify users
Proximity cards can…
identify and authenticate users when combined with a PIN
Biometrics can…
identify and authenticate users
Tailgating
a social engineering tactic that occurs when one user follows closely behind another user without using credentials
Mantraps
allow only a single person to pass at a time
Sophisticated mantraps can
identify and authenticate individuals before allowing access
Video surveillance provides
reliable proof of a person’s location and activity. It can identify who enters and exits secure areas and record theft of assets
These provide physical security
fencing, lighting, and alarms. Often used together to provide layered security
To increase the effectiveness of fencing, lighting, and alarms, use…
motion detection methods
Infrared detectors…
detect movement by objects of different temperatures
Barricades
provide stronger barriers than fences and attempt to deter attackers
Bollards
effective barricades that can block vehicles
Effective threat deterrents for small equipment such as laptops and workstations
cable locks
Locked cabinets prevent…
unauthorized access to equipment mounted in server bays
Higher-tonnage HVAC systems
provide more cooling capacity. This keeps server rooms at lower temperatures and results in fewer failures
HVAC systems increase…
availability by controlling temperature and humidity
Temperature controls help ensure
a relatively constant temperature
Humidity controls
reduce the potential for damage from electrostatic discharge and damage from condensation
HVAC systems should be integrated with
fire alarm systems and either have dampers or the ability to be turned off in the event of a fire
EMI shielding
Electromagnetic interference (EMI) shielding prevents outside interference sources from corrupting data and prevents data from emanating outside the cable
Cable troughs
protect cables distributed throughout a building in metal containers
Faraday cage
prevents signals from emanating beyond the cage
Single point of failure is
any component whose failure results in the failure of an entire system
Elements to remove single points of failure include
RAID, failover clustering, UPSs, and generators
RAID is an inexpensive method to
add fault tolerance and increase availability
RAID-5
can survive the failure of one disk
RAID-6
can survive the failure of two disks
Failover clusters
are one method of server redundancy and they provide high availability for servers, removing one server as a single point of failure
Load balancing
increases the overall processing power of a service by sharing the load among multiple servers
Scheduling methods (load balancing)
round-robin and source IP address affinity
Source IP address affinity scheduling
ensures clients are redirected to the same server for an entire session
Full backup
Given unlimited time and money, this provides the fastest recovery time
Full/incremental backup
reduces the amount of time needed to perform backups
Full/differential
reduces the amount of time needed to restore backups
Best way to test the integrity of a company’s backup data
test restores
Backup media should be protected with…
the same level of protection as the data on the backup
Geographic considerations for backups
storing backups off-site, choosing the best location, considering legal implications and sovereignty
BIA
The Business Impact Analysis identifies mission-essential functions and critical systems that are essential to the organization’s success. Identifies maximum downtime limits for these systems, various scenarios that can impact these systems, and potential losses from an incident
Privacy threshold assessment
typically a simple questionnaire completed by system or data owners that helps identify if a system processes data that exceeds the threshold for PII
Privacy impact assessment
For systems that process PII, helps identify and reduce risks related to potential loss of the PII
RTO
The recovery time objective identifies the maximum amount of time it should take to restore a system after an outage. Derived from the maximum allowable outage time in the BIA. RPO refers to the amount of data you can afford to lose
Hot site
includes personnel, equipment, software, and communication capabilities of the primary site with all the data up to date. Provides the shortest recovery time (compared to warm and cold sites) and is the most effective disaster recovery solution, but also most expensive to maintain
Cold site
will have power and connectivity needed for a recovery site, but little else. Least expensive and hardest to test
Warm site
a compromise between a hot site and a cold site (e.g. contains all necessary hardware, but not all data is up-to-date)
Mobile site
does not have a dedicated location but can provide temporary support during a disaster
DRP
Disaster Recovery Plan includes a hierarchical list of critical systems and often prioritizes services to restore after an outage. Testing validates the plan
Final phase of disaster recovery includes
a review to identify any lessons learned and may include an update of the plan
You can validate BCPs (business continuity plans) through
testing
Tabletop exercises are
discussion-based only and are typically performed in a classroom or conference setting
Functional exercises are
hands-on exercises