Chapter 9 Implementing Controls to Protect Assets Flashcards
Layered security (or defense in depth) employs multiple layers of security to protect against threats. Personnel constantly monitor, update, add to, and improve existing security controls.
Control diversity is the use of different security control types, such as technical controls, administrative controls, and physical controls.
Vendor diversity is the practice of implementing security controls from different vendors to increase security.
Physical security controls are controls you can physically touch. They often control entry and exit points, and include various types of locks.
An airgap is a physical security control that ensures that a computer or network is physically isolated from another computer or network.
Controlled areas such as data centers and server rooms should only have a single entrance and exit point. Door lock types include cipher locks, proximity cards, and biometrics.
A proximity card can electronically unlock a door and helps prevent unauthorized personnel from entering a secure area. By themselves, proximity cards do not identify and authenticate users. Some systems combine proximity cards with PINs for identification and authentication.
Tailgating occurs when one user follows closely behind another user without using credentials. A mantrap can prevent tailgating.
Security guards are a preventive physical security control and they can prevent unauthorized personnel from entering a secure area. A benefit of guards is that they can recognize people and check the picture ID of anyone they don’t recognize.
Cameras and closed-circuit television (CCTV) systems provide video surveillance. They provide reliable proof of a person’s identity and activity.
Fencing, lighting, and alarms are commonly implemented with motion detection systems for physical security. Infrared motion detection systems detect human activity based on temperature.
Barricades provide stronger physical security than fences and attempt to deter attackers. Bollards are effective barricades that allow people through, but block vehicles.
Cable locks secure mobile computers such as laptop computers in a training lab. Server bays include locking cabinets or enclosures within a server room. Small devices can be stored in safes or locking office cabinets to prevent the theft of unused resources.
Asset management processes protect against vulnerabilities related to architecture and design weaknesses, system sprawl, and undocumented assets.
Heating, ventilation, and air conditioning (HVAC) systems control airflow for data centers and server rooms. Temperature controls protect systems from damage due to overheating.
Hot and cold aisles provide more efficient cooling of systems within a data center.
EMI shielding prevents problems from EMI sources such as fluorescent lighting fixtures. It also prevents data loss in twisted-pair cables. A Faraday cage prevents signals from emanating beyond a room or enclosure.
A single point of failure is any component that can cause the entire system to fail if it fails.
RAID disk subsystems provide fault tolerance and increase availability. RAID-1 (mirroring) uses two disks. RAID-5 uses three or more disks and can survive the failure of one disk. RAID-6 and RAID-10 use four or more disks and can survive the failure of two disks.
Load balancers spread the processing load over multiple servers. In an active-active configuration, all servers are actively processing requests. In an active-passive configuration, at least one server is not active, but is instead monitoring activity ready to take over for a failed server. Software-based load balancers use a virtual IP.
Affinity scheduling sends client requests to the same server based on the client’s IP address. This is useful when clients need to access the same server for an entire online session. Round-robin scheduling sends requests to servers using a predefined order.
Backup strategies include full, full/differential, full/incremental, and snapshot strategies. A full backup strategy alone allows the quickest recovery time.
Full/incremental backup strategies minimize the amount of time needed to perform daily backups.
Test restores verify the integrity of backups. A test restore of a full backup verifies a backup can be restored in its entirety.
Backups should be labeled to identify the contents. A copy of backups should be kept off-site.
It’s important to consider the distance between the main site and the off-site location.
The data contained in the backups can have legal implications. If it includes Personally Identifiable Information (PII) or Protected Health Information (PHI), it must be protected according to governing laws.
The location of the data backups affects the data sovereignty. If backups are stored in a different country, the data on the backups is now subject to the laws and regulations of that country.
A business impact analysis (BIA) is part of a business continuity plan (BCP) and it identifies mission-essential functions, critical systems, and vulnerable business processes that are essential to the organization’s success.