Chapter 9: Operations Security Flashcards

1
Q

Types of controls

A

Preventative: reduce the frequency and impact of errors

Detective: discovers errors after they occur

Corrective: mitigates the impact of a loss

Deterrent: encourages compliance with external controls

Application level: minimize and detect software irregularities

Transaction level: control over stages of a transaction

2
Q

Strong security system elements

A

Employing competent people into a clear authority structure

Adequate separation of duties

Proper procedures for authorizing changes

Maintaining adequate documentation and records

Maintaining proper physical controls over assets and records

Executing independent checks on performance

3
Q

The three factors in engagement in fraudulent or immoral behavior

A

Motivation: why they need the result of their crime (usually money-driven reasons, but could be an ego or thrill factor, too)

Justification: why it isn't as bad as others might say it is (the company "owes" them, or it is hurting a company, not people, etc.)

Opportunity: the (either reasonable or unreasonable) belief that the person is not likely to get caught, usually because of a shortcoming at the company

4
Q

Process controls

A

Ensures that security principles inform all processes, both human and technological

5
Q

Trusted recovery controls

A

Ensures that systems stay secure even when the system crashes or loses power; dictates "fail-secure" systems

6
Q

Configuration and Change Management controls

A

Ensuring accountability for how changes to a system are approved and carried out; a threat to this sort of accountability would be a "block upgrade", in which the requested changes are too big to manage or track well

7
Q

Record retention processes

A

Ensures that records are kept for an appropriate amount of time; applies to both hard-copy and soft-copy records

8
Q

Personnel security controls

A

Ensures that quality people are at the company. Includes pre-employment checks, criminal background checks, and mandatory vacation time. May also include rotating duties and proper disciplinary structures

9
Q

Resource protection controls

A

Guards physical assets

10
Q

Privileged entity controls

A

Special controls for system administrators; may involve eliminating default accounts or shared accounts so that actions can be tied to an individual (non-repudiation)

11
Q

Media viability controls

A

Marking media so that everyone knows the classification level, owner, date, or whatever else might matter to someone picking up the physical asset

12
Q

Operation process controls

A

Permission constraints or accountabilities for operators

13
Q

Sarbanes-Oxley Act (SOX)

A

Passed after the Enron meltdown. Requires integrity of financial records. Section 404 pertains to the data centers in which financial records reside

14
Q

Operation Security Controls in Action: Software Support

A

Limiting which software can run on which system

Inspecting or testing software before distribution or usage

Auditing software licensing

Prohibiting unauthorized changes or modifications to existing software

15
Q

Operation Security Controls in Action: Config and Change Management

A

(Similar to Software Support in many cases)

Management of which connections are open, and to what, on the network

Changes have proper documentation

Changes are audited to ensure security protocols still fully apply

16
Q

Operation Security Controls in Action: Backups

A

Backup frequency

Backup storage status

Backup testing schedule

Backup schedules may need to be different for different systems or data

17
Q

Operation Security Controls in Action: Media Controls

A

Marking: may carry date/content information or handling instructions

Logging: helps ensure data does not go missing (via a missing drive, for example). Can also provide location accountability when media needs to be checked out

Integrity verification: making sure that the data is correctly matched to the external label, so that it can be found and its status correctly understood. Can also use hashing or other cryptography to ensure data has not been corrupted or contaminated

Physical access control: ensuring that only people who are supposed to have access can reach both the media and the media readers

Environmental controls: ensuring media does not encounter conditions that might damage or destroy it

Transmittal: ensuring that media moves only by authorized means, such as couriers, locked containers, etc.

Disposition: ensuring that data is properly destroyed, either physically or logically, when the media is no longer being used. Overwriting, degaussing, and physically destroying media are acceptable methods

18
Q

Operation Security Controls in Action: Documentation

A

Formalization of processes and procedures

Putting processes and procedures into an offline, accessible form in case they are needed for disaster recovery

19
Q

Operation Security Controls in Action: Maintenance

A

Covers both physical and logical maintenance

Must take place within security policies

Depending on the system, may require outside assistance and verification of third-party personnel

Keeping thorough maintenance records

Ensuring “maintenance grade” passwords are changed

Encryption and decryption of certain maintenance details

20
Q

Operation Security Controls in Action: Interdependencies

A

Being aware of crossover between areas, how they interconnect, and what vulnerabilities open up in those cases. For example, the physical security of a data center requires both IT and Security to be satisfied.

(For instance, people from different departments sitting next to each other, or areas where multiple types of people have a finger in the same project or system.)