Video Content Lesson 10 Flashcards
Administrative Management
Overview; Duty Separation; Least Access; Accountability; Privacy and Protection; Legal Requirements; Illegal Activities
Overview
Policies, Guidelines, and Procedures set tone for administration
Legal Requirements of Due Care and Due Diligence
Due Care - Reasonable care used to protect the assets of the organization
Due Diligence - Sufficient steps taken to ensure the standards of the due care are being perpetually upheld
Hiring Practices - set into security policy (job requirements, specifications for specific jobs; background checking)
Termination procedures
Duty Separation
Separation of duties and responsibilities (ensure that any critical task cannot be completely executed by a single individual)
Changes in workstation/location (decreasing the probability that the users will store personal information on the PC)
Least Access
Least Privilege - (Subjects should be granted the least possible amount of access to complete their work tasks)
Need to Know - (A subject must possess a need to know information in addition to having an appropriate security clearance)
Accountability
Job Rotation - (Periodically rotate responsibilities; Allows subsequent job holders to audit predecessor)
Mandatory Vacation Increments - (Allows sufficient time for complete audit and validations of activity)
Security Policy must set forth standards of accountability for each employee
Use Auditing to validate policy compliance
Privacy and Protection
Privacy and protection issues cover how the organization handles sensitive materials
Organizations must protect private personal information from unauthorized disclosure
Some information is protected by statute or regulation (Personal medical records; Financial information)
Legal Requirements
Local, State, National, and International
A sound security policy will ensure all laws are upheld (Hiring Practices; Software Licensing; Hazardous materials storage and disposal)
Must have policies and procedures stating how you handle issues
Illegal Activities
How do you discourage illegal activities?
Organizations must make substantive attempts to prevent illegal activities (EX - fraud, theft, unauthorized disclosure)
Preventative Controls - can help prevent illegal activities
Detective Controls - can help discover such activities
Must be spelled out in Policies
Operation Controls
Record Retention; Backups; Data Removal; Antivirus Controls; Privileged Functions; Resource Protection
Record Retention
Sensitive Records (Event Logs; Audit Trails; Backups of Critical Information)
It is necessary to retain such information for possible audits and investigations
Length of retention can vary, depending on local laws and regulations
Common Retention lengths are 3, 7, or 10 years
Backups
Backup of critical information
Make sure all sensitive data is backed up perpetually
Validate all backups (assume it fails unless validated)
Media Handling (Marking - be explicit)
Storage - Safe and secure
Destruction - when the useful life has expired, remove the data using an appropriate strategy
Data Removal
Erase Data - marks the file as deleted, but the data is NOT actually removed
Clearing - Overwriting media with unclassified information
Purging - Repeated clearing
Declassification - (Process of clearing media for use in a less-secure environment; often uses purging)
Degaussing - Using strong magnetic field to remove all magnetic data from media; Returns magnetic media to a pristine state
Destruction - (Physically destroying media; shredding, incineration, crushing)
Sanitization - (Series of processes that result in pristine media or in its destruction)
Antivirus Controls
Control Types
1-Preventative
2-Detective
3-Deterrent
4-Corrective
5-Recovery (restore to previous state)
Antivirus Management
All servers/clients need antivirus protection (preventative and detective)
Antivirus shield (preventative)
Scanning (detective)
Fix the virus (corrective and recovery)
Up-to-date virus definitions (check back to the antivirus site for updates)
Administrative controls (restrict or prohibit installation of uncontrolled software on client machines) (preventative controls)
Privileged Functions
Administrator has extended access to resources required for specific job functions
Restrict these functions to specific users and monitor their use
Trusted Recovery Process (Security maintained during crash and recovery)
Change Control Management (Track and manage software and document changes)
SCM (Software Configuration Management) (log all events that result in changes or change requests)
Resource Protection
Software, Hardware, Data
Software
Operating System (backup, current patches)
Source Code (archive current code; maintain version change history)
Purchased/proprietary software (current patches)
Hardware
Limit physical access
Limit removable media access
Data
Access control
Sensitive forms and reports
Logs
Databases
Auditing
Audit Procedures; Frequency; Audit Trails; Audit Reporting; Sampling; Retention
Audit Procedures
What is auditing?
Ensures compliance with the company security policy and with local statutes and regulations
Internal audits are carried out by employees of the organization in question
External audit utilizes auditors that are NOT associated with your organization
Generally viewed as unbiased
Frequency
Security policy should detail how frequently audits should take place
Recurring (scheduled)
Ad-hoc (specific) occur as needed for individual or sub organization or to satisfy legal proceedings
Audit Trails
Follow Audit Trails
Individual accountability on machine or group of machines
Reconstruction of events (ensure that audit logs are being created; archive and copy event logs)
Check the integrity of logs so a user cannot cover their tracks
Identification of problems and possible resolutions
Audit Reporting
Formats vary from organization to organization
All audit reports should contain (purpose, scope, discovery details)
Specific reports will probably contain additional information
Information contained in reports should be audience-specific
Sampling
Sampling and Data Extraction
Extracting meaningful data from large data sets
Clipping levels are commonly used (a baseline value that triggers an alarm when exceeded; focus on activity that falls outside of normal)
Retention
Retain source documents and reports
As with general records, records should be retained to comply with all local, state, and federal laws and regulations
Most records kept for 3, 7, or 10 years
Monitoring
What is Monitoring?; Categories; Warning Banners; Keystroke Monitoring; Traffic Analysis; Trend Analysis; Tools; Failure Recognition
What is Monitoring?
Monitoring is the active review of critical usage statistics (System Performance, Currently logged-in user activity, sensitive processes in use) (to maintain Confidentiality, Integrity, and Availability)
Look at each area
Let people know they are being monitored
Categories
Event Monitoring (things that happen in a system - ex- logins, logouts, login failures, database session start and stop, what is normal activity?)
Hardware monitoring (Events pertaining to hardware; CPU temperature; Removable storage access)
Illegal software monitoring
Watch for installation/use of illegal software
Warning Banners
First thing users see when logging into system
Deterrent control
Disclosure of consequences of asset misuse
Often the most visible part of your security policy
Keystroke Monitoring
Recording the actual keystrokes as they are entered (video recorder records users as they type)
Keystroke capture hardware/software (intercepts and stores all keystrokes)
Not used in normal operation; used only when investigating an individual
Traffic Analysis
Network monitoring tool
Analysis of the packets passing a fixed point on a network (packet flow, not packet content, is observed) (useful for analyzing packet paths)
Trend Analysis
Similar to Traffic Analysis
Looks inside packets: source and destination, kind and type of packets; detects anomalies
Tools
Real-time tools (watch activity as it happens; information can be viewed now or archived for later analysis)
Ad hoc tools (Quickly allow the viewing of a specific metric; useful to get a snapshot to detect unusual activity)
Passive tools (users and attackers are not aware that they are being monitored); CCTV (closed-circuit television; records the physical movement of users throughout the system; valuable for recording various activities; real-time and archived for later viewing)
Failure Recognition
First identify what "normal" looks like
Recognize anomalies through manual or automated means
Response Mode (identify the problem, notify the appropriate authorities, take appropriate action to resolve the problem)
Intrusion Detection
Intrusion Prevention
IDS Types
Penetration Testing
Inappropriate Activity
Intrusion Detection
Intrusion Detection is the ability to know when an attacker is either attempting to or is currently intruding into the system
Intrusion Prevention
Use very aggressive access controls that identify and authenticate all users before they are granted any type of access (identify and authenticate)
2 basic types of Intrusion Protection
Network-based will monitor a network segment (Packet storm or DoS)
Host-based will monitor a single system
IDS Types
1-Signature-based (has a database of recognized attacks; make certain the database is up to date)
IDS looks at activities, compares them with its database, and sounds an alarm if an anomaly occurs
2-Behaviour-based (detects usage anomalies; sometimes called an expert system)
Penetration Testing
Evaluates the strengths of controls
Act like an attacker and expose any vulnerabilities
Make sure the person conducting the test has full authority
Make sure the owner of the system is aware of the attack and has given written permission
Automated tools (Nessus, Nmap, WebInspect)
Inappropriate Activity
Controls are in place to stop any inappropriate activities from affecting the data systems
Any misuse of an organization’s computing resources
Defined in Security Policy (Inclusive and Exclusive lists)
Make sure that all information system users are aware of the appropriate use policy (Through security policy awareness programs and through a banner)
Examples (Fraud, Collusion, Harassment, Pornography, Waste, Abuse, Theft)
Threats and Countermeasures
Interception; Human Factors; Fraud and Theft; Employee Sabotage; Disaster Recovery; Hackers; Espionage; Malicious Code
Interception
1-War dialing (using a modem to find a system that will accept incoming connections)
Secure all modems (Written Policy)
Ensure that all modems are controlled
Require that anyone dialing into the system establishes a handshake, hangs up, and is called back
2-Sniffing (monitoring network traffic to intercept unencrypted messages with the NIC in promiscuous mode)
Easiest countermeasure is to use encryption
3-Eavesdropping (can be part of sniffing) (includes recording or listening to real-time conversations)(use encryption or physical access to protect against)
4-Radiation monitoring (interception of radiation transmissions) (Cell phones, radios, any type of wireless technology) (implement both shielding and encryption)
5-Dumpster Diving (leafing through discarded trash to extract useful information) (Countermeasure - never discard useful information) (shredding, incineration, crushing)
Human Factors
1-Social Engineering (process of convincing an authorized user to perform an unauthorized action) (e.g., installing a keystroke monitor or malicious code) (countermeasure - security awareness training)
2-Errors and Omissions (basic human errors) (no direct countermeasure) (provide good functional training)
Fraud and Theft
Use of computer to commit fraud or theft (countermeasure - access control and appropriate activity policy)
Employee Sabotage
Any intentional damage by an employee (Countermeasure - aggressive employee morale policy and aggressive termination policy)
Disaster Recovery
Have a very stringent disaster recovery plan
Hackers
Common security threat (countermeasure - aggressive use of controls)
Espionage
Collecting information or materials for disclosure to an external party (countermeasure - aggressive activity auditing and access control)
Malicious Code
Any code intended to cause harm to an information system or the data it contains (worms/viruses) (countermeasure - content filtering and antivirus policy)