B. By far, the buffer overflow is the most common, and most avoidable, programmer-generated

damage to tape media, shortening its life span. Here are some useful guidelines for handling media:

- Keep new media in its original sealed packaging until it's needed to keep it isolated from the environment's dust and dirt.
- When opening a media package, take extra caution not to damage the media in any way. This includes avoiding sharp objects and not twisting or flexing the media.
- Avoid exposing the media to temperature extremes; it shouldn't be stored too close to heaters, radiators, air conditioners, or anything else that could cause extreme temperatures.
- Do not use media that has been damaged in any way, exposed to abnormal levels of dust and dirt, or dropped.
- Media should be transported from one site to another in a temperature-controlled vehicle.
- Media should be protected from exposure to the outside environment; avoid sunlight, moisture, humidity, heat, and cold. Always transport media in an airtight, waterproof, secured container.
- Media should be acclimated for 24 hours before use.
- Appropriate security should be maintained over media from the point of departure from the backup device to the secured offsite storage facility. Media is vulnerable to damage and theft at any point during transportation.
- Appropriate security should be maintained over media at all other times, including when it's reused throughout the lifetime of the media until destruction.

Storing Media

Media should be stored only in a secured location in which the temperature and humidity are controlled, and it should not be exposed to magnetic fields, especially tape media. Elevator motors, printers, and CRT monitors all have strong electric fields. The cleanliness of the storage area will directly affect the life span and usefulness of media. Access to the storage facility should be controlled at all times. Physical security is essential to maintaining the confidentiality, integrity, and availability of backup media.

Managing Media Life Span

All media has a useful life span.
Reusable media will have a mean time to failure (MTTF) that is usually represented as the number of times it can be reused. Most tape backup media can be reused 3 to 10 times. When media is reused, it must be properly cleared. Clearing is a method of sufficiently deleting data on media that will be reused in the same secured environment. Purging is erasing the data so the media can be reused in a less-secure environment. Unless absolutely necessary, do not employ media purging. The cost of supplying each classification level with its own media is insignificant compared to the damage that can be caused by disclosure. If media is not to be archived or reused within the same environment, it should be securely destroyed.

Once backup media has reached its MTTF, it should be destroyed. Secure destruction of media that contained confidential and sensitive data is just as important as the storage of such media. When destroying media, it should be erased properly to remove data remanence. Once properly purged, media should be physically destroyed to prevent easy reuse and attempted data gleaning, whether through casual keyboard attacks or high-tech laboratory attacks. Physical crushing is often sufficient, but incineration may be necessary.

Preventing Disclosure via Reused Media

Preventing disclosure of information from backup media is an important aspect of maintaining operational security. Disclosure prevention must occur at numerous instances in the life span of media. It must be addressed upon every reuse in the same secure environment, upon every reuse in a different or less-secure environment, upon removal from service, and upon destruction. Addressing this issue can take many forms, including erasing, clearing, purging, declassification, sanitization, overwriting, degaussing, and destruction.

Erasing media is simply performing a delete operation against a file, a selection of files, or the entire media.
In most cases, the deletion or removal process only removes the directory or catalog link to the data. The actual data remains on the drive. The data will remain on the drive until it is overwritten by other data or properly removed from the media.

Clearing, or overwriting, is a process of preparing media for reuse and assuring that the cleared data cannot be recovered by any means. When media is cleared, unclassified data is written over specific locations or over the entire media where classified data was stored. Often, the unclassified data is strings of 1s and 0s. The clearing process typically prepares media for reuse in the same secure environment, not for transfer to other environments.

Purging is a more intense form of clearing that prepares media for reuse in less-secure environments. Depending on the classification of the data and the security of the environment, the purging process is repeated 7 to 10 times to provide assurance against data recovery via laboratory attacks.

Declassification involves any process that clears media for reuse in less-secure environments. In most cases, purging is used to prepare media for declassification, but most of the time, the efforts required to securely declassify media are significantly greater than the cost of new media for a less-secure environment.

Sanitization is any number of processes that prepares media for destruction. It ensures that data cannot be recovered by any means from destroyed or discarded media. Sanitization can also be the actual means by which media is destroyed. Media can be sanitized by purging or degaussing without physically destroying the media. Degaussing magnetic media returns it to its original pristine, unused state. Sanitization methods that result in the physical destruction of the media include incineration, crushing, and shredding.

Care should be taken when performing any type of sanitization, clearing, or purging process.
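The erase-versus-overwrite distinction above, and the read-back verification that the text requires after any sanitization pass, as an added Python example (my own code, not the book's): it builds a constructed image file that stands in for a tape or disk, shows that removing the catalog entry leaves the data fully readable, then overwrites the whole medium with several passes and confirms that every byte holds the final pattern. The image layout, the file name payroll.txt, and the sample content are all made up for the example; on real media the same logic would be run against the block device rather than a file.

```python
import os
import secrets
import tempfile

# Constructed stand-in for a piece of backup media: a small image file with a
# directory region of fixed-size catalog entries followed by a data region.
# Real clearing would open the block device itself; a file keeps this runnable offline.
DIR_ENTRY_SIZE = 64
DIR_ENTRIES = 4
DATA_OFFSET = DIR_ENTRY_SIZE * DIR_ENTRIES
DATA_SIZE = 4096
SECRET = b"CONFIDENTIAL: Q3 payroll export (constructed sample data)"


def build_image(path):
    """Create the image: one catalog entry named payroll.txt pointing at SECRET."""
    image = bytearray(DATA_OFFSET + DATA_SIZE)
    entry = (b"payroll.txt".ljust(32, b"\0")
             + DATA_OFFSET.to_bytes(4, "big")
             + len(SECRET).to_bytes(4, "big"))
    image[0:len(entry)] = entry
    image[DATA_OFFSET:DATA_OFFSET + len(SECRET)] = SECRET
    with open(path, "wb") as f:
        f.write(image)


def erase(path):
    """'Erasing' as the text defines it: drop only the catalog link, leave the data."""
    with open(path, "r+b") as f:
        f.seek(0)
        f.write(b"\0" * DIR_ENTRY_SIZE)


def data_remains(path, needle=SECRET):
    """Remanence check: is the sensitive content still readable anywhere on the medium?"""
    with open(path, "rb") as f:
        return needle in f.read()


def overwrite(path, patterns, chunk=4096):
    """Clearing/purging: overwrite the entire medium once per pattern.

    A pattern of None means a pass of random bytes; a bytes value is repeated.
    Each pass is flushed and fsync'd so the later read-back reflects what was written.
    Returns the number of passes performed.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in patterns:
            f.seek(0)
            written = 0
            while written < size:
                n = min(chunk, size - written)
                f.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                written += n
            f.flush()
            os.fsync(f.fileno())
    return len(patterns)


def verify_pattern(path, pattern, chunk=4096):
    """Read the whole medium back and confirm every byte holds the final pattern."""
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                return True
            if block != pattern * len(block):
                return False


def purge_and_verify(path, passes=3):
    """Alternate all-ones and random passes `passes` times, finish with zeros, then verify."""
    patterns = [b"\xff" if i % 2 == 0 else None for i in range(passes)] + [b"\x00"]
    overwrite(path, patterns)
    return {
        "passes": len(patterns),
        "verified": verify_pattern(path, b"\x00"),
        "remains": data_remains(path),
    }


def demo():
    """Show that a delete leaves the data in place, then purge the medium and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "media.img")
        build_image(path)
        erase(path)
        remains_after_delete = data_remains(path)  # True: only the catalog entry went away
        result = purge_and_verify(path, passes=3)
        result["remains_after_delete"] = remains_after_delete
        return result


if __name__ == "__main__":
    print(demo())
```

The verification step only proves what the logical interface reads back. Magnetic tape and spinning disks behave as this model assumes; flash media with wear levelling can keep copies of overwritten blocks in cells the host can no longer address, so a clean read-back there is weaker evidence, which is one reason the text's preference for destroying rather than purging media that leaves the secure environment is the safer default.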
It is possible that the human operator or the tool involved in the activity will not properly perform the task of removing data from the media. Software can be flawed, magnets can be faulty, and either can be used improperly. Always verify that the desired result is achieved after performing a sanitization process.

Destruction is the final stage in the life cycle of backup media. Destruction should occur after proper sanitization or as a means of sanitization. When media destruction takes place, you must ensure that the media cannot be reused or repaired and that data cannot be extracted from the destroyed media by any possible means. Methods of destruction can include incineration, crushing, shredding, and dissolving using caustic or acidic chemicals. You might also consider demagnetizing the hard drive. However, in practice this activity is a function of degaussing, which is itself unreliable. When donating or selling used computer equipment, it is usually recommended to remove and destroy storage devices rather than attempting to purge or sanitize them.

Security Control Types

There are several methods used to classify security controls. The classification can be based on the nature of the control, such as administrative, technical/logical, or physical. It can also be based on the action or objective of the control, such as directive, preventative, detective, corrective, and recovery. Some controls can have multiple action/objective classifications.

A directive control is a security tool used to guide the security implementation of an organization. Examples of directive controls include security policies, standards, guidelines, procedures, laws, and regulations. The goal or objective of directive controls is to cause or promote a desired result.

A preventive control is a security mechanism, tool, or practice that can deter or mitigate undesired actions or events.
Preventive controls are designed to stop or reduce the occurrence of various crimes, such as fraud, theft, destruction, embezzlement, espionage, and so on. They are also designed to avert common human failures such as errors, omissions, and oversights. Preventative controls are designed to reduce risk. Although not always the most cost-effective, they are preferred over detective or corrective controls from a perspective of maintaining security. Stopping an unwanted or unauthorized action before it occurs results in a more secure environment than detecting and resolving problems after they occur does. Examples of preventive controls include firewalls, authentication methods, access controls, antivirus software, data classification, separation of duties, job rotation, risk analysis, encryption, warning banners, data validation, prenumbered forms, checks for duplications, and account lockouts.

A detective control is a security mechanism used to verify whether the directive and preventative controls have been successful. Detective controls actively search for both violations of the security policy and actual crimes. They are used to identify attacks and errors so that appropriate action can be taken. Examples of detective controls include audit trails, logs, closed-circuit television (CCTV), intrusion detection systems, antivirus software, penetration testing, password crackers, performance monitoring, and cyclical redundancy checks (CRCs).

Corrective controls are instructions, procedures, or guidelines used to reverse the effects of an unwanted activity, such as attacks and errors. Examples of corrective controls include manuals, procedures, logging and journaling, incident handling, and fire extinguishers.

A recovery control is used to return affected systems back to normal operations after an attack or an error has occurred.
Examples of recovery controls include system restoration, backups, rebooting, key escrow, insurance, redundant equipment, fault-tolerant systems, failover, checkpoints, and contingency plans.

Operations Controls

Operations controls are the mechanisms and daily procedures that provide protection for systems. They are typically security controls that must be implemented or performed by people rather than automated by the system. Most operations controls are administrative in nature, but they also include some technical or logical controls.

When possible, operations controls should be invisible or transparent to users. The less a user sees the security controls, the less likely they will feel that security is hampering their productivity. Likewise, the less users know about the security of the system, the less likely they will be able to circumvent it.

Resource Protection

The operations controls for resource protection are designed to provide security for the resources of an IT environment. Resources are the hardware, software, and data assets that an organization's IT infrastructure comprises. To maintain confidentiality, integrity, and availability of the hosted assets, the resources themselves must be protected. When designing a protection scheme for resources, it is important to keep the following aspects or elements of the IT infrastructure in mind:

- Communication hardware/software
- Boundary devices
- Processing equipment
- Password files
- Application program libraries
- Application source code
- Vendor software
- Operating system
- System utilities
- Directories and address tables
- Proprietary packages
- Main storage
- Removable storage
- Sensitive/critical data
- System logs/audit trails
- Violation reports
- Backup files and media
- Sensitive forms and printouts
- Isolated devices, such as printers and faxes
- Telephone network

Privileged Entity Controls

Another aspect of operations controls is privileged entity controls.
A privileged entity is an administrator or system operator who has access to special, higher-order functions and capabilities that normal users don't have access to. Privileged entity access is required for many administrative and control job tasks, such as creating new user accounts, adding new routes to a router table, or altering the configuration of a firewall. Privileged entity access can include system commands, system control interfaces, system log/audit files, and special control parameters. Access to privileged entity controls should be restricted and audited to prevent usurping of power by unauthorized users.

Hardware Controls

Hardware controls are another part of operations controls. Hardware controls focus on restricting and managing access to the IT infrastructure hardware. In many cases, periodic maintenance, error/attack repair, and system configuration changes require direct physical access to hardware. An operations control to manage access to hardware is a form of physical access control. All personnel who are granted access to the physical components of the system must have authorization. It is also a good idea to provide supervision while hardware operations are being performed by third parties.

Other issues related to hardware controls include management of maintenance accounts and port controls. Maintenance accounts are predefined default accounts that are installed on hardware and in software and have preset and widely known passwords. These accounts should be renamed and a strong password assigned. Many hardware devices have diagnostic or configuration/console ports. They should be accessible only to authorized personnel, and if possible, they should be disabled when not in use for approved maintenance operations.

Input/Output Controls

Input and output controls are mechanisms used to protect the flow of information into and out of a system.
These controls also protect applications and resources by preventing invalid, oversized, or malicious input from causing errors or security breaches. Output controls restrict the data that is revealed to users by restricting content based on subject classification and the security of the communication's connection. Input and output controls are not limited to technical mechanisms; they can also be physical controls (for example, restrictions against bringing memory flashcards, printouts, floppy disks, CD-Rs, and so on into or out of secured areas).

Application Controls

Application controls are designed into software applications to minimize and detect operational irregularities. They limit end users' use of applications in such a way that only particular screens, records, and data are visible and only specific authorized functions are enabled. Particular uses of an application can be singled out for monitoring and auditing. Application controls are transparent to the endpoint applications, so changes are not required to the applications involved. Some applications include integrity verification controls, much like those employed by a DBMS. These controls look for evidence of data manipulation, errors, and omissions. These types of controls are considered to be application controls (i.e., internal controls) rather than software management controls (i.e., external controls).

Media Controls

Media controls are similar to the topics discussed in the section "Sensitive Information and Media" earlier in this chapter. Media controls should encompass the marking, handling, storage, transportation, and destruction of media such as floppies, memory cards, hard drives, backup tapes, CD-Rs, CD-RWs, and so on. A tracking mechanism should be used to record and monitor the location and uses of media. Secured media should never leave the boundaries of the secured environment.
Likewise, any media brought into a secured environment should not contain viruses, malicious code, or other unwanted code elements, nor should that media ever leave the secured environment except after proper sanitization or destruction.

Administrative Controls

Operations controls include many of the administrative controls that we have already discussed numerous times, such as separation of duties and responsibilities, rotation of duties, least privilege, and so on. However, in addition to these controls we must consider how the maintenance of hardware and software is performed. When assessing the controls used to manage and sustain hardware and software maintenance, here are some key issues to ponder:

- Are program libraries properly restricted and controlled?
- Is version control or configuration management enforced?
- Are all components of a new product properly tested, documented, and approved prior to release to production?
- Are the systems properly hardened? Hardening a system involves removing unnecessary processes, segregating interprocess communications, and reducing executing privileges to increase system security.

Personnel Controls

No matter how much effort, expense, and expertise you put into physical access control and logical/technical security mechanisms, you will always have to deal with people. In fact, people are both your last line of defense and your worst security management issue. People are vulnerable to a wide range of attacks, plus they can intentionally violate security policy and attempt to circumvent physical and logical/technical security controls. Because of this, you must endeavor to employ only those people who are the most trustworthy. Security controls to manage personnel are considered a type of administrative control. These controls and issues should be clearly outlined in your security policy and followed as closely as possible.
Failing to employ strong personnel controls may render all of your other security efforts worthless.

The first type of personnel control is used in the hiring process. To hire a new employee, you must first know what position needs to be filled. This requires the creation of a detailed job description. The job description should outline the work tasks and responsibilities of the position, which will in turn dictate the access and privileges needed in the environment. Furthermore, the job description defines the knowledge, skill, and experience level required by the position. Only after the job description has been created is it possible to begin screening applicants for the position.

The next step in using personnel controls is selecting the best person for the job. In terms of security, this means the most trustworthy. Often trustworthiness is determined through background and reference checks, employment history verification, and education and certification verification. This process could even include credit checks and FBI background checks.

Once a person has been hired, personnel controls should be deployed to continue to monitor and evaluate their work. Personnel controls monitoring activity should be deployed for all employees, not just new ones. These controls can include access audit and review, validation of security clearances, periodic skills assessment, supervisory employee ratings, and supervisor oversight and review. Often companies will employ a policy of mandatory vacations in one- or two-week increments. Such a tool removes the employee from the environment and allows another cross-trained employee to perform their work tasks during the interim. This activity serves as a form of peer review, providing a means to detect fraud and collusion. At any time, if an employee is found to be in violation of security policy, they should be properly reprimanded and warned.
If the employee continues to commit security policy violations, they should be terminated.

Finally, there are personnel controls that govern the termination process. When an employee is to be fired, an exit interview should be conducted. For the exit interview, the soon-to-be-released employee is brought to a manager's office for a private meeting. This meeting is designed to remove them from their workspace and to minimize the effect of the firing activity on other employees. The meeting usually consists of the employee, a manager, and a security guard. The security guard acts as a witness and as a protection agent. The exit interview should be coordinated with the security administration staff so that just as the exit interview begins, the employee's network and building access is revoked. During the exit interview, the employee is reminded of his legal obligations to comply with any nondisclosure agreements and not to disclose any confidential data. The employee must return all badges, keys, and other company equipment on their person. Once the exit interview is complete, the security guard escorts the terminated employee out of the facility and possibly even off of the grounds. If the ex-employee has any company equipment at home or at some other location, the security guard should accompany the ex-employee to recover those items. The purpose of an exit interview is primarily to reinforce the nondisclosure issue, but it also serves the purpose of removing the ex-employee from the environment, having all access removed and devices returned, and preventing or minimizing any retaliatory activities because of the termination.

Summary

There are many areas of day-to-day operations that are susceptible to security breaches. Therefore, all standards, guidelines, and procedures should clearly define personnel management practices. Important aspects of personnel management include antivirus management and operations security.
Personnel management is a form of administrative control or administrative management. You must include clearly defined personnel management practices in your security policy and subsequent formalized security documentation. From a security perspective, personnel management focuses on three main areas: hiring practices, ongoing job performance, and termination procedures.

Operations security consists of controls to maintain security in an office environment from design to deployment. Such controls include hardware, media, and subject (user) controls that are designed to protect against asset threats. Because viruses are the most common form of security breach in the IT world, managing a system's antivirus protection is one of the most important aspects of operations security. Any communications pathway, such as e-mail, websites, and documents, and even commercial software, can and will be exploited as a delivery mechanism for a virus or other malicious code. Antivirus management is the design, deployment, and maintenance of an antivirus solution for your IT environment.

Backing up critical information is a key part of maintaining the availability and integrity of data and an essential part of maintaining operations security. Having a reliable backup is the best form of insurance that the data on the affected system is not permanently lost.

Changes in a user's workstation or their physical location within an organization can be used as a means to improve or maintain security. When a user's workstation is changed, the user is less likely to alter the system or install unapproved software because the next person to use the system would most likely be able to discover it.

The concepts of need-to-know and the principle of least privilege are two important aspects of a high-security environment. A user must have a need-to-know to gain access to data or resources.
To comply with the principle of least privilege, users should be granted the least amount of access to the secure environment as possible for them to be able to complete their work tasks.

Activities that require special access or privilege to perform within a secured IT environment are considered privileged operations functions. Such functions should be restricted to administrators and system operators.

Due care is performing reasonable care to protect the interest of an organization. Due diligence is practicing the activities that maintain the due care effort. Operational security is the ongoing maintenance of continued due care and due diligence by all responsible parties within an organization.

Another central issue for all organizations is privacy, which means providing protection of personal information from disclosure to any unauthorized individual or entity. The protection of privacy should be a core mission or goal set forth in an organization's security policy.

It's also important that an organization operate within the legal requirements, restrictions, and regulations of its country and industry. Complying with all applicable legal requirements is a key part of sustaining security. Illegal activities are actions that violate a legal restriction, regulation, or requirement. Fraud, misappropriation, unauthorized disclosure, theft, destruction, espionage, and entrapment are all examples of illegal activities. A secure environment should provide mechanisms to prevent the committal of illegal activities and the means to track illegal activities and maintain accountability from the individuals perpetrating the crimes.

In a high-security environment where sensitive, confidential, and proprietary data is processed, managing information and media properly is crucial to the environment's security and stability. There are four key areas of information and media management: marking, handling, storage, and destruction.
Record retention is the organizational policy that defines what information is maintained and for how long. If data about individuals is being retained by your organization, the employees and customers need to be made aware of it.

The classification of security controls can be based on their nature, such as administrative, technical/logical, or physical. It can also be based on the action or objective of the control, such as directive, preventative, detective, corrective, and recovery.

Operations controls are the mechanisms and daily procedures that provide protection for systems. They are typically security controls that must be implemented or performed by people rather than automated by the system. Most operations controls are administrative in nature, but as you can see from the following list, they also include some technical or logical controls:

- Resource protection
- Privileged-entity controls
- Change control management
- Hardware controls
- Input/output controls
- Media controls
- Administrative controls
- Trusted recovery process

Exam Essentials

Understand that personnel management is a form of administrative control, also called administrative management. You must clearly define personnel management practices in your security policy and subsequent formalized security structure documentation. Personnel management focuses on three main areas: hiring practices, ongoing job performance, and termination procedures.

Understand antivirus management. Antivirus management includes the design, deployment, and maintenance of an antivirus solution for your IT environment.

Know how to prevent unrestricted installation of software. To provide a virus-free environment, installation of software should be rigidly controlled. This includes allowing users to install and execute only company-approved and -distributed software as well as thoroughly testing and scanning all new software before it is distributed on a production network.
Even commercial software has become an inadvertent carrier of viruses.

Understand backup maintenance. A key part of maintaining the availability and integrity of data is a reliable backup of critical information. Having a reliable backup is the only form of insurance that the data on a system that has failed or has been damaged or corrupted is not permanently lost.

Know how changes in workstation or location promote a secure environment. Changes in a user's workstation or their physical location within an organization can be used as a means to improve or maintain security. Having a policy of changing users' workstations prevents them from altering the system or installing unapproved software and encourages them to keep all material stored on network servers where it can be easily protected, overseen, and audited.

Understand the need-to-know concept and the principle of least privilege. Need-to-know and the principle of least privilege are two standard axioms of high-security environments. To gain access to data or resources, a user must have a need to know. If users do not have a need to know, they are denied access. The principle of least privilege means that users should be granted the least amount of access to the secure environment as possible for them to be able to complete their work tasks.

Understand privileged operations functions. Privileged operations functions are activities that require special access or privilege to perform within a secured IT environment. For maximum security, such functions should be restricted to administrators and system operators.

Know the standards of due care and due diligence. Due care is using reasonable care to protect the interest of an organization. Due diligence is practicing the activities that maintain the due care effort. Senior management must show reasonable due care and due diligence to reduce their culpability and liability when a loss occurs.

Understand how to maintain privacy.
Maintaining privacy means protecting personal information from disclosure to any unauthorized individual or entity. In today's online world, the line between public information and private information is often blurry. The protection of privacy should be a core mission or goal set forth in the security policy of an organization.

Know the legal requirements in your region and field of expertise. Every organization operates within a certain industry and country, both of which impose legal requirements, restrictions, and regulations on its practices. Legal requirements can involve licensed use of software, hiring restrictions, handling of sensitive materials, and compliance with safety regulations.

Understand what constitutes an illegal activity. An illegal activity is an action that violates a legal restriction, regulation, or requirement. A secure environment should provide mechanisms to prevent illegal activities from being committed and the means to track illegal activities and maintain accountability from the individuals perpetrating the crimes.

Know the proper procedure for record retention. Record retention is the organizational policy that defines what information is maintained and for how long. In most cases, the records in question are audit trails of user activity. This can include file and resource access, logon patterns, e-mail, and the use of privileges.

Understand the elements of securing sensitive media. Managing information and media properly, especially in a high-security environment where sensitive, confidential, and proprietary data is processed, is crucial to the security and stability of an organization. In addition to media selection, there are several key areas of information and media management: marking, handling, storage, life span, reuse, and destruction.

Know and understand the security control types. There are several methods used to classify security controls.
The classification can be based on the nature of the control (administrative, technical/logical, or physical) or on the action or objective of the control (directive, preventative, detective, corrective, and recovery).

Know the importance of control transparency. When possible, operations controls should be invisible or transparent to users to prevent users from feeling that security is hampering their productivity. Likewise, the less users know about the security of the system, the less likely they will be able to circumvent it.

Understand how to protect resources. The operations controls for resource protection are designed to provide security for the IT environment's resources, including hardware, software, and data assets. To maintain confidentiality, integrity, and availability of the hosted assets, the resources themselves must be protected.

Be able to explain change and configuration control management. Change in a secure environment can introduce loopholes, overlaps, misplaced objects, and oversights that can lead to new vulnerabilities. Therefore, you must systematically manage change by logging, auditing, and monitoring activities related to security controls and security mechanisms. The resulting data is then used to identify agents of change, whether they are objects, subjects, programs, communication pathways, or even the network itself. The goal of change management is to ensure that any change does not lead to reduced or compromised security.

Understand the trusted recovery process. The trusted recovery process ensures that a system is not breached during a crash, failure, or reboot and that every time they occur, the system returns to a secure state.

Review Questions

1. Personnel management is a form of what type of control?

A. Administrative

B. Technical

C. Logical

D. Physical 2. What is the most common means of distribution for viruses? A. Unapproved software

B. E-mail

C. Websites

D. Commercial software

3. Which of the following causes the vulnerability of being affected by viruses to increase?

A. Length of time the system is operating

B. The classification level of the primary user

C. Installation of software

D. Use of roaming profiles 4. In areas where technical controls cannot be used to prevent virus infections, what should be used to prevent them? A. Security baselines

B. Awareness training

C. Traffic filtering

D. Network design

5. Which of the following is not true?

A. Complying with all applicable legal requirements is a key part of sustaining security.

B. It is often possible to disregard legal requirements if complying with regulations would cause a reduction in security.

C. The legal requirements of an industry and of a country should be considered the baseline or

foundation upon which the remainder of the security infrastructure must be built. D. Industry and governments impose legal requirements, restrictions, and regulations on the practices of an organization. 6. Which of the following is not an illegal activity that can be performed over a computer network?

A. Theft

B. Destruction of assets

C. Waste of resources

D. Espionage 7. Who does not need to be informed when records about their activities on a network are being recorded and retained? A. Administrators

B. Normal users

C. Temporary guest visitors

D. No one

8. What is the best form of antivirus protection?

A. Multiple solutions on each system

B. A single solution throughout the organization

C. Concentric circles of different solutions

D. One-hundred-percent content filtering at all border gateways 9. Which of the following is an effective means of preventing and detecting the installation of unap- proved software? A. Workstation change

B. Separation of duties

C. Discretionary access control

D. Job responsibility restrictions

10. What is the requirement to have access to, knowledge about, or possession of data or a resource

to perform specific work tasks commonly known as?

A. Principle of least privilege

B. Prudent man theory

C. Need-to-know

D. Role-based access control 11. Which are activities that require special access to be performed within a secured IT environment? A. Privileged operations functions

B. Logging and auditing

C. Maintenance responsibilities

D. User account management

12. Which of the following requires that archives of audit logs be kept for long periods of time?

A. Data remanence

B. Record retention

C. Data diddling

D. Data mining 13. What is the most important aspect of marking media? A. Date labeling

B. Content description

C. Electronic labeling

D. Classification

14. Which operation is performed on media so it can be reused in a less-secure environment?

A. Erasing

B. Clearing

C. Purging

D. Overwriting 15. Sanitization can be unreliable due to which of the following? A. No media can be fully swept clean of all data remnants.

B. Even fully incinerated media can offer extractable data.

C. The process can be performed improperly.

D. Stored data is physically etched into the media.

16. Which security tool is used to guide the security implementation of an organization?

A. Directive control

B. Preventive control

C. Detective control

D. Corrective control 17. Which security mechanism is used to verify whether the directive and preventative controls have been successful? A. Directive control

B. Preventive control

C. Detective control

D. Corrective control

18. When possible, operations controls should be ________________ .

A. Simple

B. Administrative

C. Preventative

D. Transparent 19. What is the primary goal of change management? A. Personnel safety

B. Allowing rollback of changes

C. Ensuring that changes do not reduce security

D. Auditing privilege access

20. What type of trusted recovery process requires the intervention of an administrator?

A. Restricted

B. Manual

C. Automated

D. Controlled Answers to Review Questions

1. A. Personnel management is a form of administrative control. Administrative controls also include separation of duties and responsibilities, rotation of duties, least privilege, and so on.

2. B. E-mail is the most common distribution method for viruses.

3. C. As more software is installed, more vulnerabilities are added to the system, thus adding more avenues of attack for viruses.

4. B. In areas where technical controls cannot prevent virus infections, users should be trained on how to prevent them.

5. B. Laws and regulations must be obeyed and security concerns must be adjusted accordingly.

6. C. Although wasting resources is considered inappropriate activity, it is not actually a crime in most cases.

7. D. Everyone should be informed when records about their activities on a network are being recorded and retained.

8. C. Concentric circles of different solutions is the best form of antivirus protection.

9. A. Workstation change is an effective means of preventing and detecting the presence of unapproved software.

10. C. Need-to-know is the requirement to have access to, knowledge about, or possession of data or a resource to perform specific work tasks.

11. A. Privileged operations functions are activities that require special access to perform within a secured IT environment. They may include auditing, maintenance, and user account management.

12. B. To use record retention properly, archives of audit logs must be kept for long periods of time.

13. D. Classification is the most important aspect of marking media because it determines the precautions necessary to ensure the security of the hosted content.

14. C. Purging of media is erasing media so it can be reused in a less-secure environment. The purging process may need to be repeated numerous times depending on the classification of the data and the security of the environment.

15. C. Sanitization can be unreliable because the purging, degaussing, or other processes can be performed improperly.

16. A. A directive control is a security tool used to guide the security implementation of an organization.

17. C. A detective control is a security mechanism used to verify whether the directive and preventative controls have been successful.

18. D. When possible, operations controls should be invisible, or transparent, to users. This keeps users from feeling hampered by security and reduces their knowledge of the overall security scheme, thus further restricting the likelihood that users will violate system security deliberately.

19. C. The goal of change management is to ensure that any change does not lead to reduced or compromised security.

20. B. A manual recovery type of trusted recovery process requires the intervention of an administrator.

Chapter 14
Auditing and Monitoring

THE CISSP EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:
Auditing and Audit Trails
Monitoring
Penetration Testing
Inappropriate Activities
Indistinct Threats and Countermeasures

The Operations Security domain of the Common Body of Knowledge (CBK) for the CISSP certification exam deals with the activities and efforts directed at maintaining operational security and includes the primary concerns of auditing and monitoring. Auditing and monitoring prompt IT departments to make efforts at detecting intrusions and unauthorized activities. Vigilant administrators must sort through a selection of countermeasures and perform penetration testing that helps to limit, restrict, and prevent inappropriate activities, crimes, and other threats.

We discussed the Operations Security domain in some detail in Chapter 13, "Administrative Management," and we will be finishing up coverage on this domain in this chapter. Be sure to read and study the materials from both chapters to ensure complete coverage of the essential operations security material for the CISSP certification exam.

Auditing

Auditing is a methodical examination or review of an environment to ensure compliance with regulations and to detect abnormalities, unauthorized occurrences, or outright crimes. Secure IT environments rely heavily on auditing. Overall, auditing serves as the primary type of detective control used in a secure environment.

Auditing Basics

Auditing encompasses a wide variety of different activities, including the recording of event occurrence data, examination of data, data reduction, the use of event/occurrence alarm triggers, and log analysis. These activities are also known as, for example, logging, monitoring, examining alerts, analysis, and even intrusion detection.
Logging is the activity of recording information about events or occurrences to a log file or database. Monitoring is the activity of manually or programmatically reviewing logged information looking for something specific. Alarm triggers are notifications sent to administrators when a specific event occurs. Log analysis is a more detailed and systematic form of monitoring in which the logged information is analyzed in detail for trends and patterns as well as abnormal, unauthorized, illegal, and policy-violating activities. Intrusion detection is a specific form of monitoring both recorded information and real-time events to detect unwanted system access.

Accountability

Auditing and monitoring are required factors for sustaining and enforcing accountability. Monitoring is the programmatic means by which subjects are held accountable for their actions while authenticated on a system. Without an electronic account of a subject's actions, it is not possible to correlate IT activities, events, and occurrences with subjects. Monitoring is also the process by which unauthorized or abnormal activities are detected on a system. It is needed to detect malicious actions by subjects, attempted intrusions, and system failures and to reconstruct events, provide evidence for prosecution, and produce problem reports and analysis.

Auditing and logging are usually native features of an operating system and most applications and services. Thus, configuring the system to record information about specific types of events is fairly straightforward.

Auditing is also used to monitor the health and performance of a system through recording the activities of subjects and objects as well as core system functions that maintain the operating environment and the security mechanisms. The audit trails created by recording system events to logs can be used to evaluate the health and performance of a system.
System crashes can indicate faulty programs, corrupt drivers, or intrusion attempts. The event logs leading up to a crash can often be used to discover the reason a system failed. Log files provide an audit trail for re-creating step-by-step the history of an event, intrusion, or system failure.

In most cases, when sufficient logging and auditing is enabled to monitor a system, so much data is collected that the important details get lost in the bulk. The art of data reduction is crucial when working with large volumes of monitoring data. There are numerous tools to search through log files for specific events or ID codes. However, for true automation and even real-time analysis of events, an intrusion detection system (IDS) is required. IDS solutions are discussed in Chapter 2, "Attacks and Monitoring."

Compliance

Auditing is also commonly used for compliance testing, or compliance checking. Verification that a system complies with laws, regulations, baselines, guidelines, standards, and policies is an important part of maintaining security in any environment. Compliance testing ensures that all of the necessary and required elements of a security solution are properly deployed and functioning as expected. Compliance checks can take many forms, such as vulnerability scans and penetration testing. They can also be performed using log analysis tools to determine if any vulnerabilities for which countermeasures have been deployed have been realized on the system.

Audits can be performed from one of two perspectives: internal or external. Organizational employees from inside the IT environment who are aware of the implemented security solutions perform internal audits. Independent auditors from outside the IT environment who are not familiar with the implemented security solutions perform external audits. Insurance agencies, accounting firms, or even the organization itself hire external auditors to test the validity of security claims.
The goal of both internal and external auditing is to measure the effectiveness of the deployed security solution.

Audit Time Frames

The frequency of an IT infrastructure security audit or security review is based on risk. When performing risk analysis, it must be determined whether sufficient risk exists to warrant the expense of and interruption caused by a security audit on a more or less frequent basis. In any case, the frequency of audit reviews should be clearly defined in the security guidelines or standards of an organization. Once defined in the formalized security infrastructure, it should be adhered to. Without regular assessments of the state of security of an IT infrastructure, there is no way to know how secure the environment is until an attack is either successful or thwarted. Waiting until the battle to determine whether or not you will succeed is a very poor business strategy.

As with many other aspects of deploying and maintaining security, security audits and effectiveness reviews are often viewed as key elements in displaying due care. If senior management fails to enforce compliance with regular periodic security reviews, then they will be held accountable and liable for any asset losses that occur due to security breaches or policy violations.

Audit Trails

Audit trails are the records created by recording information about events and occurrences into a database or log file. They are used to reconstruct an event, to extract information about an incident, to prove or disprove culpability, and much more. They allow events to be examined or traced in forward or reverse order. This flexibility is useful when tracking down problems, coding errors, performance issues, attacks, intrusions, security breaches, and other security policy violations.

Using audit trails is a passive form of detective security control.
They serve as a deterrent in the same manner closed-circuit television (CCTV) or security guards do: if the attacker knows they are being watched and their activities recorded, they are less likely to perform the illegal, unauthorized, or malicious activity. Audit trails are also essential as evidence in the prosecution of criminals. They can often be used to produce a before-and-after picture of the state of resources, systems, and assets. This in turn helps to identify whether the change or alteration is the result of the action of a user or an action of the OS or software or caused by some other sources such as hardware failure.

Accountability is maintained for individual subjects through the use of audit trails. When activities of users and events caused by the actions of users while online are recorded, individuals can be held accountable for their actions. This directly promotes good user behavior and compliance with the organization's security policy. Users who are aware that their IT activities are being recorded are less likely to attempt to circumvent security controls or to perform unauthorized or restricted activities.

Audit trails give system administrators the ability to reconstruct events long after they have passed. When a security violation is detected, the conditions and system state leading up to the event, during the event, and after the event can be reconstructed through a close examination of the audit trail.

Audit trails offer details about recorded events. A wide range of information can be recorded in log files, including time, date, system, user, process, and type of error/event. Log files can even capture the memory state or the contents of memory. This information can help pinpoint the cause of the event. Using log files for this purpose is often labeled as problem identification. Once a problem is identified, performing problem resolution is little more than following up on the disclosed information.
Audit trails record system failures, OS bugs, and software errors as well as abuses of access, violations of privileges, attempted intrusions, and many forms of attacks. Intrusion detection is a specialized form of problem identification through the use of audit trails.

If auditing records or logs are transmitted across a network from a sentry agent to a collector warehouse, the transaction should be encrypted. Log and audit information should never be allowed on the network in cleartext.

Once a security policy violation or a breach occurs, the source of that violation should be determined. If it is possible to track the individual who perpetrated the activity, they should be reprimanded or terminated if an employee or prosecuted if an external intruder. In every case where a true security policy violation or breach has occurred (especially if a loss can be pinpointed), you should report the incident to your local authorities, possibly the FBI, and if the violation occurred online, to one or more Internet incident tracking organizations.

You should time-synchronize all systems against a centralized or trusted public time server. This ensures that all audit logs are in sync so you can perform dependable and secure logging activities.

Reporting Concepts

The actual formats used by an organization to produce reports from audit trails will vary greatly. However, the reports should all address a few basic or central concepts: the purpose of the audit, the scope of the audit, and the results discovered or revealed by the audit. In addition to these basic foundational concepts, audit reports often include many details specific to the environment, such as time, date, specific systems, and so on. Audit reports can include a wide range of content that focuses on problems/events/conditions, standards/criteria/baselines, causes/reasons, impact/effect, or solutions/recommendations/safeguards.
Reporting Format

Audit reports should have a structure or design that is clear, concise, and objective. It is common for the auditor to include opinions or recommendations for response to the content of a report, but the actual findings of the audit report should be based on fact and evidence from audit trails.

Audit reports include sensitive information and should be assigned a classification label and handled appropriately. Within the hierarchy of the organization, only those people with sufficient privilege should have access to audit reports. An audit report may also be prepared in various forms according to the hierarchy of the organization. They should provide only the details relevant to the position of the staff members who have access to them. For example, senior management does not need to know all of the minute details of an audit report. Therefore, the audit report for senior management is much more concise and offers more of an overview or summary of the findings. An audit report for the IT manager or the security administrator should be very detailed and include all available information on the events contained in it.

Reporting Time Frames

The frequency of producing audit reports is based on the value of the assets and the level of risk. The more valuable the asset and the higher the risk, the more often an audit report should be produced. Once an audit report is completed, it should be submitted to the assigned recipient as defined in the security policy documentation and a signed confirmation of receipt should be filed. When an audit report contains information about serious security violations or performance issues, the report should be escalated to higher levels of management for review, notification, and assignment of a response. Keep in mind that, in a formalized security infrastructure, only the higher levels of management have any decision-making power.
All entities at the lower end of the structure must follow prescribed procedures and follow instruction.

Sampling

Sampling, or data extraction, is the process of extracting elements from a large body of data in order to construct a meaningful representation or summary of the whole. In other words, sampling is a form of data reduction that allows an auditor to quickly determine the important issues or events from an audit trail. There are two forms of sampling: statistical and nonstatistical. An auditing tool using precise mathematical functions to extract meaningful information from a large volume of data performs statistical sampling. There is always a risk that sampled data is not an accurate representation of the whole body of data and that it may mislead auditors and managers, and statistical sampling can be used to measure that risk.

Clipping, a form of sampling, selects only those error events that cross the clipping level threshold. Clipping levels are widely used in the process of auditing events to establish a baseline of system or user activity that is considered routine activity. If this baseline is exceeded, an unusual event alarm is triggered. This works especially well when individuals exceed their authority, when there are too many people with unrestricted access, and for serious intrusion patterns.

Clipping levels are often associated with a form of mainframe auditing known as violation analysis. In violation analysis, an older form of auditing, the environment is monitored for occurrences of errors. A baseline of errors is expected and known, and this level of common errors is labeled as the clipping level. Any errors that exceed the clipping level threshold trigger a violation and details about such events are recorded into a violation record for later analysis.

Nonstatistical sampling can be described as random sampling or sampling at the auditor's discretion.
It offers neither assurance of an accurate representation of the whole body of data nor a gauge of the sampling risk. Nonstatistical sampling is less expensive, requires less training, and does not require computer facilities.

Both statistical and nonstatistical sampling are accepted as valid mechanisms to create summaries or overviews of large bodies of audit data. However, statistical sampling is more reliable.
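As an added illustration of clipping-level violation analysis and of the sampling risk described above (example code written for this page, not from the book or any auditing product), the following Python parses a constructed audit trail, keeps only the users whose failed-event count exceeds a clipping level, and estimates the overall failure rate from a random sample together with its standard error. The log format, host and user names, and the clipping level are all constructed for the example.

```python
"""Clipping-level violation analysis and statistical sampling over audit log lines.

Illustrative code for the clipping level / violation analysis concept. The log
format (timestamp host user event outcome) is constructed for this example.
"""
import math
import random
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample audit trail: one event per line.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z host1 alice LOGON FAIL
2024-03-01T08:00:05Z host1 alice LOGON SUCCESS
2024-03-01T08:01:10Z host1 bob LOGON FAIL
2024-03-01T08:01:15Z host1 bob LOGON FAIL
2024-03-01T08:01:20Z host1 bob LOGON FAIL
2024-03-01T08:01:25Z host1 bob LOGON FAIL
2024-03-01T08:01:30Z host1 bob LOGON FAIL
2024-03-01T08:02:00Z host2 carol FILE_READ SUCCESS
2024-03-01T08:02:30Z host2 carol LOGON FAIL
2024-03-01T08:03:00Z host2 carol LOGON FAIL
2024-03-01T08:03:30Z host2 carol LOGON SUCCESS
"""

Record = Tuple[str, str, str, str, str]  # (timestamp, host, user, event, outcome)
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (SUCCESS|FAIL)$")


def parse_log(text: str) -> List[Record]:
    """Parse each line into a record tuple; malformed lines are skipped rather than guessed at."""
    records: List[Record] = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            records.append(match.groups())  # type: ignore[arg-type]
    return records


def violation_analysis(records: List[Record], clipping_level: int) -> Dict[str, int]:
    """Return {user: error_count} only for users whose FAIL count exceeds the clipping level.

    Errors at or below the clipping level are the expected baseline of routine
    mistakes and are dropped; this is the data reduction the clipping level provides.
    The returned dictionary is the violation record for later analysis.
    """
    errors = Counter(user for _, _, user, _, outcome in records if outcome == "FAIL")
    return {user: count for user, count in errors.items() if count > clipping_level}


def sample_error_rate(records: List[Record], sample_size: int, seed: int = 0) -> Tuple[float, float]:
    """Estimate the FAIL rate from a random sample and return (estimate, standard_error).

    The standard error of a sampled proportion, sqrt(p * (1 - p) / n), is one way
    statistical sampling measures the risk that the sample misrepresents the whole.
    """
    rng = random.Random(seed)  # fixed seed so the sample is reproducible for the reader
    sample = rng.sample(records, min(sample_size, len(records)))
    p = sum(1 for record in sample if record[4] == "FAIL") / len(sample)
    se = math.sqrt(p * (1 - p) / len(sample))
    return p, se


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("violations above clipping level 2:", violation_analysis(events, 2))
    estimate, error = sample_error_rate(events, sample_size=6)
    print(f"sampled FAIL rate {estimate:.2f} +/- {error:.2f} (one standard error)")
```

With the constructed log and a clipping level of 2, only bob (five failures) appears in the violation record, while alice and carol fall within the baseline.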