Thursday, September 25, 2014

Chapter 5: Physical and Environmental Security - Proximity Protection

Proximity protection is put into place to provide four main services. First, it is used to control the flow of vehicles and pedestrians. Second, different places on the property require different levels of protection. Third, buffers and delaying mechanisms are used in case of intrusion. The last service proximity protection provides is control of the entry points. These services can be provided using the various means described below.

Access control - access systems, locks and keys. Also, educating personnel to be aware of their surroundings.

Physical barriers - walls, doors, fences, etc.

Intrusion detection - alarms, sensors that detect motion

Assessment - Cameras or security guards

Response - The ability to quickly get in touch with law enforcement

Deterrents - smart environmental design of an area

Chapter 5: Physical and Environmental Security - Locks

From a physical security standpoint, locks are used to delay intruders. They should never be the only method used for physical protection. There are many different kinds of locks, and they can be used for various things. However, the right type of lock should be used for each purpose. For example, you would not want to use a simple tumbler lock for the main door of your facility because it can be easily picked. In this post, I want to focus on ways a particular device can be physically locked. Switch controls cover up on/off switches so that important hardware is not powered off by accident or when it is not supposed to be off. Slot locks are used to make sure that pieces of hardware stay in the same physical location. Port controls are used to prevent the unauthorized use of disk drives or other ports such as a USB port. Peripheral switch controls are used to make sure that items such as keyboards and mice are not taken away from where they are supposed to be. Another method to do this is called cable traps, which lock up the device's cable so that it cannot be removed from its station.

Chapter 5: Physical and Environmental Security - Protecting Assets

To protect against potential power issues, there are a few best practices that all organizations should use to prevent fires, blackouts, or data loss. Surge protectors prevent excessive current and should be used whenever possible. When shutting down equipment, a process should be in place to ensure that machines are powered off properly and in an orderly fashion. This is essential for devices to be protected from the voltage changes that a disorderly shutdown can cause. Voltage and amplitude should always be monitored, and unauthorized access to breakers and transformers should always be prevented. When it comes to potential water damage, positive drains should be implemented; this term means that the flow of water should always be directed outside. In addition, fire protection and proper ventilation should also be used to successfully protect a company's computerized assets.

Chapter 5: Physical and Environmental Security - Designing a Physical Security Program

To design a proper physical security program, all aspects of your physical surroundings should be surveyed and assessed. This goes for everything; an obvious example would be the construction material of walls. A less obvious example would be the vehicle activity outside of the building. It is also very important to understand how a certain facility is used, identify potential vulnerabilities, and decide what the best ways are to protect against these vulnerabilities. For example, if you have a building that houses some of your company's servers in an area that has high burglary rates, it might be a good idea to have security systems as well as security guards within the actual building. The person that is in charge of making sure an organization's physical assets are protected is known as the facility safety officer. A person in this position should understand what physical components make up a facility and discover the best ways to protect it while staying in compliance with regulations.

Chapter 5: Physical and Environmental Security - Developing A Plan

When developing a physical security plan, there are five goals that an organization should look to achieve. First off, crime prevention should be addressed by having physical deterrents in place. Some examples of these are fences, guards, and warning signs. Second, delaying mechanisms should be implemented in case the perpetrator gets past your primary line of defense. Some examples here would be locks, inside security personnel, or other barriers. Next, you must include detectors inside the buildings of your organization, such as detectors that can sense motion and others that detect physical disasters such as fires and floods. Fourth, if an incident does occur, certain personnel should be responsible for assessing the damage that has been done. Lastly, a proper response plan should be in place to assist in the mitigation process of the infiltration.

Tuesday, September 23, 2014

Chapter 5: Physical and Environmental Security - Overview

Physical security is just as important as all of the other types of security that have been previously discussed. There are various physical threats that companies face when it comes to protecting the hardware on which their systems run. Proper countermeasures to physical threats should be in place in order to keep an organization's assets safe. Without physical security, there would be no need for all of the other types of information security. The threats to physical security are as follows:

Natural environmental threats: Any natural disaster including fires. (Tornadoes, floods, etc.)

Supply system threats: Anything that could disrupt the system such as lack of power and water and gas leaks.

Manmade threats: Employee errors, physical theft of hardware, vandalism.

Politically motivated threats: terrorist attacks, strikes, riots.

When it comes to physical security, protecting human life is the first priority above anything else. This is referred to as life safety.

Wednesday, September 17, 2014

Chapter 4: Security Architecture and Design - Final Notes

I want to hit a few key concepts near the end of chapter 4 here. First of all, the difference between certification and accreditation. Certification is a technical evaluation that can lead to accreditation. Accreditation is a formal acceptance of system security. Next, the difference between an open system and a closed system. Open systems follow standards and published specs. Closed systems, on the other hand, do not follow specific industry standards. In other words, a closed system is proprietary, and there might be room for more advanced security. Systems will always have flaws, bugs, and "open doors". Hackers are always trying to identify these imperfections and exploit them. The book puts it a good way. No matter how many laws and improvements society makes, there are always going to be cops and robbers. In the same sense, there are always going to be hackers that will try to get into systems.

Chapter 4: Security Architecture and Design - Systems Evaluation Methods

Trusted Computer Systems Evaluation Criteria (TCSEC) - used to evaluate products, apps, and operating systems. Developed by the US Department of Defense.

These criteria are published in what is known as the "Orange Book". It is used by customers to compare different products, as well as by manufacturers so that they have direct access to the specs used to build them. It is broken down into seven different categories:

-Security Policy
-Identification
-Labels
-Documentation
-Accountability
-Life-cycle Assurance
-Continuous protection

*Moving to Common Criteria instead of the Orange Book, but Orange Book is still important

Trusted Network Interpretation (TNI) - a.k.a. the "Red Book". Discusses the evaluation of the security of networks and what makes up the network. Compares how things really work to how they should work theoretically. Includes:

-Communication integrity
-Denial of service prevention
-Compromise protection

Chapter 4: Security Architecture and Design - Security Modes of Operation

A mode of operation is the set of conditions under which the system is allowed to function. Systems can use different modes depending on what is going on in the system. The four modes are outlined below.

Dedicated Security Mode - When all users are able to access all data being processed within a system. Users have normally signed a non-disclosure agreement in this one.

System High Security Mode - All users have the need to know about some of the data, not every bit of it.

Compartmented Security Mode - Every user can access some data, but only based on a need to know or if they go through a formal access approval process.

Multilevel Security Mode - Users can only get to the data that they have been explicitly cleared to access. The Bell-LaPadula model is a good example that uses this mode.

Chapter 4: Security Architecture and Design - Security Models

A security policy was discussed in my previous post. Basically, it is a plan to implement required security. The security model describes the do's and don'ts that will accomplish what the security policy has outlined. There are many different models used for security. I will focus on those that I felt were interesting. The first is the Biba model. Biba is concerned with the integrity of data within applications. There are three rules that this model follows: no "write up", no "write down", and subjects can't get service from a higher integrity level. Another important concept in this model is that dirty data should not be mixed with clean data. The Brewer and Nash model lets access control change dynamically, according to what the user has done in the past. It is based upon information flow. No subject-object interaction that is conflicting is allowed.

Chapter 4: Security Architecture and Design - System Security Architectures

Everything that should be captured in a security policy (tool that shows how info is secured and protected) is listed below straight from the CISSP exam guide. I felt the need to include this list here as a visual for potential study notes in case I want to someday take the exam, as I feel they are important enough to reiterate.

1. Access control based on the OS is discretionary
2. Role based access control is provided
3. Data can be classified public and confidential or private
4. No unauthorized access allowed
5. Separation of duties is enforced
6. Auditing is capable of being performed
7. Trusted paths are there for activity processing
8. Identification, authentication, and authorization are used properly
9. Capability based authentication methodology is used
10. No covert channels allowed
11. Contains integrity on files that are considered critical

Multi-Level Security policy - Subject security >= object classification
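As an added example (my own code, not from the exam guide), here is the multilevel rule above and the Bell-LaPadula reference from the Security Modes post worked out in Python, using the military levels from the Chapter 2 classification post. The category (need-to-know) sets and the no-write-down rule (the Bell-LaPadula *-property) are taken from the model itself, not from these notes.

```python
"""Multilevel security decisions in the Bell-LaPadula style.

Levels follow the military classification list (least to most sensitive).
Categories model need-to-know compartments: a label dominates another when
its level is at least as high AND its categories include the other's.
"""
from dataclasses import dataclass, field

LEVELS = ["unclassified", "sensitive but unclassified",
          "confidential", "secret", "top secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = field(default_factory=frozenset)

    def __post_init__(self):
        # Fail closed on labels the policy does not know about.
        if self.level not in RANK:
            raise ValueError(f"unknown classification level: {self.level!r}")


def dominates(a: Label, b: Label) -> bool:
    """True when label a is at least as sensitive as label b in the lattice."""
    return RANK[a.level] >= RANK[b.level] and a.categories >= b.categories


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property (no read up): subject clearance >= object classification."""
    return dominates(subject, obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property (no write down): the object's label must dominate the subject's."""
    return dominates(obj, subject)


def decide(subject: Label, obj: Label, operation: str) -> bool:
    """Single entry point; anything other than read/write is denied."""
    if operation == "read":
        return can_read(subject, obj)
    if operation == "write":
        return can_write(subject, obj)
    return False


if __name__ == "__main__":
    # Constructed sample labels: an analyst cleared to SECRET with the NATO compartment.
    analyst = Label("secret", frozenset({"nato"}))
    print(decide(analyst, Label("confidential"), "read"))             # True: read down is fine
    print(decide(analyst, Label("top secret"), "read"))               # False: no read up
    print(decide(analyst, Label("secret", frozenset({"crypto"})), "read"))  # False: no need-to-know
    print(decide(analyst, Label("confidential"), "write"))            # False: no write down
```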

Chapter 4: Security Architecture and Design - OS Architectures

There are five different OS architectures discussed in the study guide. The first is monolithic, where all OS procedures run in kernel mode. Next is the layered architecture, where the processes run in kernel mode but, in addition, implement a hierarchical model. In the microkernel architecture, only core processes run in kernel mode. The remainder of the processes run in what is known as user mode. The final OS architecture discussed in the CISSP exam guide is the hybrid microkernel. In this architecture, all operating system processes run in kernel mode, but core processes have a specified microkernel or run within a client/server model.

It is important to note that these days the terms monolithic OS and monolithic kernel are used in the industry interchangeably.

Chapter 4: Security Architecture and Design - Input/Output Device Management and CPU Architecture

Different methods for carrying out I/O are listed below. After the I/O list, I will discuss basic CPU architecture from a high level.

Programmed - CPU sends data to a device, and then waits to see if the device is ready for the next bit of data. Can waste a lot of time.

Interrupt-driven - Book puts this one in nice wording: send character -> go do something else -> interrupt -> send another character.

DMA - Direct memory access. Does not even use the CPU. Uses a controller instead. Really speeds up I/O.

Premapped - Deals with security. OS trusts the device to behave properly. CPU does not control interactions. Could be a problem.

Fully Mapped - Also deals with security pertaining to I/O. OS does not trust device interaction with memory directly.

In CPU architecture, processes in lower-numbered rings are more trusted.
Level 0 - OS Kernel
Level 1 - OS
Level 2 - OS Utilities and File System Drivers
Level 3 - Other Applications

Tuesday, September 16, 2014

Chapter 4: Security Architecture and Design - Memory Types

For this section of chapter 4, I want to discuss the various types of Random Access Memory (RAM). Prior to this reading, I was not aware that so many different types existed. Dynamic RAM must be continually refreshed so that the capacitor does not lose its electrons and the data does not become corrupt. Since all of this refreshing has to take place, it is slower than static RAM. Static RAM does not have to refresh all of the time, which in turn makes it faster. However, more transistors are required in order to use it. After these two basic types of RAM there are four more. Synchronous DRAM is synchronized with the CPU clock so that the timing is right, which in turn makes executing data faster. Extended data out DRAM allows the next bit of data to get ready while the current data is being sent to the CPU. I kind of like to refer to this as "On Deck RAM", just like a batter in baseball is preparing to step into the batter's box as the current batter is hitting. Burst EDO DRAM does exactly what it sounds like: it is capable of sending bursts of data. A type of RAM that can double the speed of SDRAM is called Double data rate SDRAM. It carries out two operations per clock cycle.

Chapter 4: Security Architecture and Design - Operating System Components Part 2

The memory manager is the part of the OS that keeps track of how memory is allocated and used. Below is a summary of its five responsibilities.

1) Relocation - contents of RAM go to the HD and give pointers to apps when needed.

2) Protection - Allows process to interact only with memory assigned to it and gives access control to memory.

3) Sharing - Implements controls when various processes have to access the same memory segments and allows different application users access when the app is running in one segment of memory.

4) Logical Organization - Segments memory types abstractly and allows sharing between software modules.

5) Physical Organization - Segment physical space for applications or OS processes.

I seem to always get the two of these mixed up. Here is a reminder:
RAM - place where data can be temporarily held.
ROM - Nonvolatile. Data is still held in the chips when the computer is turned off.

Chapter 4: Security Architecture and Design - Operating System Components Part 1

A process is a program that is in memory and can be executed. When more than one process is executed at one time in an interleaved fashion, it is referred to as multiprogramming. Similarly, when more than one process is simultaneously executed, it is referred to as multitasking. There are three states a specific process can be in within a computer system: ready, running, and blocked. Ready means that the process is waiting on input, running means that it is currently being executed by the CPU, and blocked means that there are one or more impediments that are keeping the process from running. Interrupts within an operating system are important because they make running processes more efficient by using a method known as time slicing. To carry out activities within the OS, threads are created by processes. Once the activity is complete, the thread is destroyed. Sometimes, a software deadlock occurs. This is a consequence of two processes waiting on computer resources simultaneously.

Chapter 4: Security Architecture and Design - Computer Architecture

A computer architecture comprises all parts of a computer system that make it functional, including all hardware, software, and interfaces. The components that make up a computer are below, and this will be helpful since I am not all that familiar with what the hardware actually does in a computer.

CPU (Central Processing Unit) - fetches instructions from memory and processes these instructions

ALU (Arithmetic Logic Unit) - where the actual execution takes place.

Control Unit - Manages the system while multiple processes are taking place.

General Register - Holds variables and temporary results as the ALU is working.

Program Counter - Contains the address of the instructions to be fetched next.

Special Register - Holds PSW, counters, and stack pointers.

PSW - Holds conditions and determines whether the computer should be in user mode or privilege mode.

Address Bus - connection between RAM chips and I/O devices.

Data Bus - Used to transmit data during processes.


Chapter 4: Security Architecture and Design - Overview

ISO/IEC 42010:2007

Architecture - How a system and its components are organized and the way that they interact with one another. Also the principles used to design it and how it is improved.

Architectural Description - Documents that formally describe a system architecture.

Stakeholder - A person, group, or company that have interests in a system.

View - Represents a whole system to a particular stakeholder.

Viewpoint - A template used to develop a certain view, taking into consideration who the view is being produced for. The analysis and techniques used to produce a view are also included.

Wednesday, September 10, 2014

Chapter 3: Access Control - Threats to Access Control

There is more of a risk from attacks within the organization than from outside of the organization. A dictionary attack is designed to steal passwords. All passwords should be encrypted and never stored in clear-text. Brute force attacks are where a hacker uses many different inputs to reach their goal. A successful countermeasure for these types of attacks might be to use an IDS that scans for this type of malicious activity. Spoofing is also a technique used by hackers, in which the hacker presents a fake logon screen to a user in order to obtain user information. Attackers use phishing to lure out data by tricking users into clicking links that direct them to dangerous websites. Email is a popular tool hackers often use for phishing. A way to help prevent attacks is threat modeling, which tries to uncover who might want to attack the organization and how they might attack. Instead of trying to fix access control, the organization uncovers ways the current controls could be attacked. There are two types of identity theft: true name, where thieves use the personal information of others to open new accounts, and account takeover, where they use obtained info to gain access to a user's existing accounts.

Chapter 3: Access Control - Access Control Practices

These practices ensure that the level of access control that you have set stays at the same level as originally designed. You should be careful when reusing an object. All old info that is stored on an object should be deleted before the object is used to serve new subjects. This ensures that info is not disclosed to individuals and systems that should not have access to the old subject data. TEMPEST is a standard that suppresses the electrical signals that devices emit, to prevent others from having access to these signals. This tech is expensive, so it is usually only used in highly sensitive areas. Intrusion detection is a practice used to mitigate hacks. If the IDS suspects something, it notifies the proper parties immediately. There are three types of IDS: signature-based, anomaly-based, and rule-based.

Chapter 3: Access Control - Accountability

It is a must to track all use within a system. This way, the person that is responsible for wrongdoing can be held accountable for their actions. To keep from being overloaded by an audit log, an audit reduction tool can be used to help spot suspicious activity. It gets rid of recorded info such as redundant task information. SEM and SIEM systems provide analysis for audits. To protect audit data, write-once media is often utilized within organizations. An auditing tool that is very in depth is keystroke monitoring. Each key a user hits is recorded! Usually this only needs to be implemented for a short period of time in order to help uncover suspicious activity.

Chapter 3: Access Control - Access Control Methods

Again, access control can be broken down into three broad categories of controls. Administrative, Physical, and Technical. I will elaborate on a couple of methods of each category that I find interesting below.

Administrative
Supervisory structure - Each employee within an organization must report to someone above them, and that superior must be responsible for their employees' actions. The idea is that there is a vested interest in employee actions.

Testing - All controls must be tested on a periodic basis to see if they are working the way they should be. Because change is constant in technology, it is a must to test regularly. Management should be responsible for this and make sure it is done properly.

Physical
Network segregation - Only allowing certain individuals the ability to gain physical access to certain parts of the system. For example only network admins should be allowed access to networking hardware and others should only have physical access to their workstations.

Cabling - All cables should be out of the way so that they are not exposed to potential danger. Also, protective sheaths should be used to deter electrical interference.

Technical
Network Architecture - Should be segregated physically and logically. Physically by walls and location of hardware and logically by controlling communication in segments.

Auditing - Tracks network activity on devices. Used to inform the administrator of any fishy activity that might be going on within the network.

Chapter 3: Access Control - Access Control Administration

After a model is chosen, and the techniques and technologies are in place, an organization must decide how it wants to administer access. Centralized access control administration means that one entity (whether it be one person or a department) has the role of granting access to all of the resources in the organization. A couple of protocols for this that the study guide outlines are listed below.

RADIUS - Remote Authentication Dial-in User Service. A network protocol that authenticates and authorizes on the client/server and keeps a watch on remote users. ISPs use this to allow customers access to the internet. Uses UDP as its transport protocol.

TACACS - Terminal Access Controller Access Control System. Uses TCP as its transport protocol. Used if more advanced authentication is necessary. One example would be corporate networks.

Chapter 3: Access Control - Access Control Techniques and Technologies

After determining the framework that will be used for access control, it is then appropriate to decide on the techniques, along with the technology, to support the chosen framework. The first technique is called rule-based access. It is kind of like an if statement in object oriented programming: if a certain condition is true, then the subject can access objects within the predefined rules. Another technique would be a restricted interface, which limits a user's access to objects, as the name implies. Access that is context based looks at the situation rather than being based only on identity. Content based access makes decisions based on the data itself. One that is really straightforward is the capability table. It shows what objects and operations a given subject can access. The same is true for an access control list, except that it is bound to an object and lists the subjects that can access it. Another technique that is related to the latter but not completely the same is the matrix. It is a table that shows subject-object relationships.
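As an added example (my own code, not from the exam guide), the matrix, capability table, and access control list from this post are one data structure viewed by row or by column, with a rule-based check layered on top in the "if statement" sense described above (the time-of-day rule also covers the context-based technique from the Authorization post). The subjects, objects, and business-hours rule are constructed for the example.

```python
"""Access control matrix with capability (row) and ACL (column) views plus rule-based checks."""
from datetime import time

# Constructed access control matrix: subject -> object -> set of permitted operations.
MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "report.doc": {"read"}},
    "bob":   {"report.doc": {"read", "write"}},
    "carol": {},
}


def capability_table(subject: str) -> dict:
    """Row view: everything one subject may do, object by object."""
    return {obj: set(ops) for obj, ops in MATRIX.get(subject, {}).items()}


def access_control_list(obj: str) -> dict:
    """Column view: every subject permitted on one object, with their operations."""
    return {subj: set(row[obj]) for subj, row in MATRIX.items() if obj in row}


def matrix_permits(subject: str, obj: str, op: str) -> bool:
    """Default deny: unknown subjects, objects, or operations all return False."""
    return op in MATRIX.get(subject, {}).get(obj, set())


# Rule-based layer: each rule is a predicate over (subject, object, operation, context).
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # assumed policy window for the example


def rule_no_payroll_writes_after_hours(subject, obj, op, ctx) -> bool:
    """Writes to payroll.db are only allowed during business hours; other requests pass."""
    if obj == "payroll.db" and op == "write":
        return BUSINESS_HOURS[0] <= ctx["time"] < BUSINESS_HOURS[1]
    return True


RULES = [rule_no_payroll_writes_after_hours]


def is_authorized(subject: str, obj: str, op: str, ctx: dict) -> bool:
    """Matrix check first; then every rule must also agree."""
    if not matrix_permits(subject, obj, op):
        return False
    return all(rule(subject, obj, op, ctx) for rule in RULES)


if __name__ == "__main__":
    print("alice capabilities:", capability_table("alice"))
    print("report.doc ACL:", access_control_list("report.doc"))
    print(is_authorized("alice", "payroll.db", "write", {"time": time(10, 0)}))  # True
    print(is_authorized("alice", "payroll.db", "write", {"time": time(22, 0)}))  # False
```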

Tuesday, September 9, 2014

Chapter 3: Access Control - Access Control Models

Access control models are frameworks that allow subjects to access objects. I described what a subject and an object are, relating to access control, in a previous post. A couple of key terms in this section that are worth reiterating are DAC and MAC, where the AC in their abbreviations stands for access control. The first letter of each of these is where their difference comes into play. DAC allows a resource owner to determine which subjects can access specific objects. MAC does not allow owners this discretion. MAC is a lot more strict than DAC in that a MAC system is used for an explicit purpose and nothing more. A third framework often used is role-based (RBAC), in which central controls are set to determine subject-object interaction.

Chapter 3: Access Control - Authorization

After appropriate authentication has taken place, the next step in access control is authorization. This step is important once the user has gained access to the system, to make sure that they should be there. Roles, groups, location, and time of day are often used to grant authenticated users authorization. This section of the study guide also goes into more detail about single sign-on technologies. They are:

Kerberos - Utilizes tickets and a KDC. Deals with symmetric key cryptography.
SESAME - Utilizes PAS and PACs, and both symmetric and asymmetric cryptography.
Security domains - Managed by the same group and the same security policies.
Directory services - Access control maintained centrally and resources are standardized.
Thin clients - Relies on a central server for access control, processing, and storage.

Chapter 3: Access Control - Other Identification Methods

There are a few methods in this section of the exam guide that are somewhat self explanatory and I have heard of them before. I want to elaborate on a few that I am not so familiar with or that I have never heard of before by definition. The first is a method known as password hashing. Salts are used in order to add more randomness to the process of hashing the stored credential. Hashing makes it a lot harder for a hacker to get to the correct format of the secret on a system that implements this technique of identification. Another technique that I have never had the chance to use in a real life situation for authentication and identification is the use of cards to gain access to systems. There is one main difference here concerning cards. Memory cards cannot process information whereas smart cards can.

Chapter 3: Access Control - Identity Management Solutions Part 2

This is a follow up to my previous post concerning the six technologies relating to identity management. The first three were described in a previous post, and the next three are examined below.

Legacy single sign-on - Commonly abbreviated to SSO. The idea behind this one is that a user only has to authenticate once to access information, without having to re-authenticate while in that environment.

Account management - Deals with the delegation of user accounts: creating accounts for all systems, modifying privileges, and getting rid of accounts whenever the point in time comes at which a specific account is no longer needed.

Profile update- Basically refers to the fact that more than a name is used for an individual profile. A lot of info about the user should be captured. When this collection is associated with a user, it is called a profile. The data for profiles should be centrally located.

Chapter 3: Access Control - Identity Management Solutions Part 1

This post is part one of a two part post. I will identify and briefly describe the technologies that a person who wants to take the CISSP exam should be aware of relating to identity management. There are six total. I will describe three here, and the other three will be examined in my following post.

Directories - Usually follow a hierarchical database format that keeps track of network resources and users.

Web access management- Controls what users can view and do when utilizing a web-browser to interact with organization or company assets.

Password management - Three technologies that you should be aware of:
1. Password Synchronization - Allows users to use one password for many systems.
2. Self-Service Password Reset - Allows users to reset their own passwords
3. Assisted Password Reset - Includes other forms of authentication for a password reset such as tokens or biometrics.

Chapter 3: Access Control - Overview Part 2

When dealing with access control, it is important to realize what the three main things are that can be used for authentication. The three keywords here are knows, is, and has. These keywords correlate to authentication by knowledge, by characteristic, and by ownership. Another idea that should stand out from this section is strong authentication. All this means is that the authentication process has to contain not one, but two of the identification characteristics described above.

Thursday, September 4, 2014

Chapter 3: Access Control - Overview Part 1

As this chapter opened, I immediately noticed that there was one key concept that I need to comprehend in order to understand the remainder of the chapter. First off, Access Controls are features of security that will determine how users and systems are going to interact with one another. Access means how a subject and an object will share info. A subject is the part that is requesting access, whereas the object is what is actually being accessed. The book also puts it this way; subjects are active and objects are passive. The three main principles of security that were discussed in chapter two are expanded on a bit. A little more about them relating to chapter three:

Availability - resources must be able to be accessed in a secure and timely manner.

Integrity - prevent resources from being changed in a malicious manner or accidentally.

Confidentiality - info cannot be disclosed to individuals or other systems that are not authorized to view or change it.

I felt the need to reiterate these three principles of security because of their importance.

Tuesday, September 2, 2014

Chapter 2: IS Governance and Risk Management - Layers of Responsibility

Most of these terms in this section of chapter two I have heard of, but did not understand their role when it comes to security. There is a link below that I found that would be extremely helpful while studying for this portion of the CISSP exam.

http://www.cram.com/flashcards/cissp-layers-of-responsibility-personnel-security-2644286

This site provides descriptions of each of the roles that apply to information security in a flashcard format.

In a nutshell, each role is an important piece to maintaining security within an organization. Some need to be clearly defined from the start in order to implement a successful security effort. Also, rotation of these duties can be helpful when attempting to uncover fraudulent activities.

Chapter 2: IS Governance and Risk Management - Information Classification

Table 2-11 in the book is helpful for in-depth descriptions. Below is a basic view. 1 = most sensitive.

Commercial Businesses:
1. Confidential - if it got out, could seriously affect the company
2. Private - potentially hurt the company
3. Sensitive - extra precautions to avoid accidental modification or deletion
4. Public - Still do not want it disclosed, but not at all detrimental

Military:
1. Top secret - could cause grave damage to national security
2. Secret - if disclosed, leads to security breach
3. Confidential - no one should know about it except the people who need to
4. Sensitive but unclassified - minor security breach
5. Unclassified - No sensitive data here

These are just common models of information classification. There can be a lot of variance here depending on the company. Even whole systems should sometimes be classified, not just data. The classification should apply no matter what form the data is in: electronic, on paper, etc. should all be treated in the same manner.

Chapter 2: IS Governance and Risk Management - Policies, Standards, Baselines, Guidelines, and Procedures

Security Policy - a statement, usually from senior management, of what role security plays in the organization. There are a few different kinds: organizational, issue-specific, and system-specific.

Standards - mandatory rules and actions within an organization. Really helpful in defining expected user and system behavior; unlike guidelines, compliance is not optional.

Baselines - a reference point used to detect when something has changed. A good example is the minimum level of protection a system must have before it goes into production; later configurations are compared against it.

Guidelines - To me, these are best practices. They are recommendations, and are more flexible than explicit standards.

Procedures - detailed, step-by-step instructions for reaching a goal. Companies have a myriad of procedures for getting certain things done; they are often used in the configuration and installation of systems.

All of these are often kept in place for auditing purposes. Employees should be informed of and aware of all of them in order for them to be effective.

Chapter 2: IS Governance and Risk Management - Risk Handling

I was fairly familiar with the terms used in this portion of chapter two because I took a risk management class earlier in my college career. Basically, companies have various methods of handling risk available to them: avoidance, transfer, mitigation, and acceptance. Each method has its own costs. Risk transfer (for example, buying insurance or outsourcing) shifts the financial impact to another party, but not every risk can or should be transferred, and the organization remains accountable for it. Avoidance is the easiest to use in my opinion (simply stop the activity that creates the risk), but you cannot always avoid every aspect of a risk. This is where mitigation comes into play: the company introduces countermeasures to reduce the risk to an acceptable level. A firewall is a good example of mitigation. Acceptance means the organization knowingly lives with the risk and puts no countermeasure in place. An accepted risk is usually a small one with few negative consequences; if the potential loss is modest and the countermeasure would cost considerably more than the loss, this is the handling method that would be chosen.

Chapter 2: IS Governance and Risk Management - Risk Analysis Approaches

Two approaches exist for analyzing risk: quantitative and qualitative. Basically, quantitative analysis assigns numbers (asset values, probabilities, expected losses) and calculates with them, while qualitative analysis relies on the judgment of those conducting the analysis, using scenarios and rating scales (such as high/medium/low) rather than dollar figures. Equations are associated with the quantitative side; they are on page 87 of the study guide. On the qualitative side, scales are often used. As with everything else, there are pros and cons to each approach. The two that stood out most to me are as follows. Qualitatively, no standards exist: different companies use different methods and scales to interpret results, so the output is subjective and hard to compare. Quantitatively, the calculations can be extremely complicated, and every person involved may not be able to understand what goes into each risk evaluation; the results are also only as good as the estimates fed into them.

Chapter 2: IS Governance and Risk Management - Risk Assessment Methodologies

In this post, I want to outline the risk methodologies presented in the book. Each will be paired with a brief description about them as well as what their abbreviations stand for.

NIST - SP 800-30, "Risk Management Guide for Information Technology Systems". Mostly used for computer systems and IT security issues.

FRAP - Facilitated Risk Analysis Process. Focuses only on the risks that need the most attention. The goal is to save time and money. Meant to analyze one system, application, or process at a time.

OCTAVE - Operationally Critical Threat, Asset, and Vulnerability Evaluation. Used to look at all systems within an organization.

FMEA - Failure Mode and Effects Analysis. Works through the ways a component or process can fail and the effects of each failure.

CRAMM - CCTA (Central Computer and Telecommunications Agency) Risk Analysis and Management Method. The most generic approach in that it covers the whole risk analysis process, from identifying assets through threats and vulnerabilities to selecting countermeasures.

Chapter 2: IS Governance and Risk Management - Risk Assessment and Analysis

A risk assessment is used to identify risks and their potential impact. Once completed, it helps an organization identify where it needs to put security controls. It also helps prioritize the identified risks and shows the analysis team which risks should be dealt with first. The third major thing risk analysis accomplishes is showing a company which resources, and how much of a particular resource, should be used to protect against each identified risk. Four main goals exist in information security risk analysis. First, you have to identify your assets and what value they bring to the company or organization. Next, you find out what the potential threats to those assets are. After that, you figure out the probability of each threat occurring and the loss it would cause. Finally, you calculate what protecting against the threat will cost, and determine whether it is worth the resources you put in to protect each asset.

One term that I found while reading the section that I thought was interesting was project sizing. I do not recall ever learning about this, so I thought it would be helpful to put it here. It simply means determining which assets and threats should be looked at prior to initiating risk analysis.
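The four steps above, the accept-versus-mitigate decision from the Risk Handling post, and the quantitative equations referred to in the Risk Analysis Approaches post come together in the following worked example. This is an added example for these notes, not code from the book or from this blog. It uses the standard quantitative formulas (SLE = AV x EF, ALE = SLE x ARO, and safeguard value = ALE before - ALE after - annual safeguard cost); the assets, threats, and dollar figures are constructed for illustration only.

```python
"""Quantitative risk analysis worked through in code.

Added example for these study notes; not code from the CISSP book or the blog
author. It applies the standard quantitative formulas
    SLE = AV x EF            (single loss expectancy)
    ALE = SLE x ARO          (annualized loss expectancy)
    value = ALE_before - ALE_after - annual safeguard cost
to a constructed set of assets and threats, ranks the risks by expected
annual loss, and decides for each whether to mitigate or accept.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    asset_value: float       # AV: what the asset is worth to the organization
    exposure_factor: float   # EF: fraction of AV lost in one incident (0.0-1.0)
    aro: float               # ARO: expected incidents per year
    safeguard: str           # proposed countermeasure
    safeguard_cost: float    # annual cost of the countermeasure
    ef_after: float          # EF once the safeguard is in place
    aro_after: float         # ARO once the safeguard is in place


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF: loss expected from a single occurrence of the threat."""
    return asset_value * exposure_factor


def annualized_loss_expectancy(asset_value: float, exposure_factor: float,
                               aro: float) -> float:
    """ALE = SLE x ARO: expected loss per year if nothing is done."""
    return single_loss_expectancy(asset_value, exposure_factor) * aro


def safeguard_value(risk: Risk) -> float:
    """Annual value of the countermeasure: ALE before - ALE after - its cost.
    Positive means the safeguard saves more than it costs each year."""
    before = annualized_loss_expectancy(risk.asset_value, risk.exposure_factor, risk.aro)
    after = annualized_loss_expectancy(risk.asset_value, risk.ef_after, risk.aro_after)
    return before - after - risk.safeguard_cost


def recommend(risk: Risk) -> str:
    """Mitigate when the safeguard pays for itself; otherwise accept the risk,
    which is the case where the countermeasure costs more than the loss."""
    return "mitigate" if safeguard_value(risk) > 0 else "accept"


def plan(risks):
    """Rank risks by ALE (most damaging first) and attach a handling decision."""
    def ale_before(r):
        return annualized_loss_expectancy(r.asset_value, r.exposure_factor, r.aro)
    ranked = sorted(risks, key=ale_before, reverse=True)
    return [(r.asset, r.threat, ale_before(r), recommend(r)) for r in ranked]


# Constructed sample data; the figures are illustrative, not from a real assessment.
SAMPLE_RISKS = [
    Risk("customer database", "web application breach", 500_000, 0.40, 0.5,
         "parameterized queries plus web application firewall", 40_000, 0.10, 0.1),
    Risk("office printer fleet", "hardware failure", 20_000, 0.25, 1.0,
         "extended vendor support contract", 8_000, 0.05, 1.0),
    Risk("file server", "flooding of server room", 150_000, 0.80, 0.1,
         "relocate equipment above floor level", 5_000, 0.20, 0.1),
]

if __name__ == "__main__":
    for asset, threat, ale, decision in plan(SAMPLE_RISKS):
        print(f"{asset:22} {threat:26} ALE ${ale:>10,.0f}  -> {decision}")
```

Running it ranks the database breach first (ALE 100,000 a year, safeguard worth 55,000 after its cost, so mitigate), the flood second (ALE 12,000, safeguard still worth 4,000, so mitigate), and the printer failures last (ALE 5,000 against an 8,000 support contract, so accept). The ordering is the prioritization the four goals describe; the sign of the safeguard value is the accept-or-mitigate test.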

Chapter 2: IS Governance and Risk Management - Risk Management

Risks are everywhere. There is absolutely no such thing as no risk in any area of life. When it comes to information systems security, risks can be broken down into 7 main categories.

1. Physical damage
2. Human interaction
3. Equipment malfunction
4. Inside and outside attacks
5. Misuse of data
6. Loss of data
7. Application error

In order for a fitting risk management plan to be in place from a security standpoint, each of these categories must be analyzed. Then, the potential damage from each should be estimated. Of course, you never really know how much damage not managing a certain risk will do to your organization until something bad actually occurs. The main objective here is to identify which risks are potentially more damaging, and then take precautions in that order.

Chapter 2: IS Governance and Risk Management - Security Frameworks

The thing that I found the most interesting in this section of chapter two is the difference between enterprise and system architectures. I had never really thought about the similarities and differences of the two before reading this section and I feel as if it is pretty important to understand. Enterprise architecture is generally centered around an organization's structure. On the other hand, system architecture has to do with software and computing. I had been using these two terms kind of synonymously. Although they are not exactly the same thing, one supports the other in a direct fashion. Basically, an application for a business cannot be designed without first knowing how the business works and what the company wants the system to do. This is how the two architectures are intertwined, but are not the same thing like I had originally thought.

Chapter 2: IS Governance and Risk Management - Controls

There are three major control types: administrative, technical, and physical. Administrative controls (a.k.a. soft controls) are mostly management oriented. Common examples include security documentation, risk management, and training. Technical (logical) controls are implemented in software and hardware. My two favorite examples of these types of controls are encryption and firewalls because I am familiar with both of them. Physical controls are exactly what they sound like: security guards, cameras, locks, and high fences with barbed wire are examples of this last type of control.

The 6 control functionalities are as follows (most are self explanatory):
-Deterrent - discourages a potential attacker
-Preventive - stops an incident from occurring
-Corrective - fixes components or systems after an incident
-Recovery - brings the environment back to normal operation
-Detective - identifies an incident's activity
-Compensating - alternative control that provides similar protection when the original cannot be used

It is important for all controls to work together. If they do not do so effectively, or if they contradict each other, security gaps will appear.

Chapter 2: IS Governance and Risk Management - Security Definitions

I feel as if the best way for me to summarize this section of chapter two is to basically define all of the terms. This will be helpful if I ever decide to actually take the CISSP exam, as these security terms will be here for me to view.

1.) Vulnerability - a weakness: no countermeasure exists for a potential attack, or the one in place is inadequate.
2.) Threat - the potential danger that someone or something will exploit a vulnerability.
3.) Threat Agent - an entity that takes advantage of a vulnerability.
4.) Risk - the likelihood of a threat agent exploiting a vulnerability, combined with the associated impact.
5.) Control - something put in place to reduce a risk. Also known as a countermeasure or safeguard.
6.) Exposure - an instance of being exposed to loss: a vulnerability is present that exposes the organization to one or more threats.

Figure 2-1 in the text gives a great graphical representation of how all of the above terms are connected and how they relate to one another.


Chapter 2: IS Governance and Risk Management - Fundamental Principles of Security

There are three main objectives of security.
- Integrity
- Availability
- Confidentiality

Integrity from a security perspective means that there is assurance that information provided by the system is reliable and accurate. This also means that modification that is unauthorized, or not supposed to happen, is prevented.


The second main objective, availability, means that authorized users are able to access their data and resources in a timely manner. Proper precautions should be in place to prevent attacks and failures from affecting the availability of data and resources.

Confidentiality refers to the goal of allowing only authorized individuals to view the parts of the system they are supposed to see. It should hold while data is at rest in a system, while it is being moved around, and when it is received by another person or system.

All three are of equal importance and sort of "feed" off one another.