CompTIA Security+ Exam Cram: Risk Management

Date: Jan 4, 2012


In covering the official CompTIA Security+, SY0-301 exam objectives, this chapter examines risk, mitigation strategies, and the value of security-awareness training in managing risk.

The traditional “C-I-A Triad” of security directives includes maintaining the confidentiality, integrity, and availability of data and services. Threats to these three principles are constantly present and evolving. Defensive measures must be put into place to mitigate risk within the enterprise. This chapter examines risk, mitigation strategies, and the value of security-awareness training in managing risk.

Exemplify the Concepts of Confidentiality, Integrity, and Availability

Confidentiality

The first principle of information security is that of confidentiality. Confidentiality involves controls to ensure that security is maintained when data is both at rest (stored) and in use (during processing and transport) to protect against unauthorized access or disclosure.

Confidentiality controls include physical access controls, data encryption, logical access controls, and management controls to put in place policies to protect against shoulder surfing, social engineering, and other forms of observational disclosure. We discuss individual access control mechanisms later in this book; this chapter addresses them only in terms of risk mitigation.

Integrity

The second principle of information security is that of integrity. Integrity involves controls to preserve the reliability and accuracy of data and processes against unauthorized modification. Integrity controls include malware defenses protecting against data corruption or elimination, validation code that protects against code injection or malformed data input, data hashing validation identifying modifications, and limited user interface options controlling the types of access available to data.

Availability

The final principle of information security is that of availability. Availability involves controls to preserve operations and data in the face of service outages, disaster, or capacity variation. Availability controls include load balancing systems, redundant services and hardware, backup solutions, and environmental controls intended to overcome networking, power, system, and service outages.

Cram Quiz

Answer these questions. The answers follow the last question. If you cannot answer these questions correctly, consider reading this section again until you can.

  1. Which two of the following support the preservation of data availability?

    • A. Anti-static carpet
    • B. Firewall
    • C. Mirrored windows
    • D. Physical access control
  2. Antivirus software preserves which two elements of data security?

    • A. Confidentiality and Integrity
    • B. Integrity and Availability
    • C. Availability and Confidentiality
    • D. Accuracy and Reliability
  3. Regularly expiring passwords preserves data __________ and __________.

    • A. Confidentiality
    • B. Integrity
    • C. Availability
    • D. Longevity

Cram Quiz Answers

  1. A and D. Environmental controls such as anti-static carpeting aid in protecting against system failure and so preserve availability of data and services. Physical access controls protect against system theft, destruction, or damage. Answer B is incorrect because firewalls restrict access to data and services, and although deletion is possible, this control is focused on preserving confidentiality and integrity. Answer C is incorrect because mirrored windows protect confidentiality by preventing observation of displayed data, user keystrokes, and other information of potential interest.
  2. A. Malware defenses such as antivirus services protect the confidentiality and integrity of data by eliminating viral agents that could otherwise capture keystrokes, relay webcam audio/video, or modify data and services. Answers B and C are incorrect because malware defenses are not focused on the preservation of data and service availability beyond preventing outright wipe of the infected system. Answer D is incorrect because accuracy and reliability are data qualities within the Integrity principle, not directly parts of the C-I-A Triad.
  3. A and B. Regular password expiration protects against reuse of compromised passwords and mitigates brute-force attacks by changing keys before all combinations can be tested. These actions protect access controls over data review and modification, preserving confidentiality and integrity of data. Answer C is incorrect because password expiration does not directly affect data and service availability. Similarly, answer D is incorrect because data longevity is unrelated to passwords and exists only as business operations allow. Some data might be updated many times every minute whereas other data remains static for years.

Explain Risk-Related Concepts

Risk Responses

Risk management deals with the alignment of five potential responses with an identified risk:

Types of Controls

You can apply three general types of controls to mitigate risks, typically by layering defensive controls to protect data with multiple control types when possible. This technique is called a layered defensive strategy or “defense in depth.”

The three types of controls include the following:

Identifying Vulnerabilities

Many risks to enterprise networks relate to vulnerabilities present in system and service configurations and to network and user logon weaknesses. For the exam, you should be familiar with some of the more common tools used to conduct vulnerability assessments, including the following:

Identifying Risk

Risk is the possibility of loss or danger. Risk management is the process of identifying and reducing risk to a level that is comfortable and then implementing controls to maintain that level. Risk analysis helps align security objectives with business objectives. Here, we deal with how to calculate risk and return on investment. Risk comes in a variety of forms. Risk analysis identifies risks, estimates the effect of potential threats, and identifies ways to reduce the risk without the cost of the prevention outweighing the risk.

Measuring Risk

The annual cost of prevention against threats is compared to the expected cost of loss—a cost/benefit comparison. To calculate costs and return on investment, you must first identify your assets, the threats to your network, your vulnerabilities, and what risks result. For example, a virus is a threat; the vulnerability would be not having antivirus software; and the resulting risk would be the effects of a virus infection. All risks have loss potential. Because security resources will always be limited in some manner, it is important to determine what resources are present that may need securing. Then, you need to determine the threat level of exposure that each resource creates and plan your network defenses accordingly.

Asset Identification

Before you can determine which resources are most in need of protection, it is important to properly document all available resources. A resource can refer to a physical item (such as a server or piece of networking equipment), a logical object (such as a website or financial report), or even a business procedure (such as a distribution strategy or marketing scheme). Sales demographics, trade secrets, customer data, and even payroll information could be considered sensitive resources within an organization. When evaluating assets, consider the following factors:

After you have identified and valued assets, an appropriate dollar amount can be spent to help protect those assets from loss.

The Risk and Threat Assessment

After assets have been identified, you must determine the assets’ order of importance and which assets pose significant security risks. During the process of risk assessment, it is necessary to review many areas, such as the following:

Risk assessment should include planning against both external and internal threats. An insider familiar with an organization’s procedures can pose a very dangerous risk to network security.

During a risk assessment, it is important to identify potential threats and document standard response policies for each. Threats may include the following:

Likelihood

When examining threat assessment, you have to consider the likelihood that the threats you’ve identified might actually occur. To gauge the probability of an event occurring as accurately as possible, you can use a combination of estimation and historical data. Most risk analyses use a fiscal year to set a time limit of probability and confine proposed expenditures, budget, and depreciation.

The National Institute of Standards and Technology (NIST) Special Publication 800-30 suggests measuring likelihood as High, Medium, or Low based on the motivation and capability of the threat source, the nature of the vulnerability, and the existence and effectiveness of current controls to mitigate the threat. Often the three values are translated into numerical equivalents for use in quantitative analytical processes: High (1.0), Medium (0.5), Low (0.1).

Responses must be coupled to the likelihood determined in the risk analysis, such as identifying the need to put corrective measures in place as soon as possible for all High-level threats, whereas Medium-level threats might only require an action plan for implementation as soon as is reasonable, and Low-level threats might be dealt with as possible or simply accepted.

Calculating Risk

To calculate risk, use this formula:

Risk = Threat × Vulnerability

To help you understand this, let’s look at an example using DoS attacks. Firewall logs indicate that the organization was hit hard one time per month by a DoS attack in each of the past six months. You can use this historical data to estimate that it’s likely you will be hit 12 times per year. This information helps you calculate the single loss expectancy (SLE) and the annual loss expectancy (ALE).

SLE equals asset value multiplied by the threat exposure factor or probability. The formula looks like this:

Asset value × Probability = SLE

The exposure factor or probability is the percentage of loss that a realized threat could have on a certain asset. In the DoS example, let’s say that if a DoS were successful, 25% of business would be lost. The daily sales from the website are $100,000, so the SLE would be $25,000 (SLE = $100,000 × .25). The possibility of certain threats is greater than that of others. Historical data presents the best method of estimating these possibilities.

After you calculate the SLE, you can calculate the ALE. This gives you the expected loss from an event over a single year’s time. This is done by calculating the product of the SLE and the annualized rate of occurrence. ALE equals the SLE times the ARO (annualized rate of occurrence):

SLE × ARO = ALE

The ARO is the estimated possibility of a specific threat taking place in a one-year time frame. When the probability that a DoS attack will occur is 50%, the ARO is 0.5. Going back to the example, if the SLE is estimated at $25,000 and the ARO is .5, our ALE is $12,500 ($25,000 × .5 = $12,500). Spending more than $12,500 might not be prudent because the cost would outweigh the risk.

Calculating Reduced Risk on Investment

Return on investment is the ratio of money realized or unrealized on an investment relative to the amount of money invested. Because there are so many vulnerabilities to consider and so many different technologies available, calculating the ROI for security spending can prove difficult. The formulas present too many unknowns. Many organizations don’t know how many actual security incidents have occurred, nor have they tracked the cost associated with them.

One method that might be helpful in this area is called reduced risk on investment (RROI). This method enables you to rank security investments based on the amount of risk they reduce. Risk is calculated by multiplying potential loss by the probability of an incident happening and dividing the result by the total expense:

RROI = Potential loss × (Probability without expense – Probability with expense) / Total expense

By using this formula, you can base alternative security investments on their projected business value.

Another approach is to look at security as loss prevention. It can be equated to loss prevention in that attacks can be prevented. ROI is calculated using the following formula:

ROI = Loss prevented – Cost of solution

If the result of this formula is a negative number, you spent more than the loss prevented.
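The SLE, ALE, ROI, and RROI formulas above, worked through in code. This is an added example, not part of the Exam Cram text; the function names, the Threat record, and the rank_by_rroi helper are my own, while the formulas and the DoS figures ($100,000 asset, 25% exposure, ARO of 0.5) are the chapter's. The candidate-control figures used for the RROI ranking are constructed for illustration.

```python
"""Quantitative risk figures: SLE, ALE, ROI and RROI (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """One identified threat against one asset (record type is an assumption)."""
    name: str
    asset_value: float      # dollar value of the asset at risk
    exposure_factor: float  # fraction of the asset lost per realized event (0.0 to 1.0)
    aro: float              # annualized rate of occurrence, events per year


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single loss expectancy: Asset value x Probability (exposure factor) = SLE."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def ale(single_loss: float, aro: float) -> float:
    """Annual loss expectancy: SLE x ARO = ALE."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss * aro


def threat_ale(threat: Threat) -> float:
    """ALE for a Threat record; this is the ceiling on sensible annual spend."""
    return ale(sle(threat.asset_value, threat.exposure_factor), threat.aro)


def roi(loss_prevented: float, cost_of_solution: float) -> float:
    """ROI = Loss prevented - Cost of solution; negative means overspending."""
    return loss_prevented - cost_of_solution


def rroi(potential_loss: float, prob_without: float, prob_with: float,
         total_expense: float) -> float:
    """RROI = Potential loss x (P without expense - P with expense) / Total expense."""
    if total_expense <= 0:
        raise ValueError("total expense must be positive")
    if not (0.0 <= prob_with <= prob_without <= 1.0):
        raise ValueError("probabilities must be in [0, 1] and the control must not add risk")
    return potential_loss * (prob_without - prob_with) / total_expense


def rank_by_rroi(candidates, potential_loss: float):
    """Rank candidate controls by RROI, highest first.

    candidates: iterable of (name, prob_without, prob_with, annual_expense).
    Returns a list of (name, rroi) tuples.
    """
    scored = [(name, rroi(potential_loss, p_without, p_with, expense))
              for name, p_without, p_with, expense in candidates]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    # The chapter's DoS example.
    dos = Threat("DoS against web storefront", asset_value=100_000,
                 exposure_factor=0.25, aro=0.5)
    print(f"SLE = ${sle(dos.asset_value, dos.exposure_factor):,.0f}")   # $25,000
    print(f"ALE = ${threat_ale(dos):,.0f}")                              # $12,500

    # Constructed candidate controls for the same potential loss.
    controls = [
        ("Upstream DDoS scrubbing", 0.5, 0.1, 8_000),
        ("Second ISP link",         0.5, 0.3, 6_000),
        ("Do nothing",              0.5, 0.5, 1),
    ]
    for name, score in rank_by_rroi(controls, potential_loss=100_000):
        print(f"{name:<26} RROI = {score:.2f}")
```

Because the same functions reproduce the chapter's quiz figures (SLE $1,500 at ARO 5 gives ALE $7,500; asset $50 at 10% and ARO 100 with a $100 control gives ROI $400), the block doubles as a check on your own arithmetic when working similar questions.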

Qualitative versus Quantitative Measures

Quantitative measures allow for the clearest measure of relative risk and expected return on investment or risk reduction on investment. Not all risk can be measured quantitatively, though, requiring qualitative risk assessment strategies. The culture of an organization greatly affects whether its risk assessments can be performed via quantitative (numerical) or qualitative (subjective/relative) measures.

Qualitative risk assessment can involve brainstorming, focus groups, surveys, and other similar processes to determine asset worth and valuation to the organization. Uncertainty is also estimated, allowing for a relative projection of qualitative risk for each threat based on its position in a risk matrix plotting the Probability (Low to High) and Impact (Low to High) of each. It is possible to assign numerical values to each state (Very Low = 1, Low = 2, Moderate = 3, and so on) so that a quasi-quantitative analysis can be performed, but because the categories are subjectively assigned, the result remains a qualitative measure.

Quantitative measures tend to be more difficult for management to understand, require very intensive labor to gather all related measurements, and are more time consuming to determine. Qualitative measures tend to be less precise, more subjective, and difficult to assign direct costs for measuring ROI/RROI.

Risk Reduction Policies

To ensure that proper risk management and incident response planning is coordinated, updated, communicated, and maintained, it is important to establish clear and detailed security policies that are ratified by an organization’s management and brought to the attention of its users through regular security-awareness training. Policies of which the users have no knowledge are rarely effective, and those that lack management support can prove to be unenforceable.

A number of policies support risk-management practices within the enterprise, including the following:

Privacy

Privacy-sensitive information is referred to as personally identifiable information (PII). This is any information that identifies or can be used to identify, contact, or locate the person to whom such information pertains. Examples of PII are name, address, phone number, fax number, email address, financial profiles, Social Security number, and credit card information. For many organizations, privacy policies are mandatory, have detailed requirements, and carry significant legal penalties (for example, entities covered under the Health Insurance Privacy and Portability Act).

To be considered PII, information must be specifically associated with an individual person. Information provided either anonymously or not associated with its owner before collection is not considered PII. Unique information, such as a personal profile, unique identifier, biometric information, and IP address that is associated with PII, can also be considered PII.

The California Online Privacy Protection Act of 2003 (OPPA), which became effective on July 1, 2004, requires owners of commercial websites or online services to post a privacy policy. OPPA requires that each operator of a commercial website conspicuously post a privacy policy on its website. The privacy policy itself must contain the following features:

Other federal and state laws might apply to PII. In addition, other countries have laws as to what information can be collected and stored by organizations. As with most of the information in this chapter, it is imperative that you know the regulations that govern the digital terrain in which your organization operates. The organization then has an obligation to put proper policies and procedures in place.

Acceptable Use

An organization’s acceptable use policy must provide details that specify what users may do with their network access. This includes email and instant messaging usage for personal purposes, limitations on access times, and the storage space available to each user. It is important to provide users the least possible access rights while allowing them to fulfill legitimate actions.

An acceptable use policy should contain these main components:

The organization should be sure the acceptable use policy complies with current state and federal legislation and does not create unnecessary business risk to the company by employee misuse of resources. Upon logon, show a statement to the effect that network access is granted under certain conditions and that all activities may be monitored. This way you can be sure that any legal ramifications are covered.

Storage and Retention

Retention and storage documentation should outline the standards for storing each classification level of data. Take, for example, the military levels of data classification used in their mandatory access control strategy (MAC). Here, documentation would include directions and requirements for handling and storing the following types of data:

Policies for data should include how to classify, handle, store, and destroy it. The important point to remember here is to document your security objectives. Then, change and adjust that policy when and as needed. There might be a reason to make new classifications as business goals change, but make sure this gets into your documentation. This is an ongoing, ever-changing process.

Log files, physical records, security evaluations, and other operational documentation should be managed within an organization’s retention and disposal policies. These should include specifications for access authorization, term of retention, and requirements for disposal. Depending on the relative level of data sensitivity, retention and disposal requirements can become extensive and detailed.

The organization should have a legal hold policy in place, have an understanding of statutory and regulatory document retention requirements, understand the varying statutes of limitations, and maintain a records-retention and destruction schedule.

Secure Disposal

ISO 17799, particularly sections 7 and 8, has established standards for dealing with the proper disposal of obsolete hardware. Standards dictate that equipment owned or used by the organization should be disposed of only in accordance with approved procedures, including independent verification that the relevant security risks have been mitigated. This policy addresses issues that you should consider when disposing of old computer hardware, whether for recycling, disposal, donation, or resale.

The most prominent example of a security risk involved is that the hard disk inside the computer has not been completely or properly wiped. There are some concerns about data erasure sufficiency in new solid-state drives (SSDs) that might require organizations to physically destroy drives rather than simply erasing them before release through normal disposal channels.

When implementing a policy on the secure disposal of outdated equipment, you need to consider a wide range of scenarios, such as the following:

Besides properly disposing of old hardware, removable media disposal is just as important. There is a proper way to handle removable media when either the data should be overwritten or is no longer useful or pertinent to the organization.

The following methods are acceptable to use for some forms of media sanitation:

Data Labeling, Handling, and Disposal

An organization’s information sensitivity policy defines requirements for the classification and security of data and hardware resources based on their relative level of sensitivity. Some resources, such as hard drives, might require very extensive preparations before they can be discarded. Data labeling and cataloguing of information stored on each storage device, tape, or removable storage system becomes critical to identifying valuable and sensitive information requiring special handling.

Organizational data assets might also fall under legal discovery mandates, so a careful accounting is vital to ensure that data can be located if requested and is protected against destruction or recycling if it must be provided at a later time. Proper labeling also ensures that data storage media can be properly processed for reuse or disposal, where special requirements for sensitive data might require outright destruction of the storage device and logging of its destruction in the inventory catalog.

Account Provisioning

Human resources (HR) policies and practices should reduce the risk of theft, fraud, or misuse of information facilities by employees, contractors, and third-party users. The primary legal and HR representatives should review all policies, especially privacy issues, legal issues, and HR enforcement language. Legal and HR review of policies is required in many, if not most, organizations.

Security planning must include procedures for the creation and authorization of accounts (provisioning) for newly hired personnel and the planned removal of privileges (de-provisioning) following employment termination. When termination involves power users with high-level access rights or knowledge of service administrator passwords, it is critical to institute password and security updates to exclude known avenues of access while also increasing security monitoring for possible reprisals against the organization.

The hiring process should also include provisions for making new employees aware of acceptable use and disposal policies and the sanctions that might be enacted if violations occur. An organization should also institute a formal code of ethics to which all employees should subscribe, particularly power users with broad administrative rights.

Least Privilege

Policies addressing access rights for user accounts must mandate that only the minimum permissions necessary to perform work should be assigned to a user. This protects against unauthorized internal review of information as well as protecting against inadvertently enacted viral agents running with elevated permissions.

Separation of Duties

Too much power can lead to corruption, whether it is in politics or network administration. Most governments and other organizations implement some type of a balance of power through a separation of duties. It is important to include a separation of duties when planning for security policy compliance. Without this separation, all areas of control and compliance may be left in the hands of a single individual. The idea of separation of duties hinges on the concept that multiple people conspiring to corrupt a system is less likely than a single person corrupting it. Often, you will find this in financial institutions, where to violate the security controls all the participants in the process have to agree to compromise the system.

Mandatory Vacations and Job Rotation

Users should be required to take mandatory vacations and rotate positions or functional duties as part of the organization’s security policy. These policies outline the manner in which a user is associated with necessary information and system resources and that access is rotated between individuals. There must be other employees who can do the job of each employee so that corruption does not occur, cross-checks can be validated, and the effect of personnel loss is minimized. It is imperative that all employees are adequately cross-trained and only have the level of access necessary to perform normal duties (least privilege).

Cram Quiz

Answer these questions. The answers follow the last question. If you cannot answer these questions correctly, consider reading this section again until you can.

  1. A risk has the following calculated values (SLE = $1,500, ARO = 5). What is the maximum amount that should be spent to fully mitigate the costs of this risk?

    • A. $300
    • B. $500
    • C. $1,500
    • D. $7,500
  2. Regarding qualitative versus quantitative measures, which of the following statements is true?

    • A. Quantitative measures evaluate risk based on a subjective assessment.
    • B. Qualitative measures are less precise.
    • C. Qualitative measures are easier to measure for ROI/RROI.
    • D. Quantitative measures are always better than qualitative measures.
  3. If a risk has the following measures (Asset value = $50, Probability = 10%, ARO = 100), and the mitigation costs $100 per year, what is the expected ROI?

    • A. $400
    • B. $500
    • C. $600
    • D. $700
  4. What is the likelihood of a risk requiring corrective actions planned for implementation in a reasonable period of time?

    • A. Very High
    • B. High
    • C. Medium
    • D. Low

Cram Quiz Answers

  1. D. The ALE = SLE ($1,500) × ARO (5) = $7,500. Spending more than $7,500 to mitigate the threat without other cause such as a regulatory or legal mandate would be without return. Answers A, B, and C present too low a figure and are all incorrect.
  2. B. Because qualitative measures are based on subjective values, they are less precise than quantitative measures. Answer A is incorrect because quantitative measures rely on numerical values rather than subjective ones. Answer C is incorrect because qualitative measures are harder to assign numerical values and so more difficult to determine ROI. Answer D is incorrect because each form of analysis has its own benefits and neither is always better in all situations than the other.
  3. A. The single loss expectancy (SLE) can be calculated as the product of the asset value ($50) times the probability of loss (.1) or SLE=$5/year. The annualized rate of occurrence (ARO) is 100 times per year, so the annualized loss expectancy (ALE) is SLE ($5) times the ARO (100) or ALE=$500/year. Because the cost of mitigation is $100 per year, the ROI is equal to the loss prevented (ALE = $500) less the cost of the solution ($100) or ROI = $400. Answers B, C, and D all present potential values higher than $400 and are incorrect.
  4. C. A Medium-level risk likelihood warrants implementation of controls as soon as is reasonable. Answer A is incorrect because variations between High and Very High are not based on recognized standards such as NIST SP 800-30 and instead reflect categories assigned within an organization based on its own criteria. Answer B is incorrect because High-level threats should be corrected as soon as possible, whereas Low-level threats can be dealt with when time allows or be simply accepted, making answer D incorrect as well.

Carry Out Appropriate Risk-Mitigation Strategies

As discussed earlier in this chapter, alignment between security controls, policies, and the risks they mitigate requires an assessment of relative risks and the costs associated with mitigation strategies for each. You must put controls in place based on the relative impact of each risk, with legal mandates considered absolute requirements unless designated as “addressable” and properly documented as part of the risk management plan. You should also formulate organizational policies to include change- and incident-management guidelines as well as audit review expectations.

Change Management

You should document all configuration changes. Many companies are lacking in this area. We are often in a hurry to make changes and say we will do the documentation later—most of the time, that doesn’t happen. You should realize that documentation is critical. It eliminates misunderstandings and serves as a trail if something goes wrong down the road. Change documentation should include the following:

After the change has occurred, the following should be added to the documentation:

After the change has been requested, documented, and approved, you should then send out notification to the users so that they know what to expect when the change has been implemented.

Incident Management

Incidents do happen from time to time in most organizations no matter how strict security policies and procedures are. It is important to realize that proper incident handling is just as vital as the planning stage, and its presence may make the difference between being able to recover quickly and ruining a business and damaging customer relations. Customers need to see that the company has enough expertise to deal with the problem.

Incident response guidelines, change-management procedures, security procedures, and many other security-related factors require extensive planning and documentation. Incident response documentation should include the identification of required forensic and data-gathering procedures and proper reporting and recovery procedures for each type of security-related incident.

The components of an incident-response plan should include preparation, roles, rules, and procedures. Incident-response procedures should define how to maintain business continuity while defending against further attacks. Although many organizations have an incident response team (IRT), which is a specific group of technical and security investigators that respond to and investigate security incidents, many do not. In the event there is no IRT, first responders need to handle the scene and the response. Systems should be secured to prevent as many incidents as possible and monitored to detect security breaches as they occur. The National Institute of Standards and Technology (NIST) has issued a report on incident response guidelines that can help an organization spell out its own internal procedures.

First Responders

First responders are the first ones to arrive at the incident scene. The success of data recovery and potential prosecution depends on the actions of the individual who initially discovers a computer incident. How the evidence scene is handled can severely affect the ability of the organization to prosecute if need be.

Damage and Loss Control

After the response team has determined that an incident occurred, the next step in incident analysis involves taking a comprehensive look at the incident activity to determine the scope, priority, and threat of the incident. This aids with researching possible response and mitigation strategies. In keeping with the severity of the incident, the organization can act to mitigate the effect of the incident by containing it and eventually restoring operations back to normal.

Depending on the severity of the incident and the organizational policy, incident response functions can take many forms. The response team may send out recommendations for recovery, containment, and prevention to systems and network administrators at sites who then complete the response steps. The team may perform the remediation actions themselves. The follow-up response can involve sharing information and lessons learned with other response teams and other appropriate organizations and sites.

After the incident is appropriately handled, the organization might issue a report that details the cause of the incident, the cost of the incident, and the steps the organization should take to prevent future incidents.

It is important to accurately determine the cause of each incident so that it can be fully contained and the exploited vulnerabilities can be mitigated to prevent similar incidents from occurring in the future.

Regular Audits

How much you should audit depends on how much information you want to store. Keep in mind that auditing should be a clear-cut plan built around goals and policies. Without proper planning and policies, you probably will quickly fill your log files and hard drives with useless or unused information.

The more quickly you fill up your log files, the more frequently you need to check the logs; otherwise, important security events might be deleted unnoticed.

Audit Policy

Here are some items to consider when you are ready to implement an audit policy:

After you have auditing turned on, log files are generated. Schedule regular time to view the logs.

User Access and Rights Review

After you have established the proper access control scheme, it is important to monitor changes in access rights. Auditing user privileges is generally a two-step process that involves turning auditing on within the operating system and then specifying the resources to be audited. After enabling auditing, you also need to monitor the logs that are generated. Auditing should include both privilege and usage. Auditing of access use and rights changes should be implemented to prevent unauthorized or unintentional access or escalation of privileges, which might allow a guest or restricted user account access to sensitive or protected resources.

Some of the user activities that can be audited include the following:

When configuring an audit policy, it is important to monitor successful and failed access attempts. Failure events enable you to identify unauthorized access attempts; successful events can reveal an accidental or intentional escalation of access rights.

System and Service Audits

In addition to auditing events on domain controllers and user computers, servers that perform specific roles, such as a DNS, DHCP, SQL, or Exchange server, should have certain events audited. For example, you should enable audit logging for DHCP servers on your network and check the log files for an unusually high number of lease requests from clients. DHCP servers running Windows Server 2008 include several logging features and server parameters that provide enhanced auditing capabilities, such as specifying the following:

Turning on all possible audit counters for all objects could significantly affect server performance, so plan your audit settings and test them regularly.
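The two review tasks described above, the user access and rights review (failure events pointing at guessing attempts, success events pointing at an escalation that actually took effect) and the DHCP check for an unusually high number of lease requests, can be scripted over exported log data. The script below is an added example, not part of the Exam Cram text or any vendor's tooling. The record layouts, event IDs, group names, account names and thresholds are assumptions chosen for illustration; a real deployment would read the operating system's security log and the DHCP server's own audit log.

```python
"""Audit log review, added as an example (not part of the Exam Cram text).

Two checks over constructed sample data:
  * user access review: accounts with repeated failed logons, and successful
    group changes that put a restricted account into a privileged group;
  * DHCP audit review: windows with an unusually high number of lease requests.

Record layouts, event IDs, group names and thresholds are assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed account-audit records: (timestamp, account, event, outcome, detail).
AUDIT_LOG = [
    ("2012-01-04 08:00:01", "guest", "logon", "failure", ""),
    ("2012-01-04 08:00:02", "guest", "logon", "failure", ""),
    ("2012-01-04 08:00:04", "guest", "logon", "failure", ""),
    ("2012-01-04 08:00:05", "guest", "logon", "failure", ""),
    ("2012-01-04 08:00:07", "guest", "logon", "failure", ""),
    ("2012-01-04 08:00:09", "guest", "logon", "success", ""),
    ("2012-01-04 08:01:10", "jsmith", "logon", "success", ""),
    ("2012-01-04 08:02:30", "jsmith", "logon", "failure", ""),
    ("2012-01-04 08:05:00", "guest", "group_change", "success", "added:Domain Admins"),
    ("2012-01-04 08:06:00", "jsmith", "group_change", "success", "added:Sales"),
    ("2012-01-04 08:07:00", "contractor1", "group_change", "failure", "added:Domain Admins"),
]

# Assumed names; in practice these come from the organization's access control scheme.
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators"}
RESTRICTED_ACCOUNTS = {"guest", "contractor1"}


def failed_logon_counts(records, threshold=5):
    """Failure events: accounts whose failed logons reach the threshold."""
    failures = Counter(
        acct for _, acct, event, outcome, _ in records
        if event == "logon" and outcome == "failure"
    )
    return {acct: n for acct, n in failures.items() if n >= threshold}


def unexpected_escalations(records, restricted=RESTRICTED_ACCOUNTS,
                           privileged=PRIVILEGED_GROUPS):
    """Success events: restricted accounts actually added to a privileged group.

    A failed attempt is worth noting, but only the successful change is an
    escalation that has already taken effect.
    """
    hits = []
    for ts, acct, event, outcome, detail in records:
        if event != "group_change" or outcome != "success" or acct not in restricted:
            continue
        group = detail.split(":", 1)[1] if detail.startswith("added:") else None
        if group in privileged:
            hits.append((ts, acct, group))
    return hits


# Constructed DHCP audit lines, CSV "ID,Date,Time,Description,IP,Host,MAC".
# Event IDs 10 (new lease) and 11 (renewal) are assumptions for this example.
_normal = [
    "10,01/04/12,09:00:00,Assign,10.0.0.11,ws11.example,00-11-22-33-44-01",
    "11,01/04/12,09:00:20,Renew,10.0.0.12,ws12.example,00-11-22-33-44-02",
    "10,01/04/12,09:10:00,Assign,10.0.0.13,ws13.example,00-11-22-33-44-03",
    "00,01/04/12,09:10:05,Started,,,",  # non-lease event, ignored
]
# Twelve new leases within one minute, constructed to trip the threshold below.
_burst = [
    f"10,01/04/12,09:30:{i:02d},Assign,10.0.0.{100 + i},ws{100 + i}.example,00-11-22-33-44-{i:02x}"
    for i in range(12)
]
DHCP_LOG = "\n".join(_normal + _burst)
LEASE_EVENT_IDS = {"10", "11"}


def dhcp_lease_bursts(log_text, window_minutes=5, threshold=10):
    """Count lease events per fixed window; return windows above the threshold."""
    buckets = Counter()
    for line in log_text.splitlines():
        fields = line.split(",")
        if len(fields) < 7 or fields[0] not in LEASE_EVENT_IDS:
            continue
        ts = datetime.strptime(f"{fields[1]} {fields[2]}", "%m/%d/%y %H:%M:%S")
        start = ts.replace(second=0) - timedelta(minutes=ts.minute % window_minutes)
        buckets[start] += 1
    return sorted(
        (start.strftime("%Y-%m-%d %H:%M"), n)
        for start, n in buckets.items() if n > threshold
    )


if __name__ == "__main__":
    print("repeated failures:", failed_logon_counts(AUDIT_LOG))
    print("escalations:", unexpected_escalations(AUDIT_LOG))
    print("DHCP bursts:", dhcp_lease_bursts(DHCP_LOG))
```

The thresholds are the part to plan and test, as the text advises: set the failure count and lease-rate limits from a baseline of normal activity, or the review either drowns in noise or misses the event that matters.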

Cram Quiz

Answer these questions. The answers follow the last question. If you cannot answer these questions correctly, consider reading this section again until you can.

  1. Which policy details what users may do with their network access?

    • A. Privacy
    • B. Acceptable Use
    • C. Storage and Retention
    • D. Secure Disposal
  2. When preparing to securely dispose of a hard drive, what is the term for reducing the magnetic flux density of the media to zero?

    • A. Declassification
    • B. Destruction
    • C. Degaussing
    • D. Overwriting
  3. The policy preventing too much power leading to corruption is called the __________________ policy.

    • A. Account Provisioning
    • B. Least Privilege
    • C. Separation of Duties
    • D. Acceptable Use

Cram Quiz Answers

  1. B. The Acceptable Use policy details what users may do with their network access, which generally excludes illegal acts and actions that cost the organization money or public favor. Answer A is incorrect as the Privacy policy covers PII protection requirements and practices. Both C and D deal with information storage and storage device disposal so are not related to network access use.
  2. C. Degaussing involves exposing the media to a powerful electromagnetic device, erasing all magnetic variation within the media. Answer A is incorrect because declassification is a formal process for assessing the risk involved with discarding information, rather than media sanitization itself. Answer B is incorrect because destruction involves physical destruction of the storage device rather than only magnetic degaussing. Answer D is incorrect because overwriting involves the sequential writing of 1s and 0s to mask previously stored data and does not reduce all magnetic flux in the media to zero.
  3. C. The separation of duties policy ensures that a single individual is not responsible for all areas of control and compliance over an organizational function, which ensures that proper checks and balances remain in effect. Answer A is incorrect because the account provisioning policy details new account-creation protocols, and answer B is incorrect because the principle of least privilege ensures only that permissions are only sufficient for job requirements without precluding assignment of both control and compliance functions to the same individual. Answer D is incorrect because the acceptable use policy defines only what a user may do with his network access, not what roles he may fulfill.

Explain the Importance of Security-Related Awareness and Training

One of the most powerful tools available to a security administrator is the body of network users, who might notice and draw attention to unusual access methods or unexpected changes. This same body of users also creates the greatest number of potential security holes because each user might be unaware of newly emerging vulnerabilities, threats, or required standards of action and access that must be followed. Like a chain, a network is only as secure as its weakest link—and users present a wide variety of bad habits, a vast range of knowledge, and varying intent in access.

User Education

User education is mandatory to ensure that users are made aware of expectations, options, and requirements related to secure access within an organization’s network. Education can include many different forms of communication, including the following:

User training should ensure that operational guidelines, disaster recovery strategies, and operational mandates are clearly conveyed to users and refreshed regularly. Policies may also require refresher training during transfer between organizational components or job duties under the rotation policy. Details such as information classification, sensitivity of data and handling guidelines, legal mandates, best practices, and standards can vary widely between organizational units with the proper protocols for access, storage, and disposal varying accordingly.

User Habits and Expectations

Security awareness training is also key to managing the habits and expectations that users develop through the prevalence of computing equipment at home and on their mobile devices.

Passwords

Users must be instructed in the value of their access credentials and in the impact that could result from sharing their passwords and logons or from using weak or easily guessed passwords (and in how to identify a strong password). They should also be told what to expect from password expiration schedules, to avoid filling up the call center the first Monday morning every 90 days.

Data Handling

User training should address legal or regulatory requirements for accessing, transporting, storing, or disposing of data and data storage devices. This includes encryption systems for mobile and removable storage devices, data access logging requirements under laws such as HIPAA, and review of the retention and destruction policy.

Clean Desk

Training should include details of the organization’s clean desk policy, encouraging users to avoid jotting down hard-to-recall passphrases or details from electronic systems that might contain PII. Users should also understand why taping a list of their logons and passwords under their keyboards is a bad idea.

Situational Awareness

User training should encourage situational awareness at all times. Unbadged individuals wandering in secured areas should be challenged, tailgating at check-points (following an authorized individual in closely to avoid having to provide personal authorization credentials) should be prevented, and guidelines for handling other forms of physical and logical security violations must be conveyed and practiced.

Personal Technologies

Common mobile computing devices; removable media storage key fobs; file-sharing systems such as Dropbox, Box.com, or SkyDrive; peer-to-peer transfer services; and even browser-based social media solutions and games can all introduce a range of vulnerabilities and threat agents to an enterprise without requiring elevated privilege or special equipment. Users must be given training in the proper use of their various personal technologies (or reasons to not use the technologies). Because this area is constantly evolving, convey reminders and updates in the regular security-awareness newsletter.

Users must be trained to think critically before providing logon credentials to any service, particularly those that bring personal data interaction into the workplace. Social media services are increasingly used for business purposes, so separation of business and personal accounts becomes critical in the event of a legal motion for discovery that could otherwise require access to personally controlled data resources. Social media services accessed through encrypted web access also offer a route through which protected information could be inadvertently disclosed without passing in readable form through normal boundary content review systems.

Peer-to-peer (P2P) services also present a danger to intellectual property protection and system availability by allowing direct connections between random endpoints over a wide variety of protocols and service ports. This makes firewall and packet-shaper management much more difficult for technicians, and a misconfigured P2P client such as BitTorrent can share otherwise secure data stores with unknown parties. P2P encrypted data streams can also result in contraband content being placed on a system within an organization without proper review, potentially exposing the organization to legal action based on the type of contraband.

Threat Awareness and Zero-Day Threats

Emergent viruses, worms, Trojans, rootkits, phishing attacks, and other threats should be identified and conveyed to users as rapidly as possible before dozens of calls come in asking why the “I Love You” email didn’t show its attached greeting card properly when opened. Personalized spear-phishing attacks are becoming more prevalent, requiring vigilance on the part of the users to avoid the natural response of opening everything that seems to be coming from their family members, boss, or co-workers. This must be tempered, though, as the million-plus new viral versions every year will rapidly overwhelm users into a state of helplessness or disinterest in the face of apparent inevitability. When a new Zero-Day threat emerges that has not been specifically considered in response planning, the same communication channels can be used to alert users of actions being taken by the IT group to correct, recover, repair, or patch systems and data.

Cram Quiz

Answer these questions. The answers follow the last question. If you cannot answer these questions correctly, consider reading this section again until you can.

  1. Which of the following is not going to be part of a standard password policy?

    • A. Establishing a minimum password length
    • B. Selection of a strong password
    • C. Establishing password expiration schedules
    • D. Barring keeping written passwords
  2. When conducting data handling training and reviewing disposal practices, what consideration must be primary?

    • A. Breaches of health and safety protocols
    • B. Remnants of data that may remain accessible
    • C. Accidental disposal of equipment that is necessary to read archived legacy data
    • D. Disposal costs and penalties arising from regulatory mandates
  3. _____________ training teaches users not to download links from social media sites.

    • A. Data handling
    • B. Clean desk
    • C. Situational awareness
    • D. Personal technology
  4. When an employee discovers someone wandering around a secured area without a badge or escort, which user-awareness training topic should provide them with knowledge of the proper response?

    • A. Data handling
    • B. Clean desk
    • C. Situational awareness
    • D. Personal technology

Cram Quiz Answers

  1. D. The clean desk policy includes details regarding written residue of passcodes, PII, and other sensitive data that might be jotted down during normal business. Answers A, B, and C are all incorrect because the question asks which is not a part of the password policy, and all three would be found in the password policy: password length, strength criteria, and password duration before expiration.
  2. A. Because of the materials involved in the manufacturing and construction of electronic equipment, health and safety protocols take precedence over the other considerations. Health and safety must always come first. Answer B is incorrect because it is concerned with data confidentiality. Answer C is incorrect because it is concerned with data availability, and answer D is incorrect because it focuses on risks and costs arising from regulation.
  3. D. Personal technology training should cover social networks, peer-to-peer networking, and mobile technologies owned by the employees but present in the workplace. Answer A is incorrect because the data handling training would be focused on how to manage data stored on organizational systems rather than personal ones. Answer B is incorrect because the clean desk policy provides guidance for data sanitization of the work environment. Answer C is incorrect because situational awareness training involves developing strategies and skills for dealing with physical access violations and similar events rather than addressing which personal technologies are appropriate and how they should be used properly.
  4. C. Situational-awareness training focuses on strategies and skills for dealing with physical access violations, variations from normal operational routines, and similar events. Answer A is incorrect because data handling training is focused on how to manage data stored on organizational systems rather than how to deal with unauthorized personnel in secure areas. Answer B is incorrect because the clean desk policy provides guidance for data sanitization of the work environment to protect against unauthorized data disclosure should an unauthorized individual gain access. Answer D is incorrect because personal technology training provides strategies for dealing with personal technology and services within the organizational enterprise environment.

What Next?

If you want more practice on this chapter’s exam objectives before you move on, remember that you can access all of the Cram Quiz questions on the CD. You can also create a custom exam by objective with the practice exam software. Note any objective you struggle with and go to that objective material in this chapter.

800 East 96th Street, Indianapolis, Indiana 46240
