- Exemplify the Concepts of Confidentiality, Integrity, and Availability
- Explain Risk-Related Concepts
- Carry Out Appropriate Risk-Mitigation Strategies
- Explain the Importance of Security-Related Awareness and Training
- What Next?
Carry Out Appropriate Risk-Mitigation Strategies
- Implement security controls based on risk
- Change management
- Incident management
- User rights and permissions reviews
- Perform routine audits
- Implement policies and procedures to prevent data loss or theft
As discussed earlier in this chapter, alignment between security controls, policies, and the risks they mitigate requires an assessment of relative risks and the costs associated with mitigation strategies for each. You must put controls in place based on the relative impact of each risk, with legal mandates considered absolute requirements unless designated as “addressable” and properly documented as part of the risk management plan. You should also formulate organizational policies to include change- and incident-management guidelines as well as audit review expectations.
You should document all configuration changes. Many companies are lacking in this area. We are often in a hurry to make changes and say we will do the documentation later—most of the time, that doesn’t happen. You should realize that documentation is critical. It eliminates misunderstandings and serves as a trail if something goes wrong down the road. Change documentation should include the following:
- Specific details, such as the files being replaced, the configuration being changed, the machines or operating systems affected, and so on
- The name of the authority who approved the changes
- A list of the departments that are involved in performing the changes and the names of the supervisors in those departments
- What the immediate effect of the change will be
- What the long-term effect of the change will be
- The date and time the change will occur
After the change has occurred, the following should be added to the documentation:
- Specific problems and issues that occurred during the process
- Any known workarounds if issues have occurred
- Recommendations and notes on the event
After the change has been requested, documented, and approved, you should then send out notification to the users so that they know what to expect when the change has been implemented.
Incidents do happen from time to time in most organizations no matter how strict security policies and procedures are. It is important to realize that proper incident handling is just as vital as the planning stage, and its presence may make the difference between being able to recover quickly and ruining a business and damaging customer relations. Customers need to see that the company has enough expertise to deal with the problem.
Incident response guidelines, change-management procedures, security procedures, and many other security-related factors require extensive planning and documentation. Incident response documentation should include the identification of required forensic and data-gathering procedures and proper reporting and recovery procedures for each type of security-related incident.
The components of an incidence-response plan should include preparation, roles, rules, and procedures. Incident-response procedures should define how to maintain business continuity while defending against further attacks. Although many organizations have an incident response team (IRT), which is a specific group of technical and security investigators that respond to and investigate security incidents, many do not. In the event there is no IRT, first responders need to handle the scene and the response. Systems should be secured to prevent as many incidents as possible and monitored to detect security breaches as they occur. The National Institute of Standards and Technology (NIST) has issued a report on incident response guidelines that can help an organization spell out its own internal procedures.
First responders are the first ones to arrive at the incident scene. The success of data recovery and potential prosecution depends on the actions of the individual who initially discovers a computer incident. How the evidence scene is handled can severely affect the ability of the organization to prosecute if need be.
Damage and Loss Control
After the response team has determined that an incident occurred, the next step in incident analysis involves taking a comprehensive look at the incident activity to determine the scope, priority, and threat of the incident. This aids with researching possible response and mitigation strategies. In keeping with the severity of the incident, the organization can act to mitigate the effect of the incident by containing it and eventually restoring operations back to normal.
Depending on the severity of the incident and the organizational policy, incident response functions can take many forms. The response team may send out recommendations for recovery, containment, and prevention to systems and network administrators at sites who then complete the response steps. The team may perform the remediation actions themselves. The follow-up response can involve sharing information and lessons learned with other response teams and other appropriate organizations and sites.
After the incident is appropriately handled, the organization might issue a report that details the cause of the incident, the cost of the incident, and the steps the organization should take to prevent future incidents.
It is important to accurately determine the cause of each incident so that it can be fully contained and the exploited vulnerabilities can be mitigated to prevent similar incidents from occurring in the future.
How much you should audit depends on how much information you want to store. Keep in mind that auditing should be a clear-cut plan built around goals and policies. Without proper planning and policies, you probably will quickly fill your log files and hard drives with useless or unused information.
The more quickly you fill up your log files, the more frequently you need to check the logs; otherwise, important security events might be deleted unnoticed.
Here are some items to consider when you are ready to implement an audit policy:
- Identify potential resources at risk within your networking environment. These resources might typically include sensitive files, financial applications, and personnel files.
- After the resources are identified, set up the audit policy through the operating system tools. Each operating system will have its own method for tracking and logging access.
- Auditing can easily add an additional 25% load or more on a server. If the policy incorporates auditing large amounts of data, be sure that the hardware has the additional space needed and processing power and memory.
After you have auditing turned on, log files are generated. Schedule regular time to view the logs.
User Access and Rights Review
After you have established the proper access control scheme, it is important to monitor changes in access rights. Auditing user privileges is generally a two-step process that involves turning auditing on within the operating system and then specifying the resources to be audited. After enabling auditing, you also need to monitor the logs that are generated. Auditing should include both privilege and usage. Auditing of access use and rights changes should be implemented to prevent unauthorized or unintentional access or escalation of privileges, which might allow a guest or restricted user account access to sensitive or protected resources.
Some of the user activities that can be audited include the following:
- Reading, modifying, or deleting files
- Logging on or off the network
- Using services such as remote access or terminal services
- Using devices such as printers
When configuring an audit policy, it is important to monitor successful and failed access attempts. Failure events enable you to identify unauthorized access attempts; successful events can reveal an accidental or intentional escalation of access rights.
System and Service Audits
In addition to auditing events on domain controllers and user computers, servers that perform specific roles, such as a DNS, DHCP, SQL, or Exchange server, should have certain events audited. For example, you should enable audit logging for DHCP servers on your network and check the log files for an unusually high number of lease requests from clients. DHCP servers running Windows Server 2008 include several logging features and server parameters that provide enhanced auditing capabilities, such as specifying the following:
- The directory path in which the DHCP server stores audit log files. By default, the DHCP audit logs are located in the %windir%\System32\Dhcp directory.
- A minimum and maximum size for the total amount of disk space that is available for audit log files created by the DHCP service.
- A disk-checking interval that determines how many times the DHCP server writes audit log events to the log file before checking for available disk space on the server.
Turning on all possible audit counters for all objects could significantly affect server performance, so plan your audit settings and test them regularly.
Answer these questions. The answers follow the last question. If you cannot answer these questions correctly, consider reading this section again until you can.
Which policy details what users may do with their network access?
- A. Privacy
- B. Acceptable Use
- C. Storage and Retention
- D. Secure Disposal
When preparing to securely dispose of a hard drive, what is the term for reducing the magnetic flux density of the media to zero?
- A. Declassification
- B. Destruction
- C. Degaussing
- D. Overwriting
- The policy preventing too much power leading to corruption is called the __________________ policy.
- A. Account Provisioning
- B. Least Privilege
- C. Separation of Duties
- D. Acceptable Use
Cram Quiz Answers
- C. Degaussing involves exposing the media to a powerful electromagnetic device, erasing all magnetic variation within the media. Answer A is incorrect because declassification is a formal process for assessing the risk involved with discarding information, rather than media sanitization itself. Answer B is incorrect because destruction involves physical destruction of the storage device rather than only magnetic degaussing. Answer D is incorrect because overwriting involves the sequential writing of 1s and 0s to mask previously stored data and does not reduce all magnetic flux in the media to zero.
- C. The separation of duties policy ensures that a single individual is not responsible for all areas of control and compliance over an organizational function, which ensures that proper checks and balances remain in effect. Answer A is incorrect because the account provisioning policy details new account-creation protocols, and answer B is incorrect because the principle of least privilege ensures only that permissions are only sufficient for job requirements without precluding assignment of both control and compliance functions to the same individual. Answer D is incorrect because the acceptable use policy defines only what a user may do with his network access, not what roles he may fulfill.