Video Content Lesson 10 Flashcards

2
Q

Administrative Management

A
Overview
Duty Separation
Least Access
Accountability
Privacy and Protection
Legal Requirements
Illegal Activities
3
Q

Overview

A

Policies, Guidelines, and Procedures set the tone for administration
Legal Requirements of Due Care and Due Diligence
Due Care - Reasonable care used to protect the assets of the organization
Due Diligence - Sufficient steps taken to ensure the standards of the due care are being perpetually upheld
Hiring Practices - set into security policy (job requirements, specifications for specific jobs; background checking)
Termination procedures

4
Q

Duty Separation

A

Separation of duties and responsibilities (ensure that any critical task cannot be completely executed by a single individual)
Changes in workstation/location (decreasing the probability that the users will store personal information on the PC)

5
Q

Least Access

A

Least Privilege - (Subjects should be granted the least possible amount of access to complete their work tasks)
Need to Know - (A subject must possess a need to know information in addition to having an appropriate security clearance)

6
Q

Accountability

A

Job Rotation - (Periodically rotate responsibilities; Allows subsequent job holders to audit predecessor)
Mandatory Vacation Increments - (Allows sufficient time for complete audit and validations of activity)
Security Policy must set forth standards of accountability for each employee
Use Auditing to validate policy compliance

7
Q

Privacy and Protection

A

Privacy and protection issues cover how the organization handles sensitive materials
Organizations must protect private personal information from unauthorized disclosure
Some information is protected by statute or regulation (Personal medical records; Financial information)

8
Q

Legal Requirements

A

Local, State, National, and International
A sound security policy will ensure all laws are upheld (Hiring Practices; Software Licensing; Hazardous materials storage and disposal)
Must have policies and procedures stating how you handle issues

9
Q

Illegal Activities

A

How do you discourage illegal activities?
Organizations must make substantive attempts to prevent illegal activities (EX - fraud, theft, unauthorized disclosure)
Preventative Controls - can help prevent illegal activities
Detective Controls - can help discover such activities
Must be spelled out in Policies

10
Q

Operation Controls

A
Record Retention
Backups
Data Removal
Antivirus Controls
Privileged Functions
Resource Protection
11
Q

Record Retention

A

Sensitive Records (Event Logs; Audit Trails; Backups of Critical Information)
It is necessary to retain such information for possible audits and investigations
Length of retention can vary, depending on local laws and regulations
Common Retention lengths are 3, 7, or 10 years

12
Q

Backups

A

Backup of critical information
Make sure all sensitive data is backed up perpetually
Validate all backups (assume it fails unless validated)
Media Handling (Marking - be explicit)
Storage - Safe and secure
Destruction - when the useful life has expired, remove the data using an appropriate strategy

13
Q

Data Removal

A

Erase Data - marks the file as deleted, but the data is NOT actually removed
Clearing - Overwriting media with unclassified information
Purging - Repeated clearing
Declassification - (Process of clearing media for use in a less-secure environment; often uses purging)
Degaussing - Using strong magnetic field to remove all magnetic data from media; Returns magnetic media to a pristine state
Destruction - (Physically destroying media; shredding, incineration, crushing)
Sanitization - (Series of processes that result in pristine media or destruction)

14
Q

Antivirus Controls

A
Control Types
1-Preventative
2-Detective
3-Deterrent
4-Corrective
5-Recovery (restore to previous state)
Antivirus Management
All servers/clients need antivirus protection (preventative and detective)
Antivirus shield (preventative)
Scanning (detective)
Fix the Virus (corrective and recovery)
Up-to-date virus definitions (check back to antivirus site for updates)
Administrative controls (restrict or prohibit installation of uncontrolled software on client machines) (preventative controls)
15
Q

Privileged Functions

A

Administrator has extended access to resources required for specific job functions
Restrict these functions to specific users and monitor their use
Trusted Recovery Process (Security maintained during crash and recovery)
Change Control Management (Track and manage software and document changes)
SCM (Software Configuration Management) (log all events that result in changes or change requests)

16
Q

Resource Protection

A
Software, Hardware, Data
Operating System (backup, current patches)
Source Code (archive current code; Maintain version change history)
Purchased/proprietary (current patches)
Hardware
Limit Physical Access
Limit Removable media access
Data
Access control
Sensitive forms and reports
Logs
Databases
17
Q

Auditing

A
Audit Procedures
Frequency
Audit Trails
Audit Reporting
Sampling
Retention
18
Q

Audit Procedures

A

What is auditing?
Ensures compliance with the company security policy and with local statutes and regulations
Internal audits are carried out by employees of the organization in question
External audits utilize auditors who are NOT associated with your organization
Generally viewed as unbiased

19
Q

Frequency

A

Security policy should detail how frequently audits should take place
Recurring (scheduled)
Ad hoc (specific) audits occur as needed for an individual or sub-organization, or to satisfy legal proceedings

20
Q

Audit Trails

A

Follow Audit Trails
Individual accountability on machine or group of machines
Reconstruction of events (ensure that audit logs are being created, archive and copy event logs)
Look at the integrity of logs so a user cannot cover their tracks
Identification of problems and possible resolutions

21
Q

Audit Reporting

A

Formats vary from organization to organization
All audit reports should contain (purpose, scope, discovery details)
Specific reports will probably contain additional information
Information contained in reports should be audience-specific

22
Q

Sampling

A

Sampling and Data Extraction
Extracting meaningful data from large data sets
Clipping levels are commonly used (base value that triggers an alarm if exceeded) (use things outside of normal)

23
Q

Retention

A

Retain source documents and reports
As with general records, records should be retained to comply with all local, state, and federal laws and regulations
Most records kept for 3, 7, or 10 years

24
Q

Monitoring

A
What is Monitoring?
Categories
Warning Banners
Keystroke Monitoring
Traffic Analysis
Trend Analysis
Tools
Failure Recognition
25
Q

What is Monitoring?

A

Monitoring is the active review of critical usage statistics (System Performance, Currently logged-in user activity, sensitive processes in use) (to maintain Confidentiality, Integrity, and Availability)
Look at each area
Let people know they are being monitored

26
Q

Categories

A

Event Monitoring (things that happen in a system - ex- logins, logouts, login failures, database session start and stop, what is normal activity?)
Hardware monitoring (Events pertaining to hardware; CPU temperature; Removable storage access)
Illegal software monitoring
Watch for installation/use of illegal software

27
Q

Warning Banners

A

First thing users see when logging into system
Deterrent control
Disclosure of consequences of asset misuse
Often the most visible part of your security policy

28
Q

Keystroke Monitoring

A

Recording the actual keystrokes as they are entered (Video recorder records users as they type)
Keystroke capture hardware/software (intercepts and stores all keystrokes)
Not normal use; employed when investigating an individual

29
Q

Traffic Analysis

A

Network monitoring tool
Analysis of the packets passing a fixed point on a network (packet flow, not packet content, is being observed) (useful for analyzing packet paths)

30
Q

Trend Analysis

A

Similar to Traffic Analysis

Looks at inside of packets, looks at source and destination, Kind of packets, type of packets, detects anomalies

31
Q

Tools

A

Real-time tools (watch activity as it happens; information can be viewed now or archived for later analysis)
Ad hoc tools (Quickly allow the viewing of a specific metric; useful to get a snapshot to detect unusual activity)
Passive tools (users and attackers are not aware that they are being monitored); CCTV (closed-circuit television; records the physical movement of users throughout the system; valuable to record various activities; real-time and archived for later viewing)

32
Q

Failure Recognition

A
First identify what "normal" looks like
Recognize anomalies through manual or automated means
Response Mode (identify problem, notify the appropriate authorities, take appropriate action to resolve the problem)
33
Q

Intrusion Detection

A

Intrusion Prevention
IDS Types
Penetration Testing
Inappropriate Activity

34
Q

Intrusion Prevention

A

Intrusion Detection is the ability to know when an attacker is either attempting to or is currently intruding into the system
Intrusion Prevention
Use very aggressive access controls that identify and authenticate all users before they are granted any type of access (identify and authenticate)
2 basic types of Intrusion Protection
Network-based will monitor a network segment (Packet storm or DoS)
Host-based will monitor a single system

35
Q

IDS Types

A

IDS Types
1-Signature-based (has a database of recognized attacks; make certain the database is up to date)
IDS looks at activities and compares with its database and sounds alarms if anomaly occurs
2-Behaviour-based (detects usage anomalies; sometimes called an expert system)

36
Q

Penetration Testing

A

Evaluates the strengths of controls
Act like an attacker and expose any vulnerabilities
Make sure the person conducting the test has full authority
Make sure the owner of the system is aware of the attack and has given written permission
Automated tools (Nessus, NMap, WebInspect)

37
Q

Inappropriate Activity

A

Controls are in place to stop any inappropriate activities from affecting the data systems
Any misuse of an organization’s computing resources
Defined in Security Policy (Inclusive and Exclusive lists)
Make sure that all information system users are aware of the appropriate use policy (Through security policy awareness programs and through a banner)
Examples (Fraud, Collusion, Harassment, Pornography, Waste, Abuse, Theft)

38
Q

Threats and Countermeasures

A
Interception
Human Factors
Fraud and Theft
Employee Sabotage
Disaster Recovery
Hackers
Espionage
Malicious Code
39
Q

Interception

A

1-War dialing (using a modem to find a system that will accept incoming connections)
Secure all modems (Written Policy)
Ensure that all modems are controlled
Require that anyone dialing into the system establishes a handshake, then hangs up and is called back
2-Sniffing (monitoring network traffic to intercept unencrypted messages with NIC in permissive mode)
Easiest countermeasure is to use encryption
3-Eavesdropping (can be part of sniffing) (includes recording or listening to real-time conversations)(use encryption or physical access to protect against)
4-Radiation monitoring (interception of radiation transmissions) (Cell phones, radios, any type of wireless technology) (implement both shielding and encryption)
5-Dumpster Diving (leafing through discarded trash to extract useful information) (Countermeasure - never discard useful information) (shredding, incineration, crushing)

40
Q

Human Factors

A

1-Social Engineering (process of convincing an authorized user to perform an unauthorized action) (keystroke monitor, malicious code) (countermeasure - security awareness training)
2-Errors and Omissions (basic human errors) (no direct countermeasure) (provide good functional training)

41
Q

Fraud and Theft

A

Use of computer to commit fraud or theft (countermeasure - access control and appropriate activity policy)

42
Q

Employee Sabotage

A

Any intentional damage by an employee (Countermeasure- Aggressive employee morale policy and aggressive termination policy)

43
Q

Disaster Recovery

A

Have a very stringent disaster recovery plan

44
Q

Hackers

A

Common security threat (countermeasure - aggressive use of controls)

45
Q

Espionage

A

Collecting information or materials for disclosure to an external party (countermeasure - aggressive activity auditing and access control)

46
Q

Malicious Code

A

Any code intended to cause harm to an information system or the data it contains (worms/viruses) (countermeasure - content filtering and antivirus policy)