Sunday, December 7, 2014

11.1 - The Role of the Operations Department

Companies carry out important “due care and due diligence” efforts, which include establishing correct policies, procedures, standards, and guidelines.

These due diligence efforts require responsible, careful, cautious, and practical company practices. It is important to identify systems and operations that are sensitive (meaning they need to be protected from disclosure) and critical (meaning they must remain available at all times).

Organizations consider many threats including disclosure of confidential data, theft of assets, corruption of data, interruption of services, and destruction of the physical or logical environment. The correct steps need to be taken to achieve the necessary levels of security while balancing various constraints.

Operations security departments ensure that people, applications, equipment, and the overall environment are properly and adequately secured.

10.3 - Software Development Life Cycle

The Software Development Life Cycle consists of requirements gathering, design, development, testing/validation, and release/maintenance.


  • Requirements gathering: determines why the software is being created, what it will do, and for whom it will be created
  • Design: deals with how the software will accomplish the goals identified
  • Development: programming software code to meet the specifications laid out in the design phase
  • Testing/validation: validating the software to ensure that its goals are met and that it works as planned
  • Release/maintenance: deploying the software and then ensuring that it is properly configured, patched, and monitored

Wednesday, December 3, 2014

10.2 - System Development Life Cycle

A life cycle is a representation of development changes. Systems have their own developmental life cycle, which is made up of the following phases: initiation, acquisition/development, implementation, operation/maintenance, and disposal. These together are referred to as a system development life cycle (SDLC).

  • Initiation:
    • Need for a new system is defined
  • Acquisition/development:
    • New system is either created or purchased
  • Implementation:
    • New system is installed into production environment
  • Operation/maintenance:
    • System is used and cared for
  • Disposal: 
    • System is removed from production environment

10.1 - Where Do We Place Security?

Different Environments Demand Different Security
- Network and security administrators are overwhelmed by having to integrate various applications and computer systems to keep up with company demand.

Environment vs. Application
- Application controls are very specific to the application's own needs and to the security compromises its developers understand.

Functionality vs. Security
- Code security and functionality are inherently built in together.

9.3 - Ethics


  • Ethics are based on many different issues and foundations; because of this, they are interpreted differently on an individual basis.
  • The Computer Ethics Institute is a nonprofit organization that works to help advance technology by ethical means.
  • The Computer Ethics Institute has developed its own Ten Commandments of Computer Ethics:
      1. Thou shalt not use a computer to harm other people.
      2. Thou shalt not interfere with other people’s computer work.
      3. Thou shalt not snoop around in other people’s computer files.
      4. Thou shalt not use a computer to steal.
      5. Thou shalt not use a computer to bear false witness.
      6. Thou shalt not copy or use proprietary software for which you have not paid.
      7. Thou shalt not use other people’s computer resources without authorization or proper compensation.
      8. Thou shalt not appropriate other people’s intellectual output.
      9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
      10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.

9.2 - Intellectual Property Laws

Intellectual property laws do not always concern themselves with what is right or wrong. Their main focus is on how organizations and individuals protect what they rightfully own from unauthorized use, and they give these entities options for what they can do if these laws are violated.
  • Trade Secret
    • This is something that is proprietary to an organization and vital for its profitability and survival.
    • For example, the trade secret that Coca-Cola owns is the formula used for its soft drink. This resource is highly confidential and protected with various security precautions and actions. Such actions can be both physical (safes and security surveillance) and legal (non-disclosure agreements).
  • Copyright
    • Denoted by ©, copyright protects the right of an original author to control the distribution, reproduction, display, and adaptation of an original work.
    • This law covers various types of work: pictorial, graphic, musical, dramatic, literary, pantomime, motion picture, sculptural, sound recording, and architectural.
    • It should be noted that, unlike trade secret law, copyright does not protect the specific resource itself; rather, it protects the “expression of the idea of the resource instead of the resource itself”.
  • Trademarks
    • These differ from copyrights in that they are used to protect words, names, symbols, sounds, shapes, colors, and any combination of these.
    • Generally, trademarks are sought when they are believed to represent an entity's brand identity to a group of people or to the world.
  • Patent
    • Patents grant individuals and organizations legal ownership that enables exclusive use or copying of the invention covered by the patent.
    • After the inventor completes an application for a patent and it is approved, the patent grants a limited property right to exclude others from making, using, or selling the invention for a specific period of time.

9.1 - Complexities in Cybercrime

A majority of cyber attackers are rarely caught because they mask their identities and addresses; this is known as spoofing. As we know, these attackers hack into networks, retrieve whatever resources they sought, and wipe clean all logs that may have tracked their activity. Oftentimes, companies do not even know they have been violated.

The Evolution of Attacks
  • In the early days of computing, hackers were mainly people who simply enjoyed the thrill of hacking. True hackers saw this as a challenging game without any real intent of harm or damage. Unfortunately, these former trends have taken on more sinister and destructive means.
  • In modern times, script kiddies and others hack to simply wreak havoc and just for the fun of it. Additionally, organized criminals have now sprouted on the scene and have increased the amount of damage done.

International Issues
  • The text explains, “If a hacker in Ukraine attacked a bank in France, whose legal jurisdiction is that?” Cybercrime lacks the uniformity in standard law for prosecuting these individuals.

Tuesday, December 2, 2014

8.1 - Business Continuity and Disaster Recovery

The goal of a business after a disaster is recovery. Minimizing the effects of a disaster and disruption means that the necessary actions are taken to ensure that resources, personnel, and business processes can resume operation in a timely manner. This differs from continuity planning, which provides procedures for dealing with long-term outages and disasters. The goal of a disaster recovery plan is to handle the disaster and its issues after the disaster occurs. Generally, the disaster recovery plan is information technology focused.

A disaster recovery plan (DRP) is used when an organization is in emergency mode and people are scrambling to bring critical systems back online. Business continuity plans (BCPs) take a broader approach to problems by getting critical systems running in other environments while repairs of the original facilities are under way.


7.5 - Internet Security

A common misconception that people tend to have is that the Web is the Internet; it is not. The Web actually runs on top of the Internet; it is the collection of servers that serve websites. The Internet is the collection of physical devices and communication protocols that interact with these websites.

Web browsers understand protocols because they have the capability to process the various types of commands; however, they do not understand all of them. For those protocols or commands the user's browser does not know how to process, the user can download and install plug-ins that integrate themselves into the system or browser.

This is a quick and easy way to expand the functionality of the browser. However, it can cause serious security compromises, because the payload of the module can easily carry viruses and malicious software that users don't discover until it's too late.

HTTP Secure (HTTPS) is HTTP running over SSL. Secure Sockets Layer (SSL) uses public key encryption and provides data encryption, server authentication, message integrity, and client authentication. Essentially, when clients access websites, the site may have both secured and public portions. HTTPS allows the user to access the secured portion by way of some form of authentication.

7.4 - Link Encryption vs. End-to-End Encryption


Encryption is performed at different communication levels and with different types of protection. Two general types of encryption implemented are link encryption and end-to-end encryption.

Link encryption, or online encryption, is provided by service providers and integrated into their network protocols. All of the information is encrypted, so the packet must be decrypted at each router in order to decide where to send it next. The router must decrypt the header portion of the packet, read the routing and address information within the header, and then re-encrypt the packet and send it on its way.

With end-to-end encryption, the packets do not need to be decrypted and then re-encrypted at each hop. This is because the headers and trailers are left unencrypted, so the devices between the source and the final destination can read the necessary routing information and pass the packets along.
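To make the difference concrete, here is a small simulation of the two schemes across a path with two routers. This is an added example, not code from the original notes or from the CISSP guide; the repeating-key XOR "cipher", the packet layout (a plaintext header string followed by the payload), and the sample addresses and keys are all constructed for illustration and provide no real protection.

```python
"""Toy model of link encryption versus end-to-end encryption along a path.

The XOR cipher below stands in for a real algorithm only so that what each
vantage point can read is concrete; it gives no real protection.
"""
from dataclasses import dataclass


def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; decryption is the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


toy_decrypt = toy_encrypt


@dataclass
class RouterView:
    """What an intermediate router can read after doing its part of the job."""
    header: bytes
    payload: bytes


def link_encryption(header: bytes, payload: bytes, link_keys: list) -> dict:
    """Link encryption: the whole packet (header and payload) is encrypted on
    every link. link_keys[i] protects link i; there are len(link_keys) - 1
    routers, each of which must decrypt everything to read the header, then
    re-encrypt the packet under the next link's key."""
    hlen = len(header)
    packet = toy_encrypt(header + payload, link_keys[0])
    on_wire, routers = [packet], []
    for i in range(1, len(link_keys)):
        clear = toy_decrypt(packet, link_keys[i - 1])           # router peels the incoming link
        routers.append(RouterView(clear[:hlen], clear[hlen:]))  # payload is in the clear here
        packet = toy_encrypt(clear, link_keys[i])               # re-wrap for the next link
        on_wire.append(packet)
    delivered = toy_decrypt(packet, link_keys[-1])[hlen:]
    return {"on_wire": on_wire, "routers": routers, "delivered": delivered}


def end_to_end_encryption(header: bytes, payload: bytes, session_key: bytes, hops: int) -> dict:
    """End-to-end encryption: only the payload is encrypted, under a key shared
    by the two endpoints. Headers stay readable so routers can forward without
    holding any key; the packet is unchanged across all links."""
    hlen = len(header)
    packet = header + toy_encrypt(payload, session_key)
    on_wire = [packet] * (hops + 1)
    routers = [RouterView(packet[:hlen], packet[hlen:]) for _ in range(hops)]
    delivered = toy_decrypt(packet[hlen:], session_key)
    return {"on_wire": on_wire, "routers": routers, "delivered": delivered}


def compare(header: bytes, payload: bytes, link_keys: list, session_key: bytes) -> dict:
    """Summarise the trade-off the notes describe for one path."""
    link = link_encryption(header, payload, link_keys)
    e2e = end_to_end_encryption(header, payload, session_key, hops=len(link_keys) - 1)
    return {
        "link: routers see payload": all(r.payload == payload for r in link["routers"]),
        "link: header hidden on wire": all(w[:len(header)] != header for w in link["on_wire"]),
        "e2e: routers see payload": any(r.payload == payload for r in e2e["routers"]),
        "e2e: header visible on wire": all(w[:len(header)] == header for w in e2e["on_wire"]),
        "both deliver payload": link["delivered"] == payload and e2e["delivered"] == payload,
    }


# Constructed sample path: sender -> R1 -> R2 -> receiver (three links, two routers).
SAMPLE_HEADER = b"SRC=192.0.2.10;DST=198.51.100.7;"
SAMPLE_PAYLOAD = b"quarterly figures: confidential"
SAMPLE_LINK_KEYS = [b"link-key-one", b"link-key-two", b"link-key-three"]
SAMPLE_SESSION_KEY = b"endpoint-shared-secret"

if __name__ == "__main__":
    for k, v in compare(SAMPLE_HEADER, SAMPLE_PAYLOAD, SAMPLE_LINK_KEYS, SAMPLE_SESSION_KEY).items():
        print(f"{k}: {v}")
```

Running it shows the trade-off in one table: link encryption hides even the addresses from anyone tapping a cable, but every router along the way holds the payload in the clear and must be trusted; end-to-end encryption keeps the payload away from the routers, at the price of exposing the headers (who is talking to whom) on every link.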

7.3 - Public Key Infrastructure

Public key infrastructure (PKI) consists of programs, data formats, procedures, communication protocols, security policies, and public key cryptography working together. This infrastructure establishes trust within an environment.

This ISO framework uses public key cryptography to set up authentication across various networks and the Internet. Public key cryptography is also known as asymmetric cryptography (asymmetric algorithms).

Just as e-mail needs clients, servers, and messages, which together form a type of infrastructure (an e-mail infrastructure), PKI is made up of many different parts: certificate authorities, registration authorities, certificates, keys, and users. The following sections explain these parts and how they all work together.

Monday, December 1, 2014

7.2 - Methods of Encryption

There are several parts to an encryption process; however, it should be noted that there are two main pieces: algorithms and keys. Algorithms used in computer systems are complex mathematical formulas that enforce the rules of how plaintext is turned into ciphertext. Keys are strings of bits that these algorithms use to add randomness to the encryption.

To allow entities to communicate through encryption, these entities must use the same algorithm and the same key. With some encryption technologies, the receiver and the sender have the same key to use (symmetric), and in other encryption technologies, they must use different but related keys for encryption and decryption (asymmetric, public and private keys).


Example of symmetric encryption.

7.1 - History of Cryptography

Cryptography is believed to have originated in Egypt, around 2000 B.C. Hieroglyphics, at the time, were used to decorate tombs and told the life story of the deceased. This practice was more to portray the story in a noble and ceremonial manner than to actually hide the messages themselves.

Over time, encryption evolved from being visual representations of storytelling into applications used to obscure information from others.

For example, the substitution cipher (replacing characters with other characters) became a cryptographic method. One such method flipped the alphabet so that each letter in the original alphabet corresponds to a different letter in the flipped alphabet. This encryption method was called atbash, and it hid the true meaning of messages.

Example:

ABCDEFGHIJKLMNOPQRSTUVWXYZ
ZYXWVUTSRQPONMLKJIHGFEDCBA

“As an example, suppose we need to encrypt the message “Logical Security.” We take the first letter of this message, L, and shift up three locations within the alphabet. The encrypted version of this first letter is O, so we write that down. The next letter to be encrypted is O, which matches R when we shift three spaces. We continue this process for the whole message. Once the message is encrypted, a carrier takes the encrypted version to the destination, where the process is reversed.”
-CISSP Security Guide

Plaintext:
LOGICAL SECURITY

Ciphertext:
ORJLFDO VHFXULWB

Today, this technique is far too simplistic and ineffective; however, in the time of Julius Caesar, few people could read, so it provided a high level of protection. The Caesar cipher is an example of a monoalphabetic cipher. Once more people could read and reverse-engineer this type of encryption process, the cryptographers of that day increased the complexity by creating polyalphabetic ciphers.
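The two substitution ciphers above, atbash and the Caesar shift, as working code. This is an added example and not part of the original notes or the CISSP guide; it reproduces the "LOGICAL SECURITY" example from the quoted passage and also serves the "Methods of Encryption" section, since the shift value is exactly a shared (symmetric) key that both sender and receiver must know. The final function shows why a monoalphabetic shift is "too simplistic": the whole key space is 25 shifts, so every candidate can be listed and read off at a glance.

```python
"""Atbash and Caesar substitution ciphers from the cryptography history notes."""
import string

ALPHABET = string.ascii_uppercase


def atbash(text: str) -> str:
    """Flip the alphabet (A<->Z, B<->Y, ...). Atbash is its own inverse, so the
    same call both encrypts and decrypts. Non-letters pass through unchanged."""
    table = str.maketrans(ALPHABET, ALPHABET[::-1])
    return text.upper().translate(table)


def caesar(text: str, shift: int = 3) -> str:
    """Shift every letter `shift` positions up the alphabet, wrapping around.
    The shift is the shared key: Caesar's own cipher used 3."""
    k = shift % 26
    table = str.maketrans(ALPHABET, ALPHABET[k:] + ALPHABET[:k])
    return text.upper().translate(table)


def caesar_decrypt(ciphertext: str, shift: int = 3) -> str:
    """Reverse the shift; this is what the carrier's recipient does."""
    return caesar(ciphertext, -shift)


def all_caesar_candidates(ciphertext: str) -> list:
    """A monoalphabetic shift has only 25 distinct keys. Listing every
    candidate plaintext is enough to recover the message without the key,
    which is why the notes call the scheme ineffective today."""
    return [(k, caesar(ciphertext, -k)) for k in range(1, 26)]


if __name__ == "__main__":
    msg = "LOGICAL SECURITY"
    print("atbash :", atbash(msg))
    print("caesar :", caesar(msg))                 # ORJLFDO VHFXULWB, as in the notes
    print("decrypt:", caesar_decrypt(caesar(msg)))
    for k, guess in all_caesar_candidates(caesar(msg)):
        print(f"shift {k:2d}: {guess}")
```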

6.5 - Networking Devices

There are several types of networking devices that connect LANs, MANs, and WANs to provide intercommunication among computers and their networks. These devices vary based on their capabilities and intelligence.

  • Repeaters
    • These provide the most basic type of connectivity, by only repeating electrical signals between cable segments, which enables them to extend a network at the physical layer. Repeaters are add-on devices that extend a network connection over further distances by amplifying the signal.
  • Bridges
    • Bridges are LAN devices that connect LAN segments at the data link layer. Unlike a repeater, which forwards all signals it receives, a bridge divides an overburdened network into smaller segments. This ensures efficient use of bandwidth and traffic control. Like a repeater, it amplifies the electrical signal; however, it is more intelligent than a repeater and enables the administrator to filter frames for further control.
  • Routers
    • Routers operate at the network layer; they connect similar or different networks. They have two or more interfaces and a routing table used to receive packets and transmit them toward their destinations. Additionally, routers filter traffic based on access control lists (ACLs), and they fragment packets when necessary.
  • Switches
    • Switches combine the functions of repeaters and bridges. A switch amplifies electrical signals, like a repeater, and has the built-in circuitry and intelligence of a bridge.

Saturday, November 29, 2014

6.4 - Types of Transmission


Physical data can be transmitted in different ways: analog or digital. It can also use different schemes for synchronization: synchronous or asynchronous. Additionally, physical data can use either one sole channel over a baseband transmission medium or several different channels over a broadband transmission medium. Transmission can take place as electrical voltage, radio waves, microwaves, or infrared signals.

Analog and Digital

Signals are ways of moving information in a physical format from one point to another. In technology, there are specific carrier signals that move data from one system to another. The carrier signal transports data from one place to another, and this data can be transmitted through analog or digital signaling formats.

Data moved through analog transmission technology (e.g., radio), is represented by characteristics of the waves that are carrying it. “For example, a radio station uses a transmitter to put its data (music) onto a wave that will extend all the way to your antenna. The information is stripped off by the receiver in your radio and presented to you in its original format—a song. The data is encoded onto the carrier signal and is represented by various amplitude and frequency values.” This is shown above.

Asynchronous and Synchronous

Asynchronous and synchronous networking technologies create synchronization rules that are used to govern how systems communicate with each other.

Broadband and Baseband

Broadband technology separates a communication channel into independent sub-channels into which different types of data can be transmitted simultaneously. Baseband technology uses the entire communication channel for its transmission.


Thursday, October 30, 2014

6.3 - TCP/IP Model

Transmission Control Protocol/Internet Protocol (TCP/IP) is a suite of protocols that governs the way data travels from one device to another.

IP is a network layer protocol and provides datagram routing services. IP’s main task is to support internetwork addressing and packet routing. It is a connectionless protocol that envelops data passed to it from the transport layer. It works with other protocols to transmit the data to the destination computer and then reassemble the data back into a form that the application layer can understand and process.

The text explains IP as:

"The data, IP, and network relationship can be compared to the relationship between a letter and the postal system:

  • Data = Letter
  • IP = Addressed envelope
  • Network = Postal system

The message is the letter, which is enveloped and addressed by IP, and the network and its services enable the message to be sent from its origin to its destination, like the postal system."
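The "addressed envelope" is a concrete 20-byte structure, and any device that forwards or filters packets has to read it without trusting it blindly. The following added example (not from the original notes or the CISSP guide) builds an IPv4 header around a constructed payload and parses it back, checking the version, header length and header checksum before any field is used. The addresses are from the documentation ranges (192.0.2.0/24 and 198.51.100.0/24) and the packet contents are made up for the example.

```python
"""Build and parse an IPv4 header: the 'addressed envelope' around the data.

Sanity checks (version, lengths, checksum) run before any field is trusted,
which is what a firewall or intrusion detection sensor must do with packets
from an untrusted network.
"""
import ipaddress
import struct

IPV4_FMT = "!BBHHHBBH4s4s"   # fixed 20-byte header without options


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071). Over a header whose
    checksum field is already filled in, a valid header sums to zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, protocol: int = 6,
                      ttl: int = 64, ident: int = 0x1234, dont_fragment: bool = True) -> bytes:
    """Pack a header, computing the checksum over the zero-filled field."""
    ver_ihl = (4 << 4) | 5                       # version 4, IHL = 5 words = 20 bytes
    flags_frag = 0x4000 if dont_fragment else 0  # DF bit set, fragment offset 0
    hdr = struct.pack(IPV4_FMT, ver_ihl, 0, 20 + payload_len, ident, flags_frag,
                      ttl, protocol, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(packet: bytes) -> dict:
    """Validate and unpack the envelope; raise ValueError rather than act on a
    malformed or corrupted header."""
    if len(packet) < 20:
        raise ValueError("packet shorter than minimum IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, protocol, _csum, src, dst) = struct.unpack(IPV4_FMT, packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    if ihl < 20 or ihl > len(packet) or total_len < ihl or total_len > len(packet):
        raise ValueError("inconsistent header/total length")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("header checksum mismatch")
    return {
        "version": version, "header_len": ihl, "tos": tos, "total_len": total_len,
        "ident": ident, "ttl": ttl, "protocol": protocol,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "payload": packet[ihl:total_len],      # the "letter" inside the envelope
    }


def is_valid_ipv4_header(packet: bytes) -> bool:
    """Convenience wrapper for filtering code that only needs a yes/no."""
    try:
        parse_ipv4_header(packet)
        return True
    except ValueError:
        return False


# Constructed sample: a UDP (protocol 17) datagram between two TEST-NET addresses.
SAMPLE_PAYLOAD = b"letter in the envelope"
SAMPLE_PACKET = build_ipv4_header("192.0.2.10", "198.51.100.7",
                                  len(SAMPLE_PAYLOAD), protocol=17) + SAMPLE_PAYLOAD

if __name__ == "__main__":
    for field, value in parse_ipv4_header(SAMPLE_PACKET).items():
        print(f"{field:16s} {value!r}")
```

The parser rejects a packet whose TTL has been altered without recomputing the checksum, a truncated packet, and an IPv6 packet handed to an IPv4 path, which is the kind of input a forwarding device sees constantly and must not act on.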

6.2 - Open Systems Interconnection Reference Model



The ISO (International Organization for Standardization) worked to develop a protocol set to be used by all vendors throughout the world, in order to allow the interconnection of network devices.

This ideology was perpetuated with the intent of ensuring all vendor products and technologies could communicate and interact across international and technical boundaries.

The protocol did not catch on as a standard, but the model of this protocol set, the OSI model, was adopted and is used as an abstract framework to which most operating systems and protocols adhere.

6.1 - Telecommunications & Network Security

Telecommunications and networking use various devices, software, and protocols that are interrelated and integrated.

Telecommunications is the electrical transmission of data among systems, whether through analog, digital, or wireless transmission types. Networking, on the other hand, is more complex in the computer field because of evolving technologies. Modern technologies are improving exponentially in functionality and security, month by month. Oftentimes there seem to be new and emerging technologies that must be learned, understood, implemented, and secured.

Network administrators must know how to configure networking software, protocols and services, and devices, deal with interoperability issues, and troubleshoot effectively.

5.5 - Perimeter Security (Part II)

As previously discussed, perimeter security deals with facility and personnel access controls, external boundary protection mechanisms, intrusion detection, and corrective actions. Here, we will discuss the elements that make up these categories.


  • Facility Access Control
    • When it comes to physical security, access control needs to be enforced through both physical and technical components. Having personnel within sensitive areas is one of the best security controls because they can personally detect suspicious behavior. However, they need to be trained on what activity is considered suspicious and how to report it.
  • Personnel Access Controls
    • Proper identification is needed to verify whether the person attempting to access a facility or area should actually be allowed in. Identification and authentication can be verified by matching an anatomical attribute (biometric system), using smart or memory cards (swipe cards), presenting a photo ID to a security guard, using a key, or providing a card and entering a password or PIN.
    • Additionally, this helps stop piggybacking, in which an individual gains unauthorized access by using someone else's legitimate credentials or access rights.
  • External Boundary Protection Mechanisms
    • Proximity protection components are usually put into place to provide one or more of the following services:
      • Control pedestrian and vehicle traffic flows
      • Various levels of protection for different security zones
      • Buffers and delaying mechanisms to protect against forced entry attempts
      • Limit and control entry points

5.5 - Perimeter Security (Part I)

The first line of defense is perimeter control at the physical site location; this prevents unauthorized access to the facility. Perimeter security deals with facility and personnel access controls, external boundary protection mechanisms, intrusion detection, and corrective actions.

Perimeter Security Defense Model:

This defense model works in two main modes: 

1) During normal facility operations
    • When the facility is in operation, security gets more complicated because authorized individuals need to be distinguished from unauthorized individuals.
2) After the facility is closed
    • When closed, all doors should be locked with monitoring mechanisms in strategic positions to alert security personnel of suspicious activity. 


5.4 - Internal Support Systems

When dealing with physical security, support services must also be considered, because their malfunction or disruption could negatively affect the organization in many ways.

For example, in August of 2003, eight East Coast states (and parts of Canada) lost power for several days. During the investigation, there were rumors of a worm causing this disruption; however, the official report attributed it to a software bug in GE Energy's XA/21 system. This left over 50 million people without power for days and resulted in four nuclear power plants being shut down. Security professionals working with organizations must be able to handle both the smaller issues, such as power surges or sags, and the massive issues, such as what happened in the United States and Canada on August 14, 2003.

  • Electric Power
    • Protecting power can be done in three ways: through UPSs, power line conditioners, and backup sources.
  • Environmental Issues
    • Improper environmental controls can cause damage to services, hardware, and lives, and the interruption of some services can cause unpredictable results.
    • Maintaining appropriate temperature and humidity is important in any facility, especially facilities with computer systems. Improper levels of either can cause damage to computers and electrical devices. High humidity can cause corrosion, and low humidity can cause excessive static electricity. This static electricity can short out devices, cause the loss of information, or provide amusing entertainment for unsuspecting employees.
  • Ventilation
    • Ventilation has several requirements that must be met to ensure a safe and comfortable environment.
    • A closed-loop recirculating air-conditioning system should be installed to maintain air quality. This means the air within the building is reused after it has been properly filtered, instead of bringing outside air in.
    • Positive pressurization and ventilation should also be implemented to control contamination. Positive pressurization means that when an employee opens a door, the air goes out, and outside air does not come in. 
  • Fire Prevention, Detection, and Suppression
    • Fire prevention includes training employees on how to react properly when faced with a fire, supplying the right equipment and ensuring it is in working order, making sure there is an easily reachable fire suppression supply, and storing combustible elements in the proper manner. 
    • Fire detection includes manual detection systems, such as the red pull-box response systems seen on many building walls, and automatic detection response systems built with sensors that react when they detect the presence of fire or smoke.
    • Fire suppression is the use of a suppression agent to put out a fire. This takes place manually through handheld portable extinguishers, or via automated systems such as water sprinkler systems, or halon or CO2 discharge systems.

Tuesday, October 21, 2014

5.3 - Protecting Assets

In this section, we identify the main physical security components used to fight threats such as theft, interruption of services, physical damage, compromised system and environment integrity, and unauthorized access.

The loss from these components being damaged, as well as the cost to replace the systems, consultant fees, and the additional negative effects on productivity and customer confidence, are considered real losses. Although companies are generally prepared for these types of losses through the use of risk analysis tools, oftentimes the data held within these systems is of far greater value than the physical systems themselves.

The risk of physical theft can be mitigated by taking the following measures:

• Inventory all laptops, including serial numbers, so they can be properly identified if recovered.
• Password-protect the BIOS.
• Register physical devices with the vendor so that a report can be filed if they are stolen.
• Do not check physical devices as luggage when flying.
• Never leave a physical device unattended (it should be carried in a nondescript carrying case).
• Engrave the device with a symbol or number for proper identification.
• Back up the data from the laptop and store it on a stationary PC or backup media.
• Use specialized safes.
• Encrypt the data.

Wednesday, October 15, 2014

5.2 - The Planning Process


Physical security programs depend on the level of protection needed by the organization they are designed to protect. Typically, this depends on the organization's acceptable level of risk. When an organization defines its acceptable level of risk, it must first plan around the laws and regulations it has to comply with and the threat profile of the overall organization.


Monday, October 13, 2014

5.1 - Introduction to Physical Security

In the early days of computing (circa 1960-1970), the physical security of computers and their resources was not nearly as difficult as it is in modern times. This is because those computers were large, comprising mostly mainframes secured away in server rooms, and because only a limited number of individuals knew what to do with them.

In present day, most computers are compact enough to sit on desks in every company around the world. Also, access to devices and other resources is distributed throughout the environment. Organizations now have server rooms and remote mobile users that take computers out of the company facility. "Properly protecting these computer systems, networks, facilities, and employees has become an overwhelming task to many companies." -CISSP: All In One Exam Guide


Sunday, October 12, 2014

4.4 - Open vs. Closed Systems


Open systems are built upon “standards, protocols, and interfaces that have published specifications”. This type of architecture provides interoperability between computer products created by various vendors. This interoperability is provided by all the vendors involved following certain standards and providing interfaces that enable their systems to communicate with other systems.

A vast majority of the systems in use today are open. The book states that the reason an administrator can have several different operating systems on computers that still communicate easily on the same network is that these platforms are open.

Closed architecture systems do not require or follow industry standards. Interoperability and standardized interfaces are not used to create simple communication between different types of systems; these systems are proprietary.

A closed architecture can potentially provide more security to the system because it may operate in a more secluded environment than open systems do. This is due to the proprietary nature of these closed systems: there are few tools to thwart their security mechanisms and not as many individuals who understand their design, language, and security weaknesses well enough to exploit them.

4.3 - System Security Architecture

First, security starts at the policy level, which serves as a high-level directive that provides the foundational goals for an overall system.

A security policy is a strategic tool that dictates how sensitive information and resources are managed and protected. A security policy states exactly what the security level should be once the goals of the security mechanisms are defined. The security policy also acts as a baseline for evaluating a system after it is built.

Security Architecture Requirements
  • Trusted Computing Base: the collection of all the hardware, software, and firmware components within a system. These components enforce the system's security policy.

Security Kernel
  • Similar to the Trusted Computing Base, the Security Kernel is made up of hardware, software, and firmware components. However, the security kernel mediates all access functions between subjects and objects. This makes the security kernel the core of the most commonly used approaches to building trusted computing systems.

4.2 - Operating System Architecture

Operating system architectures have undergone changes based on industry functionality and security needs. The architecture identifies how the parts of the operating system operate with each other and the functionality that the applications require.

The complexity in operating systems lies in the architectural approaches to what runs in kernel mode. As seen below, in a monolithic architecture, all of the operating system processes operate in kernel mode.

MS-DOS, an early operating system, had an architecture based upon monolithic design. The whole operating system acted as a software layer between user applications and the actual hardware. The issues that tend to arise with this design are complexity, portability, extensibility, and security.

If a flaw is found in a software component, it becomes difficult to localize and quickly fix it, since the core code functionality is spread throughout the system.

Alternatively, layered operating system architectures divide system functionality into hierarchical layers.
One system that followed a layered architecture had five layers of functionality:
  • Layer 0 controlled processor access and provided multiprogramming functionality;
  • Layer 1 carried out memory management;
  • Layer 2 provided interprocess communication;
  • Layer 3 dealt with I/O devices;
  • Layer 4 was where the applications resided.
Each of the processes at the different layers had interfaces to be used by processes in the layers below and above them.

4.1 - Computer Architecture

Computer architecture encompasses all of the functioning parts of a computer system, including the operating system, memory chips, storage devices, and input and output devices, security components, buses, and networking interfaces. The relationships and internal working of these components can be quite complex, and making them work together in a secure fashion consists of complicated methods and mechanisms.

4 - Security Architecture Introduction

The majority of the compromises organizations around the world experience stem from flaws in software. Perimeter security technology (firewalls, intrusion detection systems, and so on) improves frequently, but the software that carries out critical processing still contains a great many vulnerabilities, and these are exploited on a daily basis. A perimeter control cannot compensate for a flaw in an application that it is required to let traffic reach.

3.5 - Threats to Access Control

Generally, there is a higher risk that an attacker will attempt to cause issues from within an organization than from outside it. 

An outside attacker can enter a system through remote access entry points, firewalls, and even web servers; an outsider can also break in physically, carry out social engineering attacks, or exploit partner communication paths. Insiders have legitimate reasons for using the systems and resources; however, misuse does occur, and an insider can launch an actual attack.

The danger of insiders is that they have already been given a wide range of access that an outside attacker would have to work to obtain; they usually have intimate knowledge of the environment; and, generally, they are trusted. 

In the previous section, we discussed the different types of access control mechanisms. These serve to keep outsiders out, restrict insiders to the minimum access they need, and audit their actions. Here we will look at some specific attacks commonly carried out in environments today by insiders or outsiders.

Dictionary Attacks

  • This type of program takes lists (dictionaries) of commonly used words or character combinations and compares them against captured passwords. Because the system password file stores passwords in a one-way hash format, the program hashes each word the same way the system does and compares the result with the stored hash. 
  • If a match is found, the program has uncovered a password. Dictionaries come with password-cracking programs, and additional dictionaries can be found on several sites on the Internet. A salted, deliberately slow hash function does not stop the attack, but it forces the attacker to hash every candidate separately for every user and raises the cost of each guess.

Brute Force Attacks

  • Brute force means trying every possible combination until the correct one is identified. In a brute force password attack, the tool generates candidates from a chosen character set, shortest first, hashes each one, and compares it with the captured hash. A properly designed hash gives no feedback until the entire guess is correct, so the tool cannot confirm one character at a time; the number of guesses grows exponentially with the password length and the size of the character set. The search continues until a match is found or the search space is exhausted. Against a live logon prompt (online brute force) the same approach is throttled by the lockout practices described in the Access Control Practices post.
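The two attacks above, dictionary and brute force, run against a captured hash file, as an added example that is not part of the original post. The file format (user:salt:sha256hex), the per-user salted SHA-256 scheme, the wordlist, and the sample accounts are all assumptions constructed for the example; real password stores should use a slow, memory-hard function such as bcrypt, scrypt, or Argon2, which changes the cost of each guess but not the logic shown here:

```python
import hashlib
import itertools
import string

# Added example: offline dictionary and brute-force attacks against a captured
# password file. The file format (user:salt:sha256hex) and the per-user salted
# SHA-256 scheme are assumptions for this example; real systems should use a
# slow, memory-hard KDF (bcrypt, scrypt, Argon2), which makes every guess far
# more expensive but does not change the attack logic shown here.


def hash_password(salt: str, password: str) -> str:
    """One-way hash as the (assumed) system stores it: sha256(salt || password)."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def make_sample_password_file() -> str:
    """Constructed sample data standing in for a captured /etc/shadow or DB dump."""
    entries = [
        ("alice", "a1b2", "sunshine"),     # a common word: falls to the dictionary
        ("bob", "c3d4", "zq7"),            # short and random-looking: falls to brute force
        ("carol", "e5f6", "Tr0ub4dor&3"),  # survives both searches below
    ]
    return "\n".join(f"{u}:{s}:{hash_password(s, p)}" for u, s, p in entries)


def parse_password_file(text: str) -> dict:
    """Map each user to (salt, stored_hash); skips blank and comment lines."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, salt, digest = line.split(":")
        records[user] = (salt, digest)
    return records


# A tiny stand-in for the wordlists that ship with password-cracking tools.
DICTIONARY = ["password", "123456", "sunshine", "letmein", "qwerty", "welcome"]


def dictionary_attack(records: dict, wordlist) -> dict:
    """Hash every dictionary word with each user's salt and compare to the stored hash."""
    cracked = {}
    for user, (salt, digest) in records.items():
        for word in wordlist:
            if hash_password(salt, word) == digest:
                cracked[user] = word
                break
    return cracked


def brute_force_attack(records: dict,
                       charset: str = string.ascii_lowercase + string.digits,
                       max_len: int = 3) -> dict:
    """Try every string over `charset` up to `max_len`, shortest first.

    The hash gives no feedback until the whole guess is right, so the search
    cannot confirm one character at a time; the cost grows as len(charset)**length,
    which is why length and character-set size matter more than "complexity" rules.
    """
    cracked = {}
    for user, (salt, digest) in records.items():
        for length in range(1, max_len + 1):
            for combo in itertools.product(charset, repeat=length):
                candidate = "".join(combo)
                if hash_password(salt, candidate) == digest:
                    cracked[user] = candidate
                    break
            if user in cracked:
                break
    return cracked


if __name__ == "__main__":
    records = parse_password_file(make_sample_password_file())
    print("dictionary:", dictionary_attack(records, DICTIONARY))  # {'alice': 'sunshine'}
    print("brute force:", brute_force_attack(records))            # {'bob': 'zq7'}
```

The brute-force search over three characters from a 36-symbol alphabet is about 47,000 hashes per user, which a laptop finishes instantly; every additional character multiplies that by 36, and every additional symbol class raises the base, which is the whole argument for long passwords over short "complex" ones.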


Spoofing at Logon

  • This program presents the user with a fake logon screen that tricks the user into attempting to log on. The user is asked for credentials such as a username and password, which the attacker stores to use at a later time. The user does not know that this is not the usual logon screen, because the two look exactly the same. A fake error message may then appear, indicating that the user mistyped the credentials, after which the real logon screen is shown. This is the attack the Windows secure attention sequence (Ctrl+Alt+Del) is designed to defeat: only the operating system can intercept it, so pressing it guarantees that the logon screen that follows is the genuine one.

Phishing and Pharming

  • Phishing is a type of social engineering designed to obtain personal information, credentials, credit card numbers, and financial data. The attackers lure, or fish, for sensitive data through various methods, typically a message that directs the victim to a counterfeit site. Pharming reaches the same end without luring the victim: DNS records or the local hosts file are tampered with so that the correct address still resolves to the attacker's site.

    Wednesday, October 8, 2014

    3.4 - Access Control Practices

    In this section, we will discuss additional measures that ensure there is no unnecessary open access, so that the environment stays at the level of security that has been established. 

    This means that good access control practices need to be implemented from the beginning and then maintained. Failing to keep them up to date is usually what introduces the most vulnerabilities into an environment.

    These practices include:
    • Deny access to systems to undefined users or anonymous accounts.
    • Limit and monitor the usage of administrator and other powerful accounts.
    • Suspend or delay access capability after a specific number of unsuccessful logon attempts.
    • Remove obsolete user accounts as soon as the user leaves the company.
    • Suspend inactive accounts after 30 to 60 days.
    • Enforce strict access criteria.
    • Enforce the need-to-know and least-privilege practices.
    • Disable unneeded system features, services, and ports.
    • Replace default password settings on accounts.
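Two of these practices as code, as an added example not taken from the original post: a lockout tracker for the "suspend or delay access after unsuccessful logon attempts" practice, and an audit over an account inventory that flags anonymous accounts, default passwords, inactive accounts, and inactive accounts that are also privileged. The Account fields, the thresholds, the account names, and the sample inventory are all assumptions constructed for the example:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Added example: two of the access control practices above turned into code.
# The Account fields, thresholds and sample data are assumptions for the example.

ANONYMOUS_NAMES = {"guest", "anonymous", "nobody"}   # assumed list of undefined/anonymous accounts


class LockoutTracker:
    """Suspend access after `max_failures` consecutive bad logons for `lockout`."""

    def __init__(self, max_failures: int = 5, lockout: timedelta = timedelta(minutes=15)):
        self.max_failures = max_failures
        self.lockout = lockout
        self._failures: Dict[str, int] = {}          # user -> consecutive failures
        self._locked_until: Dict[str, datetime] = {} # user -> end of lockout window

    def is_locked(self, user: str, now: datetime) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:                 # window expired: clear state for a fresh start
            del self._locked_until[user]
            self._failures[user] = 0
            return False
        return True

    def attempt(self, user: str, password_ok: bool, now: datetime) -> bool:
        """Return True only if the logon is accepted.

        A locked account is refused before the password is even considered, so an
        online brute-force attacker gets no signal and no further guesses during
        the lockout; a correct password submitted while locked is still refused.
        """
        if self.is_locked(user, now):
            return False
        if password_ok:
            self._failures[user] = 0
            return True
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= self.max_failures:
            self._locked_until[user] = now + self.lockout
        return False


@dataclass
class Account:
    name: str
    last_logon: Optional[datetime]       # None means the account has never logged on
    is_admin: bool = False
    password_is_default: bool = False
    enabled: bool = True


def audit_accounts(accounts: List[Account], now: datetime,
                   inactive_days: int = 60) -> Dict[str, List[str]]:
    """Return finding codes for every enabled account that violates a practice above."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        if not acct.enabled:
            continue                     # already suspended: nothing left to flag
        codes = []
        if acct.name.lower() in ANONYMOUS_NAMES:
            codes.append("ANONYMOUS_ACCOUNT_ENABLED")
        if acct.password_is_default:
            codes.append("DEFAULT_PASSWORD")
        if acct.last_logon is None or now - acct.last_logon > timedelta(days=inactive_days):
            codes.append("INACTIVE_SUSPEND")
            if acct.is_admin:            # powerful accounts get extra scrutiny
                codes.append("PRIVILEGED_AND_INACTIVE")
        if codes:
            findings[acct.name] = codes
    return findings


def sample_accounts(now: datetime) -> List[Account]:
    """Constructed inventory, standing in for an export from a directory or local SAM."""
    return [
        Account("alice", now - timedelta(days=2)),
        Account("guest", None, password_is_default=True),
        Account("svc_backup", now - timedelta(days=95), is_admin=True),
        Account("old_contractor", now - timedelta(days=200), enabled=False),
    ]


if __name__ == "__main__":
    now = datetime(2014, 10, 8, 9, 0, 0)
    for name, codes in audit_accounts(sample_accounts(now), now).items():
        print(name, codes)
```

The tracker refuses a locked account before looking at the password, so an online brute-force attacker gets neither a success signal nor further guesses during the lockout window. The audit returns machine-readable codes rather than prose so it can feed a ticket or a scheduled suspension instead of a report someone has to read.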

    3.3 - Access Control Methods

    As stated in the last post, access controls are often implemented at various layers of a system. Some of these controls act as core components of operating systems, devices, and applications.

    Access Control Levels

    Access control consists of three main categories: administrative, technical, and physical. Each category has different access control mechanisms, which are carried out manually or automatically.

    Administrative Controls
    • Policy and procedures
    • Personnel controls
    • Supervisory structure
    • Security-awareness training
    • Testing
    Physical Controls
    • Network segregation
    • Perimeter security
    • Computer controls
    • Work area separation
    • Data backups
    • Cabling
    • Control zone
    Technical Controls
    • System access
    • Network architecture
    • Network access
    • Encryption and protocols
    • Auditing

    Administrative Controls

    Administrative controls start with the security policy, which delegates the development of the supporting procedures, standards, and guidelines and indicates which personnel controls should be implemented.

    Monday, October 6, 2014

    3.2 - Access Controls Techniques & Technologies

    As stated by the CISSP All-in-One Exam Guide, access control models are frameworks that dictate how subjects access objects. These frameworks are enforced by the specific control technologies and security mechanisms of each model.

    Discretionary Access Control (DAC)
    • Gives the resource owner the ability to specify which subjects can access specific resources. The model is called “discretionary” because access is controlled at the owner’s discretion (e.g., department managers, as owners of the data within their departments, can specify who should and should not have access).
    • In the DAC model, the access a user receives is whatever authorization the owner has granted. The most common implementation of DAC is an access control list that is set by the owner and enforced by the operating system. “This can make a user’s ability to access information dynamic versus the more static role of mandatory access control (MAC).” -CISSP All-in-One Exam Guide
    Mandatory Access Control (MAC)
    • Unlike the DAC model, users do not have the ability to determine who can access objects; access is decided by security labels on subjects and objects, and only the security administrator sets those labels. Operating systems based on the MAC model greatly reduce the rights, permissions, and functionality that users have, for security purposes. This means that a user cannot “install software, change file permissions, add new users”.  -CISSP All-in-One Exam Guide
    • Such highly specialized systems mainly serve to protect highly classified data held by governmental agencies that maintain top secret information. Consequently, most people have never knowingly interacted with a MAC-based system, although label-based mandatory controls such as SELinux and AppArmor now ship in mainstream Linux distributions.
    Role-Based Access Control (RBAC)
    • Controls are centrally administered to determine subject and object interaction. Access rights are assigned to roles, and a role is defined by the operations and tasks a user needs to carry out to fulfill her responsibilities within the organization. Essentially, access to resources is based on the role the user serves within the organization, so adding a user to a role or removing her from it changes all of that user’s permissions at once.
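The three models side by side as a toy implementation, an added example that is not from the CISSP All-in-One Exam Guide or the original post. Everything in it is an assumption for illustration: the object and role names, the four-level label lattice, and the no-read-up / no-write-down rules used for the MAC check (these are the Bell-LaPadula confidentiality rules, which the post does not cover). The thing to notice is who is allowed to change the decision in each case: the owner in DAC, only the security administrator who sets labels in MAC, and the central role administrator in RBAC:

```python
from enum import IntEnum
from typing import Dict, Set

# Added example: toy DAC, MAC and RBAC decision functions. Names, labels and
# the no-read-up / no-write-down MAC rules are assumptions for this example.


class DACObject:
    """DAC: the owner decides. The ACL lives with the object, and only holders
    of the 'grant' permission (initially just the owner) may change it."""

    def __init__(self, owner: str):
        self.owner = owner
        self.acl: Dict[str, Set[str]] = {owner: {"read", "write", "grant"}}

    def grant(self, granter: str, subject: str, perms: Set[str]) -> None:
        if "grant" not in self.acl.get(granter, set()):
            raise PermissionError(f"{granter} may not change this ACL")
        self.acl.setdefault(subject, set()).update(perms)

    def allowed(self, subject: str, perm: str) -> bool:
        return perm in self.acl.get(subject, set())


class Level(IntEnum):
    """Assumed four-level classification lattice used for the MAC labels."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def mac_allowed(clearance: Level, classification: Level, op: str) -> bool:
    """MAC: labels are set by the security administrator, not the owner, and the
    OS enforces them. Read requires clearance >= classification (no read up);
    write requires clearance <= classification (no write down), so a SECRET
    process cannot copy what it has read into a CONFIDENTIAL file."""
    if op == "read":
        return clearance >= classification
    if op == "write":
        return clearance <= classification
    raise ValueError(f"unknown operation {op!r}")


class RBAC:
    """RBAC: permissions attach to roles, users are assigned roles, and both
    mappings are administered centrally rather than by resource owners."""

    def __init__(self):
        self.role_perms: Dict[str, Set[str]] = {}
        self.user_roles: Dict[str, Set[str]] = {}

    def define_role(self, role: str, perms: Set[str]) -> None:
        self.role_perms[role] = set(perms)

    def assign(self, user: str, role: str) -> None:
        if role not in self.role_perms:
            raise KeyError(f"undefined role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user: str, role: str) -> None:
        # Removing one role removes every permission that came with it at once.
        self.user_roles.get(user, set()).discard(role)

    def allowed(self, user: str, perm: str) -> bool:
        return any(perm in self.role_perms[r] for r in self.user_roles.get(user, ()))


if __name__ == "__main__":
    report = DACObject("manager")
    report.grant("manager", "analyst", {"read"})
    print("DAC analyst read:", report.allowed("analyst", "read"))                 # True
    print("MAC secret reads top secret:", mac_allowed(Level.SECRET, Level.TOP_SECRET, "read"))  # False
    rbac = RBAC()
    rbac.define_role("auditor", {"read_logs"})
    rbac.assign("carol", "auditor")
    print("RBAC carol deletes logs:", rbac.allowed("carol", "delete_logs"))      # False
```

In the DAC class the analyst cannot pass the report on to anyone else because she was never given 'grant'; in a real DAC system that is exactly the gap that lets an owner (or malware running as the owner) hand data to whomever it likes, which is the weakness MAC exists to close.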

    Thursday, October 2, 2014

    3.1 - Access Controls & Authorization

    In this section, I will be discussing Access Control, one of the domains of information security. 

    Access Controls:
    When protecting assets, access controls act as the first line of defense. An example of this is the login check on a web application, which restricts access to unauthorized users.

    These controls are typically administrative, physical, or technical in nature and should be applied in a layered approach, ensuring that an intruder would have to compromise more than one countermeasure to reach critical assets.

    Security Principles:
    In the previous chapter, we learned that security management procedures include identifying threats that negatively impact the availability, integrity, and confidentiality of the company’s assets, and then implementing cost-effective countermeasures for protection.

    • Availability
      • Information, systems, and resources must be available to users in a timely manner so that productivity is not affected.
    • Integrity
      • Information that is gathered must be accurate, complete, and protected from unauthorized modification. When a security mechanism provides integrity, it protects data, or a resource, from being altered in an unauthorized fashion.
    • Confidentiality
      • This assures that information is not disclosed to unauthorized individuals, programs, or processes. Some information is more sensitive than other information and requires a higher level of confidentiality. Control mechanisms need to be in place to dictate who can access data and what the subject can do with it once they have accessed it.  


    Thursday, September 25, 2014

    Security Definitions

    More often than not, the terms vulnerability, threat, risk, and exposure are used interchangeably. 

    It is important to acknowledge that these words have separate and distinct meanings.

    Vulnerability

    - the lack of a countermeasure, or a weakness in a countermeasure that is in place 

    e.g., unnecessary services running on a server, unpatched applications or operating systems, an unrestricted wireless access point

    Threat
    - any potential danger that is associated with the exploitation of a vulnerability

    e.g., someone, or something, will identify a specific vulnerability and use it against the company or individual

    Risk
    - the likelihood of a threat agent exploiting a vulnerability and the corresponding business impact

    Exposure
    - an instance of being exposed to losses; a vulnerability exposes an organization to possible damage, and the loss occurs when a threat agent actually takes advantage of it


    Thursday, September 18, 2014

    Fundamental Principles of Security


    Within security there are three core goals which security must provide: availability, integrity, and confidentiality. These pillars form the AIC triad, which is designed to protect critical assets. 

    Each asset requires different levels of protection, security controls, mechanisms, and safeguards to be implemented to provide one or more of these protection types, and all risks, threats, and vulnerabilities are measured for their potential capability to compromise one or all of the AIC principles.

    Availability

    - ensures timely and reliable access to data and resources for authorized individuals

    e.g., RAID disk arrays, redundant data and power lines

    Integrity

    - assures accuracy by preventing unauthorized modification and creates reliability of information and systems

    e.g., hashing (data integrity), configuration management (system integrity), change control (process integrity) 

    Confidentiality

    - verifies that the necessary level of secrecy has been enforced at each junction of data processing to prevent unauthorized disclosure

    e.g., data encryption at rest (whole disk, database encryption), data encryption in transit (IPsec, SSL/TLS, PPTP, SSH). Note that SSL proper (as opposed to TLS) and PPTP are both considered broken today, PPTP because of its MS-CHAPv2 authentication; in current deployments use TLS 1.2 or later, IPsec, or SSH.

    Tuesday, September 16, 2014

    10 CISSP Domains

    In the last post, I mentioned that the CISSP Certification Exam covers ten different security domains. These disciplines are defined as:
    1. Access Control
    2. Telecommunications and Network Security
    3. Information Security Governance and Risk Management
    4. Software Development Security
    5. Cryptography
    6. Security Architecture and Design
    7. Security Operations
    8. Business Continuity and Disaster Recovery Planning
    9. Legal, Regulations, Investigations, and Compliance
    10. Physical (Environmental) Security

    Monday, September 15, 2014

    Defining CISSP

    At this point, you may be wondering what exactly it takes to become a CISSP. First, you should know that before you can earn the CISSP designation, you must pass the CISSP Certification Exam.

    The CISSP certification allows companies to find workers with the ability and experience necessary to implement solid security practices through risk analysis and other countermeasures. Common reasons to pursue the certification include:

    • Growing demand in the security field
    • Increased knowledge of security concepts and practices
    • Bringing expertise to your occupation
    • Being more marketable and competitive in the workforce
    • Showing dedication to the security discipline
    • Higher salary and more employment opportunities
    These are the reasons most often given for becoming a CISSP. The exam questions do require an individual to be familiar with the security subjects across all ten domains; however, many questions on the exam are not detailed and do not require expertise in every subject.

    Wednesday, September 3, 2014

    Intro

    Hello,

    My name is Albert Adeseye, I am a Management Information Systems (MIS) major in the Terry College of Business from the University of Georgia.

    For the next 16 weeks, I will be studying under the supervision of Dr. Piercy of the MIS department focusing on IT security and governance. Our main point of concentration will be guided by the CISSP (Certified Information Systems Security Professional) exam guide, which would further my goal to pursue security in the technology sector and its systems.

    As computing becomes ubiquitous and more pervasive in our everyday lives, internet security continues to be a growing concern. Throughout this course, I aim to understand what steps can be implemented to prevent current security vulnerabilities and what measures should be undertaken for the future of technology.

    -AA