Chapter 6 - Security Operations and Administration, Chapter 7 - Auditing, Testing and Monitoring
Prudent
A reasonable list of things is permitted; all others are prohibited. This permission level is suitable for most businesses.
Blanket purchase agreement
A streamlined method of meeting recurring needs for supplies or services
Protocol patterns
Another way to identify attacks without a signature is to look for deviations from protocols.
Mitigation activities
Any actions intended to reduce or address vulnerabilities found in either penetration tests or vulnerability tests.
Permissive
Anything not specifically prohibited is OK. This permission level is suitable for most public Internet sites, some schools and libraries, and many training centers.
Techniques for security monitoring
Baselines; alarms, alerts, and trends; closed-circuit TV
Secure
Ensure that new, and existing, controls work together to protect the intended level of security.
Promiscuous
Everything is allowed. This permission level is used by many home users but makes it easier for attackers to succeed.
Post audit activities
Exit interview; data analysis; generation of audit report
Generation of audit report
Findings; recommendations; timeline for implementation; level of risk; management response; follow-up
Goal of penetration testing
Identify threats; bypass controls; exploit vulnerabilities
Goals of vulnerability testing
Identify vulnerabilities (passively); document lack of security control or misconfiguration; examine vulnerabilities related to credentialed and noncredentialed users
Improve
Include proposals to improve the security program and controls in the audit results. This step applies to the recommended changes as accepted by management.
Steps in system life cycle
Project initiation and planning; system design specification; build (develop) and document; acceptance testing; implementation (transition to production); operations and maintenance; disposal
How to collect audit data
Questionnaires; interviews; observation; checklists; reviewing documentation; reviewing configurations; reviewing policy; performing security testing
Monitor
Review and measure all controls to capture actions and changes on the system.
Audit
Review the logs and overall environment to provide independent analysis of how well the security policy and controls work.
Auditor throughout planning and execution phases
Survey the site(s); review documentation; review risk analysis output; review server and application logs; review incident logs; review results of penetration tests
Certifier
The individual or team that is responsible for performing the security test and evaluation (ST&E) for the system.
Organizational compliance
The organization must comply with its own policies, audits, culture, and standards.
Regulatory compliance
The organization must comply with laws and government regulations.
System Owner
The person responsible for the daily operations of the system and for ensuring that the system continues to operate in compliance with the conditions set out by the AO.
configuration management
The process of managing all changes to computer and device configurations.
Authorizing official
The senior manager who must review the certification report and make the decision to approve the system for implementation.
Statistical-based methods
These develop baselines of normal traffic and network activity. The device creates an alert when it identifies a deviation.
Network and network devices
These include access, traffic type and patterns, malware, and performance.
Traffic-based methods
These signal an alert when they identify any unacceptable deviation from expected behavior based on traffic.
Reconnaissance
This activity involves reviewing the system to learn as much as possible about the organization, its systems, and its networks.
change control committee
This committee oversees all proposed changes to systems and networks.
Host-based activity
This includes changes to systems, access requests, performance, and startups and shutdowns.
Network mapping
This phase uses tools to determine the layout and services running on the organization's systems and networks.
Paranoid
Very few things are permitted; all others are prohibited and carefully monitored. This permission level is suitable for secure facilities.
False positives
alerts that seem malicious yet are not real security events.
Memorandum of understanding
an agreement between two or more parties that expresses areas of common interest that result in shared actions.
Interconnection security agreement
an agreement that documents the technical requirements of interconnected assets.
SOC 2 and SOC 3 reports
both address primarily security-related controls. The security-related controls in these reports are critical to the success of today's technology service provider organizations.
functional policy
declares an organization's management direction for security in such specific functional areas as email, remote access, and Internet surfing.
Baselines
define basic configurations for specific types of computers or devices.
False negatives
failure of the alarm system to detect a serious event.
Security Information and Event Management
helps organizations manage the explosive growth of their log files. It provides a common platform to capture and analyze entries.
Stateful matching
improves on simple pattern matching. It looks for specific sequences appearing across several packets in a traffic stream rather than just in individual packets.
Controls that monitor activity
intrusion detection systems (IDSs), intrusion prevention systems (IPSs), and firewalls.
Remediation
involves fixing something that is broken or defective. With computer systems, remediation refers to fixing security vulnerabilities.
Penetration testing
is a focused attack to exploit a discovered vulnerability.
classifying data
is the duty of the person who owns the data or of someone the owner assigns.
Configuration Control
is the management of the baseline settings for a system device. The baseline settings meet security requirements. They require that you implement them carefully and only with prior approval.
Host isolation
isolates one or more host computers from your internal networks and creates a demilitarized zone.
Non-real-time monitoring
keeps historical records of activity.
Compliance Liaison
makes sure all personnel are aware of—and comply with—the organization's policies.
proactive change management
management initiates the change to achieve a desired goal.
reactive change management
management responds to changes in the business environment.
Job rotation
minimizes risk by rotating employees among various systems or duties.
SOC 1 report
primarily focuses on internal controls over financial reporting (ICFR). This type of report is often used to prepare financial statements for the user organization and to implement proper controls to ensure the confidentiality, integrity, and availability of the data generated by the financial reporting requirements.
Real-time monitoring
provides information on what is happening as it happens.
Event logs
records of actions that your operating system or application software create. An event log records which user or system accessed data or a resource and when.
Anomaly-based IDSs
sometimes called profile-based systems, compare current activity with stored profiles of normal (expected) activity.
Change Control
the management of changes to the configuration.
Benchmark
the standard to which your system is compared to determine whether it is securely configured.
Hardening
to change hardware and software configurations to make computers and devices as secure as possible.
Vulnerability testing
tries to find a system's weaknesses.
Pattern- or signature-based IDSs
using what's known as rule-based detection, rely on pattern matching and stateful matching to compare current traffic with activity patterns (signatures) of known network attacks.
Security Administration
within an organization refers to the group of individuals responsible for planning, designing, implementing, and monitoring an organization's security plan.