Chapter 10

Typically, standard and process documents have a well-defined format. A common format includes the following sections:

1. Document number 2. Title 3. Version/Date 4. Purpose 5. Background 6. Standard/Process 7. Roles and Responsibilities 8. Effective dates 9. Information and Assistance 10. Approval 11. Associated resources

What is the difference between Guidelines and Standards?

A guideline is a strong recommendation. A standard is a required control. A guideline recognizes that there are many acceptable ways to approach a problem, but provides one approach considered acceptable to the organization

What is the difference between a stateful and stateless firewall?

A stateful firewall watches all the traffic for a given connection. It inspects the packets containing the data and looks for patterns and sequences that don't make sense. This is useful for blocking packets from someone pretending to be someone else in an attempt to hijack your session. A stateless firewall looks at each packet independently. It is not aware of what came before and does not try to predict what should come next. It restricts and blocks traffic based on source and destination addresses or other static values. A stateless firewall uses simple rules that do not account for the possibility that a packet might be received by the firewall "pretending" to be something it's not. Stateless firewalls seldom exist anymore. Even the free firewall that comes with Windows 10 is a stateful packet inspection (SPI) firewall. Most firewalls today are stateful. In fact, many also include even more advanced features such as application firewalls. An application firewall includes additional features to protect a specific application. The classic example is a web application firewall (WAF). A WAF still conducts stateful packet inspection, but it also has specific countermeasures for common web attacks, such as SQL injection and cross-site scripting. Cross-site scripting is often referred to as XSS

Why are audits so important?

Any security-relevant event needs to be written to a log. Qualified personnel review these logs to determine if a security problem has occurred. These individuals determine who, what, where, and when activity caused the problem. Audit logs determine compliance issues, hardware misconfiguration errors, and application software security problems. They are useful in reconstructing actions that took place during a security incident. Audit logs should be well protected and only accessed by those people authorized by management

A ____ standard, for example, is a central responsibility. The standard tries to keep a workstation free from viruses and other malware. The policy is a preventive and detective control. It tries to prevent an infection by installing scanning software. It also requires the user to detect and report symptoms of an infection

Malicious Code Protection

A well-defined format will allow that individual to quickly sort through a large amount of data and focus on information of interest. Online tools can help make the collection of documents more manageable and searchable. Use online collaboration tools such as ____. Many of these tools come out of the box as preconfigured and searchable document libraries

Microsoft SharePoint

____ is important whenever baseline standards are implemented. Once configuration baselines are applied, you need to ensure these controls stay in place

Monitoring

There are several approaches that can further mitigate security risks, regardless of the approach implemented. The first is ____. It functions by scanning a device when it first connects. This scan looks to see if the device meets minimum security requirements and has no obvious malware on it. This can be done in either an agentless or agent manner. The agent approach installs a small software agent on the device in order to scan. This is far more effective, but some people object to the agent being installed

Network Access Control (NAC)

The number of threats against a network can be substantial. The ability to assess these threats takes a combination of technical knowledge and experience. ____ can transfer that experience and knowledge by walking an individual through core principles and different ways to look at LAN risks

Guidelines

____ for implementing control standards are useful to planners and managers

Guidelines

An ____ is a server that acts as an intermediary between users and the Internet. The server receives requests and responses and filters unwanted traffic.

Internet proxy

____ focus on connectivity, such as defining how devices attach to the network. The policies also define how to control traffic, such as through segmentation and router filtering.

LAN security policies

The ____ domain refers to the technical infrastructure that connects an organization's LAN to a wide area network (WAN). The main concern is controlling network traffic between the outside network, or the WAN, and the private network, or the LAN

LAN-to-WAN

____ in this domain (the WAN domain) tend to focus on configuration and maintenance of the WAN. This may include specific configuration procedures for WAN devices such as routers and firewalls.

Procedures

The ____ domain refers to the technology that controls how end users connect to an organization's LAN remotely. An example is someone needing to connect to the office network from his or her home or on the road

Remote Access

____ generally refers to the ability to authenticate once to get onto the network and then be automatically authenticated on different devices and applications after that

Single sign-on

Control standards for the LAN domain address a wide array of connectivity issues such as firewall controls, denial of service (DoS) protection, and Wi-Fi security control. Wireless connectivity is also a part of the Workstation domain. This is a good example of a ____. It also underscores the importance of configuring workstations and servers to protect data as it leaves a workstation and travels on a network.

cross-domain security issue

When you do see WAN-specific standards, they address WAN management, Domain Name System (DNS), router security, protocols, and web services. The standards might call out specific security requirements for WAN devices such as routers, switches, and wireless devices (T/F)

True

A ____ is a network that covers a large geographical area; the Internet is an example of one

WAN

____ are an example of a WAN guideline. It describes when and how web services may be used. DNS management guidelines are another example that offers recommendations on the use of DNS within the LAN and WAN environments

Web services

____ relate to any computing device used by an end user. Devices are often a user's desktop or laptop computer

Workstation domain policies

Because there are no clearly drawn lines between domains, you need to ensure that requirements between the domains do not conflict. To give a simple example...

a conflict could arise from requiring passwords of six characters on a workstation but eight characters on a server. This minor difference can make it difficult or impossible to implement a single sign-on solution

The Remote Access domain standards include standards related to VPN connections and multifactor authentication. For example...

a virtual private network standard describes the security requirements for establishing an encrypted session

Mobile devices, by their nature, are distributed. This means policies need to...

address unique monitoring and patching challenges in a distributed environment

LAN configuration issues are similar to those for workstations. The primary difference is ____. The LAN domain is often centralized to a small group of network administrators. This means devices are less distributed and are under tighter control.

administration

Security standards in this domain focus on remote user authentication and secure connections. Creating a remote computing environment that is secure is a challenge. Beyond authentication and connectivity, you need to secure the remote device. Some standards require...

all remote users to use employer-owned laptops. This allows the organization to control the remote device itself. These types of business choices drive what standards you see in this domain

An ____ is the act of recording relevant security events that occur on a computing or network device

audit

Many of the same procedures' issues exist between domains such as configuration and patch management. In the case of WAN-to-LAN connectivity, there is a greater emphasis on managing changes and detecting and responding to network attacks. For example, you can view the DMZ as the "front door" to your private network. Changes to configuration in this domain...

can have a serious impact on the publicly facing website or the ability to prevent an intrustion. It is not uncommon to see procedures in this domain require senior-level approval and extensive testing before changes are applied.

Individual security policies frequently look and feel alike. This makes them easy to read and understand. The challenge is how to organize policies as a ____. Policies need to be easily accessible and align to how an organization manages its IT environment

collection

No matter how good any single security control is in place today, you must assume it can and will be hacked at some point. There is someone, or some group, out there with enough time and resources to hack the control. This is why...

common security practice suggests multiple lines of defense, layers of security, or in-depth security, from the perimeter through the network layers to ultimately protecting the data

When it comes to mobile devices, one solution doesn't fit all. With mobile devices being so ubiquitous, network security professionals must address them. As with any security issue, an objective threat assessment must be...

conducted, risks analyzed, and only then can appropriate policies be implemented and enforced.

Baseline standards are particularly important because they establish connectivity between devices. This ____ is important to ensure data protection in transit. To accomplish this, configure each device with an identity and method of authenticating network traffic it receives. This is no small task given the volume of network traffic generated. The network typically contains mixed traffic, such as sensitive business transactions; routine user-related transactions; and, potentially, hacker traffic. Separating business and routine user transactions depends on properly configuring network devices. These transactions do not attempt to be in conflict and thus are reasonably easy to identify and separate

connectivity

A ____ can be an effective method of reducing malware attacks. This is achieved by blocking sites known to have malware. This also means blocking sites employees may wish to access

content filtering standard

Organizations use different terms to describe control standards. Some describe them as ____

core policy statements

Audit logs also play an important role in monitoring network traffic. Configuring devices to generate logs about network events helps you to...

determine later what occurred during an attack.

LAN policies are also a good place to consider ____. You want to ensure policies take steps to avoid both copyright infringement and your organization's own confidential data being exfiltrated

digital rights management (DRM)

Creating policies by functional area of responsibility is a challenge. The disadvantage is that...

functional areas may change due to organizational realignment. This means policies may have to change, too. Typically, organizing policies by functional area is the approach used in mature companies whose processes rarely change

Another approach is to allow devices to connect to only a ____, not the corporate network. In this way, the employee still can use the networked device, but it poses far less of a threat to the organization's network. There is still a threat, but no more than from any guest accessing the guest network.

guest network

The LAN-to-WAN domain denotes, for many organizations, its connection to the Internet. This connection represents significant risk. LAN-to-WAN security standards often focus on...

how to configure devices to maintain message and transaction integrity

Defense in depth is not the only aspect of layered security. It is also important to have multiple controls for the same vulnerability. For example...

if your concern is malware, antivirus is one control to mitigate that risk

An ____ recognizes a network attack and sends an alert

intrusion detection system (IDS)

An ____ recognizes a network attack, stops the attack, and sends an alert

intrusion prevention system (IPS)

The same individuals who use network policies often write them. This is an advantage because...

it reduces training and interpretation errors

Creating policies by layers of security is also a challenge. A core principle in information security is the concept often referred to as...

layers of security, layered security, or defense in depth

A baseline standard is also called a technology ____. The key point is that policy documents make a distinction between core policy requirements and requirements unique to technology

minimum security baseline (MSB)

Information security professionals must understand well these common IT infrastructure needs and policies. If you do understand these foundational policy concepts and focus areas, you'll be able to...

navigate infrastructure policy documents, regardless of how they are organized

Another important concern of baseline LAN standards is ____. Regardless of how good firewalls and routers are, they have their limitations. These devices prevent attacks against known and predicted threats. Intrusion systems provide a broad range of protection. They look for patterns of attack. Just as a virus scanner looks for patterns to indicate a file has become infected, an intrusion system looks for network traffic patterns to detect a network attack

network traffic monitoring

However, as much as organizations differ in size and mission, all ____ must provide layers of security—from the perimeter through the network layers to, ultimately, the data being accessed

networks

Establishing secure point-to-point communications is an important part of the connectivity through the Internet. The Internet should ____ have a direct connection to the organization's private network without the traffic being heavily filtered and inspected.

never

Typically, the LAN-to-WAN domain addresses many of the WAN connectivity standards. As a result, this domain's standards tend to focus...

primarily on the WAN build-out and supporting components

A greater challenge is how to configure devices to ensure hackers cannot masquerade as valid transactions. Another concern is hackers monitoring sensitive transactions in the clear. A hacker can configure a network card to "promiscuous mode." When a network card is in ____, it captures all the network traffic on a segment. Normally, a network card only captures traffic addressed to its device. In other words, a device in promiscuous mode allows you to listen to all the traffic messages between every device on the segment. With this information, a hacker can create his or her own messages in an attempt to masquerade as valid sensitive transactions

promiscuous mode

It is important to use industry best practices when developing baseline standards. These industry best practices standards allow you to defend to ____ the choices being made and to gain from others' experience. It is more efficient to modify an existing standard than to create your own from scratch

regulators

Additionally, infrastructure policies ensure that ____ policies act collectively. Taking this end-to-end view ensures that controls are in place to protect data at rest (in storage) as well as data in transit—as when data passing from an employee's home is encrypted through a virtual private network firewall and securely routed to an internal database server at the organization's headquarters or at some other data center

remote access, network, and authentication

Network ____ can be an effective control for limiting traffic and thus help keep hackers out. Network segmentation involves isolating parts of the network from other parts. This can be achieved in many ways, including adding access lists to routers that limit traffic between segments

segmentation

The third approach is to organize policies by domains. This is one logical way to view requirements and policies. The ____ are a common taxonomy, or classification system, used across the industry. This taxonomy clearly illustrates how each domain can be used to create a layered security approach

seven domains

For each baseline standard, you need a related procedure document. That does not mean every device configuration requires a unique procedure. Many of these configuration activities reuse the same procedure. The key to these procedures is to ensure...

that the administrators know how to access and apply the baseline configuration. If the tools and methods are substantially different, the process may be unique enough to require its own procedure

It's important to understand the interactions of these infrastructure layers. The interactions of network layers provide an end-to-end view of infrastructure security. This understanding ensures...

that the impact of changes to the infrastructure will be well understood and well coordinated. This includes coordination of changes

Creating policies by functional area of responsibility is a challenge. The advantage of this method is...

that the policies can be tailored for a specific audience

Mobile devices are part of our lives. Smartphones are the obvious example; however, there are other devices, including smartwatches and tablets. Many people use these devices as an integral part of their daily lives, and...

they bring them to work

The LAN domain refers to the organization's local area network (LAN) infrastructure. A LAN allows...

two or more computers to connect within a small physical area. The small area can be a home, office, or group of buildings.

The problem with organizing policies by domain is that many issues pertain to multiple domains. For example...

virus control is a concern for workstations and servers

INFORMATION TECHNOLOGY (IT) infrastructure security policies are represented in many types of policy documents, depending on the organization's network and infrastructure needs. For example, a national telecommunications company's network policies...

will look different from those of a regional retailer. These differences stem from different cybersecurity risks. They also present organizations with different choices to define and make in their security policies.

A ____ can be any user device that accesses data, such as a smartphone

workstation

List additional types of workstation domain control standards

1. Access control for portable and mobile systems 2. Acquisitions 3. Configuration management control 4. Device identification and authentication 5. Session lock 6. Software use 7. System use notification 8. Unsuccessful logon attempts 9. Disposal 10. Bring your own device (BYOD)

The following guideline documents are useful when dealing with workstations:

1. Acquisition Guidelines 2. Guidelines on Active Content and Mobile Code

A DNS control procedure might be included in the WAN standard. This standard describes the requirements for obtaining and assigning a domain name for use by external parties. Approvals can be used to track domains and often include:

1. An explanation of how the domain will be used 2. A justification for using a new domain name 3. The server name and IP address where the DNS will be registered 4. Information on who will administer the domain name 5. The date of last vulnerability scan on the targeted server(s)

Examples of some control statements (Malicious Code Protection standard) in this type of policy are as follows:

1. Anti-malware software must be used on all devices connected to the organization's network. IT staff is responsible for ensuring that all devices have an approved version of anti-malware software installed. They are also responsible for ensuring a mechanism is in place to keep malware definitions current. 2. No executable software, regardless of the source, may knowingly be installed without prior IT staff approval. 3. IT staff must verify that all software is free of malicious code before installation. 4. Users must not intentionally disable anti-malware software without prior approval. 5. IT staff must scan data that will be transferred from the organization's network to a customer. Scanning must indicate that the data is free of malicious code before the transfer may occur.

What are additional types of LAN domain control standards?

1. Audit events 2. Configuration change control 3. Controlled maintenance 4. Controls over media 5. Device identification and authentication 6. Intrusion detection and prevention 7. Protection of audit information 8. Router security controls 9. Security assessments 10. Segmentation 11. Trusted timestamps 12. Wi-Fi security controls

The first issue is defining how these devices can be integrated into the organization. Some established terms accomplish this:

1. Bring your own device (BYOD) 2. Choose your own device (CYOD) 3. Company-owned and personally enabled (COPE)

A DoS protection standard describes controls that protect against or limit the effects of DoS attacks. This standard attempts to prevent using the organization's network as a launching point against another network. Here is an example of control statements from this type of standard:

1. Configure routers and firewalls to forward IP packets only if those packets have the correct source IP address for the organization's network. 2. Configure access control lists (ACLs) on routers to allow only the traffic you want. 3. Only allow packets to leave the network with valid source IP addresses that belong to the organization's network. This will minimize the chance that the organization's network will be the source of a DoS attack.

Two key areas of LAN domain controls are:

1. Connectivity 2. Controlling network traffic

A LAN-to-WAN domain baseline standard focuses on perimeter devices that separate the WAN from the LAN. The following are some examples:

1. Content-Blocking Tools Configuration Standard 2. Intrusion Detection and Prevention Tools Configuration Standard 3. Proxy Server Configuration Standard 4. Firewall Configuration Standard

The basic anatomy of a policy starts with understanding the different types of documents that capture the domain security control requirements. Five common documents are:

1. Control standards 2. Baseline standards 3. Procedure documents 4. Guidelines 5. A dictionary

Guidelines in this domain are useful for individuals who must determine how much Internet access should be permitted. Controls and baselines create crisp lines on minimum standards. The guidelines establish additional choices while balancing the additional risk. The following guideline documents are examples:

1. DMZ Guidelines 2. Intrusion Detection and Prevention Systems Guidelines 3. Content-Filtering Guidelines

A private WAN can be built for a specific organization to link offices across the country or globally. These types of WANs are constructed using:

1. Dedicated leased lines 2. Satellites 3. Microwave communications

An intrusion system can be:

1. Detective 2. Preventitive

The following are examples of control statements you might find in this standard. They are adapted from the SANS Institute's "Virtual Private Network Policy" document:

1. Employees with VPN privileges must not share their VPN credentials to the organization's internal networks with unauthorized users. 2. VPN use must be controlled using one-time password authentication. This may include a token device or a public/private key system with a strong passphrase. 3. VPN users will be automatically disconnected from the organization's network after 30 minutes of inactivity.

Here are several additional examples of policies that deal with LAN-to-WAN connectivity and filtering:

1. External Information System Services Connect Standard 2. DMZ Control Standard 3. User Internet Proxy Standard

There is no limit to the number of ways to organize collections of policies. Three common ways, though, are to organize by:

1. Functional area 2. Layers of security 3. Domain

The LAN-to-WAN key standards define the security requirements to:

1. Harden Internet-facing servers 2. Filter traffic between these networks 3. Monitor for breaches in security

The following are examples of baseline documents you may need to prepare:

1. Host hardening standards for each workstation product family, such as Microsoft Windows, UNIX, Mac OS, and smartphones 2. Virus scanner configuration standards 3. Patch management agent standards 4. Automated backup standards for workstations 5. Wireless security standards

The firewall must always block the following types of traffic:

1. Inbound traffic from a nonauthenticated system with a destination address of the firewall system. This type of packet usually represents a probe or attack against the firewall. 2. Inbound traffic with a source address indicating that the packet originated on a network behind the firewall. This type of packet may represent a spoofing attempt. 3. Inbound traffic containing Internet Control Message Protocol (ICMP) traffic. An attacker can use ICMP traffic to map the networks behind some firewalls. Therefore, ICMP traffic should not be allowed from the Internet or any untrusted external network.

The goal is to develop a cohesive set of documents that do not require constant revisions to stay current and relevant. When there is overlap, reference the corresponding document rather than duplicating content. Here are a few common reasons why policy documents vary from one organization to another:

1. Organizations use unique sets of technical tools and hardware. 2. Risk management practices are often customized to an organization. 3. The size of IT departments varies according to business needs.

Many of the same procedure issues exist between domains, such as configuration and patch management. There is a greater emphasis in the LAN domain on detecting and responding to network attacks. An attack on a workstation is isolated. An attack on the network threatens the entire organization. You can see this difference reflected in several network procedures, as follows:

1. Response to Audit Processing Failures 2. Firewall Port/Protocol Alerts 3. Monitoring Wi-Fi APs 4. Audit Record Retention

With core policies defined, the focus then turns to how to configure the devices. Baseline standards provide the specific technology requirements for each device. IT staff use documented procedures to implement baseline standards. These configurations by devices ensure the following:

1. Secure connectivity for remote devices 2. Virus and malware protection 3. Patch management capability 4. Backup and recovery 5. Hardening of the device 6. Encryption of the hard drive as needed

These guidelines are useful to planners, systems administrators, network administrators, and their managers. These individuals must assess LAN threats and build appropriate countermeasures. The following guidelines illustrate this point:

1. Security Assessments Guidelines 2. Firewall Architecture and Management Guidelines 3. Router Architecture and Management Guidelines 4. IDS and IPS Architecture and Management Guidelines 5. Wi-Fi Security Guidelines

A WAN controls standard might include the following statements:

1. The IS department shall approve all access points to the WAN. 2. The IS department shall approve all physical and logical connections to the WAN that provide access to individuals or groups. 3. The IS department shall approve all WAN-related address changes and configurations. 4. Employees who plan to connect to the organization's network must first sign an agreement to abide by the requirements outlined in the WAN Security Standard.

The key purpose of infrastructure security policies is to provide technical knowledge of:

1. The interaction among various layers of the network 2. The placement of key controls 3. The types of risks that will be detected and guarded against

Others standards related to the WAN domain may include:

1. WAN Router Security Standard 2. Web Services Standard

Increasingly, WAN domain policies will include what data may be sent outside the organization's private network. The WAN standards-related questions include:

1. What types of connections are required? 2. What types of data are allowed to use these connections? 3. Who can authorize the creation of a WAN connection? 4. Who can authorize the permit to send data outside the network?

The following are examples of baseline standards that configure devices to address connectivity and monitoring activity:

1. Wi-Fi Access Point (AP) Security Standard 2. Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) Standard 3. Baseline OS Configuration(s) Standard 4. Remote Maintenance Standard 5. Audit Storage and Records Standard 6. Firewall Baseline Security Standard 7. Router Baseline Security Standard 8. Server Baseline Configuration(s)

The lines between baseline and control standards can blur in the WAN domain. The reason is that the topics tend to focus on specific technology solutions such as routers, protocols, and web services. Many organizations tend to focus on a small set of network vendors such as...

Cisco Systems or Juniper Networks. Because the standards are often written with these technologies in mind, you can find a convergence of control and baseline standards in one document versus two

The ____ is the commonly used method of assigning meaningful website names on the Internet. It can also be used to assign meaningful names to any device on a private or public network

Domain Name System (DNS)

____ is a common method used to protect workstations, laptops, and other devices

Encryption

____ deals with how to create, integrate, secure, disseminate, and manage data across the enterprise. Larger organizations tend to deal with management of data as its own discipline, cutting across all domains

Enterprise data management (EDM)

____ need to be highly structured to be understood quickly. It is common for an individual to scan a dozen standards looking for a particular piece of information such as scope or responsibility

Standards

Explain Bring your own device (BYOD)

This is a scenario in which employees bring whatever device they may have purchased and can connect, at least to a guest network. This poses the greatest security risk, but it is quite common

Explain Choose your own device (CYOD)

This is a situation wherein the organization provides a list of approved devices. If the employee purchases a device from that list, then they can attach the device to the organizational network. This provides some level of security. The company at least knows the device meets minimum security requirements

Explain Company-owned and personally enabled (COPE)

This is an approach wherein the company provides personal devices, most often phones, to employees who can then also utilize the devices for personal use. This poses the most direct security, because the company has a high degree of control over the device's security. However, when the employee exits, parsing the employee's personal data from company data can be problematic