
The acquisition process should be designed to meet specific objectives, including:

- Gaining the most value from expenditures
- Strategic planning for system and application upgrades
- Reducing risk of data loss or breach
- Disposing of assets in a cost-effective manner that secures data and meets recycling goals

network services

- MFDs often come with a number of services enabled, many of which are not required in a given environment and should be disabled
- Two categories of network services are management protocols and services protocols

Physical security

Proper physical security is needed to guard against a number of threats, including:

- Making modifications to the global configuration via the console interface
- Sending unauthorized faxes
- Obtaining printouts or faxes that do not belong to them
- Physically removing the hard disk, which might contain print spool files and other information

There are essentially two approaches to managing IT-related hardware assets within an organization:

- One is an ad hoc approach that follows guidance in the installation, configuration, and user's manual on a case-by-case basis with no overall approach
- The other is an organized hardware life cycle management policy, perhaps under a designated hardware asset manager

The IBM integrated solution brings a variety of benefits to an enterprise, including:

- Predicting the best time to perform maintenance on a monitored asset
- Uncovering process deficiencies that can affect product quality
- Identifying the root causes of asset failures

Denial-of-Service Attacks

These types of attacks, which may also result in denial of service for legitimate users, include:

- Sending multiple bogus print jobs to exhaust paper resources and tie up a printer
- Modifying settings to make the device unusable
- Stopping or deleting jobs
- Setting the IP address of the MFD to be the same as a router, causing routing confusion

multifunction device (MFD)

A network-attached document production device that combines two or more of these functions: copy, print, scan, and fax

A repository containing information on all the devices, software, interconnections, and users in use, together with relevant configuration settings. Generally, a CMDB also includes historical configuration information

Configuration management database (CMDB)

The DHS has offered these recommendations for protecting ICSs:

- Implement application whitelisting
- Ensure configuration management and patch management
- Reduce attack surface areas
- Build a defendable environment
- Manage authentication
- Implement secure remote access
- Monitor and respond

The best resource in developing a security plan for an ICS is the

Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) website, maintained by the U.S. Department of Homeland Security

consists of combinations of control components (for example, electrical, mechanical, hydraulic, pneumatic) that act together to achieve an industrial objective

Industrial control systems

include supervisory control and data acquisition (SCADA) systems used to control geographically dispersed assets, as well as distributed control systems (DCSs) and smaller control systems, using programmable logic controllers to control localized processes

Industrial control systems

Many office devices run an embedded commercial operating system, which renders them subject to the same threats and vulnerabilities as any other computing devices running those same operating systems. Manufacturers may embed versions of operating systems for which the operating system provider is no longer providing updates, or the functionality to install patches or updates is not available.

Operating system security

IBM offers a solution called that uses information collected about products, processes, and assets to optimize maintenance schedules, production processes, and product quality

Predictive Maintenance and Quality (PMQ)

Information Disclosure

Three potential sources of vulnerability are:

- Print, fax, and copy/scan logs
- Address books
- Mailboxes

Applies physical or logical techniques that render target data recovery infeasible using state-of-the-art laboratory techniques. This can be achieved by performing multiple overwrites. For a self-encrypting drive (SED), cryptographic erasure can be used. If the drive automatically encrypts all user-addressable locations, then all that is required is to destroy the encryption key, which could be done by multiple overwrites

Purge

A security feature for computers and mobile devices that helps prevent unauthorized access to the device. A screen lock requires the user to perform a specific action, such as entering a PIN code or presenting a fingerprint, to gain access to the device

Screen lock

Relates to security controls in place for HAM and planned for meeting strategic security objectives.

Security plan

Details how security concerns will be incorporated into the hardware life cycle.

Security policy

A hard drive with a circuit built into the disk drive controller chip that encrypts all data to the magnetic media and decrypts all the data from the media automatically. All SEDs encrypt all the time from the factory onward, performing like any other hard drive, with the encryption being completely transparent or invisible to the user. To protect the data from theft, the user must provide a password to read from or write data to the disk

Self-encrypting drive (SED)

Measures some parameter of a physical, chemical, or biological entity and delivers an electronic signal proportional to the observed characteristic, either in the form of an analog voltage level or a digital signal

Sensor

Elements of an industrial control system (ICS)

- Sensor
- Actuator
- Controller
- Human-machine interface
- Remote diagnostics and maintenance

An attack enabled by leakage of information from a physical cryptosystem. Characteristics that could be exploited in a side-channel attack include timing, power consumption, and electromagnetic and acoustic emissions

Side-channel attack

Includes designation of a responsible individual and a budget for HAM.

Strategic plan

PLANNING PHASE

- Strategic plan
- Security plan
- Security policy
- Acceptable use policy

Develops a threat model consisting of six areas and provides a detailed summary of the greatest threats in each area as well as current mitigations and defenses.

Study on Mobile Device Security

A number of documents for U.S. agencies are valuable resources for any organization. The following are particularly useful:

- Study on Mobile Device Security
- Assessing Threats to Mobile Devices & Infrastructure
- Guidelines for Managing and Securing Mobile Devices in the Enterprise
- Vetting the Security of Mobile Applications
- Guidelines on Hardware-Rooted Security in Mobile Devices
- Mobile Device Security

The DHS's Study on Mobile Device Security lists the following as common threats resulting from gaining physical access to a device:

- Substitution of a compromised Bluetooth headset to facilitate eavesdropping
- Replacement of a SIM card to facilitate illegal activity such as identity fraud or theft of services
- Brute-force attacks on a stolen device
- Side-channel attacks to obtain cryptographic private keys
- Installation of malicious apps via USB, an infected computer, or a charging station without the user's knowledge

NIST SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations, in control family CM-1, provides detailed guidance in the area of tracking and IT hardware configuration management. T or F

T

The small, portable nature of mobile devices increases their susceptibility to physical-based threats. T or F

T

Many organizations find it convenient or even necessary to adopt a bring your own device (BYOD) policy that allows the personal mobile devices of employees to have access to corporate resources. T or F

T

Mobile device security

Portable computing and communications device with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, and audio recording devices)

Including existing contracts and new opportunities

Vendor relationships

Describes in detail app vetting and app approval/rejection activities.

Vetting the Security of Mobile Applications

The security strategy can also include

firewall policies specific to mobile device traffic

Hardware life cycle management, also known as

hardware asset management (HAM)

Office equipment

includes printers, photocopiers, facsimile machines, scanners, and multifunction devices (MFDs). Office equipment often contains the same components as a server (e.g., operating system, hard disk drives, and network interface cards) and runs services such as web, mail, and ftp. As a result, sensitive information processed by or stored on office equipment is subject to similar threats as to servers, yet this equipment is often poorly protected.

IT managers should be able to

inspect each device before allowing network access

Hardware life cycle management

is a subset discipline of IT asset management, which deals specifically with the hardware portion of IT assets.

Industrial control system (ICS)

is used to control industrial processes such as manufacturing, product handling, production, and distribution.

In deployment, each item should be categorized based on

its security impact

A strong authentication protocol should be used to

limit access from the device to the resources of the organization

Once equipment is deployed it needs to be

maintained and managed

Each hardware item needs to be included in a .......................... perhaps as part of a CMDB. The register should be complete and protected.

master register or database

A restricted-use, logical (that is, artificial or simulated) computer network that is constructed from the system resources of a relatively public, physical (that is, real) network (for example, the Internet), often using encryption (located at hosts or gateways) and authentication. The endpoints of the virtual network are said to be tunneled through the larger network

virtual private network (VPN)

There are a number of reasons an organization should adopt a detailed hardware life cycle management policy, including:

- A systematic approach to life cycle management can provide guidance on when to replace particular equipment
- It bridges communication gaps that allow assets to be lost, acquisitions to be made when spares are in the warehouse, or upgrades to fail due to incomplete information
- Hardware information can be centralized in a CMDB
- Risk can be reduced by having and using the appropriate tools to track and manage hardware
- With hardware life cycle management, an organization can use a number of automated tools for tasks

Applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques; typically applied through the standard read and write commands to the storage device, such as by rewriting with a new value or using a menu option to reset the device to the factory state

Clear

NIST SP 800-88, Guidelines for Media Sanitization, defines three actions:

- Clear
- Purge
- Destroy

Relates to how users are allowed to use hardware assets. In addition to security concerns, users need to be aware that the assets belong to the organization, without expectation of privacy, unless an organization's privacy policy dictates otherwise.

Acceptable use policy

With formal selection processes, contract negotiations, and contract execution

Acquisition

Receives an electronic signal from a controller and responds by interacting with its environment to produce an effect on some parameter of a physical, chemical, or biological entity

Actuator

An online repository of applications that can be browsed, purchased, and downloaded

App store

Provides a detailed description of the threats related to mobile devices and the enterprise.

Assessing Threats to Mobile Devices & Infrastructure

The reachable and exploitable vulnerabilities in a system

Attack surface

Because EMM systems have elevated privileges, intruders can leverage control over EMMs to launch attacks against mobile devices and the mobile enterprise. An attacker may steal administrative credentials or exploit vulnerabilities in the EMM infrastructure or software to gain unauthorized access to the administrative console and launch attacks against mobile devices. Defenses against such attacks can include security audits, threat intelligence, strong authentication, and secure network connections.

Attacks on the EMM system

It may be possible for an adversary to bypass the vetting process and introduce apps with malware delivered to devices from the enterprise app store. Such malware can target the mobile device or can be used to spread malware to other platforms in the enterprise.

Attacks related to an enterprise app store

These enterprise threats are in two broad areas:

- Attacks related to an enterprise app store
- Attacks on the EMM system

According to SP 800-82, possible threats ICSs may face include the following:

- Blocked or delayed flow of information through ICS networks, which could disrupt ICS operation
- Unauthorized changes to instructions, commands, or alarm thresholds, which could damage, disable, or shut down equipment, create environmental impacts, and/or endanger human life
- Inaccurate information sent to system operators, either to disguise unauthorized changes or to cause the operators to initiate inappropriate actions, which could have various negative effects
- ICS software or configuration settings modified, or ICS software infected with malware, which could have various negative effects
- Interference with the operation of equipment protection systems, which could endanger costly and difficult-to-replace equipment
- Interference with the operation of safety systems, which could endanger human life

Operating system security

Some examples of these vulnerabilities include:

- Buffer overflows
- Execution of arbitrary code
- Taking control of the device using remote administration capabilities

Interprets the signals and generates corresponding manipulated variables, based on a control algorithm and target set points, which it transmits to the actuators

Controller

An attack that prevents authorized access to resources or delays time-critical operations

Denial-of-service (DoS) attacks

refers to the preliminary steps taken prior to installation followed by the installation of the hardware so that it is ready to use.

Deployment

Renders target data recovery infeasible using state-of-the-art laboratory techniques and results in the subsequent inability to use the media for storage of data. Typically, the medium is pulverized or incinerated at an outsourced metal destruction or licensed incineration facility

Destroy

The DHS report recommends the following defenses:

- Ensure that devices are enterprise managed so that the organization can enforce security policies, monitor device state, and remotely track or wipe lost or stolen devices
- Ensure that the device's screen lock is enabled. The lock should be enabled with an appropriately strong password

is an important security area that should not be overlooked as part of an organization's security program for office devices

Equipment disposal

The SGP breaks down physical asset management best practices into two areas

- Equipment management
- Mobile computing

A collection of data records, in a centralized database or a synchronized distributed database, defined to be authoritative within the organization. The golden record encompasses all relevant data entities in the organizational information system. The golden record can be used as a basis for reconciliation, as a guarantee of data integrity, and as the basis for backups and archives

Golden record

Also called single version of truth

Golden record

Mobile device security: an organization's networks must accommodate the following:

- Growing use of new devices
- Cloud-based applications
- De-perimeterization
- External business requirements

Provides recommendations for selecting, implementing, and using centralized management technologies, explains the security concerns inherent in mobile device use, and provides recommendations for securing mobile devices throughout their life cycles.

Guidelines for Managing and Securing Mobile Devices in the Enterprise

Focuses on defining the fundamental security primitives and capabilities needed to securely enable mobile devices.

Guidelines on Hardware-Rooted Security in Mobile Devices

entails managing the physical components of computers, computer networks and systems, beginning with acquisition and continuing through maintenance until the hardware's ultimate disposal.

HAM

Any physical asset that is used to support corporate information or systems (e.g., a server, network device, mobile device, printer or specialized equipment, such as that used by manufacturing, transport or utility companies), including the software embedded within them and the operating systems supporting them

Hardware

Operators and engineers use human interfaces to monitor and configure set points, control algorithms, and adjust and establish parameters in the controller

Human-machine interface

All traffic should be ....................... and travel by secure means, such as SSL or IP Security (IPsec)

encrypted

SP 800-124, Guidelines for Managing and Securing Mobile Devices in the Enterprise, lists seven major security concerns for mobile devices

- Lack of physical security controls
- Use of untrusted mobile devices
- Use of untrusted networks
- Use of applications created by unknown parties
- Interaction with other systems
- Use of untrusted content
- Use of location services

The principle that access control should be implemented so that each system entity is granted the minimum system resources and authorizations needed for the entity to do its work. This principle tends to limit damage that can be caused by an accident, an error, or a fraudulent or unauthorized act

Least privilege

Cloud and Hybrid Builds: Contains reference architectures; demonstrates implementation of standards-based, commercially available cybersecurity technologies; and helps organizations use technologies to reduce the risk of intrusion via mobile devices.

Mobile Device Security

The use of two or more factors to achieve authentication. Factors include something you know (for example, password/ PIN), something you have (for example, cryptographic identification device, token), or something you are (for example, biometric). MFA can involve two or three factors

Multifactor authentication (MFA)

To trigger payment of invoices and creation of incidents to configure and deliver to the correct individual/location/department

Receipt

Utilities used to prevent, identify, and recover from abnormal operation or failures

Remote diagnostics and maintenance

Including application of standards, redeployment, and initiation of a purchase, if appropriate

Request and approval

The International Association of Information Technology Asset Managers [IAT12] states that the processes and systems of acquisition should include the following:

- Request and approval
- Vendor relationships
- Acquisition
- Receipt

The deployment process involves ...................................such as changing default vendor passwords and applying secure configuration settings.

ensuring that any software running on the new hardware is subject to security hardening,

A number of individuals and groups should be involved in the hardware acquisition process, including an

acquisition manager, stakeholders, receivers, technical personnel, and the financial manager.

A preferable strategy is to have a two-layer authentication mechanism, which involves

authenticating the device and also authenticating the user of the device

IT should establish

configuration guidelines for operating systems and applications

Whether a device is owned by the organization or an employee, the organization should

configure the device with security controls

Intrusion detection and intrusion prevention systems can be

configured with tighter rules for mobile device traffic

The process of encrypting the data on a medium and then destroying the key, making recovery impossible

cryptographic erasure

The SGP recommends that sensitive information stored on office equipment be securely destroyed before the equipment is

decommissioned, sold, or transferred to an external party

Automated asset identification, such as with a bar code or radio-frequency identification (RFID) tag, is often........................... This supports inventory management, life cycle management, and, ultimately, disposal management.

desirable

The organization should have security mechanisms to

protect the network from unauthorized access

The act of removing a restricted mode of operation. For example, rooting may enable content with digital rights to be used on any computer, or it may allow enhanced third-party operating systems or applications to be used on a mobile device. While rooting is the term used for Android devices, jailbreaking is the equivalent term used for Apple's devices

rooting

The simplest approach to maintenance management is to

schedule maintenance in accordance with supplier/manufacturer recommendations

Firewall policies can limit the

scope of data and application access for all mobile devices

The act of downloading an app to a device without going through the official app store, via links or websites. While enterprises often use sideloading as a method for distributing home-grown apps, malicious actors also use sideloading (via enterprise certificates, in many cases bought on the black market) to distribute their malware

sideloading

Attacks on mobile devices with enterprise access can..................... to other enterprise systems

spread

VPNs can be configured so that all traffic between a mobile device and the organization's network is

via a VPN

There are numerous potential threats to office equipment:

• Network Services
• Information Disclosure
• Denial-of-Service Attacks
• Physical Security
• Operating System Security
