Expert Reference Series of White Papers
1-800-COURSES www.globalknowledge.com

Applying the Four Standards of Security-Based CIA

Copyright ©2013 Global Knowledge Training LLC. All rights reserved.

Applying the Four Standards of Security-Based CIA
Kerry Doyle, MA, MSr, CPL
Introduction

Constant change in the technology landscape has been mirrored by the steady evolution of information security. The current information system environment is increasingly complex, comprising storage, servers, LANs/WANs, workstations, Unified Communications, and Intranet and Internet connections.

Recent innovations such as social media have had a profound effect on security deployment within companies, introducing new threats and vulnerabilities. Moreover, the explosion of related trends such as bring your own device (BYOD) further compromises security because users are accessing corporate content (data, applications, e-mails, etc.) from remote locations beyond perimeter security, for example.

Increased threat sophistication requires equally effective defense responses. In addition to measuring compliance, incorporating logs/audits, and using outsourced security services and point products, defining corporate-wide security policies is a critical first step. Based on the C-I-A information security triad (confidentiality, integrity, availability), key areas to address should include questions such as "Who sees the data?", "Has the data been corrupted?" and "Can I access the server and data as needed?"

The range of security-based concerns and solutions is extensive and covers operational, procedural, environmental, and system-related areas. In this white paper, we'll explore the principles of information security and the four standards of security-based CIA that can effectively protect your environment.
Standard 1: Operational Security and Identity Access Management (IAM)

In order to protect against threats to the confidentiality, integrity, and availability of information assets, organizations need to put in place coherent security measures and policies. The goal should be to define the operational procedures, guidelines, and practices for configuring and managing security within an environment.

The importance of having a corporate security policy in place cannot be overstated. Not only does it minimize risk, it helps to show due diligence and compliance in terms of regulations that affect nearly every industry, from finance to healthcare (PCI, Sarbanes-Oxley, HIPAA, etc.).
Because organizations face an array of both internal and external threats, they require a thorough, systematized approach to security. Performing risk analysis is an important first step. Security vulnerability assessments, combined with protocols to follow and well-defined counter-actions, are all part of creating a methodical approach to protection.

Performing regular assessments of current security policies is also important. It ensures that corporate policies are up to date and that an organization is able to respond adequately to new and developing threats.

Establishing identity/access management (IAM) controls guarantees that effective operational measures are in place in terms of security. IAM tools and processes offer a critical framework for managing electronic identities. Moreover, well-defined business policies for IAM and for assigning access rights should be centrally controlled and enforced consistently across an organization.

A centralized framework supports the critical processes that are the basis for successful identity, access, and risk management. They include:

• Establishing compliance initiatives and meeting regulation requirements
• Controlling user access/instituting lifecycle management
• Ensuring accountability
• Automating processes to manage access risk

Increasingly, organizations are choosing automated IAM approaches that include centralized dashboards offering data analysis via graphs, charts, and reports, as well as advanced analytics that can be applied to pre-defined or customized security reports.

In terms of operational security, IAM controls can establish a clear operational "snapshot" of user access that enables corrective actions to be undertaken as needed. Such an approach also ensures that all governance actions are "sticky," that is, unable to be reversed unless approved by a recognized authority.

In addition, IAM has direct links to areas like security information and event management (SIEM). Often, administrators are overwhelmed by the sheer amount of security data they must process. Analysts and administrators have only enough time to manage the most critical SIEM notifications. The difficulties include an excess of solution challenges (more issues than time to address) and false-positive overload. It's no surprise that streamlined IAM controls can offer administrators critical support.
Standard 2: Ensuring Procedural Security

Procedural security looks at information security from the point of view of management/workforce policies and controls. Some examples include personnel screening policies, guidelines for classifying and accessing information, and procedures for assigning IDs and user access status, to name a few.
In terms of management policies, well-defined and logical procedures ensure a measure of accountability and assurance. They provide for the tracing of actions and events back in time to the users, systems, or processes, to establish responsibility.

The first step to procedural security involves identification. Once a stakeholder is identified, then authentication and authorization can take place. Authentication is based on the axiom of What You Know (passwords, PINs, codes, etc.), What You Have (keys, tokens, etc.), and What You Are (biometric authentication: fingerprint, iris, etc.).

Logs and audit trails represent the next step in procedural security. These relay detailed information about system-related actions and events, as long as the integrity of the data can be established. 'Functionality' versus 'assurance' is the aspect of procedural security that is the most challenging. Essentially, the question centers on whether certain security actions performed were indeed successfully implemented.

Confidentiality. The ability to circumvent security controls has led to more stringent measures such as cryptography. Encryption converts plain text into ciphered text, ensuring a measure of confidentiality. If intercepted illegally, ciphered data can't be easily read. The Advanced Encryption Standard (AES) is a fast, efficient algorithm for data at rest; trusted platform modules (TPMs) can encrypt whole drives; and S/MIME encrypts e-mail.

When it comes to ensuring integrity, for example, a hashing algorithm can create a hash, or number, for reliable data security. Detection systems can calculate hash consistency for all types of files, including e-mails, and protect against tampering. Any modification, for example if a file is infected with a virus, indicates that a file has lost integrity.
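The hash-consistency check described above, as an added example that is not part of the white paper: a baseline of SHA-256 digests is taken, later file contents are compared against it, and the baseline table itself is authenticated with an HMAC (the key, the sample file contents and the paths are all constructed for this example) so that the "integrity of the data can be established" for the baseline as well as for the files.

```python
import hashlib
import hmac

# Constructed sample "files" (path -> contents) standing in for a directory tree.
SAMPLE_FILES = {
    "etc/hosts": b"127.0.0.1 localhost\n",
    "bin/backup.sh": b"#!/bin/sh\ntar czf /backup/data.tgz /data\n",
    "mail/inbox.eml": b"From: alice@example.test\nSubject: hello\n\nhi\n",
}

# Constructed key for authenticating the baseline table itself. In practice the
# detection system keeps it off the monitored host, so a compromise of that host
# cannot rewrite the expected hashes to match tampered files.
BASELINE_KEY = b"constructed-demo-key-not-for-production"


def file_digest(data: bytes) -> str:
    """SHA-256 hex digest of one file's contents."""
    return hashlib.sha256(data).hexdigest()


def baseline_mac(table: dict) -> str:
    """HMAC-SHA256 over a canonical (sorted) serialisation of path=hash lines."""
    canonical = "\n".join(f"{p}={h}" for p, h in sorted(table.items())).encode()
    return hmac.new(BASELINE_KEY, canonical, hashlib.sha256).hexdigest()


def build_baseline(files: dict) -> dict:
    """Hash every file and authenticate the resulting table."""
    table = {path: file_digest(data) for path, data in files.items()}
    return {"hashes": table, "mac": baseline_mac(table)}


def verify(baseline: dict, files: dict) -> dict:
    """Compare the current files with the baseline.

    Returns whether the baseline itself is trustworthy (its MAC still checks out)
    and the sorted lists of modified, added and missing paths.
    """
    table = baseline["hashes"]
    baseline_ok = hmac.compare_digest(baseline_mac(table), baseline["mac"])
    current = {path: file_digest(data) for path, data in files.items()}
    return {
        "baseline_ok": baseline_ok,
        "modified": sorted(p for p in table if p in current and current[p] != table[p]),
        "added": sorted(p for p in current if p not in table),
        "missing": sorted(p for p in table if p not in current),
    }


if __name__ == "__main__":
    baseline = build_baseline(SAMPLE_FILES)
    # Simulate an infected script: extra bytes appended after the baseline was taken.
    infected = dict(SAMPLE_FILES)
    infected["bin/backup.sh"] += b"# unexpected extra line\n"
    print(verify(baseline, infected))  # 'modified' lists bin/backup.sh
```

A baseline whose expected hash has been rewritten without the key still reports no modified files, but its `baseline_ok` flag turns false, which is the signal the detection system should treat as tampering.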
Procedural controls for protecting against loss of availability extend to systems that provide redundancies, backups, and fault-tolerance. Such fail-safe systems ensure that if a security measure or control has failed, the system is not rendered to an insecure state. Backups make sure that data stays current. Redundancies extend to servers that provide failover protection. For example, in the case of one server being compromised, another secure server can instantly take its place.
Standard 3: Taking Control of Physical Environment Security

Data center or physical environment security is centered on the notion of availability. Attacks such as distributed denial of service (DDoS), cross-site scripting, and advanced persistent threats (APTs) represent actions whose goal is to deny availability.

Such initiatives strike at the heart of most data centers, which are based on near 24/7 access. For example, a primary aim of DDoS attacks is to deny users resources and to inflict collateral damage. Downed servers, which are the primary consequence of these attacks, can be costly to both users and companies.
Natural and man-made disasters also affect availability, although they're less frequent and not as severe as planned attacks. To ensure physical security, frequent off-site backups are critical. As mentioned earlier, redundancy also offers a key environment security feature.

Operational measures for protection overlap with initiatives that ensure physical environment security. A multi-layer approach is meant to cover any shortfalls or inadequacies. It includes:

• Separate Security Agents: Individual, discrete agents manage network, endpoint, and virtual security. However, this defense-in-depth approach consists of multiple agents that can be challenging to coordinate and control.
• Multi-vendor Approach: Combining the protection of multiple vendors reduces the overall risk posture. That's because if a threat eludes one vendor agent, there's a greater possibility it will be denied by the second agent.
• Security Intelligence Layer: Encompassing an entire landscape with an integrated view of security means that different point products can now be unified. Such an intelligence layer, combined with a pre-existing security landscape, offers comprehensive protection and better value.

In addition to the multi-layer approach, having good business continuity (BC) and disaster recovery (DR) capabilities in place is critical. These represent key components of effective physical environment security.

To achieve this protection level, increasing numbers of companies are also turning to suite-based products. Instead of creating manual "home-brew" security solutions with ad hoc technologies, they choose third-party suite-based access governance solutions that offer automated, user-friendly security tools. Most of these solutions centralize identity data capture, model business policy and roles, and proactively manage user and resource risk factors.

Standard 4: Network/Application Security

Certain security controls are more relevant to an organization's physical infrastructure, while others have more to do with management and administration. When it comes to system-related security, such as network safeguards or application controls, a number of diverse technologies offer protection.

Generally, the most effective and secure network environments are based on the principles of least privilege, minimization, and compartmentalization. These are also considered universal security principles and can be applied to a number of areas.

In terms of applications and network architecture, these standards should be considered fundamental:

• Least Privilege: This prevention measure reduces the number of privileges that can be assigned to either users or administrators and IT staff. Minimizing the number of capabilities reduces the potential for possible abuse and limits the extent of damage.

All information system environments can benefit from the least privilege measure. However, such security controls are especially important for networks, because any abuse can have far-reaching implications.
• Minimization: The principle of minimization prohibits the use of any system beyond its designated function. For example, a server designated for email could not have unrelated software installed or be used for purposes other than email. Such limitations increase security, minimize misuse, and enhance system performance.
• Compartmentalization: The use of compartments works to limit damage caused by unforeseen disasters or attacks. Having applications and processes separated from one another increases security because the effects or malfunctions of compromised systems can be isolated. Such a powerful security mechanism ensures that the effects of disasters or attacks can be contained until solutions are found.

It's necessary to create precise processes that define and control network access and configuration capabilities. A well-functioning change management process means that any system-based alterations are logged and executed in a controlled way. Logs can then be checked for any deviations or violations of a network security policy.

The concept of authorization is important here because network- and system-related access restrictions can limit changes and minimize potential damage from deliberate misconfigurations. Moreover, the concept of dual control reinforces security across a network.

Such a procedure divides responsibilities between the security group and the administrative group in charge of network processes. A combination of checks and balances ensures that network configuration logs are controlled not by administrators but by the security group, which can identify compromises in a network.
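The change-log review and dual-control rules from the three paragraphs above, as an added example that is not from the white paper: the security group runs a checker over the network configuration change log and flags records that break policy. The pipe-separated record layout, the group names, the action names and the log lines themselves are all constructed for this example.

```python
from dataclasses import dataclass

# Constructed change-log excerpt. Field layout (an assumption for this example):
# timestamp|actor|actor_group|target|action|ticket|approver|approver_group
CHANGE_LOG = """\
2013-04-02T09:12:00Z|bob|netadmin|fw-edge-01|rule-add|CHG-1041|carol|security
2013-04-02T09:40:00Z|bob|netadmin|fw-edge-01|rule-del||bob|netadmin
2013-04-02T10:05:00Z|dave|netadmin|switch-core-02|vlan-change|CHG-1042|dave|netadmin
2013-04-02T11:30:00Z|erin|helpdesk|fw-edge-01|rule-add|CHG-1043|carol|security
2013-04-02T12:00:00Z|dave|netadmin|switch-core-02|port-desc|CHG-1044|dave|netadmin
"""

# Policy knobs (constructed): who may execute network changes, which group must
# approve security-relevant changes, and which actions count as security-relevant.
SECURITY_GROUP = "security"
CHANGE_GROUPS = {"netadmin"}
SECURITY_RELEVANT_ACTIONS = {"rule-add", "rule-del", "vlan-change", "acl-change"}


@dataclass
class ChangeRecord:
    when: str
    actor: str
    actor_group: str
    target: str
    action: str
    ticket: str
    approver: str
    approver_group: str


def parse_log(text: str) -> list:
    """Parse pipe-separated records; a record with the wrong field count is an
    integrity problem in the log itself, so it is rejected rather than skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 8:
            raise ValueError(f"malformed change record: {line!r}")
        records.append(ChangeRecord(*fields))
    return records


def check_record(rec: ChangeRecord) -> list:
    """Return the policy violations for one change record (empty list if clean)."""
    problems = []
    # Authorization: only the designated administrative group may change network config.
    if rec.actor_group not in CHANGE_GROUPS:
        problems.append(f"actor {rec.actor} ({rec.actor_group}) not authorized to change network config")
    # Change management: every alteration must be tied to a recorded change ticket.
    if not rec.ticket:
        problems.append("no change ticket recorded")
    # Dual control: security-relevant changes need a second person from the security group.
    if rec.action in SECURITY_RELEVANT_ACTIONS:
        if rec.approver_group != SECURITY_GROUP:
            problems.append("dual control: approver must belong to the security group")
        if rec.approver == rec.actor:
            problems.append("dual control: actor approved their own change")
    return problems


def audit(text: str) -> dict:
    """Map record number (1-based) -> violations, only for records that break policy."""
    findings = {}
    for n, rec in enumerate(parse_log(text), start=1):
        problems = check_record(rec)
        if problems:
            findings[n] = problems
    return findings


if __name__ == "__main__":
    for n, problems in sorted(audit(CHANGE_LOG).items()):
        print(f"record {n}:")
        for p in problems:
            print(f"  - {p}")
```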
Conclusion

As organizations evaluate the available approaches to information security, they need to address a number of considerations in terms of operational, procedural, environmental, and system-related areas.

It's no longer about just protecting data. Businesses need to formulate coherent, systematic approaches to security by incorporating regulatory compliance, periodic assessments, and the application of relevant tools to eliminate security issues.

Effective authentication and authorization are basic principles that should be applied along with log-keeping and audit trails. Moreover, any physical environment should incorporate a multi-layer approach to compensate for inadequacies. Finally, effective protection of applications and networks is essential.

It requires a framework based on the concepts of least privilege, minimization, and compartmentalization to guarantee a comprehensive approach to company-wide security. Such high levels of optimization help to ensure that an organization's information security approach is both well-rounded and flexible enough to meet current and future threats.
Learn More

Learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge through training.

Cybersecurity Foundations
Security+ Prep Course (SYO-301)

Visit www.globalknowledge.com or call 1-800-COURSES (1-800-268-7737) to speak with a Global Knowledge training advisor.

About the Author

Kerry Doyle (MA, MSr, CPL) writes for a diverse group of companies based in technology, business, and higher education. As an educator, former editor at PC Computing, reporter for PC Week Magazine, and editor at ZDNet/CNet.com, he specializes in computing trends vital to IT professionals, from virtualization and open source to disaster recovery and network storage.
Copyright copy2013 Global Knowledge Training LLC All rights reserved 2
Applying the Four Standards of Security-Based CIA Kerry Doyle MA MSr CPL
IntroductionConstant change in the technology landscape has been mirrored by the steady evolution of information security The current information system environment is increasingly complex comprising storage servers LANsWANs workstations Unified Communications Intranet and Internet connections
Recent innovations such as social media have had a profound effect on security deployment within companies introducing new threats and vulnerabilities Moreover the explosion of related trends such as bring your own device (BYOD) further compromises security because users are accessing corporate content (data applications e-mails etc) from remote locations beyond perimeter security for example
Increased threat sophistication requires equally effective defense responses In addition to measuring compli-ance incorporating logsaudits and using outsourced security services and point products defining corporate-wide security policies is a critical first step Based on the C-I-A information security triad (confidentiality integ-rity availability) key areas to address should include questions such as ldquoWho sees the datardquo ldquoHas the data been corruptedrdquo and ldquoCan I access the server and data as neededrdquo
The range of security-based concerns and solutions is extensive and covers operational procedural environmen-tal and system-related areas In this white paper wersquoll explore the principles of information security and the four standards of security-based CIA that can effectively protect your environment
Standard 1 Operational Security and Identity Access Management (IAM)In order to protect against threats to the confidentiality integrity and availability of information assets orga-nizations need to put in place coherent security measures and policies The goal should be to define the opera-tional procedures guidelines and practices for configuring and managing security within an environment
The importance of having a corporate security policy in place cannot be understated Not only does it minimize risk it helps to show due diligence and compliance in terms of regulations that affect nearly every industry from finance to healthcare (PCI Sarbanes-Oxley HIPAA etc)
Copyright copy2013 Global Knowledge Training LLC All rights reserved 3
Because organizations face an array of both internal and external threats they require a thorough systematized approach to security Performing risk analysis is an important first step Security vulnerability assessments com-bined with protocols to follow and well-defined counter-actions are all part of creating a methodical approach to protection
Performing regular assessments of current security policies is also important It ensures that corporate policies are up to date and that an organization is able to respond adequately to new and developing threats
Establishing identityaccess management (IAM) controls guarantees that effective operational measures are in place in terms of security IAM tools and processes offer a critical framework for managing electronic identities Moreover well-defined business policies for IAM and for assigning access rights should be centrally controlled and enforced consistently across an organization
A centralized framework supports the critical processes that are the basis for successful identity access and risk management They include
bull Establishing compliance initiatives and meeting regulation requirements
bull Controlling user accessinstituting lifecycle management
bull Ensuring accountability
bull Automating processes to manage access risk
Increasingly organizations are choosing automated IAM approaches that include centralized dashboards of-fering data analysis via graphs charts and reports as well as advanced analytics that can be applied to pre-defined or customized security reports
In terms of operational security IAM controls can establish a clear operational ldquosnapshotrdquo of user access that enables corrective actions to be undertaken as needed Such an approach also ensures that all governance ac-tions are ldquostickyrdquo that is unable to be reversed unless approved by a recognized authority
In addition IAM has direct links to areas like security information and event management (SIEM) Often ad-ministrators are overwhelmed by the sheer amount of security data they must process Analysts and administra-tors have only enough time to manage the most critical SIEM notifications These include an excess of solution challenges (more issues than time to address) and false-positive overload Itrsquos no surprise that streamlined IAM controls can offer administrators critical support
Standard 2 Ensuring Procedural SecurityProcedural security looks at information security from the point of view of managementworkforce policies and controls Some examples include personnel screening policies guidelines for classifying and accessing informa-tion and procedures for assigning IDs and user access status to name a few
Copyright copy2013 Global Knowledge Training LLC All rights reserved 4
In terms of management policies well-defined and logical procedures ensure a measure of accountability and assurance They provide for the tracing of actions and events back in time to the users systems or processes to establish responsibility
The first step to procedural security involves identification Once a stakeholder is identified then authentication and authorization can take place Authentication is based on the axiom What You Know (passwords PINs codes etc) What You Have (keys tokens etc) and What You Are (biometric authentication fingerprint iris etc)
Logs and audit trails represent the next step in procedural security These relay detailed information about system-related actions and events as long as the integrity of the data can be established lsquoFunctionalityrsquo versus lsquoassurancersquo is one aspect of procedural security that is the most challenging Essentially the question centers on whether certain security actions performed were indeed successfully implemented
Confidentiality the ability to circumvent security controls has led to more stringent measures such as cryptog-raphy Encryption converts plain text into ciphered text ensuring a measure of confidentiality If intercepted illegally ciphered data canrsquot be easily read The Advanced Encryption Standard (AES) is a fast efficient algorithm for data at rest trusted platform modules (TPMs) can encrypt whole drives and SMIME encrypts e-mail
When it comes to ensuring integrity for example a hashing algorithm can create a hash or number for reli-able data security Detection systems can calculate hash consistency for all types of files including e-mails and protect against tampering Any modifications for example if a file is infected with a virus indicate that a file has lost integrity
Procedural controls for protecting against loss of availability extend to systems that provide redundancies back-ups and fault-tolerance Such failure systems ensure that if a security measure or control has failed the system is not rendered to an insecure state Backups make sure that data stays current Redundancies extend to servers that provide failover protection For example in the case of one server being compromised another secure server can instantly take its place
Standard 3 Taking Control of Physical Environment SecurityData center or physical environment security is centered on the notion of availability Attacks such as distributed denial of service (DDoS) cross-site scripting and advanced persistent threats (APTs) represent actions whose goal is to deny availability
Such initiatives strike at the heart of most data centers which are based on near 247 access For example a primary aim of DDoS attacks is to deny users resources and to inflict collateral damage Downed servers which are the primary consequence of these attacks can be costly to both users and companies
Copyright copy2013 Global Knowledge Training LLC All rights reserved 5
Natural and man-made disasters also affect availability although theyrsquore less frequent and not as severe as planned attacks To ensure physical security frequent off-site backups are critical As mentioned earlier redun-dancy also offers a key environment security feature
Operational measures for protection overlap with initiatives that ensure physical environment security A multi-layer approach is meant to cover any shortfalls or inadequacies It includes
bull Separate Security Agents Individual discrete agents manage network endpoint and virtual security However this defense in-depth approach consists of multiple agents that can be challenging to coordinate and control
bull Multi-vendor Approach Combining the protection of multiple vendors reduces the overall risk posture Thatrsquos because if a threat eludes one vendor agent therersquos a greater possibility it will be denied by the second agent
bull Security Intelligence Layer Encompassing an entire landscape with an integrated view of security means that different point products can now be unified such an intelligence layer combined with a pre-existing security landscape offers comprehensive protection and better value
In addition to the multi-layer approach having good business continuity (BC) and disaster recovery (DR) capa-bilities in place are critical These represent key components of effective physical environment security
To achieve this protection level increasing numbers of companies are also turning to suite-based products Instead of creating manual ldquohome-brewrdquo security solutions with ad hoc technologies they choose third-party suite-based access governance solutions that offer automated user-friendly security tools Most of these solu-tions centralize identity data capture business policy model roles and proactively manage user and resource risk factors
Standard 4 NetworkApplication Security Certain security controls are more relevant to an organizationrsquos physical infrastructure while others have more to do with management and administration When it comes to system-related security such as network safe-guards or application controls a number of diverse technologies offer protection
Generally the most effective and secure network environments are based on the principles of least privilege minimization and compartmentalization These are also considered universal security principles and can be applied to a number of areas
In terms of applications and network architecture these standards should be considered fundamental
bull Least Privilege This prevention measure reduces the number of privileges that can be assigned to either users or administrators and IT staff Minimizing the number of capabilities reduces the potential for possible abuse and limits the extent of damage
All information system environments can benefit from the least privilege measure However such security controls are especially important for networks because any abuse can have far-reaching implications
Copyright copy2013 Global Knowledge Training LLC All rights reserved 6
bull Minimization The principle of minimization prohibits the use of any system beyond its designated function For example a server designated for email could not have unrelated software installed or be used for purposes other than email Such limitations increase security minimize misuse and enhance system performance
bull Compartmentalization The use of compartments works to limit damage caused by unforeseen disasters or attacks Having applications and processes separated from one another increases security because the effects or malfunctions of compromised systems can be isolated Such a powerful security mechanism ensures that the effects of disasters or attacks can be contained until solutions are found
Itrsquos necessary to create precise processes that define and control network access and configuration capabili-ties A well-functioning change management process means that any system-based alterations are logged and executed in a controlled way Logs can then be checked for any deviations or violations of a network security policy
The concept of authorization is important here because network- and system-related access restrictions can limit changes and minimize potential damage from deliberate misconfigurations Moreover the concept of dual control reinforces security across a network
Such a procedure assigns different responsibilities between the security group and administrative group in charge of network processes A combination of checks and balances ensures that network configuration logs are controlled not by administrators but by the security group which could identify compromises in a network
ConclusionAs organizations evaluate the available approaches to information security they need to address a number of considerations in terms of operational procedural environmental and system-related areas
Itrsquos no longer about just protecting data Businesses need to formulate coherent systematic approaches to security by incorporating regulatory compliance periodic assessments and the application of relevant tools to eliminate security issues
Effective authentication and authorization are basic principles that should be applied along with log-keeping and audit trails Moreover any physical environment should incorporate a multi-layer approach to compensate for inadequacies Finally effective protection of applications and networks is essential
It requires a framework based on the concepts of least privilege minimization and compartmentalization to guarantee a comprehensive approach to company-wide security Such high levels of optimization help to ensure that an organizationrsquos information security approach is both well-rounded and flexible enough to meet current and future threats
Copyright copy2013 Global Knowledge Training LLC All rights reserved 7
Learn MoreLearn more about how you can improve productivity enhance efficiency and sharpen your competitive edge through training
Cybersecurity Foundations
Security+ Prep Course (SYO-301)
Visit wwwglobalknowledgecom or call 1-800-COURSES (1-800-268-7737) to speak with a Global Knowledge training advisor
About the AuthorKerry Doyle (MA MSr CPL) writes for a diverse group of companies based in technology business and higher education As an educator former editor at PC Computing reporter for PC Week Magazine and editor at ZDNetCNetcom he specializes in computing trends vital to IT professionals from virtualization and open source to disaster recovery and network storage
Copyright copy2013 Global Knowledge Training LLC All rights reserved 3
Because organizations face an array of both internal and external threats they require a thorough systematized approach to security Performing risk analysis is an important first step Security vulnerability assessments com-bined with protocols to follow and well-defined counter-actions are all part of creating a methodical approach to protection
Performing regular assessments of current security policies is also important It ensures that corporate policies are up to date and that an organization is able to respond adequately to new and developing threats
Establishing identityaccess management (IAM) controls guarantees that effective operational measures are in place in terms of security IAM tools and processes offer a critical framework for managing electronic identities Moreover well-defined business policies for IAM and for assigning access rights should be centrally controlled and enforced consistently across an organization
A centralized framework supports the critical processes that are the basis for successful identity access and risk management They include
bull Establishing compliance initiatives and meeting regulation requirements
bull Controlling user accessinstituting lifecycle management
bull Ensuring accountability
bull Automating processes to manage access risk
Increasingly organizations are choosing automated IAM approaches that include centralized dashboards of-fering data analysis via graphs charts and reports as well as advanced analytics that can be applied to pre-defined or customized security reports
In terms of operational security IAM controls can establish a clear operational ldquosnapshotrdquo of user access that enables corrective actions to be undertaken as needed Such an approach also ensures that all governance ac-tions are ldquostickyrdquo that is unable to be reversed unless approved by a recognized authority
In addition IAM has direct links to areas like security information and event management (SIEM) Often ad-ministrators are overwhelmed by the sheer amount of security data they must process Analysts and administra-tors have only enough time to manage the most critical SIEM notifications These include an excess of solution challenges (more issues than time to address) and false-positive overload Itrsquos no surprise that streamlined IAM controls can offer administrators critical support
Standard 2: Ensuring Procedural Security
Procedural security looks at information security from the point of view of management and workforce policies and controls. Examples include personnel screening policies, guidelines for classifying and accessing information, and procedures for assigning IDs and user access status.
In terms of management policies, well-defined and logical procedures ensure a measure of accountability and assurance. They provide for tracing actions and events back in time to the users, systems, or processes responsible.
The first step in procedural security involves identification. Once a stakeholder is identified, authentication and authorization can take place. Authentication is based on three factors: what you know (passwords, PINs, codes, etc.), what you have (keys, tokens, etc.), and what you are (biometrics such as a fingerprint or iris). Combining factors from two different categories (multi-factor authentication) means that the loss of a single password or token is not enough for an attacker to gain access.
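The factors above as working code, added here as an example (not code from the white paper): a password stored as a salted PBKDF2 hash covers "what you know", and a one-time code from an RFC 6238 TOTP token covers "what you have". Only the Python standard library is used. The user "alice", her password and the token secret (the RFC 4226/6238 test secret, so the codes can be checked against the published vectors) are constructed for illustration. "What you are" is not shown because biometric matching depends on sensor hardware.

```python
# Added example (not from the white paper): a login that combines "what you
# know" (a password stored as a salted PBKDF2-HMAC-SHA256 hash) with "what you
# have" (an RFC 6238 TOTP code from a hardware or phone token). Only the
# standard library is used; the enrolled user and the token secret are
# constructed for illustration.
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of time steps since the Unix epoch."""
    return hotp(secret, at_time // step, digits)


class Authenticator:
    def __init__(self, iterations: int = 200_000):
        self.iterations = iterations
        self.users = {}          # username -> record

    def enroll(self, username: str, password: str, totp_secret: bytes) -> None:
        salt = os.urandom(16)    # per-user salt defeats precomputed tables
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)
        self.users[username] = {
            "salt": salt,
            "pw_hash": pw_hash,
            "totp_secret": totp_secret,
            "last_counter": -1,  # highest TOTP step already accepted
        }

    def login(self, username: str, password: str, code: str, now: int, step: int = 30) -> bool:
        rec = self.users.get(username)
        if rec is None:
            return False
        # Factor 1 (what you know): re-derive and compare in constant time.
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], self.iterations)
        password_ok = hmac.compare_digest(candidate, rec["pw_hash"])
        # Factor 2 (what you have): allow one step of clock skew either way,
        # but never accept a step at or below the last one used (replay).
        counter = now // step
        matched = None
        for c in (counter - 1, counter, counter + 1):
            if c > rec["last_counter"] and hmac.compare_digest(hotp(rec["totp_secret"], c), code):
                matched = c
        # Both factors are evaluated before deciding, so a failure does not
        # reveal which one was wrong.
        if password_ok and matched is not None:
            rec["last_counter"] = matched
            return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test secret, constructed enrolment
    auth = Authenticator()
    auth.enroll("alice", "correct horse battery staple", secret)
    print(auth.login("alice", "correct horse battery staple", totp(secret, 59), now=59))
```

Two details matter for a practitioner: the replay guard (last_counter) rejects a code that has already been accepted even though it is still inside the skew window, and both factors are evaluated before either result is acted on, so a failed login does not tell an attacker which factor was wrong.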
Logs and audit trails represent the next step in procedural security. They provide detailed information about system-related actions and events, as long as the integrity of the log data itself can be established. 'Functionality' versus 'assurance' is the most challenging aspect of procedural security: the question is not merely whether a security action was performed but whether it was actually implemented successfully and can be shown to have been.
Confidentiality: because access controls can be circumvented, more stringent measures such as cryptography are applied to the data itself. Encryption converts plaintext into ciphertext, so data that is intercepted cannot be read without the key. The Advanced Encryption Standard (AES) is a fast, efficient algorithm for data at rest; full-disk encryption products use a trusted platform module (TPM) to seal the disk key so that it is released only when the boot measurements match (the TPM protects the key; it does not encrypt the drive itself); and S/MIME encrypts e-mail.
When it comes to ensuring integrity, a hashing algorithm produces a fixed-size digest (hash) of a file's contents that serves as a reliable fingerprint. Detection systems can compute and compare hashes for all types of files, including e-mail, to detect tampering: any modification, for example a file infected with a virus, changes the hash and shows that the file has lost integrity. A plain hash list only detects changes made by someone who cannot also rewrite the list, so the stored hashes themselves must be protected, for example by keying them (HMAC) or by signing the manifest.
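The integrity check described above, as an added example that is not code from the white paper: a baseline of keyed file digests is taken over a directory and later compared against it to report modified, added and deleted files. HMAC-SHA256 rather than a bare SHA-256 is used so that an attacker who can rewrite both the files and the stored digests still cannot produce matching tags without the key. The key, the directory and the files are constructed for illustration; in practice the key (or a signed manifest) must be held somewhere the monitored host cannot reach.

```python
# Added example (not from the white paper): a keyed file-integrity baseline.
# A plain hash manifest can be regenerated by whoever tampered with the files,
# so each entry is an HMAC-SHA256 tag under a key the monitored host should not
# hold in the clear. The sample tree is constructed in a temporary directory.
import hashlib
import hmac
import os
import tempfile


def file_tag(key: bytes, path: str, chunk: int = 65536) -> str:
    """HMAC-SHA256 over the file contents, streamed so large files fit in memory."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            mac.update(block)
    return mac.hexdigest()


def build_baseline(key: bytes, root: str) -> dict:
    """Map each path (relative to root) to its tag."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_tag(key, full)
    return baseline


def verify(key: bytes, root: str, baseline: dict) -> dict:
    """Compare the tree against the baseline; report modified, added and deleted paths."""
    current = build_baseline(key, root)
    modified = {p for p in baseline
                if p in current and not hmac.compare_digest(current[p], baseline[p])}
    return {
        "modified": modified,
        "added": set(current) - set(baseline),
        "deleted": set(baseline) - set(current),
    }


def demo() -> dict:
    """Constructed scenario: baseline three files, then tamper with the tree."""
    key = b"demo-key-keep-this-off-the-monitored-host"   # constructed key
    files = {
        "app.py": b"print('ok')\n",
        "config.ini": b"debug=0\n",
        "notes.txt": b"hello\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in files.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        baseline = build_baseline(key, root)
        # Simulated tampering: an injected line, a deleted file, a new file.
        with open(os.path.join(root, "app.py"), "ab") as fh:
            fh.write(b"import os; os.system('id')\n")
        os.remove(os.path.join(root, "notes.txt"))
        with open(os.path.join(root, "backdoor.sh"), "wb") as fh:
            fh.write(b"#!/bin/sh\n")
        return verify(key, root, baseline)


if __name__ == "__main__":
    print(demo())
```

A bare SHA-256 manifest is adequate when it is stored on a separate, read-only system and the comparison runs from there, which is how most host integrity monitors work; the keyed variant is for the case where the manifest has to live beside the files it protects.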
Procedural controls for protecting against loss of availability extend to systems that provide redundancy, backups, and fault tolerance. Fail-safe design ensures that if a security measure or control fails, the system does not fall into an insecure state. Backups ensure that data can be restored to a recent known-good point, which also requires that restores be tested. Redundancy extends to servers that provide failover protection; for example, if one server is compromised or fails, another can take its place. Note that a standby built from the same image carries the same vulnerability, so failover preserves availability but does not by itself address the compromise.
Standard 3: Taking Control of Physical Environment Security
Data center or physical environment security is centered on the notion of availability. Attacks such as distributed denial of service (DDoS) are aimed directly at denying availability. Cross-site scripting and advanced persistent threats (APTs) are often grouped with them, but they are primarily confidentiality and integrity threats; an APT may nonetheless end with destructive action that denies availability.
Such attacks strike at the heart of most data centers, which are built around near-24/7 access. For example, a primary aim of DDoS attacks is to deny users resources and to inflict collateral damage. Downed servers, the primary consequence of these attacks, are costly to both users and companies.
Natural and man-made disasters also affect availability. They are less frequent than deliberate attacks, though a fire, flood, or power loss can take an entire site offline. To ensure physical security, frequent off-site backups are critical; as mentioned earlier, redundancy is also a key environmental security feature.
Operational measures for protection overlap with initiatives that ensure physical environment security. A multi-layer approach is meant to cover any shortfalls or inadequacies. It includes:
• Separate Security Agents: Individual, discrete agents manage network, endpoint, and virtual security. This defense-in-depth approach consists of multiple agents, however, which can be challenging to coordinate and control.
• Multi-vendor Approach: Combining the protection of multiple vendors reduces overall risk, because if a threat eludes one vendor's agent there is a greater chance it will be caught by the second. The gain is real only where the products use different detection methods; two products fed by the same signature source miss the same things.
• Security Intelligence Layer: Encompassing the entire landscape with an integrated view of security means that different point products can be unified. Such an intelligence layer, combined with the pre-existing security landscape, offers comprehensive protection and better value.
In addition to the multi-layer approach, having good business continuity (BC) and disaster recovery (DR) capabilities in place is critical. These represent key components of effective physical environment security.
To achieve this level of protection, increasing numbers of companies are also turning to suite-based products. Instead of creating manual "home-brew" security solutions with ad hoc technologies, they choose third-party suite-based access governance solutions that offer automated, user-friendly security tools. Most of these solutions centralize identity data capture, model business policy and roles, and proactively manage user and resource risk factors.
Standard 4: Network/Application Security
Certain security controls are more relevant to an organization's physical infrastructure, while others have more to do with management and administration. When it comes to system-related security, such as network safeguards or application controls, a number of diverse technologies offer protection.
Generally, the most effective and secure network environments are based on the principles of least privilege, minimization, and compartmentalization. These are also considered universal security principles and can be applied to a number of areas.
In terms of applications and network architecture, these standards should be considered fundamental:
• Least Privilege: This preventive measure limits users, administrators, and IT staff to the privileges their tasks actually require. Minimizing the capabilities an account holds reduces the potential for abuse and limits the extent of damage if the account is compromised.
All information system environments benefit from least privilege. However, such controls are especially important for networks, because abuse of a network-level privilege can have far-reaching implications.
• Minimization: The principle of minimization prohibits the use of any system beyond its designated function. For example, a server designated for e-mail should not have unrelated software installed or be used for purposes other than e-mail. Such limits shrink the attack surface, minimize misuse, and enhance system performance.
• Compartmentalization: Compartments limit the damage caused by unforeseen disasters or attacks. Keeping applications and processes separate from one another (on separate hosts, network segments, or sandboxed processes) increases security because the effects of a compromised or malfunctioning system can be isolated. This mechanism contains the effects of a disaster or attack until a solution is found.
It is necessary to create precise processes that define and control network access and configuration capabilities. A well-functioning change management process means that any system alteration is logged and executed in a controlled way. Logs can then be checked for any deviations from, or violations of, the network security policy.
The concept of authorization is important here, because network- and system-related access restrictions limit who can make changes and so minimize the potential damage from deliberate misconfiguration. Moreover, the concept of dual control reinforces security across a network.
Such a procedure divides responsibilities between the security group and the administrative group in charge of network processes. This system of checks and balances ensures that network configuration logs are controlled not by the administrators who make the changes but by the security group, which can then spot unauthorized changes that may indicate a compromise.
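Change management with dual control, as described in the three paragraphs above, as an added example that is not code from the white paper: administrators propose configuration lines, only the security group may approve, nobody may approve their own proposal, each step is appended to a hash-chained log, and a device's running configuration is compared against the approved lines to find deviations. The users, roles, device name and configuration lines are constructed for illustration.

```python
# Added example (not from the white paper): change control with dual control
# and a tamper-evident log. Network administrators may propose configuration
# changes; only the security group may approve them, and nobody may approve a
# change they proposed. Every step is appended to a hash-chained log, and the
# running configuration can be checked against the approved changes to find
# deviations. Users, roles and configuration lines are constructed.
import hashlib
import json

# Constructed role assignments; a person may hold more than one role.
ROLES = {
    "alice":     {"network-admin", "security"},
    "bob":       {"network-admin"},
    "sec-carol": {"security"},
}


class AuditLog:
    """Append-only log in which each entry commits to the hash of the previous one."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev: str, event: dict) -> str:
        body = json.dumps(event, sort_keys=True)   # canonical form so the hash is reproducible
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        h = self._digest(prev, event)
        self.entries.append({"prev": prev, "event": event, "hash": h})
        return h

    def verify_chain(self) -> bool:
        """Recompute every link; an edited, removed or reordered entry breaks the chain."""
        prev = self.GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(prev, e["event"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class ChangeControl:
    def __init__(self, roles: dict, log: AuditLog):
        self.roles = roles
        self.log = log
        self.pending = {}      # change id -> request
        self.approved = []     # (device, config line) pairs that completed the process
        self.next_id = 1

    def propose(self, actor: str, device: str, line: str) -> int:
        if "network-admin" not in self.roles.get(actor, set()):
            raise PermissionError(f"{actor} may not propose changes")
        cid = self.next_id
        self.next_id += 1
        self.pending[cid] = {"proposer": actor, "device": device, "line": line}
        self.log.append({"action": "propose", "id": cid, "actor": actor,
                         "device": device, "line": line})
        return cid

    def approve(self, actor: str, cid: int) -> None:
        req = self.pending[cid]
        if "security" not in self.roles.get(actor, set()):
            raise PermissionError(f"{actor} is not in the security group")
        if actor == req["proposer"]:
            raise PermissionError("dual control: a change cannot be approved by its proposer")
        self.log.append({"action": "approve", "id": cid, "actor": actor})
        self.approved.append((req["device"], req["line"]))
        del self.pending[cid]

    def unapproved_lines(self, device: str, running_config: list) -> list:
        """Lines present on the device that never went through an approved change."""
        allowed = {line for dev, line in self.approved if dev == device}
        return [line for line in running_config if line not in allowed]


if __name__ == "__main__":
    log = AuditLog()
    cc = ChangeControl(ROLES, log)
    cid = cc.propose("alice", "core-rtr-1", "permit tcp any host 10.0.0.5 eq 22")
    cc.approve("sec-carol", cid)
    running = ["permit tcp any host 10.0.0.5 eq 22", "permit ip any any"]
    print("unapproved:", cc.unapproved_lines("core-rtr-1", running))
    print("chain intact:", log.verify_chain())
```

The hash chain makes silent editing or deletion of log entries detectable but does not prevent it; for the separation the paper calls for, the log must be written to storage the administrators cannot modify (a write-once log host owned by the security group), with the chain head signed or published periodically.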
Conclusion
As organizations evaluate the available approaches to information security, they need to address a number of considerations in operational, procedural, environmental, and system-related areas.
It is no longer just about protecting data. Businesses need to formulate coherent, systematic approaches to security by incorporating regulatory compliance, periodic assessments, and the application of relevant tools to eliminate security issues.
Effective authentication and authorization are basic principles that should be applied along with log-keeping and audit trails. Moreover, any physical environment should incorporate a multi-layer approach to compensate for inadequacies. Finally, effective protection of applications and networks is essential.
It requires a framework based on the concepts of least privilege, minimization, and compartmentalization to support a comprehensive approach to company-wide security. Applied together, these measures help to ensure that an organization's information security approach is both well-rounded and flexible enough to meet current and future threats.
Learn More
Learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge through training.
Cybersecurity Foundations
Security+ Prep Course (SYO-301)
Visit www.globalknowledge.com or call 1-800-COURSES (1-800-268-7737) to speak with a Global Knowledge training advisor.
About the Author
Kerry Doyle (MA, MSr, CPL) writes for a diverse group of companies based in technology, business, and higher education. As an educator, former editor at PC Computing, reporter for PC Week Magazine, and editor at ZDNet/CNet.com, he specializes in computing trends vital to IT professionals, from virtualization and open source to disaster recovery and network storage.