Question 1
Assume that you have converted part of an area of general office space into a server room that will be staffed. Describe the factors you would consider when planning for each of the following:
- Walls and doors
- Physical access control
- Fire detection and suppression
 
Correct Answer: 
- Walls and doors: Due to the construction of the walls and doors of the facility, the security of information assets can sometimes be compromised. In high-security areas such as a server room, firewalls (fire-rated walls) and doors with either mechanical or electromechanical locks should be used.
- Physical access control: For physical security, a secure facility is an ideal location that has been engineered with a number of controls designed to minimize the risk of attacks from physical threats. An organization should consider using as many security controls as feasible in order to secure a server room. Typical physical security controls include:
  - Walls, fencing, and gates: Deter unauthorized access to the facility
  - Guards: Evaluate each situation as it arises and make reasoned responses
  - ID cards and badges: Authenticate an authorized individual with access to the facility
  - Locks and keys: Prevent an intruder from gaining access to the secured location
  - Mantraps: Deny unauthorized entry and trap an intruder in a small enclosure
  - Electronic monitoring: Record events within a specific area that a guard might miss, or record events in areas where other types of physical controls are not practical
  - Alarms and alarm systems: Notify the appropriate individual when a predetermined event or activity occurs
  - Interior walls and doors: Provide physical security not only from potential intruders but also from fires
- Fire detection and suppression: Either manual or automatic fire detection systems need to be installed, since you cannot suppress a fire that has not been detected. Automatic detection systems include thermal detection systems, smoke detection systems, and flame detectors. An organization should consider installing one of these fire detection systems depending on its budget. There are a variety of fire suppression systems commonly used in many organizations, including portable, manual, and automatic apparatus. One or more fire suppression systems should be prepared in case of emergency. In a server room, most sprinkler systems are inappropriate because of the risk to the equipment, though newer ultra-fine mist systems might be a good choice. These systems produce a fog-like mist that, because the droplets are much less susceptible to gravity, stays buoyant (airborne) much longer. As a result, a much smaller quantity of water is required. A gaseous fire suppression system would be ideal for the server equipment but can be lethal to humans. A carbon dioxide system would be a poor choice for this reason. Some newer gaseous clean agents present less of a risk to humans and could be considered if employees have the ability to evacuate in a timely manner.
 
Question 2
Name and describe the four basic conversion strategies discussed in the text that may be used when converting to a new system. Be sure to mention the advantages and disadvantages of each approach.
Correct Answer: 
- Direct changeover: Also known as going “cold turkey,” a direct changeover involves stopping the old method and beginning the new. This could be as simple as having employees follow the existing procedure one week, and then use a new procedure the next. Some cases of direct changeover are simple, such as a change that involves requiring employees to use a new password (which uses a stronger degree of authentication) beginning on an announced date; some may be more complex, such as requiring the entire company to change procedures when the network team disables an old firewall and activates a new one. The primary drawback to the direct changeover approach is that if the new system fails or needs modification, users may be without services while the system’s bugs are worked out. Complete testing of the new system in advance of the direct changeover helps to reduce the probability of these problems.
 - Phased implementation: A phased implementation is the most common conversion strategy and involves rolling out a piece of the system across the entire organization. This could mean that the security group implements only a small portion of the new security profile, giving users a chance to get used to it and resolving small issues as they arise. This is usually the best approach to security project implementation. For example, if a new VPN solution that employees can use to connect to the organization’s network while they’re traveling is to be introduced, then each week one department might be added to the group allowed to use the new VPN, and this process would continue until all departments are using the new approach.
 - Pilot implementation: The pilot implementation involves implementing all security improvements in a single office, department, or division, and resolving issues within that group before expanding to the rest of the organization. The pilot implementation works well when an isolated group can serve as the “guinea pig,” which keeps the implementation from dramatically impacting the performance of the organization as a whole. The operation of a research and development group, for example, may not impact the real-time operations of the organization and could assist security in resolving issues that emerge.
 - Parallel operations: The parallel operations strategy involves running the new methods alongside the old methods. In general, this means running two systems concurrently, and in terms of information systems, it might involve, for example, running two firewalls concurrently. Although this approach is usually a complex operation, it can be one that reinforces an organization’s information security by allowing the old system(s) to serve as backup for the new systems if they fail or are compromised. Drawbacks usually include the need to deal with both systems and maintain both sets of procedures.
 
Question 3
A proven method for prioritizing a program of complex change is the bull's-eye method. As presented in the figure below, the approach relies on a process of project plan evaluation in four layers. Explain how these layers are used and in what order.
Correct Answer: 
- Policies: This is the outer, or first, ring in the bull’s-eye diagram. The critical importance of policies has been emphasized throughout the text. The foundation of all effective information security programs is sound information security and information technology policy. Since policy establishes the ground rules for the use of all systems and describes what is appropriate and what is inappropriate, it enables all other information security components to function correctly. When deciding how to implement complex changes and choose from conflicting options, you can use policy to clarify what the organization is trying to accomplish with its efforts.
 - Networks: In the past, most information security efforts focused on this layer, and so until recently information security was often considered synonymous with network security. In today’s computing environment, implementing information security is more complex because networking infrastructure often comes into contact with threats from the public network. Those organizations new to the Internet find (as soon as their policy environment defines how their networks should be defended) that designing and implementing an effective DMZ is the primary way to secure an organization’s networks. Secondary efforts in this layer include providing the necessary authentication and authorization when allowing users to connect over public networks to the organization’s systems.
 - Systems: Many organizations find that the problems of configuring and operating information systems in a secure fashion become more difficult as the number and complexity of these systems grow. This layer includes computers used as servers, desktop computers, and systems used for process control and manufacturing systems.
 - Applications: The layer that receives attention last is the one that deals with the application software systems used by the organization to accomplish its work. This includes packaged applications, such as office automation and e-mail programs, as well as high-end enterprise resource planning (ERP) packages that span the organization. Custom application software developed by the organization for its own needs is also included.
 
The bull’s-eye model can also be used to evaluate the sequence of steps taken to integrate parts of the information security blueprint into a project plan. As suggested by its bull’s-eye shape, this model dictates the following:
- Until sound and useable IT and information security policies are developed, communicated, and enforced, no additional resources should be spent on other controls.
 - Until effective network controls are designed and deployed, all resources should go toward achieving this goal (unless resources are needed to revisit the policy needs of the organization).
 - After policies and network controls are implemented, implementation should focus on the information, process, and manufacturing systems of the organization. Until there is well-informed assurance that all critical systems are being configured and operated in a secure fashion, all resources should be spent on reaching that goal.
 - Once there is assurance that policies are in place, networks are secure, and systems are safe, attention should move to the assessment and remediation of the security of the organization’s applications. As in all planning efforts, attention should be paid to the most critical applications first.
 
Question 4
Answer one of the two options:
- Compare and contrast the functions of a CISO, a security manager, and a security technician.
 - Describe the options available for the location of the information security functions within the organization, including the advantages and disadvantages of each. Be sure to mention at least three of the likely locations, including the most common location.
 
Correct Answer: 
- Chief Information Security Officer (CISO): This is typically the top information security officer in the organization. Though CISOs are business managers first and technologists second, they must be conversant in all areas of information security, including the technical, planning, and policy areas. In many cases, the CISO is the major definer or architect of the information security program. The CISO performs the following functions:
- Manages the overall information security program for the organization
 - Drafts or approves information security policies
 - Works with the CIO on strategic plans, develops tactical plans, and works with security managers on operational plans
 - Develops information security budgets based on available funding
 - Sets priorities for the purchase and implementation of information security projects and technology
 - Makes decisions or recommendations on the recruiting, hiring, and firing of security staff
 - Acts as the spokesperson for the information security team
 
- Security Technician: Security technicians are the technically qualified individuals tasked to configure firewalls, deploy IDPSs, implement security software, diagnose and troubleshoot problems, and coordinate with systems and network administrators to ensure that an organization’s security technology is properly implemented. The position of security technician is often entry level, but to be hired in this role, candidates must possess some technical skills.
- There are several valid choices for positioning the information security department within an organization. The model commonly used by large organizations places the information security department within the information technology department and usually designates as its head the CISO, who reports directly to the company’s top computing executive, or CIO. Such a structure implies that the goals and objectives of the CISO and CIO are aligned. This is not always the case, however. By its very nature, an information security program can, at times, be at odds with the goals and objectives of the information technology department as a whole. The CIO, as the executive in charge of the organization’s technology, strives to create efficiency in the processing and accessing of the organization’s information, and thus, anything that limits access or slows information processing can impede the CIO’s mission for the entire organization. The CISO’s function is more like that of an internal auditor in that the CISO must direct the information security department to examine existing systems in order to discover information security faults and flaws in technology, software, and employees’ activities and processes. These examinations can disrupt the processing and accessing of an organization’s information. Because the addition of multiple layers of security inevitably slows the data users’ access to information, information security may be viewed as a hindrance to the organization’s operations.
Because the goals and objectives of CIOs and CISOs tend to contradict each other, the trend among many organizations has been to separate their information security function from their IT division. The information security function can be placed within any of the other following organizational functions:
- Physical security function, as a peer of physical security or protective services
 - Administrative services function, as a peer of human resources or purchasing
 - Insurance and risk management function
 - Legal department
 
 
Question 5
In digital forensics, most investigations follow the same basic methodology. Describe the steps involved after permission to investigate has been granted.
Correct Answer: 
In digital forensics, all investigations follow the same basic methodology:
- Identify relevant items of evidentiary value (EM) - One of the crucial aspects of any digital forensic investigation is the process of identifying the potential EM and its probable location. Users have access to many online server locations, via free e-mail archives, ftp servers, video archives, and the like, and could have terabytes of information stored in offsite locations across the Web or on their local systems. Unless investigators have an idea of what to look for, they may never find it in such a vast array of possible locations.
 - Acquire (seize) the evidence without alteration or damage - The principal responsibility of the response team is to acquire the information without altering it. A normal system consequence of the search for EM could be portrayed by a defense attorney as affecting the authenticity or integrity of the EM, which could lead a jury to suspect that the EM was planted or is otherwise suspect. The biggest challenge is to show that the person under investigation is the one who stored, used, and maintained the EM, or who conducted the unauthorized activity.
 - Take steps to assure that the evidence is at every step verifiably authentic and is unchanged from the time it was seized - Once the evidence is acquired, both the copy image and the original drive should be handled so as to avoid legal challenges based on authenticity and preservation of integrity. If the organization or law enforcement cannot demonstrate that no one had physical access to the evidence, they cannot provide strong assurances that it has not been altered. Once the evidence is in the possession of investigators, they must track its movement, storage, and access until the resolution of the event or case. This is typically accomplished by means of chain of evidence or chain of custody procedures.
- Analyze the data without risking modification or unauthorized access - The copy or image is typically transferred to the laboratory for the next stage of authentication. The team must be able to demonstrate that any analyzed copy or image is a true and accurate replica of the source EM. This is accomplished by the use of cryptographic hash tools. The most complex part of an investigation is the analysis of the copy or image for potential EM. Two industry-leading applications dominate the market for digital forensics: Guidance Software’s EnCase and AccessData Forensics Tool Kit (FTK). Each of these tools is designed to support a law enforcement investigation and assist in the management of the entire case.
- Report the findings to the proper authority - As investigators examine the analyzed copies or images and identify potential EM, they can tag it and add it to their case files. Once they have found a suitable amount of information they can summarize their findings, along with a synopsis of their investigatory procedures, in a report and submit it to the appropriate authority. This authority could be law enforcement or management.
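The acquisition, integrity-verification and chain-of-custody steps above, as an added example that is not part of the original answer key: it assumes SHA-256 as the cryptographic hash, uses a constructed byte string in place of a seized drive, and the item id and custodian names are placeholders.

```python
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for a seized drive: a few KB of bytes, not real evidence.
SOURCE_DRIVE = (b"\xebX\x90MSDOS5.0" + b"\x00" * 501 + b"\x55\xaa") * 8


def sha256_hex(data: bytes) -> str:
    """Hash used to show an image is a true and accurate replica of the source."""
    return hashlib.sha256(data).hexdigest()


def acquire_image(source: bytes) -> tuple[bytes, str, str]:
    """Bit-for-bit copy of the source, hashed before and after copying.

    Returns (image, source_hash, image_hash). If the two hashes differ, the
    acquisition altered the data and the image cannot be presented as evidence.
    """
    source_hash = sha256_hex(source)
    image = bytes(source)           # read-only copy; the source is never written
    image_hash = sha256_hex(image)
    return image, source_hash, image_hash


def verify_image(image: bytes, expected_hash: str) -> bool:
    """Re-hash the working copy and compare it to the acquisition hash."""
    return sha256_hex(image) == expected_hash


class ChainOfCustody:
    """Log of every handoff; each entry re-verifies the image against the acquisition hash."""

    def __init__(self, item_id: str, acquisition_hash: str, custodian: str):
        self.item_id = item_id
        self.acquisition_hash = acquisition_hash
        self.entries = [self._entry(custodian, acquisition_hash, "acquired")]

    @staticmethod
    def _entry(custodian: str, observed_hash: str, action: str) -> dict:
        return {"time": datetime.now(timezone.utc).isoformat(),
                "custodian": custodian, "sha256": observed_hash, "action": action}

    def transfer(self, to_custodian: str, image: bytes) -> bool:
        """Record a handoff; returns False if the image no longer matches the acquisition hash."""
        observed = sha256_hex(image)
        self.entries.append(self._entry(to_custodian, observed, "transfer"))
        return observed == self.acquisition_hash

    def is_intact(self) -> bool:
        """True only if every logged hash equals the acquisition hash."""
        return all(e["sha256"] == self.acquisition_hash for e in self.entries)


if __name__ == "__main__":
    image, src_hash, img_hash = acquire_image(SOURCE_DRIVE)
    chain = ChainOfCustody("ITEM-001", img_hash, "first responder")   # placeholder id/name
    chain.transfer("lab analyst", image)
    tampered = image[:-1] + b"\x00"   # constructed: one byte changed between handoffs
    chain.transfer("examiner", tampered)
    print("chain intact:", chain.is_intact())   # False: the last handoff hash differs
```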
 
Question 6
Does the use of passwords (as a single factor) to authenticate users for access to systems (especially online) still provide the necessary security? A complete answer will need to explain what problems exist and how they might be resolved going forward. So, if you're going to support passwords, you'll have to explain how they can still offer security given the problems identified in class and in the referenced articles. If you're going to support other options, you'll have to explain how they address the problems identified in class and in the referenced articles (explaining why they are better). This is a critical thinking question, so there is no right or wrong answer prescribed in advance. You'll earn the points by defending whatever position you take.
Correct Answer: 
This is a critical thinking question, so there is no right or wrong answer prescribed in advance. You'll earn the points by defending whatever position you take.
 
Question 7
Extra Credit: The text's recommended model for dealing with change caused by information security maintenance (the maintenance model) is based on five subject areas or domains. Name and briefly describe each of these domains.
Correct Answer: 
The five domains of the maintenance model are:
- External Monitoring – provide early awareness of new and emerging threats, threat agents, vulnerabilities, and attacks that is needed to mount an effective and timely defense. External monitoring entails collecting intelligence from various data sources and then giving that intelligence context and meaning for use by decision makers within the organization.
 - Internal Monitoring – maintain an informed awareness of the state of all of the organization’s networks, information systems, and information security defenses. This awareness must be communicated and documented, especially for components that are exposed to the external network. The value of internal monitoring is high when the resulting knowledge of the network and systems configuration is fed into the vulnerability assessment and remediation maintenance domain. But this knowledge becomes invaluable when incident response processes are fully integrated with the monitoring processes.
 - Planning and risk assessment – keep a lookout over the entire information security program, in part by identifying and planning ongoing information security activities that further reduce risk. In fact, the bulk of the security management maintenance model could fit in this domain. Also, the risk assessment group identifies and documents risks introduced by both IT projects and information security projects. It also identifies and documents risks that may be latent in the present environment.
 - Vulnerability assessment and remediation – the identification of specific, documented vulnerabilities and their timely remediation. This would include using documented vulnerability assessment procedures to collect intelligence about networks (internal and public-facing), platforms (servers, desktops, and process control), dial-in modems, and wireless network systems safely. Penetration testing might also be performed.
 - Readiness and review – keep the information security program functioning as designed and to keep it continuously improving over time.
 
Tuesday, January 14, 2014
CIS 481-20: INTRO TO INFORM SECURITY EXAM 3 PART 2