CISSP - Certified Information Systems Security Professional Study Guide, 2nd Edition (2004)

Review Questions

18. What is the time-of-check?

A. The length of time it takes a subject to check the status of an object

B. The time at which the subject checks on the status of the object

C. The time at which a subject accesses an object

D. The time between checking and accessing an object

19. How can electromagnetic radiation be used to compromise a system?

A. Electromagnetic radiation can be concentrated to disrupt computer operation.

B. Electromagnetic radiation makes some protocols inoperable.

C. Electromagnetic radiation can be intercepted.

D. Electromagnetic radiation is necessary for some communication protocol protection schemes to work.

20. What is the most common programmer-generated security flaw?

A. TOCTTOU vulnerability

B. Buffer overflow

C. Inadequate control checks

D. Improper logon authentication


Answers to Review Questions

1. B. A system certification is a technical evaluation. Option A describes system accreditation. Options C and D refer to manufacturer standards, not implementation standards.

2. A. Accreditation is the formal acceptance process. Option B is not an appropriate answer because it addresses manufacturer standards. Options C and D are incorrect because there is no way to prove that a configuration enforces a security policy and accreditation does not entail secure communication specification.

3. C. A closed system is one that uses largely proprietary or unpublished protocols and standards. Options A and D do not describe any particular systems, and Option B describes an open system.

4. C. A constrained process is one that can access only certain memory locations. Options A, B, and D do not describe a constrained process.

5. A. An object is a resource a user or process wishes to access. Option A describes an access object.

6. D. A control limits access to an object to protect it from misuse from unauthorized users.

7. B. IPSec is a security protocol that defines a framework for setting up a secure channel to exchange information between two entities.

8. C. TCSEC defines four major categories: Category A is verified protection, category B is mandatory protection, category C is discretionary protection, and category D is minimal protection.

9. C. The TCB is the part of your system you can trust to support and enforce your security policy.

10. A, B. Although the most correct answer in the context of this chapter is B, option A is also a correct answer in the context of physical security.

11. C. Options A and B are not valid TCB components. Option D, the security kernel, is the collection of TCB components that work together to implement the reference monitor functions.

12. B. Option B is the only option that correctly defines a security model. Options A, C, and D define part of a security policy and the certification and accreditation process.

13. D. The Bell-LaPadula and Biba models are built on the state machine model.

14. A. Only the Bell-LaPadula model addresses data confidentiality. The other models address data integrity.

15. C. The no read up property, also called the Simple Security Policy, prohibits subjects from reading a higher security level object.

16. A. A covert channel is any method that is used to secretly pass data and that is not normally used for communication. All of the other options describe normal communication channels.

17. A. An entry point that only the developer knows about into a system is a maintenance hook, or back door.


18. B. Option B defines the time-of-check (TOC), which is the time at which a subject verifies the status of an object.

19. C. If a receiver is in close enough proximity to an electromagnetic radiation source, it can be intercepted.

20. B. By far, the buffer overflow is the most common, and most avoidable, programmer-generated vulnerability.

Chapter 13 Administrative Management

THE CISSP EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:

Operations Security Concepts

Handling of Media

Types of Security Controls

Operations Security Controls

All companies must take into account the issues that can make day-to-day operations susceptible to breaches in security. Personnel management is a form of administrative control, or administrative management, and is an important factor in maintaining operations security. Clearly defined personnel management practices must be included in your security policy and subsequent formalized security structure documentation (i.e., standards, guidelines, and procedures). The topics of antivirus management and operations security are related to personnel management because personnel management can directly affect security and daily operations. They are included in the Operations Security domain of the Common Body of Knowledge (CBK) for the CISSP certification exam, which deals with topics and issues related to maintaining an established secure IT environment. Operations security is concerned with maintaining the IT infrastructure after it has been designed and deployed and involves using hardware controls, media controls, and subject (user) controls that are designed to protect against asset threats.

This domain is discussed in this chapter and further in the following chapter (Chapter 14, “Auditing and Monitoring”). Be sure to read and study both chapters to ensure complete coverage of the essential antivirus and operations material for the CISSP certification exam.

Antivirus Management

Viruses are the most common form of security breach in the IT world. Any communications pathway can be and is being exploited as a delivery mechanism for a virus or other malicious code. Viruses are distributed via e-mail (the most common means), websites, and documents and even within commercial software. Antivirus management is the design, deployment, and maintenance of an antivirus solution for your IT environment.

If users are allowed to install and execute software without restriction, then the IT infrastructure is more vulnerable to virus infections. To provide a more virus-free environment, you should make sure software is rigidly controlled. Users should be able to install and execute only company approved and distributed software. All new software should be thoroughly tested and scanned before it is distributed on a production network. Even commercial software has become an inadvertent carrier of viruses.

Users should be trained in the skills of safe computing, especially if they are granted Internet access or have any form of e-mail. In areas where technical controls cannot prevent virus infections, users should be trained to prevent them. User awareness training should include information about handling attachments or downloads from unknown sources and unrequested attachments from known sources. Users should be told to never test an executable by executing it. All instances of suspect software should be reported immediately to the security administrator.


Antivirus software should be deployed on multiple levels of a network. All traffic—including internal, inbound, and outbound—should be scanned for viruses. A virus scanning tool should be present on all border connection points, on all servers, and on all clients. Installing products from different vendors on each of these three arenas will provide a more thorough and foolproof scanning gauntlet.

Never install more than one virus scanning tool on a single system. It will cause an unrecoverable system failure in most cases.

Endeavor to have 100-percent virus-free servers and 100-percent virus-free backups. To accomplish the former, you must scan every single bit of data before it is allowed into or onto a server for processing or storage. To accomplish the latter, you must scan every bit of data before it is stored onto the backup media. Having virus-free systems and backups will enable you to recover from a virus infection in an efficient and timely manner.

In addition to using a multilevel or concentric circle antivirus strategy, you must maintain the system. A concentric circle strategy basically consists of multiple layers of antivirus scanning throughout the environment to ensure that all current data and backups are free from viruses. Regular updates to the virus signature and definitions database should be performed. However, distribution of updates should occur only after verifying that the update is benign. It is possible for virus lists and engine updates to crash a system.

Maintain vigilance by joining notification newsletters, mailing lists, and vendor sites. When a new virus epidemic breaks out, take appropriate action by shutting down your e-mail service or Internet connectivity (if at all possible) until a solution/repair/inoculation is available.

Operations Security Concepts

The Operations Security domain is a broad collection of many concepts that are both distinct and interrelated, including operational assurance, backup maintenance, changes in location, privileges, trusted recovery, configuration and change management control, due care and due diligence, privacy, security, and operations controls. The following sections highlight these important day-to-day issues that affect company operations by discussing them in relation to maintaining security.

Operational Assurance and Life Cycle Assurance

Assurance is the degree of confidence you can place in the satisfaction of security needs of a computer, network, solution, and so on. It is based on how well a specific system complies with stated security needs and how well it upholds the security services it provides. Assurance was discussed in Chapter 12, “Principles of Security Models,” but there is another element of assurance that applies to the Operations Security domain.


The Trusted Computer System Evaluation Criteria (TCSEC) is used to assign a level of assurance to systems. TCSEC, or the Orange Book, also defines two additional types or levels of assurance: operational assurance and life cycle assurance. As you are aware, TCSEC was replaced by Common Criteria in December 2000. It is, however, important to be aware of TCSEC-related material simply as a means to convey concepts and theories about security evaluation. Thus, you don’t need to know the complete details of these two assurance levels, but there are a few specific issues that you should be familiar with.

Operational assurance focuses on the basic features and architecture of a system that lend themselves to supporting security. There are five requirements or elements of operational assurance:

System architecture

System integrity

Covert channel analysis

Trusted facility management

Trusted recovery

Life cycle assurance focuses on the controls and standards that are necessary for designing, building, and maintaining a system. The following are the four requirements or elements of life cycle assurance:

Security testing

Design specification and testing

Configuration management

Trusted distribution

Backup Maintenance

Backing up critical information is a key part of maintaining the availability and integrity of data. Systems fail for various reasons, such as hardware failure, physical damage, software corruption, and malicious destruction from intrusions and attacks. Having a reliable backup is the best form of insurance that the data on the affected system is not permanently lost. Backups are an essential part of maintaining operations security and are discussed in Chapter 16, “Disaster Recovery Planning.”

Changes in Workstation/Location

Changes in a user’s workstation or in their physical location within an organization can be used as a means to improve or maintain security. Similar to job rotation, changing a user’s workstation prevents a user from altering the system or installing unapproved software because the next person to use the system would most likely be able to discover it. Having nonpermanent workstations encourages users to keep all materials stored on network servers where they can be easily protected, overseen, and audited. It also discourages the storage of personal information on the system as a whole. A periodic change in the physical location of a user’s workspace can also be a deterrent to collusion because users are less likely to be able to convince employees with whom they’re not familiar to perform unauthorized or illegal activities.


Need-to-Know and the Principle of Least Privilege

Need-to-know and the principle of least privilege are two standard axioms of high-security environments. A user must have a need-to-know to gain access to data or resources. Even if that user has an equal or greater security classification than the requested information, if they do not have a need-to-know, they are denied access. A need-to-know is the requirement to have access to, knowledge about, or possession of data or a resource to perform specific work tasks. The principle of least privilege is the notion that users should be granted the least amount of access to the secure environment as possible for them to be able to complete their work tasks.
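The two axioms above are easy to state and easy to get wrong in an access-control routine, so here is an added worked example (not code from the study guide): a read decision that applies the level check and the need-to-know check separately, and a helper that derives the least-privilege clearance for a job role from the labels it must touch. The level names, compartment tags, subjects and objects are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed ordering of sensitivity levels; index order is the dominance order.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP_SECRET"]


@dataclass(frozen=True)
class Label:
    """A security level plus the need-to-know compartments attached to it."""
    level: str
    compartments: frozenset = frozenset()

    def rank(self) -> int:
        return LEVELS.index(self.level)


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Label          # what the user is cleared for


@dataclass(frozen=True)
class SecureObject:
    name: str
    classification: Label     # what the data is labelled


def can_read(subject: Subject, obj: SecureObject) -> tuple[bool, str]:
    """Decide a read request: no read up (level check) AND need-to-know
    (every compartment on the object must be on the subject's clearance).
    The reason string is returned so a denial can be logged."""
    if subject.clearance.rank() < obj.classification.rank():
        return False, "no read up: clearance below object classification"
    missing = obj.classification.compartments - subject.clearance.compartments
    if missing:
        return False, f"no need-to-know for {sorted(missing)}"
    return True, "clearance dominates classification"


def least_privilege_clearance(required: list[Label]) -> Label:
    """Least privilege: the smallest clearance that still dominates every
    label a job role must access -- the highest required level, the union of
    the required compartments, and nothing more."""
    if not required:
        return Label("UNCLASSIFIED")
    level = max(required, key=Label.rank).level
    compartments = frozenset().union(*(lab.compartments for lab in required))
    return Label(level, compartments)


# Constructed sample subjects and object (assumed names, not from the book).
PAYROLL_FILE = SecureObject("payroll.xlsx", Label("SECRET", frozenset({"PAYROLL"})))
ALICE = Subject("alice", Label("TOP_SECRET", frozenset({"PROJECT_X"})))  # higher level, no need-to-know
BOB = Subject("bob", Label("SECRET", frozenset({"PAYROLL"})))            # same level, has need-to-know
CAROL = Subject("carol", Label("CONFIDENTIAL", frozenset({"PAYROLL"})))  # need-to-know but lower level

if __name__ == "__main__":
    for who in (ALICE, BOB, CAROL):
        print(who.name, *can_read(who, PAYROLL_FILE))
    print(least_privilege_clearance([PAYROLL_FILE.classification,
                                     Label("CONFIDENTIAL", frozenset({"HR"}))]))
```

The point the chapter makes shows up in the first two decisions: Alice holds a higher clearance than the payroll file requires and is still denied, because the PAYROLL compartment is not part of her need-to-know, while Bob, at the same level as the file, is allowed.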

Privileged Operations Functions

Privileged operations functions are activities that require special access or privileges to perform within a secured IT environment. In most cases, these functions are restricted to administrators and system operators. Maintaining privileged control over these functions is an essential part of sustaining the system’s security. Many of these functions could be easily exploited to violate the confidentiality, integrity, or availability of the system’s assets.

The following list includes some examples of privileged operations functions:

Using operating system control commands

Configuring interfaces

Accessing audit logs

Managing user accounts

Configuring security mechanism controls

Running script/task automation tools

Backing up and restoring the system

Controlling communication

Using database recovery tools and log files

Controlling system reboots

Managing privileged access is an important part of keeping security under control. In addition to restricting privileged operations functions, you should also employ separation of duties. Separation of duties ensures that no single person has total control over a system’s or environment’s security mechanisms. This is necessary to ensure that no single person can compromise the system as a whole. It can also be called a form of split knowledge. In deployment, separation of duties is enforced by dividing the top- and mid-level administrative capabilities and functions among multiple trusted users.

Further control and restriction of privileged capabilities can be implemented by using two-man controls and rotation of duties. Two-man control is the configuration of privileged activities so that they require two administrators to work in conjunction in order to complete the task. The necessity of two operators also gives you the benefits of peer review and reduced likelihood of collusion and fraud. Rotation of duties is the security control that involves switching several privileged security or operational roles among several users on a regular basis. For example, if an organization has divided its administrative activities into six distinct roles or job descriptions, then six or seven people need to be cross-trained for those distinct roles. Each person would work in a specific role for two to three months, and then everyone in this group would be switched or rotated to a new role. When the organization has more than the necessary minimum number of trained administrators, every rotation leaves out one person, who can take some vacation time and serve as a fill-in when necessary. The rotation of duties security control provides for peer review, reduces collusion and fraud, and provides for cross-training. Cross-training makes your environment less dependent on any single individual.
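As an added example covering the privileged operations list, separation of duties, two-man control and rotation of duties from the paragraphs above (illustration written for this page, not the study guide's own code): an authorization routine that only lets a privileged function proceed when a second, differently-named administrator from the entitled duty group approves it, and a scheduler that implements the six-roles, seven-people rotation the chapter describes. The operation catalogue, role names and people are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed role map: which duty groups may request or approve which
# privileged function.  Keeping audit-log access away from the account
# administrators is the separation-of-duties choice this map encodes.
PRIVILEGED_OPERATIONS = {
    "manage_user_accounts": {"accounts_admin"},
    "access_audit_logs": {"audit_admin"},
    "restore_backup": {"backup_admin", "ops_admin"},
    "reboot_system": {"ops_admin"},
}


@dataclass(frozen=True)
class Admin:
    name: str
    roles: frozenset


@dataclass
class Request:
    operation: str
    requester: Admin
    approvals: list = field(default_factory=list)   # Admins who signed off


def authorize(req: Request) -> tuple[bool, str]:
    """Two-man control: the operation proceeds only if the requester holds a
    role for it AND a second, different admin holding such a role approves.
    Self-approval is ignored, and an approver from an unrelated duty group
    does not count, so one person can never complete the task alone."""
    entitled = PRIVILEGED_OPERATIONS.get(req.operation)
    if entitled is None:
        return False, f"unknown privileged operation {req.operation!r}"
    if not (req.requester.roles & entitled):
        return False, f"{req.requester.name} holds no role for {req.operation}"
    for approver in req.approvals:
        if approver.name == req.requester.name:
            continue
        if approver.roles & entitled:
            return True, f"approved by {approver.name}"
    return False, "second entitled approver required"


@dataclass
class RotationPeriod:
    assignment: dict     # role -> person on duty
    off_duty: list       # cross-trained people not assigned this period


def rotation_schedule(roles: list[str], people: list[str], periods: int) -> list[RotationPeriod]:
    """Rotation of duties: each period every role shifts to the next trained
    person.  With one more person than roles, one person sits out each period
    and is available as a fill-in, which is the scheme the chapter describes."""
    if len(people) < len(roles):
        raise ValueError("need at least as many cross-trained people as roles")
    schedule = []
    for p in range(periods):
        assignment = {role: people[(i + p) % len(people)] for i, role in enumerate(roles)}
        off = sorted(set(people) - set(assignment.values()))
        schedule.append(RotationPeriod(assignment, off))
    return schedule


# Constructed sample data: six roles, seven cross-trained administrators.
ROLES = ["accounts", "audit", "backup", "network", "ops", "security"]
PEOPLE = ["ann", "ben", "cy", "dee", "eli", "fay", "gus"]

if __name__ == "__main__":
    alice = Admin("alice", frozenset({"accounts_admin"}))
    bob = Admin("bob", frozenset({"accounts_admin"}))
    carol = Admin("carol", frozenset({"audit_admin"}))
    print(authorize(Request("manage_user_accounts", alice, [alice])))   # self-approval rejected
    print(authorize(Request("manage_user_accounts", alice, [carol])))   # wrong duty group
    print(authorize(Request("manage_user_accounts", alice, [bob])))     # two-man control satisfied
    for period in rotation_schedule(ROLES, PEOPLE, 2):
        print(period.assignment, "off duty:", period.off_duty)
```

Two design choices are worth noting. Approvals are matched on the approver's identity, not merely on role, so a single admin holding every role still cannot self-approve. And the rotation uses a fixed offset per period, which guarantees that over seven periods every person holds every role once and sits out exactly once.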

Trusted Recovery

For a secured system, trusted recovery is recovering securely from operation failures or system crashes. The purpose of trusted recovery is to provide assurance that after a failure or crash, the rebooted system is no less secure than it was before the failure or crash. You must address two elements of the process to implement a trusted recovery solution. The first element is failure preparation. In most cases, this is simply the deployment of a reliable backup solution that keeps a current backup of all data. A reliable backup solution also implies that there is a means by which data on the backup media can be restored in a protected and efficient manner. The second element is the process of system recovery. The system should be forced to reboot into a single-user nonprivileged state. This means that the system should reboot so that a normal user account can be used to log in and that the system does not grant unauthorized access to users. System recovery also includes the restoration of all affected files and services active or in use on the system at the time of the failure or crash. Any missing or damaged files are restored, any changes to classification labels are corrected, and the settings on all security-critical files are verified.

Trusted recovery is a security mechanism discussed in the Common Criteria. The Common Criteria defines three types or hierarchical levels of trusted recovery:

Manual Recovery: An administrator is required to manually perform the actions necessary to implement a secured or trusted recovery after a failure or system crash.

Automated Recovery: The system itself is able to perform trusted recovery activities to restore a system, but only against a single failure.

Automated Recovery without Undue Loss: The system itself is able to perform trusted recovery activities to restore a system. This level of trusted recovery allows for additional steps to provide verification and protection of classified objects. These additional protection mechanisms may include restoring corrupted files, rebuilding data from transaction logs, and verifying the integrity of key system and security components.
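The two elements of trusted recovery described above (failure preparation, then verified system recovery) map naturally onto a baseline-and-verify routine. The following is an added example, not code from the study guide: a baseline of content hashes and permission bits is recorded while the system is known-good, the critical set is re-verified after a reboot, and only the flagged files are restored from backup media before the check runs again. The file names, contents and permission bits are constructed for the illustration.

```python
import hashlib
import os
import shutil
import stat
import tempfile

# Constructed set of security-critical files with the permission bits the
# baseline expects.  The paths are assumptions for the illustration.
CRITICAL_FILES = {
    "etc/security.conf": (b"enforce_labels=1\nmin_password_len=12\n", 0o640),
    "etc/labels.db": (b"finance.xlsx:SECRET\nmemo.txt:UNCLASSIFIED\n", 0o600),
    "etc/audit.rules": (b"-w /etc/labels.db -p wa -k labels\n", 0o640),
}


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str, relpaths) -> dict:
    """Record content hash and permission bits while the system is known-good;
    this is the failure-preparation half of trusted recovery."""
    baseline = {}
    for rel in relpaths:
        path = os.path.join(root, rel)
        baseline[rel] = {"sha256": sha256_of(path),
                         "mode": stat.S_IMODE(os.stat(path).st_mode)}
    return baseline


def verify(root: str, baseline: dict) -> list:
    """After reboot, compare every critical file with the baseline.  Returns a
    list of (relpath, problem); an empty list means the critical set is intact."""
    problems = []
    for rel, expected in baseline.items():
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            problems.append((rel, "missing"))
            continue
        if sha256_of(path) != expected["sha256"]:
            problems.append((rel, "content changed"))
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode != expected["mode"]:
            problems.append((rel, f"mode {oct(mode)} expected {oct(expected['mode'])}"))
    return problems


def restore_from_backup(root: str, backup_root: str, baseline: dict, problems: list) -> list:
    """Restore only the flagged files from backup media, reapply the baseline
    permissions, then re-verify so the recovery step is itself checked."""
    for rel in sorted({rel for rel, _ in problems}):
        src, dst = os.path.join(backup_root, rel), os.path.join(root, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(src, dst)
        os.chmod(dst, baseline[rel]["mode"])
    return verify(root, baseline)


def demo() -> tuple:
    """Constructed scenario: take a baseline and a backup, then simulate a crash
    that corrupts one file, loses another and loosens permissions on a third."""
    root, backup = tempfile.mkdtemp(), tempfile.mkdtemp()
    try:
        for base in (root, backup):
            for rel, (data, mode) in CRITICAL_FILES.items():
                path = os.path.join(base, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as f:
                    f.write(data)
                os.chmod(path, mode)
        baseline = build_baseline(root, CRITICAL_FILES)
        # Simulated damage from the failure.
        with open(os.path.join(root, "etc/security.conf"), "ab") as f:
            f.write(b"\x00\x00garbage")
        os.remove(os.path.join(root, "etc/labels.db"))
        os.chmod(os.path.join(root, "etc/audit.rules"), 0o666)
        before = verify(root, baseline)
        after = restore_from_backup(root, backup, baseline, before)
        return before, after
    finally:
        shutil.rmtree(root)
        shutil.rmtree(backup)


if __name__ == "__main__":
    found, remaining = demo()
    print("problems after crash:", found)
    print("problems after restore:", remaining)
```

The permission check matters as much as the hash: a file whose content is intact but whose mode was loosened by the failure would pass a content-only check, yet it is exactly the "settings on all security-critical files" the chapter says must be verified. The mode comparison relies on POSIX permission bits, so it is meaningful on Unix-like systems only.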

Configuration and Change Management Control

Once a system has been properly secured, it is important to keep that security intact. Change in a secure environment can introduce loopholes, overlaps, missing objects, and oversights that can lead to new vulnerabilities. The only way to maintain security in the face of change is to systematically manage change. Typically, this involves extensive logging, auditing, and monitoring
