This site is 100% ad supported. Please add an exception to adblock for this site.

Security+ Domain 5.0


undefined, object
copy deck
Physical Security
Involves protecting systems from bodily contact - controlling access to hardware and software. It also prevents ability to access data directly and create additional security threats by changing account or configuration settings. Also, environmental conditions (floods, fires, etc).
Designing Security
Important to strike a balance between the cost of security and the potential loss; you are better able to determine its non-monetary or potential value by determining the difficulty in replacing it; look at the importance of the equipment as well as its monetary value.
Where should servers, secondary routers, and switches be stored?
They should be stored in cabinets, closets or rooms that are locked, have limited access, air-conditioned, and have other protective measures in place to safeguard equipment.
Access Control
Physical security is needed to manage who can and cannot enter sensitive areas. Access logs require anyone entering a secure area to sign in before entering. Video cameras, electronic surveillance, alarms, motion detectors, body heat detectors, and weight sensors can also monitor those granted access to sensitive areas.
Power-on Password
Requires anyone who starts the computer to enter a password before the OS loads.
BIOS Password
Prevents unauthorized persons from accessing the setup software and making changes to the computer. Setting this password also prevents malicious users from configuring Power-on and BIOS passwords.
Physical Barriers
Windows should be locked and alarmed. Air vents can also provide a route into a room, so any large vents should be bolted shut with grates. Make sure that the walls, ceiling and floor are secure.
Workstation Security
Many portable computers and workstations have a lock slot on the back panel. Disk locks can be used to prevent unauthorized persons from using floppy disks, CD burners, etc.
Uses the physical attributes of a person to determine whether access should be given (fingerprints, voice patterns, facial characteristics, retina or iris scans).
Social Engineering
Understanding of human behavior - hackers misrepresent themselves or trick a person into revealing information. Best way to prevent is through education
Environment Security
Temperature, humidity, airflow, electrical interference, and electrostatic discharge (ESD).
Chip (socket) Creep
Expansion and contraction that occurs in mother boards and other circuit boards as the result of temperature increases and decreases.
Electrostatic Discharge - Dry conditions create an atmosphere that allows static electricity to build up. If humidity level is too high, it can also cause ESD because water particles that conduct electricity can condense and stick to hardware components. Keep humidity levels between 70-90%.
Wireless Cells
If antennas are placed too close to exterior walls, wireless transmissions can leak outside of an office - move them away from walls (center of office floor is best); shielding can also be used to prevent wireless transmissions from escaping.
Location Security
Environmental factors surrounding the building must be considered - geographical locations will vary, and so will the security plan - always consider where equipment is place. Servers and other vital equipment should be raised off the floor to prevent flood damage; always ensure that the location is sasfe from accident.
Noise - EMI and RFI interference; to prevent data corruption from EMI and RFI, computers and other equipment should be kep away from electrical equipment, magnets, and other sources. Higher grades of cabling should be used (STP).
Cabling Security
Cable should not be run along the outside of walls or open areas where people may come into contact with it; cable should be contained within tubing or some other protective covering that will prevent accidental or malicious actions from occuring.
Fire Suppression
Water sprinklers are not an option in server rooms or other areas storing devices; when choosing fire suppression systems, it's important to choose one that will put out a fire, but not destoy equipment - referred to as clean agent fire extinguishing systems.
Clean agents (fire suppression)
Halon 1301 (no longer used - damages ozone); Inergen (IG-541); HFC-227ea; FE-13, CO2 Systems.
Computer Forensics
Application of computer skills and investigation techniques for the purpose of acquiring evidence (collecting, examining, preserving, and presenting evidence that is stored or transmitted in an electronic format.
First security issue that should be dealt with is promoting awareness. Users of a system are the first to notice and report problems.
Incident Response Team
Members should be experienced in handling issues relating to unauthorized access, denial, or disruptions of service, viruses, unauthorized changes to systems or data, critical system failures, or attempts to breach the policies and/or security of an organization.
What should be done while waiting for the incident response team?
The scence should be vacated, and any technologies involved should be left as they were. Users should also document what they observed when the incident occurred, and list anyone who was in the area.
Contingency Plan
Addresses how a company should handle intrusions and other incidents. Should also address how the company will continue to function during the investigation. Backup equipment may be used to replace servers and other devices so that employees can still perform their jobs.
4 Basic components of forensics
Evidence must be Collected, Examined, Preserved, and Presented.
Documentation provides a clear understanding of what occurred to obtain the evidence, and what the evidence represents. Information should include: date, time, conversations pertinent to investigation, tasks that were performed to obtain evidence, names of those present or who assisted, and anything else relevent to forensic prodecures.
3 major roles of investigation
First responder, investigator, and crime scene technician.
Chain of Custody
Documents who handled or possessed evidence during the course of the investigation and every time that evidence is transferred to someone else's possession.
Evidence Log
Document that inventories all evidence collected in a case. It includes a description of each piece of evidence, serial numbers, identifying marks or numbers, and other information that is required by policy or local law.
What should be collected first at a crime scene?
Volatile data should be collected first - it's data that may be lost once power is lost.
Forensically Sterile
Disks used to copy data has no other data on it and no viruses or defects.
What volatile information should be collected?
Use command line functions: netstat, ipconfig, and arp -a and doument this volatile data.
Special Software for recovering data (SafeBack)
SafeBack - capable of duplicating individual partitions or entire disks of virtually any size, and the image files can be transferred to SCSI tape units or almost any other magnetic storage media. SafeBack contains CRC functions and uses timestamps. No compression or translation is used in creating images (to avoid legal concerns).
Special Software for recovering data (EnCase)
Friendly graphical interface software used to backup partitions.
Special Software for recovering data (ProDiscover)
Creates bitstream copies saved as compressed image files on the forensic workstation - ability to recover deleted files from slack space.
Risk Identification
Process of ascertaining what threats pose a risk to a company so that it can be dealt with accordingly. Each business must identify the risks they may be in danger of confronting. Disasters can be naturally occurring or the result of accidents and malfunctions.
Asset Identification
Assets should be inventoried as part of the risk management process - hardware, software installations (both commercial and in-house), data (databases, financial spreadsheets, crucial documents). Tagging and inventorying assets allows you to identify what assets are at risk, so that you can develop plans to protect, recover, and replace them. Also can be used to make insurance claims.
Value of Assets
Cost of replacement must be determined and used in calculations. The weight of the asset is based upon the impact a loss will have on the company - value is on a scale of 1 to 10 (10 highest).
Risk Assessment
Research must be performed to determine the likelihood of risks within a locality or with certain resources. By determining this, you can determine what is known as ARO.
Annualized Rate of Occurrance - likelihood of risks occuring within a year. Acquired through: police departments, insurance companies, news agencies, computer incident monitoring organizations, and online resources. Once the ARO is calculated for a risk, it can be compared to the monetary loss associated with an asset.
Single Loss Expectancy - monetary loss including the price of new equipment, hourly wages of person replacing equipment, cost of employees unable to perform their work, etc.
Annual Loss Expectancy - ARO X SLE = ALE (Assessment must be done on how much needs to be budgeted to handle the probability of the event occurring.
Determining Annual Loss
1) What is the ARO for the risk; 2) calculate the SLE for this risk; 3) using the formula ARO X SLE = ALE; 4) Determine whether it's beneficial in terms of monetary value to add new security measures, or anti-virus software, etc.
Threat Identification
Goal is to manage risks, so that the problems resulting from them will be minimized. The cost of providing too much security may be more expensive that the value of the asset. Rule of thumb is to decide which risks are acceptable.
Transferring Potential Loss
Examples: Moving to a more secure location, insurance policies, leasing of equipment.
Identifying vulnerabilities that exist can lessen the possibility that a threat will occur by taking measures to remove the weakness from a system (physical security, software patches, fixes and upgrades).
Privilege Management
Administration and control of the resources and data available to users and groups in an organization. Determines whether a specific user could print to a particular printer, use a special program, or access files in specified directories.
Policy and Procedures
Policy: used to address concerns and identify risks (example is physical security); Procedures: series of steps that inform someone how to perform a task and/or deal with a problem (example is retore backed up data).
What does create policies and procedures document?
It documents answers to the following: who, what, where, why, when and how. Who and where: specify person or departments affected; what: details what's being addressed; when: time policy comes into effect and expiration date; why: purpose of policy (background issues); how: procedure needed to make it work.
Restricted Access Policies
Important that each user only receive minimum access required to do their job - usually requires some investigation.
Workstation Security Policy
Permissible to store non-work related files; install programs or change settings; alter display; modify protocol settings; install a malicious or virus-infected program; install games. This policy should also address how workstations will be configured when initially put into use.
Physical Security Policies
Should also address physical security: servers and other vital equipment should be locked in a secure room; locks, biometric authentication, etc.
Acceptable Use Policies
Establishes guidelines on the appropriate use of technology - outlines what types of activities are permissible when using computer or network; what an organization considers proper; restricts users from making threatening, racist, sexist or offensive comments; restricts types of Web sites and email employees are allowed to access.
Hostile Work Environment
Conduct of employees, management, or non-employees becomes a hindrance to an employee's job performance.
What's the best way to enforce an acceptable use policy?
Audits should be conducted on a regular basis, inclusive of audits od data stored in personal directories and local hard drives and audits firewall and system logs to determine what has been accessed. Email as well.
Due Care
Level of care that a reasonable person would exercise in a given situation - is used to address problems of negligence. Due care may appear as a policy or concept mentioned in other policies of an organization.
Privacy Policy
Commonly state that an organization has the right to inspect the data stored on company equipment. This allows an organization to perform audits on the data stored on hard disks of workstations, laptops, and network servers (unauthorized software, email, web site data).
Separation of Duties
Ensures that tasks are assigned to personnel in a manner that no single employee can control a process from beginning to end. Common occurance in secure environments and involves each person having a different job - less chance of leak, and each person can become an expert in their job.
Need to Know
People only being given the information or access to data that they need to perform their jobs - prevents data leaks; non-disclosure agreement is a formal agreement between employee and company.
Strong Passwords
Minimum 8 characters long: lower and upper case letters, numbers and special characters. Passwords should be changed after a set period of time (45 to 90 days) and can't be reused until they've been changed a certain number of times.
Multifaceted Security System
SecureID tokens are small components that can fit on a key ring and be carried by the user in their pocket - has digital display that shows a number that changes at regular intervals. This device is used in conjunction with a username and password.
Administrator Passwords
Should be limits on who knows the password to this account - it should also be written down, sealed in an envelope, and stored in a safe.
Service Level Agreement - agreements between clients and service providers that outline what services will be supplied, what is expected from the service, and who'll fix it - contract. To enforce SLA, penalties or financial incentives may be specified.
Internal SLA
May specify that all equipment must be purchased through the IT department; may also be used to specify the services the organization expects the IT staff to provide.
Data Disposal & Destruction
A degausser (powerful magnet that erases all data from magnetic media) can be used to erase hard disks; hard disks can also be physically scarred or destroyed. Documents should be shredded.
Bulk Demagnetizer
Another name for a degausser, which is used to destroy data on magnetic media (hard disks, floppy disks, and backup tapes).
HR Policy
May be responsible for issuing ID cards and key cards, so HR must work closely with IT department. HR performs such tasks as hiring, firing, retirement, etc - needs to contact IT department to establish/remove network account, username and password/privileges.
Code of Ethics
Statement of mission and values, which outlines the organization's perspective on principles and beliefs that employees are expected to follow.
What the difference between use policy and code of ethics?
Code of ethics outlines the ethical behavior expected from employees (racism, sexism, etc.) - explains the type of person a company expects you to be; Use Policy addresses the same issues, but also addresses how they relate to equipment and technologies. Example: Code of Ethics may say racism is not tolerated, while the Use Policy would address sending racist jokes via email.
Incident Response Policy
Provides a clear understanding of what decisive actions will be taken, who will be responsible for investigating and dealing with problems.
Single Sign-on
Allow a user to sign in from one computer, be authenticated by the network, and use resources and data from any server to which they have access (Novell: NDS), (Microsoft: Active Directory).
Centralized Security
Refers to the location of servers, which are are located in a single room. This allows administrators to visit one location to perform security related tasks such as back-ups, fixing filed hardware, upgrading system software, or dealing with incidents that are adverse to security.
Decentralized Security
Location of servers and hardware devices is spread out. The advantage of this is fault tolerance, but disadvantages are security and maintenance of system.
Process of monitoring and examining items to determine if problems exist (logs, data, and other sources can assistt in determining if there are lapses in security).
Audits can be used to monitor privileges to resources and data, and to reveal incorrect security settings (incorrect permissions, changes to accounts, restarts, and shutdowns), virus detection.
Auditing logon and logoff failures can provide an indication that someone is atempting to hack their way into a system using a particular account or set of accounts.
Monitoring the escalating use of accounts or the irregular hours that accounts are being used can also indicate intrusions - determine if additional servers, services, or resources are required on a network.
Military strength - every account and object is associated with groups and roles that control their level of security and access. MAC provides granular level of security.
Less stringent that MAC, provides access on the basis of users and groups. DAC allows access to data to be granted and denied at the discretion of the data owner.
Education and Documentation
Vital part of any secure system. Knowledge users can be an important line of defense, as they will be better able to avoid making mistakes that jeopardize security.
User Awareness
Involves taking steps to make users conscious of and responsive to security issues, rules, and practices.
Primary method of promoting user awareness and improving the skills and abilities of employees. Added benefit of lowering support costs, as users who are able to fix simple problems will not be as likely to call the help desk.
Online Resources
Policies, procedures, and other documention should be available through the network, as it will provide an easy, accessible, and controllable method of disseminating information.
Standards and Guidelines
Another term used to describe the policies and procedures used in an organization. Standards are levels of excellence that an organization expects its members to live up to; Guidelines offer instructions on how members can achieve these standards.
System Architecture
Documentation about a system architecture should be created to provide information on the system, its layout and design, and any of the subsystems used to create it. It provides a reference that can be used in the future when problems occur and/or changes are made.
Documentation of system architecture examples
Software, hardware, protocols etc. Components that make up design (routers, servers, firewalls). Server: processor, motherboard, BIOS, components installed, asset tags and serial numbers, protocol information, administrative passwords.
Change Documentation
Provides information of changes that have been made to a syste, and often provides back out steps that show how to restore the system to its previous state.
Give automated information on events that have occurred, including accounts that were used to log on, activities performed by users and by the system, and problems that transpired.
Provide a record of devices and software making up a network - provide a record that can be used to determine which computers require upgrades, which are old and need to be removed from service, and other common tasks.
System of classification should be explained through a corporate policy, which defines the terms used and what they mean. Levels: public or unclassified, classified, management only, department specific, private or confidential, high security levels, and not to be copied.
Retention / Storage
Retention policy clearly states when stored data is to be removed. Length of time data is stored can be dictated by legal requirements or corporate decision-making. Retention and storage documentation is necessary to keep track of data, so that it can be determined what data should be removed and/or destroyed once a specific date is reached.
When the retention period is reached, data needs to be destroyed. Standard methods of physically destroying magnetic media: acid pulverization, and incineration. Keep a log of what items have been destroyed and when and how the destruction was accomplished.
Disaster Recovery
Plan used to identify such potental threats or terrorism, fire, flooding, and other incidents, and provide guidance on how to deal with such events.
Fundamental part of any disaster recovery plan - copied to a type of media that can be stored in a separate location. Type of media will depend on the amount being copied: DAT (digital audio tape); DLT (digital linear tape), computer disks (CD-R, CD-RW) or floppy disks.
Backup Types
Full backup: backs up all data in a single job (all data, system files, and software) - archive bit is changed; Incremental - backs up all data that was changed since the last backup. Differential - backs up all data that has changed since the last full backup; Copy Backup - makes a full backup but doesn't change the archive.
Rotation Schemes
Rotating between different sets of tapes, data is not always being backed up to the same tapes, and previous set is always available locations.
Grandfather, Father, and Son - Full backup is considered Father, while the daily backup is considered the Son, Grandfather is an additional full backup that is performed monthly and stored offsite.
Alternate Sites
Hot Site, Warm Site, and Cold Site
Disaster Recovery Plan
Provides procesures for recovering from a disaster after it occurs.
Risk Analysis
Should be performed to determine what is at risk when a disaster occurs. Loss of data, loss of software and hardware, and loss of personnel.
Business Continuity
Process that identifies key functions of an organization, threats nost likely to endanger them, and creates processes and procedures that ensure these functions will not be interrupted.
Business Recovery Plan
Addresses how business functions will resume after a disaster at an alternate site.
Business Resumption Plan
Addresses how critical systems and key functions of a business will be maintained.
To continue doing normal business functions, administrators need to implement equipment that will provide these services when the utility companies cannot.
Uninterruptible Power Supply - Power supplies that can switch over to a batter backup
High Availability
Provided through redundant systems and fault tolerance. Redundancy is often found in networks, multiple links are used to connect sites on a wide area network.
Point of Presence
Access point to the Internet, therefore having multiple points of presence will allow access to the Internet if one goes down.
Disk Striping - 2 or more disks
RAID 0+1
Disk Striping with Mirroring - Combined feature of RAID 0 and RAID 1.
Mirror or Duplexing
Disk Striping With Parity - 3 or more disks.
Is RAID hardware or software?
RAID is available through hardware of software - can support hot swapping.

Deck Info