CASP ? 91-120

Conduct a vulnerability assessment to determine the security posture of the new devices and the application.

Benchmark other organization’s that already encountered this type of situation and apply all relevant learning’s and industry best practices.

Work with the business to understand and classify the risk associated with the full lifecycle of the hardware and software deployment.

Develop a standard image for the new devices and migrate to a web application to eliminate locally resident data.

Schedule weekly vulnerability assessments

Implement continuous log monitoring

Scan computers weekly against the baseline

Require monthly reports showing compliance with configuration and updates

Develop a memorandum of understanding on what the MSS is responsible to provide.

Create internal metrics to track MSS performance.

Establish a mutually agreed upon service level agreement.

Issue a RFP to ensure the MSS follows guidelines.

Require each person joining the company’s social networking initiative to accept a nondisclosure agreement.

Establish a specific set of trained people that can release information on the organization’s behalf.

Require a confidential statement be attached to all information released to the social networking sites.

Establish a social media usage policy and provide training to all marketing employees.

The excessive time it will take to merge the company’s information systems.

Countries may have different legal or regulatory requirements.

Company A might not have adequate staffing to conduct these reviews.

The companies must consolidate security policies during the merger.

Establish VLANs for each virtual guest's NIC on the virtual switch.

Enable virtual switch layer 2 security precautions.

Only access hosts through a secure management interface.

Distribute guests to hosts by application role or trust zone.

Restrict physical and network access to the host console.

Avoid the risk

Transfer the risk

Accept the risk

Mitigate the risk

{(Confidentiality, Moderate), (Integrity, Moderate), (Availability, Moderate)}

{(Confidentiality, High), (Integrity, Low), (Availability, Low)}

{(Confidentiality, High), (Integrity, Moderate), (Availability, Low)}

{(Confidentiality, Moderate), (Integrity, Moderate), (Availability, Low)}

Mandatory vacation

Non-disclosure

Job rotation

Least privilege

Each of the servers used the same EV certificate.

The servers used a wildcard certificate.

The web server was the CA for the domain.

Revoking a certificate can only be done at the domain level.

Encrypted with a one-time password.

Stored on separate physical hosts.

Moved to the cloud.

Scanned for vulnerabilities regularly.

Separation of duties.

Mandatory vacation.

Non-disclosure agreement.

Least privilege.

Implement a unified IPv6 addressing scheme on the entire network.

Conduct a penetration test of Company B’s network.

Perform a vulnerability assessment on Company B’s network.

Perform a peer code review on Company B’s application.

Migrate the system to IPv6.

Migrate the system to RSH.

Move the system to a secure VLAN.

Use LDAPs for authentication.

Memorandum of Understanding

Interconnection Security Agreement

Operating Level Agreement

Service Level Agreement

Transfer the risks to another internal department, who have more resources to accept the risk.

Accept the risks and log acceptance in the risk register. Once the risks have been accepted close them out.

Transfer the initial risks by outsourcing payment processing to a third party service provider.

Mitigate the risks by hiring additional IT staff with the appropriate experience and certifications.

A system and network scan to determine if all of the systems are secure.

Implement a firewall/DMZ system between the networks.

Develop a risk analysis for the merged networks.

Conduct a complete review of the security posture of the acquired corporation.

Apply standard security policy settings to the devices.

Set up an access control system to isolate the devices from the network.

Integrate the tablets into standard remote access systems.

Develop the use case for the devices and perform a risk analysis.

A symmetric key

A PKI ticket

An X.509 certificate

An assertion ticket

Have a replacement employee run the same applications as the vacationing employee.

Have a replacement employee perform tasks in a different order from the vacationing employee.

Have a replacement employee perform the job from a different workstation than the vacationing employee.

Have a replacement employee run several daily scripts developed by the vacationing employee.

Inappropriate administrator access

Malicious code

Internal business fraud

Regulatory compliance

Create a separate SSID and WEP key to support the legacy clients and enable detection of rogue APs.

Create a separate SSID and WEP key on a new network segment and only allow required communication paths.

Create a separate SSID and require the legacy clients to connect to the wireless network using certificate-based 802.1x.

Create a separate SSID and require the use of dynamic WEP keys.

Require the use of an unprivileged account, and a second shared account only for administrative purposes.

Require role-based security on primary role, and only provide access to secondary roles on a case-by-case basis.

Require separation of duties ensuring no single administrator has access to all systems.

Require on-going auditing of administrative activities, and evaluate against risk-based metrics.

Key company-key.{ algorithm hmac-rc4; secret "Hdue8du9jdknkhdoLksdlkeYEIks83K="; };

Key company-key.{ algorithm hmac-md5; secret "Hdue8du9jdknkhdoLksdlkeYEIks83K="; key company-key.{ algorithm hmac-md5; secret "Hdue8du9jdknkhdoLksdlkeYEIks83K="; }; allow transfer { 192.168.10.53; }

Key company-key.{ algorithm hmac-md5; secret "Hdue8du9jdknkhdoLksdlkeYEIks83K="; }; allow transfer { 192.168.20.53; }

Key company-key.{ algorithm hmac-rc4; secret "Hdue8du9jdknkhdoLksdlkeYEIks83K="; }; allow transfer { 192.168.10.53; } algorithm hmac-rc4; secret "Hdue8du9jdknkhdoLksdlkeYEIks83K="; }; allow transfer { 192.168.10.53; }

Transport encryption

Authentication hashing

Digital signature

Legal mail hold

TSIG code signing

3DES - SHA

DES - MD5

Camellia - SHA

RC4 - MD5

Kerberos

NTLM

RADIUS

TACACS+

TLS

HMAC

Camellia

What hardware and software would work best for securing the network?

What corporate assets need to be protected?

What are the business needs of the organization?

What outside threats are most likely to compromise network security?

What is the budget for this project?

What time and resources are needed to carry out the security plan?

SystemsEngineering. Decomposing requirements Development: Secure coding standards Testing. Code stability Project Management: Stakeholder engagement Security: Secure transport Networks: Functional validation

SystemsEngineering. Decomposing requirements Development: Code stability Testing. Functional validation Project Management: Stakeholder engagement Security: Secure coding standards Networks: Secure transport

SystemsEngineering. Functional validation Development: Stakeholder engagement Testing. Code stability Project Management: Decomposing requirements Security: Secure coding standards Networks: Secure transport

SystemsEngineering. Decomposing requirements Development: Stakeholder engagement Testing. Code stability Project Management: Functional validation Security: Secure coding standards Networks: Secure transport

Line by line code review and simulation; uncovers hidden vulnerabilities and allows for behavior to be observed with minimal risk.

Technical exchange meetings with the application’s vendor; vendors have more in depth knowledge of the product.

Pilot trial; minimizes the impact to the enterprise while still providing services to enterprise users.

Full deployment with crippled features; allows for large scale testing and observation of the applications security profile.