CASP ? 121-150

Application sandboxing

Input validation

Penetration testing

Code reviews

Install the new solution, migrate to the new solution, and test the new solution.

Purchase the new solution, test the new solution, and migrate to the new solution.

Decommission the old solution, install the new solution, and test the new solution.

Test the new solution, migrate to the new solution, and decommission the old solution.

Ensure that those producing solution artifacts are reminded at the next team meeting that quality is important.

Introduce a peer review process that is mandatory before a document can be officially made final.

Introduce a peer review and presentation process that includes a review board with representation from relevant disciplines.

Ensure that appropriate representation from each relevant discipline approves of the solution documents before official approval.

Data User

Data Owner

Business Owner

Data Custodian

LUN masking

Deduplication

Multipathing

Snapshots

Enable RADIUS and end point security on Company B’s network devices.

Enable LDAP authentication on Company A’s network devices.

Enable LDAP/TLS authentication on Company A’s network devices.

Enable 802.1x on Company B’s network devices.

Visibility on the traffic between the virtual machines can impact confidentiality

NIC utilization can exceed 50 percent and impact availability

Shared virtual switches can negatively impact the integrity of network packets

Additional overhead from network bridging can affect availability

The hypervisor host does not have hardware acceleration enabled and does not allow DEP.

The virus scanner on the VM changes file extensions of all programs downloaded via P2P to prevent execution.

The virtual machine is configured to require administrator rights to execute all programs.

The virus is trying to access a virtual device which the hypervisor is configured to restrict.

The existing SAN may be read-only.

The existing SAN used LUN masking.

The new SAN is not FCoE based.

The data may not be in a usable format.

1. Deploy an HTTP interceptor on the switch span port; 2. Adjust the external facing NIDS; 3. Reconfigure the firewall ACLs to block the all traffic above port 2000; 4. Verify the proxy server is configured correctly and hardened; 5. Review the logs weekly in the future.

1. Deploy a protocol analyzer on the switch span port; 2. Adjust the internal HIDS; 3. Reconfigure the firewall ACLs to block outbound HTTP traffic; 4. Reboot the proxy server; 5. Continue to monitor the network.

1. Deploy a protocol analyzer on the switch span port; 2. Adjust the external facing IPS; 3. Reconfigure the firewall ACLs to block unnecessary ports; 4. Verify the proxy server is configured correctly and hardened; 5. Continue to monitor the network.

1. Deploy a network fuzzer on the switch span port; 2. Adjust the external facing IPS; 3. Reconfigure the proxy server to block the attacks; 4. Verify the firewall is configured correctly and hardened.

Raise the issue to the Chief Executive Officer (CEO) to escalate the decision to senior management with the recommendation to continue the outsourcing of all IT services.

Calculate the time to deploy and support the in-sourced systems accounting for the staff shortage and compare the costs to the ROI costs minus outsourcing costs. Present the document numbers to management for a final decision.

Perform a detailed cost benefit analysis of outsourcing vs. in-sourcing the IT systems and review the system documentation to assess the ROI of in-sourcing. Select COTS products to eliminate development time to meet the ROI goals.

Arrange a meeting between the project manager and the senior security administrator to review the requirements and determine how critical all the requirements are.

An employee copying gigabytes of personal video files from the employee’s personal laptop to their company desktop to share files.

An employee connecting their personal laptop to use a non-company endorsed accounting application that the employee used at a previous company.

An employee using a corporate FTP application to transfer customer lists and other proprietary files to an external computer and selling them to a competitor.

An employee accidentally infecting the network with a virus by connecting a USB drive to the employee’s personal laptop.

Risks: Data leakage, lost data on destroyed mobile devices, smaller network attack surface, prohibitive telecommunications costs Mitigations: Device Encryptions, lock screens, certificate based authentication, corporate telecom plans

Risks: Confidentiality leaks through cell conversations, availability of remote corporate data, integrity of data stored on the devices Mitigations: Cellular privacy extensions, mobile VPN clients, over-the-air backups.

Risks: Data exfiltration, loss of data via stolen mobile devices, increased data leakage at the network edge Mitigations: Remote data wipe capabilities, implementing corporate security on personally owned devices

Risks: Theft of mobile devices, unsanctioned applications, minimal device storage, call quality Mitigations: GPS tracking, centralized approved application deployment, over-the-air backups, QoS implementation

Decommissioning the existing network smoothly, implementing maintenance and operations procedures for the new network in advance, and ensuring compliance with applicable regulations and laws.

Interoperability with the Security Administration Remote Access protocol, integrity of the data at rest, overall network availability, and compliance with corporate and government regulations and policies.

Resistance of the new network design to DDoS attacks, ability to ensure confidentiality of all data in transit, security of change management processes and procedures, and resilience of the firewalls to power fluctuations.

Decommissioning plan for the new network, proper disposal protocols for the existing network equipment, transitioning operations to the new network on day one, and ensuring compliance with corporate data retention policies.

Ensuring smooth transition of maintenance resources to support the new network, updating all whole disk encryption keys to be compatible with IPv6, and maximizing profits for bank shareholders.

The system shall send a status message to a network monitoring console every five seconds while in an error state and the system should email the administrator when the number of input errors exceeds five.

The system shall alert the administrator upon the loss of network communications and when error flags are thrown.

The system shall email the administrator when processing deviates from expected conditions and the system shall send a heartbeat message to a monitoring console every second while in normal operations.

The system shall email the administrator when an error condition is detected and a flag is thrown and the system shall send an email to the administrator when network communications are disrupted.

The PHP module is written to transfer data from the customer zone to the management zone, and then from the management zone to the backend zone.

The iptables configuration is not configured correctly to permit zone to zone communications between the customer and backend zones.

The PHP module was installed in the management zone, but is trying to call a routine in the customer zone to transfer data directly to a MySQL database in the backend zone.

The ipfilters configuration is configured to disallow loopback traffic between the physical NICs associated with each zone.

Malware originating from Company XYZ’s network

Co-mingling of company networks

Lack of an IPSec connection between the two networks

Loss of proprietary plant information

Directly establish another separate service contract with the sub-contractor to limit the risk exposure and legal implications.

Ensure the consulting firm has service agreements with the sub-contractor; if the agreement does not exist, exit the contract when possible.

Log it as a risk in the business risk register and pass the risk to the consulting firm for acceptance and responsibility.

Terminate the contract immediately and bring the security department in-house again to reduce legal and regulatory exposure.

Preventative controls are useful before an event occurs, detective controls are useful during an event, and corrective controls are useful after an event has occurred. A combination of controls can be used.

Corrective controls are more costly to implement, but are only needed for real attacks or high value assets; therefore, controls should only be put in place after a real attack has occurred.

Detective controls are less costly to implement than preventative controls; therefore, they should be encouraged wherever possible. Corrective controls are used during an event or security incident. Preventative controls are hard to achieve in practice due to current market offerings.

Always advise the use of preventative controls as this will prevent security incidents from occurring in the first place. Detective and corrective controls are redundant compensating controls and are not required if preventative controls are implemented.

Explain how customer data is gathered, used, disclosed, and managed.

Remind staff of the company’s data handling policy and have staff sign an NDA.

Focus on explaining the “how” and “why” customer data is being collected.

Republish the data classification and the confidentiality policy.

Limit source ports on the firewall to specific IP addresses.

Add an explicit deny-all and log rule as the final entry of the firewall rulebase.

Implement stateful UDP filtering on UDP ports above 1024.

Configure the firewall to use IPv6 by default.

Employees publishing negative information and stories about company management on social network sites and blogs.

An employee remotely configuring the email server at a relative’s company during work hours.

Employees posting negative comments about the company from personal phones and PDAs.

External parties cloning some of the company’s externally facing web pages and creating lookalike sites.

Modify the SRC and DST ports of ACL 1

Modify the SRC IP of ACL 1 to 0.0.0.0/32

Modify the ACTION of ACL 2 to Permit

Modify the PROTO of ACL 1 to TCP

Install a dual port HBA on the SAN, create a LUN on the server, and enable deduplication and data snapshots.

Install a multipath LUN on the server with deduplication, and enable LUN masking on the SAN.

Install 2 LUNs on the server, cluster HBAs on the SAN, and enable multipath and data deduplication.

Install a dual port HBA in the server; create a LUN on the SAN, and enable LUN masking and multipath.

RED ZONE. none ORANGE ZONE. WAF YELLOW ZONE. SPAM Filter GREEN ZONE. none

RED ZONE. Virus Scanner, SPAM Filter ORANGE ZONE. NIPS YELLOW ZONE. NIPS GREEN ZONE. NIPS

RED ZONE. WAF, Virus Scanner ORANGE ZONE. NIPS YELLOW ZONE. NIPS GREEN ZONE. SPAM Filter

RED ZONE. NIPS ORANGE ZONE. WAF YELLOW ZONE. Virus Scanner, SPAM Filter GREEN ZONE. none