CASP ? 211-240

Concern: Passwords are stored in plain text. Correction: Require a minimum of 8 alphanumeric characters and hash the password.

Concern: User IDs are also usernames, and could be enumerated, thereby disclosing sensitive account information. Correction: Require user IDs to be more complex by using alphanumeric characters and hash the UserIDs.

Concern: User IDs are confidential private information. Correction: Require encryption of user IDs.

Concern: More than four digits within a credit card number are stored. Correction: Only store the last four digits of a credit card to protect sensitive financial information.

Point to point VPNs for all corporate intranet users.

Cryptographic hashes of all data transferred between services.

Service to service authentication for all workflows.

Two-factor authentication and signed code

To ensure the security of the network is documented prior to customer delivery

To document the source of all functional requirements applicable to the network

To facilitate the creation of performance testing metrics and test plans

To allow certifiers to verify the network meets applicable security requirements

Increased customer data availability

Increased customer data confidentiality

Increased security through provisioning

Increased security through data integrity

The security administrator should review the IDS logs to determine the source of the attack and the attack vector used to compromise the web server.

The security administrator must correlate the external firewall logs with the intrusion detection system logs to determine what specific attack led to the web server compromise.

The security administrator must reconfigure the network and place the IDS between the SSL accelerator and the server farm to be able to determine the cause of future attacks.

The security administrator must correlate logs from all the devices in the network diagram to determine what specific attack led to the web server compromise.

Social engineering

Protocol analyzer

Port scanner

Grey box testing

Wireless network security may need to be increased to decrease access of mobile devices.

Physical security may need to be increased to deter or prevent theft of mobile devices.

Network security may need to be increased by reducing the number of available physical network jacks.

Wireless network security may need to be decreased to allow for increased access of mobile devices.

LUN masking

Data injection

Data fragmentation

Moving the HBA

Creation and secure destruction of mail accounts, emails, and calendar items

Information classification, vendor selection, and the RFP process

Data provisioning, processing, in transit, at rest, and de-provisioning

Securing virtual environments, appliances, and equipment that handle email

Service oriented architecture (SOA)

Federated identities

Object request broker (ORB)

Enterprise service bus (ESB)

The de-perimeterized model should be kept as this is major industry trend and other companies are following this direction. Advise that the issues being faced are standard business as usual concerns in a modern IT environment.

Update the policy to disallow non-company end-point devices on the corporate network. Develop security-focused standard operating environments (SOEs) for all required operating systems and ensure the needs of each business unit are met.

The de-perimeterized model should be kept but update company policies to state that noncompany end-points require full disk encryption, anti-virus software, and regular patching.

Update the policy to disallow non-company end-point devices on the corporate network. Allow only one type of outsourced SOE to all users as this will be easier to provision, secure, and will save money on operating costs.

Inspect a previous architectural document. Based on the historical decisions made, consult the architectural control and pattern library within the organization and select the controls that appear to best fit this new architectural need.

Implement controls based on the system needs. Perform a risk analysis of the system. For any remaining risks, perform continuous monitoring.

Classify information types used within the system into levels of confidentiality, integrity, and availability. Determine minimum required security controls. Conduct a risk analysis. Decide on which security controls to implement.

Perform a risk analysis of the system. Avoid extreme risks. Mitigate high risks. Transfer medium risks and accept low risks. Perform continuous monitoring to ensure that the system remains at an adequate security posture.

The third party should be contractually obliged to perform adequate security activities, and evidence of those activities should be confirmed by the company prior to launch.

Outsourcing is a valid option to increase time-to-market. If a security incident occurs, it is not of great concern as the reputational damage will be the third party’s responsibility.

The company should never outsource any part of the business that could cause a security or privacy incident. It could lead to legal and compliance issues.

If the third party has an acceptable record to date on security compliance and is provably faster and cheaper, then it makes sense to outsource in this specific situation.

Disallow the use of web-based meetings as this could lead to vulnerable client-side components being installed, or a malicious third party gaining read-write control over an internal workstation.

Hire an outside consultant firm to perform both a quantitative and a qualitative risk-based assessment. Based on the outcomes, if any risks are identified then do not allow web-based meetings. If no risks are identified then go forward and allow for these meetings to occur.

Allow the use of web-based meetings, but put controls in place to ensure that the use of these meetings is logged and tracked.

Evaluate several meeting providers. Ensure that client-side components do not introduce undue security risks. Ensure that the read-write desktop mode can either be prevented or strongly audited.

CISO immediately in an exception report.

Users of the new web application system.

The vendor who supplied the web application system.

Team lead in a weekly report.

The company’s software lifecycle management improved the security of the application.

There are no vulnerabilities in the application.

The company should deploy a web application firewall to ensure extra security.

There are no known vulnerabilities at this time.

Require the managed service provider to implement additional data separation.

Require encrypted communications when accessing email.

Enable data loss protection to minimize emailing PII and confidential data.

Establish an acceptable use policy and incident response policy.

Establish return on investment as the main criteria for selection.

Require encrypted coRun a cost/benefit analysis based on the data received from the RFP.mmunications when accessing email.

Enable data loss protection toEvaluate each platform based on the total cost of ownership. minimize emailing PII and confidential data.

Establish an acDevelop a service level agreement to ensure the selected NIPS meets all performance requirements.ceptable use policy and incident response policy.

Conduct monthly audits to verify that application modifications do not introduce new vulnerabilities.

Implement a peer code review requirement prior to releasing code into production.

Follow secure coding practices to minimize the likelihood of creating vulnerable applications.

Establish cross-functional planning and testing requirements for software development activities.

Application firewall and NIPS

Edge firewall and HIDS

ACLs and anti-virus

Host firewall and WAF

Session hijacking

Cross-site script

SQL injection

Buffer overflow

Network Administrator, Database Administrator, Programmers

Network Administrator, Emergency Response Team, Human Resources

Finance Officer, Human Resources, Security Administrator

Database Administrator, Facilities Manager, Physical Security Manager

Interconnection Security Agreement

Memorandum of Understanding

Business Partnership Agreement

Non-Disclosure Agreement

NIPS in the production zone, HIPS in the application zone, and anti-virus / anti-malware across all Windows hosts.

NIPS in the production zone, NIDS in the application zone, HIPS in the core network, and antivirus / anti-malware across all hosts.

HIPS in the production zone, NIPS in the application zone, and HIPS in the core network.

NIDS in the production zone, HIDS in the application zone, and anti-virus / anti-malware across all hosts.

Employee identity badges and physical access controls to ensure only staff are allowed onsite.

A training program that is consistent, ongoing, and relevant.

Access controls to prevent end users from gaining access to confidential data.

Access controls for computer systems and networks with two-factor authentication.

A formal letter from the company’s president approving the seizure of the workstation.

A formal training and awareness program on information security for all company managers.

A screen displayed at log in that informs users of the employer’s rights to seize, search, and monitor company devices.

A printout of an activity log, showing that the employee has been spending substantial time on non-work related websites.

Create security metrics that provide information on response times and requirements to determine the best place to focus time and money.

Conduct a loss analysis to determine which systems to focus time and money towards increasing security.

Implement a knowledge management process accessible to the help desk and finance departments to estimate cost and prioritize remediation.

Develop an incident response team, require training for incident remediation, and provide incident reporting and tracking metrics.

Loss of physical control of the servers

Distribution of the job to multiple data centers

Network transmission of cryptographic keys

Data scraped from the hardware platforms