Information classification refers to the practice of differentiating between different types of information assets and providing some guidance as to how classified information will need to be protected. Vulnerability scans can be used to map out the computing ecosystem. Threat modeling is used to identify threats and vulnerabilities. Configuration management can be used to determine the software baseline. Page 554.
Reporting is also fundamental to successful security operations. It can take a variety of forms depending on the intended audience. Technical reporting tends to be designed for technical specialists or managers with direct responsibility for service delivery. Management reporting will provide summaries of multiple systems as well as key metrics for each of the services covered by the report. Executive dashboards are intended for the executive who is interested in seeing only the highlights across multiple services, and provide simple summaries of current state, usually in a highly visual form such as charts and graphs. Page 561.
A cold spare is a spare component that is not powered up but is a duplicate of the primary component that can be inserted into the system if needed. Warm spares are those that are already inserted in the system but do not receive power unless they are required. Hot spares stay powered on and waiting to be called upon as needed. Archives are data backups stored for historical purposes. To ensure constant redundancy and fault tolerance, a hot spare is the best option. Page 545.
Insiders (employees, contractors, etc.) can have access to information that they should not be allowed to access, and in the absence of auditing (logging) their actions can go unnoticed. Encryption can provide controls over unauthorized disclosure. External attacker (hacker or cracker) activity and malware usually raise alerts on intrusion detection systems (IDS). Auditors may have the need and authorization for the disclosure of sensitive information, and this access is often monitored. Page 543.
False positives occur when the IDS or IPS identifies something as an attack, but it is in fact normal traffic. False negatives occur when it fails to interpret something as an attack when it should have. In these cases, intrusion systems must be carefully “tuned” to ensure that these are kept to a minimum. Page 564.
Clipping levels are used to ensure that only needed logs are collected. This is mainly done because, even on a single system, logs can get to be very large. An example of a clipping level is that only failed access attempts are logged. Page 562.
Fail-safe mechanisms focus on failing with a minimum of harm to personnel, while fail-secure mechanisms focus on failing in a controlled manner to block access while the system is in an inconsistent state. For example, data center door systems will fail safe to ensure that personnel can escape the area when the electrical power fails. A fail-secure door would prevent personnel from using the door at all, which could put personnel in jeopardy. Fail-open and fail-closed are fail-safe mechanisms. Page 545.
Security event management (SEM) solutions are intended to provide a common platform for log collection, collation, and analysis in real time to allow for more effective and efficient response. Log management systems are similar in that they also collect logs and provide the ability to report against them, although their focus tends to be on the historical analysis of log information rather than real-time analysis. They may be combined with SEM solutions to provide both historical and real-time functions. Evidence collection for admissibility in court and pattern discernment are not real-time functions. Page 563.
Optical media such as CDs and DVDs must be physically destroyed to make sure that there is no residual data that can be disclosed. Since the media mentioned in this context is a read-only (burn-once) DVD, the information on it cannot be overwritten or deleted. Degaussing can reduce or remove data remanence in magnetic, nonoptical media. Page 567.
Prior to deploying updates to production servers, make certain that a full system backup is conducted. In the regrettable event of a system crash due to the update, the server and data can be recovered without a significant loss of data. Additionally, if the update involved proprietary code, it will be necessary to provide a copy of the server or application image to the media librarian. The presence or absence of full disclosure information is good to have but not a requirement, as the patching process will have to be a risk-based decision as it applies to the organization. Documentation of the patching process is the last step in patch management processes. Independent third-party assessments are not usually related to attesting patch validity. Page 574.
Information classification also includes the processes and procedures to declassify information. For example, declassification may be used to downgrade the sensitivity of information. Over the course of time, information once considered sensitive may decline in value or criticality. In these instances, declassification efforts should be implemented to ensure that excessive protection controls are not used for nonsensitive information. When declassifying information, marking, handling, and storage requirements will likely be reduced. Organizations should have declassification practices well documented for use by individuals assigned with the task. Information may still be needed and so it cannot be destroyed, degaussed, or deleted. Page 555.
While placing users into groups and roles can yield increased security, ease of programmatic access, or automation, the main reason this is done is for the ease of user administration. Efficient management of users requires the assignment of individual accounts into groups or roles. Groups and roles allow rights and privileges to be assigned to a group or a role as opposed to individual accounts. Individual user accounts can then be assigned to one or more groups depending on the access and privileges they require. Page 556.
Access to facilities should be limited to named individuals with a requirement for physical access following the principle of least privilege. Individuals who do not require frequent physical access to physical systems should not receive access to the facility. If occasional access is required, then temporary access should be granted and revoked when it is no longer required. It is recommended that you are familiar with the other principles mentioned. Page 552.
While the operations staff may be able to detect the attack and in some cases the attackers, there is very little that the operations staff can do to stop them. All actions taken by the operations staff as they respond to handle the security incident must follow established protocols and be documented, but this is not their primary objective. The affected systems must only be shut off after necessary data or evidence that will be admissible in court is collected. The best answer choice is that the operations staff must maintain operational resilience; i.e., there is minimum disruption to the organization’s activities. Page 542.
In a RAID 0 configuration, files are written in stripes across multiple disks without the use of parity information. This technique allows for fast reading and writing to disk since all of the disks can typically be accessed in parallel. However, without the parity information, it is not possible to recover from a hard drive failure. This technique does not provide redundancy and should not be used for systems with high availability requirements. It is important that you are familiar with all of the RAID configurations and when to use which configuration. Page 547.
Ring protection can be used to enforce boundary control between kernel functions and end-user controls. Anti-malware software is used to protect against malicious software. Maintenance hooks are coding constructs written by the software developer for troubleshooting and impersonation purposes, but can be a potential backdoor for malicious software. Trusted paths provide trustworthy interfaces into privileged user functions and are intended to provide a way to ensure that any communications over that path cannot be intercepted or corrupted. Page 544.
A full backup would not be possible since the backup window is not long enough for all the data to be backed up. Additionally, it is less likely that the backup window can be increased to allow for a full backup, which is both time consuming and costly from a storage perspective. In an incremental backup, only the files that changed since the last backup will be backed up. In a differential backup, only the files that changed since the last full backup will be backed up. In general, differentials require more space than incremental backups, while incremental backups are faster to perform. On the other hand, restoring data from incremental backups requires more time than from differential backups. To restore from incremental backups, the last full backup and all of the incremental backups performed since are combined. In contrast, restoring from a differential backup requires only the last full backup and the latest differential. Page 549.
While incident management is concerned primarily with managing an adverse event, problem management is concerned with tracking that event back to a root cause and addressing the underlying problem. Maintaining system integrity is accomplished through the process of change control management. Configuration management is a process of identifying and documenting hardware components, software, and the associated settings. Page 570.
Data mirroring is a RAID technique that duplicates all disk writes from one disk to another to create two identical drives. Database shadowing is the technique in which updates are shadowed in multiple locations. It is like copying the entire database onto a remote location. Backups are to be conducted on a regular basis and are useful in recovering information or a system in the event of a disaster. Archiving is the storage of data that is not in continual use for historical purposes. Page 549.
Clearances are a useful tool for determining the trustworthiness of an individual and the likelihood of their compliance with organization policy. Job rank, title, or role may be tied to a clearance level, but this may not always be the case. Partnership with the security team does not necessarily mean that the individual complies or will comply with the organization’s policy. Page 560.
Quiz Review Timeline (Updated): Mar 14, 2022