It seems logical that any business, whether a commercial enterprise or a not-for-profit business, would understand that building a secure organization is important to long-term success. When a business implements and maintains a strong security posture, it can take advantage of numerous benefits. An organization that can demonstrate an infrastructure protected by robust security mechanisms can potentially see a reduction in insurance premiums. A secure organization can use its security program as a marketing tool, demonstrating to clients that it values their business so much that it takes a very aggressive stance on protecting their information. Most importantly, a secure organization will not have to spend time and money identifying security breaches and responding to the results of those breaches. As of December 2011, according to the National Conference of State Legislatures, 46 states, the District of Columbia, Puerto Rico, and the Virgin Islands enacted legislation requiring notification of security breaches involving personal information. In 2011, 14 states expanded the scope of this legislation.[1] Security breaches can cost an organization significantly through a tarnished reputation, lost business, and legal fees. Numerous regulations such as the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, and the Sarbanes-Oxley Act require businesses to maintain the security of information. Despite the benefits of maintaining a secure organization and the potentially devastating consequences of not doing so, many organizations have poor security mechanisms, implementations, policies, and culture.
OBSTACLES TO SECURITY

In attempting to build a secure organization, we should take a close look at the obstacles that make it challenging to build a totally secure organization.

Security Is Inconvenient

By its very nature, security is inconvenient, and the more robust the security mechanisms are, the more inconvenient the process becomes. Employees in an organization have a job to do; they want to get to work right away. Most security mechanisms, from passwords to multifactor authentication, are seen as roadblocks to productivity. One of the current trends in security is to add whole-disk encryption to laptop computers. Although this is a highly recommended security process, it adds a second login step before a computer user can actually start working. Even if the step adds only 1 min to the login process, over the course of a year this results in 4 h of lost productivity. Some would argue that this lost productivity is balanced by the added level of security. Across a large organization, however, this lost productivity could prove significant. To gain a full appreciation of the frustration caused by security measures, we have only to watch the Transportation Security Administration lines at any airport. Simply watch the frustration build as a particular item is run through the scanner for a third time while a passenger is running late to board his flight. Security implementations are based on a sliding scale; one end of the scale is total security and total inconvenience, and the other is total insecurity and complete ease of use. When we implement any security mechanism, it should be placed on the scale where the level of security and ease of use match the acceptable level of risk for the organization.
COMPUTERS ARE POWERFUL AND COMPLEX

Home computers have become storehouses of personal materials. Our computers now contain wedding videos, scanned family photos, music libraries, movie collections, and financial and medical records. Because computers contain such familiar objects, we have forgotten that computers are powerful and complex devices. It was not long ago that computers as powerful as our desktop and laptop computers would have filled one or more large rooms. In addition, today's computers present a "user-friendly" face to the world. Most people are unfamiliar with the way computers truly function and what goes on "behind the scenes." Things such as the Windows Registry, ports, and services are completely unknown to most users and are poorly understood by many computer industry professionals. For example, many individuals still believe that a Windows login password protects data on a computer. On the contrary: Someone can simply take the hard drive out of the computer, install it as a slave drive in another computer, or place it in a universal serial bus (USB) drive enclosure, and all of the data will be readily accessible.

Computer Users Are Unsophisticated

Many computer users believe that because they are skilled at generating spreadsheets, word processing documents, and presentations, they know everything about computers. These "power users" have moved beyond application basics, but many still do not understand even basic security concepts. Many users will indiscriminately install software and visit questionable websites even though these actions could violate company policies. The "bad guys" (people who want to steal information from or wreak havoc on computer systems) have also identified the average user as a weak link in the security chain. As companies began investing more money in perimeter defenses, attackers looked to the path of least resistance. They send malware as attachments to email, asking recipients to open the attachment. Despite being told not to open attachments from unknown senders or simply not to open attachments at all, employees consistently violate this policy, wreaking havoc on their networks. The "I Love You Virus" spread rapidly in this manner. More recently, phishing scams have been effective in convincing individuals to provide personal online banking and credit card information. Why would an attacker struggle to break through an organization's defenses when end users are more than willing to provide the keys to bank accounts? Addressing the threat caused by untrained and unwary end users is a significant part of any security program.
Computers Created Without a Thought to Security

During the development of personal computers (PCs), no thought was given to security. Early PCs were simple affairs that had limited computing power and no keyboards, and were programmed by flipping a series of switches. They were developed almost as curiosities. Even as they became more advanced and complex, all effort was focused on developing greater sophistication and capabilities; no one thought they would have security issues. We only have to look at some of the early computers, such as the Berkeley Enterprises Geniac, the Heathkit EC-1, and the MITS Altair 8800, to understand why security was not an issue back then.[2] The development of computers was focused on what they could do, not how they could be attacked. As computers began to be interconnected, the driving force was to provide the ability to share information, certainly not to protect it. Initially, the Internet was designed for military applications, but eventually it migrated to colleges and universities, the principal tenet of which is the sharing of knowledge.
CURRENT TREND IS TO SHARE, NOT PROTECT

Even now, despite the stories of compromised data, people still want to share their data with everyone. Web-based applications are making this easier to do than simply attaching a file to an email. Social networking sites such as Omemo provide the ability to share material: "Store your files online, share your stuff and browse what other users store in the world's largest multimedia library: The Omemo peer-to-peer virtual hard-drive."[3] In addition, many online data storage sites such as DropSend[4] and FilesAnywhere[5] provide the ability to share files. These sites can allow proprietary data to leave an organization by bypassing security mechanisms, exposing them to the possibility of unwanted review and distribution.
Data Accessible From Anywhere

As though employees' desire to share data is not enough of a threat to proprietary information, many business professionals want access to data from anywhere they work, on a variety of devices. To be productive, employees now request access to data and contact information on their laptops, desktops, home computers, and mobile devices. Therefore, information technology (IT) departments must now provide the ability to sync data with numerous systems. And if the IT department cannot or will not provide this capability, employees now have the power to take matters into their own hands by using online services. In addition to the previously mentioned online file-sharing sites, numerous online file storage sites exist (some sites offer both services). These storage sites are "springing up" everywhere, based on the desire to have access to data from absolutely everywhere. The latest operating systems from Microsoft and Apple supported this concept on a home network level when they created Homegroups[6] and AirDrop, respectively. Homegroups allow users to share specific volumes or folders across a network, whereas AirDrop allows users to share files between Macs without using an established network.

"Looking for a fast way to share files with people nearby? With AirDrop, you can send files to anyone around you wirelessly, no Wi-Fi network required. And no complicated setup or special settings. Just click the AirDrop icon in the Finder sidebar, and your Mac automatically discovers other AirDrop users within about 30 feet of you. To share a file, simply drag it to someone's name. Once accepted, the fully encrypted file transfers directly to that person's Downloads folder."[7]

Employees always seem to want the same capabilities they have at home while in the workplace. This desire stems from the desire to work quickly and efficiently, with as few impediments in place as possible. Many computer users appreciate the simplicity with which they can access files while at home; they expect the same capabilities in the workplace. Currently, the best-known file storage site is Dropbox.[8] To date, Dropbox provides 2 GB of free storage and software for Windows, Mac, Linux, and mobile devices, including iPhone, iPad, Blackberry, and Android. This matches their slogan, "Your files everywhere you are." However, you do not need to install the application on your computer; there is a Web interface that allows you to upload new files and access stored files. From an accessibility perspective, this is truly amazing. From a security perspective, it is a little unnerving. Some security professionals will not consider this an issue because they can simply "blacklist" the Dropbox website and prevent users from installing software. However, if one thinks about this, what is to stop someone from storing material on one of these sites while using a home or library computer? In addition, Dropbox is not the only "game in town." There are dozens of these sites; some are obscure, and new ones are created periodically. Table 2.1 identifies sites that have been identified as of this writing (and there are likely more in existence). Some familiar tools also offer file storage capabilities.
Google’s free email service, Gmail, is a great tool that provides a robust service for free. What few people realize
is that Gmail provides more than 7 GB of storage that can also be used to store ﬁles, not just email. The shell exten- sion, Gmail Drive,9 provides access to your Gmail storage by means of a “drive” on your desktop. Fig. 2.1 shows the Gmail Drive login screen. This ability to transfer data easily outside the control of a company makes securing an orga- nization’s data that much more difﬁcult. There is more to these sites than simply losing control of data. These are third-party sites and anything can happen. As an example
in summer 2011, Dropbox had a security issue that allowed people to log into any account without using a password. Another issue is that the longevity of these sites is not guaranteed. For example, Xdrive, a popular online storage service created in 1999 and purchased by AOL in 2005 (allegedly for US$30 million), shut down on January 12, 2009. What happens to the data that are on systems that are no longer in service?
SECURITY IS NOT ABOUT HARDWARE AND SOFTWARE

Many businesses believe that if they purchase enough equipment, they can create a secure infrastructure. Firewalls, intrusion detection systems, antivirus programs, and two-factor authentication products are some of the tools available to assist in protecting a network and its data. It is important to keep in mind that no product or combination of products will create a secure organization by itself. Security is a process; there is no tool that you can "set and forget." All security products are only as secure as the people who configure and maintain them. The purchasing and implementation of security products should be only a percentage of the security budget. Employees tasked with maintaining the security devices should be provided with enough time, training, and equipment to support the products properly. Unfortunately, in many organizations security activities take a back seat to support activities. Highly skilled security professionals are often tasked with help-desk requests such as resetting forgotten passwords, fixing jammed printers, and setting up new employee workstations.
The Bad Guys Are Very Sophisticated

At one time the computer hacker was portrayed as a lone teenager with poor social skills who would break into systems, often for nothing more than bragging rights. As ecommerce has evolved, however, so has the profile of the hacker. Now that vast collections of credit card numbers and intellectual property can be harvested, organized hacker groups such as Anonymous have been formed to operate as businesses. A document released in 2008 spells it out clearly: "Cybercrime companies that work much like real-world companies are starting to appear and are steadily growing, thanks to the profits they turn. Forget individual hackers or groups of hackers with common goals. Hierarchical cybercrime organizations where each cybercriminal has his or her own role and reward system is what you and your company should be worried about."[10]

State-sponsored hacking, which was discussed in security circles for years, received mainstream attention when a Chinese "how-to" hacking video was identified and discussed in the media.[11] Now that organizations are being attacked by highly motivated and skilled groups of hackers, creating a secure infrastructure is mandatory.
Management Sees Security as a Drain on the Bottom Line

For most organizations, the cost of creating a strong security posture is seen as a necessary evil, similar to purchasing insurance. Organizations do not want to spend the money on it, but the risks of not making the purchase outweigh the costs. Because of this attitude, it is extremely challenging to create a secure organization. The attitude is enforced because requests for security tools are often supported by documents providing the average cost of a security incident instead of showing more concrete benefits of a strong security posture. The problem is exacerbated by the fact that IT professionals speak a language that is different from that of management. IT professionals are generally focused on technology, period. Management is focused on revenue. Concepts such as profitability, asset depreciation, return on investment, realization, and total cost of ownership are the mainstays of management. These are alien concepts to most IT professionals. Realistically speaking, though, it would be helpful if management would take steps to learn some fundamentals of IT and if IT professionals took the initiative and learned some fundamental business concepts. Learning these concepts is beneficial to the organization because the technical infrastructure can then be implemented in a cost-effective manner, and they are beneficial from a career development perspective for IT professionals. A Google search of "business skills for IT professionals" will identify numerous educational programs that might prove helpful. For those who do not have the time or inclination to attend a class, some useful materials can be found online.

One such document, provided by the Government Chief Information Office of New South Wales, is A Guide for Government Agencies Calculating Return on Security Investment.[12] Although it is extremely technical, another often-cited document is Cost-Benefit Analysis for Network Intrusion Detection Systems, by Huaqiang Wei, Deb Frinke, Olivia Carter, and Chris Ritter.[13]

Regardless of the approach that is taken, it is important to remember that any tangible cost savings or revenue generation should be used when requesting new security products, tools, or policies. Security professionals often overlook the value of keeping Web portals open for employees. A database that is used by a sales staff to enter contracts or purchases or to check inventory will help generate more revenue if it has no downtime. A database that is not accessible or has been hacked is useless for generating revenue. Strong security can be used to gain a competitive advantage in the marketplace. Having secured systems that are accessible 24 h/day, 7 days a week, means that an organization can reach and communicate with its clients and prospective clients more efficiently. An organization that becomes recognized as a good custodian of client records and information can incorporate its security record as part of its branding. This is no different from a car company being recognized for its safety record. In discussions of cars and safety, for example, Volvo is always the first manufacturer mentioned.[14] What must be avoided is the "sky is falling" mentality. There are indeed numerous threats to a network, but we need to be realistic in allocating resources to protect against these threats. As of this writing, the National Vulnerability Database sponsored by the National Institute of Standards and Technology (NIST) lists 49,679 common vulnerabilities and exposures and publishes 14 new vulnerabilities per day.[15] In addition, the media are filled with stories of stolen laptops, credit card numbers, and identities. The volume of threats to a network can be mind numbing. It is important to approach management with "probable threats" as opposed to "describable threats." Probable threats are those that are most likely to have an impact on your business and the ones most likely to get the attention of management.
Perhaps the best approach is to recognize that management, including the board of directors, is required to exhibit a duty of care in protecting its assets that is comparable to that of other organizations in the industry. When a security breach or incident occurs, being able to demonstrate the high level of security within the organization can significantly reduce exposure to lawsuits, fines, and bad press. The goal of any discussion with management is to convince it that in the highly technical and interconnected world in which we live, having a secure network and infrastructure is a "nonnegotiable requirement of doing business."[14] An excellent resource for both IT professionals and executives that can provide insight into these issues is the computer emergency response team's (CERT) technical report, Governing for Enterprise Security.[16]
TEN STEPS TO BUILDING A SECURE ORGANIZATION

Having identified some of the challenges to building a secure organization, let us now look at 10 ways to build a secure organization successfully. The following steps will put a business in a robust security posture.
Evaluate the Risks and Threats

In attempting to build a secure organization, where should you start? One commonly held belief is that you should initially identify your assets and allocate security resources based on the value of each asset. Although this approach might prove effective, it can lead to some significant vulnerabilities. An infrastructure asset might not hold a high value, for example, but it should be protected with the same effort as a high-value asset. If not, it could be an entry point into your network and provide access to valuable data. Another approach is to begin by evaluating the threats posed to your organization and your data.

Threats Based on the Infrastructure Model

The first place to start is to identify risks based on an organization's infrastructure model. What infrastructure is in place that is necessary to support the operational needs of the business? A small business that operates out of one office has reduced risks, as opposed to an organization that operates out of numerous facilities, includes a mobile workforce using a variety of handheld devices, and offers products or services through a Web-based interface. An organization that has a large number of telecommuters must take steps to protect its proprietary information that could potentially reside on personally owned computers outside company control. An organization that has widely dispersed and disparate systems will have more risk potential than a centrally located one that uses uniform systems.
Threats Based on the Business Itself

Are there any specific threats for your particular business? Have high-level executives been accused of inappropriate activities whereby stockholders or employees would have incentive to attack the business? Are there any individuals who have a vendetta against the company for real or imagined slights or accidents? Does the community have a history of antagonism against the organization? A risk management or security team should be asking these questions on a regular basis to evaluate the risks in real time. This part of the security process is often overlooked because of the focus on daily workload.

Threats Based on Industry

Businesses belonging to particular industries are targeted more frequently and more aggressively than are those in other industries. Financial institutions and online retailers are targeted because "that's where the money is." Pharmaceutical manufacturers could be targeted to steal intellectual property, but they also could be targeted by special interest groups, such as those that do not believe in testing drugs on live animals or that have spiritual beliefs opposing a particular product. Identifying some of these threats requires active involvement in industry-specific trade groups in which businesses share information regarding recent attacks or threats they have identified.
Global Threats

Businesses are often so narrowly focused on their local sphere of influence that they forget that by having a network connected to the Internet, they are now connected to the rest of the world. If a piece of malware identified on the other side of the globe targets the identical software used in your organization, you can be sure that you will eventually be impacted by this malware. In addition, if extremist groups in other countries are targeting your specific industry, you will also be targeted. Once threats and risks are identified, you can take one of four steps:

- Ignore the risk. This is never an acceptable response. This is simply burying your head in the sand and hoping the problem will go away, the business equivalent of not wearing a helmet when riding a motorcycle.
- Accept the risk. When the cost to remove the risk is greater than the risk itself, an organization will often decide simply to accept the risk. This is a viable option as long as the organization has spent the time required to evaluate the risk.
- Transfer the risk. Organizations with limited staff or other resources could decide to transfer the risk. One method of transferring the risk is to purchase specialized insurance targeted at a specific risk.
- Mitigate the risk. Most organizations mitigate risk by applying the appropriate resources to minimize the risks posed to their network and systems.

For organizations that would like to identify and quantify the risks to their network and information assets, CERT provides a free suite of tools to assist with the project. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) provides risk-based assessment for security assessments and planning.[17] There are three versions of OCTAVE: the original OCTAVE, designed for large organizations (more than 300 employees); OCTAVE-S (100 people or fewer); and OCTAVE-Allegro, which is a streamlined version of the tools and focuses specifically on information assets. Another risk assessment tool that might prove helpful is the Risk Management Framework (RMF) developed by Educause/Internet 2.[18] Targeted at institutions of higher learning, the approach could be applied to other industries. Another framework that might prove helpful was developed by the NIST. This is also referred to as the RMF and includes six steps as part of the process.[19] Tracking specific threats to specific operating systems, products, and applications can be time-consuming. Visiting the National Vulnerability Database and manually searching for specific issues would not necessarily be an effective use of time. Fortunately, the Center for Education and Research in Information Assurance and Security at Purdue University has a tool called Cassandra that can be configured to notify you of specific threats to your particular products and applications.
Beware of Common Misconceptions

In addressing the security needs of an organization, professionals often succumb to some common misconceptions. Perhaps the most popular one is that the business is obscure, unsophisticated, or boring, simply not a target for malicious activity. Businesses must understand that any network that is connected to the Internet is a potential target regardless of the type of business. Attackers will attempt to gain access to a network and its systems for several reasons. The first reason is to look around to see what they can find. Regardless of the type of business, personnel information will more than likely be stored on one of the systems. This includes Social Security numbers and other personal information. This type of information is a target, always. Another possibility is that the attacker will modify the information he or she finds or simply reconfigure the systems to behave abnormally. This type of attacker is not interested in financial gain; he is simply the technology version of teenagers who soap windows, egg cars, and cover property with toilet paper. He attacks because he finds it entertaining to do so. In addition, these attackers could use the systems to store stolen "property" such as child pornography or credit card numbers. If a system is not secure, attackers can store these types of materials on your system and gain access to them at their leisure. The final possibility is that an attacker will use the hacked systems to mount attacks on other unprotected networks and systems. Computers can be used to mount denial of service attacks, operate as "command and control systems" for a bot network, relay spam, or spread malicious software. Put simply, no computer or network is immune from attack.

Another common misconception is that an organization is immune from problems caused by employees, essentially saying, "We trust all our employees, so we don't have to focus our energies on protecting our assets from them." Although this is common for small businesses in which the owners know everyone, it also occurs in larger organizations in which companies believe they hire only "professionals." It is important to remember that no matter how well job candidates present themselves, a business can never know everything about an employee's past. For this reason it is important for businesses to conduct preemployment background checks on all employees. Furthermore, it is important to conduct these background checks properly and completely. Many employers trust this task to an online solution that promises to conduct a complete background check on an individual for a minimal fee. Many of these sites play on individuals' lack of understanding of how some of these online databases are generated. These sites might not have access to the records of all jurisdictions, because many jurisdictions either do not make their records available online or do not provide them to these databases. In addition, many of the records are entered by minimum wage data-entry clerks whose accuracy is not always 100%.
Background checks should be conducted by organizations that have the resources at their disposal to obtain court records directly from the courthouses where the records are generated and stored. Some firms have a team of "runners" who visit the courthouses daily to pull records; others have a network of contacts who can visit the courts for them. Look for organizations that are active members of the National Association of Professional Background Screeners.[20] Members of this organization are committed to providing accurate and professional results. Perhaps more important, they can provide counseling regarding the proper approach to take and interpret the results of a background check. If your organization does not conduct background checks, there are several firms that might be of assistance: Accurate Background, Inc., of Lake Forest, California;[21] Credential Check, Inc., of Troy, Michigan;[22] and Validity Screening Solutions in Overland Park, Kansas.[23] The websites of these companies provide informational resources to guide you in the process. (Note: For businesses outside the United States or for US businesses with locations overseas, the process might be more difficult because privacy laws could prevent a complete background check from being conducted. The firms we mention here should be able to provide guidance regarding international privacy laws.)

Another misconception is that a preemployment background check is all that is needed. Some erroneously believe that once a person is employed, he or she is "safe" and no longer can pose a threat. However, people's lives and fortunes can change during the course of employment. Financial pressures can cause otherwise law-abiding citizens to take risks they never would have thought possible. Drug and alcohol dependency can alter people's behavior as well. For these and other reasons, it is a good idea to perform an additional background check when an employee is promoted to a position of higher responsibility and trust. If this new position involves handling financial responsibilities, the background check should include a credit check. Although these steps might sound intrusive, which is sometimes a reason cited not to conduct these types of checks, they can also be beneficial to the employee as well as the employer. If a problem is identified during the check, the employer can often offer assistance to help the employee get through a tough time. Financial counseling and substance abuse counseling often can turn a potentially problematic employee into a loyal and dedicated one.

Yet another common misconception involves IT professionals. Many businesses pay their IT staff fairly high salaries because they understand that having a properly functioning technical infrastructure is important for the continued success of the company.
Because the staff is adept at setting up and maintaining systems and networks, there is a general assumption that they know "everything there is to know about computers." It is important to recognize that although an individual might be knowledgeable and technologically sophisticated, no one knows everything about computers. Because members of management do not understand technology, they are not in a good position to judge a person's depth of knowledge and experience in the field. Decisions are often based on the certifications a person has achieved during his or her career. Although certifications can be used to determine a person's level of competency, too much weight is given to them. Many certifications require nothing more than some time and dedication to study and pass a certification test. Some training companies also offer boot camps that guarantee a person will pass the certification test. It is possible for people to become certified without having real-world experience with the operating systems, applications, or hardware addressed by the certification. When judging a person's competency, look at his or her experience level and background first, and if the person has achieved certifications in addition to having significant real-world experience, the certification probably reflects the employee's true capabilities.

The IT staff does a great deal to perpetuate the image that it knows everything about computers. One reason why people become involved in the IT field in the first place is because they have an opportunity to try new things and overcome new challenges. This is why when an IT professional is asked whether she knows how to do something, she will always respond "Yes." In reality, the real answer should be, "No, but I'll figure it out." Although they can frequently figure things out, when it comes to security we must keep in mind that it is a specialized area, and implementing a strong security posture requires significant training and experience.
Provide Security Training for Information Technology Staff: Now and Forever

Just as implementing a robust, secure environment is a dynamic process, so is creating a highly skilled staff of security professionals. Even though an organization's technical infrastructure might not change frequently, new vulnerabilities are discovered and new attacks launched on a regular basis. In addition, few organizations have a stagnant infrastructure; employees are constantly requesting new software, and more technologies are added in an effort to improve efficiency. Each new addition likely introduces additional vulnerabilities.

It is important for the IT staff to be prepared to identify and respond to new threats and vulnerabilities. Those interested in gaining a deep understanding of security should start with a vendor-neutral program, one that focuses on concepts rather than specific products. The SANS (SysAdmin, Audit, Network, Security) Institute offers two introductory programs: Intro to Information Security (Security 301),[24] a 5-day class designed for people just starting out in the security field, and the SANS Security Essentials Bootcamp (Security 401),[25] a 6-day class designed for people with some security experience. Each class is also available as a self-study program, and each can be used to prepare for a specific certification. Another option is to start with a program that follows the CompTIA Security+ certification requirements, such as the Global Knowledge Essentials of Information Security course.[26] Some colleges offer similar programs. Once a person has a good fundamental background in security, he should undergo vendor-specific training to apply the concepts learned to the specific applications and security devices employed in the work environment.

A great way to keep up with current trends in security is to become actively involved in a security-related trade organization. The key concept here is actively involved. Many professionals join organizations so that they can add an item to the "professional affiliations" section of their resume. Becoming actively involved means attending meetings on a regular basis and serving on a committee or on the executive board. Although this seems like a daunting time commitment, the benefit is that the professional develops a network of resources that can provide insight, serve as a sounding board, or provide assistance when a problem arises. Participating in these associations is a cost-effective way to get up to speed with current security trends and issues. Here are some organizations[27] that can prove helpful:

- ASIS International, the largest security-related organization in the world, focuses primarily on physical security but has started addressing computer security as well
- ISACA, formerly the Information Systems Audit and Control Association
- High Technology Crime Investigation Association (HTCIA)
- Information Systems Security Association (ISSA)
- InfraGard, a joint public and private organization sponsored by the Federal Bureau of Investigation (FBI)

In addition to monthly meetings, many local chapters of these organizations sponsor regional conferences that are usually reasonably priced and attract nationally recognized experts.
Arguably one of the best ways to determine whether an employee has a strong grasp of information security concepts is whether she can achieve the Certified Information Systems Security Professional (CISSP) certification. Candidates for this certification are tested on their understanding of the following 10 knowledge domains:

- access control
- application security
- business continuity and disaster recovery planning
- cryptography
- information security and risk management
- legal regulations, compliance, and investigations
- operations security
- physical (environmental) security
- security architecture and design
- telecommunications and network security

(This is the domain list at the time of writing; (ISC)² has since consolidated the common body of knowledge into eight domains.) What makes this certification so valuable is that the candidate must have a minimum of 5 years of professional experience in the information security field, or 4 years of experience and a college degree. To maintain certification, a certified individual is required to complete 120 hours of continuing professional education during the 3-year certification cycle. This ensures that those holding the CISSP credential stay up to date with current trends in security. The CISSP certification is maintained by (ISC)², the International Information System Security Certification Consortium.[28]
Think "Outside the Box"

For most businesses, the perceived threat to their intellectual assets and technical infrastructure comes from the "bad guys" sitting outside the organization, trying to break in. These organizations establish strong perimeter defenses, essentially "boxing in" their assets. However, internal employees have access to proprietary information in order to do their jobs, and they often disseminate this information to places where it is no longer under the employer's control. This dissemination is generally not done with malicious intent, but simply so that employees can reach the data they need to perform their job more efficiently. It becomes a problem when an employee leaves and the organization takes no steps to collect or control the proprietary information in the possession of its now ex-employee.

One of the most overlooked threats to intellectual property is the innocuous and now ubiquitous USB flash drive. These devices, the size of a tube of lipstick, are the modern-day floppy disk in terms of portable data storage: a convenient way to transfer data between computers. The difference is capacity. A 16-GB USB flash drive holds as much as more than 10,000 floppy disks, and as of this writing one can be purchased for less than $15. Businesses should keep in mind that as time goes by, the capacity of these devices will increase and the price will decrease, making them ever more attractive to employees.
USB flash drives are not the only threat. Because other devices connect through the USB port, digital cameras, MP3 players, and external hard drives can all be used to remove data from a computer and from the network to which it is connected. Most people recognize that external hard drives pose a threat, but they may not see the other devices that way. Cameras and music players are designed to store images and music, but to a computer they are simply additional mass storage devices. It is difficult for people to grasp that an iPod can carry word-processing documents, databases, and spreadsheets as well as music.

Fortunately, Microsoft Windows records the mass storage devices that have been connected to a system in the Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Enum\USBSTOR (ControlSet00x being the control set in use; CurrentControlSet is a link to it). It can prove interesting to look in this key on your own computer to see what types of devices have been connected. Fig. 2.2 shows a wide array of devices that have been connected to a system, including USB flash drives, a digital camera, and several external hard drives. Windows Vista and later have an additional key that tracks connected devices: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Portable Devices\Devices.[29] (Note: Analyzing the Registry is a great way to investigate the activities of computer users. For many, however, the Registry is tough to navigate and interpret. If you are interested in understanding more about it, you might want to download and experiment with Harlan Carvey's RegRipper.[30])

Another channel that carries data outside the walls of the organization is the plethora of handheld devices currently in use. Many of these devices can send and receive email as well as create, store, and transmit word-processing, spreadsheet, and PDF files. Although most employers will not purchase these devices for their employees, they are more than happy to let employees sync their personally owned devices with corporate computers. Client contact information, business plans, and other materials can easily be copied from a system. Some businesses think they have this threat under control because they provide employees with corporate-owned devices and collect the devices when employees leave. The problem with this attitude is that employees can easily copy data from the devices to their home computers before the devices are returned.

Because of the threat posed by portable storage and handheld devices, it is important for an organization to establish policies outlining the acceptable use of these devices and to implement an enterprise-grade solution to control how, when, or whether data can be copied to them. Filling all USB ports with epoxy is a cheap solution, but it is not really effective. Fortunately, several products can protect against this type of data leak; DeviceWall from FrontRange Solutions[31] and GFI EndPointSecurity[32] are two popular ones.
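The USBSTOR key described above is easiest to work with as a text export rather than by clicking through the Registry Editor. The following Python script is an added example, not code from the chapter: it parses the output of `reg export HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR usbstor.reg` (run from an elevated command prompt on the machine being examined) and lists the vendor, product, revision, serial number and friendly name of every mass storage device that has ever been plugged in. The embedded sample export is constructed for illustration; the key layout it assumes (Disk&Ven_…&Prod_…&Rev_… with one instance subkey per device) is the one Windows writes.

```python
"""List USB mass-storage devices recorded under the Windows USBSTOR registry key.

Added example (not from the chapter): it parses a text export of the key, the
output of `reg export`, so it runs anywhere against a saved export, which is
also how you would examine an imaged or seized machine rather than your own.
"""
import re
import sys

# Matches the key lines written by `reg export` for USBSTOR, capturing the
# device type, vendor, product and revision, plus the instance subkey if present.
DEVICE_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Enum\\USBSTOR"
    r"\\(?P<type>[^&\\\]]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^\\\]]*)"
    r"(?:\\(?P<instance>[^\]]+))?\]$",
    re.IGNORECASE,
)
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

# Constructed sample export for illustration only; not taken from a real system.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP\0019E06B12345678&0]
"DeviceDesc"="@disk.inf,%disk_devdesc%;Disk drive"
"FriendlyName"="Kingston DataTraveler 2.0 USB Device"
"Service"="disk"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_WD&Prod_My_Passport_0748&Rev_1019]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_WD&Prod_My_Passport_0748&Rev_1019\575834314142323139333436&0]
"FriendlyName"="WD My Passport 0748 USB Device"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Canon&Prod_Digital_Camera&Rev_1.00]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Canon&Prod_Digital_Camera&Rev_1.00\7&2e5a1d92&0]
"FriendlyName"="Canon Digital Camera USB Device"
"""


def parse_usbstor(text):
    """Return one dict per device instance found in a USBSTOR .reg export."""
    devices, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        key = DEVICE_KEY.match(line)
        if key:
            if key.group("instance") is None:
                current = None          # device-class key; instances follow
                continue
            instance = key.group("instance")
            # A '&' as the second character means the device reported no serial
            # number and Windows generated this ID; such an ID can differ between
            # machines, so it does not identify the physical device.
            reported = len(instance) > 1 and instance[1] != "&"
            current = {
                "type": key.group("type"),
                "vendor": key.group("vendor"),
                "product": key.group("product").replace("_", " "),
                "revision": key.group("rev"),
                "serial": instance.split("&")[0] if reported else instance,
                "serial_reported": reported,
                "friendly_name": None,
            }
            devices.append(current)
            continue
        if line.startswith("["):
            current = None              # some unrelated key
            continue
        value = VALUE_LINE.match(line)
        if value and current is not None and value.group("name").lower() == "friendlyname":
            current["friendly_name"] = value.group("data").strip('"')
    return devices


def format_report(devices):
    """One line per device, flagging IDs that are not real hardware serial numbers."""
    lines = []
    for d in devices:
        flag = "" if d["serial_reported"] else "  [no hardware serial]"
        lines.append(f'{d["vendor"]} {d["product"]} (rev {d["revision"]}) '
                     f'serial={d["serial"]} name={d["friendly_name"]}{flag}')
    return lines


if __name__ == "__main__":
    # `reg export` writes UTF-16 with a byte-order mark; open() handles the mark.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-16") as f:
            text = f.read()
    else:
        text = SAMPLE_EXPORT
    print("\n".join(format_report(parse_usbstor(text))))
```

Run it with the path of an export as the only argument, or with no argument to see the sample. The serial number is the value worth keeping: it is what lets you match a device seen on a workstation to one found in an ex-employee's desk drawer, which is why the script separates Windows-generated instance IDs (no real serial) from ones the hardware reported.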
DOXing

With the interest in and ability to store data on third-party systems, it becomes increasingly necessary for security professionals to make "thinking outside the box" part of their skill set. It might not seem that security professionals should be concerned with data stored on systems other than their own, but the fact that materials critical and confidential to the business are stored on third-party systems means that the success or profitability of the business requires that this information be secured.

In addition to data leaving an organization on thumb drives or to an external storage site, seemingly innocuous data can be collected from a variety of sources and used against an individual or organization. This process is called DOXing and is defined by ProHackingTricks as follows:

DOXing is a way of tracing someone or getting information about an individual using sources on the internet and social engineering techniques. Its term was derived from "Documents"; as a matter of fact it's the retrieval of Documents on a person or an organization.[33]

DOXing is essentially high-tech dumpster diving, in which information is gathered from the Internet rather than from a waste bin. Initially used by the hacker group Anonymous to harass law enforcement, the tactic was also employed by the Occupy Wall Street protesters. This technique is possible because individuals and organizations do not understand the significance of data posted on social networking sites, blogs, corporate websites, and other online repositories. A single piece of information posted on a website may not in and of itself be significant, but combined with materials collected from a variety of sites, that small piece may help fill in a complete (and possibly unflattering) picture of a person or business. Although this process has so far been aimed at law enforcement, it is only a matter of time before it is used against executives and corporations. Being aware of this threat and educating others are now part of the security process.
Train Employees: Develop a Culture of Security

One of a business's greatest security assets is its own employees, but only if they have been properly trained to comply with security policies and to identify potential security problems. Many employees do not understand the significance of various security policies and implementations. As mentioned previously, they consider these policies nothing more than an inconvenience. Gaining the support and allegiance of employees takes time, but it is time well spent.

Begin by carefully explaining the reasons behind any security implementation. One reason could be ensuring employee productivity, but focus primarily on the security issues. File sharing using LimeWire and Shareaza might keep employees away from work, but it can also open up holes in a firewall. Downloading and installing unapproved software can introduce malicious software that infects user systems, causing computers to function slowly or not at all. Although most employees understand that opening unknown or unexpected email attachments can lead to a malware infection, most are unaware of the advanced capabilities of recent malicious code. Advanced persistent threats, in which a well-resourced attacker gains a foothold and stays on the network for months despite the diligent use of antivirus programs, have become a major problem. Employees need to understand that indiscriminate Web surfing can result in "drive-by" installs of malware.

Perhaps the most direct way to gain employee support is to let employees know that the money needed to respond to attacks and fix problems initiated by users is money that is then not available for raises and promotions. Letting employees know that they have some "skin in the game" is one way to get them involved in security efforts. If a budget is set aside to respond to security problems and employees help stay well within it, the difference between the money spent and the budget could be divided among employees as a bonus. Not only would employees be more likely to speak up if they noticed network or system slowdowns, they would probably be more likely to confront strangers wandering through the facility.

Another mechanism for gaining security allies is to provide advice on securing home computers. Although some might not see this as directly benefiting the company, keep in mind that many employees have corporate data on their home computers. This advice can come from periodic live presentations (offer refreshments and attendance will be higher) or from a periodic newsletter mailed or emailed to employees' personal addresses. The goal of these activities is to encourage employees to approach management or the security team voluntarily. When this begins to happen on a regular basis, you will have expanded the capabilities of your security team and created a much more secure organization.

The security expert Roberta Bragg used to tell a story of a client who took this concept to a high level. The client provided the company mail clerk with a Wi-Fi hotspot detector and promised him a free steak dinner for every unauthorized wireless access point he could find on the premises. The mail clerk was happy to have the opportunity to earn three free steak dinners.
Identify and Use Built-in Security Features of the Operating System and Applications

Many organizations and systems administrators state that they cannot create a secure organization because they have limited resources and simply do not have the funds to purchase robust security tools. This is a poor excuse, because all operating systems and many applications include security mechanisms that require no organizational resources other than the time to identify and configure them. For Microsoft Windows operating systems, a terrific resource is the online Microsoft TechNet Library.[34] Under the Solution Accelerators link, you can find security resources for all recent Microsoft products. One example of the tools available is the Microsoft Security Compliance Manager; Fig. 2.3 shows its initial screen. TechNet can provide insight into managing numerous security issues, from Microsoft Office 2007 to security risk management, and its documents can assist in implementing the built-in security features of Microsoft Windows products. Assistance is needed in identifying many of these capabilities because they are often hidden from view and turned off by default.
One of the biggest current concerns in an organization is data leaks: ways in which confidential information can leave an organization despite robust perimeter security. As mentioned previously, USB flash drives are one cause of data leaks; another is the recovery of data from the unallocated clusters of a computer's hard drive. Unallocated clusters, or free space as it is commonly called, is the area of a hard drive where the operating system and applications leave their artifacts or residual data, including the contents of deleted files. Although these data are not viewable through the graphical user interface (GUI), they can easily be identified (and sometimes recovered) using a hex editor such as WinHex[35] or one of several commercially available computer forensics programs. Fig. 2.4 shows the contents of unallocated clusters displayed by EnCase Forensic. If a computer is stolen or donated, it is possible that someone could access the data located in unallocated clusters. For this reason, many people struggle to find an appropriate "disk-scrubbing" utility. Many such commercial utilities exist, but one is built into Microsoft Windows. The command-line program cipher.exe is designed to display or alter the encryption of directories (and files) stored on NTFS partitions. Few people know about this command; even fewer are familiar with its /w switch. Here is the description of the switch from the program's help text:

Removes data from available unused disk space on the entire volume. If this option is chosen, all other options are ignored. The directory specified can be anywhere in a local volume. If it is a mount point or points to a directory in another volume, the data on that volume will be removed.

To use Cipher, click Start and type cmd in the "Search programs and files" box. When the cmd.exe window opens, type cipher /w:folder, where folder is any folder in the volume that you want to clean, and then press Enter. Fig. 2.5 shows Cipher wiping a folder. Keep in mind what the switch does and does not do: it overwrites only the space the file system currently reports as free (in three passes, writing zeros, then ones, then random data), so it does not touch files that still exist, and on solid-state drives the controller's wear leveling means an overwrite is no guarantee that the old blocks have actually been erased. For more on secure file deletion issues, see the author's white paper in the SANS Reading Room, "Secure file deletion: Fact or fiction?"[36]

Another source of data leaks is the personal and editing information that can be associated with Microsoft Office files. In Microsoft Word 2003 you can configure the application to remove personal information on save and to
are man-made and can fail or be compromised. As with any other aspect of technology, one should never rely on a single product or tool.

Enabling logging on your systems is one way to put your organization in a position to identify problem areas. The problem is determining what should be logged. Some security standards can help with this determination. One of them is the Payment Card Industry Data Security Standard (PCI DSS).[38] Requirement 10 of the PCI DSS states that organizations must "track and monitor access to network resources and cardholder data." If you simply substitute confidential information for the phrase cardholder data, this requirement is an excellent template for a log management program. Requirement 10 is reproduced here:

Logging mechanisms and the ability to track user activities are critical. The presence of logs in all environments allows thorough tracking and analysis if something does go wrong. Determining the cause of a compromise is very difficult without system activity logs:

1. Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.
2. Implement automated audit trails for all system components to reconstruct the following events:
   - all individual user accesses to cardholder data
   - all actions taken by any individual with root or administrative privileges
   - access to all audit trails
   - invalid logical access attempts
   - use of identification and authentication mechanisms
   - initialization of the audit logs
   - creation and deletion of system-level objects
3. Record at least the following audit trail entries for all system components for each event:
   - user identification
   - type of event
   - date and time
   - success or failure indication
   - origination of event
   - identity or name of affected data, system component, or resource
4. Synchronize all critical system clocks and times.
5. Secure audit trails so that they cannot be altered:
   - Limit viewing of audit trails to those with a job-related need.
   - Protect audit trail files from unauthorized modifications.
   - Promptly back up audit trail files to a centralized log server or media that are difficult to alter.
   - Copy logs for wireless networks onto a log server on the internal local area network.
   - Use file integrity monitoring and change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
6. Review logs for all system components at least daily. Log reviews must include servers that perform security functions such as intrusion detection system and authentication, authorization, and accounting protocol servers (for example, RADIUS). Note: Log harvesting, parsing, and alerting tools may be used to achieve compliance.
7. Retain audit trail history for at least 1 year, with a minimum of 3 months' online availability.

Item 6 looks overwhelming, because few organizations have the time to review log files manually. Fortunately, there are tools that will collect and parse log files from a variety of sources, and all of them can notify individuals when a particular event occurs. One simple tool is the Kiwi Syslog Server[39] for Microsoft Windows; Fig. 2.7 shows its configuration screen for setting up email alerts. Additional log parsing tools include Microsoft's Log Parser[40] and Swatch for Unix.[41] Commercial tools include ArcSight Logger,[42] GFI EventsManager,[43] and LogRhythm.[44]

An even more detailed approach to monitoring your systems is to install a packet-capturing tool on your network so that you can capture and analyze traffic in real time. One helpful tool is Wireshark, "an award-winning network protocol analyzer developed by an international team of networking experts."[45] Wireshark is the continuation of the earlier packet capture tool Ethereal, renamed in 2006. Analyzing network traffic is not a trivial task and requires some training, but it is perhaps the most accurate way to determine what is happening on your network. Fig. 2.8 shows Wireshark monitoring the traffic on a wireless interface.
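The Requirement 10 items reproduced above describe what a daily log review (item 6) should look for and what each entry must contain (item 3). The following Python script is an added example, not code from the chapter or from any of the tools it names: it checks a handful of JSON-lines audit events for the item 3 fields, raises the item 2 event classes (privileged actions, audit-trail access, system-object changes, repeated failed logons) as findings, and hash-chains the raw lines so that tampering with an existing line is detectable while appending new lines is not flagged, which is the item 5 behaviour. The log lines are constructed for illustration, and the field names, privileged-account list, audit-trail paths and failure threshold are assumptions; map them onto what your own sources emit.

```python
"""Review audit events against the PCI DSS Requirement 10 items reproduced above.

Added example, not from the chapter. The JSON field names (user, event, time,
result, origin, resource), the privileged-account list, the audit-trail paths
and the failure threshold are assumptions for the illustration; map them onto
whatever your own log sources actually emit.
"""
import hashlib
import json
from collections import Counter

REQUIRED_FIELDS = ("user", "event", "time", "result", "origin", "resource")  # item 3
PRIVILEGED_USERS = {"root", "Administrator"}                                  # item 2, 2nd bullet
AUDIT_TRAIL_PREFIXES = ("/var/log/", "C:\\Windows\\System32\\winevt\\")       # item 2, 3rd bullet
SYSTEM_OBJECT_EVENTS = {"audit_init", "object_create", "object_delete"}       # item 2, 6th/7th bullets
FAILED_LOGIN_THRESHOLD = 3                                                    # item 2, 4th bullet

# Constructed sample log lines for illustration; not captured from any real system.
SAMPLE_LOG = """\
{"time": "2024-03-01T08:00:01Z", "user": "alice", "event": "login", "result": "success", "origin": "10.0.0.5", "resource": "vpn-gw"}
{"time": "2024-03-01T08:02:13Z", "user": "mallory", "event": "login", "result": "failure", "origin": "203.0.113.9", "resource": "vpn-gw"}
{"time": "2024-03-01T08:02:15Z", "user": "mallory", "event": "login", "result": "failure", "origin": "203.0.113.9", "resource": "vpn-gw"}
{"time": "2024-03-01T08:02:18Z", "user": "mallory", "event": "login", "result": "failure", "origin": "203.0.113.9", "resource": "vpn-gw"}
{"time": "2024-03-01T09:10:00Z", "user": "root", "event": "file_read", "result": "success", "origin": "10.0.0.7", "resource": "/var/log/auth.log"}
{"time": "2024-03-01T09:11:00Z", "user": "root", "event": "object_delete", "result": "success", "origin": "10.0.0.7", "resource": "account:bob"}
{"time": "2024-03-01T09:12:00Z", "user": "bob", "event": "file_read", "result": "success", "origin": "10.0.0.8"}
Mar  1 09:13:00 host sshd[4242]: this line is not JSON at all
"""


def parse_events(text):
    """Split the log into usable events and (line number, reason) pairs for
    lines that cannot satisfy item 3 because they are malformed or incomplete."""
    events, rejected = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except ValueError:
            rejected.append((n, "not valid JSON"))
            continue
        missing = [f for f in REQUIRED_FIELDS if f not in ev]
        if missing:
            rejected.append((n, "missing " + ", ".join(missing)))
        else:
            events.append(ev)
    return events, rejected


def review(events):
    """Apply the item 2 event classes; return (rule, detail) findings for a reviewer."""
    findings = []
    failures = Counter()
    for ev in events:
        where = f'{ev["user"]} {ev["event"]} {ev["resource"]} from {ev["origin"]} at {ev["time"]}'
        if ev["user"] in PRIVILEGED_USERS:
            findings.append(("privileged-action", where))
        if ev["resource"].startswith(AUDIT_TRAIL_PREFIXES):
            findings.append(("audit-trail-access", where))
        if ev["event"] in SYSTEM_OBJECT_EVENTS:
            findings.append(("system-object-change", where))
        if ev["event"] == "login" and ev["result"] == "failure":
            failures[(ev["user"], ev["origin"])] += 1
    for (user, origin), count in failures.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            findings.append(("repeated-login-failure", f"{user} from {origin}: {count} failures"))
    return findings


def chain_digests(lines):
    """Item 5: hash-chain the raw lines so that altering or removing any line changes
    every digest after it, while appending new lines leaves earlier digests intact.
    Record the latest digest somewhere the log host cannot write, and recompute at
    review time to prove the history you are reading is the one that was written."""
    digests, previous = [], b""
    for line in lines:
        previous = hashlib.sha256(previous + line.encode("utf-8")).digest()
        digests.append(previous.hex())
    return digests


if __name__ == "__main__":
    events, rejected = parse_events(SAMPLE_LOG)
    for n, reason in rejected:
        print(f"line {n}: rejected ({reason})")
    for rule, detail in review(events):
        print(f"{rule:24} {detail}")
    print("chain digest:", chain_digests(SAMPLE_LOG.splitlines())[-1])
```

Rejected lines are findings in their own right: a source that emits entries without a user or a result cannot meet item 3, and fixing the source is cheaper than guessing at review time. The hash chain is deliberately simple; a real deployment would anchor the stored digest on a separate log server, which is exactly what item 5 asks for.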
Hire a Third Party to Audit Security Regardless of how talented your staff is, there is always the possibility that they overlooked something or inadvertently misconﬁgured a device or setting. For this reason it is important to bring in an extra set of “eyes, ears, and h
Although some IT professionals become paranoid about having a third party review their work, intelligent staff members will recognize that a security review by outsiders can be a great learning opportunity. The advantage of having a third party review your systems is that the outsiders have experience reviewing a wide range of systems, applications, and devices in a variety of industries. They will know what works well and what might work now but cause problems in the future. They are also more likely to be up to speed on new vulnerabilities and the latest product updates. Why? Because this is all they do. They are not encumbered by administrative duties, internal politics, and help desk requests. They will be more objective than in-house staff, and they will be in a position to make recommendations after their analysis.

The third-party analysis should take a two-pronged approach: it should identify how the network appears to attackers and how secure the systems are if attackers make it past the perimeter defenses. You do not want "Tootsie Pop security" (a hard crunchy shell with a soft center). The external review, often called a penetration test, can be done in several ways. The first is a no-knowledge approach, in which the consultants are given absolutely no information about the network and systems before their analysis. Although this is realistic, it can be time-consuming and expensive, because the consultants must use publicly available information to start enumerating systems for testing. A partial-knowledge analysis is more efficient and less expensive: if provided with a network topology diagram and a list of registered IP addresses, third-party reviewers can complete the review more quickly and the results can be addressed in a much more timely fashion. Whichever approach is used, agree in writing on the scope (which addresses and systems are in bounds) and the testing window before any testing begins. Once the penetration test is complete, a review of the internal network can begin. The audit of the internal network will identify open shares, unpatched systems, open ports, weak passwords, rogue systems, and many other issues.
Do Not Forget the Basics

Many organizations spend a great deal of time and money on perimeter defenses and overlook some fundamental security mechanisms, described here.

Change Default Account Passwords

Nearly all network devices come preconfigured with a username and password combination. This combination is included with the setup materials and is documented in numerous places. Often these devices are the gateways to the Internet or to other internal networks. If the default passwords are not changed during configuration, it becomes trivial for an attacker to get into these systems. Attackers can find default password lists on the Internet,[46] and vendors include default passwords in their online manuals. For example, Fig. 2.9 shows the default username and password for Netgear devices. Default credentials are also a favorite of worms and botnets, which try them automatically against every device they can reach, so an Internet-facing device with an unchanged default will be found without any human attacker looking for it.
Use Robust Passwords

With the increased processing power of our computers and password-cracking software such as the Passware products[47] and AccessData's Password Recovery Toolkit,[48] cracking passwords is fairly simple and straightforward. For this reason it is extremely important to create robust passwords. Complex passwords are hard for users to remember, though, so the challenge is to create passwords that can be remembered without being written down. One solution is to use the first letter of each word in a phrase, such as "I like to eat imported cheese from Holland." This becomes IlteicfH, an eight-character password using upper- and lowercase letters. It can be made more complex by substituting an exclamation point for the letter I and the digit 3 for the letter e, so that the password becomes !lt3icfH. This is a password that can be remembered easily. Bear in mind, though, that length does far more for strength than character substitutions, which cracking tools try automatically: eight characters is short by today's standards, so apply the same method to a longer phrase, and never reuse the result across systems.
Close Unnecessary Ports

Ports on a computer are logical access points for communication over a network. Knowing what ports are open on your computers will allow you to understand the types of access points that exist. Well-known port numbers are 0 to 1023. Some easily recognized ports and what they are used for are:

- Port 21: File Transfer Protocol
- Port 23: Telnet
- Port 25: Simple Mail Transfer Protocol
- Port 53: Domain Name System
- Port 80: Hypertext Transfer Protocol
- Port 110: Post Office Protocol
- Port 119: Network News Transfer Protocol

Because open ports that are not necessary can be an entrance into your systems, and ports that are open unexpectedly could be a sign of malicious software, identifying open ports is an important security process. Several tools will allow you to identify open ports. The built-in command-line tool netstat will identify open ports and the processes that own them when run with the following switches (netstat -ano):

- -a displays all connections and listening ports
- -n displays addresses and port numbers in numerical form
- -o displays the owning process ID associated with each connection

(Note: On Unix and Linux, netstat is also available but uses different switches, for example netstat -atvp, where -p shows the owning program and normally requires root.) Other tools that can prove helpful are CurrPorts,[49] a GUI tool that allows you to export the results in delimited format, and TCPView,[50] a tool provided by Microsoft (Sysinternals). Sample results are shown in Fig. 2.10.
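netstat and TCPView show open ports from inside the machine. The following Python script is an added example, not code from the chapter or from any of the tools named above: it checks the well-known ports listed above from the outside with a plain TCP connect, which is how a neighbour on the network (or an attacker) sees the host, and reports any open port that is not on an approved list. The approved-port set is an assumption for the illustration; in the demo a throwaway listening socket on an ephemeral port stands in for the unexpected service.

```python
"""Find open TCP ports on a host and flag any that are not on an approved list.

Added example, not from the chapter: it checks from the outside, with a plain
TCP connect, what `netstat -ano` shows from the inside, which is how a neighbour
on the network (or an attacker) sees the machine. The approved-port set is an
assumption for the illustration; derive yours from the system's documented role.
"""
import socket
from contextlib import closing

# Service names for the well-known ports listed above.
WELL_KNOWN = {21: "FTP", 23: "Telnet", 25: "SMTP", 53: "DNS",
              80: "HTTP", 110: "POP3", 119: "NNTP"}


def is_open(host, port, timeout=0.5):
    """True when a TCP connection to host:port completes, i.e. something is listening."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan(host, ports):
    """Return the sorted list of ports, among those given, that accept connections."""
    return sorted(p for p in set(ports) if is_open(host, p))


def unexpected(open_ports, approved):
    """Open ports nobody approved: close the service or find out what opened it."""
    return [p for p in open_ports if p not in approved]


def describe(port):
    """Label a port with its well-known service name, or the OS services file, if any."""
    name = WELL_KNOWN.get(port)
    if name is None:
        try:
            name = socket.getservbyport(port, "tcp").upper()
        except OSError:
            name = "unknown"
    return f"{port}/tcp ({name})"


def start_listener(host="127.0.0.1"):
    """Open a throwaway listening socket on an ephemeral port; in the demo it stands
    in for an unexpected service. Returns (socket, port); close the socket when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(16)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    host = "127.0.0.1"
    rogue, rogue_port = start_listener(host)
    approved = {80}                      # assumption: this host is only meant to serve HTTP
    try:
        found = scan(host, list(WELL_KNOWN) + [rogue_port])
        for p in found:
            print("open:", describe(p))
        for p in unexpected(found, approved):
            print("NOT APPROVED:", describe(p))
    finally:
        rogue.close()
```

A connect scan only sees ports that answer the address you scan from, so run it from the segment whose view you care about (a port bound only to 127.0.0.1 is invisible from the LAN, which is exactly the distinction that matters when deciding whether a listener is a problem). Once an unexpected port turns up, use netstat -ano on the host to map it to the owning process.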
Patch, Patch, Patch

Nearly all operating systems have a mechanism for automatically checking for updates. This notification system should be turned on. Although there is some debate as to whether updates should be installed automatically, systems administrators should at least be notified of updates. They might not want updates installed automatically, because patches have been known to cause more problems than they solve; the usual compromise is to test patches on a representative system first and then deploy them. However, administrators should not wait too long before installing updates, because delay exposes systems to attack unnecessarily. A simple tool that can help keep track of system updates is the Microsoft Baseline Security Analyzer,[51] which also examines other fundamental security configurations.
Use Administrator Accounts for Administrative Tasks

A common security vulnerability is created when systems administrators conduct routine or personal tasks while logged into their computers with administrator rights. Tasks such as checking email, surfing the Internet, and testing questionable software can expose the computer to malicious software, which then runs with administrator privileges and can create serious problems. Administrators should log into their systems with a standard user account for day-to-day work and use the administrator account (or elevate to it) only for administrative tasks, so that malicious software cannot gain control of their computers.
Restrict Physical Access

With a focus on technology, it is easy to overlook nontechnical security mechanisms. If an intruder can gain physical access to a server or other infrastructure asset, the intruder will own the organization. Critical systems should be kept in secure areas. A secure area is one that limits access to those who need it as part of their job responsibilities. A room kept locked with a key that is provided only to the systems administrator, with the only duplicate stored in a safe in the office manager's office, is a good start. The room should have no windows that can open. In addition, the room should have no labels or signs identifying it as a server room or network operations center. The equipment should not be stored in a closet where other employees, custodians, or contractors can gain access. The validity of your physical security mechanisms should be reviewed during a third-party vulnerability assessment.
Do Not Forget Paper! With the advent of advanced technology, people have forgotten how information was stolen in the past: on paper. Managing paper documents is fairly straightforward. Locking ﬁle cabinets should be used, and locked, consis- tently. Extra copies of proprietary documents, document drafts, and expired internal communications are some of the materials that should be shredded. A policy should be created to tell employees what they should and should not do with printed documents. The following example of the theft of trade secrets underscores the importance of pro- tecting paper documents:
A company surveillance camera caught Coca-Cola employee Joya Williams at her desk looking through files and "stuffing documents into bags," Nahmias and FBI officials said. Then in June, an undercover FBI agent met at the Atlanta airport with another of the defendants, handing him $30,000 in a yellow Girl Scout Cookie box in exchange for an Armani bag containing confidential Coca-Cola documents and a sample of a product the company was developing, officials said.52

The steps to achieving security mentioned in this chapter are only the beginning. They should provide some insight into where to start building a secure organization. Finally, let us briefly look at the process of building and assessing the security controls in organizational information systems, including the activities carried out by organizations and assessors to prepare for security control assessments; the development of security assessment plans; the conduct of security control assessments and the analysis, documentation, and reporting of assessment results; and postassessment report analysis and follow-on activities carried out by organizations.
- PREPARING FOR THE BUILDING OF SECURITY CONTROL ASSESSMENTS Conducting security control assessments in today's complex environment of sophisticated IT infrastructures and high-visibility, mission-critical applications can be difficult, challenging, and resource-intensive. Success requires cooperation and collaboration among all parties with a vested interest in the organization's information security posture, including information system owners, common control providers, authorizing officials, chief information officers, senior information security officers, and chief executive officers/heads of departments. Establishing an appropriate set of expectations before, during, and after the assessment is paramount to achieving an acceptable outcome: that is, producing information necessary to help the authorizing official make a credible, risk-based decision regarding whether to place the information system into operation or continue its operation. Thorough preparation by the organization and the assessors is an important aspect of conducting effective security control assessments. Preparatory activities address a range of issues relating to the cost, schedule, and performance of the assessment (see checklist: "An Agenda for Action for Preparatory Activities").
- SUMMARY In preparation for the assessment of security controls, this chapter covered how necessary background information is assembled and made available to the assessors or assessment team to build a secure organization. To the extent necessary to support the specific assessment, the organization identifies and arranges access to:
- elements of the organization responsible for developing, documenting, disseminating, reviewing, and updating all security policies and associated procedures for implementing policy-compliant controls;
- the security policies for the information system and any associated implementing procedures;
- individuals or groups responsible for the development, implementation, operation, and maintenance of security controls;
- any materials (security plans, records, schedules, assessment reports, after-action reports, agreements, and authorization packages) associated with the implementation and operation of security controls;
- the objects to be assessed.

The availability of essential documentation and access to key organizational personnel and the information system being assessed are paramount to a successful assessment of the security controls. When building secure organizations, one must consider both the technical expertise and the level of independence required in selecting security control assessors. Organizations must ensure that security control assessors possess the required skills and technical expertise to carry out assessments of system-specific, hybrid, and common controls successfully. This includes knowledge of and experience with the specific hardware, software, and firmware components employed by the organization. An independent assessor is any individual or group capable of conducting an impartial assessment of security controls employed within or inherited by an information system. Impartiality implies that assessors are free from any perceived or actual conflicts of interest with respect to the development, operation, and/or management of the information system or the determination of the effectiveness of security control. The authorizing official or designated representative determines the required level of independence for security control assessors based on the results of the security categorization process for the information system and the ultimate risk to organizational operations and assets, individuals, and other organizations. The authorizing official determines whether the level of assessor independence is sufficient to provide confidence that the assessment results produced are sound and can be used to make a risk-based decision regarding whether to place the information system into operation or continue its operation.

Independent security control assessment services can be obtained from other elements within the organization or can be contracted to a public or private sector entity outside the organization. In special situations (for example, when the organization that owns the information system is small or the organizational structure requires the security control assessment to be accomplished by individuals that are in the developmental, operational, and/or management chain of the system owner), independence in the assessment process can be achieved by ensuring that the assessment results are carefully reviewed and analyzed by an independent team of experts to validate the completeness, consistency, and veracity of the results.

Finally, let us move on to the real interactive part of this chapter: review questions/exercises, hands-on projects, case projects, and an optional team case project. The answers and/or solutions by chapter can be found in the Online Instructor's Solutions Manual.
Published @ September 29, 2021 8:03 am