CompTIA Security+ Deluxe Study Guide: SY0-201 - Emmett Dulaney [252]
This solution requires that you take the following steps:
■ Create, maintain, and use a written security policy.
■ Make informed technology choices.
■ Make your best effort to secure your OS using IT technology.
■ Deploy multiple overlapping layers of defense.
■ Consider protection for confidentiality, integrity, and availability.
■ Implement stronger authentication to support realistic accountability.
■ Secure your personnel through training.
■ Secure the physical environment.
■ Watch for the inevitable security breach attempt.
■ Be prepared to respond to incidents.
■ Maintain that security is a never-ending process.
■ Keep in mind that protections should prevent, then deter, then deny, then detect, then delay.
In the sections that follow, these and many other security concepts are explored and their application discussed.
Access Control Issues
Access control is the scheme or mechanism used to control who is granted access to what within the environment as a whole. You should recall that there are three primary options for this: Discretionary Access Control (DAC), Mandatory Access Control (MAC), and Role-Based Access Control (RBAC). What is the access control scheme used in your work environment?
If you don’t already know what scheme is used at your office, think about it before asking your network administrator (NA) or security administrator (SA). First, does the office use standard, off-the-shelf operating systems from vendors such as Microsoft, Linux, and Apple for both clients and servers? If so, it is more likely that you work in a DAC environment. Second, do you work in an environment where clearances and classifications are used? If so, that is a direct indication of MAC. If you work for a private-sector company, the answer is probably DAC. If you work for a government agency, or even a government contractor, the answer is probably MAC.
You might discover that few, if any, environments are completely RBAC based. When RBAC is used at all, it is for those areas of the organization that have a high rate and frequency of staff changes.
If you think you’ve figured it out, take the time to verify your conclusion. Then discuss with the NA or SA why that specific scheme is used. You might learn some unique perspectives on your organization or discover how the company’s decision-making process works.
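To make the three schemes concrete, here is an added example (not from the study guide) that implements a minimal decision check for each: DAC, where the resource owner sets the access list; MAC, where a central policy compares the subject's clearance to the object's classification; and RBAC, where permissions attach to roles. All users, labels, roles, and resources are constructed for illustration.

```python
"""Added example (not from the study guide): minimal DAC, MAC, and RBAC
decision checks over constructed sample data. Every user, label, role and
resource name below is invented for illustration."""
from dataclasses import dataclass, field

# --- DAC: the resource's owner decides who gets access (per-object ACL) ---
@dataclass
class DacResource:
    owner: str
    acl: dict = field(default_factory=dict)   # user -> set of permissions

    def grant(self, actor: str, user: str, perm: str) -> None:
        # Only the owner may change the ACL; that discretion is what makes it DAC.
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner of this resource")
        self.acl.setdefault(user, set()).add(perm)

    def allows(self, user: str, perm: str) -> bool:
        return user == self.owner or perm in self.acl.get(user, set())

# --- MAC: a central policy compares the subject's clearance with the ---
# --- object's classification; the owner cannot override the decision. ---
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

def mac_read_allowed(clearance: str, classification: str) -> bool:
    # A subject may read an object only if its clearance is at least
    # the object's classification (no "read up").
    return LEVELS[clearance] >= LEVELS[classification]

# --- RBAC: permissions attach to roles and users are assigned roles, so a ---
# --- staff change is handled by re-assigning roles rather than editing ACLs. ---
ROLE_PERMS = {
    "helpdesk": {"reset_password", "view_ticket"},
    "payroll": {"view_salary", "edit_salary"},
}

def rbac_allowed(user_roles: set, perm: str) -> bool:
    return any(perm in ROLE_PERMS.get(role, set()) for role in user_roles)

def demo() -> dict:
    """Return the access decisions for a few constructed cases."""
    report = DacResource(owner="alice")
    report.grant("alice", "bob", "read")          # alice, the owner, grants bob read
    return {
        "dac_bob_read": report.allows("bob", "read"),
        "dac_bob_write": report.allows("bob", "write"),
        "mac_secret_reads_confidential": mac_read_allowed("secret", "confidential"),
        "mac_confidential_reads_secret": mac_read_allowed("confidential", "secret"),
        "rbac_helpdesk_reset": rbac_allowed({"helpdesk"}, "reset_password"),
        "rbac_helpdesk_salary": rbac_allowed({"helpdesk"}, "view_salary"),
    }
```

Note that in the DAC case a non-owner calling `grant` raises `PermissionError`, while in the MAC case no user, owner or otherwise, can change the labels the policy compares.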
Accountability Concerns
Accountability is the process of holding individuals responsible for their actions. In the IT world, we want to hold employees accountable for the actions of their user accounts. In order to do this, the entire accountability process must be supportable in a court of law. The ultimate test of how well your security works is whether you are able to criminally prosecute someone on the strength of your organization’s accountability infrastructure. That infrastructure must be explainable and provable to a jury so that no reasonable doubt remains about its reliability. If a defense attorney can reveal a weakness in your accountability infrastructure, then evidence of a user account performing illegal actions may not be sufficient to prove that a specific human was controlling that user account at that time.
There are five steps of accountability:
1. Identification
2. Authentication
3. Authorization
4. Auditing
5. Accountability
Among the items in this list, authorization stands out because it appears repeatedly throughout this appendix: so many mechanisms and methodologies exist that govern the processes of granting and restricting access to resources.
Auditing
An excellent security principle for you to follow to protect your assets is to lock everything down and then watch it as if it were not locked down. If you secure every asset to the best of your abilities, using your available technologies and your available budget, and then watch for the inevitable breach or attempt to breach, you make your deployed security even better. Locking down an asset and then