This section covers some of the foundational items for security operations. Many of these concepts apply to several other sections on the exam. You should have a very firm grasp of these topics so that you can navigate them effectively throughout the other sections.
- Need-to-know and least privilege. Access should be granted based on a need to know. For example, a system administrator who is asked to disable a user account doesn't need to know that the user was terminated, and a systems architect who is asked to evaluate an IT inventory list doesn't need to know that his company is considering acquiring another company. Need-to-know limits what information a person may see; the principle of least privilege limits what a person may do, by giving users only the privileges they need to perform their job tasks, with each entitlement granted only after that specific privilege has been shown to be necessary. It is good practice and almost always the recommended practice. Two other concepts are important here:
- Aggregation. Combining multiple permissions into a single unit, such as a role, is common in role-based access control (RBAC): the role aggregates the entitlements its members need. The flip side is that a user who collects several roles over time can end up holding far more access than any one job requires, so aggregated access needs periodic review against need-to-know and least privilege.
- Transitive trust. In Microsoft Active Directory, the trust between a parent domain and each of its child domains is created automatically and is transitive, so all the child domains in the forest also trust each other. Transitivity makes trusts simpler to manage, but it needs care. Consider the idea outside of Active Directory: if Chris trusts Terry and Terry trusts Pat, should Chris automatically trust Pat? Probably not. In high-security environments, it isn't uncommon to see non-transitive trusts (for example, an external trust to a single domain) used, depending on the configuration and requirements.
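To make the transitive versus non-transitive distinction concrete, here is a small trust-path evaluator. It is an added example, not part of the original text and not Microsoft's trust logic: trust links are modelled as a directed graph, transitive links may be chained, and a non-transitive link is honoured only between the two domains it names. The domain names and the trust layout are constructed for illustration.

```python
"""Evaluate which domains trust which, honouring transitive and non-transitive links.

Added example (not from the original text). A trust link is a tuple
(trusting domain, trusted domain, transitive?). Domain names are made up.
"""
from collections import deque

# Constructed forest: parent corp.example with two children (automatic, two-way,
# transitive parent/child trusts) plus a one-way, non-transitive external trust
# from the parent to a partner domain.
TRUSTS = [
    ("corp.example", "sales.corp.example", True),
    ("sales.corp.example", "corp.example", True),
    ("corp.example", "eng.corp.example", True),
    ("eng.corp.example", "corp.example", True),
    ("corp.example", "partner.example", False),   # external: non-transitive
]

# What the same layout would look like if the external trust were transitive.
ALL_TRANSITIVE = [(a, b, True) for a, b, _ in TRUSTS]


def trusted_domains(trusting, trust_links):
    """Return the set of domains that `trusting` accepts authentication from.

    Transitive links are followed breadth-first, so a chain of transitive trusts
    is honoured. A non-transitive link counts only when `trusting` is its direct
    endpoint; it is never used as an intermediate hop.
    """
    adjacency = {}
    for a, b, transitive in trust_links:
        if transitive:
            adjacency.setdefault(a, []).append(b)

    reachable = set()
    queue = deque([trusting])
    while queue:
        current = queue.popleft()
        for nxt in adjacency.get(current, []):
            if nxt != trusting and nxt not in reachable:
                reachable.add(nxt)
                queue.append(nxt)

    # Non-transitive links: direct relationships only.
    for a, b, transitive in trust_links:
        if a == trusting and not transitive:
            reachable.add(b)
    return reachable


def trusts(trusting, trusted, trust_links):
    """True if `trusting` trusts `trusted` directly or through transitive links."""
    return trusting == trusted or trusted in trusted_domains(trusting, trust_links)


if __name__ == "__main__":
    for domain in ("corp.example", "eng.corp.example", "partner.example"):
        print(f"{domain} trusts: {sorted(trusted_domains(domain, TRUSTS))}")
    print("eng trusts partner (external non-transitive):",
          trusts("eng.corp.example", "partner.example", TRUSTS))
    print("eng trusts partner (if made transitive):    ",
          trusts("eng.corp.example", "partner.example", ALL_TRANSITIVE))
```

With the constructed layout, `sales.corp.example` trusts `eng.corp.example` through the parent even though no link names them both, while `eng.corp.example` does not trust `partner.example`, because the external trust stops at `corp.example`. Flipping that one link to transitive extends the partner's reach to every domain in the forest, which is exactly why external trusts are kept non-transitive.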
- Separation of duties and responsibilities. Separation of duties refers to the process of dividing certain tasks and operations so that a single person doesn't control all of them. For example, you might dictate that one person is the security administrator and another is the email administrator, each with administrative access only to their own area; or you might have one administrator responsible for authentication and another responsible for authorization. The goal is to make it harder to cause harm to the organization (through destructive actions or data loss, for example): with separation of duties in place, two or more people usually have to work together (collude) to do damage. Separation of duties is not always practical, though. In a small company, one person might do all the IT work, or one person all the accounting work. In such cases, you can rely on compensating controls or external auditing to minimize the risk.
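The aggregation and separation-of-duties items above combine naturally into one check: expand each user's roles (including roles nested inside other roles) to the full set of permissions they actually hold, then look for pairs of permissions that should never sit with one person. The following is an added example, not from the original text and not any product's implementation; the role model, the users and the conflict pairs are all constructed, and the "authentication admin plus authorization admin" pair is the one the text describes.

```python
"""Expand aggregated roles to effective permissions and flag SoD conflicts.

Added example (not from the original text). Roles, users, permission names and
the conflict pairs are constructed for illustration.
"""

# Constructed role model: each role grants permissions directly and may include
# other roles (aggregation). Nested includes are expanded recursively.
ROLES = {
    "helpdesk":       {"perms": {"user.reset_password"},          "includes": set()},
    "authn_admin":    {"perms": {"idp.configure", "mfa.manage"},  "includes": {"helpdesk"}},
    "authz_admin":    {"perms": {"role.assign", "policy.edit"},   "includes": set()},
    "email_admin":    {"perms": {"mail.manage"},                  "includes": set()},
    "security_admin": {"perms": {"audit.read", "siem.manage"},    "includes": {"authn_admin"}},
}

# Constructed pairs of permissions one person should never hold together.
SOD_CONFLICTS = [
    ("idp.configure", "role.assign"),          # authentication admin + authorization admin
    ("user.reset_password", "siem.manage"),    # can take over accounts and edit the logs
]

# Constructed user-to-role assignments.
USER_ROLES = {
    "alice": {"security_admin"},
    "bob":   {"authn_admin", "authz_admin"},
    "carol": {"email_admin"},
    "dave":  {"helpdesk"},
}


def effective_permissions(assigned_roles, roles):
    """Return every permission reachable through the assigned roles.

    Walks nested includes iteratively and remembers visited roles, so a cycle
    in the role graph cannot cause an infinite loop.
    """
    perms = set()
    seen = set()
    stack = list(assigned_roles)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        definition = roles[role]
        perms |= definition["perms"]
        stack.extend(definition["includes"])
    return perms


def sod_violations(user_roles, roles, conflicts):
    """Return {user: [(perm_a, perm_b), ...]} for every user holding a conflicting pair."""
    findings = {}
    for user, assigned in user_roles.items():
        held = effective_permissions(assigned, roles)
        hits = [pair for pair in conflicts if pair[0] in held and pair[1] in held]
        if hits:
            findings[user] = hits
    return findings


if __name__ == "__main__":
    for user, hits in sod_violations(USER_ROLES, ROLES, SOD_CONFLICTS).items():
        print(f"{user}: effective permissions {sorted(effective_permissions(USER_ROLES[user], ROLES))}")
        print(f"       conflicting pairs {hits}")
```

Note that `alice` holds a single, reasonable-sounding role and still trips a conflict: `security_admin` includes `authn_admin`, which includes `helpdesk`, so the aggregated role quietly carries both password resets and control of the log platform. Checks that look only at direct role assignments miss exactly this case.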
- Privileged account management. A special privilege is a right not commonly given to users. For example, certain IT staff might be able to change other users' passwords or restore a system backup, and only certain accounting staff can sign company checks. Actions taken using special privileges should be closely monitored. For example, each password reset should be recorded in a security log along with the pertinent details of the task: date and time, source computer, the account whose password was changed, the account that performed the change, and the outcome (success or failure). Write that log to a system the privileged user cannot alter, or the record proves little. For high-security environments, you should consider a monitoring solution that offers screen captures or session recording in addition to the text log.
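The fields listed above are only useful if something reads them. Here is an added example, not from the original text, of a small review over password-reset audit records: it parses the fields the text calls for and flags resets that deserve a second look. The key=value log format, the account names, the list of privileged accounts, the list of authorized resetters and the business-hours window are all constructed assumptions; a real source (a Windows security log or an identity provider's audit trail) carries the same fields under its own names.

```python
"""Review password-reset audit records and flag the ones worth a closer look.

Added example (not from the original text). The log format, account names,
allow lists and business-hours window are constructed for illustration.
"""
import re
from datetime import datetime

# Constructed sample log: one record per line with the fields the text requires
# (timestamp, source computer, target account, acting account, outcome).
SAMPLE_LOG = """\
ts=2024-03-04T09:12:31Z src=HD-WS01 target=jsmith actor=helpdesk1 action=password_reset status=success
ts=2024-03-04T09:15:02Z src=HD-WS01 target=rlee actor=helpdesk1 action=password_reset status=failure
ts=2024-03-04T22:47:55Z src=DEV-LAPTOP7 target=svc_backup actor=dpatel action=password_reset status=success
ts=2024-03-05T03:02:10Z src=HD-WS02 target=adm_cfo actor=helpdesk2 action=password_reset status=success
ts=2024-03-05T10:30:00Z src=HD-WS02 target=mchen actor=helpdesk2 action=password_reset status=success
"""

PRIVILEGED_ACCOUNTS = {"adm_cfo", "svc_backup"}     # assumption: accounts needing extra scrutiny
AUTHORIZED_RESETTERS = {"helpdesk1", "helpdesk2"}   # assumption: who may perform resets
BUSINESS_HOURS = range(7, 20)                       # assumption: 07:00 to 19:59 UTC

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value record into a dict, with the timestamp parsed."""
    record = dict(FIELD_RE.findall(line))
    record["ts"] = datetime.strptime(record["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return record


def review_resets(log_text):
    """Return a list of (record, [reasons]) for every reset that warrants review.

    A reset is flagged when the actor is not an authorized resetter, the target
    is a privileged account, the reset happened outside business hours, or the
    attempt failed (repeated failures against one account are a classic sign of
    someone probing the process).
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        if record.get("action") != "password_reset":
            continue
        reasons = []
        if record["actor"] not in AUTHORIZED_RESETTERS:
            reasons.append("actor not an authorized resetter")
        if record["target"] in PRIVILEGED_ACCOUNTS:
            reasons.append("target is a privileged account")
        if record["ts"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if record["status"] != "success":
            reasons.append("reset failed")
        if reasons:
            findings.append((record, reasons))
    return findings


if __name__ == "__main__":
    for record, reasons in review_resets(SAMPLE_LOG):
        print(f"{record['ts']:%Y-%m-%d %H:%M} {record['actor']} -> {record['target']} "
              f"from {record['src']} ({record['status']}): {', '.join(reasons)}")
```

On the constructed sample, the reset of `svc_backup` collects three reasons at once (unlisted actor, privileged target, late at night), which is the kind of record that should page someone rather than wait for a weekly report. The two `helpdesk` resets of ordinary accounts during the day produce no finding, which is the point of having the full set of fields: the same action is routine or alarming depending on who, what, where and when.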
- Job rotation. Job rotation is the practice of moving people between jobs or duties. For example, an accountant might move from payroll to accounts payable and then to accounts receivable. The goal is to limit how long any one person holds a particular job (or set of responsibilities), which reduces the chance that errors or malicious actions go undetected, because whoever takes over the duties has the opportunity to notice them. Job rotation can also be used to cross-train team members and so minimize the impact of an unexpected leave of absence.
- Information lifecycle. Information lifecycle is made up of the following phases:
- Collect data. Data is gathered from sources such as log files and inbound email, and when users produce data such as a new spreadsheet.
- Use data. Users read, edit and share data.
- Retain data (optional). Data is archived for the time required by the company's data retention policies. For example, some companies retain all email for 7 years by archiving it to long-term storage until the retention period has elapsed.
- Legal hold (occasional). A legal hold requires you to maintain one or more copies of specified data in an unalterable form during a legal scenario (such as a lawsuit), an audit or a government investigation. A legal hold is often narrow; for example, you might have to put a legal hold on all email to or from the accounts payable department. In most cases, a legal hold is invisible to users and administrators who are not involved in placing it.
- Delete data. The default delete action in most operating systems is not secure: the data is marked as deleted, but it still resides on the disk and can be recovered with off-the-shelf software. To have an effective information lifecycle, you must use secure deletion techniques such as disk wiping (overwriting the data, possibly multiple times), degaussing and physical destruction (shredding a disk). Match the technique to the media: overwriting and degaussing are reliable for magnetic disks, but on SSDs wear levelling can leave old copies of the data in place and degaussing has no effect on flash, so use the drive's built-in sanitize command, cryptographic erasure (destroying the key of an encrypted volume) or physical destruction.
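The following added example (not from the original text) shows the "disk wiping" step applied to a single file: the contents are overwritten in place with random data for a configurable number of passes, each pass is forced to the device with fsync, and only then is the file truncated and unlinked. The demo file, its contents and the pass count are constructed. The caveat from the lifecycle discussion applies in full: this is only meaningful on media and filesystems that actually write in place.

```python
"""Overwrite a file in place before unlinking it, then demonstrate on a temp file.

Added example (not from the original text). The sample file contents and the
three-pass setting are constructed for illustration.

Caveat: in-place overwriting only helps where the storage writes in place.
SSD wear levelling, copy-on-write filesystems (Btrfs, ZFS, APFS), snapshots,
journaling and backups can all keep the old blocks, so on such systems rely
on full-disk encryption with key destruction or the drive's own sanitize
command instead of, or in addition to, this.
"""
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # write the random data in 64 KiB pieces


def overwrite_and_delete(path, passes=3):
    """Overwrite `path` `passes` times with random bytes, then unlink it.

    Returns the total number of bytes written. Each pass is flushed and
    fsync'ed so the data reaches the device rather than sitting in the page
    cache when the file is removed.
    """
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(secrets.token_bytes(n))
                written += n
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
    # Truncate so the inode no longer references the data blocks, then unlink.
    with open(path, "r+b") as fh:
        fh.truncate(0)
    os.remove(path)
    return written


def demo():
    """Create a temp file holding a constructed secret, wipe it, report the result.

    Returns (original size, bytes written during wiping, whether the file still exists).
    """
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"SECRET: account number 1234-5678\n" * 1000)  # constructed content
    size = os.path.getsize(path)
    written = overwrite_and_delete(path, passes=3)
    return size, written, os.path.exists(path)


if __name__ == "__main__":
    size, written, exists = demo()
    print(f"file was {size} bytes; wrote {written} bytes over 3 passes; still exists: {exists}")
```

The function returns the byte count precisely so a caller can confirm that every pass covered the whole file; a wipe that silently stopped short is worse than none, because it looks done. For a whole disk, the same idea is what `dd` or a vendor sanitize tool does, but on an SSD only the sanitize command or cryptographic erasure can make the promise hold.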
- Service-level agreements (SLAs). An SLA is an agreement between a provider (which could be an internal department) and the business that defines the level of service that is acceptable. For example, the email team might have an SLA that dictates 99.9% uptime each month (roughly 43 minutes of downtime in a 30-day month) or that spam will make up 5% or less of the email in user mailboxes. SLAs help teams design appropriate solutions: if an SLA requires 99.9% uptime, a team might focus on high availability and site resiliency. Sometimes, especially with service providers, failing to meet an SLA carries financial penalties. For example, an internet service provider (ISP) might have to reduce its monthly connection charges if it does not meet its SLA.