Exam Objectives Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the Exam Objectives presented in this chapter, and to assist you with real-life implementation of these concepts.

Q.  My company is considering purchasing a software product that claims to be able to give us a security policy in relatively short order. If we purchase this product, what quality can we expect from the resulting security policy and will it be worth the cost of the product?

A.  Most software products on the market today that help create security policies are based on templates. Because of this, the resulting security policy may end up missing vital components that are important to your organization. However, this does not mean that the product is not worth the cost. Consider the amount of time it would take your company to get to the point where you have a basic security policy based on a high quality template. The cost of those resources may far outweigh the cost of the product. And since security policies are different for each organization anyway, you can use the resulting policy as a baseline for further edits and growth.

Q.  I work as a security analyst for a large company and would like to start doing my own technical security assessments throughout the year to measure changes in the system and also locate areas of concern. I know I need to have a third party come in for "official" assessments, but is it still prudent for me to conduct my own assessments as well?

A.  Conducting your own assessments throughout the year helps a security team maintain visibility into the security problems that plague the organization. It is not ethically wrong to assess your own work, unless those assessments are the basis for SLAs or QoS statements. To be ethical, all "official" statements about the security of your organization should be based on the assessments performed by impartial third parties.

Q.  I currently work for a company that does some custom development of applications used in the normal operations of our business. Our developers have had root access to the operational servers for years now and I am afraid that it is an embedded process that will be difficult to break. Should I risk an internal "civil war" so that I can remove the developer root accounts, or is it safe to assume that, because the process has been going on for so long, it is not a problem?

A.  This is actually a common question and it crops up most often in relation to large hosting providers or Internet service providers that write applications to support customers. Once developers have root access to operational servers, it is difficult to get back. Perhaps a staged approach would better fit your organization. A notification and approval process could be put into place to ensure that everyone knows when a developer has logged into an operational system, as root, to make changes. Consider making this part of your change control management program. Once the organization has become comfortable with this process, you might be able to move closer to your goals of completely removing the root accounts themselves.

Q.  This book is not the first place that I have seen data classification labels mentioned and I can plainly see the importance it has in some industries. But I am having a difficult time realizing the value it can have in my own organization. We do not deal in information that is highly classified or could reasonably be considered "highly sensitive." Should I still consider implementing a program like this and will it impact our security if we avoid this process altogether?

A.  Data classification labels are difficult to grasp for commercial firms. They seem to make so much sense in the military or federal government arena. The thing you really need to consider here is what information within the organization is important to the completion of the company's mission and what impact the unauthorized release of that information would have on the company. Also keep in mind that you do not need to think in terms of Top Secret, Secret, and so on. Consider using labels that make more sense to your organization. Data classification labels are about controlling information dissemination and identifying the information on the system that is most critical to protect from unauthorized disclosure.

Q.  My company currently has virus protection software installed and it automatically updates every workstation and server. I know it protects against e-mail viruses and viruses attached to files, but do these types of software also protect against Trojans or logic bombs?

A.  Antivirus software can protect against most viruses and Trojans, assuming the signatures are up-to-date. Unfortunately, logic bombs are another story. Because of the nature of logic bombs, they are not normally detectable by automated software. Each system operates differently and any logic bombs written for that system will be specific to that system.

Q.  I understand the importance of auditing as it relates to accountability, but our servers generate a huge number of log entries. If we really went through all the logs every day, we would never have time to do any other security work at my company. Is there a better way to do this?

A.  Audit logs can be quite large. There are some companies that have released software that will monitor the logs on the servers so that you do not have to do it yourself. Most call themselves host intrusion detection products and will also monitor the computer ports and services. Most of your work will be on the front end of installing these products. You will have to set up "triggers" within the product that will alert you when it notices something fishy in the logs. And the products are typically very configurable, allowing you to enter your own strings to watch for. It may take a lot of time and effort to build a process that will trim down the amount of data being received into a manageable amount, but it will be worth the trouble once you have finished the job. There are also some software products on the market that will take all of the logs from various sources (firewall, VPN, syslog, eventlog, SNMP, and many others) and perform some analyses to better enable the systems or operations personnel to find relevant information.
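The developer root-login notification suggested in the change control answer above and the log "triggers" described in the last answer rely on the same mechanism: scan the audit logs for a small set of configurable patterns, raise an alert on each hit, and drop everything else. The Python script below is an added example, not code from the book; the syslog lines, the host name web01, the accounts dev_alice, dev_bob and svc_backup, and the approved change window are all constructed.

```python
import re

# Constructed sample syslog lines, not taken from the book. "dev_alice" and
# "dev_bob" are hypothetical developer accounts on a hypothetical host "web01".
SAMPLE_LOG = """\
Mar 11 02:14:07 web01 sshd[2201]: Accepted publickey for dev_alice from 10.0.5.12 port 51022 ssh2
Mar 11 02:14:09 web01 sudo: dev_alice : TTY=pts/1 ; PWD=/home/dev_alice ; USER=root ; COMMAND=/bin/bash
Mar 11 02:30:41 web01 sshd[2290]: Accepted password for svc_backup from 10.0.5.40 port 51100 ssh2
Mar 11 03:02:13 web01 sshd[2311]: Failed password for root from 203.0.113.9 port 4410 ssh2
Mar 11 03:02:15 web01 sshd[2311]: Failed password for root from 203.0.113.9 port 4412 ssh2
Mar 11 09:15:22 web01 sudo: dev_bob : TTY=pts/2 ; PWD=/srv/app ; USER=root ; COMMAND=/usr/bin/vi /etc/app.conf
"""

DEVELOPERS = {"dev_alice", "dev_bob"}
# Approved change windows (constructed): (developer, start_hour, end_hour), local time.
APPROVED_CHANGES = [("dev_bob", 9, 11)]

# Configurable "trigger" patterns; a line that matches no trigger is discarded.
TRIGGERS = {
    "failed_root_login": re.compile(r"Failed password for root from (\S+)"),
    "root_escalation": re.compile(r"sudo: (\S+) : .*USER=root ; COMMAND=(.+)$"),
}
TIMESTAMP = re.compile(r"^\w{3}\s+\d+ (\d{2}):\d{2}:\d{2}")


def is_approved(user, hour, approved):
    """True if the user has an approved change window covering this hour."""
    return any(u == user and start <= hour < end for u, start, end in approved)


def scan(log_text, developers=DEVELOPERS, approved=APPROVED_CHANGES):
    """Return (severity, trigger, detail) for every line that hits a trigger."""
    alerts = []
    for line in log_text.splitlines():
        ts = TIMESTAMP.match(line)
        hour = int(ts.group(1)) if ts else -1  # unparsable time never fits a window
        for name, pattern in TRIGGERS.items():
            m = pattern.search(line)
            if not m:
                continue
            if name == "root_escalation":
                user, command = m.groups()
                if user not in developers:
                    continue  # root use by non-developer accounts is out of scope here
                # Notify on every developer root session; escalate if no change ticket covers it.
                severity = "info" if is_approved(user, hour, approved) else "high"
                alerts.append((severity, name, f"{user} as root: {command}"))
            else:
                alerts.append(("medium", name, f"source {m.group(1)}"))
    return alerts
```

Calling scan(SAMPLE_LOG) on the six constructed lines returns four alerts: dev_alice's 02:14 root shell outside any approved window is rated high, the two failed root logins are rated medium, and dev_bob's 09:15 edit inside the 09:00-11:00 window is logged as info; the two remaining lines never reach an analyst.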



SSCP Systems Security Certified Practitioner Study Guide
SSCP Study Guide and DVD Training System
ISBN: 1931836809
Year: 2003
Pages: 135
