501 ch 9 implementing controls to protect assets

Proprietary & Confidential
@GoCyberSec | January, 2020
Chapter 9
Implementing Controls to
Protect Assets
CompTIA Security +

Introduction
• Implementing defense in depth
• Comparing physical security controls
• Adding redundancy and fault tolerance
• Protecting data with backups
• Comparing business continuity elements

Implementing Defense in Depth
• Layered security
• Control diversity
• Vendor diversity

Physical Security Controls
• Perimeter
• Building
• Secure work areas
• Server and network rooms
• Hardware (such as cable locks)
• Airgap

Threat Assessment
• Signs
• Door access systems
– Cipher locks
– Proximity cards
– Biometrics

• Tailgating and mantraps
• Security guards

• Cameras and video surveillance (CCTV)
• Fencing, lighting, and alarms
• Barricades
• Bollards

• Hardware locks
• Doors
• Cable locks
• Locked cabinets
• Safes

Asset Management
• Tracking valuable asset throughout their life cycle
–Reduce Vulnerabilities
• Architecture and Design weaknesses
• System sprawl and Undocumented assets

Environmental Controls
HVAC systems
• Higher-tonnage HVAC systems provide more cooling capacity
–Keeps server rooms at lower operating temperatures
–Results in fewer failures and longer MTBF times
• Temperature control systems
–Help ensure a relatively constant temperature
• Humidity controls
–Reduce the potential for ESD damage
–Reduce damage from condensation

• Hot and cold aisles
–Regulate the cooling

• HVAC systems
–Should be integrated with the fire alarm systems
–Have dampers or the ability to be turned off in the event of a fire
• Extinguish fire
–Remove the heat
–Remove the oxygen
–Remove the fuel
–Disrupt chain reaction

Shielding
• Shielded cables
–Protects against EMI and RFI
–Prevent someone from capturing network traffic
• EMI shielding
–Prevents outside interference sources from corrupting data
–Prevents data from emanating outside the cable
• Protected distribution of cabling
• Faraday cage

Redundancy and Fault Tolerance
• Single point of failure
–Any component whose failure results in the failure of an entire
system
• Remove single points of failure with
–RAID (disk)
–Failover clustering (server)
–UPS and generators (power)
• Single points of failure are often overlooked until a disaster occurs

Disk Redundancies
• Inexpensive
• Adds fault tolerance and increases availability
• Hardware RAID more efficient than software RAID

Disk Redundancies
• RAID-0 (striping) no redundancy
–Two or more disks
• RAID-1 (Mirroring) uses two disks as a mirror
–Two disks
• RAID-5 can survive failure of one disk
–Three or more disks
• RAID-6 can survive failure of two disks
–Four or more disks
• RAID-10 combines RAID-1 and RAID-0
–Even number of disks

Server Redundancy
• Failover clusters for high availability
• Remove a server as a single point of failure

Server Redundancy
• Load balancing for high availability
• Round-robin
• Affinity

Disk Redundancies
• UPS
–Provides short-term fault tolerance for power
–Can protect against power fluctuations
• Generators provide long-term fault tolerance for power

Protecting Data with Backups
• Full backups
–Fastest recovery time
• Differential backup
–Backs up all the data that has changed since the last full or is
different since the last full backup
• Incremental backup
–Backs up all the data that has changed since the previous
backup

• Snapshot backup
• Testing backups
• Test restores
– Best way to test the integrity of backup data
– Full test restore
• Verifies a backup can be recovered in its entirety
• Partial test restore
– Verifies that individual files can be restored

• Protecting backups
–Label clearly to identify the data
–Use physical security prevent unauthorized access
–Protect it during location transfers
• Copy should be stored in separate location
• Destroy when no longer needed
–Degauss the media, shred or burn the media, or scrub with
software to overwrite data

• Geographic considerations
–Off-site backups
–Distance
–Location selection
–Legal implications
–Data sovereignty

Backup Policies and Plans
• Data to backup
• Off-site backups
• Label media
• Testing
• Retention requirements
• Frequency of backups
• Protect backups
• Disposing of media

Business Continuity Elements
• Protect against disasters and outages
–Fires
–Attacks
–Power outages
–Data loss from any cause
–Hardware and software failures
–Natural disasters, such as hurricanes, floods, tornadoes, and
earthquakes

Business Continuity Elements
• Business impact analysis (BIA) identifies:
–Systems and components that are essential to the
organization’s success (must continue to operate)
–Maximum downtime limits for these systems and components
–Scenarios that can impact these systems and components
–Potential losses from an incident
–Assets to include in recovery plans

Business Impact Analysis
• Impact
• Privacy impact
• Privacy threshold assessment
–Identifies PII
–Typically uses a simple questionnaire
• Privacy impact assessment
–Do if system holds/processes PII
–Identifies risks related to PII, such as data loss

Business Impact Analysis
• Recovery Time Objective (RTO)
–Identifies maximum amount of time it should take to restore a
system after an outage
–Derived from maximum allowable outage time identified in the
BIA
• Recovery Point Objective (RPO)
–Refers to the amount of data an organization can afford to lose

Risk Metrics
• Mean time between failures (MTBF)
–Provides a measure of a system’s reliability
–Usually represented in hours
–MTBF indicates the device can be repaired
• Mean time to recover or mean time to repair (MTTR)
–The time it takes to restore a failed system
–Often specified in contracts as a target

Continuity of Operations Sites
• Provides an alternate location for operations after a critical outage
• Most common sites are hot, cold, and warm sites
• Hot site
–Includes personnel, equipment, software, and communications
capabilities of the primary site
–All the data is up to date
–Can take over for a failed site within an hour
–Most effective disaster recovery
solution for an alternate site
–Most expensive to maintain

• Cold site
–Has power and connectivity needed for COOP activation, but
little else
–Least expensive and hardest to test
• Warm site
–Compromise between a hot site and a cold site
• Mobile site
–Do not have dedicated locations
–Can provide temporary support during a disaster.

• Mirrored site
–Identical to the primary location
–Provide 100 percent availability
• Order of restoration
–Return least critical functions first

Disaster Recovery Plan (DRP)
• Part of BCP
• Includes a hierarchical list of critical systems
• Prioritizes services to restore after an outage
• Testing validates a DRP
• Recovered systems tested before returning to operation
–Can include a comparison to baselines

BCP and DRP Testing
• Validate BCPs and DRPs through testing
• Tabletop exercises
–Discussion-based only
–Typically performed in a classroom or conference setting
• Functional exercises
–Hands-on exercises
–Test backups, server restoration, and server redundancy

Chapter 9 Summary
• Implementing defense in depth
• Comparing physical security controls
• Adding redundancy and fault tolerance
• Protecting data with backups
• Comparing business continuity elements

501 ch 9 implementing controls to protect assets

More Related Content

What's hot (20)

Similar to 501 ch 9 implementing controls to protect assets (20)

More from gocybersec (13)

Recently uploaded (20)

501 ch 9 implementing controls to protect assets

Editor's Notes