CertiGuide to Security+  9  Chapter 5:  Operational/Organizational Security (Domain 5.0; 15%)

Getting Ready for Chapter 5 - Questions 1 5.0  Operational/Organizational Security

1. Separation of duties is valuable in deterring fraud .

Explanation: Separation of duties is considered valuable in deterring fraud since fraud can occur if an opportunity exists, due to combinations of various jobs related capabilities being performed by one person. Separation of duty requires that for particular sets of transactions, no single individual be allowed to execute all transactions within the set. The most commonly used examples are the separate transactions needed to initiate a payment and to authorize a payment. No single individual should be capable of executing both transactions. In order for fraud to occur, multiple people would have to collaborate in pulling it off -- difficult, because while one person can generally keep a secret, with two people, secrets typically don't stay secret for long.

2. Enforcing minimum privileges for general system users can be easily achieved through the use of RBAC .

Explanation: Ensuring least privilege requires identifying what the user's job is, determining the minimum set of privileges required to perform that job, and restricting the user to a domain with those privileges and nothing more. By denying to subjects transactions that are not necessary for the performance of their duties, those denied privileges couldn't be used to circumvent the organizational security policy. Although the concept of least privilege currently exists within the context of the TCSEC, requirements restrict those privileges of the system administrator. Through the use of RBAC (role based access control), enforced minimum privileges for general system users can be easily achieved.

3. All logs are kept on archive for a period of time. It is retention policies which determine this period of time.

Explanation: All logs collected are used in the active and passive monitoring process. All logs are kept on archive for a period of time, called a retention period. This period of time will be determined by your company policies. This allows the use of logs for regular audits, and annual audits if retention is longer then a year. Logs must be secured to prevent modification, deletion, and destruction.

Administrator preference is often used to determine certain things like how long logs are retained. But since these decisions can affect the ability of the company to go back and research potential security issues, it is a corporate issue that should be governed by a deliberate policy statement.

4. How often should logging be performed? Always

Explanation: Usually logging is done 24 hours per day, 7 days per week, on all available systems and services except during the maintenance window where some of the systems and services may not be available while maintenance is being performed.

If you only perform logging at certain times, then any activities taking place at other times won't be logged, and can't be used for auditing or forensic activities at a later date. This makes your network more vulnerable to undetected intrusions and thus a more attractive target for attackers.

5. Which of the following are potential firewall problems that should be logged?

A. Reboots

B. Proxies restarted

C. Changes to the configuration file.

D. No Answer is Correct

Explanation: The following firewall problems should be logged:

• Reboot of the firewall.
  
  
• Proxies that cannot start (e.g. Within the firewall).
  
  
• Proxies or other important services that have died or restarted.
  
  
• Changes to firewall configuration file.
  
  
• A configuration or system error while firewall is running.

A reboot or proxy restart signals a potential reliability issue, or a cracker restarting the firewall after configuration changes or an attempted attack. Changes to the configuration file may be made under legitimate circumstances (by the network administrator) or might indicate an intrusion by unauthorized individuals. Similarly, system and configuration errors might indicate intrusion attempts, or reliability problems.

Getting Ready for Chapter 5 - Questions 1 5.0  Operational/Organizational Security