CIST 1601 Information Security Fundamentals


1 CIST 1601 Information Security Fundamentals
Chapter 9: Security Administration
Collected and Compiled By JD Willard, MCSE, MCSA, Network+, Microsoft IT Academy Administrator, Computer Information Systems Instructor, Albany Technical College

2 Understanding Security Management
The process of security management includes managing strategic policies, departmental policies, technology issues, and personnel issues. You must understand the best practices of security management and change documentation, and you must ensure that people are informed when changes need to be made. Enforcement of policies, procedures, and standards is essential for effective sustainability of security efforts. The saying “Inspect what you expect” is relevant in this situation.

3 Understanding Security Management
Drafting Best Practices and Documentation
The term best practices refers to a set of recommendations about a practice or process, and to the essential elements of an effective security management effort.
Using Policies and Procedures
Policies and procedures set expectation levels within the organization to help keep things moving forward. Your organization should minimally have policies and procedures that define information and storage, information destruction, security, use of company resources, backups, configuration management, logs and inventories, system architecture, change documentation, and user management.

4 Understanding Security Management
Information Classification and Notification Policies
Information classification policies define how information is classified. Information classification involves determining whether information is for internal use only, for public distribution, or anywhere in between. An organization’s information classification policy will define requirements for the classification and security of data and hardware resources based on their relative level of sensitivity. Notification policies specify who should be contacted when information classifications need to be verified, when information is updated, and when changes are performed.

5 Understanding Security Management
Information Retention and Storage Policies
Information retention and storage policies define how information is stored and for how long it should be retained or stored. They dictate what information must be archived and how long those archives must be kept. The organization should change and adjust a data-retention policy when and as needed (with emphasis on when and as needed). The organization should have a legal hold policy in place, have an understanding of statutory and regulatory document retention requirements, understand the varying statutes of limitations, and have a records-retention and destruction schedule.
If an organization is sued by a former employee for wrongful termination, the department may be compelled during the discovery phase of the suit to produce all documents related to that individual’s work performance. This used to mean the records and copies of any written correspondence (memos, letters, and so on) concerning the performance of that employee. All data is subject to discovery regardless of storage format or location.

6 Understanding Security Management
Information Destruction Policies
Information destruction policies specify the manner in which data should be destroyed when it is no longer needed. Log files, physical records, security evaluations, and other operational documentation should be managed within an organization’s retention and destruction policies. These should include specifications for access authorization, term of retention, and requirements for disposal.
Erasing files on a computer does not mean that the information is automatically removed from the disk. You should use a utility to completely wipe the disk clean and destroy all information. A low-level format of a drive will prevent information from being recovered, as it rewrites every single location back to its factory state, whether it contains data or not. A high-level format only deletes the file allocation table but does not destroy data. The only way to guarantee that data and applications on a disk drive are unreadable is to perform a low-level initialization of the storage media. This process is also referred to as disk wiping.
The BIOS chip contains the software that tells the processor how to interact with the rest of the hardware in the computer. The removal and replacement of the computer battery will often cause the loss of values stored in the BIOS. One of the things that falls beneath BIOS control is the complementary metal oxide semiconductor (CMOS). The CMOS chip holds settings such as the date, time, hard drive configuration, memory, and any passwords you assign at the base level.

7 Understanding Security Management
Security Policy
A security policy defines what controls are required to implement and maintain the security of systems, users, and networks. This policy should be used as a guide in system implementations and evaluations.
Use Policy
An acceptable use policy defines how users are allowed to employ company software and hardware. For example, are users allowed to store personal files on company computers? Are employees allowed to play network games on breaks? Are employees allowed to “surf the Web” after hours? An acceptable use policy provides details that specify what users may do with their network access, including instant messaging usage for personal purposes, limitations on access times, the use of cell phones, the use of USB devices, and the storage space available to each user. USB ports should be disabled to prevent users from copying files to thumb/flash drives.

8 Understanding Security Management
Backup Policy
A backup policy of the organization has a two-fold purpose: it should define what information needs to be backed up, and how the identified information is backed up. This policy works in conjunction with the information retention and storage policies.
Configuration Management Policies
The configuration management policy is concerned with how systems are configured and what software can be installed on systems. Configuration management policies specify procedures that define how hardware and software systems are modified, upgraded, and retired.

9 Understanding Security Management
Logs and Inventories
Logging is the process of collecting data to be used for monitoring and auditing purposes. Logging procedures and evaluation are an important part of keeping your network safe. However, before you can configure logging, it is essential to identify what is typical behavior for your network. System logs inform you of what is occurring on a system. Logs can be used to ensure that required tasks are being performed regularly, and can also be used to track the assets of the organization.
When choosing what to log, be sure you choose carefully. Standards should be implemented for the types of events you want to log based on business, technical, and regulatory requirements, and the threats the organization faces. It is equally important to log and audit both failed and successful logon events, because both may reveal unauthorized access or an unexpected escalation of access rights.
Logs take up disk space and use system resources. They also have to be read; if you log too much, it will bog down the system, and it will take a long time to weed through the log files to determine what is important. To improve performance, logs should be stored on a non-system striped or striped/mirrored disk volume or on a standalone computer. If allowable, encrypt the log files.
Inventories can be used to verify the existence and availability of physical assets and software assets. You should perform regular inventories of classified information.
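The slide's point that both failed and successful logons must be logged is easiest to see in code. The following is an added example, not part of the original presentation: it parses a constructed, syslog-style logon audit (the line format, host names, user names and addresses are all assumed) and flags a successful logon that follows a run of failures for the same account, a pattern invisible if only failures are recorded.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not from the slides). The record format is assumed:
# "<timestamp> <host> logon <success|failure> user=<name> src=<ip>". The last line is
# deliberately malformed to show that unparseable records are counted, not silently dropped.
SAMPLE_LOG = """\
2024-03-01T08:01:02 fs01 logon success user=alice src=10.0.0.5
2024-03-01T08:02:10 fs01 logon failure user=bob src=10.0.0.9
2024-03-01T08:02:12 fs01 logon failure user=bob src=10.0.0.9
2024-03-01T08:02:15 fs01 logon failure user=bob src=10.0.0.9
2024-03-01T08:02:17 fs01 logon failure user=bob src=10.0.0.9
2024-03-01T08:02:20 fs01 logon success user=bob src=10.0.0.9
2024-03-01T08:05:00 fs01 logon failure user=carol src=10.0.0.7
2024-03-01T08:30:00 fs01 logon success user=carol src=10.0.0.7
this line is garbage
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) logon (?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(log_text):
    """Yield one dict per parsable record; malformed records are yielded as None."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        yield m.groupdict() if m else None


def audit_logons(log_text, threshold=3):
    """Count failed logons per account and flag any success that follows `threshold` or
    more consecutive failures for the same account. That second signal exists only because
    successful logons are logged alongside the failures."""
    failed = defaultdict(int)
    streak = defaultdict(int)      # consecutive failures since the account's last success
    flagged = []
    malformed = 0
    for ev in parse_events(log_text):
        if ev is None:
            malformed += 1
            continue
        user = ev["user"]
        if ev["result"] == "failure":
            failed[user] += 1
            streak[user] += 1
        else:
            if streak[user] >= threshold:
                flagged.append({"user": user, "failures_before": streak[user],
                                "ts": ev["ts"], "src": ev["src"]})
            streak[user] = 0
    return {"failed": dict(failed), "flagged": flagged, "malformed": malformed}


if __name__ == "__main__":
    print(audit_logons(SAMPLE_LOG))
```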

10 Understanding Security Management
System Architecture
System architecture refers to the hardware and software infrastructure of your systems. System architecture documents contain information on system architecture and configuration, including operating system configuration, hardware configuration, network configuration, and applications information for each system.
Change Documentation
Change documentation involves keeping records about how your network or organization changes over time. A change management policy specifies details about system changes such as the files being replaced, the configuration being changed, and the machines or operating systems affected.
User Management
Procedures for user management identify authorization, access, and methods used to monitor access of organizational computer systems. User management procedures need to address hiring, termination, and reclassification of employee access. Reporting, notification procedures, and responsibility are also key components of these procedures.

11 Understanding Security Management
Allocating Resources
Resource allocation refers to the staffing, technology, and budget needed to implement an effective security environment.
Defining Responsibility
Managers would derive the most benefit from a high-level explanation of security threats and issues. Users need to know how to follow the policies and why they are important. Developers and network administrators need specific and focused information on how to better secure networks and applications. Members of the security team, as well as other members of the organization, must be clear about reporting paths and authority.

12 Understanding Security Management
Minimizing Mistakes
Accidents happen, incidents occur, and humans make mistakes. Mistakes can be minimized if strong preventive measures are considered as part of the process. Such measures include training, awareness, and careful reviews of processes and policies. IT staff, including network administrators, must be kept up-to-date on industry trends, measures, exploits, and countermeasures to deal with threats.
Enforcing the Policies and Procedures
When an incident or a security violation happens, swift and decisive action must be taken, including additional training, disciplinary action, or other measures. You should make sure everyone involved in information processing is aware of the organization’s policies and procedures.

13 Simplifying Security Administration
Password Policy
Password policies are used for domain accounts or local user accounts. They determine settings for passwords, such as enforcement and lifetimes. Good password policies include making the password length at least eight characters; requiring the use of uppercase and lowercase letters, numbers, and special characters; requiring users to change passwords every 60 to 90 days; and setting the server to not allow users to use the same password over and over again.
Enforce password history
Password history allows you to configure how many new passwords must be created before an old one can be reused. This setting enhances security by allowing administrators to ensure that old passwords are not being reused continually. Passwords that are used repeatedly are sometimes referred to as rotating passwords.
Maximum password age
Password age allows you to configure the minimum or maximum number of days before a user is required to change the user’s password. It is a good security practice to enforce a password age of 60 to 90 days. Some companies force users to change their passwords monthly or quarterly. This interval should be determined based on how critical the information is and on how frequently passwords are used.
Minimum password length
This security setting determines the least number of characters that a password for a user account may contain. You can set a value of between 1 and 14 characters, or you can establish that no password is required by setting the number of characters to 0.

14 Simplifying Security Administration
Password Policy continued
Password must meet complexity requirements
Automated and social-engineering assaults on passwords are easier when a password is short, lacking in complexity, derived from a common word found in the dictionary, or derived from easily guessable personal information such as birthdays, family names, pet names, and similar details. Password complexity is the most important setting to ensure password strength. Password complexity allows you to configure which characters should be required in a password to reduce the possibility of dictionary or brute force attacks. A typical password complexity policy would force the user to incorporate numbers, letters, and special characters. Both uppercase and lowercase letters can be required. A password that uses a good mix, such as Ba1e$23q, is more secure than a password that only implements parts of these requirements, such as My32birthday, NewYears06, and John$59.
Account lockout policy
Account lockout policy allows you to configure the number of invalid logon attempts that can occur before an account is locked. Usually this lockout policy also allows you to configure the number of days that the account remains in this state. In some cases, you may want to configure the account lockout policy so that an administrator must be contacted to enable the account again. Best practice for failed logon attempts is to lock out after three to five bad logon attempts.
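The four password-policy settings from these two slides (history, maximum age, length and complexity, lockout) can be modelled directly. The block below is an added example, not code from the presentation: it encodes the slides' values (at least 8 characters, all four character classes, 90-day maximum age, lockout after 5 failures) and checks the slides' own sample passwords; the history depth, the lockout duration and the use of SHA-256 to fingerprint old passwords are assumptions for the illustration.

```python
import hashlib
import string
from datetime import timedelta

# Values follow the slides: minimum 8 characters; upper, lower, digit and special character
# all required; change every 60-90 days (90 used here); lock out after 3-5 failures (5 used).
# history_size and lockout_days are assumed; the slides give no specific numbers for them.
POLICY = {
    "min_length": 8,
    "max_age_days": 90,
    "history_size": 5,
    "lockout_threshold": 5,
    "lockout_days": 1,
}
SPECIALS = set(string.punctuation)


def complexity_failures(pw, policy=POLICY):
    """Return the list of complexity rules a candidate password breaks (empty = passes)."""
    problems = []
    if len(pw) < policy["min_length"]:
        problems.append("too short")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character")
    return problems


def fingerprint(pw):
    # Illustrative only: the history holds digests so old passwords are never kept in clear.
    # A production system would use a salted, deliberately slow password hash instead.
    return hashlib.sha256(pw.encode()).hexdigest()


def check_new_password(pw, history, policy=POLICY):
    """Complexity check plus 'Enforce password history' over the last history_size digests."""
    problems = complexity_failures(pw, policy)
    if fingerprint(pw) in history[-policy["history_size"]:]:
        problems.append("reused within password history")
    return problems


def password_expired(last_changed, today, policy=POLICY):
    """'Maximum password age': True once the password is older than max_age_days."""
    return (today - last_changed).days > policy["max_age_days"]


class LockoutTracker:
    """'Account lockout policy': count invalid logons per account and lock at the threshold.
    The lock clears after lockout_days or when an administrator resets the account."""

    def __init__(self, policy=POLICY):
        self.policy = policy
        self.failures = {}
        self.locked_until = {}

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        return until is not None and now < until

    def record_failure(self, user, now):
        """Register a bad logon; return True if the account is (now) locked."""
        if self.is_locked(user, now):
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.policy["lockout_threshold"]:
            self.locked_until[user] = now + timedelta(days=self.policy["lockout_days"])
            return True
        return False

    def record_success(self, user):
        self.failures[user] = 0

    def admin_unlock(self, user):
        self.locked_until.pop(user, None)
        self.failures[user] = 0


if __name__ == "__main__":
    for candidate in ("Ba1e$23q", "My32birthday", "NewYears06", "John$59"):
        print(candidate, complexity_failures(candidate) or "OK")
```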

15 Simplifying Security Administration
Common Logical Access Control Methods/Topics
Logical access controls are used in addition to physical security controls to limit access to data. This helps ensure the integrity of information, preserve the confidentiality of data, and maintain the availability of information. Roles, groups, location, time of day, and transaction type can all be used to restrict access to resources. Regardless of the criteria used, access administration can be simplified by grouping objects and subjects.
Roles are based upon a subject’s job within the company. The roles are only granted those rights and privileges needed to complete job assignments.
Groups are created to incorporate users that need the same access permissions into one common entity. When these users need access to a resource, the permission is granted to the entire group. Using groups simplifies access control administration. Users should be placed in groups and managed by membership in those groups.
Locations can be used to restrict user access to resources by limiting the location from which a subject can log on. A Microsoft Windows domain can restrict user access to the domain by limiting the computer from which a user can log on to the domain. This is done by entering the computer name from which the user can access the domain in the user’s account properties.
Transaction type is a commonly used access restriction method in databases. Subjects are given access permissions based on transaction types. For example, a user may be allowed to view employee compensation, but not allowed to edit it.

16 Simplifying Security Administration
Common Logical Access Control Methods/Topics continued
Access control lists (ACLs)
Access control lists (ACLs) hold permissions for users and groups. In Microsoft operating systems, each ACL has one or more access control entries (ACEs). These are descriptors that contain the name of a user, group, or role. The access privileges are stated in a string of bits called an access mask. Generally, the object owner or the system administrator creates the ACL for an object.
Account Expiration
Account expiration is an access control practice used for allowing passwords to expire on all accounts on a regular basis. This includes accounts not used after a certain period of time, such as contractor accounts. It is also used for protecting against brute-force password-guessing attacks. The expiration attribute of the user account specifies when an account expires. This setting may be used under the same conditions as the time-of-day restrictions.
Domain Password Policy
The domain password policy identifies who can reset the password of a user object. (See previous slide)

17 Simplifying Security Administration
Common Logical Access Control Methods/Topics continued
Group Policies
Group policies allow you to automatically implement restrictions on operating system components. When group policy configures these settings, keep in mind that you can have only one domain account policy. The policy is applied at the root of the domain and becomes the policy for any system that is a member of the domain in Windows. Domain password policies affect all users in the domain. The effectiveness of these policies depends on how and where they are applied. If the computer is a workgroup member rather than a domain member, only the local policy is applied. GPOs can be associated with or linked to sites, domains, or organizational units. Because Group Policy is so powerful, various levels of administrative roles can be appointed. These include creating, modifying, and linking policies.
Logical Tokens
Logical tokens are similar in content to certificates. They contain the rights and access privileges of the token bearer.
Password Policy (See previous slide)
Time-of-day restrictions
Time of day can be used to restrict user access to resources by limiting the days and times during which a user is authorized to work. A Microsoft Windows user account can be edited to allow only certain login times. You can assign time-of-day restrictions as a means to ensure that employees are using computers only during specified hours. This setting is useful for organizations where users require supervision, security certification requires it, or employees are mainly temporary or shift workers.
Usernames and passwords
Consistency is crucial when defining policies related to usernames and passwords. The more standardization you can apply, the more secure the system can become.

18 Understanding Security Awareness and Education
A user-oriented security-awareness program should include issues of policy, responsibilities, and the importance of security, such as the security management policy, the use policy, and account and password criteria.
Using Communication and Awareness
Communication and awareness help ensure that information is conveyed to the appropriate people in a timely manner. Most users aren’t aware of current security threats. If you set a process in place to concisely and clearly explain what is happening and what is being done to correct current threats, you’ll probably find acceptance of your efforts to be much higher. Communication methods that have proven to be effective for disseminating information include internal security websites, news servers, and e‑mails.

19 Understanding Security Awareness and Education
Providing Education
The purpose of security education should be an effort that assists users in understanding threats aimed at the organization and its assets, prevention mechanisms, and enforcement. When providing security education, you should customize your programs to specifically address different roles within the organization:
The organization as a whole
Management
Technical staff
All employees should be aware of the security measures and resources that deal with security breaches. Managers would be more concerned with enforcing security policies and procedures, knowing which departments are impacted by which security policies, and the precise mechanisms at hand to deal with loss of productivity issues. Technical staff needs to be well educated on the different security methodologies and the various systems that can be implemented to control and enforce security.

20 Staying on Top of Security
Operating system updates
Make sure all scheduled maintenance, updates, and service packs are installed on all the systems in your environment. Windows Update Services is your friend.
Application updates
Make sure all applications are kept to the most current levels. Older software might contain vulnerabilities that weren’t detected until after the software was released. New software may have recently discovered vulnerabilities as well as yet-to-be-discovered ones. Check for updates regularly and apply them the same as you would for operating systems. Most vendors, as soon as a problem or issue arises, notify their customers of the problem and the proposed solution(s). This is also the fastest means of delivery for any type of information.

21 Staying on Top of Security
Network device updates
Most newer network devices can provide high levels of security, or they can be configured to block certain types of traffic and IP addresses. Make sure logs are reviewed and access control lists (ACLs) are updated. Network devices should have their BIOS updated when the updates become available. Cisco, 3Com, and other network manufacturers regularly offer network updates. These devices are your front line of defense. Keep them up-to-date.
Policies and procedures
Be aware of any changes in your organization and in the industry that make existing policies out-of-date. Periodically review your documentation to verify that your policies are still effective and current.
Personal development
Keep yourself current. Stay abreast of current trends in the industry, new threats, and other issues that might affect your business. Attend seminars and subscribe to relevant periodicals. Professional societies and associations provide knowledge about an industry and its trends. Build a list of people who you can call for advice or assistance when you encounter an unusual problem or situation.

22 Staying on Top of Security
Websites
Currently, the most effective way to prevent an attacker from exploiting software is to keep the manufacturer’s latest patches and service packs applied and to monitor the Web for newly discovered vulnerabilities.
Center for Education and Research in Information Assurance and Security (CERIAS): News and information on technology threats.
CERT Coordination Center: Provides Internet security expertise, information about current threats and best practices in security, and steps to take to recover after your computer has been compromised.
Computer Security Institute: Offers national conferences, membership publications, and information on computer security issues.
European Institute for Computer Anti-Virus Research (EICAR): Concerned with information security issues.
LinuxSecurity: The latest news and articles related to Linux security issues can be found here.

23 Staying on Top of Security
McAfee Corporation: McAfee is a leading provider of antivirus software.
National Institute of Standards and Technology (NIST): Governmental agency involved in the creation and use of standards. NIST has an organization specifically addressed to computer issues: the Computer Security Response Center (CSRC). The CSRC/NIST maintains a database of current vulnerabilities and other useful information.
National Security Institute (NSI): Information on many aspects of physical and information security.
SANS Institute: SANS offers seminars, research, and other information relating to the security field.
Security Focus: General news and information on security topics of all sorts are archived here.
Symantec Corporation: Symantec is a leading provider of antivirus software. Its website lists current threats, provides research abilities, and gives information about information security.

24 Staying on Top of Security
Trade Publications
2600: The Hacker Quarterly: This interesting little magazine provides tips and information on computer security issues.
CertCities: CertCities is an online magazine that covers the broad field of certification.
CIO: A monthly publication that specializes in IT management issues and periodically offers security-related articles that tend to be high level.

25 Staying on Top of Security
Trade Publications continued
CSO Magazine: A monthly magazine that focuses on issues of interest to security executives.
Hakin9: A bimonthly publication aimed at those with an interest in “hard core IT security”.
Information Security Magazine: A monthly publication that focuses on computer security issues.
InformationWeek: Addresses management and other IT issues.
InfoWorld: Deals with PC issues from an IT management perspective. Offers regular articles on security and related topics.

26 Regulating Privacy and Security
The Health Insurance Portability and Accountability Act (HIPAA)
HIPAA was enacted in 1996 to ensure privacy of personal medical information. HIPAA is also known as the Kennedy-Kassebaum Act. HIPAA covers three areas (confidentiality, privacy, and security of patient records), and it’s being implemented in phases to make the transition easier. The primary emphasis of HIPAA is on administrative simplification through improved efficiency in healthcare delivery. This simplification is achieved by standardizing electronic data interchange and protecting the confidentiality and security of health data. After deployment, HIPAA preempts state laws, unless the state law is more stringent.

27 Regulating Privacy and Security
The Gramm-Leach-Bliley Act of 1999
The Gramm-Leach-Bliley Act, also known as the Financial Modernization Act, requires financial institutions to develop privacy notices and to notify customers that they are entitled to privacy. The act:
Prohibits banks from releasing information to nonaffiliated third parties without permission.
Requires banks to explain their information-sharing policies to individual consumers. Customers have the ability to “opt out” of sharing agreements.
Prohibits institutions from sharing account information for marketing purposes.
Prohibits the gathering of information about customers using false or fraudulent methods.
The law went into effect in July 2001.

28 Regulating Privacy and Security
The Computer Fraud and Abuse Act
The Computer Fraud and Abuse Act was introduced into law in 1986 to address issues of fraud and abuse that weren’t well covered under existing statutes. The law was updated in 1994, in 1996, and again in 2001. This act gives federal authorities, primarily the FBI, the ability to prosecute hackers, spammers, and others as terrorists. The law is primarily intended to protect government and financial computer systems from intrusion. Technically, if a governmental system, such as an Internet server, were used in the commission of the crime, virtually any computer user who could be shown to have any knowledge or part in the crime could be prosecuted. The law is comprehensive and allows for stiff penalties, fines, and imprisonment of up to 10 years for convictions under this statute.

29 Regulating Privacy and Security
The Family Educational Rights and Privacy Act
The Family Educational Rights and Privacy Act (FERPA) dictates that educational institutions may not release information to unauthorized parties without the express permission of the student or, in the case of a minor, the parents of the student. This act also requires that educational institutions disclose any records kept on a student when demanded by that student. It jeopardizes the federal funding of schools by government agencies if any violations occur.

30 Regulating Privacy and Security
The Computer Security Act of 1987
The Computer Security Act requires federal agencies to identify and protect computer systems that contain sensitive information. This law requires agencies that keep sensitive information to conduct regular training and audits, and to implement procedures to protect privacy.
The Cyberspace Electronic Security Act
The Cyberspace Electronic Security Act (CESA) gives law enforcement the right to gain access to encryption keys and cryptography methods. The initial version of this act allowed federal law enforcement agencies to secretly use monitoring, electronic capturing equipment, and other technologies to access and obtain information. These provisions were later stricken from the act, although federal law enforcement agencies were given a large amount of latitude to conduct investigations relating to electronic information. This act is generating a lot of discussion about what capabilities should be allowed to law enforcement in the detection of criminal activity.

31 Regulating Privacy and Security
The Cyber Security Enhancement Act
The Cyber Security Enhancement Act of 2002 allows federal agencies relatively easy access to ISPs and other data-transmission facilities to monitor communications of individuals suspected of committing computer crimes using the Internet. The act is also known as Section 225 of the Homeland Security Act of 2002.
The Patriot Act
The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001 was passed partially because of the World Trade Center attack on September 11, 2001. This law gives the U.S. government extreme latitude in pursuing criminals who commit terrorist acts. The definition of a terrorist act is broad. The law provides for relief to victims of terrorism as well as the ability to conduct virtually any type of surveillance of a suspected terrorist. This act is currently under revision, and it will probably be expanded.

32 The End

