CHAPTER 6
Local Host Security in the Real World

The following challenges provide contextual reference points for the concepts you will learn in Part II. Because you have not yet read the chapters in Part II, the challenges in this chapter are designed to introduce you to the local host scenarios you’ll face in the real world.

In this chapter, you’ll learn to:

  1. Apply applicable categories and sub-categories of the NIST Cyber Security Framework’s “Identify” function to a specific scenario to document the network’s assets and their possible vulnerabilities.
  2. Use applicable categories and sub-categories of the “Protect” function to generate specific policies and actions that can be used to secure the network’s assets for the specified scenario.
  3. Apply applicable categories and sub-categories of the “Detect” function to identify technologies, policies, practices, and strategies that can be used to monitor the network in the scenario to determine whether security events are occurring.
  4. Apply applicable categories and sub-categories of the “Respond” function to create an incident response plan to cover specific security events associated with the scenario presented.
  5. Apply applicable categories and sub-categories of the NIST Cyber Security Framework “Recover” function to the scenario to implement solutions for recovering from specific cyber events.

Security Challenges

This chapter will kickstart your thought processes for what you are about to learn in Part II. Instead of simply trying to absorb all of the information you’re about to learn in these chapters, you’ll begin here by gaining a better understanding of the real-world relevance of that information.

In Chapter 10, you will return to these scenarios and apply what you learned in Chapters 7, 8, and 9. You will also compare your observations to those of the professional security specialists who have provided their observations and solutions for these scenarios.

Computing Device Security Scenario 1

You have been assigned to develop a local security policy and the configuration specifications for the desktop computers used by in-house employees at your firm. These PCs are mounted in special openings under the desk in each cubicle.

The computers are physically identical, and they all run the same operating system. However, they may have different types of job-specific company software installed, as shown in Figure 6.1. These computers are equipped with the following:

  • Detachable keyboards and mice
  • Six built-in USB connection ports
  • Separate video display monitors
  • UTP local area network connection ports
  • Microsoft Windows 7 Professional operating systems
  • Microsoft Office 2013 software
  • Dual built-in DVD disc drives

[Illustration: a corporate desktop PC with detachable keyboard and mouse, six built-in USB ports, separate video display monitors, Microsoft Office 2013 software, and dual built-in DVD disc drives.]

FIGURE 6.1 Corporate Desktop PC

Risk Assessment 1

From the information provided in this first scenario, consider the National Institute of Standards and Technology (NIST) functions detailed in this section and then write your observations as they relate to each category.

Identify

Create an inventory of physical and software assets associated with the user computers described here. Identify potential pathways that could provide unauthorized personnel with access to the physical and software assets associated with these computers (NIST ID.AM-1, 2; ID.RA-1).
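As an added illustration (not part of the book's exercise or its answer key), the following PowerShell script collects the ID.AM-1/ID.AM-2 inventory from one of the Scenario 1 desktops and records the physical pathways asked about under ID.RA-1. It assumes the stock Windows 7 PowerShell (WMI cmdlets) and an administrative session; the output file name is a constructed example.

```powershell
# Added example (not from the book): build a host asset record for a
# Scenario 1 desktop PC to support NIST ID.AM-1/ID.AM-2 and note the
# removable-media and network pathways relevant to ID.RA-1. Uses WMI
# cmdlets available on Windows 7 (PowerShell 2.0); run as an administrator.

$os = Get-WmiObject Win32_OperatingSystem
$cs = Get-WmiObject Win32_ComputerSystem

# Software inventory (ID.AM-2) from the Uninstall registry keys; this is
# faster and safer than Win32_Product, which triggers MSI reconfiguration.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$software = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher

# Physical access pathways (ID.RA-1): USB host controllers, optical drives
# and physical network adapters are the points an unauthorized person
# standing at the cubicle could use.
$usbControllers = Get-WmiObject Win32_USBController
$opticalDrives  = Get-WmiObject Win32_CDROMDrive
$nics = Get-WmiObject Win32_NetworkAdapter | Where-Object { $_.PhysicalAdapter }

# Whether the USB mass-storage driver is disabled (Start = 4) is a
# least-functionality control (PR.PT-3) worth recording next to the
# pathway it covers, so the inventory shows both exposure and mitigation.
$usbstor = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
    -ErrorAction SilentlyContinue

$record = New-Object PSObject -Property @{
    Hostname          = $cs.Name
    OS                = "$($os.Caption) $($os.Version)"
    LastBoot          = $os.ConvertToDateTime($os.LastBootUpTime)
    SoftwareCount     = @($software).Count
    Software          = $software
    USBControllers    = @($usbControllers).Count
    OpticalDrives     = @($opticalDrives | ForEach-Object { $_.Name })
    PhysicalNICs      = @($nics | ForEach-Object { $_.Name })
    USBStorageBlocked = ($usbstor -ne $null -and $usbstor.Start -eq 4)
}

# One record per host, serialized for collection into the central asset
# inventory (Export-Clixml works on PowerShell 2.0; the file name is an
# assumed convention, not one the book prescribes).
$record | Export-Clixml -Path "$env:COMPUTERNAME-inventory.xml"
$record | Format-List
```

Running it on each desktop and collecting the XML files gives the physical and software inventory the Identify questions ask for, with the removable-media exposure per host visible in the same record.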

Protect

Describe how to go about managing the identities and credentials of authorized users at the local level (NIST PR.AC-1, 2, 4; PR.PT-1, 3).

Detect

Using the computers and environment identified at the outset of this section, how might you determine whether someone was attempting to gain access to the computers described or the software and intellectual property stored on them (NIST DE.CM-1, 4; DE.AE-1, 2, 3, 4)?

Which types of systems must be in place to identify occurrences of physical security breaches (NIST DE.CM-2, 3)?

Respond

Describe how to respond to a suspected security breach of one or more local host units (NIST RS.RP-1; RS.CO-2, 3, 4, 5; RS.AN-1, 2, 3; RS.MI-1, 2, 3; RS.IM-2).

Recover

List the policies and steps that should be put into place to recover from actions that might be taken to access, damage, or destroy the assets described in this scenario (NIST RC.RP-1).

Which items might a recovery plan include if local host security is breached (NIST RC.CO-1, 2, 3)?

Computing Device Security Scenario 2

Because you did such an outstanding job of creating the security policies and configurations for the company’s desktop computers, you have been asked to produce the same type of materials for the notebook computers used by the organization’s sales people.

These computers typically contain the product information the sales people need when meeting with customers. As such, confidential company and customer information is stored on these devices: proprietary price lists for different customers, customer contact and purchase history information, confidential communications between the sales person and customers and with company supervisory personnel, and information about products under development but not yet announced.

Obviously, these computers are portable PCs that work in the office and at different locations on the road. As depicted in Figure 6.2, these computers are equipped with the following:

  • Built-in keyboards and displays
  • Two built-in USB connection ports
  • UTP local area network connection ports
  • Microsoft Windows 7 Professional operating systems
  • Microsoft Office 2013 software
  • Dual SD card reader slots
  • Built-in wireless networking capabilities
  • External VGA display connection ports
  • Built-in DVD disc drives

[Illustration: a portable laptop computer with built-in keyboard and mouse, monitor, two built-in USB ports, Microsoft Office 2013 software, built-in DVD disc drive, and built-in wireless networking capabilities.]

FIGURE 6.2 Notebook PC

Risk Assessment 2

From the information provided in the second scenario, consider the NIST functions detailed in this section and then write your observations as they relate to each category.

Identify

Create an inventory of physical devices and systems associated with the user computers described here (NIST ID.AM-1).

Create an inventory of software used on the company notebook computers (NIST ID.AM-2).

Map the organization’s communications and data flow with these portable computers (NIST ID.AM-3).

Describe the risks associated with the environment and the computing devices described in this scenario. Create a risk assessment of identified asset vulnerabilities (NIST ID.RA-1, 2, 3, 4, 5).

Protect

For the equipment package described, determine which assets must be in place to mitigate the risks identified previously (NIST PR.AC, AT, DS, IP, and PT).

Describe how to manage the identities and credentials for the authorized users of these computers (NIST PR.AC-1).

Create a plan to determine how remote access will be provided and protected when the mobile devices are used away from the corporate facilities (NIST PR.AC-3).

Describe how data on the mobile computers will be secured as well as how it will be protected when communicated to and from the devices (NIST PR.DS-1, 2).

Detect

Establish a security plan to monitor these information systems to identify cybersecurity events and verify the effectiveness of protective measures (NIST DE.CM-1 through 8; DE.AE-1 through 5).

Which types of systems must be in place to monitor remote communications from these devices to detect potential cybersecurity events (NIST DE.CM-1)?

Which types of systems must be in place to monitor personnel activity to detect potential cybersecurity threats (NIST DE.CM-3)?

Respond

Create a plan to ensure that response processes and procedures are in place to provide timely responses to detected cybersecurity events (NIST RS.RP-1; RS.AN-1).

Considering the information kept on these mobile host devices, which type of response plan might be necessary if security is breached on one of the systems (NIST RS.CO-4, 5)?

Recover

Which steps should be put into place to recover from actions intended to access, damage, or destroy the assets you’ve identified (NIST RC.RP-1)?

Summary

Record your observations for risk assessments presented in this chapter. In Chapter 10, you will compare these original thoughts and observations with those you will generate after reading Chapters 7, 8, and 9. You’ll also be able to compare your answers to those of professional security specialists.
