Chapter 15, IT Policy Compliance and Compliance Technologies
This lesson covers chapter 15. It discusses the basic
elements in our environment and implementing compliance with
Objectives important to this lesson:
- Baseline elements for IT security
- Automating security policy compliance
- Compliance technologies and solutions
Baseline Elements for IT Security
page 427, we are given a definition of a security baseline: a set
configurations to achieve a specific security objective. This is
general enough that it applies to any hardware or software we
to apply security policies. It also means that we could have a
for one policy or a baseline that serves several policies.
The text gives us an example. The organization in question
make a policy about hardening
systems that sets specific protocols
to be loaded on boot (others will not
be loaded), specific ports
will be open for traffic (all others will not
be open) and the administrator
on the device must be renamed to the operational standard of the
organization. This information would be a modification made after
standard build, described below.
The text points out that this sort of baseline would give
intrusion detection devices information they need. It would be
abnormal, and probably unacceptable, to have packets on the
that use a protocol or are bound for a port that the baseline has
The text continues with this idea, noting that an IDS should
be watching for other baseline deviations, such as the baseline
performance measurement you may make on a server:
- disk (hard drive)
Abnormal activity in these factors may just be deviations
caused by increased business activity, but they may indicate an
on the server. An administrator should look for causes when
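The two kinds of baseline deviation described above (packets that use a protocol or port the hardening baseline does not allow, and a server performance measurement that drifts from its baseline) as an added Go example; this is not code from the textbook or the course, and the baseline values, packets and measurements are constructed samples.

```go
package main

import "fmt"

// Baseline captures the hardening policy from the lesson: the protocols
// loaded at boot and the ports left open. Anything else is a deviation.
type Baseline struct {
	Protocols map[string]bool
	OpenPorts map[int]bool
}

// Packet is a constructed, simplified record of what an IDS would see.
type Packet struct {
	Src, Proto string
	DstPort    int
}

// Deviations returns one message per packet that violates the baseline,
// which is the information the text says the IDS needs from the baseline.
func Deviations(b Baseline, pkts []Packet) []string {
	var out []string
	for _, p := range pkts {
		switch {
		case !b.Protocols[p.Proto]:
			out = append(out, fmt.Sprintf("%s: protocol %s not in baseline", p.Src, p.Proto))
		case !b.OpenPorts[p.DstPort]:
			out = append(out, fmt.Sprintf("%s: port %d not open in baseline", p.Src, p.DstPort))
		}
	}
	return out
}

// PerfDeviation flags a performance measurement (CPU, memory, disk) that
// exceeds the server's baseline by more than tolerance percent. A hit is a
// reason for the administrator to look for a cause, not proof of an attack.
func PerfDeviation(metric string, baseline, observed, tolerance float64) (bool, string) {
	limit := baseline * (1 + tolerance/100)
	if observed > limit {
		return true, fmt.Sprintf("%s at %.0f exceeds baseline %.0f by more than %.0f%%", metric, observed, baseline, tolerance)
	}
	return false, ""
}

func main() {
	// Constructed baseline: only TCP/UDP loaded, only 80 and 443 open.
	b := Baseline{Protocols: map[string]bool{"TCP": true, "UDP": true}, OpenPorts: map[int]bool{80: true, 443: true}}
	pkts := []Packet{{"10.0.0.5", "TCP", 443}, {"10.0.0.9", "TCP", 23}, {"10.0.0.7", "GRE", 0}}
	for _, d := range Deviations(b, pkts) {
		fmt.Println(d)
	}
	if hit, msg := PerfDeviation("disk IOPS", 400, 900, 50); hit {
		fmt.Println(msg)
	}
}
```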
On page 428, the text describes using a baseline
image as the starting point for any workstation. You may need to
create a separate image for each different model of computer your organization
uses, which includes the operating system,
standard software, and configuration settings for
those elements. An image is typically stored as an ISO file,
which is a single large file that is an archive of everything on an optical
disc. In some cases, the image file is stored or published as a series
of discs. The text mentions the Symantec product Ghost,
which is a commonly used product for creating hardware/software images.
The links above go to an article about ISO files, and a Symantec page
about Ghost. This link goes to a page that recommends alternatives
Image files are a common starting point. The text mentions
that the image must be updated periodically to include patches
to programs and the
operating system. Until the new image contains those patches, management of patches is
done through group policies
Automating security policy compliance
The text discusses several systems that may be used to detect
or manage changes in baseline settings. They are not used
but their use is recommended. The first three are Microsoft Baseline
Security Analyzer (MBSA)
used to scan for problems based on known problems described in
download from Microsoft.
Systems Management Server (SMS) and System Center Configuration Manager (SCCM)
- Both of these products can scan for problems and deploy software to
nodes on a network. SCCM is
the more recent of the two products, and it has more features and capabilities,
including deploying operating systems across a network.
The other products, listed on page 432, may be used to manage
workstations running Windows, UNIX, or Linux.
one of a family of scanning products; downloads for Windows, Mac
- a free scanning product;
downloads for Windows, Mac OS X, Linux, FreeBSD, OpenBSD,
Solaris, and other operating systems
- a large suite of related products for multiple operating
On page 435, the text sells us on using tools to automate
tedious tasks that administrators would otherwise have to perform.
Why tie up an expensive employee for hours if the job can be
or coded, and pushed to every station that needs the new
As noted above, SCCM can
used to push changes to a workstation in a Windows network. So can
The text shows us an example on page 437. Workstations in three
separate parts of the organization are placed in three different
Organizational Units in Active Directory. A Group Policy could be
configured for each of those units to push software, patches,
configuration, or other changes needed by the workstations in any
The text recommends testing the security of our environment
with some kind of penetration
a test that evaluates whether we are at risk to known techniques
Compliance Technologies and Solutions
The text lists five technologies that may be used to automate
compliance with policies.
- This is another set of rules and principles that are loved by
accountants, and might be used to create policies and controls.
not a technological tool, so I do not see why it is in this
Security Content Automation Protocol (SCAP)
- A protocol developed by
NIST that supports tools and methods for sharing common
Simple Network Management Protocol (SNMP)
has been used to manage network devices for many years. A
security flaw in early versions was that commands sent to
to include a community
a prefix that gave the
permission to manage the device. The problem was that the default strings were
(If the video below starts at the beginning, skip ahead to 6
and 35 seconds.)
Message integrity, authentication of senders, and encryption were added in version 3
of SNMP. Obviously, Star Fleet was using an earlier version at
of this encounter.
The text tells us that this is a set of standards for the
web based tools, developed by the Distributed Management Task
The link in this bullet point leads to their site. So, not
tool as much as some standards for how tools should work.
- A digital signature is something that can accompany a file
(such as a
download) that offers proof of the file's source and integrity.
text describes using a digital signature in a Public
Key Infrastructure (PKI)
setting. In the example in the
book, a company creates its own public
and private key pair.
practice, these keys may be created by a Certificate
instead. Since the text does not
explain it, a brief review (or introduction if you have never
is a system that uses two encryption/decryption keys. A person
company must have two keys in this system: a public key and a private key. They are
that whatever is encrypted
The owner of the keys gives the public key to anyone who wants it,
but keeps the private key safe from anyone
encryption on a web site
connect to a vendor's web site. I obtain the vendor's public
making the secure connection. My browser encrypts my credit
with the vendor's public key and sends the ciphertext to the
the vendor's private key is secure, the vendor is the only one
decrypt the data sent through the public key.
example in the text, a company creates a public/private
two, the company sends a request to a CA (e.g. Verisign)
digital certificate. The request includes the public key.
public key is not necessary if the CA created the key set
confirms that the request is valid. They create a digital
certificate that confirms the public key enclosed in the
the actual public key for that company. You will see why
in a moment.
four, the company creates a file
that is going to have a digital signature.
five, the company creates a hash
for the file. This will be a unique string of hex
six, the company encrypts the hash with their private
key. This creates a string
of characters that can only be decrypted with the
key. This encrypted
hash is the digital
why do this? Someone who downloads the file also downloads
signature. They obtain the certificate either from the
company or from
the CA, which is better. The downloader hashes the file,
the signature with the public key from the certificate. The
the signature should match the hash the downloader
generated. If we
trust the certificate, the public key in it could only
message that was encrypted with the private key of the
vendor. Since we
have now proven that the encrypted hash was from the vendor,
hashes match then the file must be as the vendor meant it to
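The signing and checking steps above (hash the file, sign the hash with the private key, then have the downloader hash the file and check the signature with the public key) worked as an added Go example; this is not code from the textbook or the course. The key pair is generated locally to stand in for the company's keys, and the certificate steps are assumed to have already happened, so the downloader simply holds the vendor's public key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignFile is the vendor's side: hash the file with SHA-256, then sign the
// hash with the private key. The result is the digital signature that is
// published next to the download.
func SignFile(priv *rsa.PrivateKey, file []byte) ([]byte, error) {
	digest := sha256.Sum256(file)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyFile is the downloader's side: hash the received file and check the
// signature against the public key taken from the vendor's certificate.
// A mismatch means the file was changed or the signature was not made with
// the matching private key.
func VerifyFile(pub *rsa.PublicKey, file, sig []byte) bool {
	digest := sha256.Sum256(file)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	// Constructed key pair standing in for the company's keys (in practice
	// the public key reaches the downloader inside a CA-signed certificate).
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	original := []byte("setup.exe contents (constructed sample)")
	sig, err := SignFile(priv, original)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine file verifies:", VerifyFile(&priv.PublicKey, original, sig))

	// One flipped bit in the download changes the hash, so the check fails.
	tampered := append([]byte{}, original...)
	tampered[0] ^= 0x01
	fmt.Println("tampered file verifies:", VerifyFile(&priv.PublicKey, tampered, sig))

	// A signature made with someone else's key fails against the vendor's public key.
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	forged, _ := SignFile(other, original)
	fmt.Println("signature from another key verifies:", VerifyFile(&priv.PublicKey, original, forged))
}
```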
The lesson ends with a series of suggestions for compliance
This is not a bad summary for the last few chapters.
- Create a security policy.
- Create a baseline that applies to the policy. This could be
  an image for a workstation, or it could be the most frequent or
  behavior of employees.
- Watch for changes in rules, regulations, and laws. Update
  policy as needed.
- Audit your systems, make sure they are working, and change
  them if they are not.
- Automate checks and services where possible.
- Control the changes that need to be made.
Week 9, Assignment 1:
- Complete the Review Questions posted for this chapter in the
  Review for Test 3, questions 22 through 30.
- Pick one of the case studies at the end of the
  Analyze the problem and the proposed solutions in the
  text. Are there any problems the solution would cause?
  Recommend any additional or alternate solution you
  think applies to this case.