Information Security is a discipline that protects assets from threats through safeguards in order to achieve the objectives of confidentiality, integrity, and availability (CIA for short), support business processes, and create and deliver value. All of the following hinder or enforce the security objective of integrity, except which one?
A. A recipient denied having received a message
B. A disgruntled employee deleted confidential files
C. A middle man poisoned a DNS
D. A sender signed an email with digital signature
You are working for an IC design house. Confidentiality of customer privacy and research and development data is the greatest concern. Jack, a disgruntled security administrator, received a new job offer from another company and notified the human resources department of his resignation one week in advance. The HR staff consider it an unfriendly departure. As a security professional, which of the following will you least likely suggest?
A. Terminate his access to systems immediately
B. Assign him to a restricted area during the notice period
C. Require him to prepare handover documentation
D. Remove him from the offices and ask him to stay home
As management is a systematic approach to achieving a goal or goals, I define vulnerability management based on the definitions from Wikipedia and the NIST CSRC Glossary, extended as follows:
Vulnerability management is the cyclical practice of identifying, classifying, prioritizing, remediating, and validating vulnerabilities in an information system, system security procedures, internal controls, or implementation to mitigate risk.
Vulnerability Management is the “cyclical practice of identifying, classifying, prioritizing, remediating, and mitigating” software vulnerabilities. (Wikipedia)
For example, vulnerability management is “an ISCM capability that identifies vulnerabilities [Common Vulnerabilities and Exposures (CVEs)] on devices that are likely to be used by attackers to compromise a device and use it as a platform from which to extend compromise to the network.” (NIST CSRC Glossary)
In a broader sense, vulnerability is a “weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.” (NIST CSRC Glossary)
Internal security controls are hardware, firmware, or software features within an information system that restrict access to resources to only authorized subjects. (NIST CSRC Glossary)
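The definitions above describe vulnerability management as a cyclical practice with ordered stages. The following is an added example, not code from the page or from NIST, Wikipedia or any scanner vendor: a small tracker that walks each finding through identify, classify, prioritize, remediate and validate, refuses to skip a stage, and reopens a finding when a re-scan still reports it. The CVE identifiers, assets, CVSS scores and re-scan results are constructed placeholders.

```python
"""Added example: a minimal vulnerability-management lifecycle tracker.

Illustrative code for this page only. Stage names follow the definitions in the
text; the CVSS severity bands are the CVSS v3 qualitative ratings. All finding
data below is constructed (placeholder CVE ids), not real scan output.
"""
from dataclasses import dataclass, field
from typing import Dict, List

STAGES = ("identified", "classified", "prioritized", "remediated", "validated")


@dataclass
class Finding:
    cve: str              # constructed placeholder id, not a real CVE entry
    asset: str
    cvss: float           # CVSS v3 base score as reported by a hypothetical scanner
    internet_facing: bool
    stage: str = "identified"
    severity: str = "unclassified"
    priority: int = 0     # 1 = remediate first
    log: List[str] = field(default_factory=list)


def _advance(f: Finding, to: str) -> None:
    """Stages may only be entered in order; skipping one is a process error."""
    if STAGES.index(to) != STAGES.index(f.stage) + 1:
        raise ValueError(f"{f.cve}: cannot move from {f.stage} to {to}")
    f.log.append(f"{f.stage}->{to}")
    f.stage = to


def classify(f: Finding) -> str:
    """Assign a qualitative severity from the CVSS v3 score bands."""
    bands = [(9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.1, "low")]
    f.severity = next((name for floor, name in bands if f.cvss >= floor), "none")
    _advance(f, "classified")
    return f.severity


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Order by severity, then by exposure: internet-facing assets first."""
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3, "none": 4}
    ordered = sorted(findings, key=lambda f: (rank[f.severity], not f.internet_facing, f.cve))
    for position, f in enumerate(ordered, start=1):
        f.priority = position
        _advance(f, "prioritized")
    return ordered


def remediate(f: Finding, action: str) -> None:
    """Record the fix that was applied (patch, configuration change, compensating control)."""
    f.log.append(f"remediation: {action}")
    _advance(f, "remediated")


def validate(f: Finding, rescan: Dict[str, List[str]]) -> str:
    """Close only if a fresh scan no longer reports the CVE on the asset; otherwise reopen."""
    if f.cve in rescan.get(f.asset, []):
        f.log.append("rescan still detects; reopening")
        f.stage = "identified"      # back to the start: the practice is cyclical
    else:
        _advance(f, "validated")
    return f.stage


def run_cycle() -> Dict[str, Finding]:
    """Run one full cycle over constructed findings and return them keyed by CVE id."""
    findings = [
        Finding("CVE-0000-0001", "web-01", 9.8, internet_facing=True),
        Finding("CVE-0000-0002", "db-01", 9.8, internet_facing=False),
        Finding("CVE-0000-0003", "web-01", 5.3, internet_facing=True),
    ]
    for f in findings:
        classify(f)
    prioritize(findings)
    for f in findings:
        remediate(f, "patched")
    # Constructed re-scan result: the database host's patch did not take effect
    rescan = {"db-01": ["CVE-0000-0002"], "web-01": []}
    for f in findings:
        validate(f, rescan)
    return {f.cve: f for f in findings}


if __name__ == "__main__":
    for cve, f in run_cycle().items():
        print(cve, f.asset, f.severity, f.priority, f.stage, f.log)
```

The design choice worth noting is that `validate` is the only stage allowed to move a finding backwards: closure depends on evidence from a new scan rather than on the remediation ticket being marked done, which is what makes the process a cycle rather than a one-way pipeline.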
According to NIST SP 800-41 R1, a firewall is a device or program that controls the flow of network traffic between networks or hosts that employ differing security postures.
Firewall Interfaces and Zones
A firewall comprises several network interfaces that can be configured or assigned to zones. A security zone, or zone for short, is a collection of firewall interfaces that share the same security requirements. Traffic between zones is controlled by firewall policies.
A firewall interface connected to the internet is typically assigned to a zone named untrusted or public; one connected to the internal network is assigned to a trusted zone. The zone whose security requirements lie between those of the untrusted zone and the trusted zone is called the demilitarized zone (DMZ).
The zone name doesn’t matter, but the firewall policies do. A network connected to a firewall interface is not necessarily secure or trusted just because the zone to which that interface is assigned is named “trusted”. Security is enforced by the firewall policies.
A firewall connected to both the internet and the internal networks may lead to serious consequences once it is compromised: the attacker who compromised the firewall has complete access to the internal networks.
As a result, some organizations add another firewall as an extra tier or layer to mitigate the single point of failure in the previous case. If the first-tier firewall is compromised, the second tier still provides protection. This is a strategy of layered defense, or defense in depth.
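The three points above (interfaces map to zones, policies rather than zone names decide what passes, and a second tier keeps enforcing its own policies when the first is compromised) can be made concrete with a small policy evaluator. This is an added example written for this page, not the configuration language of any real firewall product; the topology, interface names, addresses (RFC 5737 documentation ranges) and policies are constructed.

```python
"""Added example: a minimal zone-based firewall policy evaluator.

Illustrative code for this page, not a real firewall's syntax. Each firewall maps
interfaces to zones, decides inter-zone traffic by first-match policy with an
implicit deny, and a flow across a tiered design is allowed only if every tier
on its path allows it. The topology and policies are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Policy:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]   # None matches any destination port
    action: str               # "allow" or "deny"


@dataclass
class Firewall:
    name: str
    # interface name -> (zone, attached network); 0.0.0.0/0 marks the default-route interface
    interfaces: Dict[str, Tuple[str, str]]
    policies: List[Policy] = field(default_factory=list)

    def zone_of(self, ip: str) -> str:
        """Longest-prefix match of an address to an interface network, returning its zone."""
        addr = ip_address(ip)
        matches = [(ip_network(net).prefixlen, zone)
                   for zone, net in self.interfaces.values()
                   if addr in ip_network(net)]
        if not matches:
            raise ValueError(f"{self.name}: no interface route for {ip}")
        return max(matches)[1]

    def evaluate(self, src_ip: str, dst_ip: str, dst_port: int) -> str:
        """First matching inter-zone policy wins; no match means implicit deny."""
        src_zone, dst_zone = self.zone_of(src_ip), self.zone_of(dst_ip)
        if src_zone == dst_zone:
            return "allow"   # same-zone traffic is not mediated by inter-zone policy here
        for p in self.policies:
            if (p.src_zone, p.dst_zone) == (src_zone, dst_zone) and p.dst_port in (None, dst_port):
                return p.action
        return "deny"


def evaluate_path(tiers: List[Firewall], src_ip: str, dst_ip: str, dst_port: int) -> str:
    """A flow is allowed only if every firewall on its path allows it (layered defense)."""
    return "allow" if all(fw.evaluate(src_ip, dst_ip, dst_port) == "allow" for fw in tiers) else "deny"


# Constructed two-tier topology: internet -> OUTER -> INNER -> trusted servers
OUTER = Firewall("outer", {
    "eth0": ("untrusted", "0.0.0.0/0"),
    "eth1": ("dmz", "192.0.2.0/24"),
    "eth2": ("inside", "10.0.0.0/8"),
}, [
    Policy("untrusted", "dmz", 443, "allow"),   # public web tier
    Policy("dmz", "inside", 5432, "allow"),     # web tier to database tier
])
INNER = Firewall("inner", {
    "eth0": ("outside", "0.0.0.0/0"),
    "eth1": ("trusted", "10.0.0.0/8"),
}, [
    Policy("outside", "trusted", 5432, "allow"),
])

# Zone names carry no security meaning: an interface in a zone called "trusted"
# with no policies still yields deny for everything crossing zones.
MISNAMED = Firewall("misnamed", {"eth0": ("trusted", "0.0.0.0/0"),
                                  "eth1": ("servers", "10.0.0.0/8")})


def compromised(fw: Firewall) -> Firewall:
    """Model the text's failure mode: a tier whose policies have been replaced with allow-any."""
    zones = {zone for zone, _ in fw.interfaces.values()}
    return Firewall(fw.name + "(compromised)", fw.interfaces,
                    [Policy(s, d, None, "allow") for s in zones for d in zones if s != d])


if __name__ == "__main__":
    print("web from internet:", OUTER.evaluate("198.51.100.7", "192.0.2.10", 443))
    print("db from dmz, both tiers:", evaluate_path([OUTER, INNER], "192.0.2.10", "10.0.0.5", 5432))
    print("ssh to db, outer compromised:", evaluate_path([compromised(OUTER), INNER], "198.51.100.7", "10.0.0.5", 22))
    print("misnamed zone, no policy:", MISNAMED.evaluate("198.51.100.7", "10.0.0.5", 22))
```

The last check to run mentally is the honest one: with the outer tier compromised, the inner tier still blocks SSH to the database host, but it lets port 5432 through because its own policy allows that port from anywhere outside. A second tier only protects what its own policies deny, so the inner policy should be as narrow as the real flows require.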
Firewalls and Applications
It’s not uncommon to implement a tiered architecture of firewalls to support a multi-tiered application architecture (presentation, business logic, and data/persistence tiers). In the context of application architecture, a layer is a logical concern while a tier is a physical concern: an application can be divided into several logical subsystems, modules, or layers, and deployed onto several servers or physical tiers.
Layer vs Tier
IMO, the diagram from the Sybex CISSP Study Guide (OSG), as follows, implies that the OSG treats the number of tiers as the number of zones protected by firewalls (excluding the untrusted zone).
You are a member of the business continuity management system (BCMS) program and are sitting in a meeting. After the discussion, there are some findings about your company: a plant in Taiwan manufactures sports towels and markets them around the world; another plant in Vietnam primarily makes shoes for a worldwide label that mandates your company fulfill its purchase orders without interruption. Based on the findings, which of the following activities should be conducted first?
A. Conduct business impact analysis (BIA)
B. Determine the scope
C. Assess risk in terms of products and services and related resources
D. Identify strategies and solutions
You are a member of the business continuity management system (BCMS) program and are sitting in a meeting whose agenda is determining the scope of the BCMS. Which of the following activities is least likely to be conducted?
A. SWOT analysis
B. Cost-benefit analysis
C. Stakeholder or interested party analysis