
G1 ImplementingControls

Chapter 9 discusses the implementation of controls to protect assets, focusing on physical security measures, redundancy, fault tolerance, and data backup strategies. It outlines various security controls, including access systems, environmental controls, and disaster recovery planning. The chapter emphasizes the importance of business continuity elements and the need for effective testing of backup and recovery plans.

Uploaded by GUESH

Chapter 9

Implementing Controls to Protect Assets

CompTIA Security+
Get Certified Get Ahead
By Darril Gibson

GetCertifiedGetAhead.com © 2021 YCDA, LLC


Introduction
• Comparing Physical Security Controls

• Adding Redundancy and Fault Tolerance

• Protecting Data with Backups

• Comparing Business Continuity Elements



Physical Security Controls
• Perimeter

• Buildings

• Secure work areas

• Server rooms

• Hardware (such as cable locks)


Physical Security Controls
• Door access systems
– Proximity cards

• Locks
– Physical locks
– Physical cipher locks
– Biometric locks
– Cable locks

Physical Security Controls
• Tailgating and access control vestibules

• Security guards



Physical Security Controls
• Personnel
– Two-person integrity

• Cameras

• Fencing, lighting, and alarms



Sensors
• Motion detection
• Noise detection
• Temperature
• Moisture detection
• Proximity reader
• Cards



Physical Security Controls
• Barricades
– Bollards

• Signage

• Drones



Asset Management
• Architecture weaknesses

• Design weaknesses

• System sprawl

• Undocumented assets



Diversity
• Defense in depth
– Also known as layered security

• Vendor diversity

• Technology diversity

• Control diversity



Secure Areas
• Air gap

• Vaults

• Faraday Cage

• Safes



Environmental Controls
• Hot and cold aisles
– Regulate the cooling

[Figure: server cabinets arranged between cold aisles and a hot aisle]


Physical Attacks
• Malicious Universal Serial Bus (USB) cable

• Malicious flash drive

• Card skimming

• Card cloning



Redundancy and Fault Tolerance
• Single point of failure
– Any component whose failure results in the failure of an entire system

• Remove single points of failure with
– RAID (disk)
– Failover clustering (server)
– UPS and generators (power)
– Personnel

• Single points of failure are often overlooked until a disaster occurs

Disk Redundancies
• Inexpensive

• Adds fault tolerance and increases availability

• Hardware RAID more efficient than software RAID


Disk Redundancies
• RAID-0 no redundancy
– Two or more disks
• RAID-1 uses two disks as a mirror
– Two disks
• RAID-5 can survive failure of one disk
– Three or more disks
• RAID-6 can survive failure of two disks
– Four or more disks
• RAID-10 combines RAID-1 and RAID-0
– Even number of disks

Load Balancers
• Active/active load balancer
– Affinity



Load Balancers
• Active/passive load balancer



Power Redundancies
• UPS
– Provides short-term fault tolerance for power
– Can protect against power fluctuations

• Dual supply

• Generators provide long-term fault tolerance for power

• Managed power distribution units

Protecting Data with Backups
• Backup media
– Network-attached storage (NAS)
– Storage area network (SAN)
– Cloud

• Online backups

• Offline backups

Backup Types
• Full backups
– Fastest recovery time
• Differential backup
– Backs up all the data that has changed since the last full or differential backup
• Incremental backup
– Backs up all the data that has changed since the last full or incremental backup


Protecting Data with Backups
• Snapshot backup

• Image backup

• Copy backup

• Testing backup



Geographic Considerations
• Off-site storage
• Distance
• Location selection
• Legal implications
• Data sovereignty



Business Continuity Elements
• Protect against disasters and outages
– Fires
– Attacks
– Power outages
– Data loss from any cause
– Hardware and software failures
– Natural disasters, such as hurricanes, floods, tornadoes, and earthquakes


Business Continuity Elements
• Business impact analysis (BIA) identifies:
– Systems and components that are essential to the organization’s success (must continue to operate)
– Maximum downtime limits for these systems and components
– Scenarios that can impact these systems and components
– Potential losses from an incident
– Assets to include in recovery plans

Business Continuity Elements
• Impact
• Recovery Time Objective (RTO)
– Identifies maximum amount of time it should take to restore a system after an outage
– Derived from maximum allowable outage time identified in the BIA
• Recovery Point Objective (RPO)
– Refers to the amount of data an organization can afford to lose

Risk Metrics
• Mean time between failures (MTBF)
– Provides a measure of a system’s reliability
– Usually represented in hours
– MTBF indicates the device can be repaired

• Mean time to recover or mean time to repair (MTTR)
– The time it takes to restore a failed system
– Often specified in contracts as a target

Continuity of Operations Sites
• Provides an alternate location for operations after a critical outage
• Most common sites are hot, cold, and warm sites

• Hot site
– Includes personnel, equipment, software, and communications capabilities of the primary site
– All the data is up to date
– Can take over for a failed site within an hour
– Most effective disaster recovery solution for an alternate site
– Most expensive to maintain

Continuity of Operations Sites
• Cold site
– Has power and connectivity needed for COOP activation, but little else
– Least expensive and hardest to test
• Warm site
– Compromise between a hot site and a cold site
• Order of restoration
– Return least critical functions first

Disaster Recovery Plan (DRP)
• Part of BCP
• Includes a hierarchical list of critical systems
• Prioritizes services to restore after an outage
• Testing validates a DRP
• Recovered systems tested before returning to operation
– Can include a comparison to baselines


Disaster Recovery Plan (DRP)
• Phases
– Activate the disaster recovery plan
– Implement contingencies
– Recover critical systems
– Test recovered systems
– After-action report
• Includes a review to identify any lessons learned
• May include an update of the plan



BCP and DRP Testing
• Validate BCPs and DRPs through testing
• Tabletop exercises
– Discussion-based only
– Typically performed in a classroom or conference setting

• Simulations
– Simple simulations to full-blown tests

Chapter 9 Summary
• Comparing Physical Security Controls

• Adding Redundancy and Fault Tolerance

• Protecting Data with Backups

• Comparing Business Continuity Elements

• Check out the free online resources

