课程: ISC2 Certified Information Systems Security Professional (CISSP) (2024) Cert Prep

Developing security baselines

课程: ISC2 Certified Information Systems Security Professional (CISSP) (2024) Cert Prep

开始一个月试用 购买团队方案

Developing security baselines

- [Narrator] Most cybersecurity teams are responsible for maintaining the security of literally thousands of devices, ranging from laptops and tablets, to routers and firewalls. The sheer number of these systems makes it impossible to manually configure each of them to operate in a secure manner. Security baselines provide enterprises with an effective way to specify the minimum standards for computing systems and efficiently apply them across deployed devices. Many organizations begin their security standardization efforts by developing a baseline standard that sets forth the minimum standards that apply to all devices regardless of their purpose, operating system or the types of data that they contain. For example, a baseline security standard might require that a named individual is responsible for the security of each device. That the device is protected against unauthorized access attempts. That it doesn't jeopardize the confidentiality, integrity, or availability of other systems or the data those systems contain. That the device remains under the positive control of trained system administrators. And that all activities on the device comply with data security requirements. Now those requirements sound pretty generic, don't they? Well, that's actually the point of the baseline security standard. It sets forth a clear set of minimum requirements that apply to every device in the enterprise. They're especially useful during the countless times that security teams come across a new type of device that's joining the network. Even if they don't have specific guidance in place for that device, they can turn to the security baseline to determine the generic controls that should be in place. Baselines can also dive into deeper detail, breaking out different requirements for different classes of systems and information. An organization might organize their security baseline controls based upon the highest classification of information stored, process or transmitted by a system. For example, the security baseline might require that all data storage devices be encrypted when they're used to store highly sensitive information. In addition to baseline requirements, organizations often create specific security standards for the operating systems, mobile devices, network devices, appliances, and other systems commonly used in their environments. These standards describe how the organization will specifically achieve the baseline requirements on a particular system type. For example, the baseline security standard for a Windows system might require that the systems host firewall be enabled with all ports blocked other than those specifically required for business purposes and documented in a network access approval. Security baselines often require hundreds or thousands of individual security settings on a particular device. If administrators tried to configure those systems manually, they quickly find it an almost impossible task. There are simply too many settings and too many systems to configure. Fortunately, automation technologies are available to rapidly deploy configuration templates across large numbers of systems. For example, administrators can create a standard configuration template for all end user Windows systems, and then apply that template across all those systems through the use of group policy objects and active directory. Once administrators set baseline requirements and deploy those baselines across the enterprise, they should continue to monitor systems for compliance with the baseline. Users might accidentally adjust settings. Administrators may make errors in group policies. Attackers might undermine security, or any one of a number of other activities might cause deviations from the baseline. Automated monitoring solutions allow administrators to rapidly check thousands of systems against the baseline and identify any deviations that require investigation.

内容