
Certification Summary

This chapter covered the last two objectives of Part I of the Sun Certified Security Administrator for Solaris examination. We discussed the process-based approach to security, including its life cycle; security awareness; application, network, and physical security; and evaluation standards. The exam objectives covered in this chapter test your understanding of the security process life cycle approach. As mentioned previously, the topics covered in Part I of this guide are general security concepts that are universally applicable, even though the particulars of their implementation may vary.

Two-Minute Drill

Here are some of the key points from the certification objectives in Chapter 3.

Identify the Security Life Cycle and Describe Best Security Practices

  • A security policy is a high-level document or set of documents that identifies the particular information assets of the organization, stipulates who owns them, indicates how they may or may not be used, and sets requirements for their use along with sanctions for misuse.

  • The security life cycle process is intended to prevent, detect, respond, and deter—and repeat the cycle again, keeping in mind the lessons learned.

  • Preventive controls include firewalls, logical and physical access control systems, and security procedures that are devised to prevent the occurrence of violations of security policy.

  • Detection controls include network and host intrusion detection systems, physical movement and intrusion detection systems and alarms, and cryptographic checksums on transmitted information (to detect unauthorized modifications).

  • Incident response is a subdiscipline of information security; it is the formal set of defined and approved actions based on the information security policy and best practices that are to be taken in response to a security incident.

  • Deterrent controls include good information security management, regular audits, security-aware staff, well-administered systems, good employee morale, and security certifications.

  • Security-aware employees are the best partners of the organization and its information security efforts, while staff that have no idea about security practices or simply don't care are not partners at all. One doesn't need determined adversaries to suffer a security breach—a clueless insider who doesn't understand the consequences may expose the organization to risks that could otherwise have been avoided.

  • Security policies are one of the mechanisms that define and convey the information security requirements of the organization's management to the staff of the organization.

  • Security procedures are developed within the organization by subject-matter specialists with assistance of security professionals and/or information systems auditors. Procedures may be application-specific and/or version-specific and need to be kept current with the organization's latest information systems environment. System and security administrators play a key role in developing and enforcing security procedures.

  • Security guidelines are nonbinding recommendations dealing with how to develop, define, and enforce security policies and procedures.

  • Security standards are mandatory either because they are dictated by the security policy, law, or regulations or because the entity in question has decided to adhere to the standard.

  • Physical security addresses the physical vulnerabilities, threats, and countermeasures used to control risks associated with physical destruction; unauthorized access; loss due to theft, fire, natural disasters (floods, earthquakes, tornados), or environmental issues (air conditioning, ventilation, humidity control); and all associated issues.

  • Although Sun Certified Security Administrator certification candidates are not required to have Sun Certified System or Network Administrator certifications, they are expected to be familiar with subjects covered by their exam objectives and have at least six months of experience administering Solaris systems.

Describe the Benefits of Evaluation Standards

  • Evaluation standards provide a common framework for developers, users, and evaluators to define, evaluate, and compare security functionality and assurance levels of different products, from operating systems to smart cards.

  • Although formal evaluation of systems is a complex and expensive process, it is justified for high-security environments such as military, government, and financial institutions.

  • The result of an evaluation is an evaluation assurance level assigned to the evaluated system, which indicates the level of assurance or trust that may be placed in it; that level in turn depends on how the system was designed, implemented, and evaluated.

  • The Solaris operating system has been evaluated to EAL4.

Self Test

The following questions will help you measure your understanding of the material presented in this chapter. Read all the choices carefully, because there might be more than one correct answer. Choose all correct answers for each question.

Identify the Security Life Cycle and Describe Best Security Practices

1. Why is a process life cycle–based approach to information security management appropriate?

  A. Because it is the only existing approach
  B. Because it is a good practice
  C. Because it takes into account the changing environment
  D. Because it is business-oriented
  E. All of the above


2. The security life cycle includes which of the following?

  A. Preventive controls
  B. Detection
  C. Controls that deter potential attackers
  D. Incident response
  E. All of the above


3. Why is detection an important part of the security process?

  A. Because it shows which preventive controls work and which don't.
  B. Because it serves as a quality/reliability control.
  C. Because no usable preventive control is perfect.
  D. Detection is not necessary in low-security environments.
  E. All of the above


4. What is the purpose of deterrent controls?

  A. To back up detective controls
  B. To prevent attacks from happening
  C. To discourage attackers
  D. To compensate for preventive controls
  E. All of the above


5. Why is incident response capability necessary?

  A. Because any organization may have a security incident
  B. Because detection is useless without response
  C. Because it is required by law
  D. Because correct reaction to a security incident is important
  E. All of the above


6. Why should security awareness training be an ongoing concern?

  A. Because security risks and vulnerabilities change and evolve
  B. Because people need to refresh their knowledge periodically
  C. Because an organization's information systems change over time
  D. Because people may become complacent with time
  E. All of the above


7. Documents that set high-level goals, requirements, and priorities are called:

  A. Guidelines
  B. Procedures
  C. Standards
  D. Policies
  E. All of the above


8. Documents that are usually technical, detailed, and implement security policies are called:

  A. Guidelines
  B. Normative acts
  C. Procedures
  D. Standards
  E. All of the above


9. Nonbinding recommendations on how to develop, define, and enforce security policies and procedures are known as:

  A. Standards
  B. Auditing regulations
  C. Guidelines
  D. Control objectives
  E. All of the above


10. When are information security standards compulsory?

  A. When required by law
  B. When adopted by the organization
  C. Always
  D. When required for certification or accreditation
  E. All of the above


11. Physical security includes which of the following?

  A. Location of facilities
  B. Building materials
  C. Humidity, ventilation, and air conditioning
  D. Fire detection and suppression systems
  E. All of the above


12. True or false: system firmware affects the overall security of the system.

  A. True
  B. False
  C. Only on SPARC systems
  D. On all systems except SPARC systems
  E. All of the above


13. What is the difference between SSL/TLS and IPSEC?

  A. IPSEC is a transport layer and SSL/TLS is a network layer technology.
  B. SSL/TLS is a transport layer and IPSEC is a network layer technology.
  C. IPSEC secures only the network layer and SSL/TLS secures all layers.
  D. SSL/TLS provides only confidentiality and not integrity protection.
  E. All of the above


Answers

1. ☑ B, C, and D. A process life cycle–based approach to information security management is appropriate because it takes into account changing information systems environments, it is business-oriented, and it is considered a good practice.

   ☒ A is incorrect because the process life cycle–based approach is not the only existing approach to information security management.

2. ☑ E. All of the answers are correct. The security life cycle process consists of prevention, detection, response, and deterrence.

3. ☑ A, B, and C. Detection is an important part of the security process because it shows whether preventive controls work or not, because it serves as a quality and reliability control, and because no usable preventive control is perfect.

   ☒ D is incorrect because the security level of the environment has no bearing on the need for detective controls.

4. ☑ C. Deterrent controls are created to discourage potential attackers. Deterrent controls may potentially be confused with preventive controls, and although both types of controls aim to preclude security violations from happening, they try to do so at different times.

   ☒ A and B are incorrect because deterrent controls are not a backup for detective controls and they do not necessarily prevent attacks from happening. D is incorrect because, while preventive security controls try to prevent a breach of security after the adversary has decided to attack but before the attack has succeeded, deterrent controls try to discourage the attacker from attacking in the first place by demonstrating that the attack is not going to succeed and even if it does, it will be detected and dealt with.

5. ☑ A, B, and D. Computer security incidents are occurring at an ever-increasing rate; therefore, we must be prepared to respond to and investigate computer security incidents.

   ☒ C is incorrect because incident response is not necessarily always required by law; however, depending on the jurisdiction, company policy, or industry compliance requirements, incident response capability may be required.

6. ☑ E. All answers are correct. To address all of these concerns, security awareness training should be held regularly.

7. ☑ D. Security policies are set by management and are high-level in nature. They specify what should and should not happen, without going into detail on how to reach these goals. Security policies should be sufficiently specific to convey their meaning and objectives unambiguously, but at the same time general enough not to require modification every month or after the introduction of a new system or application in the organization.

   ☒ A, B, and C are incorrect because guidelines are recommendations for consideration, procedures are detailed step-by-step instructions, and standards are general in nature.

8. ☑ C. Security procedures are developed by subject-matter specialists within the organization with the assistance of security professionals and/or information systems auditors. Because security procedures are often highly specific and technical in nature, they should be developed by those who appreciate these considerations.

   ☒ A, B, and D are incorrect because guidelines, normative acts, and standards only influence procedures.

9. ☑ C. Security guidelines are nonbinding recommendations that deal with how to develop, define, and enforce security policies and procedures. Although guidelines are nonbinding, it is customary to require an explanation from those who choose not to follow them.

   ☒ A, B, and D are incorrect because standards, auditing regulations, and control objectives are not nonbinding recommendations.

10. ☑ A, B, and D. Unlike guidelines, security standards are mandatory either because they are dictated by the security policy, law, or regulations or because the entity in question has decided to adhere to the standard.

   ☒ C is incorrect because information security standards are not always compulsory.

11. ☑ E. All answers are correct. Physical security includes all aspects mentioned as well as physical access control and monitoring.

12. ☑ A. Although particulars may vary, a system's firmware affects the overall security of the system.

   ☒ B is incorrect because the statement is true. C and D are incorrect because firmware on any platform may affect the overall security of the system.

13. ☑ B. SSL/TLS is a transport layer and IPSEC is a network layer technology.

   ☒ A, C, and D are incorrect because both SSL/TLS and IPSEC provide confidentiality and integrity protection to all layers above them.

Describe the Benefits of Evaluation Standards

14. What is the purpose of Common Criteria certification?

  A. To increase security of certified operating systems
  B. To offer cost-effective systems certification
  C. To provide comparability between the results of independent security evaluations
  D. To guarantee security of evaluated systems
  E. All of the above


15. What is the highest evaluation assurance level under Common Criteria that may be reached using commonly accepted best practices in systems/software development?

  A. EAL7
  B. EAL5
  C. EAL4
  D. EAL3
  E. All of the above


16. What is a Common Criteria Protection Profile (PP)?

  A. It rates the strength of security of evaluated systems.
  B. It specifies a system's assurance evaluation level.
  C. It is a Common Criteria assessment scheme.
  D. It is a set of requirements and definitions against which systems are evaluated.
  E. All of the above


17. Which of the following security domains are covered by ISO 17799?

  A. Security policy
  B. Access control
  C. Physical security
  D. Solaris security
  E. All of the above


18. Which of the following statements are true?

  A. Certification is the technical evaluation of systems.
  B. Certification is done by an organization's management.
  C. Accreditation is the formal acceptance of the system and its risks.
  D. Certification requires accreditation.
  E. All of the above


Answers

14. ☑ C. The purpose of Common Criteria is to provide comparability between the results of independent security evaluations of IT systems.

   ☒ A, B, and D are incorrect because evaluated systems are not necessarily more secure than other systems, evaluation usually is an expensive service, and evaluation doesn't guarantee security of evaluated systems.

15. ☑ C. EAL4 is considered to be the highest practical level of assurance that may be gained using good commercial development practices.

   ☒ A and B are incorrect because higher levels (EAL5–7) require special development methodologies and procedures that are expensive and not commonplace. D is incorrect, of course, because it is a lower level of assurance than EAL4.

16. ☑ D. A Protection Profile (PP) is a set of requirements and definitions against which systems are evaluated and awarded evaluation assurance levels (EALs). Because different systems in different environments have distinct security requirements, different protection profiles are in existence.

   ☒ A, B, and C are incorrect because PPs do not rate the strength of security of evaluated systems, do not specify systems' assurance evaluation levels, and are not a Common Criteria assessment scheme.

17. ☑ A, B, and C. ISO 17799 is a Code of Practice for Information Security Management and does not cover any specific products or systems such as Solaris.

   ☒ D is incorrect because ISO 17799 does not cover the Solaris operating environment specifically but is an information security management standard.

18. ☑ A and C. Certification is a technical evaluation conducted by independent and qualified third parties. Certification does not require accreditation. It is a basis for accreditation, but the responsibility for the accredited system lies mainly with the management of the organization that accredits the system.

   ☒ B is incorrect because certification is a technical evaluation conducted by third parties. D is incorrect because certification does not require accreditation.

