Does the security policy meet business needs? Does an existing policy on Web sites, for example, cover the use of SSL to protect customer data? How about the security of that data once it is in the organization’s database? Are there policies that cover all aspects of the business’s operations? Are there, for example, policies to cover access to the Internet by employees or policies that cover the use of privately owned Personal Digital Assistants (PDAs) for storage of company, customer, or patient data?

Do the written policies follow the definition of a policy, or are they precise in defining exact implementation details or technology choices? There was concern, for example, that HIPAA regulations would specify the use of digital signatures on the transport of any patient or healthcare data and would specify what technologies and equipment should be used for enforcement. The bill did not do either. While HIPAA is a U.S. federal law and not a security policy, analyzing the law’s effects on healthcare organizations offers some of the same challenges as evaluating the effects of security policy on an organization, and a wealth of commentary can be found on the law to assist you in determining whether your analysis is in tune with experts in the field of law and information security.

How can the policy be enforced using technology? Policy should be written without undue consideration to what is technically possible. However, an analysis of the policy should result in a precise statement on what can and cannot be enforced with the technology currently in place, what additional technology might be purchased to fulfill the technical enforcement of the policy, the cost of purchasing additional technology for enforcement, and alternatives to the policy that can be recommended.

Is one security policy more important than another security policy? Is a policy that restricts user access to the Internet more or less important than a policy that requires customer data to be encrypted? Remember to evaluate whether the need for encryption is high because of risk of attack or whether encryption is being used for some other reason. For example, some have suggested that encrypting customer data may protect a company from having to follow the demands of a California law that requires a report be given to California customers if an attack is successful against your organization. You might determine that encryption is overkill given the nature of the information you are protecting and the layers of company infrastructure that would have to be penetrated to successfully attack it. You might, therefore, recommend a policy change or prioritize implementation differently when you understand the policy’s driver.

Always insist on a clear and complete statement of the cost that security adds to any project. Whether the cost is prepared by vendors, internal IT staff, management, or the security designer, it must be complete.

Look at security solutions that reduce cost. Are there security technologies suitable for this project that can reduce overall cost and thus improve profitability? An example of such technologies is the use of Secure Sockets Layer (SSL) encryption accelerator cards in e-commerce projects. People rarely doubt the need for secure servers to protect the transmission of sensitive customer or partner financial information during an e-commerce transaction. However, SSL encryption does reduce the number of transactions that can be processed per minute. Slowing the processing of monetary transactions is not a good thing, but removing SSL encryption is not an acceptable solution. SSL-encryption accelerator cards are the answer. Although these cards add cost to a security project, they pay for themselves because they allow the number of possible SSL-encrypted transactions to increase and provide the required care of customer information as it traverses the Internet.

Look for security technologies that, if not employed, absolutely will result in the failure of the project or will result in large, unnecessary expenses. No one today can imagine running an e-mail gateway without antivirus protection. However, it was not long ago that the purchase of such products was seen only as an expense that might be useful. Many organizations learned the hard way that not providing and frequently updating antivirus protection on both the gateway and the end-user machine leads to business interruptions and larger expenses than the cost of providing protection in the first place.

Look for other tangential business drivers that, if not analyzed, can lead to increased expense. For example, confidentiality and integrity—or perhaps the lack of confidentiality and integrity—are becoming increasingly larger legal issues. Ignorance of relevant laws and regulations is not an excuse not to follow them. Potentially large fines and lawsuits can be the result of failure to follow current laws. Another example is that although designing and deploying security can be expensive and require significant expertise, the lack of security can cost even more. The hard costs of the security design—such as costs for equipment, training, and so on—should always be a part of the project cost-benefit analysis. In some cases, it can be shown that adding security reduces the cost of doing business.

Homeland Security Act of 2002 (Provision Computer Security Enhancement Act). This act provides increased surveillance powers for law enforcement agencies, including surveillance conducted on the Internet. The act includes provisions to make it easier for federal agencies to obtain customer information from Internet service providers (ISPs).

USA Patriot Act. This act was established to deter and punish acts of terrorism. The act includes a directive for the U.S. Secret Service to develop a national network or electronic crime task force; amends the federal criminal code to allow wire, oral, and electronic communications when the case includes terrorism offenses, chemical weapons, and computer fraud and abuse; amends federal criminal code to include surveillance and interception of computer trespassing; and amends federal criminal code to include wiretaps to intercept teleconferences. In one famous case quoted to support passage of the act, a hacker stole teleconference services from a company and used them to plan and execute hacking attacks. Law enforcement agencies could not get authority to tap into the teleconferencing session. The act now gives investigators the ability to request that authority. The act also extends definitions to include cable companies, who, during the passage of earlier bills, were not providing Internet access services but who now are.

California law SB 1836. This law is an amendment to the California Information Practices Act that says if you do business with residents of California, have their unencrypted information in your databases, and are then hacked, you must notify each of those California residents that their personal information might have been compromised. This law is a California law that affects every state in the U.S. XK0-002 70-536 70-284

The initial and ongoing cost of security The real and perceived cost of security will always be a driving factor in the implementation of security.

Legal requirements for security Legal requirements affect implementation of security and other IT operational aspects, and the impact of these legal requirements is increasing. Deciding how much security is necessary and convincing management to accept the recommendation is not an easy chore. However, current and proposed laws support the design and development of sound security practices. Consequently, legal requirements often can be an ally to security designers rather than a burden.

The impact security decisions will have on end users For purposes of considering the effect of security on end users, end user is defined as an individual who uses a system to obtain, manage, or distribute information but is not limited to employees who work directly for the company. Customers who access their banking or other information via the Internet, partners who cross gateways to access shared information, and public use of company Web sites are all examples of end users relying on information systems. Security designers must consider the impact that security policies will have on end users. For example, changing the password policy to require the use of symbols, letters, and numbers in password, when users were not required to do so before, can greatly upset a large number of users. If users are not warned that such a change is coming and told what they need to do to, the uproar and complaints can affect productivity and even force a roll-back to a less secure password policy.

How security will mitigate risk Risk is often defined as the probability of suffering a loss. Risk management involves identifying risk and deciding what to do about it. Even if a risk cannot be eliminated, it can be addressed. Mitigation of risk is one the goals of information security.

In addition to these common business drivers, the IT department has business drivers of its own to consider:

Maintaining interoperability The best security design might not be implemented because it failed to take into account the nature of all operating systems and applications that are part of the organization’s network.

Achieving security maintainability goals Any operations design must achieve certain maintainability goals, and this is even more important with security designs. Security devices and procedures that are not maintained will eventually become ineffective.

Addressing scalability needs Many security designs can be implemented in a test network or small business with great success, but are impractical or fail when rolled out across more extensive systems. While you can’t always forecast system growth, you can evaluate a security design in light of the environment it will be deployed in and simply assume moderate growth over time. 117-202 70-620 MB2-632 70-293

Client (Respond Only). When this policy is configured, the computer will use IPSec only if its communication partner requests that such a connection be established. The client itself will not request that IPSec be used.

Server (Request Security). When this policy is configured, the computer will request that its communication partner use IPSec. If the communication partner is unable to service this request, communication will continue in an insecure manner.

Secure Server (Require Security). When this policy is configured, the computer will communicate only with partners that support IPSec.

On top of this set of IPSec policies, specific policies can be created that are more specific. These policies can be restricted to specific hosts, subnets, and protocols. Custom policies can also be deployed by means of GPOs or local policy. 70-640 70-647 70-270 70-291

IPSec is considered by many to be the future of communication. Without IPSec, transmissions across a network are unencrypted. Such transmissions can be intercepted by packet sniffing utilities. This could potentially lead to valuable information falling into the hands of unauthorized parties. With IPSec, even if communication is intercepted, it cannot be read because the content is encrypted

Security templates can be edited in two ways. The first is by using the Security Template snap-in of the Microsoft Management Console. This method is the simplest way to edit the templates because it displays them in a form that is similar to that of the Group Policy Editor. Because security templates are stored in text file format, you can also edit security templates by using a text editor such as Notepad. This method is far more complicated and requires detailed knowledge of the security template syntax. Unless there is a compelling reason to do so, use the Security Template snap-in, because editing by using Notepad might lead to inadvertent errors in a template which, when applied, could make a system insecure.

After a security template is created, it must be deployed before it can have any influence on the security configuration of a system. Security templates are generally deployed by importing them into a Group Policy object. Once they have been imported into a Group Policy object, that Group Policy object can then be applied to sites, domains, and organizational units. Security templates can also be deployed by importing them into local Group Policy objects on standalone systems that are not a part of the domain. This can be done by editing the local Group Policy object (gpedit.msc) or by importing the template using the secedit command.

The principles involved in deploying a security template across a domain are similar to the principles involved in deploying Group Policy objects. In general, deployment should be as specific as possible. Grouping target systems into organizational units or sites is far preferable to deploying GPOs with security templates applied at the domain level. This way only the systems that are the targets of these policies will have to process them, and systems for which the policies are not relevant will not be delayed. The more Group Policy settings that are applied within a domain to all machines, the longer those machines take during startup and logon to process all of the policies to reach a final configuration.

One of the advantages to using security templates to configure the security settings in Group Policy objects is that they provide a documented point of reference for determining what went wrong when unexpected results appear. The security configuration and analysis tool can be used to look into the expected results. An administrator can also diagnose where what was planned diverged from what actually happened. One of the most common problems that occurs when security settings are applied is that the rules of Group Policy inheritance are forgotten. Policies applied at the organizational unit level override those applied at the domain level, which in turn override those applied at the site level, which finally override those that are applied locally. This gets even more complicated when policies are applied with the “no override” and “block inheritance” settings. Understanding how these options work is the key to diagnosing problems that occur in the application of security templates.  HP0-M23  000-938   000-100  000-960  000-995  190-805  HP0-S16

 Group Policy controls almost every aspect of the operation of a computer running Windows Server 2003, from the software installed to disk quotas and the appearance of the desktop. Of interest to the candidate for this exam is the Security Settings node located under Windows Settings in the Computer Configuration section of Group Policy Objects. The security settings node hosts almost all of the Windows Server 2003 security policies. Event logs, restricted groups, system services, and file system and registry permissions can be configured from this node.

How these policies are configured depends on the types of services the server to which they are applied is hosting. Although a domain controller and an Internet Information Services system will have many policy settings in common, there will be several policies, unique to the role of the server, that must be configured differently. Understanding the differences between the needs of each server is a critical part of performing well on this particular exam objective.

Security templates are text files that store configurations for all of the policies found under the security settings node. Security templates are the recommended way to make changes to Group Policy security settings. This is because templates are easily stored and provide a built-in record of the changes that have been made to Group Policy. Security templates can be created and edited in several ways. The easiest way to create and edit security templates is to use the Security Templates snap-in that can be added to any custom Microsoft Management Console (MMC). Performing this task by using the Security Templates snap-in enables you to use a simple visual interface to configure security. Creating and editing templates can also be performed by using a text editor such as Notepad.

After the security templates have been created, they need to be deployed. Deployment is generally done by putting the servers that will be the targets of the Group Policy object (GPO) into a separate organizational unit (OU), creating a new GPO, importing the template to the GPO, and then applying the GPO to the newly created OU. Security templates can also be imported and applied individually to servers at the local policy level.

Security templates are not the complete security solution for Windows Server 2003 or Microsoft Windows XP Professional. There are many Group Policy options that cannot be configured by using security templates. When a situation arises for which a policy must be set, and that cannot be done by using a template, these changes have to either be configured manually, if the system to which they are being applied does not fall under the influence of Group Policy, or have an appropriate policy applied if they do.  642-504  70-638  922-094  351-050

Cryptography and Encryption
Cryptography is essential for the secure exchange of information across intranets, extranets, and the Internet. From a technical point of view, cryptography is the science of protecting data by mathematically transforming it into an unreadable format, otherwise known as encryption. To a business, cryptography is a means to reduce the likelihood of a costly security compromise by providing authentication, confidentiality, and data integrity.
Network encryption comes in two main varieties: shared key encryption and public key encryption. Shared key encryption requires both the sender and the recipient of an encrypted message to have a shared secret-a password that can be used to encrypt and decrypt the message. Shared key encryption is easy to understand, but it is difficult to implement on a large scale. After all, to allow secure communication between 1,000 employees at a company would require about 1 million passwords to be exchanged, because any two users who wanted to communicate would need to exchange a unique password.
For example, if Sam wants to send an encrypted electronic message to Toby, Sam first walks over to Toby and whispers a password in his ear. Then, when Toby receives the electronic message, Toby decrypts it with the password. As long as nobody else knows the password, Sam can be sure that the contents of the message are private.
The second common network encryption mechanism is public key encryption, also known as asymmetric key encryption. Public key encryption uses one key to encrypt a message, and a second, related key to decrypt the message. These two keys form a key pair. One of these keys is kept private, and the other key can be shared publicly (hence the name, public key encryption).
For example, if Sam wants to send an encrypted message to Toby, Sam uses Toby’s public key to encrypt the message. When Toby receives the message, Toby uses his private key to decrypt it. Only Toby’s private key can be used to decrypt a message encrypted with his public key, so Sam can be sure that nobody else was able to view the contents of the message.
There’s another interesting way to use public key encryption: digital signatures. If Sam wants to prove to Toby that Sam, and not somebody else, sent the message, Sam can use Sam’s own private key to encrypt the message. After Toby receives it, Toby needs to use Sam’s public key to decrypt the message. If it decrypts properly, Toby can be certain that Sam’s private key was used to encrypt it and that the message hadn’t changed since Sam sent it. Of course, encryption takes a great deal of processing power, so Sam would probably choose to encrypt a short hash of the message instead of the entire message, and append the hash onto the end of the message. That would be sufficient to prove that Sam sent the message and that it hadn’t been modified in transit. NS0-201 70-643 70-631

Security Alert Earlier versions of Windows have several widely exploited vulnerabilities, and will almost certainly be exploited during the setup process if connected to the Internet. 352-001 70-290 70-536

Security Alert Not all attacks originate from the Internet. Worms and viruses might have infected computers on the local area network, and will be scanning computers inside the firewall for vulnerabilities. Therefore, you must still take measures to protect computers while installing the operating system, even if they are only connected to a private network.

MBSA is a powerful tool that you can use to assess the patch levels on your network. If and when a computer fails to install an update, MBSA can detect it. If there are rogue computers on your network that are not participating in your patching infrastructure, MBSA can find them. You can even schedule MBSA to scan your network for unpatched computers at night, so you can review the reports in the morning without waiting for the scan to occur.

MBSACLI
Scanning a large network should be done on a regular basis to find computers that have not been properly updated. However, scanning a large network is a time-consuming process. While the MBSA console is the most efficient way to interactively scan a network, the Microsoft Baseline Security Analyzer command-line interface (MBSACLI) provides a way to script an analysis. By using scripts, you can schedule scanning to occur automatically, without your intervention. In this way, you can have MBSACLI generate a report that you can refer to on demand.

Security Alert It’s convenient to schedule MBSACLI scans after business hours so you don’t consume network resources during working hours; however, if you do this, you won’t scan computers that users take home with them. It’s a good idea to schedule scans at various times during the day.

Another good reason to schedule scans by using MBSACLI is to scan from multiple points on your network. For example, if your organization has five remote offices, it is more efficient to scan each remote office by using a computer located in that office. This improves performance, reduces the bandwidth used on your wide area network, and allows you to scan computers even if a perimeter firewall blocks the ports that MBSACLI uses to scan.

MBSACLI runs in one of two modes: MBSA and HFNetChk. MBSA mode provides similar functionality to that of the graphical MBSA console. HFNetChk mode provides backward compatibility with earlier versions of the tool, and also provides additional functionality not supported in MBSA mode. Some of the additional features provided by HFNetChk mode are connecting to network resources as another user, specifying an XML data source, and scanning a set of computers specified in a text file. HFNetChk mode scans only for missing updates; it will not scan for other types of vulnerabilities, such as weak configuration settings. 640-801 70-291 1D0-510 MB6-508