
Learn by Example

Real-World Least Privilege

A large healthcare provider had a 60-member IT staff responsible for 4000 systems running Microsoft Windows. The company did not employ least privilege: the entire IT staff was granted Windows Domain Administrator access. Staff with such access included help desk personnel, backup administrators, and many others. All 60 domain administrators had super-user privileges on all 4000 Windows systems.

This level of privilege was excessive and led to problems. Operator errors led to violations of confidentiality, integrity, and availability (CIA). Because so many people could do so much, damage to the environment was prevalent. Data was lost; unauthorized changes were made; systems crashed, and it was difficult to pinpoint the causes.

A new security officer was hired, and one of his first tasks was to enforce least privilege. Role-based accounts were created: a help desk role that allowed access to the ticketing system, a backup role that allowed backups and restoration, and so on. The domain administrator list was whittled down to a handful of authorized personnel.

Many former domain administrators complained about loss of super-user authorization, but everyone got enough access to do their job. The improvements were immediate and impressive: unauthorized changes virtually stopped and system crashes became far less common. Operators still made mistakes, but those mistakes were far less costly.

Subjects and Objects

A subject is an active entity on a data system. Most examples of subjects involve people accessing data files. However, computer programs can be subjects as well. A Dynamic Link Library file or a Perl script that updates database files with new information is also a subject.

An object is any passive data within the system. Objects can range from documents on physical paper to database tables to text files. The important thing to remember about objects is that they are passive within the system: they do not manipulate other objects.

There is one tricky example of subjects and objects that is important to understand. If you are running iexplore.exe (the Internet Explorer browser on a Microsoft Windows system), it is a subject while running in memory. When the browser is not running in memory, the file iexplore.exe is an object on the filesystem.

Exam Warning
Keep all examples on the CISSP® exam simple by determining whether they fall into the definition of a subject or an object.
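As an added illustration (not from the book), the following Python model expresses the healthcare example above in subject/object terms: subjects carry roles, each role grants (object, action) permissions, and blast_radius counts how many of a constructed 60-person staff can perform a destructive action before and after role-based accounts are introduced. The role names, objects, actions and the 3/27/30 split of the staff are assumptions chosen for the example.

```python
"""Role-based least-privilege model (added example, not from the book)."""
from dataclasses import dataclass, field

# A permission is an (object, action) pair; "*" matches any object or action.
Permission = tuple[str, str]

# Assumed roles, mirroring the help desk / backup roles in the text.
ROLES: dict[str, set[Permission]] = {
    "domain_admin": {("*", "*")},
    "help_desk": {("ticketing_system", "read"), ("ticketing_system", "update")},
    "backup_operator": {("file_server", "backup"), ("file_server", "restore")},
}


@dataclass
class Subject:
    """An active entity (a person or a program) that acts on objects."""
    name: str
    roles: set[str] = field(default_factory=set)


def is_authorized(subject: Subject, obj: str, action: str) -> bool:
    """Grant access only if one of the subject's roles permits this action on this object."""
    for role in subject.roles:
        for perm_obj, perm_action in ROLES.get(role, set()):
            if perm_obj in ("*", obj) and perm_action in ("*", action):
                return True
    return False


def blast_radius(staff: list[Subject], obj: str, action: str) -> list[str]:
    """Names of every subject able to perform `action` on `obj` under current role assignments."""
    return sorted(s.name for s in staff if is_authorized(s, obj, action))


def build_staff(least_privilege: bool) -> list[Subject]:
    """Constructed 60-person IT staff: before the change everyone is domain_admin;
    after it, three named administrators keep it and the rest get a job role."""
    staff = []
    for i in range(60):
        if not least_privilege or i < 3:
            roles = {"domain_admin"}
        elif i < 30:
            roles = {"help_desk"}
        else:
            roles = {"backup_operator"}
        staff.append(Subject(f"user{i:02d}", roles))
    return staff


if __name__ == "__main__":
    for lp in (False, True):
        who = blast_radius(build_staff(lp), "domain_controller", "modify_gpo")
        print(f"least_privilege={lp}: {len(who)} staff can modify Group Policy")
```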

Defense-in-Depth

Defense-in-Depth (also called layered defenses) applies multiple safeguards (also called controls: measures taken to reduce risk) to protect an asset. Any single security control may fail; by deploying multiple controls, you improve the confidentiality, integrity, and availability of your data.

Learn by Example

Defense-in-Depth Malware Protection

A 12,000-employee company received 250,000 Internet emails per day. The vast majority of these emails were malicious, ranging from time- and resource-wasting spam to malware such as worms and viruses. Attackers changed tactics frequently, always trying to evade safeguards designed to keep the spam and malware out.

The company deployed preventive defense-in-depth controls for Internet email-based malware protection. One set of UNIX mail servers filtered the incoming Internet email, each running two different auto-updating antivirus/antimalware solutions by two different major vendors. Mail that scanned clean was then forwarded to an internal Microsoft Exchange mail server, which ran yet another vendor’s antivirus software. Mail that passed that scan could reach a user’s client, which ran a fourth vendor’s antivirus software. The client desktops and laptops were also fully patched.

Despite those safeguards, a small percentage of malware successfully evaded four different antivirus checks and infected the users’ client systems. Fortunately, the company deployed additional defense-in-depth controls, such as Intrusion Detection Systems (IDSs), incident handling policies, and a CIRT (Computer Incident Response Team) to handle incidents. These defensive measures successfully identified infected client systems, allowing for timely response.

All controls can fail, and sometimes multiple controls will fail. Deploying a range of different defense-in-depth safeguards in your organization lowers the chance that all controls will fail.