Security Posture – CompTIA Security+ SY0-401: 3.6

You can’t build a security policy unless you know how to plan, monitor, and remediate security issues. In this video, you’ll learn some best-practices for baselining, watching, and resolving security problems.

<< Previous Video: Physical Port SecurityNext: Reporting >>

When you’re building out a security posture, it has to be based on something. So one of the first things you’ll do is build an initial baseline of what you would like your security to be. This often takes a lot of planning and a lot of thought. You have to look at the requirements that you have, the things that you need to protect.

There’s generally a minimum level of protection you’re thinking about for the data and the systems that you have in place. Windows systems, Linux systems, different databases, they may all have different requirements. And so you may be setting different baselines depending on the type of system. You also have to think about some of the legal requirements you have and some of the compliance requirements you have.

If you’re a medical organization, there’s a series of requirements that are defined in HIPAA that you must comply with. There may be financial requirements. The Sarbanes-Oxley compliance requirements that you have may require that you keep certain amount of data private, certain amount of data segmented off, and that you’re keeping it for a certain amount of time. You also have to think about how you’re going to watch this baseline over time.

When you install a new application, when you install a new patch, it may affect what you need as a minimum requirement for the security of those devices. Sometimes installing these patches creates other security holes. So you may not want to install certain patches because of that issue.

But if you don’t install that patch, other things may be a problem later on. And we need to mitigate that. It’s a balancing act. It’s a very complex balancing act we have to think about, but it’s one that we have to keep our eyes open and maintain these systems through the entire life cycle of that application and the entire life cycle of that operating system.

If you’re plugged into the different security blogs, you’re watching some of the announcement areas where you can gain information about vulnerabilities, then you see new vulnerabilities come out every day. For different applications, different operating systems, there’s constant, constant motion there. And so you have to keep up with what’s going on. You have to also continuously monitor your systems and make sure that they are constantly up to date, that you are modifying and updating them. And you have to make sure that whatever you do on those systems, whether you are changing a patch, maybe you’re adding a different configuration, that you’re keeping an eye on how that changes the security posture of those systems.

The National Institute of Standards and Technology has created a document here in the December 2010 time frame. This was in draft form. So you may want to go out and see what the latest version of this. But this is a document for continuous monitoring for federal information systems in organizations. And although this is focused on the United States federal organizations, you may also want to look at it if you’re not in a federal organization, because there may be some very good information in here on best practices on what you should do to continuously monitor your systems.

If you’ve created these baselines, you’re constantly monitoring them and then you realize one of your systems does not match what we consider to be a baseline for the security of that system, you have to decide what process you want to take. And generally, it’s something called remediation. Maybe we’re taking those systems and they only have access to a very special remediation network.

So if a system plugs into the network and it doesn’t have the latest antivirus signatures, we’re going to make sure they can’t access anything on the network. We’re going to put them in a special network automatically. And that network would only have access to download the latest antivirus patches, maybe make sure they’ve got the latest operating system patches, but have them put in a place in the network where they cannot cause a problem.

That becomes very important if we’re trying to maintain this particular security posture. And once they get the patch installed, once they get the latest version of antivirus updates, we’ll, of course, constantly monitor that system. And when that computer’s now up to date with the minimum security baseline, they now gain the normal access that they would have to the network.

A lot of this can be automated through 802.1x. We’ve talked often about network access control. And I almost always with network access control, there’s a section of the network just for remediation. And that’s where we’d want to have all of those security tools available so that the user finds that the disk encryption is not enabled on their computer or the antivirus is not up to date.

They’d go to one particular place on the network and still have the access to be able to fix the problem first. You want to be sure that every system on your network is running that particular baseline so that you can be absolutely sure that your security posture is the one that you want for your organization.