Dr. Bhavani Thuraisingham The University of Texas at Dallas (UTD) Introduction to Cyber Security (...

Post on 27-Dec-2015


Dr. Bhavani Thuraisingham
The University of Texas at Dallas (UTD)

Introduction to Cyber Security (Applications, Physical, Legal, Business Continuity, Operations)

Data and Applications Development Security
• System Lifecycle Security
• Applications Security Issues
• Database Security

Secure Systems Development Policies
• Organizations require more secure development
• The security climate has changed

Organizational Standards
• Systems Security Engineering Capability Maturity Model Integration (SSE-CMMI)
• Web Application Security Consortium (WASC)
• Build Security In (BSI)
• International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC) 27034

Software Configuration Management (SCM)
• Versioning
• Technology
• Protection of code
• Protection of project
  – Scope creep vs. statement of work
• Process integrity

System Lifecycle
• Project
• Management-based methodology
• Capability Maturity Model Integration
• SLC vs. SDLC
  – System lifecycle
  – System development lifecycle

Project Management Controls
• Complexity of systems and projects
• Controls built into software

Secure Development Environment
• “We need security? Then we’ll use SSL.”
• “We need strong authentication? PKI will solve all our problems.”
• “We use a secret/military-grade encryption.”
• “We had a hacking contest and no one broke it.”
• “We have an excellent firewall.”
• “We’ll add it later; let’s have the features first.”

Secure Development: Physical
• Protect source code
  – From tampering
  – Pirating
  – Accidental loss
  – Protection against attacks

Personnel Security
• Hiring controls
• Changes in employment
• Protection of privacy from employees
  – Privacy impact rating

Separation of Test Data from Production
• Never test on a production system
• Never use real data

Software Development Methods
• Waterfall
• Spiral method
• Clean-room
• Structured programming development
• Iterative development
• Joint analysis development
• Prototyping

Software Development Methods (cont.)
• Modified prototype model
• Exploratory model
• Rapid application development
• Reuse model
• Computer-aided software engineering
• Component-based development
• Extreme programming
• Agile development

Programming Language Examples
Interpreted
• REXX
• PostScript
• Perl
• Ruby
• Python
Compiled
• Fortran
• COBOL
• BASIC
• Pascal
• C
• Ada
• C++
• Java
• C#
• Visual Basic

Program Utilities
• Assembler
• Compiler
• Interpreter

Secure Coding Issues
• Buffer overflow
• SQL injection
• Cross-site scripting (XSS)
• Dangling pointer
• Invalid hyperlink
• Secure web applications
• JavaScript attacks vs. sandbox
• Application Programming Interface (API)
• Open source

Application Security Principles
• Validate all input and output
• Fail secure (closed)
• Fail safe
• Make it simple
• Defense in depth
• Only as secure as your weakest link

Object-oriented Programming
• OOP concepts
  – Classes
  – Objects
  – Message
  – Inheritance
  – Polymorphism
  – Polyinstantiation (term came from security)

Applications Security Issues
• Building security in
• Adding defense-in-depth

Transaction Processing
• Transaction
  – Integrity
  – Availability
  – Confidentiality

Malware and Attack Types
• Injection
• Input manipulation / malicious file execution
• Broken authentication management
• Cryptographic
• Denial of service
• Hijacking
• Information disclosure
• Infrastructure
• Mis-configuration
• Race condition

Malware
• Keystroke logging
• Adware and spyware
• Spam
• Phishing
• Botnets
• Remote access Trojan
• URL manipulation
• Maintenance hooks
• Privileged programs

Distributed Programming
• Distributed Component Object Model (DCOM)
• Simple Object Access Protocol (SOAP)
• Common Object Request Broker Architecture (CORBA)
• Enterprise Java Beans (EJB)

Database Management Systems (DBMS) Models
• Hierarchical DBMS
  – Stores records in a single table
  – Parent/child relationships
  – Limited to a single tree
  – Difficult to link branches

Relational DBMS Model
• Most frequently used model
• Data are structured in tables
• Columns are “variables” (attributes)
• Rows contain the specific instances (records) of data

Data Warehouse
• Consolidated view of enterprise data
• Data mart
• Designed to support decision making through data mining

Knowledge Discovery in Databases (KDD)
• Methods of identifying patterns in data
• KDD and AI techniques
  – Probabilistic models
  – Statistical approach
  – Classification approach
  – Deviation and trend analysis
  – Neural networks
  – Expert system approach
  – Hybrid approach

Database Security Issues
• Inference
• Aggregation
• Unauthorized access
• Improper modification of data
• Metadata
• Query attacks
• Bypass attacks
• Interception of data
• Web security
• Data contamination
• Polyinstantiation
• Data mining

Database Controls
• Access controls
• Grants
• Cascading permissions
• Lock controls
• Backup and recovery

View-based Access Controls
• Constrained views
• Sensitive data is hidden from unauthorized users
• Controls located in the front-end application (user interface)

Transaction Controls
• Content-based access control
• Commit statement
• Three-phase commit
• Database rollback
• Journal / logs
• Error controls

The ACID Test
• Atomicity
• Consistency
• Isolation
• Durability

Application and Database Languages: Security Issues
• Poorly designed
• More privileges than necessary
• DBA account use
• Lack of audit
• Input validation

Database Interface Languages
• Structured Query Language (SQL)
• Open Database Connectivity (ODBC)
• Extensible Markup Language (XML)
• Object Linking and Embedding (OLE)
• ActiveX Data Objects (ADO)

Legal, Regulations, Compliance and Investigations
• International Legal Issues
• Incident Management
• Forensic Investigation
• Compliance

Jurisdiction
• Law, economics, beliefs and politics
• Sovereignty of nations

International Cooperation
• Initiatives related to international cooperation in dealing with computer crime
• The Council of Europe (CoE) Cybercrime Convention

Computer Crime vs. Traditional Crime
Traditional crime
• Violent
• Property
• Public order
Computer crime
• Real property
• Virtual property

Intellectual Property Protection
• Organizations must protect intellectual property (IP)
  – Theft
  – Loss
  – Corporate espionage
  – Improper duplication
• Intellectual property must have value
  – Organization must demonstrate actions to protect IP

Intellectual Property: Patent
• Definition
• Advantages

Intellectual Property: Trademark
• Purpose of a trademark
• Characteristics of a trademark
  – Word
  – Name
  – Symbol
  – Color
  – Sound
  – Product shape

Intellectual Property: Copyright
• Covers the expression of ideas
  – Writings
  – Recordings
  – Computer programs
• Weaker than patent protection

Intellectual Property: Trade Secrets
• Must be confidential
• Protection of trade secret

Import and Export Law
• Strong encryption
• No terrorist states

Liability
• Legal responsibility
• Penalties
• Negligence and liability

Negligence
• Acting without care
• Due care

Transborder Data Flow
• Political boundaries
  – Privacy
  – Investigations
  – Jurisdiction

Personally Identifiable Information (PII)
• Identify or locate
• Not anonymous
• Global effort

Privacy Laws and Regulations
• Rights and obligations of:
  – Individuals
  – Organizations

International Privacy
• Organization for Economic Co-operation and Development (OECD)
• 8 core principles

Privacy Law Examples
• Health Insurance Portability and Accountability Act (HIPAA)
• Personal Information Protection and Electronic Documents Act (PIPEDA)
• European Union Data Protection Directive

Employee Privacy
• Employee monitoring
  – Authorized usage policies
  – Internet usage
  – Email
  – Telephone
• Training

Incident Management
• Prepare, sustain, improve
• Protect infrastructure
• Prepare, detect, respond

Collection of Digital Evidence
• Volatile and fragile
• Short life span
• Collect quickly
• By order of volatility
• Document, document, document!

Chain of Custody for Evidence
• Who
• What
• When
• Where
• How

Investigation Process
• Identify suspects
• Identify witnesses
• Identify system
• Identify team
• Search warrants

Investigation Techniques
• Ownership and possession analysis
• Means, opportunity and motive (MOM)

Behavior of Computer Criminals
• Computer criminals have specific MOs
  – Hacking software / tools
  – Types of systems or networks attacked, etc.
  – Signature behaviors
• MO and signature behaviors
• Profiling

Interviewing vs. Interrogation
Interviewing
• General gathering
• Cooperation
• Seek truth
Interrogation
• Specific aim
• Hostile
• Dangerous

Evidence: Hearsay
• Hearsay
  – Second-hand evidence
  – Normally not admissible
• Business records exception
  – Computer-generated information
  – Process of creation description

Reporting and Documentation
• Law
• Court proceedings
• Policy
• Regulations

Communication About the Incident
• Public disclosure
• Authorized personnel only

Computer Forensics: Evidence
• Potential evidence
• Evidence and legal system

Computer Forensics
• Key components
  – Crime scenes
  – Digital evidence
  – Guidelines

Computer Forensics: Evidence
• Identification of evidence
• Collection of evidence
  – Use appropriate collection techniques
  – Reduce contamination
  – Protect scene
  – Maintain the chain of custody and authentication

Computer Forensics: Evidence
• Scientific methods for analysis
  – Characteristics of the evidence
  – Comparison of evidence
• Presentation of findings
  – Interpretation and analysis
  – Format appropriate for the intended audience

Forensic Evidence Procedure
• Receive media
• Disk write blocker
• Bit-for-bit image
• Cryptographic checksum
• Store the source drive

Forensic Evidence Analysis Procedure
• Recent activity
• Keyword search
• Slack space
• Documented

Media Analysis
• Recognizing operating system artifacts
• File system
• Timeline analysis
• Searching data

Software Analysis
• What it does
• What files it creates

Network Analysis
• Data on the wire
• Ports
• Traffic hiding

Compliance
• Knowing legislation
• Following legislation

Regulatory Environment Examples
• Sarbanes-Oxley (SOX)
• Gramm-Leach-Bliley Act (GLBA)
• Basel II

Compliance Audit
• Audit = a formal written examination of controls
• Auditor role = third-party evaluator
• Continuous auditing = automation

Audit Report Format
• Introduction
  – Background
  – Audit perspective
  – Scope and objectives
• Executive summary
• Internal audit opinion
• Detail report including auditee responses
• Appendix
• Exhibits

Key Performance Indicators (KPI)
• Illegal software
• Privacy
• Security-related incidents

Physical (Environmental) Security
• Site and Facility Design Criteria
• Perimeter Security
• Building and Inside Security
• Secure Operational Area

Site Location Considerations
• Emergency services
• Hazards / threats
• Adjacency

Threats to Physical Security
• Natural / environmental
• Utility systems
• Human-made / political events

Threat Sources and Controls
Threat                Control
Theft                 Locks
Espionage             Background checks
Dumpster diving       Disposal procedures
Social engineering    Awareness
Shoulder surfing      Screen filters
HVAC access           Motion sensors in ventilation ducts

Perimeter and Building Boundary Protections
• First line of defense
• Protective barriers
  – Natural
  – Structural

Fences
• Federal, state or local codes may apply
• Parking should not be allowed near fences

Controlled Access Points
• Gates are the minimum necessary layer
• Bollards

Perimeter Intrusion Detection Systems
• Detect unauthorized access into an area
  – Electronic ‘eyes’
• Note that some perimeter IDSs can function inside the perimeter as well.

Types of Lighting
• Continuous lighting
• Trip lighting
• Standby lighting
• Emergency exit lighting
• Emergency egress lighting

Access and Visitor Logs and More Rigorous Forms of Logging
ABC Company    Entrance: ___________________    Date: ________________
Name    Institution    Name of Person Visiting    Time In    Time Out

Closed Circuit Television (CCTV)
• CCTV capability requirements
  – Detection
  – Recognition
  – Identification
• Mixing capabilities
• Virtual CCTV systems

Guards and Guard Stations
• Guards
  – Deterrent
  – Possible liability
• Guard stations

Doors
• Isolation of critical areas
• Lighting of doorways
• Contact devices
• Guidelines

Building Entry Point Protection
• Locks
• Lock components
  – Body
  – Strike
  – Strike plates
  – Key
  – Cylinder

Types of Locks
• Something you have – keyed
• Something you know – combinations
• Something you are – biometric

Lock Attacks
• Lock picking
• Lock bumping

Lock Controls
• Lock and key control system
• Key control procedures
• Change combinations
• Fail
  – Soft
  – Secure
  – Safe

Other Electronic Physical Controls
• Card access
• Biometric access methods

Windows and Entry Points
• Standard plate glass
• Tempered glass
• Acrylic materials
• Polycarbonate windows
• Entry points

Intrusion Detection Systems (IDS)
• Closed circuit television
• Sensors and monitors

Escorts and Visitor Control
• Visitor access control best practices
  – Picture identity
  – Photographs
  – Enclosed area
  – Authorized escort

Access Logs
• Computerized log
• Closed circuit TV

Equipment Room
• Perimeter enclosure
• Controls
• Policy

Data Processing Facility
• Small devices threat
• Server room
• Mainframes
• Storage

Communications and Power
• Wireless access points
• Network access control
• Utility and power rooms

Work Area
• Operators
• System administrators
• Restricted work areas

Equipment Protection
• Inventory
• Locks and tracing equipment
• Data encryption
• Disabling I/O ports

Environmental Controls
System              Threat
Electric power      Loss of power
HVAC                Overheating
Water / plumbing    Flood / dripping
Gas                 Explosion
Refrigeration       Leakage

Fire Protection
• Prevention – reduce causes
• Detection – alert occupants
• Suppression – contain or extinguish

Materials and Suppression Agents
Type                    Suppression agents
Common combustibles     Water, foam, dry chemicals
Combustible liquids     Inert gas, CO2, foam, dry chemicals
Electrical              Inert gas, CO2, dry chemicals
Combustible metals      Dry powders
Cooking media (fats)    Wet chemicals

Flooding Area Coverage
• Water – sprinkler systems
• Gas – Halon / CO2 / argon systems
• Best practices for systems
• Portable extinguishers

Types of Electrical Power Faults
• Complete loss of power
• Power degradation
• Interference (noise)
• Grounding

Loss of Electrical Power
• UPS
• Generators
• Goals of power
• Power controls

Heating, Ventilation and Air Conditioning (HVAC)
• Location
• Positive pressure
• Maintenance

Other Infrastructure Threats
• Gas leakage
• Water threats

Key Performance Indicators
• Number of physical security incidents detected
• Number of false positives for biometrics

Business Continuity and Disaster Recovery Planning
• Project Scope Development and Planning
• Business Impact Analysis (BIA) and Functional Requirements
• Business Continuity and Recovery Strategy
• Plan Design and Development
• Implementation
• Restoration / Disaster Recovery
• Feedback and Plan Management

Sources of Information
• Disaster Recovery Institute International
• Business Continuity Institute
• ISO 25999
• ISO 27001, Section 10
• NIST SP 800-34

ISO 25999: Business Continuity Management
• Risk management
• Disaster recovery
• Facilities management
• Supply chain management
• Quality management
• Health and safety
• Knowledge management
• Emergency management
• Security
• Crisis communications and PR

Overview of BCP
• Direct benefits
• Indirect benefits
• Overlap with risk management
• BCM vs. BCP vs. COOP

The Enterprise BCP
• DRP
  – Backup strategies
  – Emergency procedures
  – Contracts and provisioning
• BIA
  – Reciprocal agreements
  – Alternate sites
• Incident response planning
  – Succession plan
  – Incident response team

The Enterprise BCP (cont.)
• Risk analysis
  – Safeguards / countermeasures
  – Insurance plan
• Corporate communication plan
  – User awareness training
  – Media / stakeholder relations plan

The Business Continuity Life Cycle
• Analyze the business
• Assess the risks
• Develop the BC strategy
• Develop the BC plan
• Rehearse the plan

BC Project Phases
• Project Scope Development and Planning
• Business Impact Analysis (BIA) and Functional Requirements
• Business Continuity and Recovery Strategy
• Plan Design and Development
• Implementation
• Restoration / Disaster Recovery
• Feedback and Plan Management

Reflecting Organizational Context
• Policy is the driver
• Aligned with requirements
• Provides direction and focus
• Use Business Impact Analysis
• Identify inputs
• Outcomes and deliverables
• Reviewed annually

Policy
• Organizational authority
• Policy document
• Program scope
• Resources
• Outsourcing

Policy Contents
• Framework
• Tools and techniques
• Policy contents
• Change is infrequent

Outsourced Activities
• You are still responsible
• Resilience in outsourcing
• Supplier continuity

Scope and Choices
• Limit scope
• Ensure clarity of scope
• Strategy, Return on Investment (ROI), and SWOT (Strengths, Weaknesses, Opportunities, Threats)
• Review yearly

Program Management
• Assigning responsibilities
• Initiating BCP in the organization
• Project management
• Ongoing management
• Documentation
• Incident readiness and response

Documentation
• Review current BCP if available
• Documentation may not equal capability
• Staff must be trained to use any necessary software
• Types of documentation
• Review as directed by policy

Initiating BCP
• Awareness, data, implementation
• Staff and budget
• Result must be a long-term, sustainable program
• Review progress monthly

Incident Readiness & Response
• Planners become leaders
• Be prepared
• Triage
• Incident management
• Success = return to operations
• Immediate lessons learned

Key Indicators of Success
• Senior management commitment
• Policy content
• BCP resources
• Project management
• Documentation

Understanding the Organization
• Business Impact Analysis (BIA)
  – Benefits
  – Objectives
• Evaluating threats (risk assessment)
• Emergency assessment
• Indicators of critical business functions

Business Impact Analysis
• Identifies, quantifies and qualifies loss
• Scope and support required
• Documents impact and dependencies
• MTD, RPO
• Business impact analysis process
• Workshops, questionnaires, interviews
• Business justifications for budget

Maximum Tolerable Period of Disruption
Item                 Required recovery time following a disaster
Non-essential        30 days
Normal               7 days
Important            72 hours
Urgent               24 hours
Critical/Essential   Minutes to hours

Estimating Continuity Requirements
• Total budget for disaster recovery
• Identification of necessary resources
• Outcomes feed BCP strategy selection
• Reviewed with BIA

Evaluating Threats (Risk Assessment)
• Risk equation + time element
• Risk = threat impact × probability
• Prioritize key processes and assets
• Outcomes

Key Indicators of Success
• Corporate governance
• BIA practice
• Risk assessment practice

Determining Business Continuity Strategy
• High-level strategies
• RTO < MTPD
• Separation distance
• Resilience
• Address specific business types

Determining Strategy
• Determining BC strategies
• Strategy options
• Activity continuity options
• Resource-level consolidation

Activity Continuity Options
• Selecting recovery tactics
• Reliability
• Extent of planning
• Cost/benefit analysis
• Outcome

Recovery Alternatives
Multiple processing / mirrored site
  Description: Fully redundant identical equipment and data
  Readiness: Highest level of availability and readiness
  Cost: Highest
Mobile site / trailer
  Description: Designed, self-contained IT and communications
  Readiness: Variable drive time; load data and test systems
  Cost: High
Hot site
  Description: Fully provisioned IT and office, HVAC, infrastructure and communications
  Readiness: Short time to load data, test systems. May be yours or vendor staff
  Cost: High
Warm site
  Description: Partially IT equipped, some office, data and voice, infrastructure
  Readiness: Days or weeks. Need equipment, data communications
  Cost: Moderate
Cold site
  Description: Minimal infrastructure, HVAC
  Readiness: Weeks or more. Need all IT, office equipment and communications
  Cost: Lowest

Processing Agreements
Reciprocal or Mutual Aid
  Description: Two or more organizations agree to recover critical operations for each other.
  Consideration: Technology upgrades / obsolescence or business growth. Security and access by partner users.
Contingency
  Description: Alternate arrangements if the primary provider is interrupted, e.g. voice or data communications.
  Consideration: Providers may share paths or lease from each other. Question them.
Service Bureau
  Description: Agreement with an application service provider to process critical business functions.
  Consideration: Evaluate their loading geography and ask about backup mode.

Resource Level Consolidation
• Consolidation plan
• Availability of solutions
• Consolidate, approve, implement
• Methods and techniques
• Outcomes and deliverables

Business Continuity Plan
• Master plan
• Modular in design
• Executive endorsement
• Review quarterly

Business Continuity Plan Contents
• When the team will be activated
• Means by which the team will be activated
• Places to meet
• Action plans / task list created
• Responsibilities of the team or of specific individuals
  – Liaising with emergency services (fire, police, ambulance)
  – Receiving or seeking information from response teams
  – Reporting information to the Incident Management Team
  – Mobilizing third-party suppliers of salvage and recovery services
  – Allocating available resources to recovery teams
  – Invocation / mobilization instructions

Developing and Implementing Response
• Incident response structure
• Emergency response procedures
• Personnel notification
• Communications
• Restoration

Implementing Incident Management Plan
• Rapid response is critical
• Crisis management
• Steps to develop an Incident Management Plan
• Action plans

Incident Response Structure
• Strategic
• Tactical
• Operational

Key Indicators of Success
• Development and acceptance of Recovery Strategies and Business Continuity Plans

Disaster Recovery
• Salvage
• Separate function and team
• Facility restoration
• System recovery

Testing the Program
• Find the flaws
• Outsourcing
• Timetable for tests
• Test design process

Testing Types
Desk check
  Process: Check the contents of the plan, aid in maintenance.
  Participants: Author
  Frequency: Often
  Complexity: Low
Walk-through
  Process: Check interaction and roles of participants.
  Participants: Author and main people
Simulation
  Process: Includes business plans, buildings, communications.
  Participants: Main people and auditors
Parallel testing
  Process: Moves work to another site. Recreates the existing work from the displaced site.
  Participants: Everyone at location
Full
  Process: Shuts down and relocates all work.
  Participants: Everyone at both locations
  Frequency: Rare
  Complexity: High

Embedding BCP
• Assessing level of awareness and training
• Developing BCP within the culture
• Monitoring cultural change

Test BCP Arrangements
• Test, rehearsal, exercise
• Combine all plan activities
• Stringency, realism and minimal exposure
• Contents of a test
• Outcomes

Maintaining BCP Arrangements
• Ready and embedded
• Triggered by change management
• Owners keep information current
• Documented
• Review as needed

Reviewing BCP Arrangements
• Audit
• Independent BCP audit opinion
• As directed by audit policy

Factors for Success
• Supported by senior management
• Everyone is aware
• Everyone is invested
• Consensus

Assessing the Level of Awareness and Training
• Where are we now
• What does the policy state
• Current vs. desired levels
• Training framework in place

Developing a BCP Within the Organization’s Culture
• Training, education, awareness
• Well-implemented policy
• Design
• Delivery planning
• Delivery
• Cost-effective delivery
• Higher awareness

Operations Security
• Protection and Control of Data Processing Resources
  – Media Management
  – Backups and Recovery
  – Change Control
• Privileged Entity Control

Control Categories
• Preventive
• Detective
• Corrective
• Deterrent
• Recovery
• Directive
• Compensating

Application-related Controls
• Transaction
• Input
• Processing
• Output
• Test
• Supervision / balancing
• Job-flow
• Logging
• Licensing

Operations Security Focus Areas
• Auditors
• Support staff
• Vendors
• Security
• Programmers
• Operators
• Engineers
• Administrators

Facility Support Systems
• The support systems in centralized and decentralized operation centers must be protected
  – Hardware
  – Software
  – Storage media
  – Cabling
  – Physical security

Facility Support Systems (cont.)
• Fire protection
• HVAC
• Electrical power goals

Facility Support Systems (cont.)
• Water
• Communications
• Alarm systems

Media Management
• Storage
• Encryption
• Retrieval
• Disposal

Object Reuse
• Securely reassigned
• Disclosure
• Contamination
• Recoverability

Clearing of Magnetic Media
• Overwriting
• Degaussing
• Physical destruction

Media Management Practices
• Sensitive media controls
  – Destroying
  – Marking
  – Labeling
  – Handling
  – Storing
  – Declassifying

Misuse Prevention
Threat           Countermeasures
Personal use     Acceptable use policy, workstation controls, web content filtering, email filtering
Theft of media   Appropriate media controls
Fraud            Balancing of input/output reports, separation of duties, verification of information
Sniffers         Encryption

Records Management
• Considerations for records management program development
• Guidelines for developing a records management program
• Records retention

Adequate Software & Data Backup
• Operations controls ensure adequate backups of:
  – Data
  – Operating systems
  – Applications
  – Transactions
  – Configurations
  – Reports
• Backups must be tested
• Alternate site recovery plan

Fault Tolerance
• Hardware failure is planned for
• System recognizes a failure
• Automatic corrective action
• Standby systems
  – Cold – configured, not on, lost connections
  – Warm – on, some lost data or transactions (TRX)
  – Hot – ready – failover

RAID – Redundant Array of Independent Disks
• Hardware-based
• Software-based
• Hot spare

RAID Level 0
• Two or more disks
• No redundancy
• Performance only

RAID Level 1
• Exact copy (or mirror)
• Two or more disks
• Fault tolerant
• 200% cost

RAID Level 2
• Striping of data with error correcting codes (ECC)
• Requires more disks than RAID 3/4/5
• Not used, not commercially viable

RAID Level 3
• Byte-level stripes
• 1 drive for parity
• All other drives are for data

RAID Level 4
• Block-level stripes
• 1 drive for parity
• All other drives are for data

RAID Level 5
• Block-level stripes
• Data and parity interleaved amongst all drives
• The most popular RAID implementation

RAID Level 6
• Block-level stripes
• All drives used for data AND parity
• 2 parity types
• Higher cost
• More fault tolerant than RAID implementations 2–5

RAID Level 0+1
• Mirroring and striping
• Higher cost
• Higher speed

RAID Level 10
• Mirroring and striping
• Higher cost
• Higher speed
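The RAID 5 layout described above (block-level stripes with parity interleaved across all drives) as a small Python model; this is an added example, not material from the slides. It assumes a left-symmetric rotating parity placement and a constructed sample payload, and it shows why the loss of one disk can be rebuilt by XOR while the loss of two cannot, which is the gap RAID 6's second parity closes.

```python
from typing import List, Optional

# Constructed sample payload for the demonstration (not from the slides).
SAMPLE = b"The quick brown fox jumps over the lazy dog"


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length blocks together; the heart of single-parity RAID."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def parity_disk_for(stripe: int, n_disks: int) -> int:
    """Rotating (left-symmetric) parity placement, assumed for this model:
    stripe 0 puts parity on the last disk, stripe 1 on the one before it, ..."""
    return (n_disks - 1 - stripe) % n_disks


def raid5_write(data: bytes, n_disks: int, block_size: int) -> List[List[bytes]]:
    """Stripe data across n_disks with one XOR parity block per stripe.
    Returns disks[d][s] = the block held by disk d in stripe s."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    data_blocks = n_disks - 1
    stripe_bytes = block_size * data_blocks
    padded = data + b"\x00" * (-len(data) % stripe_bytes)  # fill the last stripe
    disks: List[List[bytes]] = [[] for _ in range(n_disks)]
    for s in range(len(padded) // stripe_bytes):
        chunk = padded[s * stripe_bytes:(s + 1) * stripe_bytes]
        blocks = [chunk[i * block_size:(i + 1) * block_size] for i in range(data_blocks)]
        parity = xor_blocks(blocks)
        p = parity_disk_for(s, n_disks)
        next_block = iter(blocks)
        for d in range(n_disks):
            disks[d].append(parity if d == p else next(next_block))
    return disks


def raid5_read(disks: List[List[bytes]], length: int) -> bytes:
    """Reassemble user data, skipping each stripe's parity block."""
    n_disks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        p = parity_disk_for(s, n_disks)
        for d in range(n_disks):
            if d != p:
                out += disks[d][s]
    return bytes(out[:length])


def raid5_rebuild(disks: List[Optional[List[bytes]]]) -> List[List[bytes]]:
    """Rebuild exactly one failed disk (marked None) from the survivors.
    Parity is the XOR of the data blocks, so the XOR of all blocks in a
    stripe is zero and the missing block (data or parity) is the XOR of
    the rest. A second concurrent failure leaves an unsolvable equation."""
    missing = [i for i, d in enumerate(disks) if d is None]
    if len(missing) != 1:
        raise ValueError(f"RAID 5 tolerates one lost disk, {len(missing)} are missing")
    survivors = [d for d in disks if d is not None]
    rebuilt = [xor_blocks([d[s] for d in survivors]) for s in range(len(survivors[0]))]
    repaired = list(disks)
    repaired[missing[0]] = rebuilt
    return repaired


def raw_to_usable_ratio(n_disks: int) -> float:
    """Fraction of raw capacity holding user data: (n-1)/n for RAID 5,
    versus 1/2 for the 200%-cost mirror of RAID 1."""
    return (n_disks - 1) / n_disks


if __name__ == "__main__":
    array = raid5_write(SAMPLE, n_disks=4, block_size=4)
    degraded = list(array)
    degraded[2] = None  # simulate the loss of disk 2
    repaired = raid5_rebuild(degraded)
    print("rebuilt disk matches original:", repaired[2] == array[2])
    print("data read after rebuild:", raid5_read(repaired, len(SAMPLE)))
```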

Redundant Array of Independent Tapes (RAIT)
• Using tapes, not disks
• Real-time mirroring

Hot Spares
• Waiting for disaster
• Global
• Dedicated

Backup Types
• File image
• System image
• Data mirroring
• Electronic vaulting
• Remote journaling
• Database shadowing
• Redundant servers
• Standby services

System Recovery – Trusted Recovery
• Correct implementation
• Failures don’t compromise a system’s secure operation

Types of Trusted Recovery
• System reboot
• Emergency system restart
• System cold start

Fail Secure
• Cause little or no harm to personnel
• System remains secure

Operational Incident Handling
• First line of defense
• Logging, tracking and analysis of incidents
• Escalation and notification

Incident Response Team
Benefits
• Protection of assets
• Profitability
• Regulations
• Avoiding downstream damage
• Limit exposure
Priorities
• Life safety
• Labeled data
• Communication
• Reduce disruption

Contingency Plans
• Business continuity plans and procedures
  – Power failure
  – System failure
  – Denial of service
  – Intrusions
  – Tampering
  – Communication
  – Production delay
  – I/O errors

Change Control Management
• Business and technology balance
• Defines
  – Process of changes
  – Ownership of changes
• Changes are reviewed for impact on security

Change Control Committee Responsibilities
Management
• Business impact
• Regulations
• Risk management
• Approval
• Accreditation
Technical
• Request process
• Functional impact
• Access control
• Testing
• Rollback
• Certification

Change Control Procedures
• Request
• Impact assessment
• Approval
• Build/test
• Implement
• Monitor

Configuration Management Elements
• Hardware inventory
• Hardware configuration chart
• Software
• Firmware
• Documentation requirements
• Testing

Patch Management
• Knowledge of patches
• Testing
• Deployment
• Zero-day challenges

Protection of Operational Files
• Library maintenance
  – Backups
  – Source code
  – Object code
  – Configuration files
• Librarian

Operator Privileges
• Data input and output
• Data maintenance
• Labeling
• Inventory

Administrator Privileges
• Systems administrators
• Network administrators
• Audit highly privileged accounts

Security Administrator Privileges
• Security administration includes:
  – Policy
    • Development
    • Implementation
    • Maintenance and compliance
  – Vulnerability assessments
  – Incident response

Control Over Privileged Entities
• Review of access rights
• Supervision
• Monitoring/audit