
CISSP Exam Guide Notes: 7.6 Prevention and Detection

Author: 血狼debugeeker
Published: 2021-03-23 11:10:28
Column: debugeeker的专栏

The generalized process for putting preventive and detective controls in place has these steps:

  1. Understand the risk.
  2. Use the right controls.
  3. Use the controls correctly.
  4. Manage your configuration.
  5. Assess your operation.

Continuous Monitoring


NIST Special Publication 800-137, “Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations,” defines information security continuous monitoring as “maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.”

The whole point of continuous monitoring is to determine whether the controls remain effective at reducing risk to acceptable levels.

The metrics and measurements provide data that must be analyzed in order to make it actionable.

Finally, continuous monitoring involves deciding how to respond to the findings.

Continuous monitoring is a deliberate process. You decide what information you need, then collect and analyze it at a set frequency, and then you make business decisions with that information. Properly implemented, this process is a powerful tool in your prevention kit.

Firewalls


Once you have paired each firewall control with the specific risk it is meant to mitigate, you can look at your network and decide where the best places are to locate firewalls to mitigate those risks.

The operational challenge is to both accurately track the current sets of rules and have a process to identify rules that must be added, modified, or deleted.

Finally, you need a plan to routinely assess the effectiveness of your firewall defenses.
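One way to put the rule-tracking and assessment process into practice, as an added example that is not code from the CISSP guide or from any firewall vendor: parse the rules currently deployed, compare them with the approved baseline to find rules that must be added or deleted (a modified rule shows up as one of each), and flag the two hygiene problems a routine assessment most often turns up, shadowed rules that can never fire and over-broad "allow anything" rules. The five-field rule syntax, the `Rule`, `audit` and related helpers, and both rule sets are assumptions constructed for this illustration; real products use their own formats.

```python
"""Audit a deployed firewall rule set against its approved baseline.

Added example for these notes, not code from the CISSP guide or from any
firewall vendor. The five-field rule syntax is a simplified, constructed
format, and both rule sets below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "deny"
    proto: str   # "tcp", "udp" or "any"
    src: str     # CIDR or "any"
    dst: str     # CIDR or "any"
    dport: str   # destination port or "any"


def parse_rules(text):
    """Parse 'action proto src dst dport' lines; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rules.append(Rule(*line.split()))
    return rules


def _net(cidr):
    return ip_network("0.0.0.0/0") if cidr == "any" else ip_network(cidr)


def covers(a, b):
    """True if rule a matches every packet that rule b would match."""
    return (a.proto in ("any", b.proto)
            and a.dport in ("any", b.dport)
            and _net(b.src).subnet_of(_net(a.src))
            and _net(b.dst).subnet_of(_net(a.dst)))


def shadowed(rules):
    """Rules that can never fire under first-match evaluation because an
    earlier rule already covers them. Returns [(rule_index, shadowed_by)]."""
    found = []
    for i, rule in enumerate(rules):
        for j in range(i):
            if covers(rules[j], rule):
                found.append((i, j))
                break
    return found


def broad_allows(rules):
    """Allow rules from any source with no service restriction: the classic
    'temporary' opening that nobody removed."""
    return [i for i, r in enumerate(rules)
            if r.action == "allow" and r.src == "any"
            and r.proto == "any" and r.dport == "any"]


def diff_rules(deployed, approved):
    """Rules in production but not in the baseline must be justified or
    deleted; baseline rules missing from production must be added.
    A modified rule appears as one delete plus one add."""
    return {
        "delete": [r for r in deployed if r not in approved],
        "add": [r for r in approved if r not in deployed],
    }


# Constructed sample rule sets (first-match semantics).
APPROVED = """
allow tcp any            10.0.0.0/24 443    # internet -> web tier
allow tcp 10.0.0.0/24    10.0.1.0/24 5432   # web tier -> database
deny  any any            any         any    # default deny
"""

DEPLOYED = """
allow tcp any            10.0.0.0/24 443
allow any any            10.0.1.0/24 any    # emergency change, never reverted
allow tcp 10.0.0.0/24    10.0.1.0/24 5432   # shadowed by the rule above
allow tcp 192.168.5.7/32 10.0.1.0/24 22     # admin jump host, not in baseline
deny  any any            any         any
"""


def audit(deployed_text, approved_text):
    """Run all three checks and return the findings as one report."""
    deployed = parse_rules(deployed_text)
    return {
        "shadowed": shadowed(deployed),
        "broad_allows": broad_allows(deployed),
        "drift": diff_rules(deployed, parse_rules(approved_text)),
    }


if __name__ == "__main__":
    for finding, detail in audit(DEPLOYED, APPROVED).items():
        print(finding, detail)
```

Running this against the constructed sets reports the emergency rule as an over-broad allow, shows that it shadows both the database rule and the jump-host rule, and lists the two undocumented rules as drift to delete (or to justify and add to the baseline). The same loop, run against a nightly export of the real rule base, is the routine assessment the text asks for.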

Intrusion Detection and Prevention Systems


The main difference between an IDS and an IPS is that an IDS will only detect and report suspected intrusions, while an IPS will detect, report, and stop suspected intrusions.

The placement of network sensors is critical with IDSs/IPSs just as it is with firewalls.

False positives—that is, detecting intrusions when none happened—can lead to fatigue and desensitizing the personnel who need to examine each of these alerts.

False negatives are events that the system incorrectly classifies as benign, delaying the response until the intrusion is detected through some other means.

Perhaps the most important step toward reducing errors is to baseline the system. Baselining is the process of establishing the normal patterns of behavior for a given network or system.
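The baselining step, the false-positive/false-negative trade-off and the IDS-versus-IPS distinction, as an added example that is not code from the CISSP guide or from any IDS product: a known-good window is turned into a per-host profile of connections per minute, an observed minute is scored against it, and the alerts are checked against the hosts that were actually malicious. Scoring every host against one global profile instead (what an un-baselined deployment effectively does) is included to show why baselining matters: no single threshold then separates a chatty backup server from a slow scanner. The per-host counts, the log lines, the `10.0.0.x` addresses and the `build_baseline`, `detect` and `evaluate` helpers are all assumptions constructed for this illustration.

```python
"""Baseline-driven anomaly detection with a false-positive / false-negative
check. Added example for these notes, not code from the CISSP guide or any
IDS product. All counts and log lines below are constructed sample data.
"""
import statistics
from collections import Counter, defaultdict

# Constructed baseline: per-source connections per minute over a ten-minute
# known-good window. 10.0.0.3 is a backup server that is always chatty; the
# others are ordinary workstations.
BASELINE_COUNTS = {
    "10.0.0.1": [4, 5, 6, 5, 4, 6, 5, 5, 4, 6],
    "10.0.0.2": [5, 5, 4, 6, 5, 4, 5, 6, 5, 5],
    "10.0.0.3": [38, 42, 40, 41, 39, 40, 42, 38, 41, 39],
    "10.0.0.9": [3, 4, 5, 4, 3, 5, 4, 4, 5, 3],
}

# Constructed observed minute as "HH:MM src dst:port" log lines. 10.0.0.3 is
# slightly busier than usual (legitimate); 10.0.0.9 sweeps SMB at 30/min.
OBSERVED_LOG = (
    [f"02:00 10.0.0.1 10.0.1.{i}:443" for i in range(1, 6)]
    + [f"02:00 10.0.0.2 10.0.1.{i}:443" for i in range(1, 7)]
    + [f"02:00 10.0.0.3 10.0.1.{i}:22" for i in range(1, 44)]
    + [f"02:00 10.0.0.9 10.0.1.{i}:445" for i in range(1, 31)]
)
TRULY_MALICIOUS = {"10.0.0.9"}  # ground truth for the evaluation


def counts_per_minute(lines):
    """Aggregate raw log lines into {src: {minute: connection count}}."""
    table = defaultdict(Counter)
    for line in lines:
        minute, src, _dst = line.split()
        table[src][minute] += 1
    return table


def build_baseline(counts):
    """Per-host (mean, stdev) of connections per minute, plus one global
    profile used for hosts never seen during the baseline window."""
    per_host = {src: (statistics.mean(v), statistics.pstdev(v))
                for src, v in counts.items()}
    everything = [c for v in counts.values() for c in v]
    return per_host, (statistics.mean(everything), statistics.pstdev(everything))


def detect(lines, baseline, k=3.0, mode="ids", per_host=True):
    """Alert on any (src, minute) whose count exceeds mean + k*stdev.
    mode="ids" only reports; mode="ips" also returns the sources to block.
    per_host=False scores every host against the single global profile."""
    profiles, global_profile = baseline
    alerts = []
    for src, minutes in counts_per_minute(lines).items():
        mean, sd = profiles.get(src, global_profile) if per_host else global_profile
        for minute, n in sorted(minutes.items()):
            if n > mean + k * sd:
                alerts.append((src, minute, n))
    blocked = sorted({src for src, _, _ in alerts}) if mode == "ips" else []
    return alerts, blocked


def evaluate(alerts, malicious):
    """Source-level confusion counts: false positives are benign hosts that
    were alerted on, false negatives are malicious hosts never alerted on."""
    flagged = {src for src, _, _ in alerts}
    return {
        "true_positive": len(flagged & malicious),
        "false_positive": len(flagged - malicious),
        "false_negative": len(malicious - flagged),
    }


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_COUNTS)
    for label, kwargs in [("per-host, k=3", dict(k=3.0, per_host=True)),
                          ("global,   k=3", dict(k=3.0, per_host=False)),
                          ("global,   k=1", dict(k=1.0, per_host=False))]:
        alerts, blocked = detect(OBSERVED_LOG, baseline, mode="ips", **kwargs)
        print(label, evaluate(alerts, TRULY_MALICIOUS), "blocked:", blocked)
```

With per-host baselines and k=3 the scanner is the only alert and, in IPS mode, the only blocked source. Against the global profile, k=3 misses the scan entirely (a false negative: 30 connections is unremarkable next to the backup server's normal 40) and k=1 catches it only by also flagging the backup server (a false positive). In IPS mode that false positive would have blocked a legitimate server, which is the practical reason the text treats baselining as the most important error-reduction step.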

Originally published: 2021-03-07.