Andrew Young says
What is a good way to determine and designate who should be responsible for server oversight and processes and how can we make sure access is secure and relevant?
Kenneth Saltisky says
Hi Andrew,
When determining who is responsible for server oversight/processes, you generally need to figure out who the stakeholders that are relevant are. This could be system admins, IT managers, developers, or others. To make sure access is secure and relevant, you need to make sure that group and user policies are in place on the server as well as proper access controls. To make sure that access is relevant, you need to conduct auditing and monitoring and regularly check on required access for user groups to ensure least privilege is kept.
Ikenna Alajemba says
Why do you think companies often fail to harden their clients adequately? I actually pulled this question directly from Corporate Computer Security chapter 7.
Michael Obiukwu says
How well do organizations in the United States comply with NIST special publication 800-123?
Chidiebere Okafor says
The compliance of organizations in the United States with NIST Special Publication 800-123 can vary significantly based on factors like industry, size, regulatory requirements, budget constraints, and cybersecurity maturity. The guidelines are often adopted by private sector organizations, with higher compliance levels in highly regulated industries. Smaller organizations may struggle due to budget constraints, expertise, or competing priorities. To assess compliance levels, recent surveys, reports, or studies from cybersecurity firms can be consulted.
Chidiebere Okafor says
How does the guide address the challenges of maintaining a security baseline for servers?
Hashem Alsharif says
I think the guide is a solid outline for maintaining a security baseline. It gave the outline/definition of numerous IT terms; it also outlined rules that must be followed. With every new software that gets installed, many new issues can come along, and the guide makes sure that when an action is done, it’s done properly by the right person to make the process as efficient as possible.
Erskine Payton says
Can someone share with me what your study techniques are? Do you have any tips or tricks that help you to retain the information?
Jeffrey Sullivan says
I do it the old school way: I write everything out as I read through the chapters. I don’t read every single word; I skim through all the material several times, which is very time consuming. As far as retaining all this information, I don’t; bits and pieces stick, then when the professor goes over it, light bulbs start to go off. In reality I feel like putting this into tangible use is the best for retainment, just like anything else. Overall, I don’t have a direct answer as it is something you learn as you go and build over time. YouTube is my go-to when I’m lost or if I need a summary on a subject, as I have found this very useful.
Erskine Payton says
Thanks Jeff, this helps! I appreciate you sharing.
Mariam Hazali says
How can organizations formulate a good patch management system?
Ikenna Alajemba says
A good patch management system begins with comprehensive inventory and vulnerability assessments, identifying critical systems and prioritizing patches based on risk. It establishes clear policies and procedures for patch deployment, including testing in non-production environments before rollout. Automation tools streamline patch distribution and ensure timely updates. Regular monitoring and reporting track patch status, compliance, and effectiveness. Collaboration between IT, security teams, and stakeholders ensures alignment with business objectives and regulatory requirements. Continuous evaluation and improvement, incorporating feedback and lessons learned, ensure the patch management system remains adaptive and resilient against emerging threats.
Jeffrey Sullivan says
Are you going for the CISSP, CISA or something else? Why?
I’m going CISA as I know I would be a great auditor once I get into a company and want to eventually get the CISSP.
Mariam Hazali says
Hi Jeff, I like your question. I’m not an auditor, I’m more on the Cyberdefense side, but I think in the future I’ll be going for the CISSP. For now, I’m concentrating on landing my first cyber job, and if plans don’t change that is what I’ll focus on.
Jeffrey Sullivan says
Awesome, good luck. Keep in touch
Alex Ruiz says
In your opinion what specific measures or techniques do you believe are most effective but hard to implement in a large company?
Samuel Omotosho says
The chapter explains shoulder surfing and physical keyloggers. Can somebody tell more regarding different sorts of password threats?
Hashem Alsharif says
To give a rough estimate, how many employees would there be on a team that are focused on maintaining servers in accordance with NIST SP 800-123?
Kelly Conger says
Hashem, the appropriate team size for managing your servers depends on various factors. For instance, a small business with a few servers might require the expertise of only one NIST-savvy administrator. On the other hand, a large company with hundreds of servers might need a dedicated team. The team size also depends on the level of control you desire and how complex your needs are. In general, the more servers you have, the stricter the requirements, and the more control you want, the larger the team you’ll likely need.
Akintunde Akinmusire says
What strategies can we employ to balance security demands and operational requirements while minimizing any potential disruptions to systems functionality?
Kelly Conger says
As a system administrator, you have hardened a web server. To ensure maximum security, NIST 800-123 advises turning off unnecessary services. What are the risks associated with running additional services beyond what is required for the server to function?
Erskine Payton says
Hi Kelly,
You run the risk of your server committing resources to those unnecessary services that could be used somewhere else. Sometimes running a service you don’t need can cause problems, as it may clash with another service that isn’t needed. This also can pose a security threat when unnecessary services are turned on.
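An added example (not from the thread) of the check Kelly's question and Erskine's answer are about: compare what a server is actually listening on against the services its role requires, so anything outside that baseline can be reviewed and disabled, as NIST SP 800-123 advises. The `ss -ltnp` sample output and the web-server baseline below are constructed.

```python
"""Find listening services that fall outside a server's role baseline.

Added example, not part of the original discussion. The sample `ss -ltnp`
output and the web-server baseline are constructed for illustration."""
import re
from dataclasses import dataclass

# Constructed sample in the format of `ss -ltnp` (Linux). In real use you would
# feed subprocess.run(["ss", "-ltnp"], capture_output=True, text=True).stdout.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*          users:(("nginx",pid=812,fd=6))
LISTEN  0       511     0.0.0.0:443         0.0.0.0:*          users:(("nginx",pid=812,fd=7))
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=640,fd=3))
LISTEN  0       5       0.0.0.0:21          0.0.0.0:*          users:(("vsftpd",pid=901,fd=4))
LISTEN  0       50      127.0.0.1:3306      0.0.0.0:*          users:(("mysqld",pid=777,fd=21))
LISTEN  0       128     0.0.0.0:111         0.0.0.0:*          users:(("rpcbind",pid=455,fd=4))
"""

# Assumed role baseline for a hardened public web server: process -> allowed ports.
WEB_SERVER_BASELINE = {"nginx": {80, 443}, "sshd": {22}}

@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    process: str

# Matches LISTEN rows; captures local address, port and the owning process name.
LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')

def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -ltnp`-style rows into Listener records; the header is skipped."""
    listeners = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append(Listener(m.group(1), int(m.group(2)), m.group(3)))
    return listeners

def find_unexpected(listeners: list[Listener], baseline: dict) -> list[Listener]:
    """Return listeners whose process/port pair is not in the role baseline.
    A loopback-only listener (e.g. mysqld on 127.0.0.1) is still reported:
    it is not exposed to the network, but it is not part of this role either."""
    return [l for l in listeners if l.port not in baseline.get(l.process, set())]

if __name__ == "__main__":
    for l in find_unexpected(parse_ss(SAMPLE_SS_OUTPUT), WEB_SERVER_BASELINE):
        print(f"review/disable: {l.process} listening on {l.address}:{l.port}")
```

Each reported listener is a candidate to stop and disable in the service manager, or to justify and add to the baseline; rerunning the check after changes confirms the server matches its documented role.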
Nicholas Nirenberg says
What do you think are some effective strategies for hardening a host against cyber attacks?
Kenneth Saltisky says
Hi Nicholas, there are various means of hardening a host against cyber attacks. Here are some good options I found, especially towards more active threats:
Regular backups
Ensure secure configurations are in place with no default passwords in use
Minimize applications and services running
Regularly install new patches
Ensure group and user policies and permissions are in place and regularly tested
Data encryption
Firewalls
Kenneth Saltisky says
When hardening a host, usually multiple layers of protection that are not related to each other need to be in place. Why should these layers not have any relation?