Page 1396 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

entire host system. An example of such a failure response is seen in the Windows operating system (OS) with the appearance of the infamous Blue Screen of Death (BSOD), indicating the occurrence of a STOP error. A STOP error occurs when an undesirable activity takes place in spite of the OS's efforts to prevent it. This could include an application gaining direct access to hardware, an attempt to bypass a security access check, or one process interfering with the memory space of another. Once one of these conditions occurs, the environment is no longer trustworthy. So, rather than continuing to support an unreliable and insecure operating environment, the OS initiates a STOP error as its fail-secure response: it halts rather than keep running in a state whose security guarantees it can no longer vouch for.

Once a fail-secure operation occurs, the programmer should consider the activities that occur afterward. The options are to remain in a fail-secure state or to automatically reboot the system. The former option requires an administrator to manually reboot the system and oversee the process. This action can be enforced by using a boot password. The latter option does not require human intervention for the system to restore itself to a functioning state, but it has its own unique issues. For example, it must restrict the system to reboot into a nonprivileged state. In other words, the system should not reboot and perform an automatic logon; instead, it should prompt the user for authorized access credentials.



In limited circumstances, it may be appropriate to implement a fail-open failure state. This is sometimes appropriate for lower-layer components of a multilayered security system. Fail-open systems should be used with extreme caution. Before deploying a system using this failure mode, clearly validate the business requirement for this move. If it is justified, ensure that adequate alternative controls are in place to protect the organization's resources should the system fail. It's extremely rare that you'd want all your security controls to use a fail-open approach.
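The two failure modes above come down to one decision in code: what a control returns when it cannot evaluate at all (its backend is unreachable, its data is corrupt), as opposed to when it evaluates and says no. The following is an added example, not code from the study guide, showing a hypothetical layered request gate. The low-layer IP reputation filter is permitted to fail open only because a named compensating control (authentication) still stands behind it, while the authorization check fails closed. The control names, the `CheckFailure` exception, and the blocklist, session and ACL tables are all constructed for illustration.

```python
"""Fail-secure vs fail-open handling when a security check itself fails.

Added example (not from the study guide). Every name below is hypothetical:
a layered gate with an IP reputation filter that may fail open because an
authentication layer compensates, and an authorization check that must
fail closed. Sample data is constructed inline.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

DENY, ALLOW = "deny", "allow"


class CheckFailure(Exception):
    """Raised when a control cannot evaluate (backend down, corrupt data)."""


@dataclass
class Control:
    name: str
    evaluate: Callable[[dict], bool]          # True = request passes this layer
    fail_open: bool = False
    compensating_control: Optional[str] = None

    def __post_init__(self):
        # Design rule from the text: a fail-open control is only acceptable
        # when an alternative control still protects the resource.
        if self.fail_open and not self.compensating_control:
            raise ValueError(f"{self.name}: fail-open requires a compensating control")


@dataclass
class Gate:
    controls: list
    audit: list = field(default_factory=list)  # (control, event, detail, src)

    def decide(self, request: dict) -> str:
        for c in self.controls:
            try:
                passed = c.evaluate(request)
            except CheckFailure as exc:
                # The control did not say no; it could not answer at all.
                self.audit.append((c.name, "check-failed", str(exc), request.get("src")))
                if c.fail_open:
                    continue                    # rely on compensating_control downstream
                return DENY                     # fail-secure: indeterminate means deny
            if not passed:
                self.audit.append((c.name, "denied", "", request.get("src")))
                return DENY
        return ALLOW


# --- constructed sample data and controls ----------------------------------
BLOCKLIST = {"198.51.100.7"}            # constructed reputation data
SESSIONS = {"tok-alice": "alice"}       # constructed session store
ACL = {"alice": {"/reports"}}           # constructed authorization table


def reputation_filter(req: dict, *, outage: bool = False) -> bool:
    if outage:
        raise CheckFailure("reputation service unreachable")
    return req["src"] not in BLOCKLIST


def authenticate(req: dict) -> bool:
    return req.get("token") in SESSIONS


def authorize(req: dict, *, outage: bool = False) -> bool:
    if outage:
        raise CheckFailure("policy store unreachable")
    user = SESSIONS.get(req.get("token"))
    return user is not None and req["path"] in ACL.get(user, set())


def build_gate(reputation_outage: bool = False, policy_outage: bool = False) -> Gate:
    """Assemble the three-layer gate, optionally simulating backend outages."""
    return Gate([
        Control("ip-reputation",
                lambda r: reputation_filter(r, outage=reputation_outage),
                fail_open=True, compensating_control="authentication"),
        Control("authentication", authenticate),
        Control("authorization", lambda r: authorize(r, outage=policy_outage)),
    ])


if __name__ == "__main__":
    ok = {"src": "203.0.113.5", "token": "tok-alice", "path": "/reports"}
    anon_bad_ip = {"src": "198.51.100.7", "path": "/reports"}
    print("normal:", build_gate().decide(ok))
    g = build_gate(reputation_outage=True)
    print("reputation outage, authenticated:", g.decide(ok), g.audit)
    print("reputation outage, unauthenticated:", build_gate(reputation_outage=True).decide(anon_bad_ip))
    print("policy store outage:", build_gate(policy_outage=True).decide(ok))
```

Run stand-alone, the script shows the asymmetry the text describes: during a reputation outage an authenticated user is still admitted because authentication compensates, an unauthenticated request from a blocklisted address is still refused by that compensating layer, and an outage of the policy store denies everyone because authorization fails closed. The audit entries tagged `check-failed` are what an operator would alert on, since a control that silently fails open is indistinguishable from one that is working.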



               Even when security is properly designed and embedded in software,