Page 596 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
P. 596

entry into a distributed environment. For example, modems attached
               to a desktop machine that’s also attached to an organization’s network

               can make that network vulnerable to dial-in attacks. There is also a
               risk that wireless adapters on client systems can be used to create open
               networks. Likewise, users who download data from the internet
               increase the risk of infecting their own and other systems with
               malicious code, Trojan horses, and so forth. Desktops, laptops, tablets,
               mobile phones, and workstations—and associated disks or other
               storage devices—may not be secure from physical intrusion or theft.

               Finally, when data resides only on client machines, it may not be
               secured with a proper backup (it’s often the case that although servers
               are backed up routinely, the same is not true for client computers).

               You should see that the foregoing litany of potential vulnerabilities in
               distributed architectures means that such environments require
               numerous safeguards to implement appropriate security and to ensure
               that such vulnerabilities are eliminated, mitigated, or remedied.

               Clients must be subjected to policies that impose safeguards on their
               contents and their users’ activities. These include the following:

                    Email must be screened so that it cannot become a vector for
                    infection by malicious software; email should also be subject to
                    policies that govern appropriate use and limit potential liability.

                    Download/upload policies must be created so that incoming and

                    outgoing data is screened and suspect materials blocked.

                    Systems must be subject to robust access controls, which may
                    include multifactor authentication and/or biometrics to restrict
                    access to end-user devices and to prevent unauthorized access to
                    servers and services.

                    Restricted user-interface mechanisms and database management
                    systems should be installed, and their use required, to restrict and
                    manage access to critical information so users have minimal but

                    necessary access to sensitive resources.

                    File encryption may be appropriate for files and data stored on
                    client machines (indeed, drive-level encryption is a good idea for
                    laptops and other mobile computing gear that is subject to loss or
   591   592   593   594   595   596   597   598   599   600   601