CISSP -- should client-base systems ALWAYS use drive encryption?
-
I got the following question on a practice test.
You have identified several instances where attacks against client systems were not prevented or detected at the client level because no controls were deployed to prevent the attack. Data was stolen from some devices. An entire branch office was infected with malware and viruses and required several days recovery time, which meant lost revenue. Finally, you recently discovered that several client systems have non-licensed versions of OSs installed. You must ensure that the appropriate controls are deployed to mitigate these risks.
Which of the following policies and controls should you deploy for the client systems based on their identified risks? (Choose all that apply.)
A) Deploy anti-malware and antivirus software on all client systems.
B) Deploy firewall and host-based intrusion detection systems on the client systems.
C) Deploy only licensed, supported operating systems.
D) Use drive encryption on all client system hard drives.
I chose A, B, and C. But the Kaplan folks say it is all of the options. I see nothing in the scenario that indicates drive encryption would have helped prevent the loss or disclosure of data.
The book Kaplan references, CISSP Cert Guide (4th Edition), does have a section on client-based systems that says:
"Security architecture for client systems should include policies and controls that cover the following areas:
<<..snip..>>
- Using drive encryption such as BitLocker to protect the data on the hard drives."
But I find no similar declaration in CISSP Official Study Guide 9th Edition. How should I treat this for the CISSP exam?
-
The key statement in the scenario that points to drive encryption is: "Data was stolen from some devices." If data is stolen from a client device, the only way to protect the data on the client device is to implement "at rest" encryption on the client systems. So yes, "Use drive encryption on all client system hard drives" is a correct answer, too.
I would also suggest that you read the explanation as it should fully address all of the possible answers and why they are or are not correct.
Hope this helps.
~Robin
-
Thanks Robin!
The answer provided by Kaplan was "You should deploy all of the listed policies and controls for the client systems based on their identified risks. These risks are identified in the second paragraph of the scenario." This was completely unhelpful to me.
My thinking is, if I have drive encryption enabled on a device and someone gains unauthorized remote access to my device, they have access to the file system (it seems they did, because they stole data), so the use of drive encryption doesn't secure anything.
Drive encryption would only have helped if a device was stolen while powered down. I don't see any information in the question to indicate that the client machines were stolen just that they were compromised in some way.
Let me express it this way and see if this is a better way to think of the answer. We know "data was stolen from some devices" but we don't know how. Maybe it was a remote attack, so we suggest answer B. But maybe it was because someone broke into the offices and accessed the devices directly, or accessed the devices at another time when they were not being used but were somehow unsecured. So in that latter case we would answer D. I guess that approach doesn't end up making an assumption of how data was stolen but just tries to match the countermeasures with possible scenarios.
Is that approach better for answering these questions?
Thanks!
-
Hi Doug! Yeah - it seems like you got caught up with a bit of overthinking here. "Data was stolen from some devices." Disk encryption COULD have helped. I think getting concerned about the type of access breach is the overthink.
Also, just a note on disk encryption based on your comment - "Drive encryption would only have helped if a device was stolen while powered down."
If I am using full disk encryption and lock my machine when I head to the break room (part of our clean desk policy), if someone steals my laptop, the machine is still protected with disk encryption. :-)
-
Yes on that last point except if there is some sort of opportunity to perform an extraction of the keys through a more invasive approach. Pretty unlikely in most scenarios but I didn't want to leave out the possibility.
Thanks!
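The thread settles on deploying all four controls (A–D) and on the point that drive encryption only protects data at rest. The PowerShell below is an added example, not from the thread, Kaplan, or either CISSP book: it checks whether each of the four controls is actually in place on a Windows client, and for BitLocker it treats an encrypted volume whose protection is suspended (ProtectionStatus Off) as non-compliant, since the key is then exposed and the at-rest protection the reply describes is gone. It assumes Windows 10/11 with the Defender, NetSecurity and BitLocker modules, run from an elevated prompt.

```powershell
# Added example: per-host check of the four client controls from the practice question.
# Assumes Windows 10/11 with the Defender, NetSecurity and BitLocker PowerShell modules; run elevated.

function Get-ClientControlStatus {
    $result = [ordered]@{}

    # A) Anti-malware: Defender engine enabled with real-time protection on.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $result['AntiMalware'] = [bool]($mp -and $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled)

    # B) Host firewall: every profile (Domain, Private, Public) must be enabled.
    $profiles = Get-NetFirewallProfile -ErrorAction SilentlyContinue
    $disabled = $profiles | Where-Object { $_.Enabled -ne 'True' }
    $result['Firewall'] = [bool]($profiles -and -not $disabled)

    # C) Licensed OS: the Windows product that has a product key installed reports
    #    LicenseStatus 1 (Licensed). Anything else (unlicensed, grace, notification) fails.
    $lic = Get-CimInstance -ClassName SoftwareLicensingProduct `
        -Filter "PartialProductKey IS NOT NULL" -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like 'Windows*' }
    $result['LicensedOS'] = [bool]($lic | Where-Object { $_.LicenseStatus -eq 1 })

    # D) Drive encryption: the OS volume must be fully encrypted AND protection must be On.
    #    'FullyEncrypted' with ProtectionStatus 'Off' means the key protectors are suspended,
    #    so the data is not really protected at rest; count that as missing.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $result['DriveEncryption'] = [bool]($os -and
        $os.VolumeStatus -eq 'FullyEncrypted' -and $os.ProtectionStatus -eq 'On')

    [pscustomobject]$result
}

$status = Get-ClientControlStatus
$status | Format-List
$missing = $status.PSObject.Properties | Where-Object { -not $_.Value } | ForEach-Object Name
if ($missing) {
    Write-Warning "Controls missing on $($env:COMPUTERNAME): $($missing -join ', ')"
}
```

Run it through your management tooling against every client to get an inventory of which of the four controls each machine is actually missing.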