CISSP® Official Study Guide, Eighth Edition
Mike Chapple, James Michael Stewart, Darril Gibson, CISSP Official Study Guide, Sybex (2018)

Trusted Recovery

Trusted recovery provides assurances that after a failure or crash, the system is just as secure as it was before the failure or crash occurred. Depending on the failure, the recovery may be automated or require manual intervention by an administrator. However, in either case systems can be designed to ensure that they support trusted recovery.

Systems can be designed so that they fail in a fail-secure state or a fail-open state. A fail-secure system will default to a secure state in the event of a failure, blocking all access. A fail-open system will fail in an open state, granting all access. The choice is dependent on whether security or availability is more important after a failure.
For example, firewalls provide a significant amount of security by controlling access in and out of a network. They are configured with an implicit deny philosophy and only allow traffic that is explicitly allowed based on a rule. Firewalls are typically designed to be fail secure, supporting the implicit deny philosophy. If a firewall fails, all traffic is blocked. Although this eliminates availability of communication through the firewall, it is secure. In contrast, if availability of traffic is more important than security, the firewall can be configured to fail into a fail-open state, allowing all traffic through. This wouldn't be secure, but the network would not lose availability of traffic.
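The following is an added example, not code from the study guide, that models the two failure policies described above in a small packet filter. The rule set is implicit deny (a packet passes only if an allow rule matches), and the rule engine is treated as the component that can crash; the `Firewall`, `Rule`, `Packet` and `FailMode` names, the `RuleEngineError` exception and the sample addresses are all constructed for this illustration.

```python
"""Fail-secure vs. fail-open policy enforcement (added example, not from the book)."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional


class FailMode(Enum):
    SECURE = "fail-secure"  # on failure: block everything
    OPEN = "fail-open"      # on failure: allow everything


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str


@dataclass(frozen=True)
class Rule:
    """Allow rule; a field set to None matches any value (hypothetical schema)."""
    dst: Optional[str]
    dport: Optional[int]
    proto: Optional[str]

    def matches(self, pkt: Packet) -> bool:
        return ((self.dst is None or self.dst == pkt.dst)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.proto is None or self.proto == pkt.proto))


class RuleEngineError(RuntimeError):
    """Raised when the rule engine itself cannot evaluate (crash, corrupt table)."""


class Firewall:
    def __init__(self, allow_rules: List[Rule], fail_mode: FailMode,
                 engine: Optional[Callable[[Packet], bool]] = None):
        self.allow_rules = allow_rules
        self.fail_mode = fail_mode
        # The engine is the component that may fail; by default use the healthy one.
        self._engine = engine or self._evaluate

    def _evaluate(self, pkt: Packet) -> bool:
        # Implicit deny: traffic passes only if some allow rule matches.
        return any(r.matches(pkt) for r in self.allow_rules)

    def permits(self, pkt: Packet) -> bool:
        try:
            return self._engine(pkt)
        except RuleEngineError:
            # The engine crashing is the "failure" the text refers to.
            # Fail-secure blocks everything; fail-open lets everything through.
            return self.fail_mode is FailMode.OPEN


def broken_engine(pkt: Packet) -> bool:
    """Simulated failed rule engine (constructed for the example)."""
    raise RuleEngineError("rule table corrupt")


# Constructed sample policy and traffic: only HTTPS to one host is allowed.
ALLOW = [Rule(dst="10.0.0.5", dport=443, proto="tcp")]
WEB = Packet("203.0.113.9", "10.0.0.5", 443, "tcp")
SSH = Packet("203.0.113.9", "10.0.0.5", 22, "tcp")


def demo() -> Dict[str, bool]:
    healthy = Firewall(ALLOW, FailMode.SECURE)
    crashed_secure = Firewall(ALLOW, FailMode.SECURE, engine=broken_engine)
    crashed_open = Firewall(ALLOW, FailMode.OPEN, engine=broken_engine)
    return {
        "healthy_web": healthy.permits(WEB),                # allowed by rule
        "healthy_ssh": healthy.permits(SSH),                # implicit deny
        "crashed_secure_web": crashed_secure.permits(WEB),  # blocked: nothing passes
        "crashed_open_ssh": crashed_open.permits(SSH),      # allowed: everything passes
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {'ALLOW' if decision else 'DENY'}")
```

The design point is that the failure handling is a deliberate, single choice made where the exception is caught: a fail-secure deployment loses even the explicitly allowed HTTPS traffic while the engine is down, and a fail-open one admits the SSH connection that the policy never authorised.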
In the context of physical security with electrical hardware locks, the terms fail-safe and fail-secure are used. Specifically, a fail-safe electrical lock will be unlocked when power is removed, but a fail-secure electrical lock will be locked when power is removed. For example, emergency exit doors will be configured to be fail safe so that personnel are not locked inside during a fire or other emergency. In this case, safety is a primary concern if a failure occurs. In contrast, a bank vault will likely be configured to be fail secure so that it remains locked if power is removed because security is the primary concern with a bank vault door.
Two elements of the recovery process are addressed to implement a trusted solution. The first element is failure preparation. This includes system resilience and fault-tolerant methods in addition to a reliable backup solution. The second element is the process of system recovery. The system should be forced to reboot into a single-user, nonprivileged state.


Understand System Resilience and Fault Tolerance 
817
This means that the system should reboot so that a normal user account can be used to log in and that the system does not grant unauthorized access to users. System recovery also includes the restoration of all affected files and services actively in use on the system at the time of the failure or crash. Any missing or damaged files are restored, any changes to classification labels are corrected, and settings on all security critical files are then verified.
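The recovery steps just described (restore missing or damaged files, correct classification labels, verify settings on security-critical files) can be checked against a baseline taken while the system was known-good. The following added example, which is not from the study guide, records a SHA-256 digest, permission bits and a classification label for each file, then reports every deviation found after a simulated crash. The `Baseline` type, the `take_baseline` and `verify_recovery` functions, and the two sample files created in a temporary directory are all constructed for this illustration.

```python
"""Post-recovery verification of security-critical files (added example, not from the book)."""
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Baseline:
    sha256: str  # content digest taken while the system was known-good
    mode: int    # permission bits only, e.g. 0o600
    label: str   # classification label recorded in the baseline


def fingerprint(path: str) -> Tuple[str, int]:
    """Return (sha256 hex digest, permission bits) for a file."""
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return digest, mode


def take_baseline(files: Dict[str, str]) -> Dict[str, Baseline]:
    """files maps path -> classification label; records digest and mode for each."""
    baseline: Dict[str, Baseline] = {}
    for path, label in files.items():
        digest, mode = fingerprint(path)
        baseline[path] = Baseline(digest, mode, label)
    return baseline


def verify_recovery(baseline: Dict[str, Baseline],
                    labels_now: Dict[str, str]) -> List[str]:
    """Compare the post-reboot state with the baseline; one finding per deviation."""
    findings: List[str] = []
    for path, b in baseline.items():
        if not os.path.exists(path):
            findings.append(f"MISSING {path}: restore from backup")
            continue  # nothing else to check until the file is restored
        digest, mode = fingerprint(path)
        if digest != b.sha256:
            findings.append(f"MODIFIED {path}: content differs from baseline")
        if mode != b.mode:
            findings.append(f"PERMS {path}: {oct(mode)} != {oct(b.mode)}")
        if labels_now.get(path) != b.label:
            findings.append(f"LABEL {path}: {labels_now.get(path)} != {b.label}")
    return findings


def demo() -> List[str]:
    # Constructed sample: two "security-critical" files in a fresh temp dir.
    d = tempfile.mkdtemp()
    shadow = os.path.join(d, "shadow")
    policy = os.path.join(d, "policy.conf")
    for p in (shadow, policy):
        with open(p, "w") as f:
            f.write("baseline contents\n")
        os.chmod(p, 0o600)
    labels = {shadow: "restricted", policy: "internal"}
    baseline = take_baseline(labels)

    # Simulate damage during the crash: shadow's permissions loosened and its
    # label changed, policy.conf lost entirely.
    os.chmod(shadow, 0o644)
    os.remove(policy)
    labels_after = {shadow: "public", policy: "internal"}
    return verify_recovery(baseline, labels_after)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Each finding names the corrective action the text calls for: a MISSING entry is restored from backup, a LABEL entry has its classification corrected, and PERMS or MODIFIED entries mean the security-critical file's settings or content must be reset before the system is returned to multi-user operation.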
The Common Criteria (introduced in Chapter 8, "Principles of Security Models, Design, and Capabilities") includes a section on trusted recovery that is relevant to system resilience and fault tolerance. Specifically, it defines four types of trusted recovery: