SY0-501 Section 4.5- Compare and contrast alternative methods to mitigate security risks in static environments.

Environments

SCADA (supervisory control and data acquisition) refers to equipment often used to manage automated factory equipment, dams, power generators, and similar equipment. The Security+ exam does not heavily emphasize this, because the security measures will depend on the device. However, the infamous Stuxnet virus targeted specific SCADA equipment, so the need for SCADA security is not simply hypothetical.

Embedded systems (such as printers, smart TVs, and HVAC controls) have their own security needs. Most modern printers, even midrange printers, have hard drives, RAM, and an operating system. That means they have specific vulnerabilities. Some advanced HVAC control systems and smart TVs also have sophisticated operations that are vulnerable to attack. Even game consoles can be vulnerable to viruses. Like SCADA, the specifics of mitigating risk will depend on the device, but the Security+ exam will expect you to be aware that these devices have security risks.

Smartphones are probably a more obvious security risk. All of those issues obviously apply to smart phones. But specific phones, such as Android and IOS, will have their own security issue that have to be addressed.

Mainframes usually do not present significant security risks; they tend to be more stable and less susceptible to attacks. However, that does not mean they are invulnerable. You should examine the mainframe your organization uses and see what steps are appropriate for that system. A new and emerging issue is that of in-vehicle computing systems. Automobiles tend to have sophisticated systems, such as computers complete with hard drives and GPS. There have already been preliminary security tests showing that these systems can be breached. Much like SCADA, the specifics will depend on the implementation. The Security+ test will ask you about the concept in a general way.

Methods

Some generalized methods can be used to mitigate the security risks to any network. One of the most basic is the combination of network segmentation and security layers. These are very closely related subjects. Network segmentation means dividing your network into segments. Ideally the connection points between each segment (routers) will also implement security features such as a firewall and intrusion detection system. This means that a breach of one segment of your network does not jeopardize the entire network. It is only logical to segment your network based on security layers, or zones based on security needs. The most obvious example is an external zone (called a demilitarized zone [DMZ]) for publicly accessible resources like a web server, and an internal zone for your actual corporate network. You can use as many zones as are needed, each with a different (but appropriate) level of security.

Network protection can be enhanced with some simple techniques. Application firewalls are usually better protection for database servers or web servers than are other types of firewalls. Application firewalls, in addition to packet filtering, filter specific application- related content. For example, a web server might use an application firewall to filter common SQL injection attacks. It is just as important to make sure firmware updates are applied. Firmware version control is closely related to updating the firmware. You need to be sure that each device is using the appropriate version of firmware. You may even need to manually update devices with critical updates. Certain viruses specifically target the firmware in routers and switches. This risk is mitigated by firmware version control.

One very important technique is controlling redundancy and diversity. Although this may sound complex, it simply means two things. The first is implementing more than one of each security control. If you have an intrusion detection system in your DMZ, you may want to have another in your network. Diversity means using different controls of the same type. For example, if you use the Cisco IDS on your perimeter, you may wish to use SNORT IDS inside your network. The reasoning is that if an attack thwarts one of your IDSs, it may not evade both. This concept applies to all security controls. Wrappers are a related topic. This technique involves wrapping sensitive systems with a specific control, such as having your sensitive data servers in their own network segment with their own firewall, IDS, and antivirus protection. A variety of specialized systems have security issues specific to those systems. You must mitigate the risk on each of these systems.