CISSP Devices – Bk1D5T1St3

Many types of devices exist within a system. Desktop computers, laptops, tablets, keyboards, mice, microphones, speakers, and phones are all devices that people in many organizations use every day. Networks are made up of routers, switches, hubs, servers, and cables (even if these are located at a remote location and accessed through the cloud).

Similarly, archives and storage are made up of discs, tapes, or other hardware (again, even if these are located and accessed remotely). These are all devices.

Just as availability was a significant concern for systems, the availability of the devices that make up those systems ranks as a very high concern as well. Yet, because devices exist in the world of tangible things, you must also worry about how uncontrolled access or damage to those things can interfere with the system.

Uncontrolled access to a disk drive, for example, may allow an adversary to copy the data (which can compromise confidentiality) or to change it undetected (which compromises its integrity). A person could also destroy the device’s drive with heat, hyperactivity, or (if direct physical access is gained) even a hammer. If data on such an accessed device hasn’t been sufficiently backed up, that poses both an integrity problem and an access problem. Theft of portable devices poses a serious confidentiality concern. Some organizations try to offset the risk of theft by using remote wipe, forced encryption, and similar measures. Such measures are designed to enforce confidentiality, although this is sometimes at the expense of availability if you don’t have the right credentials.

Uncontrolled access to a printer may run it out of ink or paper. Similarly, failed access control of almost any device may lead to an exhaustion of its resources. Fortunately, this availability issue is mitigated by the practice of mobile device management (MDM), which has grown in response to the difficulty of controlling access to physical devices. We will explore further IAM measures relating to mobile devices throughout this chapter, beginning with our extended view of facilities in the following sections.