CISSP Guide to Security Essentials, Ch4

1
Operations Security
CISSP Guide to Security Essentials Chapter 7
2
Objectives

• Applying security concepts to computer and
  business operations
• Records management security controls
• Backups
• Anti-virus software and other anti-malware
  controls

3
Objectives (cont.)

• Remote access
• Administrative management and control of
  information security
• Resource protection
• Incident management

4
Objectives (cont.)

• High availability architectures
• Vulnerability management
• Change management and configuration management
• Operations attacks and countermeasures

5
Applying Security Operations Concepts
6
Security Operations Concepts

• Need to know
• Least privilege
• Separation of duties
• Job rotation
• Monitoring of special privileges

7
Security Operations Concepts (cont.)

• Records management controls
• Backups
• Anti-virus and anti-malware
• Remote access

8
Flow of Control

• From chapter 1
• Policy
• Guidelines
• Processes
• Procedures
• Recordkeeping

9
Need to Know

• Individual personnel should have access to only
  the information that they require in order to
  perform their stated duties
• Independent of security clearance
• This reduces risk, but can be an administrative
  burden

10
Least Privilege

• Users should have the fewest or lowest number of
  privileges required to accomplish their duties
• Independent of security clearance

11
Separation of Duties

• High-value or high-risk tasks require two or more
  different individuals to complete
• Examples
• Open a bank vault
• Issue an arrest warrant
• Provision a privileged-access computer account
• Change a firewall rule

12
Job Rotation

• Move individual workers through a range of job
  assignments
• Reduces monotony, risk
• Reduces likelihood that employees will perform
  inappropriate or illegal actions if they fear
  being caught when next job rotation occurs

13
Monitoring of Special Privileges

• Privileged users have more power
• Mistakes have greater impact
• Record activities
• Network administrator
• System administrator
• Database administrator
• Application administrator

14
Records Management Controls

• Data classification
• Access management
• Records retention
• Backups
• Data destruction

15
Data Classification

• Establish sensitivity levels
• Establish handling procedures for each level
• Creation, storage, transmittal, destruction

16
Access Management

• Policies, procedures, and controls that determine
  how information is accessed and by whom
• User account provisioning
• Privilege management
• Password management
• Review of access rights
• Secure log on

17
Records Retention

• Policies that specify how long different types of
  records must be retained (minimums and maximums)
• Manage risks related to business records
• Risk of compromise of sensitive information
• Risk of loss of important information
• E-Discovery
• Regulation

18
Backups

• Protection against loss due to malfunctions,
  failures, mistakes, and disasters
• Activities
• Data restoration
• Protection of backup media
• Off-site storage of backup media

19
Data Restoration

• Periodic testing to ensure that data that is
  backed up can be restored
• Same computer
• Different computer
• Best way to prove that backups are being
  performed properly

20
Protection of Backup Media

• Backup media contains sensitive information
• Requires same level of control as original
  information
• Keep in locked cabinets
• Least privilege and need to know

21
Offsite Storage of Backup Media

• Reduce risk of loss of backup media in the event
  of a disaster that destroys data center
• Fire, flood, sabotage
• Factors
• Distance from business location
• Security of transportation
• Security of storage center
• Resilience of storage center against disasters

22
Data Destruction

• Purpose ensure that discarded information is
  truly destroyed and not salvageable by either
  employees or outsiders

23
Data Destruction (cont.)

• Once information has reached the end of its
  need, its destruction needs to be carried out in
  a manner that is proportional to its sensitivity
• Degaussing
• Shredding
• Wiping

24
Anti-virus and Anti-malware

• Effects of uncontrolled malware
• Loss of business information
• Disclosure or compromise of business information
• Corruption of business information
• Disruption of business information processing
• Inability to access business information
• Loss of productivity
• Apply defense in depth to protect assets
• Central anti-malware management

25
Remote Access

• Connectivity to a network or system from a
  location away from the network or system,
  usually from a location apart from the
  organizations premises
• Usually through a VPN

26
Remote Access (cont.)

• Improves productivity by permitting employees to
  access business information from any location
• Risk mitigation
• Encryption, strong authentication, anti-malware,
  firewall

27
iClicker Questions
28
Which security operation concept does "User
Account Control" implement?

1. Need to know
2. Least privilege
3. Separation of duties
4. Anti-virus and anti-malware
5. Remote access

29
What security concept makes confidential
information less likely to leak out, but can make
normal business slow and complex?

1. Need to know
2. Least privilege
3. Separation of duties
4. Job rotation
5. Monitoring of special privileges

30
Which security concept includes labeling files as
"confidential" or "unclassified"?

1. Need to know
2. Least privilege
3. Monitoring of special privileges
4. Records management controls
5. Backups

31
When an administrator shuts down a server, this
box appears, asking why the server is being shut
down. Which security principle does this
implement?

1. Need to know
2. Least privilege
3. Separation of duties
4. Job rotation
5. Monitoring of special privileges

32
Administrative Management and Control
33
ISO 27001

• Widely accepted model for top-down security
  management
• Define scope and boundaries
• Establish a security policy
• Risk assessments
• Establish control objectives and activities
• Security awareness and training
• Allocate resources
• Internal audits
• Monitor and review the security program
• Enact continual improvement

34
Types of Controls

• Technical
• Such as firewalls and antivirus software
• Physical
• Locks, guards, etc.
• Administrative
• Such as policies and audits
• See link Ch 7a for a good discussion, and link
  CISSP 12 for good whitepapers on all ten CISSP
  domains

35
Categories of Controls

• Detective
• Deterrent
• Preventive
• Corrective
• Recovery
• Compensating

36
Employing Resource Protection
37
Resource Protection

• Facilities
• Water and sewage
• Electricity
• Fire alarms and suppression
• Environmental controls
• Communications
• Security controls

38
Resource Protection (cont.)

• Hardware
• Servers
• Workstations
• Network devices
• Wireless networks
• Printers, copiers
• Cabling

39
Resource Protection (cont.)

• Software requires control and management
• Licensing
• Access control
• Source code (preventing disclosure)
• Intellectual property
• Security
• Source code control
• Software development lifecycle

40
Resource Protection (cont.)

• Documentation
• May contain trade secrets and sensitive
  information
• Processes, procedures, and instructions
• Version control
• Access control

41
Incident Management
42
Incident

• An Incident is
• An unexpected event that results in an
  interruption of normal operations
• A Security Incident is
• An event in which security policy has been
  violated
• OR
• Unauthorized access to a system or information
• OR
• An event that prevents legitimate access to a
  system or information

43
Incident Management

• Incident declaration
• Triage
• Investigation
• Analysis
• Containment
• Recovery
• Debriefing
• See chapter 6 for details

44
High Availability Architectures
45
Fault Tolerance

• Makes devices less prone to failure
• Multiple power supplies
• Multiple network interfaces
• Multiple processor units
• RAID (Redundant Array of Inexpensive /
  Independent Disks)

46
Clustering

• A group of two or more servers that operate
  functionally as a single logical server
• Active-active mode
• Active-passive mode
• Failover when active status is transferred
• Geo-cluster servers located at great distances
  from one another

47
Replication

• Data changes are transmitted to a counterpart
  storage system
• An adjunct to clustering, makes current data
  available to all cluster nodes

48
Business Continuity Management

• A management activity where analysis is performed
  to better understand the risks associated with
  potential disaster scenarios, and the steps that
  can be taken to reduce the impact of a disaster
  should one occur

49
Vulnerability Management
50
Vulnerability Management

• Penetration testing
• Application scanning
• Patch management
• Code reviews

51
Penetration Testing

• A scan of many or all TCP / IP ports on one or
  more target systems
• Followed by locating and exploiting
  vulnerabilities
• Mimics the actions of a hacker who scans a system
  or network for active, exploitable ports and
  services

52
Application Scanning

• The process of performing security tests on an
  application (usually, but not always, a
  web-based application) in order to find
  vulnerabilities in the application code itself

53
The new OWASP Top Ten (2010 rc1)
http//www.owasp.org/index.php/Top_10
54
Code Reviews

• Manual and automated inspections of software
  source code
• Examine and validate approved changes
• Detection of inappropriate changes, unsafe code,
  security issues

55
Patch Management

• The process usually assisted with management
  tools to manage the installation of patches on
  target systems
• Reduces risks associated with malware, hacking
  attacks that exploit weaknesses
• Don't just put on all available patches
• Analyze and test them first and only put on the
  ones that pass a risk analysis

56
Change Management
57
Change Management

• Prepare the change
• Circulate and review the change
• Discuss and agree to the change
• Perform the change
• Recordkeeping

58
Configuration Management
59
Configuration Management

• Configuration of hardware, software components
• Configuration management database (CMDB)
• Automated tools

60
Operations Attacks and Countermeasures
61
Attacks on Operations

• Social engineering
• Sabotage
• Theft and Disappearance
• Extortion
• Bypass
• Circumventing security measures
• Denial of service

62
iClicker Questions
63
The Army banned all use of USB flash drives.
What category of control was this?

1. Technical
2. Physical
3. Administrative
4. Detective
5. Corrective

64
What type of control is a burglar alarm?

1. Detective
2. Deterrent
3. Preventive
4. Corrective
5. Recovery

65
After a security incident is declared, a security
officer interviews employees in the affected
department to quickly identify clues that may
help understand what happened. Which process is
being performed?

1. Triage
2. Investigation
3. Analysis
4. Containment
5. Recovery

66
A data entry worker threatened to post
confidential medical records on the Internet and
demanded money. What sort of attack was that?

1. Social engineering
2. Sabotage
3. Theft and Disappearance
4. Extortion
5. Bypass

67
This license plate is intended to protect the
driver from automated ticketing cameras. What
vulnerability would make this possible?

1. Injection
2. XSS
3. CSRF
4. Insecure cryptography
5. Unvalidated redirects