2. Question…
Operations Security seeks to primarily protect against
which of the following?
A. Object reuse
B. Facility disaster
C. Compromising emanations
D. Asset threats
3. Question…
Operations Security seeks to primarily protect against
which of the following?
A. Object reuse
B. Facility disaster
C. Compromising emanations
D. Asset threats
4. Punch Line
• Primarily concerned with the protection and control of
information processing assets
6. Domain Introduction
• Mixture of all the domains…
• Core goal of Operations Security?
– Availability
• Are others important?
– Surely, they are!
• The domain is divided into following sections:
– Privileged Entity Controls
– Resource Protection
– Continuity of Operations
– Change Control Management
7. Points to ponder
• What is the state of being free from danger or injury?
• What are the opposite terms for the following?
– Availability
– Integrity
– Confidentiality
9. Introduction
• Privileged Entity Controls are the mechanisms that give
privileged access to…
– Hardware
– Software
– Data
• Where do the controls that permit privileged functions
usually reside?
10. Privileged Entity Controls
• Account Management
• System Accounts
• System Operators
• Ordinary Users
• System Administrators
• Security Administrators
11. Account Management
• Involves life-cycle process for every account in a system
• Primarily four types of accounts…
– Root
– Service
– Privileged user
– Ordinary user
• Accounts not needed should be disabled or deleted!
12. Account Management (2)
• Efficient management requires assignment of individual
accounts into groups or roles
– What is a group account?
• Group management involves assigning a user account to
one or multiple groups
– Each group is given a set of permissions to access objects
within a system!
13. System Accounts
• Dedicated accounts to provide a variety of system
services using autonomous processes
– Services are background processes that run in their own
security context
– DBMS contain number of these accounts
14. System Operators
• Work in data center environments where mainframe
systems are used
– Given elevated privileges
• Which can lead to circumvention of security policy!
• Use of these privileges should be monitored through audit log
• Responsibilities assigned to operators include…
– Implementing the initial program load
– Monitoring execution of the system
– Volume mounting
15. System Operators (2)
– Controlling job flow
– Bypass label processing
– Renaming and relabeling resources
– Reassignment of ports
16.
17. Ordinary Users
• Given restrictive system privileges!
• Allowed access that require minimum privileges to run
• Work in client/server architecture environment
• Should not be allowed to monitor system execution
• Should not be allowed to reassign ports
• Should not be allowed the re-labeling of the resources
18. System Administrators
• Manage system operations and maintenance
• Ensure system is functioning properly for system users
• Privileges assigned to trained and authorized individuals
• Privileges to affect critical operations such as setting…
– Time, Boot sequence, System logs and Passwords
19. Security Administrators
• Oversee the security operations of a system
• Security operations include:
– Account management
– Assignment of file sensitive labels
– System security settings
– Audit data review
– Provide a check and balance of the power assigned to
System Administrators
• Through auditing and reviewing the activities
20. Security Administrator Functions
• File Sensitivity Labels
• Clearances
• System Security Characteristics
• Passwords
• Audit Data Analysis and Management
21. File Sensitivity Labels
• Implemented to control access to information
• Allow privileges or deny access to a file
• Prevent data from being written to an area on the system
with a lower sensitivity
22. Clearances
• Assigned according to trustworthiness and the level of
access needed for sensitive information
• Ensure proper level of clearance has been assigned prior
to providing access
23. System Security Characteristics
• Define the security settings of systems and applications…
– Network devices
– Database Management Systems
• Improper configuration can impact the proper operation
of the system or network!
24. Passwords
• Password distribution is an important function
• Trusted distribution channels needed to avoid a
compromise
• Types of passwords?
25. Audit Data Analysis and Management
• Auditing information can be obtained from
– Servers, Workstations, Databases, Firewalls, etc…
• Tools used must detect unauthorized activity or attacks
• Auditing mechanism must support organizational policy
• Auditing can affect the system availability…
– Consume CPU time, Network bandwidth, Storage Space!
• Keep in mind the log retaining issues
– Regulations
26.
27. Question…
What setup should an administrator use for regularly
testing the strength of user passwords?
A. A networked workstation so that the live password database can
easily be accessed by the cracking program.
B. A networked workstation so the password database can easily be
copied locally and processed by the cracking program.
C. A standalone workstation on which the password database is copied
and processed by the cracking program.
D. A password-cracking program is unethical; therefore it should not be
used.
28. Question…
What setup should an administrator use for regularly
testing the strength of user passwords?
A. A networked workstation so that the live password database can
easily be accessed by the cracking program.
B. A networked workstation so the password database can easily be
copied locally and processed by the cracking program.
C. A standalone workstation on which the password database is copied
and processed by the cracking program.
D. A password-cracking program is unethical; therefore it should not be
used.
30. Introduction
• Resource protection includes…
– Facilities
– Hardware
– Software
– Documentation
– Threats to Operations
– Control Methods
– Data and Media Control
– Disposal Control
31. Facilities
• Use systems and controls to sustain the IT operation
environment
– Fire detection and suppression systems
– HVAC
– Water and sewage systems
– Reliable power supply and distribution system
– Power line conditioners
– Telecommunication systems
– Access control and intrusion detection systems
32. Hardware
• Appropriate physical security needed to ensure CIA…
– Concept of least privilege
– Restricted access
– Escorting a visitor
– Protecting workstations
– Protecting the printing devices
– Authorized access to firewalls
– Limited access to…
• Routers, Switches etc
– Periodic inspection of network cables
33. Hardware (2)
– Use of strong encryption in wireless communication
• WPA over WEP
34. Software
• Preventing copyright infringements
• Preventing illegal duplication and distribution of software
– Periodic inventory scans
• Software escrow
– Need?
• Proper SDLC procedures
• Proper testing and version control
– Separation of duties
• Protecting the Operating System passwords
• Protecting the Audit Logs
35. Documentation
• Ensuring the protection of documentation related to…
– Network design
– Vulnerabilities
– Proprietary methods
• Proprietary information Trade secrets
– Source code
• All important documentation should be controlled and
catalogued!
36. Threats to Operations
• Disclosure of sensitive information
– Confidentiality
• Corruption/modification of processes
– Integrity
• Theft / Removal of resources
– Confidentiality, Integrity, Availability
• Destruction of resources
– Availability
• Interruption of resources
– Availability
37.
38. Control Methods
• Input / Output Control
• Equipment Control
• Support System Control
• Personnel Control
• Antivirus Management
39. Input / Output Control
• Input…
– Time-stamping, Authentication, Logging
– Audit trails
• Record of data entered into the system
• Record of the data edited
• Output…
– Release sensitive data after signing it
– Empty report should contain "No Output"
– Information storage area must be protected
40. Equipment Control
• Regular monitoring, maintenance
• Penetration test should be conducted
• Use encryption for data communication
• Remote maintenance should be restricted
• Third party maintenance should be supervised
• Data center should have minimal exposure from
environmental threats
• Restricted access to secure room where operational
components are located
– Keep log of equipment moving in and out of restricted
room!
41.
42. Personnel Control
• Security awareness training
• Background checks and screening
• Separation of duties
• Job rotation
• Accountability through logging and monitoring
– Need to know basis
– The principle of least privilege
• Mandatory vacation!
44. Data and Media Control
• Data
– Backup data
– Encrypt sensitive data
• Media
– Use a media library/librarian
– Marking
– Logging
– Integrity verification
– Physical Access Protection
– Transmittal
– Disposition
45. Disposal Control
• Initiates at the end of life cycle of a system
• Ensure that regulations do not require to keep specific
data for a period of time
• Prevent dumpster diving
• Properly erasing data from media
– Degaussing
– Zeroization
– Physical destruction
46. Degaussing
• Data is stored on magnetic media by the representation
of the polarization of the atoms
• Degaussing changes this polarization (magnetic
alignment) by using a type of large magnet to bring it
back to its original flux
47. Zeroization
• Purging (Overwriting) existing data with '1s' and '0s‘…
– Single pass - Data area is overwritten once with '1' or '0'
– DoD Method - The data area is overwritten with '0s' then
'1s' and then once with pseudo random data
– NSA erasure algorithm - Data is overwritten seven times
with '0' pattern then with '1' and so on…
– Gutmann Method - The data is overwritten 35 times!
48. Physical Destruction
• Best method for papers and read only media
– There are highly specialized recovery programs to recover
data after disk wiping
49. Question
What is the main issue with media reuse?
A. Degaussing
B. Data remanence
C. Media destruction
D. Purging
50. Question
What is the main issue with media reuse?
A. Degaussing
B. Data remanence
C. Media destruction
D. Purging
54. Full Backup
• All files are backed up
• Fastest restoration process
• Takes the longest to perform backup
55. Incremental Backup
• Backs up files that have changed since last backup
• Backups can be performed quickly
• Restoration takes longer
56. Differential Backup
• Backs up files that have changed since last full backup
• For restoration, full backup is restored and then
differential backup is restored
58. Hierarchical Storage Management
• Uses hard disk and optical or tape jukebox technology to
offer continuous online backup functionality
• Files are moved along a hierarchy of storage devices to
less expensive form storage based on rules tied to the
frequency of data access
• Transparent to users
59. Disk Mirroring
• Exact same data is written to two or more hard disks
• Uses one disk controller
– Controller is the single point of failure
60. Disk Duplexing
• Exact same data is written to two or more hard disks
• Backup device has more than one disk controller
61. RAID
• Level 0
– Striping
• No fault tolerance
– High performance
• Level 1
– Mirroring
• Level 2
– Data strip over all drives at the bit level
– Parity = Yes
– Requires 39 disks (Not Practical)
62. RAID (2)
• Level 3
– Byte level parity
– All parity data is on one disk
• Level 4
– Block level parity
• Level 5
– Parity = Yes
– Parity over all disks!
67. Storage Area Network
• Several distinct storage systems that connected together
to create a backup network
• High speed sub-network of shared storage devices
• Transparent to user
68. Hardware
• Redundant and backup components
– Hot spares / Cold spares
• Multiple power supplies
• Fail over devices
– Router, Firewalls etc
• Standby services
69. Communications
• Redundant communication links
– Multiple lines between distributed resources
• Backup communication links include...
– Local Phone company
– Long distance carriers
– Competitive telecommunication carriers
– Broadband through telephone lines
– Broadband over cable modems
– Wireless metropolitan area networks
– Satellite links
70. Facilities
• Continuous well regulated power
– Redundant feeds, Power line regulators
– Back up power sources
• UPS, Generators
• Proper humidity and temperature level
– 40% to 60%
– 70° to 74° F
• Physical Security
– Access controls, Intrusion detection systems, Guards etc.
• Well documented contingency plans
71.
72. Operational Controls
• Development and enforcement of SOPs
– System start up
– Error conditions and how to handle them?
– System shutdown
– Restoring the system from backup media
• Boot up sequence (C:, A:, D:) should not be available to
reconfigure
• Writing activities to system logs should not be bypassed
73. Operational Controls (2)
• Output should not be able to be rerouted
• Fail secure (Fail closed)
• Fail safe (Fail open)
• Recovery action…
– Warm reboot (Controlled, Automatic)
– Emergency system restart (Uncontrolled, Automatic)
– System cold start (Uncontrolled, Manual)
74. Problem Management
• Problem = Unknown cause of one or more incidents
• Known error = Successfully diagnosed problem
– For which a solution or work around has been identified!
• Problem tracking and reporting
• Advantages:
– Lowering impact
– Reducing failures
– Preventing from reoccurring
75. Problem Management (2)
• Problems to be investigated…
– Any incident different from standard procedures
– Unexplainable, Randomly occurring process
– Any processing anomalies
• Examples…
– System component failure
– Power failure
– Telecommunication failure
76. Problem Management (3)
• Examples
– Tampering
– Production delay
– Input / Output errors
– Spam
– Phishing
– Malware
– Spyware
– Denial of service
79. Introduction
• Change Control Management
– Change Control Process
– Configuration Management
– Contingency Planning
– Intrusion Response
– Operations Management
80. Change Control Management
• Authorizes changes to production systems, including
system and application software
• Changes to production system include...
– Implementation of new applications
– Modifications of existing applications
– Removing old applications
– Upgrading or patching system software
81. Change Control Process
• Request
• Impact assessment
• Approval/Disapproval
• Build
– Test
• Notification
• Implementation
• Monitoring
• Documentation
82. Configuration Management
• Performed after a change has been approved through a
change control process
• Ensures that the changes to production systems are done
properly
• Ensures that changes do not take place unintentionally or
unknowingly
• Documentation and maintenance of documents
pertaining to system and software changes
83. Contingency Planning
• Allows production environment to continue to operate
after disruption
• Coordinates backups and recovery plans
• Identifies mission critical functions and systems that
support them
• Identifies critical interdependencies
• Generates formal written recovery procedures
• Promotes proper training as well as testing of plans
84. Intrusion Response
• Audit trail monitoring
• Auditing event include…
– Monitoring and identifying system resource use
– Monitoring and analyzing network traffic and connections
– Monitoring and identifying user account and file access
– Scanning for malicious code
– Verifying file and data integrity
– Probing for system and network vulnerabilities
85. Operations Management
• Operation Management include reviewing…
– Implementation of vendor patches
– Operating logs
– Inventory
– Change control practices
– Incident reporting in Problem Management
– System/Audit logs
– Audits/Security reviews
87. Question 1
Critical data is?
A. Subject to classification by regulatory bodies or legislation
B. Data of high integrity
C. Always protected at the highest level
D. Instrumental for business operations
88. Question 1
Critical data is?
A. Subject to classification by regulatory bodies or legislation
B. Data of high integrity
C. Always protected at the highest level
D. Instrumental for business operations
89. Question 2
When an organization is determining which data is
sensitive, it must consider all of the following EXCEPT:
A. Expectations of customers
B. Legislation or regulations
C. Quantity of data
D. Age of the data
90. Question 2
When an organization is determining which data is
sensitive, it must consider all of the following EXCEPT:
A. Expectations of customers
B. Legislation or regulations
C. Quantity of data
D. Age of the data
91. Question 3
All of the following are examples of Preventative Control
EXCEPT?
A. Intrusion detection systems
B. Human resources policies
C. Anti-virus software
D. Fences
92. Question 3
All of the following are examples of Preventative Control
EXCEPT?
A. Intrusion detection systems
B. Human resources policies
C. Anti-virus software
D. Fences
93. Question 4
To speed up RAID disk access, an organization can:
A. Use larger hard drives
B. Stripe the data across several drives
C. Mirror critical drives
D. Disallow some queries
94. Question 4
To speed up RAID disk access, an organization can:
A. Use larger hard drives
B. Stripe the data across several drives
C. Mirror critical drives
D. Disallow some queries
95. Question 5
A timely review of system access audit records is an
example of which type of security function?
A. Avoidance
B. Deterrence
C. Prevention
D. Detection
96. Question 5
A timely review of system access audit records is an
example of which type of security function?
A. Avoidance
B. Deterrence
C. Prevention
D. Detection
97. Question 6
Which of the following is not a technique used for
monitoring?
A. Penetration testing
B. Intrusion detection
C. Violation processing (using clipping levels)
D. Countermeasures testing
98. Question 6
Which of the following is not a technique used for
monitoring?
A. Penetration testing
B. Intrusion detection
C. Violation processing (using clipping levels)
D. Countermeasures testing