Operations Security




Operations Security
• General security principles
• Operations Security
• Identify historical and real-time security events
• Capture subsequent actions
• Identify the key elements involved
• The Controls
• Alert appropriate authorities
• Take appropriate corrective or recovery actions




Operations Security
• The process of safeguarding information assets while the data is resident in the computer, on storage media, in transit through communication links, or otherwise associated with the data processing environment
• Identifies the controls over hardware, media, and the operators and administrators with access privileges to these resources




General Security Principles
• Accountability
  – Authorization
  – Logging
• Separation of duties
• Least privilege
• Risk reduction
• Layered defense
• Redundancy



The Security Goals
• Operations management
• Problem management
• Service level management
• Performance and capacity management
• Change management
• Configuration management
• Software control and distribution
• Availability and continuity management
• Security management


The Controls
• Directive Controls (administrative controls)
  – Intended to advise employees of the behavior expected of them during their interfaces with or use of the organization's information systems
• Preventive Controls
  – Physical, administrative, and technical measures intended to preclude actions violating policy or increasing risk to system resources
• Detective Controls
  – The use of practices, processes, and tools that identify and possibly react to security violations


The Controls Cont…
• Corrective Controls
  – Involve physical, administrative, and technical measures designed to react to detection of an incident in order to reduce or eliminate the opportunity for the unwanted event to recur

• Recovery Controls
  – To restore the system or operation to a normal operating state




Hardware Controls
• Include the physical protection of the equipment
• Surge protectors, UPS
• Configuration and maintenance logs
• Problem tracking




Software Controls
• OS controls
• Restrict and monitor:
  – Changing computer system privileges or controls
  – Changing protective features or parameters affecting another user
  – Allocating resources
  – Halting the computing system
  – Controlling the allocation and sharing of system and data resources (e.g., memory, file space, CPU cycles, etc.)
• Enforce the conditions of software licenses and respect software copyright requirements
• All acquired software from any source (vendors, partners, freeware, etc.) must be examined for malicious code
• Check software for backdoors and trapdoors


Operational controls
• Whether in a data center or a network environment, establish, document, and enforce operating procedures for all equipment and software
• Recovery actions
  – System reboot
  – Emergency system restart
  – System cold start
• Types of recovery
  – Manual recovery
  – Automated recovery
  – Automated recovery without undue loss
  – Function recovery


Data and Media Controls
• Backup
• Electronic Vaulting
  – Backup data is sent electronically to the selected recovery or backup storage location
• Remote Journaling
  – The same logging procedure used by a database management system to create the on-site journal is used to create a second journal at the off-site storage location
• Database Shadowing
  – The system applies updates to the production system, journals them, and sends them to the alternate computer


Data and Media Controls Cont…
• Direct Access Storage Devices (DASDs)
• Fault tolerance
• Network data mirroring
• Redundant Arrays of Independent Disks (RAID)
  – Failure Resistant Disk Systems (FRDSs): protect against data loss due to disk failure; an enhanced variant extends this protection
  – Failure Tolerant Disk Systems (FTDSs): protect against loss of data access due to failure of any single component
  – Disaster Tolerant Disk Systems (DTDSs): consist of two or more independent zones, either of which provides access to stored data


RAID Levels
• Level 0: Striped disk array without fault tolerance
• Level 1: Mirroring and duplexing
• Level 2: Error-correcting coding
• Level 3: Bit-interleaved parity
• Level 4: Dedicated parity drive
• Level 5: Block-interleaved distributed parity
• Level 6: Independent data disks with double parity
• Level 10: A stripe of mirrors




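The RAID levels above and the FRDS/FTDS distinction on the previous slide come down to one question: after a disk fails, can the missing block be rebuilt from what survives? The following is an added example, not material from the deck: it models a RAID 5 stripe with XOR parity, rebuilds a lost disk, and shows why RAID 0 loses data and why RAID 5 cannot survive two simultaneous failures. Disk contents are constructed byte strings, parity is kept in a fixed position rather than rotated, and RAID 6's second parity is not modelled.

```python
"""RAID fault-tolerance demo: XOR parity (RAID 5), mirroring (RAID 1), striping (RAID 0).
Added illustration; stripe contents below are constructed, not real disk data."""
from functools import reduce
from typing import Callable, List, Optional

Block = Optional[bytes]  # None models a failed disk in a stripe


def xor_blocks(blocks: List[bytes]) -> bytes:
    """Bytewise XOR of equal-length blocks: the parity operation RAID 3/4/5 rely on."""
    if len({len(b) for b in blocks}) != 1:
        raise ValueError("parity needs equal-length blocks")
    return bytes(reduce(lambda x, y: x ^ y, column) for column in zip(*blocks))


def raid5_write(data_blocks: List[bytes]) -> List[bytes]:
    """One RAID 5 stripe: N data blocks plus one parity block (XOR of all data).
    Real RAID 5 rotates the parity position across disks; here it is simply last."""
    return list(data_blocks) + [xor_blocks(data_blocks)]


def raid5_recover(stripe: List[Block]) -> List[bytes]:
    """Rebuild a degraded stripe. Because P = D0 ^ D1 ^ ... ^ Dn, any single missing
    block (data or parity) equals the XOR of every surviving block. Two failures
    leave an unsolvable equation, hence RAID 5 tolerates exactly one failed disk."""
    failed = [i for i, b in enumerate(stripe) if b is None]
    if len(failed) > 1:
        raise ValueError(f"RAID 5 tolerates one failure, {len(failed)} disks failed")
    repaired = list(stripe)
    if failed:
        repaired[failed[0]] = xor_blocks([b for b in stripe if b is not None])
    return repaired


def raid1_recover(mirror: List[Block]) -> List[bytes]:
    """RAID 1 keeps a full copy on every disk; any surviving copy restores the rest."""
    survivor = next((b for b in mirror if b is not None), None)
    if survivor is None:
        raise ValueError("RAID 1: every mirror failed")
    return [survivor] * len(mirror)


def raid0_recover(stripe: List[Block]) -> List[bytes]:
    """RAID 0 only stripes for speed; with no parity or copy, any failure loses data."""
    if any(b is None for b in stripe):
        raise ValueError("RAID 0 has no fault tolerance")
    return list(stripe)


def tolerates(recover: Callable[[List[Block]], List[bytes]], stripe: List[Block]) -> bool:
    """True if the recovery routine can rebuild the stripe as given."""
    try:
        recover(stripe)
        return True
    except ValueError:
        return False


def degrade(stripe: List[bytes], *failed: int) -> List[Block]:
    """Return a copy of the stripe with the given disk indexes marked as failed."""
    return [None if i in failed else b for i, b in enumerate(stripe)]


def demo() -> bool:
    """Write four constructed data blocks to RAID 5, lose disk 1, rebuild, compare."""
    data = [b"blk0", b"blk1", b"blk2", b"blk3"]
    stripe = raid5_write(data)
    rebuilt = raid5_recover(degrade(stripe, 1))
    return rebuilt[:-1] == data


if __name__ == "__main__":
    print("RAID 5 single-disk rebuild ok:", demo())
```

The same XOR identity is why a RAID 5 array in degraded state is one more failure away from data loss: until the rebuild completes, the array is effectively RAID 0.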
Data and Media Controls Cont…
• Store all media securely
• Encrypt sensitive data
• Track and control all media
• Label media
• Secure all data
• Train users
• Establish and train staff in media transport and transmittal procedures
• Use a media library/librarian
• Disposal controls
• Object reuse controls
• Access controls
• Data classification controls

Telecommunications Equipment
• Monitor for errors, inconsistencies, etc.
• Penetration tests should be conducted to ensure that communications controls
• All communications equipment (e.g., bridges, routers, switches, etc.) should be located in secured facilities
• Passwords and other sensitive information being communicated electronically should be encrypted




Support Systems Controls
• Maintain an environmentally sound data center
  – Appropriate temperature
  – Humidity levels
  – Air quality
• Procedures for the installation, monitoring, and maintenance of environmental support equipment




Physical Areas Controls
• Minimize exposure to threats such as fire, water, corrosive agents, smoke, and other potential hazards from adjacent areas, explosion or shock, and unobserved unauthorized access
• Guest or visitor log
• Ensure appropriate accountability for equipment moving in and out




Personnel Controls
• Hiring process, background checks
• Supervision of initial job training, ongoing training, and security awareness training
• Least privilege
• Separation of duties
• Mandatory vacation
• Programmers should not be allowed to have ongoing direct access to computers running production systems
• Audit trails
• Vendor service personnel should be escorted

Change Control Management
• A change is requested by completion of a change request form
• The change request form is analyzed for validity
• The ways the change could be implemented are analyzed
• The costs associated with the change are analyzed
• The analysis and change recommendations are recorded
• The change request is given to the change control board for final decision
• Accepted changes are made and recorded
• The change implementation is submitted to quality control for approval



The Problems
• Powerful system utilities
• Powerful system commands
  – Superzapping: a system utility or application that bypasses all access controls and audit/logging functions to make updates to code or data
• Direct control over hardware and software
• Direct control over all files
• Direct control over printers and output queues
• Powerful input/output commands
• Direct access to servers
• Initial program load from console



The Problems Cont…
• Initial program load (IPL) from tape
• Control over job schedule and execution
• Control over all storage media
• Bypass label processing
• Re-labeling resources
• Resetting date/time, passwords
• Control of access ports/lines
• Erroneous transactions (fraud)
  – Altering proper transactions
  – Adding improper transactions
• Denial of service/delays in operation
• Personal use, disclosure
• Audit trail/log corruption/modification

Protected Resources
• Password files
• Application program libraries
• Source code
• Vendor software
  – Operating system
    • Libraries
    • Utilities
    • Directories
    • Address tables
  – Proprietary packages
• Communications HW/SW
• Main storage
• Disk & tape storage

Protected Resources Cont…
• Processing equipment
• Stand-alone computers and printers
• Sensitive/critical data
  – Files
  – Programs
• System utilities
• System logs/audit trails
  – Violation reports
• Backup files
• Sensitive forms
• Printouts
• People

The Controls
• Accountability
  – Personnel reviews: background checks
  – Password management
    • Personal
    • System
    • Maintenance
      – Trap door: a system or application password included for ease of vendor maintenance
  – Logging of all activities
    • Protected/duplicated log




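"Protected/duplicated log" is the control that answers the "audit trail/log corruption/modification" problem listed earlier. The following is an added example, not material from the deck: each operator activity record is hashed together with the hash of the record before it, so any edit, insertion or mid-log deletion breaks the chain, and the latest head hash is kept on a separate system so that silently dropping the newest entries is caught as well. The sample events, operator names and commands are constructed.

```python
"""Tamper-evident operator activity log: hash chain plus an off-host copy of the head.
Added illustration; the log entries are constructed, not real console records."""
import copy
import hashlib
import json
from typing import Any, Dict, List, Optional

GENESIS = "0" * 64  # hash "before" the first entry

# Constructed sample events, in the shape an operator console might emit.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ts": "2024-01-01T08:00:00Z", "operator": "opA", "cmd": "BACKUP VOL01"},
    {"ts": "2024-01-01T08:05:00Z", "operator": "opA", "cmd": "MOUNT TAPE 0042"},
    {"ts": "2024-01-01T08:09:00Z", "operator": "opB", "cmd": "SET PASSWORD sysadm"},
    {"ts": "2024-01-01T08:12:00Z", "operator": "opB", "cmd": "IPL FROM CONSOLE"},
]


def _entry_hash(seq: int, prev: str, record: Dict[str, Any]) -> str:
    """SHA-256 over the previous hash and a canonical JSON form of the record."""
    payload = json.dumps({"seq": seq, "prev": prev, "record": record},
                         sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def append_entry(log: List[Dict[str, Any]], record: Dict[str, Any]) -> Dict[str, Any]:
    """Append a record whose hash commits to everything logged before it."""
    seq, prev = len(log), (log[-1]["hash"] if log else GENESIS)
    entry = {"seq": seq, "prev": prev, "record": record,
             "hash": _entry_hash(seq, prev, record)}
    log.append(entry)
    return entry


def build_log(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    log: List[Dict[str, Any]] = []
    for event in events:
        append_entry(log, event)
    return log


def verify_chain(log: List[Dict[str, Any]]) -> Optional[int]:
    """Recompute every hash; return the seq of the first bad entry, or None if intact.
    Catches in-place modification, insertion and deletion in the middle of the log."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if (entry["seq"] != i or entry["prev"] != prev
                or entry["hash"] != _entry_hash(i, prev, entry["record"])):
            return i
        prev = entry["hash"]
    return None


def audit(log: List[Dict[str, Any]], trusted_head: str) -> str:
    """The review step. A hash chain alone cannot detect truncation (dropping the
    newest entries leaves a valid shorter chain), so the latest head hash is also
    kept on a separate system (the 'duplicated log') and compared here."""
    bad = verify_chain(log)
    if bad is not None:
        return f"tampered: entry {bad} modified or chain broken"
    if not log or log[-1]["hash"] != trusted_head:
        return "tampered: log truncated or replaced"
    return "ok"


def tampered_copy(log: List[Dict[str, Any]], seq: int, **changes: str) -> List[Dict[str, Any]]:
    """Deep-copy the log and edit one record, simulating an unauthorized change."""
    altered = copy.deepcopy(log)
    altered[seq]["record"].update(changes)
    return altered


if __name__ == "__main__":
    log = build_log(SAMPLE_EVENTS)
    head = log[-1]["hash"]  # this value is what gets shipped off-host after each append
    print(audit(log, head))
    print(audit(tampered_copy(log, 2, operator="opA"), head))
    print(audit(log[:-1], head))
```

The chain only helps if the reviewer's copy of the head hash is not writable by the same operators whose activity is being logged; that is the point of duplicating the log onto a system they do not administer.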
The Controls Cont…
• Accountability
  – Problem reporting and change procedures
    • Reports, tracks, and resolves problems affecting service
      – Reduce failures
      – Prevent recurrence
      – Reduce impact
    • Types: performance/availability
      – Hardware/software
      – Environment
      – Procedures/operations
      – Network
      – Safety/security



The Controls Cont…
• Least Privilege
  – Granular access control over system commands
  – Individual access permissions
  – Hardware/software elements and procedures to enable authorized access and prevent unauthorized access
  – Periodic review of access needed/granted

• Separation of Duties
  – All changes require approval
  – Operational staff should not code or approve changes
    • Operating system, applications, or job controls
  – Operational staff should not perform security duties
    • Security administration
    • Network administration
    • Application administration




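The change control steps listed on the "Change Control Management" slide and the least-privilege and separation-of-duties rules above fit together as one workflow: every step needs a role, and no one may perform two steps that must stay apart on the same request. The following is an added example, not material from the deck; the state names, the role table ROLES and the principals in it are constructed assumptions.

```python
"""Change-control workflow enforcing separation of duties and least privilege.
Added illustration; states, roles and the principals in ROLES are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Set, Tuple


class State(Enum):
    REQUESTED = "requested"
    ANALYZED = "analyzed"
    APPROVED = "approved"
    REJECTED = "rejected"
    IMPLEMENTED = "implemented"
    QC_PASSED = "qc_passed"


class SoDViolation(Exception):
    """One person would perform two duties that must be separated."""


# Constructed role table (principal -> roles). "operator" is operations staff.
ROLES: Dict[str, Set[str]] = {
    "opA": {"operator"},
    "devB": {"developer"},
    "ccb1": {"ccb"},
    "ccb2": {"ccb"},
    "qc1": {"qc"},
    "secC": {"security"},
}

# Slide rule: operations staff should not code, approve changes, or do security work.
INCOMPATIBLE_WITH_OPERATOR = {"developer", "ccb", "security"}


def static_sod_violations(roles: Dict[str, Set[str]]) -> List[str]:
    """Periodic access review: principals holding 'operator' plus an incompatible role."""
    return sorted(p for p, r in roles.items()
                  if "operator" in r and r & INCOMPATIBLE_WITH_OPERATOR)


@dataclass
class ChangeRequest:
    cr_id: str
    requester: str
    description: str
    state: State = State.REQUESTED
    history: List[Tuple[str, str]] = field(default_factory=list)  # (actor, action) trail

    def __post_init__(self) -> None:
        self.history.append((self.requester, "requested"))

    def _step(self, actor: str, role: str, from_state: State, to_state: State,
              action: str, separate_from: Tuple[str, ...] = ()) -> None:
        """Least privilege: the actor needs the role. Separation of duties: the actor
        must not have performed any of the separate_from actions on this request."""
        if self.state is not from_state:
            raise ValueError(f"{self.cr_id}: cannot {action} while {self.state.value}")
        if role not in ROLES.get(actor, set()):
            raise PermissionError(f"{actor} lacks the {role} role")
        for prior_actor, prior_action in self.history:
            if prior_actor == actor and prior_action in separate_from:
                raise SoDViolation(f"{actor} already '{prior_action}' {self.cr_id}")
        self.history.append((actor, action))
        self.state = to_state

    def analyze(self, actor: str) -> None:  # validity, options and cost analysis recorded
        self._step(actor, "developer", State.REQUESTED, State.ANALYZED, "analyzed")

    def decide(self, actor: str, accept: bool) -> None:  # change control board decision
        self._step(actor, "ccb", State.ANALYZED,
                   State.APPROVED if accept else State.REJECTED,
                   "approved" if accept else "rejected",
                   separate_from=("requested", "analyzed"))

    def implement(self, actor: str) -> None:  # accepted change is made and recorded
        self._step(actor, "developer", State.APPROVED, State.IMPLEMENTED, "implemented",
                   separate_from=("approved",))

    def qc_review(self, actor: str) -> None:  # quality control signs off
        self._step(actor, "qc", State.IMPLEMENTED, State.QC_PASSED, "qc_passed",
                   separate_from=("implemented", "approved"))


def raises_sod(step: Callable[..., None], *args) -> bool:
    """True if the step is refused as a separation-of-duties violation."""
    try:
        step(*args)
        return False
    except SoDViolation:
        return True


def run_demo() -> str:
    """Full lifecycle with four distinct people, as the change-control slide lists it."""
    cr = ChangeRequest("CR-1", "opA", "rotate the vendor maintenance account password")
    cr.analyze("devB")
    cr.decide("ccb1", accept=True)
    cr.implement("devB")
    cr.qc_review("qc1")
    return cr.state.value


if __name__ == "__main__":
    print(run_demo())
    own = ChangeRequest("CR-2", "ccb2", "widen console command access")
    own.analyze("devB")
    print("approving one's own request blocked:", raises_sod(own.decide, "ccb2", True))
```

The static check over ROLES is the "periodic review of access needed/granted" bullet: it catches the real-world situation on a later slide where operations staff also support system software or perform security functions, before any individual request is even raised.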
Separation of Duties - Operator
• Installing system software
• Start up/shut down
• Backup/recovery
• Mounting disks/tapes
• Handling hardware
• Adding/removing users (?)




Separation of Duties - Security
• User activities
  – Setting clearances
  – Setting passwords
  – Setting other security characteristics
  – Changing profiles
• Setting file sensitivity labels
• Setting security characteristics of devices and communications channels
• Reviewing audit data




The Problems
• Physical access to the computer room and the devices there
  – IS programmers
  – Cleaning/maintenance
  – Vendor support
  – Contract/temp staff
  – Memory content modification
  – Microcode changes
  – Device shutdown
• Shoulder surfing over the operator's shoulder
• Physical access to printouts: rerouting
• Access to print queues
• Access to printers


The Controls
• Authentication & Least Privilege
  – Authorization for access to the facility
  – Closed shop: physical access controls limiting access to authorized personnel
  – Operations security: controls over resources (HW, media, and operators with access)
  – System high security: the system and all peripherals are protected at the level of the highest security classification of any information housed by the system
  – Tempest: reception of electromagnetic emanations which can be analyzed to disclose sensitive or protected information

Environmental Contamination
• Buildup of conductive particles, contaminants
  – Circuit boards, micro switches, sensors
  – Spontaneous combustion
    • National Fire Protection: a US computer room fire every 10 min
    • 80% unknown causes (HW)
  – Causes equipment failure
    • Mass storage devices
    • Pass through disk drive filters
    • Read/write errors, disk crashes
  – Government/contractor installations
    • Max 100K parts per million in a cubic foot of air
    • Data center particulates <= 0.5 microns (19.69 microinches)

The Controls Cont…
• Software Asset Management
  – Operating/backup software inventory
  – Backups
    • Generations
    • Off-site
    • Environmental control
    • Controlled & authorized access to backups
  – COTS (Commercial Off-the-Shelf) products
  – Maintenance accounts/passwords




The Controls Cont…
• Trusted recovery procedures
  – Ensure security is not breached during system crash and recovery
  – Requires backup
  – Reboot (crash or power failure)
  – Recover file systems (missing resource)
  – Restore files and databases (inconsistent database)
  – Check security files (system compromise)




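The "check security files" step of trusted recovery, and the baseline controls of the configuration management slides that follow, both rest on comparing the live system with a recorded known-good state. The following is an added example, not material from the deck: it takes a baseline of content hashes and permission bits for a constructed set of security files in a temporary directory, then simulates a post-recovery check that finds one modified file, one missing file and one file whose permissions were widened. File names and contents are constructed; in practice the baseline would be stored off the system it describes.

```python
"""Post-recovery integrity check of security-critical files against a stored baseline.
Added illustration; the files, contents and paths below are constructed in a temp dir."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List

Baseline = Dict[str, Dict[str, str]]  # relative path -> {"sha256": ..., "mode": ...}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def file_mode(path: Path) -> str:
    """Permission bits only (e.g. '0o600'); ownership could be recorded the same way."""
    return oct(path.stat().st_mode & 0o777)


def take_baseline(root: Path, relative_paths: List[str]) -> Baseline:
    """Record content hash and permission bits of each file. Keep the result off the
    system (or on write-protected media): a baseline an intruder can edit proves nothing."""
    return {rel: {"sha256": sha256_file(root / rel), "mode": file_mode(root / rel)}
            for rel in relative_paths}


def check_baseline(root: Path, baseline: Baseline) -> Dict[str, List[str]]:
    """Classify every baselined file after a crash/reboot recovery. Content changes
    are checked before permission changes, so each file gets exactly one verdict."""
    verdicts: Dict[str, List[str]] = {"intact": [], "modified": [], "mode_changed": [], "missing": []}
    for rel, expected in baseline.items():
        path = root / rel
        if not path.exists():
            verdicts["missing"].append(rel)
        elif sha256_file(path) != expected["sha256"]:
            verdicts["modified"].append(rel)
        elif file_mode(path) != expected["mode"]:
            verdicts["mode_changed"].append(rel)
        else:
            verdicts["intact"].append(rel)
    return verdicts


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline three files, then simulate a recovery after which
    one was edited, one is gone and one has wider permissions than before."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        files = {  # constructed contents; not copied from any real system
            "etc/passwd": "root:x:0:0:root:/root:/bin/sh\n",
            "etc/sudoers": "root ALL=(ALL) ALL\n",
            "etc/audit.rules": "-w /etc/passwd -p wa -k identity\n",
        }
        for rel, content in files.items():
            (root / rel).write_text(content)
            os.chmod(root / rel, 0o600)
        baseline = take_baseline(root, list(files))

        # State found after the "recovery": one edit, one deletion, one chmod.
        (root / "etc/sudoers").write_text("root ALL=(ALL) ALL\nopA ALL=(ALL) ALL\n")
        (root / "etc/audit.rules").unlink()
        os.chmod(root / "etc/passwd", 0o644)
        return check_baseline(root, baseline)


if __name__ == "__main__":
    for verdict, paths in demo().items():
        print(f"{verdict:13s} {paths}")
```

Any file outside "intact" is a finding for the recovery procedure: "missing" and "modified" are restored from the authorized backup, and "mode_changed" is corrected before the system returns to service, since a widened permission on a security file is itself a compromise indicator.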
Trusted System Operations
• Trusted computing base: HW/FW/SW protected by appropriate mechanisms at the appropriate level of sensitivity/security to enforce the security policy
• Trusted facility management: supports separate operator and administrator roles (B2)
• Clearly identify security admin functions
• Definition - Integrity
  – Formal declaration or certification of a product




Configuration Management
• Controlling modifications to system HW/FW/SW/documentation
• Ensures integrity and limits non-approved changes
• Baseline controls
  – Policies
  – Standards
  – Procedures
  – Responsibilities
  – Requirements
  – Impact assessments
  – Software level maintenance




Configuration Management Cont…
• Organized and consistent plan covering
  – Description of physical/media controls
  – Electronic transfer of software
  – Communications software/protocols
  – Encryption methods/devices
  – Security features/limitations of software
  – Hardware requirements/settings/protocols
  – System responsibilities/authorities
  – Security roles/responsibilities
  – User needs (sensitivity, functionality)
  – Audit information and process
  – Risk assessment results

Vulnerabilities Summary
• Improper access to system utilities
• Improper access to information
• Improper update of information
• Improper destruction of information
• Improper change to job schedule
• Improper access to printed materials
• Physical access to the computer room
• Physical access to printouts
• Access to print queues
• Denial of service
• Inability to recover from failures
• Fraud

The Real World
• Operations Controls
  – Organizations are understaffed; staff wear too many hats
  – Separation of duties is seldom complete
  – A single password is used by all operators
  – System commands are unrestricted on the console
    • or are granted to all operations staff
  – Commands are not logged
    • or logs are not reviewed
  – Emergency procedures and approvals are poorly defined
  – Operations personnel may support system software
    • or perform security functions

The Real World Cont…
• Operations Controls
  – Most of IS and many users have access to the facility
  – Printouts are laid out for pickup without oversight
  – Print queues are openly available to on-line users
  – Only some platforms are backed up
  – Backups are often stored on site
    • in the computer room
    • or in an office
  – No restrictions are placed on access to backups
  – Communications closets are open



Media Controls
• Tapes, disks, diskettes, cards, paper, optical
• Volume labels required
  – Human/machine readable
  – Date created, created by
  – Date to destroy/retention period
  – Volume/file name, version
  – Classification
• Audit trail
• Separation of responsibility: librarian
• Backup procedures




Definitions
• Acceptance
  – Verification that performance & security requirements have been met
• Accreditation
  – Formal acceptance of security adequacy, authorization for operation, and acceptance of existing risk (QC)
• Certification
  – Formal testing of security safeguards
• Operational assurance
  – Verification that a system is operating according to its security requirements
    • Design & development reviews
    • Formal modeling
    • Security architecture
    • ISO 9000 quality techniques
• Assurance
  – Degree of confidence that the implemented security measures work as intended


 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 

8. operations security

2. Operations Security
• General security principles
• Operations security
• Identify historical and real-time security events
• Capture subsequent actions
• Identify the key elements involved
• The controls
• Alert appropriate authorities
• Take appropriate corrective or recovery actions

3. Operations Security
• The process of safeguarding information assets while the data is resident in the computer or on storage media, in transit through communication links, or otherwise associated with the data processing environment
• Identifies the controls over hardware, media, and the operators and administrators with access privileges to these resources

4. General Security Principles
• Accountability
  – Authorization
  – Logging
• Separation of duties
• Least privilege
• Risk reduction
• Layered defense
• Redundancy

5. The Security Goals
• Operations management
• Problem management
• Service level management
• Performance and capacity management
• Change management
• Configuration management
• Software control and distribution
• Availability and continuity management
• Security management

6. The Controls
• Directive Controls (Administrative controls)
  – Intended to advise employees of the behavior expected of them when they interact with or use the organization's information systems
• Preventive Controls
  – Physical, administrative, and technical measures intended to preclude actions that violate policy or increase risk to system resources
• Detective Controls
  – The use of practices, processes, and tools that identify and possibly react to security violations

7. The Controls Cont…
• Corrective Controls
  – Physical, administrative, and technical measures designed to react to the detection of an incident in order to reduce or eliminate the opportunity for the unwanted event to recur
• Recovery Controls
  – Restore the system or operation to a normal operating state

8. Hardware Controls
• Include the physical protection of the equipment
• Surge protectors, UPS
• Configuration and maintenance logs
• Problem tracking

9. Software Controls
• OS controls: restrict and monitor
  – Changing computer system privileges or controls
  – Changing protective features or parameters affecting another user
  – Allocating resources
  – Halting the computing system
  – Controlling the allocation and sharing of system and data resources (e.g., memory, file space, CPU cycles)
• Enforce the conditions of software licenses and respect software copyright requirements
• All acquired software, from any source (vendors, partners, freeware, etc.), must be examined for malicious code
• Check software for backdoors and trapdoors

10. Operational Controls
• Whether in a data center or a network environment, establish, document, and enforce operating procedures for all equipment and software
• Recovery actions
  – System reboot
  – Emergency system restart
  – System cold start
• Types of recovery
  – Manual recovery
  – Automated recovery
  – Automated recovery without undue loss
  – Function recovery

11. Data and Media Controls
• Backup
  – Electronic vaulting: backup data is sent electronically to the selected recovery or backup storage location
  – Remote journaling: the same logging procedure a database management system uses to create the on-site journal is used to create a second journal at the off-site storage location
  – Database shadowing: the system creates updates to the production system, journals them, and sends them to the alternate computer

12. Data and Media Controls Cont…
• Direct Access Storage Devices (DASDs)
• Fault tolerance
• Network data mirroring
• Redundant Arrays of Independent Disks (RAID)
  – Failure Resistant Disk Systems (FRDSs): protect against data loss due to disk failure
  – Failure Tolerant Disk Systems (FTDSs), the enhancement of FRDSs: protect against loss of data access due to failure of any single component
  – Disaster Tolerant Disk Systems (DTDSs): consist of two or more independent zones, either of which provides access to stored data

13. RAID Levels
• Level 0: Striped Disk Array without Fault Tolerance
• Level 1: Mirroring and Duplexing
• Level 2: Error-Correcting Coding
• Level 3: Bit-Interleaved Parity
• Level 4: Dedicated Parity Drive
• Level 5: Block-Interleaved Distributed Parity
• Level 6: Independent Data Disks with Double Parity
• Level 10: A Stripe of Mirrors
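The RAID levels on slides 12 and 13 are named but not explained. The following is an added example, not part of the slide deck, that models levels 0, 1 and 5 with four in-memory "disks" and shows the XOR parity on which levels 3, 4 and 5 rest: losing a disk under level 0 loses its blocks, under level 1 the mirror survives, and under level 5 the lost disk is rebuilt from the surviving blocks of each stripe. The block size, disk count and payload are constructed for the example; levels 2 and 6 use error-correcting codes beyond plain XOR and are not modelled.

```python
"""Added example (not from the slides): RAID 0, 1 and 5 placement of data and
parity across disks, with rebuild of a failed RAID 5 disk from XOR parity.

Constructed for illustration: four in-memory "disks", a 4-byte block size and a
short payload.  Levels 2 and 6 use error-correcting codes and are not modelled.
"""

BLOCK = 4  # constructed block size in bytes


def split_blocks(data: bytes) -> list:
    """Zero-pad data to a whole number of blocks and cut it into blocks."""
    data += b"\x00" * ((-len(data)) % BLOCK)
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def xor_blocks(blocks) -> bytes:
    """XOR of equally sized blocks: the parity used by RAID 3, 4 and 5."""
    out = bytearray(BLOCK)
    for blk in blocks:
        for i, byte in enumerate(blk):
            out[i] ^= byte
    return bytes(out)


def raid0_write(data: bytes, ndisks: int) -> list:
    """Level 0: stripe blocks round-robin; no redundancy, so any disk loss loses data."""
    disks = [[] for _ in range(ndisks)]
    for i, blk in enumerate(split_blocks(data)):
        disks[i % ndisks].append(blk)
    return disks


def raid1_write(data: bytes) -> list:
    """Level 1: every block is written to both disks (mirroring)."""
    blocks = split_blocks(data)
    return [list(blocks), list(blocks)]


def raid5_write(data: bytes, ndisks: int) -> list:
    """Level 5: block-interleaved parity, with the parity block rotating across disks."""
    width = ndisks - 1                       # data blocks per stripe
    blocks = split_blocks(data)
    blocks += [b"\x00" * BLOCK] * ((-len(blocks)) % width)
    disks = [[] for _ in range(ndisks)]
    for stripe_no, start in enumerate(range(0, len(blocks), width)):
        stripe = blocks[start:start + width]
        parity_disk = stripe_no % ndisks     # distributed parity (level 4 would fix one disk)
        parity = xor_blocks(stripe)
        data_iter = iter(stripe)
        for d in range(ndisks):
            disks[d].append(parity if d == parity_disk else next(data_iter))
    return disks


def raid5_rebuild(disks: list, failed: int) -> list:
    """Rebuild a failed disk: each of its blocks is the XOR of the stripe's survivors."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return [xor_blocks(stripe) for stripe in zip(*survivors)]


def raid5_read(disks: list, length: int) -> bytes:
    """Read the payload back, skipping each stripe's parity block."""
    ndisks = len(disks)
    out = bytearray()
    for stripe_no, stripe in enumerate(zip(*disks)):
        parity_disk = stripe_no % ndisks
        out += b"".join(blk for d, blk in enumerate(stripe) if d != parity_disk)
    return bytes(out[:length])


def demo() -> dict:
    """Constructed scenario: lose one disk under each level and see what survives."""
    payload = b"operations security keeps the data center running"
    results = {}
    # Level 0: the lost disk's blocks are simply gone.
    r0 = raid0_write(payload, 4)
    results["raid0_blocks_lost"] = len(r0[1])
    # Level 1: the surviving mirror still holds everything.
    r1 = raid1_write(payload)
    results["raid1_survives"] = b"".join(r1[0])[:len(payload)] == payload
    # Level 5: rebuild the lost disk from parity, then read the payload back.
    r5 = raid5_write(payload, 4)
    lost = 2
    damaged = [d if i != lost else None for i, d in enumerate(r5)]
    damaged[lost] = raid5_rebuild(damaged, lost)
    results["raid5_rebuilt_matches"] = damaged[lost] == r5[lost]
    results["raid5_survives"] = raid5_read(damaged, len(payload)) == payload
    return results


if __name__ == "__main__":
    print(demo())
```

The rebuild works because parity is the XOR of every data block in the stripe, so any single missing block (data or parity) equals the XOR of the others; two simultaneous losses defeat it, which is what the double parity of level 6 addresses.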
14. Data and Media Controls Cont…
• Store all media securely
• Encrypt sensitive data
• Track and control all media
• Label media
• Secure all data
• Train users
• Establish media transport and transmittal procedures and train staff in them
• Use a media library/librarian
• Disposal controls
• Object reuse controls
• Access controls
• Data classification controls

15. Telecommunications Equipment
• Monitor for errors, inconsistencies, etc.
• Penetration tests should be conducted to ensure that communications controls
• All communications equipment (e.g., bridges, routers, switches) should be located in secured facilities
• Passwords and other sensitive information communicated electronically should be encrypted

16. Support Systems Controls
• Maintain an environmentally sound data center
  – Appropriate temperature
  – Humidity levels
  – Air quality
• Procedures for the installation, monitoring, and maintenance of environmental support equipment

17. Physical Areas Controls
• Minimize exposure to threats from adjacent areas, such as fire, water, corrosive agents, smoke and other potential hazards, explosion or shock, and unobserved unauthorized access
• Guest or visitor log
• Ensure appropriate accountability for equipment moving in and out

18. Personnel Controls
• Hiring process, background checks
• Supervision of initial job training, ongoing training, and security awareness training
• Least privilege
• Separation of duties
• Mandatory vacation
• Programmers should not be allowed ongoing direct access to computers running production systems
• Audit trails
• Vendor service personnel should be escorted

19. Change Control Management
• A change is requested by completing a change request form
• The change request form is analyzed for validity
• The ways the change could be implemented are analyzed
• The costs associated with the change are analyzed
• The analysis and change recommendations are recorded
• The change request is given to the change control board for a final decision
• Accepted changes are made and recorded
• The change implementation is submitted to quality control for approval

20. The Problems
• Powerful system utilities
• Powerful system commands
  – Superzapping: a system utility or application that bypasses all access controls and audit/logging functions to make updates to code or data
• Direct control over hardware and software
• Direct control over all files
• Direct control over printers and output queues
• Powerful input/output commands
• Direct access to servers
• Initial program load from console

21. The Problems Cont…
• Initial program load (IPL) from tape
• Control over job schedule and execution
• Control over all storage media
• Bypass label processing
• Re-labeling resources
• Resetting date/time, passwords
• Control of access ports/lines
• Erroneous transactions (fraud)
  – Altering proper transactions
  – Adding improper transactions
• Denial of service / delays in operation
• Personal use, disclosure
• Audit trail/log corruption/modification

22. Protected Resources
• Password files
• Application program libraries
• Source code
• Vendor software
• Operating system
  – Libraries
  – Utilities
  – Directories
  – Address tables
• Proprietary packages
• Communications HW/SW
• Main storage
• Disk and tape storage

23. Protected Resources Cont…
• Processing equipment
• Stand-alone computers and printers
• Sensitive/critical data
  – Files
  – Programs
• System utilities
• System logs/audit trails
• Violation reports
• Backup files
• Sensitive forms
• Printouts
• People

24. The Controls
• Accountability
  – Personnel reviews: background checks
  – Password management
    • Personal
    • System
    • Maintenance
  – Trap door: a system or application password included for ease of vendor maintenance
  – Logging of all activities
    • Protected/duplicated log
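Slide 21 lists audit trail corruption and modification as a problem, and slide 24 answers it with a "protected/duplicated log" without saying what protects it. The following is an added example, not from the slides, of one way to do that: each entry is chained to the previous one with a keyed hash (HMAC-SHA256), so editing or deleting an entry breaks every tag after it, and the duplicated copy only needs to hold the latest tag to reveal that the tail of the log has been cut off. The key, operator names and console events are constructed for the example.

```python
"""Added example (not from the slides): an append-only audit log whose entries
are chained with HMAC-SHA256 so that edits, deletions and truncation are
detectable.  The off-box duplicate need only store the latest tag ("head").

The key, user names and records below are constructed for this example.
"""

import copy
import hashlib
import hmac
import json
from typing import Optional

GENESIS = bytes(32)                                   # tag assumed before the first entry
KEY = b"constructed-demo-key-not-for-real-use"       # would live in an HSM or KMS


def entry_tag(key: bytes, prev_tag: bytes, record: dict) -> str:
    """Tag = HMAC(key, previous tag || canonical JSON of the record)."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag + body, hashlib.sha256).hexdigest()


class ChainedLog:
    """Log kept on the system that generates the events."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries: list = []                        # each: {"record": {...}, "tag": hex}

    def head(self) -> str:
        """Latest tag; this is what the duplicate copy records after every append."""
        return self.entries[-1]["tag"] if self.entries else GENESIS.hex()

    def append(self, record: dict) -> str:
        tag = entry_tag(self._key, bytes.fromhex(self.head()), record)
        self.entries.append({"record": record, "tag": tag})
        return tag


def verify_chain(key: bytes, entries: list,
                 expected_head: Optional[str] = None) -> tuple:
    """Return (ok, index of the first bad entry).

    A chain that verifies but does not end at expected_head (the tag held by the
    duplicate) reports index len(entries): entries are missing from the tail.
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        if not hmac.compare_digest(entry_tag(key, prev, e["record"]), e["tag"]):
            return False, i
        prev = bytes.fromhex(e["tag"])
    if expected_head is not None and not hmac.compare_digest(prev.hex(), expected_head):
        return False, len(entries)
    return True, None


def build_sample_log() -> ChainedLog:
    """Constructed operator console events (see slides 24 and 38)."""
    log = ChainedLog(KEY)
    log.append({"ts": "2024-05-01T08:00:00Z", "user": "op1", "cmd": "mount tape T0423"})
    log.append({"ts": "2024-05-01T08:05:12Z", "user": "op1", "cmd": "start backup JOB7"})
    log.append({"ts": "2024-05-01T09:41:03Z", "user": "op2", "cmd": "set clock 09:40"})
    return log


def tamper_scenarios() -> dict:
    """Run the verifier over an intact copy and three altered copies of the log."""
    log = build_sample_log()
    head = log.head()                                  # held by the duplicate copy
    intact = copy.deepcopy(log.entries)

    edited = copy.deepcopy(intact)                     # entry 1 attributed to someone else
    edited[1]["record"]["user"] = "op2"

    deleted = copy.deepcopy(intact)                    # middle entry removed
    del deleted[1]

    truncated = intact[:-1]                            # last entry removed

    return {
        "intact": verify_chain(KEY, intact, head),
        "edited": verify_chain(KEY, edited, head),
        "deleted": verify_chain(KEY, deleted, head),
        "truncated": verify_chain(KEY, truncated, head),
        "truncated_without_duplicate": verify_chain(KEY, truncated),
    }


if __name__ == "__main__":
    for name, result in tamper_scenarios().items():
        print(f"{name:28s} {result}")
```

The last scenario is the reason slide 24 says "duplicated": a log cut off cleanly at an entry boundary still verifies on its own, and only the head stored elsewhere shows that entries are gone.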
25. The Controls Cont…
• Accountability
  – Problem reporting and change procedures
    • Reports, tracks, and resolves problems affecting service
      – Reduce failures
      – Prevent recurrence
      – Reduce impact
    • Types: performance/availability
      – Hardware/software
      – Environment
      – Procedures/operations
      – Network
      – Safety/security

26. The Controls Cont…
• Least Privilege
  – Granular access control over system commands
  – Individual access permissions
  – Hardware/software elements and procedures to enable authorized access and prevent unauthorized access
  – Periodic review of access needed and access granted
• Separation of Duties
  – All changes require approval
  – Operational staff should not code or approve changes
    • Operating system, applications, or job controls
  – Operational staff should not perform security duties
    • Security administration
    • Network administration
    • Application administration

27. Separation of Duties: Operator
• Installing system software
• Start up/shut down
• Backup/recovery
• Mounting disks/tapes
• Handling hardware
• Adding/removing users (?)

28. Separation of Duties: Security
• User activities
• Setting clearances
• Setting passwords
• Setting other security characteristics
• Changing profiles
• Setting file sensitivity labels
• Setting security characteristics of devices and communications channels
• Reviewing audit data
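Slide 19 gives the change-control steps and slides 18 and 26 give the separation-of-duties rules, but the deck does not show how the two fit together in a system that enforces them. The following is an added example, not from the slides, that runs the change-control steps as a state machine and checks the rules at every transition: no implementation before board approval, operators neither code nor approve nor hold security roles, programmers have no production access (implementation is an operator step), and the person who raised a change cannot be the one who approves or quality-checks it. Role names, staff names and the SoDViolation exception are constructed for the example.

```python
"""Added example (not from the slides): the change-control steps of slide 19 as a
state machine, with the separation-of-duties rules of slides 18 and 26 enforced at
each transition.  Role names, user names and SoDViolation are constructed here.
"""

from typing import Callable

# Role pairs one person must never hold together (slides 18 and 26).
INCOMPATIBLE_ROLES = (
    frozenset({"operator", "security_admin"}),   # ops staff do not perform security duties
    frozenset({"operator", "programmer"}),       # ops staff do not code
    frozenset({"operator", "ccb_member"}),       # ops staff do not approve changes
)

# The steps of slide 19, collapsed to the five points where a person acts.
STEPS = ("request", "analyze", "approve", "implement", "qc")
REQUIRED_ROLE = {"request": None, "analyze": "analyst", "approve": "ccb_member",
                 "implement": "operator", "qc": "qc"}   # programmers never implement
# (earlier step, later step): the later step may not be done by the earlier step's actor.
MUST_DIFFER = (("request", "approve"), ("analyze", "approve"),
               ("request", "qc"), ("implement", "qc"))


class SoDViolation(Exception):
    """A transition that would put incompatible duties in one person's hands."""


def check_role_set(user: str, roles: set) -> set:
    """Reject incompatible role combinations; also the check a periodic access review runs."""
    for pair in INCOMPATIBLE_ROLES:
        if pair <= roles:
            raise SoDViolation(f"{user} holds incompatible roles {sorted(pair)}")
    return roles


class ChangeRequest:
    def __init__(self, title: str, directory: dict):
        self.title = title
        self.directory = directory       # user -> set of roles (already validated)
        self.actors: dict = {}           # step -> user who performed it

    def next_step(self):
        return STEPS[len(self.actors)] if len(self.actors) < len(STEPS) else None

    def perform(self, step: str, user: str) -> str:
        """Record that `user` performed `step`, or raise SoDViolation."""
        expected = self.next_step()
        if step != expected:             # e.g. implementing before CCB approval
            raise SoDViolation(f"{step!r} not allowed now; next step is {expected!r}")
        roles = self.directory.get(user, set())
        need = REQUIRED_ROLE[step]
        if need and need not in roles:
            raise SoDViolation(f"{user} lacks role {need!r} required for {step!r}")
        for earlier, later in MUST_DIFFER:
            if step == later and self.actors.get(earlier) == user:
                raise SoDViolation(f"{user} did {earlier!r}; may not also do {later!r}")
        self.actors[step] = user
        return step

    def complete(self) -> bool:
        return len(self.actors) == len(STEPS)


def build_directory() -> dict:
    """Constructed staff directory; every role set is validated on the way in."""
    staff = {"alice": {"programmer"}, "bob": {"analyst"}, "carol": {"ccb_member"},
             "olga": {"operator"}, "quinn": {"qc"}, "sam": {"security_admin"}}
    return {u: check_role_set(u, r) for u, r in staff.items()}


def violates(action: Callable[[], object]) -> bool:
    """True if the action raises SoDViolation."""
    try:
        action()
    except SoDViolation:
        return True
    return False


def run_demo() -> dict:
    d = build_directory()
    ok = ChangeRequest("rotate backup encryption key", d)
    for step, user in [("request", "alice"), ("analyze", "bob"), ("approve", "carol"),
                       ("implement", "olga"), ("qc", "quinn")]:
        ok.perform(step, user)
    results = {"happy_path_complete": ok.complete()}

    cr = ChangeRequest("patch job scheduler", d)
    cr.perform("request", "quinn")   # anyone may raise a request
    results["implement_before_approval"] = violates(lambda: cr.perform("implement", "olga"))
    cr.perform("analyze", "bob")
    results["operator_approves"] = violates(lambda: cr.perform("approve", "olga"))
    cr.perform("approve", "carol")
    results["programmer_touches_production"] = violates(lambda: cr.perform("implement", "alice"))
    cr.perform("implement", "olga")
    results["requester_does_own_qc"] = violates(lambda: cr.perform("qc", "quinn"))
    results["operator_given_security_role"] = violates(
        lambda: check_role_set("olga", {"operator", "security_admin"}))
    return results


if __name__ == "__main__":
    print(run_demo())
```

Each rejected transition is the kind of event slide 38 says goes unlogged in practice; in a real system the SoDViolation would be written to the audit trail as well as refused.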
29. The Problems
• Physical access to the computer room and the devices in it
  – IS programmers
  – Cleaning/maintenance
  – Vendor support
  – Contract/temp staff
  – Memory content modification
  – Microcode changes
  – Device shutdown
• Shoulder surfing over the operator's shoulder
• Physical access to printouts: rerouting
• Access to print queues
• Access to printers

30. The Controls
• Authentication and Least Privilege
  – Authorization for access to the facility
  – Closed shop: physical access controls limiting access to authorized personnel
  – Operations security: controls over resources (hardware, media, and operators with access)
  – System high security: the system and all peripherals are protected at the level of the highest security classification of any information housed by the system
  – Tempest: reception of electromagnetic emanations which can be analyzed to disclose sensitive or protected information

31. Environmental Contamination
• Buildup of conductive particles and contaminants
  – Circuit boards, micro switches, sensors
  – Spontaneous combustion
    • National Fire Protection: a US computer room fire every 10 min
    • 80% unknown causes (HW)
  – Causes equipment failure
    • Mass storage devices
    • Pass through disk drive filters
    • Read/write errors, disk crashes
  – Government/contractor installations
    • Max 100K parts per million in a cubic foot of air
    • Data center particulates <= 0.5 microns (19.69 microinches)

32. The Controls Cont…
• Software Asset Management
  – Operating/backup software inventory
  – Backups
    • Generations
    • Off-site
    • Environmental control
    • Controlled and authorized access to backups
  – COTS (Computer Off-the-Shelf) products
  – Maintenance accounts/passwords

33. The Controls Cont…
• Trusted recovery procedures
  – Ensure security is not breached during a system crash and recovery
  – Requires backup
  – Reboot (crash or power failure)
  – Recover file systems (missing resource)
  – Restore files and databases (inconsistent database)
  – Check security files (system compromise)
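The last item on slide 33, "check security files", is the step that decides whether a recovered system may leave maintenance mode. The following is an added example, not from the slides, of that check as a baseline-and-verify routine: a manifest of SHA-256 digests of security-critical files is taken while the system is known-good and stored with the backups, and after the crash the files are hashed again and normal operation is resumed only if nothing is missing or modified. The file names, their contents and the temporary directory are constructed for the example.

```python
"""Added example (not from the slides): the "check security files" step of
trusted recovery as a baseline manifest plus a post-recovery verification.

File names, contents and the temporary directory are constructed for this example.
"""

import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, names) -> dict:
    """Manifest taken while the system is known-good: relative name -> digest.
    In practice it is stored with the backups, not on the system it describes."""
    return {name: file_digest(root / name) for name in names}


def check_security_files(root: Path, baseline: dict) -> dict:
    """Compare the current files against the manifest and decide whether to resume."""
    report = {"ok": [], "modified": [], "missing": []}
    for name, expected in sorted(baseline.items()):
        path = root / name
        if not path.is_file():
            report["missing"].append(name)
        elif file_digest(path) != expected:
            report["modified"].append(name)
        else:
            report["ok"].append(name)
    # Any deviation keeps the recovery in maintenance mode until an administrator
    # restores the affected files from a trusted backup and re-runs the check.
    report["safe_to_resume"] = not (report["modified"] or report["missing"])
    return report


def demo() -> tuple:
    """Constructed scenario: take a baseline, simulate damage, check before and after."""
    files = {
        "passwd": b"root:x:0:0:root:/root:/bin/sh\nop1:x:1001:1001::/home/op1:/bin/sh\n",
        "audit.rules": b"-w /etc/passwd -p wa -k identity\n",
        "console.conf": b"login_required=yes\nidle_timeout=300\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, content in files.items():
            (root / name).write_bytes(content)
        baseline = build_baseline(root, files)
        before = check_security_files(root, baseline)
        # Simulated consequences of the crash and an unauthorised change.
        (root / "audit.rules").unlink()                               # audit rules lost
        (root / "console.conf").write_bytes(b"login_required=no\n")   # setting weakened
        after = check_security_files(root, baseline)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

The manifest must itself be trusted: if it sits on the recovered system it can be rewritten along with the files, which is why the slide pairs this step with "requires backup".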
34. Trusted System Operations
• Trusted computer base: HW/FW/SW protected by appropriate mechanisms at the appropriate level of sensitivity/security to enforce the security policy
• Trusted facility management: supports separate operator and administrator roles (B2)
• Clearly identify security admin functions
• Definition: Integrity, a formal declaration or certification of a product

35. Configuration Management
• Controlling modifications to system HW/FW/SW/documentation
• Ensures integrity and limits non-approved changes
• Baseline controls
  – policies
  – standards
  – procedures
  – responsibilities
  – requirements
  – impact assessments
  – software level maintenance

36. Configuration Management Cont…
• An organized and consistent plan covering
  – description of physical/media controls
  – electronic transfer of software
  – communications software/protocols
  – encryption methods/devices
  – security features/limitations of software
  – hardware requirements/settings/protocols
  – system responsibilities/authorities
  – security roles/responsibilities
  – user needs (sensitivity, functionality)
  – audit information and process
  – risk assessment results

37. Vulnerabilities Summary
• Improper access to system utilities
• Improper access to information
• Improper update of information
• Improper destruction of information
• Improper change to job schedule
• Improper access to printed materials
• Physical access to the computer room
• Physical access to printouts
• Access to print queues
• Denial of service
• Inability to recover from failures
• Fraud

38. The Real World
• Operations Controls
  – Organizations are understaffed; staff wear too many hats
  – Separation of duties is seldom complete
  – A single password is used by all operators
  – System commands are unrestricted on the console, or are granted to all operations staff
  – Commands are not logged, or logs are not reviewed
  – Emergency procedures and approvals are poorly defined
  – Operations personnel may support system software or perform security functions

39. The Real World Cont…
• Operations Controls
  – Most of IS and many users have access to the facility
  – Printouts are laid out for pickup without oversight
  – Print queues are openly available to on-line users
  – Only some platforms are backed up
  – Backups are often stored on site, in the computer room or in an office
  – No restrictions are placed on access to backups
  – Communications closets are open

40. Media Controls
• Tapes, disks, diskettes, cards, paper, optical
• Volume labels required
  – Human/machine readable
  – Date created, created by
  – Date to destroy/retention period
  – Volume/file name, version
  – Classification
• Audit trail
• Separation of responsibility: librarian
• Backup procedures

41. Definitions
• Acceptance: verification that performance and security requirements have been met
• Accreditation: formal acceptance of security adequacy, authorization for operation, and acceptance of existing risk (QC)
• Certification: formal testing of security safeguards
• Operational assurance: verification that a system is operating according to its security requirements
  – Design and development reviews
  – Formal modeling
  – Security architecture
  – ISO 9000 quality techniques
• Assurance: degree of confidence that the implemented security measures work as intended

42. ?

Editor's Notes

1. Approach: interaction/discussion, based upon general security principles. Overlap: the topic categories are arbitrary, and the discussion will touch on the same areas multiple times. First topic: application system development.
2. Approach: interaction/discussion, based upon general security principles: accountability, authorization, logging, separation of duties, least privilege, risk reduction, layered defense, redundancy. Overlap: the topic categories are arbitrary, and the discussion will touch on the same areas multiple times. First topic: application system development.