This document discusses operations security principles and controls. It covers general security concepts like accountability, separation of duties, and least privilege. It then details various technical, physical, and administrative controls for securing hardware, software, data, communications, facilities, personnel, and operations. The goals are to prevent security issues, detect any violations, and enable recovery of systems and data if problems occur. Key areas covered include access controls, backup and disaster recovery, change management, and configuration management.
2. Operations Security
General security principles
Operations Security
Identify historical and real-time security events
Capture subsequent actions
Identify the key elements involved
The Controls
Alert appropriate authorities
Take appropriate corrective or recovery actions
3. Operations Security
The process of safeguarding information assets while the data is resident in the computer, storage media, in transit through communication links, or otherwise associated with the data processing environment
Identifies the controls over hardware, media, and the operators and administrators with access privileges to these resources
4. General Security Principles
Accountability
Authorization
Logging
Separation of duties
Least privilege
Risk reduction
Layered defense
Redundancy
5. The Security Goals
Operations management
Problem management
Service level management
Performance and capacity management
Change management
Configuration management
Software control and distribution
Availability and continuity management
Security management
6. The Controls
Directive Controls (Administrative controls)
Intended to advise employees of the behavior expected of them during their interfaces with or use of the organization’s information systems
Preventive Controls
Physical, administrative, and technical measures intended to preclude actions violating policy or increasing risk to system resources
Detective Controls
The use of practices, processes, and tools that identify and possibly react to security violations
7. The Controls Cont…
Corrective Controls
Involve physical, administrative, and technical measures designed to react to detection of an incident in order to reduce or eliminate the opportunity for the unwanted event to recur
Recovery Controls
To restore the system or operation to a normal operating state
8. Hardware Controls
Include the physical protection of the equipment.
Surge Protectors, UPS
Configuration and maintenance logs
Problem Tracking
9. Software Controls
OS Controls
Restrict and Monitor
Changing computer system privileges or controls
Changing protective features or parameters affecting another user
Allocating resources
Halting the computing system
Controlling the allocation and sharing of system and data resources (e.g., memory, file space, CPU cycles, etc.)
Enforce the conditions of software licenses and respect software copyright requirements
All acquired software from any source — vendors, partners, freeware, etc. — must be examined for malicious code
Check software for backdoors and trapdoors
10. Operational controls
Either in a data center or a network environment, establish, document, and enforce operating procedures for all equipment and software
Recovery actions
System reboot
Emergency system restart
System cold start
Types of recovery
Manual recovery
Automated recovery
Automated recovery without undue loss
Function recovery
11. Data and Media Controls
Backup
Electronic Vaulting
Backup data is sent electronically to the selected recovery or backup storage location
Remote Journaling
The same logging procedure used for a database management system to create the on-site journal is used to create a second journal at the off-site storage location
Database Shadowing
The system creates updates to the production system, journals them, and sends them to the alternate computer
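The remote journaling and database shadowing bullets above describe an architecture rather than a single command, so here is an added in-memory simulation of it (example code written for this page, not taken from the slides): the primary journals every update before applying it, ships the unshipped journal records to an off-site copy, and the off-site site replays them into a shadow database. The site names, account keys, amounts and the sequence-gap check are constructed assumptions; the point it shows is that everything not yet shipped when the primary is lost is exactly the recovery-point loss.

```python
# Added example (not from the slides): remote journaling and database shadowing
# simulated in memory. Site names, account keys and amounts are constructed.
from typing import Dict, List, Tuple


def _apply(db: Dict[str, int], entry: dict) -> None:
    """Apply one journaled update to a database copy (primary or shadow)."""
    delta = entry["amount"] if entry["op"] == "credit" else -entry["amount"]
    db[entry["key"]] = db.get(entry["key"], 0) + delta


class PrimarySite:
    """Production system: every update is journaled before the data is changed."""

    def __init__(self) -> None:
        self.db: Dict[str, int] = {}
        self.journal: List[dict] = []
        self.shipped = 0  # number of journal records already sent off-site

    def update(self, key: str, op: str, amount: int) -> None:
        entry = {"seq": len(self.journal) + 1, "key": key, "op": op, "amount": amount}
        self.journal.append(entry)  # on-site journal (write-ahead)
        _apply(self.db, entry)

    def ship_journal(self, remote: "RemoteSite") -> int:
        """Remote journaling: send the not-yet-shipped records to the off-site journal."""
        batch = self.journal[self.shipped:]
        remote.receive(batch)
        self.shipped += len(batch)
        return len(batch)


class RemoteSite:
    """Off-site location holding the second journal and the shadow database."""

    def __init__(self) -> None:
        self.journal: List[dict] = []
        self.shadow: Dict[str, int] = {}
        self.replayed = 0

    def receive(self, batch: List[dict]) -> None:
        # Reject gaps or replays: a missing record would silently corrupt the shadow.
        for entry in batch:
            expected = len(self.journal) + 1
            if entry["seq"] != expected:
                raise ValueError(f"journal gap: expected seq {expected}, got {entry['seq']}")
            self.journal.append(entry)

    def replay(self) -> Dict[str, int]:
        """Database shadowing: apply journaled updates to the alternate computer's copy."""
        for entry in self.journal[self.replayed:]:
            _apply(self.shadow, entry)
        self.replayed = len(self.journal)
        return dict(self.shadow)


def simulate(ship_after: int) -> Tuple[Dict[str, int], Dict[str, int], int]:
    """Run a constructed workload, ship the journal once after `ship_after` updates,
    then lose the primary. Returns (primary state, recovered shadow state, records lost)."""
    primary, remote = PrimarySite(), RemoteSite()
    workload = [("acct-1", "credit", 100), ("acct-2", "credit", 50),
                ("acct-1", "debit", 30), ("acct-2", "debit", 20), ("acct-1", "credit", 5)]
    for i, (key, op, amount) in enumerate(workload, start=1):
        primary.update(key, op, amount)
        if i == ship_after:
            primary.ship_journal(remote)
    # The primary is now assumed lost; only what reached the off-site journal is recoverable.
    recovered = remote.replay()
    lost = len(primary.journal) - primary.shipped
    return dict(primary.db), recovered, lost


if __name__ == "__main__":
    print(simulate(ship_after=3))
```

Shipping after every update (ship_after equal to the workload length) makes the shadow identical to the primary with nothing lost; shipping in larger batches trades bandwidth for the number of records at risk, which is the recovery-point decision behind choosing journaling over periodic electronic vaulting.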
12. Data and Media Controls Cont…
Direct Access Storage Devices (DASDs)
Fault Tolerance
Network Data mirroring
Redundant Arrays of Independent Disks (RAID)
Failure Resistant Disk Systems (FRDSs) – protect against data loss due to disk failure and its enhancement
Failure Tolerant Disk Systems (FTDSs) – protect against loss of data access due to failure of any single component
Disaster Tolerant Disk Systems (DTDSs) – consist of two or more independent zones, either of which provides access to stored data
13. RAID Levels
Level 0 -- Striped Disk Array without Fault Tolerance
Level 1 -- Mirroring and Duplexing
Level 2 -- Error-Correcting Coding
Level 3 -- Bit-Interleaved Parity
Level 4 -- Dedicated Parity Drive
Level 5 -- Block Interleaved Distributed Parity
Level 6 -- Independent Data Disks with Double Parity
Level 10 – A Stripe of Mirrors
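The RAID levels are listed above without showing what the parity actually buys you. The following is an added toy implementation of Level 5 (block-interleaved distributed parity), written for this page and not taken from the slides: data is striped over N disks, each stripe carries one XOR parity block, the parity position rotates across disks, and a read with one disk missing rebuilds every lost block from the survivors. The 4-byte block size and the sample bytes are constructed; with no parity (Level 0) the same loss would be unrecoverable, and with two disks gone Level 5 gives up, which is the gap Level 6's double parity closes.

```python
# Added example (not from the slides): a toy RAID 5 layout with block-interleaved,
# rotating parity. Block size and the test data are constructed values.
from typing import List, Optional

BLOCK = 4  # bytes per block in this toy (real arrays stripe in KB-sized chunks)


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length blocks together; this is the RAID 5 parity function."""
    out = bytearray(len(blocks[0]))
    for b in blocks:
        for i, byte in enumerate(b):
            out[i] ^= byte
    return bytes(out)


def raid5_write(data: bytes, n_disks: int) -> List[List[bytes]]:
    """Stripe `data` over n_disks; each stripe has n_disks-1 data blocks and one parity
    block, and the parity block rotates across disks (stripe s puts parity on disk s % n)."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    stripe_bytes = (n_disks - 1) * BLOCK
    padded = data + b"\x00" * (-len(data) % stripe_bytes)
    disks: List[List[bytes]] = [[] for _ in range(n_disks)]
    for s in range(len(padded) // stripe_bytes):
        chunk = padded[s * stripe_bytes:(s + 1) * stripe_bytes]
        data_blocks = [chunk[i * BLOCK:(i + 1) * BLOCK] for i in range(n_disks - 1)]
        parity_disk = s % n_disks
        pending = iter(data_blocks)
        for d in range(n_disks):
            disks[d].append(xor_blocks(data_blocks) if d == parity_disk else next(pending))
    return disks


def raid5_read(disks: List[Optional[List[bytes]]]) -> bytes:
    """Read all data back. A disk given as None is treated as failed and is rebuilt
    per stripe by XORing the surviving blocks; two failures are unrecoverable."""
    n_disks = len(disks)
    failed = [d for d, disk in enumerate(disks) if disk is None]
    if len(failed) > 1:
        raise RuntimeError("RAID 5 tolerates one failed disk; data is lost")
    n_stripes = len(next(disk for disk in disks if disk is not None))
    out = bytearray()
    for s in range(n_stripes):
        parity_disk = s % n_disks
        stripe = [None if disk is None else disk[s] for disk in disks]
        if failed:
            survivors = [b for b in stripe if b is not None]
            stripe[failed[0]] = xor_blocks(survivors)  # rebuild the missing block
        out += b"".join(stripe[d] for d in range(n_disks) if d != parity_disk)
    return bytes(out)


def survive_failures(data: bytes, n_disks: int, failed_disks: List[int]) -> bytes:
    """Write data, remove the given disks, and return what can be read back."""
    disks: List[Optional[List[bytes]]] = list(raid5_write(data, n_disks))
    for d in failed_disks:
        disks[d] = None
    return raid5_read(disks)[:len(data)]


if __name__ == "__main__":
    sample = b"operations security: parity lets one disk fail"
    assert survive_failures(sample, 4, [2]) == sample
    print("rebuilt from 3 of 4 disks OK")
```

The rebuild works because the XOR of all N blocks in a stripe is zero, so any one block is the XOR of the other N-1, whether the missing block held data or parity. Rotating the parity position is what separates Level 5 from Level 4's dedicated parity drive: in Level 4 every write hits the same parity disk, which becomes the bottleneck.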
14. Data and Media Controls Cont…
Store all media securely
Encrypt sensitive data
Track and control all media
Label media
Secure all data
Train users
Establish and train staff in media transport and transmittal procedures
Use a media library/librarian
Disposal controls
Object reuse controls
Access controls
Data classification controls
15. Telecommunications Equipment
Monitor for errors, inconsistencies, etc.
Penetration tests should be conducted to ensure that communications controls
All communications equipment (e.g., bridges, routers, switches, etc.) should be located in secured facilities
Passwords and other sensitive information being communicated electronically should be encrypted
16. Support Systems Controls
Maintain an environmentally sound data center
Appropriate temperature
Humidity levels
Air quality
Procedures for the installation, monitoring, and maintenance of environmental support equipment
17. Physical Areas Controls
Minimize exposure to threats, such as fire, water, corrosive agents, smoke, and other potential hazards, from adjacent areas, explosion or shock, and unobserved unauthorized access
Guest or visitor log
Ensure appropriate accountability for equipment in and out
18. Personnel Controls
Hiring process, Background Checks
Supervision of initial job training, ongoing training, and security awareness training
Least Privilege
Separation of duty
Mandatory Vacation
Programmers should not be allowed to have ongoing direct access to computers running production systems
Audit Trails
Vendor service personnel should be escorted
19. Change Control Management
A change is requested by completion of a change request form
A change request form is analyzed for validity
The ways the change could be implemented are analyzed
The costs associated with the changes are analyzed
The analysis and change recommendations are recorded
The change request is given to the change control board for final decision
Accepted changes are made and recorded
The change implementation is submitted to quality control for approval
20. The Problems
Powerful system utilities
Powerful system commands
Superzapping - system utility or application that bypasses all access controls and audit/logging functions to make updates to code or data
Direct control over hardware and software
Direct control over all files
Direct control over printers and output queues
Powerful Input/Output commands
Direct access to servers
Initial program load from console
21. The Problems Cont…
Initial program load - IPL from tape
Control over job schedule and execution
Control over all storage media
Bypass label processing
Re-labeling resources
Resetting date/time, passwords
Control of access ports/lines
Erroneous transactions (fraud)
Altering proper transactions
Adding improper transactions
Denial of service/Delays in operation
Personal use, Disclosure
Audit trail/log corruption/modification
23. Protected Resources Cont…
Processing equipment
Stand-alone computers and Printers
Sensitive/Critical data
Files
Programs
System utilities
System logs/audit trails
Violation reports
Backup files
Sensitive forms
Printouts
People
24. The Controls
Accountability
– Personnel reviews - Background checks
– Password management
• Personal
• System
• Maintenance
– Trap door - system or application password included for ease of vendor maintenance
– Logging of all activities
• Protected/duplicated log
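"Logging of all activities" with a "protected/duplicated log" is the control that answers the "audit trail/log corruption/modification" problem on slide 21. As an added example (written for this page, not from the slides), here is an activity log in which each entry commits to the hash of the previous entry, alongside a duplicated copy held where the operator cannot edit it. The actors and actions are constructed. The two checks are deliberately different: the chain detects a record that was altered in place, while only the comparison against the second copy detects records removed from the tail, which is why the slide asks for both protection and duplication.

```python
# Added example (not from the slides): an append-only activity log in which each
# entry commits to the hash of the previous one, plus a second (duplicated) copy
# kept where the operator cannot edit it. Actors and actions are constructed.
import hashlib
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64
FIELDS = ("seq", "actor", "action", "target")


def _entry_hash(prev_hash: str, record: Dict[str, object]) -> str:
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class ChainedLog:
    def __init__(self) -> None:
        self.entries: List[Dict[str, object]] = []

    def append(self, actor: str, action: str, target: str) -> Dict[str, object]:
        prev = str(self.entries[-1]["hash"]) if self.entries else GENESIS
        record = {"seq": len(self.entries), "actor": actor, "action": action, "target": target}
        entry = {**record, "prev": prev, "hash": _entry_hash(prev, record)}
        self.entries.append(entry)
        return entry

    def duplicate(self) -> List[Dict[str, object]]:
        """The protected/duplicated copy: shipped to a write-once or remote store."""
        return [dict(e) for e in self.entries]


def verify_chain(entries: List[Dict[str, object]]) -> Optional[int]:
    """Return the index of the first entry that fails the chain check, or None."""
    prev = GENESIS
    for i, e in enumerate(entries):
        record = {k: e[k] for k in FIELDS}
        if e["seq"] != i or e["prev"] != prev or _entry_hash(prev, record) != e["hash"]:
            return i
        prev = str(e["hash"])
    return None


def diff_copies(local: List[Dict[str, object]], remote: List[Dict[str, object]]) -> List[int]:
    """Sequence numbers where the operator's copy and the protected copy disagree,
    including entries present in one copy but missing from the other."""
    common = min(len(local), len(remote))
    diffs = [i for i in range(common) if local[i] != remote[i]]
    diffs.extend(range(common, max(len(local), len(remote))))
    return diffs


def build_sample_log() -> ChainedLog:
    """Constructed operator activity used by the checks below."""
    log = ChainedLog()
    log.append("operator-1", "mount", "tape-0042")
    log.append("operator-1", "ipl", "console")
    log.append("secadmin-1", "set-clearance", "user-17")
    log.append("operator-2", "shutdown", "lpar-3")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", verify_chain(log.entries) is None)
    print("matches protected copy:", diff_copies(log.entries, log.duplicate()) == [])
```

The hash chain on its own is only as strong as the protection of its last link; in practice the latest hash (or the whole copy) is periodically written to the duplicated store, and review of the log means running both checks, not just reading the entries.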
26. The Controls Cont…
Least Privilege
– Granular access control over system commands
– Individual access permissions
– Hardware/Software elements & procedures to enable authorized access and prevent unauthorized access
– Periodic review of access needed/granted
Separation of Duties
– All changes require approval
– Operational staff should not code or approve changes
• Operating system OR Applications OR Job controls
– Operational staff should not perform security duties
• Security administration
• Network administration
• Application administration
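The change control steps on slide 19 and the separation-of-duties rules just above ("all changes require approval", "operational staff should not code or approve changes") describe one workflow, so here is one added example that enforces both (written for this page; it is not the slides' own tooling). The request moves through analysis, change control board decision, implementation and quality control sign-off in that order, each step is restricted to the matching role, the requester cannot approve their own request, the implementer cannot sign off their own work, and anyone flagged as operational staff is refused the approval and implementation steps even if they happen to hold those roles. The people, roles and the change itself are constructed.

```python
# Added example (not from the slides): the change request workflow from the change
# control slide, with the separation-of-duties rules enforced at each step. Role
# assignments and names are constructed.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set, Tuple


class State(Enum):
    REQUESTED = "requested"
    ANALYZED = "analyzed"
    APPROVED = "approved"
    REJECTED = "rejected"
    IMPLEMENTED = "implemented"
    VERIFIED = "verified"


class SoDViolation(Exception):
    """Raised when one person would hold two duties that must be separated."""


class WorkflowError(Exception):
    """Raised when a step is attempted out of order."""


# Constructed role table. "operator" marks operational staff.
ROLES: Dict[str, Set[str]] = {
    "alice": {"requester"},
    "bob": {"analyst"},
    "carol": {"ccb"},
    "dave": {"developer"},
    "erin": {"qc"},
    "ops-1": {"operator", "ccb", "developer"},  # an operator also handed CCB/dev rights
}


@dataclass
class ChangeRequest:
    cr_id: str
    description: str
    requester: str
    state: State = State.REQUESTED
    analysis: Dict[str, object] = field(default_factory=dict)
    implementer: str = ""
    history: List[Tuple[str, str]] = field(default_factory=list)  # (who, step) audit trail


def _require(user: str, role: str, cr: ChangeRequest, expected: State) -> None:
    """Common gate: right state, right role, and no operational staff coding or approving."""
    if cr.state != expected:
        raise WorkflowError(f"{cr.cr_id}: step needs state {expected.value}, is {cr.state.value}")
    if role not in ROLES.get(user, set()):
        raise SoDViolation(f"{user} does not hold role {role}")
    if role in ("ccb", "developer") and "operator" in ROLES[user]:
        raise SoDViolation(f"operational staff ({user}) may neither code nor approve changes")


def analyze(cr: ChangeRequest, analyst: str, options: List[str], cost: int, recommendation: str) -> None:
    _require(analyst, "analyst", cr, State.REQUESTED)
    cr.analysis = {"options": options, "cost": cost, "recommendation": recommendation}
    cr.state = State.ANALYZED
    cr.history.append((analyst, "analyzed"))


def ccb_decide(cr: ChangeRequest, member: str, approve: bool) -> None:
    _require(member, "ccb", cr, State.ANALYZED)
    if member == cr.requester:
        raise SoDViolation(f"{member} cannot approve their own request")
    cr.state = State.APPROVED if approve else State.REJECTED
    cr.history.append((member, cr.state.value))


def implement(cr: ChangeRequest, developer: str) -> None:
    _require(developer, "developer", cr, State.APPROVED)
    cr.implementer = developer
    cr.state = State.IMPLEMENTED
    cr.history.append((developer, "implemented"))


def qc_approve(cr: ChangeRequest, tester: str) -> None:
    _require(tester, "qc", cr, State.IMPLEMENTED)
    if tester == cr.implementer:
        raise SoDViolation("the implementer cannot sign off their own change")
    cr.state = State.VERIFIED
    cr.history.append((tester, "verified"))


def run_change(requester: str = "alice") -> ChangeRequest:
    """A constructed request walked through every step by the right people."""
    cr = ChangeRequest("CR-0001", "rotate console password policy", requester)
    analyze(cr, "bob", ["manual", "scripted"], 4, "scripted")
    ccb_decide(cr, "carol", approve=True)
    implement(cr, "dave")
    qc_approve(cr, "erin")
    return cr


if __name__ == "__main__":
    print(run_change().history)
```

The history list is the "accepted changes are made and recorded" part of the slide: it is the record an auditor reads to confirm that every step was taken by a distinct, authorized person.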
27. Separation of Duties - Operator
Installing system software
Start up/Shut down
Backup/recovery
Mounting disks/tapes
Handling hardware
Adding/removing users (?)
28. Separation of Duties - Security
User activities
Setting clearances
Setting passwords
Setting other security characteristics
Changing profiles
Setting file sensitivity labels
Setting security characteristics of devices, communications channels
Reviewing audit data
29. The Problems
Physical access to the computer room and devices there
– IS programmers
– Cleaning/maintenance
– Vendor support
– Contract/Temp staff
– Memory content modification
– Microcode changes
– Device shutdown
Shoulder surfing over Operator’s shoulder
Physical access to printouts - rerouting
Access to print queues
Access to printers
30. The Controls
Authentication & Least Privilege
– Authorization for access to the facility
– Closed shop - physical access controls limiting access to authorized personnel
– Operations security - controls over resources - HW, media & operators with access
– System high security - system and all peripherals are protected at level of highest security classification of any information housed by the system
– Tempest - reception of electromagnetic emanations which can be analyzed to disclose sensitive or protected information
31. Environmental Contamination
Buildup of conductive particles, contaminants
– Circuit boards, micro switches, sensors
– Spontaneous combustion
• National Fire Protection - US computer room fire every 10 min
• 80% unknown causes (HW)
– Causes equipment failure
• Mass storage devices
• Pass through disk drive filters
• Read/write errors, disk crashes
– Government/contractor installations
• Max 100K parts per million in cubic foot of air
• Data center particulates <= 0.5 microns (19.69 microinches)
33. The Controls Cont…
Trusted recovery procedures
– Ensure security not breached during system crash and recovery
– Requires backup
– Reboot (Crash or power failure)
– Recover file systems (Missing resource)
– Restore files and databases (Inconsistent database)
– Check security files (System compromise)
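The trusted recovery bullets are a sequence with a gate at the end: the system may return to normal operation only once the security files have been checked. As an added example (written for this page, not from the slides), the function below walks reboot, file system recovery, restore of missing resources from backup, and a security-file check against a hash manifest recorded while the system was known-good; if the check fails, the system stays in maintenance mode instead of going back into service. The file paths, contents and manifest are constructed, and the "files" are an in-memory dict so it runs offline.

```python
# Added example (not from the slides): the trusted recovery steps as a sequence that
# returns the system to normal operation only after the security files verify against a
# manifest taken while the system was known-good. Paths, contents and the manifest are
# constructed, and "files" are an in-memory dict so the example runs offline.
import hashlib
from typing import Dict, List, Tuple

SECURITY_FILES = ("/etc/passwd", "/etc/sudoers", "/etc/audit/rules")  # constructed list


def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Hashes of the security files, recorded while known-good and kept where the
    recovery process cannot rewrite them."""
    return {path: digest(files[path]) for path in SECURITY_FILES}


def check_security_files(files: Dict[str, bytes], manifest: Dict[str, str]) -> List[str]:
    """Security files that are missing or whose contents no longer match the manifest."""
    return [path for path, expected in manifest.items()
            if path not in files or digest(files[path]) != expected]


def trusted_recover(files: Dict[str, bytes], manifest: Dict[str, str],
                    fs_consistent: bool, backup: Dict[str, bytes]) -> Tuple[str, List[str]]:
    """Reboot -> recover file systems -> restore missing resources -> check security files.
    Returns (final mode, steps taken). 'normal' is reached only if every check passes;
    otherwise the system stays in 'maintenance' (single user, no services) so that a
    compromise is not carried silently across the crash."""
    steps = ["reboot"]
    if not fs_consistent:
        steps.append("recover-filesystems")
    missing = [p for p in SECURITY_FILES if p not in files]
    if missing:
        for p in missing:  # restore only what the crash left missing
            if p in backup:
                files[p] = backup[p]
        steps.append("restore-from-backup")
    steps.append("check-security-files")
    if check_security_files(files, manifest):
        steps.append("halt-in-maintenance")
        return "maintenance", steps
    steps.append("normal-operation")
    return "normal", steps


if __name__ == "__main__":
    known_good = {"/etc/passwd": b"root:x:0:0", "/etc/sudoers": b"root ALL=(ALL) ALL",
                  "/etc/audit/rules": b"-w /etc/sudoers -p wa"}
    manifest = build_manifest(known_good)
    print(trusted_recover(dict(known_good), manifest, fs_consistent=True, backup=dict(known_good)))
```

Note the case where the backup itself holds an older copy of a security file: the restore step succeeds but the manifest check still fails, and the system stays in maintenance, which is the behaviour the slide's "Requires backup" and "Check security files" bullets together call for.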
34. Trusted System Operations
Trusted computer base - HW/FW/SW protected by appropriate mechanisms at appropriate level of sensitivity/security to enforce security policy
Trusted facility management - supports separate operator and administrator roles (B2)
Clearly identify security admin functions
Definition - Integrity
– formal declaration or certification of a product
36. Configuration Management Cont…
Organized and consistent plan covering
– description of physical/media controls
– electronic transfer of software
– communications software/protocols
– encryption methods/devices
– security features/limitations of software
– hardware requirements/settings/protocols
– system responsibilities/authorities
– security roles/responsibilities
– user needs (sensitivity, functionality)
– audit information and process
– risk assessment results
37. Vulnerabilities Summary
Improper access to system utilities
Improper access to information
Improper update of information
Improper destruction of information
Improper change to job schedule
Improper access to printed materials
Physical access to the computer room
Physical access to printouts
Access to print queues
Denial of service
Inability to recover from failures
Fraud
38. The Real World
Operations Controls
– Organizations understaffed, wear too many hats
– Separation of duties seldom complete
– A single password is used by all operators
– System commands are unrestricted on the console
• OR are granted to all operations staff
– Commands are not logged
• OR logs are not reviewed
– Emergency procedures and approvals poorly defined
– Operations personnel may support system software
• OR perform security functions
39. The Real World Cont…
Operations Controls
– Most of IS and many users have access to facility
– Printouts are laid out for pickup without oversight
– Print queues are openly available to on-line users
– Only some platforms are backed up
– Backups are often stored on site
• In computer room
• OR In an office
– No restrictions are placed on access to backups
– Communications closets open
40. Media Controls
Tapes, disks, diskettes, cards, paper, optical
Volume labels required
– Human/machine readable
– Date created, created by
– Date to destroy/retention period
– Volume/file name, version
– Classification
Audit trail
Separation of responsibility - librarian
Backup procedures
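Slide 14 asks for media to be labelled, tracked, classified and handled through a librarian with disposal and object-reuse controls, and slide 40 lists the label fields. Here is one added example serving both (written for this page, not from the slides): a volume label with every listed field in both human-readable and machine-readable form, a library in which only a librarian can add or issue media and every movement is written to an audit trail, and a retention check that pulls expired volumes out of circulation and into disposal. The classification scheme, volume names, dates and people are constructed.

```python
# Added example (not from the slides): volume labels with the fields the slide lists,
# a librarian-mediated check-out with an audit trail, and retention/disposal checks.
# Volume names, dates, people and the classification scheme are constructed.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Set, Tuple
import json

CLASSIFICATIONS = ("public", "internal", "confidential", "secret")  # constructed scheme


@dataclass(frozen=True)
class VolumeLabel:
    """The label fields the slide requires: name/version, dates, creator, classification."""
    volume: str
    file_name: str
    version: int
    created: date
    created_by: str
    retention_days: int
    classification: str

    def __post_init__(self) -> None:
        if self.classification not in CLASSIFICATIONS:
            raise ValueError(f"unknown classification {self.classification!r}")

    @property
    def destroy_on(self) -> date:
        return self.created + timedelta(days=self.retention_days)

    def human_readable(self) -> str:
        return (f"{self.volume} {self.file_name} v{self.version} | created {self.created} "
                f"by {self.created_by} | destroy after {self.destroy_on} | "
                f"{self.classification.upper()}")

    def machine_readable(self) -> str:
        """Barcode/tape-header payload carrying the same facts as the printed label."""
        return json.dumps({
            "volume": self.volume, "file": self.file_name, "version": self.version,
            "created": self.created.isoformat(), "created_by": self.created_by,
            "destroy_on": self.destroy_on.isoformat(),
            "classification": self.classification}, sort_keys=True)


class MediaLibrary:
    """Only a librarian moves media, and every movement lands in the audit trail."""

    def __init__(self, librarians: Set[str]) -> None:
        self.librarians = librarians
        self.volumes: Dict[str, VolumeLabel] = {}
        self.holder: Dict[str, str] = {}  # volume -> current holder ("" = on the shelf)
        self.audit: List[Tuple[str, str, str, str]] = []  # (date, librarian, action, volume)

    def _librarian(self, who: str) -> None:
        if who not in self.librarians:
            raise PermissionError(f"{who} is not a media librarian")

    def _log(self, today: date, librarian: str, action: str, volume: str) -> None:
        self.audit.append((today.isoformat(), librarian, action, volume))

    def add(self, label: VolumeLabel, librarian: str, today: date) -> None:
        self._librarian(librarian)
        self.volumes[label.volume] = label
        self.holder[label.volume] = ""
        self._log(today, librarian, "added", label.volume)

    def check_out(self, volume: str, user: str, librarian: str, today: date) -> VolumeLabel:
        self._librarian(librarian)
        if user == librarian:
            raise PermissionError("a librarian may not issue media to themselves")
        label = self.volumes[volume]
        if today > label.destroy_on:
            raise ValueError(f"{volume} is past its retention date; held for disposal")
        if self.holder[volume]:
            raise ValueError(f"{volume} is already out with {self.holder[volume]}")
        self.holder[volume] = user
        self._log(today, librarian, f"checked-out to {user}", volume)
        return label

    def check_in(self, volume: str, librarian: str, today: date) -> None:
        self._librarian(librarian)
        self.holder[volume] = ""
        self._log(today, librarian, "checked-in", volume)

    def due_for_disposal(self, today: date) -> List[str]:
        """Volumes whose retention period has elapsed and must go through disposal controls."""
        return sorted(v for v, lab in self.volumes.items() if today > lab.destroy_on)


if __name__ == "__main__":
    lib = MediaLibrary({"lib-1"})
    today = date(2024, 1, 10)
    lib.add(VolumeLabel("VOL0042", "payroll.bak", 3, date(2023, 1, 1), "ops-1", 365, "confidential"),
            "lib-1", today)
    print(lib.volumes["VOL0042"].human_readable())
    print("due for disposal:", lib.due_for_disposal(today))
```

The disposal list is where the object-reuse control attaches: a volume returned by due_for_disposal is sanitized or destroyed under the librarian's record rather than being reissued with its previous contents still readable.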
41. Definitions
Acceptance
– Verification that performance & security requirements have been met
Accreditation
– Formal acceptance of security adequacy, authorization for operation and acceptance of existing risk (QC)
Certification
– Formal testing of security safeguards
Operational assurance
– Verification that a system is operating according to its security requirements
• Design & Development reviews
• Formal modeling
• Security architecture
• ISO 9000 quality techniques
Assurance
– Degree of confidence that the implemented security measures work as intended
Approach: interaction/discussion based upon general security principles (accountability, authorization, logging, separation of duties, least privilege, risk reduction, layered defense, redundancy)
Overlap: the topic categories are arbitrary; discussion will touch on the same areas multiple times
First topic: application system development