Chapter 8: Communications and Operations Security


Transcript of Chapter 8: Communications and Operations Security

Page 1: Chapter 8: Communications and Operations Security

Security Program and Policies: Principles and Practices

by Sari Stern Greene

Chapter 8: Communications and Operations Security

Page 2: Chapter 8: Communications and Operations Security

Copyright 2014 Pearson Education, Inc. 2

Objectives

❑ Author useful standard operating procedures
❑ Implement change control processes
❑ Understand the importance of patch management
❑ Protect information systems against malware
❑ Consider data backup and replication strategies
❑ Recognize the security requirements of email and email systems
❑ Appreciate the value of log data and analysis
❑ Evaluate service provider relationships
❑ Write policies and procedures to support operational and communications security

Page 3: Chapter 8: Communications and Operations Security


Standard Operating Procedures (SOPs)

❑ SOPs provide direction to improve communication, reduce training time, and improve work consistency

❑ SOPs should be documented to protect the company from the pitfalls of institutional knowledge
■ If a business process is only known by one employee, and that employee becomes unavailable, how is this process going to be performed successfully?

Page 4: Chapter 8: Communications and Operations Security


Standard Operating Procedures Cont.

■ SOPs should be written in as simple a style as possible for all to clearly understand the procedures

■ SOPs should include all steps of a given procedure

■ SOPs should not be overly detailed and should remain clear

Page 5: Chapter 8: Communications and Operations Security


Standard Operating Procedures Cont.

■ If a procedure contains fewer than 10 steps, it should be presented in step format
■ If a procedure contains 10 steps or more, but few decisions, it should be presented in a graphical format or a hierarchical format

■ If a procedure requires many decisions, then it should be presented as a flowchart

Page 6: Chapter 8: Communications and Operations Security


Standard Operating Procedures Cont.

■ After a procedure has been researched, documented, reviewed, and tested, it should be authorized by the process owner

■ The integrity of the SOP documents must be protected so that employees don’t follow instructions that have been maliciously tampered with

Page 7: Chapter 8: Communications and Operations Security


Standard Operating Procedures Cont.

■ The change management process must be defined so that the SOPs mirror the evolution of the business processes

■ All revisions of the SOP documents must be reviewed and approved by the process owner

Page 8: Chapter 8: Communications and Operations Security


Operational Change Control

■ Change control: Internal procedure by which only authorized changes are made to software, hardware, network access privileges, or business processes

■ Change control process
❑ Starts with a Request for Change (RFC), which documents:
■ Description of the proposed change
■ Justification for why the change should be implemented
■ Impact of not implementing the change
■ Alternatives
■ Cost
■ Resource requirements and timeframe
❑ The change is then evaluated and, if approved, implemented

Page 9: Chapter 8: Communications and Operations Security


Operational Change Control Cont.

■ Change control plan
❑ Developed after the change is approved
❑ Components:
■ Security review to ensure no new vulnerabilities are introduced
■ Implementation instructions
■ Rollback and/or recovery options
■ Post-implementation monitoring
■ Change must be communicated to all relevant parties
❑ Two categories of messages:
■ Messages about the change
■ Messages about how the change will impact employees
■ All actions should be documented throughout the implementation process

Page 10: Chapter 8: Communications and Operations Security


Why Is Patching Handled Differently?

■ Patch
❑ Software or code designed to fix a problem
■ Security patching is the primary method of fixing security vulnerabilities
■ Patches need to be applied quickly
■ Patch management
❑ The process of scheduling, testing, approving, and applying security patches
❑ Patching can be unpredictable and disruptive
❑ Users should be notified of potential downtime

Page 11: Chapter 8: Communications and Operations Security

Malware Protection

■ Malware
❑ Short for malicious software
❑ Software designed to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems and mobile devices

❑ It can be bundled with other programs or self-replicated

❑ Typically requires user interaction


Page 12: Chapter 8: Communications and Operations Security

Malware Protection cont.

■ Malware categories
❑ Virus
❑ Worm
❑ Trojans
❑ Bots
❑ Ransomware
❑ Rootkits
❑ Spyware/adware
❑ Hybrid


Page 13: Chapter 8: Communications and Operations Security

How Is Malware Controlled

■ Prevention controls
❑ Stop an attack before it occurs
■ Detection controls
❑ Identify the presence of malware, alert the user, and prevent the malware from carrying out its mission


Page 14: Chapter 8: Communications and Operations Security

What Is Antivirus Software?

■ Used to detect, contain, and in some cases eliminate malicious software

■ Most AV software employs two techniques
❑ Signature-based recognition
❑ Behavior-based (heuristic) recognition


Page 15: Chapter 8: Communications and Operations Security


Data Replication

■ Data replication
❑ The process of copying data to a second location that is available for immediate or near-time use
■ Data backup
❑ The process of copying and storing data that can be restored to its original location
■ Failure to back up threatens data availability and data integrity
❑ Lost/corrupt data can also have a negative impact on the company:
■ Financially
■ Legally
■ PR-wise

Page 16: Chapter 8: Communications and Operations Security


Is There a Recommended Backup or Replication Strategy?

❑ The following aspects should be considered when the strategy is designed:
■ Reliability
■ Speed
■ Simplicity
■ Ease of use
■ Security of the stored information

❑ Backed-up or replicated data should be stored at an off-site location in an environment secured from theft, the elements, and natural disasters

Page 17: Chapter 8: Communications and Operations Security


The Importance of Testing

❑ If the company relies on backup to protect data integrity and availability, then it needs to be sure that the information stored on the backup media is restorable in case of an incident

❑ Just as it is important that a backup would take place according to a set schedule, test restores should also be officially scheduled
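A scheduled restore test of the kind described above, as an added example that is not from the book or the slides: it records a manifest of file hashes when the backup is taken, restores into a separate directory, and reports any member that is missing or no longer matches. The directory layout, file names and contents are constructed for the illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backup members need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Record the relative path and SHA-256 of every file at backup time."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a test restore against the manifest; return {relpath: problem}."""
    problems = {}
    for rel, digest in manifest.items():
        target = restored / rel
        if not target.is_file():
            problems[rel] = "missing"
        elif sha256_of(target) != digest:
            problems[rel] = "checksum mismatch"
    return problems

def scheduled_restore_test() -> dict:
    """Constructed scenario: back up a small tree, restore it, then damage the copy."""
    work = Path(tempfile.mkdtemp())
    try:
        src = work / "source"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("acct,amount\n1001,250.00\n")
        (src / "readme.txt").write_text("quarterly export\n")
        manifest = build_manifest(src)                 # taken when the backup job runs
        restored = work / "restore"
        shutil.copytree(src, restored)                 # the scheduled test restore
        if verify_restore(manifest, restored):
            raise RuntimeError("a clean restore should verify")
        (restored / "finance" / "ledger.csv").write_text("acct,amount\n")  # silent corruption
        (restored / "readme.txt").unlink()                                  # lost member
        return verify_restore(manifest, restored)      # what the test report would flag
    finally:
        shutil.rmtree(work)
```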

Page 18: Chapter 8: Communications and Operations Security


Securing Messaging

❑ E-mail is, by default, an insecure way to transmit information

❑ Unless optional encryption is added to the e-mail solution, no confidential information should EVER be sent via e-mail

❑ Inherently, e-mail does not employ ANY encryption, and all information sent is sent in clear text

Page 19: Chapter 8: Communications and Operations Security


Securing Messaging Cont.

■ Employees should not commit any information to email that they would not feel comfortable writing on company letterhead

■ Employees must be trained to understand the risks and responsibilities associated with using e-mail as a business tool in a corporate environment

Page 20: Chapter 8: Communications and Operations Security


Securing Messaging Cont.

■ Documents sent as e-mail attachments might contain more information than the sender intended to share
❑ Metadata
■ Details about a file that describe or identify it, such as title, author name, subjects, and keywords
■ E-mail is an effective method of distributing malware
❑ Can be embedded in an attachment
❑ Sent as a hyperlink
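To show what the metadata bullet means in practice, an added example (not from the book or the slides) that reads and then blanks the core-properties part of an OOXML (.docx) package before the file is attached to an e-mail. The sample document and its author, subject and keyword values are constructed; the element names come from the OOXML core-properties schema.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/"}
# The fields the slide names (title, author, subject, keywords) plus the last editor
FIELDS = {"title": "dc:title", "author": "dc:creator", "subject": "dc:subject",
          "keywords": "cp:keywords", "last_modified_by": "cp:lastModifiedBy"}
CORE = "docProps/core.xml"

def make_sample_docx() -> bytes:
    """Constructed stand-in for a Word file holding only the parts this example reads."""
    core = ('<?xml version="1.0" encoding="UTF-8"?>'
            f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
            '<dc:title>Q3 acquisition plan</dc:title><dc:creator>j.doe</dc:creator>'
            '<dc:subject>Project Falcon</dc:subject><cp:keywords>confidential;merger</cp:keywords>'
            '<cp:lastModifiedBy>legal-review</cp:lastModifiedBy></cp:coreProperties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(CORE, core)
        z.writestr("word/document.xml", "<w:document/>")  # body placeholder, never inspected
    return buf.getvalue()

def read_core_properties(data: bytes) -> dict:
    """What a recipient can read from the attachment without opening the document body."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        root = ET.fromstring(z.read(CORE))
    return {name: (root.findtext(tag, namespaces=NS) or "") for name, tag in FIELDS.items()}

def strip_core_properties(data: bytes) -> bytes:
    """Blank the identifying fields and rewrite the package; every other part is copied as-is."""
    for prefix, uri in NS.items():
        ET.register_namespace(prefix, uri)  # keep the cp:/dc: prefixes when serialising
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        root = ET.fromstring(src.read(CORE))
        for tag in FIELDS.values():
            el = root.find(tag, namespaces=NS)
            if el is not None:
                el.text = ""
        for item in src.infolist():
            if item.filename == CORE:
                dst.writestr(item, ET.tostring(root, encoding="UTF-8", xml_declaration=True))
            else:
                dst.writestr(item, src.read(item.filename))
    return out.getvalue()
```

Real Office files carry further parts (docProps/app.xml, comments, tracked changes) that a production scrubber would also have to handle.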

Page 21: Chapter 8: Communications and Operations Security


Securing Messaging Cont.

■ Incoming attachments may contain a malicious payload:
❑ Virus
❑ Worm
❑ Trojan
❑ Other malicious scripts
❑ Hoax

■ Users must be trained to be suspicious toward attachments

■ Access to personal email accounts should not be allowed from the corporate network

Page 22: Chapter 8: Communications and Operations Security


Securing Messaging Cont.

■ Common e-mail-related mistakes
❑ Hitting the wrong button: using “reply all” as opposed to “reply”, or “forward” instead of “reply”
❑ Sending an e-mail to the wrong e-mail address because it is close to the intended recipient’s
❑ Leaving an entire string of replies in an e-mail forwarded to a third person who should not have been privy to some of the information discussed in earlier e-mails

■ Training users is paramount to e-mail security

Page 23: Chapter 8: Communications and Operations Security


Are E-Mail Servers at Risk?

■ Compromising the e-mail server
❑ Relay abuse
■ Involves using the mail server to distribute spam and malware
❑ A denial of service attack against an e-mail server is an attack against the availability of the service
❑ The e-mail server should be set up so that it does not allow an open relay of SMTP traffic. Failure to do so implies two issues:
■ The e-mail server will be used by unscrupulous spammers
■ The domain name used for e-mail purposes will be blacklisted

Page 24: Chapter 8: Communications and Operations Security

Activity Monitoring and Log Analysis

■ Log: A record of the events occurring within an organization’s systems and networks
■ Almost every device and application on the network can log activity
■ Log management
❑ Configuring the log sources, including log generation, storage, and security
❑ Performing analysis of log data
❑ Initiating appropriate responses to identified events
❑ Managing the long-term storage of log data


Page 25: Chapter 8: Communications and Operations Security

Analyzing Logs

■ Log analysis techniques
❑ Correlation
❑ Sequencing
❑ Signature
❑ Trend analysis
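The techniques above are easier to see in code. This added example (not from the book or the slides) implements correlation, sequencing and trend analysis over a handful of constructed authentication log lines; signature matching is left out for space. The host names, user names and TEST-NET source addresses are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOGS = """\
2024-05-02T09:00:01 host=vpn1 event=auth_fail user=alice src=203.0.113.7
2024-05-02T09:00:05 host=vpn1 event=auth_fail user=alice src=203.0.113.7
2024-05-02T09:00:09 host=mail1 event=auth_fail user=alice src=203.0.113.7
2024-05-02T09:00:20 host=vpn1 event=auth_ok user=alice src=203.0.113.7
2024-05-02T09:30:00 host=web1 event=auth_fail user=bob src=198.51.100.4
"""  # constructed sample lines in key=value syslog style, not from the slides

def parse(text: str) -> list:
    """One dict per line with a parsed timestamp; a malformed line is skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        try:
            ev = {"ts": datetime.fromisoformat(parts[0])}
            ev.update(p.split("=", 1) for p in parts[1:])
            events.append(ev)
        except (IndexError, ValueError):
            continue
    return events

def correlate_sources(events: list, min_hosts: int = 2) -> dict:
    """Correlation: the same source failing against several different hosts."""
    hosts = defaultdict(set)
    for ev in (e for e in events if e["event"] == "auth_fail"):
        hosts[ev["src"]].add(ev["host"])
    return {src: sorted(h) for src, h in hosts.items() if len(h) >= min_hosts}

def sequence_fail_then_success(events: list, min_fails: int = 3, window_s: int = 300) -> list:
    """Sequencing: N failures then a success for the same source/user inside the window."""
    fails, hits = defaultdict(list), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["user"])
        if ev["event"] == "auth_fail":
            fails[key].append(ev["ts"])
        elif ev["event"] == "auth_ok":
            recent = [t for t in fails[key] if ev["ts"] - t <= timedelta(seconds=window_s)]
            if len(recent) >= min_fails:
                hits.append({"src": ev["src"], "user": ev["user"], "fails": len(recent)})
    return hits

def failures_per_hour(events: list) -> dict:
    """Trend analysis: failures bucketed per hour, to compare against a baseline."""
    counts = defaultdict(int)
    for ev in (e for e in events if e["event"] == "auth_fail"):
        counts[ev["ts"].strftime("%Y-%m-%dT%H")] += 1
    return dict(counts)
```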


Page 26: Chapter 8: Communications and Operations Security

Service Provider Oversight

■ Service providers include vendors, contractors, business partners and affiliates who store, process, transmit, or access company information on company information systems

■ Service providers’ internal controls should meet or exceed those of the contracting organization

■ Due diligence is the process used to assess the adequacy of service providers

■ SSAE16 audit reports are the most widely accepted due diligence documentation


Page 27: Chapter 8: Communications and Operations Security


Summary

■ Day-to-day activities can have a huge impact on the security of the network and the data it contains. SOPs are important in providing a consistent framework across the company.

■ Change must be managed. Two mandatory components of a change management process are RFC documents and a change control plan.

■ Malware is becoming the tool of choice for criminals to exploit devices, operating systems, applications, and user vulnerabilities. Many types of malware exist and companies should protect against them.

■ Sound backup strategies should be developed, tested, authorized and implemented. E-mail, while being a fantastic business tool, is also a double-edged sword because of its inherent lack of built-in security and must be treated as such.

■ Operational security extends to service providers. Service provider controls should meet or exceed those of the company.