Chapter 8: Communications and Operations Security
Security Program and Policies: Principles and Practices
by Sari Stern Greene
Chapter 8: Communications and Operations Security
Copyright 2014 Pearson Education, Inc. 2
Objectives
❑ Author useful standard operating procedures
❑ Implement change control processes
❑ Understand the importance of patch management
❑ Protect information systems against malware
❑ Consider data backup and replication strategies
❑ Recognize the security requirements of email and email systems
❑ Appreciate the value of log data and analysis
❑ Evaluate service provider relationships
❑ Write policies and procedures to support operational and communications security
Standard Operating Procedures (SOPs)
❑ SOPs provide direction to improve communication, reduce training time, and improve work consistency
❑ SOPs should be documented to protect the company from the pitfalls of institutional knowledge
■ If a business process is only known by one employee, and that employee becomes unavailable, how is this process going to be performed successfully?
Standard Operating Procedures Cont.
■ SOPs should be written in as simple a style as possible so that everyone can clearly understand the procedures
■ SOPs should include all steps of a given procedure
■ SOPs should not be overly detailed and should remain clear
Standard Operating Procedures Cont.
■ If a procedure contains fewer than 10 steps, it should be presented in step format
■ If a procedure contains 10 steps or more, but few decisions, it should be presented in a graphical format or a hierarchical format
■ If a procedure requires many decisions, then it should be presented as a flowchart
Standard Operating Procedures Cont.
■ After a procedure has been researched, documented, reviewed, and tested, it should be authorized by the process owner
■ The integrity of the SOP documents must be protected so that employees don’t follow instructions that have been maliciously tampered with
Standard Operating Procedures Cont.
■ The change management process must be defined so that the SOPs mirror the evolution of the business processes
■ All revisions of the SOP documents must be reviewed and approved by the process owner
Operational Change Control
■ Change control: Internal procedure by which only authorized changes are made to software, hardware, network access privileges, or business processes
■ Change control process
❑ Starts with a Request for Change (RFC), which contains:
❑ Description of the proposed change
❑ Justification for why the change should be implemented
❑ Impact of not implementing the change
❑ Alternatives
❑ Cost
❑ Resource requirements and timeframe
❑ The change is then evaluated and, if approved, implemented
Operational Change Control Cont.
■ Change control plan
❑ Developed after the change is approved
❑ Components
■ Security review to ensure no new vulnerabilities are introduced
■ Implementation instructions
■ Rollback and/or recovery options
■ Post-implementation monitoring
■ Change must be communicated to all relevant parties
❑ Two categories of messages
■ Messages about the change
■ Messages about how the change will impact employees
■ All actions should be documented throughout the implementation process
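The two slides above describe the change control process as a sequence of gates: a complete RFC, an evaluation, a change control plan with a security review and rollback option, communication, and a documented implementation. The following is an added example (not code from the textbook or the author) that encodes those gates as a small workflow so that a change cannot skip a step; the field names, state names and the sample RFC are assumptions constructed for the example.

```python
"""Change-control workflow sketch: an RFC is submitted, evaluated, and only an
approved change with a complete change control plan (security review,
implementation steps, rollback, post-implementation monitoring) can be
implemented, after the relevant parties have been notified.  Field names and
states are this example's own assumptions, not the textbook's."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class State(Enum):
    SUBMITTED = "submitted"
    APPROVED = "approved"
    REJECTED = "rejected"
    IMPLEMENTED = "implemented"


# The RFC contents listed on the slide, as required keys (assumed names).
REQUIRED_RFC_FIELDS = ("description", "justification", "impact_if_not_done",
                       "alternatives", "cost", "resources_and_timeframe")
# The change control plan components listed on the slide (assumed names).
REQUIRED_PLAN_FIELDS = ("security_review", "implementation_steps",
                        "rollback", "post_implementation_monitoring")


@dataclass
class ChangeRequest:
    rfc: dict
    state: State = State.SUBMITTED
    plan: Optional[dict] = None
    audit_log: list = field(default_factory=list)  # every action is documented

    def __post_init__(self):
        missing = [f for f in REQUIRED_RFC_FIELDS if not self.rfc.get(f)]
        if missing:
            raise ValueError(f"RFC incomplete, missing: {missing}")
        self.audit_log.append("rfc submitted")

    def evaluate(self, approver: str, approved: bool):
        """The evaluation step: an RFC is approved or rejected exactly once."""
        if self.state is not State.SUBMITTED:
            raise RuntimeError(f"cannot evaluate a change in state {self.state.value}")
        self.state = State.APPROVED if approved else State.REJECTED
        self.audit_log.append(f"{self.state.value} by {approver}")

    def attach_plan(self, plan: dict):
        """The plan is developed only after approval and must be complete."""
        if self.state is not State.APPROVED:
            raise RuntimeError("a change control plan is developed after approval")
        missing = [f for f in REQUIRED_PLAN_FIELDS if not plan.get(f)]
        if missing:
            raise ValueError(f"change control plan incomplete, missing: {missing}")
        if plan["security_review"].get("new_vulnerabilities"):
            raise ValueError("security review found new vulnerabilities")
        self.plan = plan
        self.audit_log.append("change control plan attached")

    def implement(self, notified_parties: set) -> list:
        """Implementation requires approval, a plan, and prior communication."""
        if self.state is not State.APPROVED or self.plan is None:
            raise RuntimeError("only an approved change with a plan may be implemented")
        if not notified_parties:
            raise RuntimeError("change must be communicated to relevant parties first")
        self.state = State.IMPLEMENTED
        self.audit_log.append(f"implemented; notified {sorted(notified_parties)}")
        return list(self.audit_log)


def demo() -> list:
    """Walk one constructed change through the whole process; returns the audit trail."""
    rfc = {"description": "Enable TLS 1.2 only on the public web tier",
           "justification": "Older protocol versions have known weaknesses",
           "impact_if_not_done": "Failed compliance scan next quarter",
           "alternatives": "Keep current settings and accept the finding",
           "cost": "Two engineer-days",
           "resources_and_timeframe": "Web team, next maintenance window"}
    change = ChangeRequest(rfc)
    change.evaluate("change advisory board", approved=True)
    change.attach_plan({
        "security_review": {"reviewer": "security team", "new_vulnerabilities": []},
        "implementation_steps": ["update TLS config", "reload service"],
        "rollback": "restore previous config from backup and reload",
        "post_implementation_monitoring": "watch handshake error rate for 24h",
    })
    return change.implement({"helpdesk", "web team"})


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The audit log is the artifact the slide's last bullet asks for: every transition is recorded, and the order of the gates is enforced by the state checks rather than by convention.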
Why Is Patching Handled Differently?
■ Patch
❑ Software or code designed to fix a problem
■ Security patching is the primary method of fixing security vulnerabilities
■ Patches need to be applied quickly
■ Patch management
❑ The process of scheduling, testing, approving, and applying security patches
❑ Patching can be unpredictable and disruptive
❑ Users should be notified of potential downtime
Malware Protection
■ Malware
❑ Short for malicious software
❑ Software designed to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems and mobile devices
❑ It can be bundled with other programs or be self-replicating
❑ Typically requires user interaction
Malware Protection cont.
■ Malware categories
❑ Virus
❑ Worm
❑ Trojans
❑ Bots
❑ Ransomware
❑ Rootkits
❑ Spyware/adware
❑ Hybrid
How Is Malware Controlled
■ Prevention controls
❑ Stop an attack before it occurs
■ Detection controls
❑ Identify the presence of malware, alert the user, and prevent the malware from carrying out its mission
What Is Antivirus Software?
■ Used to detect, contain, and in some cases eliminate malicious software
■ Most AV software employs two techniques
❑ Signature-based recognition
❑ Behavior-based (heuristic) recognition
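The slide names the two recognition techniques without showing how they differ in practice. The following added example (not from the textbook or any AV product) contrasts them on three constructed byte samples: a signature pass that matches a known file hash or byte pattern, and a heuristic pass that scores generic indicators so that a sample never seen before can still be flagged. The samples, signature names, indicators and thresholds are all assumptions for the example; none of the data is real malware.

```python
"""Toy scanner illustrating signature-based versus heuristic recognition.
All samples and signature names are constructed for this example."""
import hashlib
import math
from collections import Counter

# Constructed samples.  KNOWN_BAD is in the signature database; PACKED_UNKNOWN
# is not, so only the heuristic pass can flag it; BENIGN should pass both.
KNOWN_BAD = b"MZ" + b"\x00" * 14 + b"EXAMPLE_DROPPER_v1" + b"\x90" * 32
PACKED_UNKNOWN = b"MZ" + bytes(range(256)) * 16 + b"http://stage2.example.invalid/"
BENIGN = b"Quarterly report: revenue up 4%, costs flat.\n" * 4

# The "signature database": whole-file hashes and short byte patterns (assumed).
SIGNATURE_HASHES = {hashlib.sha256(KNOWN_BAD).hexdigest(): "Dropper.Example"}
SIGNATURE_PATTERNS = {b"EXAMPLE_DROPPER_v1": "Dropper.Example"}


def signature_scan(data: bytes):
    """Return the signature name if the file hash or a byte pattern matches, else None."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in SIGNATURE_HASHES:
        return SIGNATURE_HASHES[digest]
    for pattern, name in SIGNATURE_PATTERNS.items():
        if pattern in data:
            return name
    return None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value occurs equally often."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def heuristic_scan(data: bytes, threshold: int = 3):
    """Score generic indicators; flag when the total reaches the threshold."""
    score, reasons = 0, []
    if data[:2] == b"MZ":                       # looks like a Windows executable
        score += 1
        reasons.append("executable header")
    if shannon_entropy(data) > 7.0:             # packed or encrypted payload
        score += 2
        reasons.append("high entropy (packed or encrypted payload)")
    if b"http://" in data or b"https://" in data:
        score += 1
        reasons.append("embedded URL")
    return score >= threshold, reasons


def scan(data: bytes):
    """Signatures first (cheap and precise), then heuristics for unknown samples."""
    name = signature_scan(data)
    if name:
        return ("signature", name)
    flagged, reasons = heuristic_scan(data)
    if flagged:
        return ("heuristic", "; ".join(reasons))
    return ("clean", "")


if __name__ == "__main__":
    for label, sample in [("benign", BENIGN), ("known bad", KNOWN_BAD),
                          ("packed unknown", PACKED_UNKNOWN)]:
        print(f"{label:15s} -> {scan(sample)}")
```

The trade-off the slide implies shows up directly: the signature pass never fires on the unknown sample because nothing in the database matches it, while the heuristic pass is what catches it, at the cost of a scoring threshold that has to be tuned against false positives.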
Data Replication
■ Data replication
❑ The process of copying data to a second location that is available for immediate or near-time use
■ Data backup
❑ The process of copying and storing data that can be restored to its original location
■ Failure to back up threatens data availability and data integrity
❑ Lost or corrupt data can also have a negative impact on the company:
■ Financially
■ Legally
■ PR-wise
Is There a Recommended Backup or Replication Strategy?
❑ The following aspects should be considered when the strategy is designed:
■ Reliability
■ Speed
■ Simplicity
■ Ease of use
■ Security of the stored information
❑ Backed-up or replicated data should be stored at an off-site location in an environment secured from theft, the elements, and natural disasters
The Importance of Testing
❑ If the company relies on backup to protect data integrity and availability, then it needs to be sure that the information stored on the backup media is restorable in case of an incident
❑ Just as backups must take place according to a set schedule, test restores should also be officially scheduled
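The slide's point is that a backup is only evidence of restorability once a restore has actually been tested. The following added example (not the textbook's code) shows one way to make that test routine: the backup writes an archive together with a manifest of SHA-256 digests, and a verification step restores the archive into scratch space and checks every file against the manifest, reporting a damaged archive rather than crashing. Directory names, file contents and the damage simulation are constructed for the example.

```python
"""Backup with an integrity manifest and a test restore that verifies it.
Paths and file contents are constructed for this example."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir: Path, archive: Path) -> dict:
    """Write a .tar.gz of source_dir plus a manifest {relative path: sha256}."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(source_dir.rglob("*")):
            if path.is_file():
                rel = path.relative_to(source_dir).as_posix()
                manifest[rel] = sha256_file(path)
                tar.add(path, arcname=rel)
    manifest_path = archive.parent / (archive.name + ".manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(archive: Path, manifest: dict) -> dict:
    """Restore into a throwaway directory and compare every file with the manifest."""
    result = {"ok": False, "restored": 0, "missing": [], "mismatched": [], "error": None}
    # Newer Pythons offer tarfile's 'data' filter; use it where available.
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    try:
        with tempfile.TemporaryDirectory() as scratch:
            scratch_dir = Path(scratch).resolve()
            with tarfile.open(archive, "r:gz") as tar:
                for member in tar.getmembers():
                    # Refuse anything that is not a plain file inside the scratch dir.
                    target = (scratch_dir / member.name).resolve()
                    if not member.isfile() or scratch_dir not in target.parents:
                        raise ValueError(f"unsafe archive member: {member.name}")
                    tar.extract(member, scratch_dir, **extract_kwargs)
            for rel, expected in manifest.items():
                restored = scratch_dir / rel
                if not restored.is_file():
                    result["missing"].append(rel)
                elif sha256_file(restored) != expected:
                    result["mismatched"].append(rel)
                else:
                    result["restored"] += 1
    except (tarfile.TarError, EOFError, OSError, ValueError) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
        return result
    result["ok"] = not result["missing"] and not result["mismatched"]
    return result


def demo() -> dict:
    """Back up constructed data, test-restore it, then damage the archive and test again."""
    with tempfile.TemporaryDirectory() as work:
        work_dir = Path(work)
        source = work_dir / "data"
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "ledger.csv").write_text("date,amount\n2024-01-02,1500\n")
        (source / "policies.txt").write_text("SOP-12: nightly backup at 02:00\n")
        archive = work_dir / "nightly.tar.gz"
        manifest = make_backup(source, archive)
        good = verify_restore(archive, manifest)
        # Simulate damaged backup media by truncating the archive in place.
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])
        bad = verify_restore(archive, manifest)
    return {"good": good, "bad": bad}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Scheduling verify_restore() alongside the backup job, and treating a result with ok set to False as an incident, is the scheduled test restore the slide calls for; the manifest is kept apart from the archive so that a damaged archive cannot vouch for itself.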
Securing Messaging
❑ E-mail is, by default, an insecure way to transmit information
❑ Unless optional encryption is added to the e-mail solution, no confidential information should EVER be sent via e-mail
❑ Inherently, e-mail does not employ ANY encryption, and all information sent is sent in clear text
Securing Messaging Cont.
■ Employees should not commit any information to email that they would not feel comfortable writing on company letterhead
■ Employees must be trained to understand the risks and responsibilities associated with using e-mail as a business tool in a corporate environment
Securing Messaging Cont.
■ Documents sent as e-mail attachments might contain more information than the sender intended to share
❑ Metadata
■ Details about a file that describe or identify it, such as title, author name, subjects, and keywords
■ E-mail is an effective method of distributing malware
❑ Can be embedded in an attachment
❑ Sent as a hyperlink
Securing Messaging Cont.
■ Incoming attachments may contain a malicious payload:
❑ Virus
❑ Worm
❑ Trojan
❑ Other malicious scripts
❑ Hoax
■ Users must be trained to be suspicious toward attachments
■ Access to personal email accounts should not be allowed from the corporate network
Securing Messaging Cont.
■ Common e-mail-related mistakes
❑ Hitting the wrong button: using “reply all” as opposed to “reply”, or “forward” instead of “reply”
❑ Sending an e-mail to the wrong e-mail address because it is close to the intended recipient’s
❑ Leaving an entire string of replies in an e-mail forwarded to a third person who should not have been privy to some of the information discussed in earlier e-mails
■ Training users is paramount to e-mail security
Are E-Mail Servers at Risk?
■ Compromising the e-mail server
❑ Relay abuse
■ Involves using the mail server to distribute spam and malware
❑ A denial of service attack against an e-mail server is an attack against the availability of the service
❑ The e-mail server should be set up so that it does not allow an open relay of SMTP traffic. Failure to do so implies two issues:
■ The e-mail server will be used by unscrupulous spammers
■ The domain name used for e-mail purposes will be blacklisted
Activity Monitoring and Log Analysis
■ Log: A record of the events occurring within an organization’s systems and networks
■ Almost every device and application on the network can log activity
■ Log management
❑ Configuring the log sources, including log generation, storage, and security
❑ Performing analysis of log data
❑ Initiating appropriate responses to identified events
❑ Managing the long-term storage of log data
Analyzing Logs
■ Log analysis techniques
❑ Correlation
❑ Sequencing
❑ Signature
❑ Trend analysis
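The four techniques are listed without illustration, so here is an added example (not from the textbook) that applies each of them to a handful of constructed SSH authentication log lines: a signature matches a known pattern of interest, correlation groups events by source address, sequencing looks for a run of failed logins followed by a success, and trend analysis counts failures per hour for comparison with a baseline. The log lines, addresses (from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24), thresholds and signature names are all assumptions for the example.

```python
"""Signature, correlation, sequencing and trend analysis over constructed
SSH log lines.  Everything in SAMPLE_LOG is invented for this example."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-03-04T09:00:01 sshd[101]: Failed password for admin from 203.0.113.7 port 5011 ssh2
2024-03-04T09:00:03 sshd[101]: Failed password for admin from 203.0.113.7 port 5012 ssh2
2024-03-04T09:00:05 sshd[101]: Failed password for root from 203.0.113.7 port 5013 ssh2
2024-03-04T09:00:08 sshd[101]: Failed password for admin from 203.0.113.7 port 5014 ssh2
2024-03-04T09:00:11 sshd[101]: Accepted password for admin from 203.0.113.7 port 5015 ssh2
2024-03-04T09:15:00 sshd[102]: Accepted publickey for alice from 198.51.100.4 port 40112 ssh2
2024-03-04T10:02:00 sshd[103]: Failed password for bob from 198.51.100.9 port 40200 ssh2
2024-03-04T10:03:30 sshd[103]: Accepted password for bob from 198.51.100.9 port 40201 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) "
    r"for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_log(text: str) -> list:
    """Turn raw lines into structured events; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


# Signature analysis: named conditions that describe a known pattern of interest.
SIGNATURES = {
    "root-password-attempt": lambda e: e["user"] == "root" and e["method"] == "password",
}


def signature_matches(events: list, signatures: dict = SIGNATURES) -> list:
    return [(name, e["ts"], e["ip"]) for e in events
            for name, cond in signatures.items() if cond(e)]


def failures_then_success(events: list, min_failures: int = 3,
                          window: timedelta = timedelta(minutes=5)) -> list:
    """Correlation + sequencing: group events by source address, then look for a
    run of failed logins followed by a success inside the time window."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        failures = []
        for e in sorted(evs, key=lambda x: x["ts"]):
            if e["result"] == "Failed":
                failures.append(e["ts"])
                continue
            recent = [t for t in failures if e["ts"] - t <= window]
            if len(recent) >= min_failures:
                alerts.append({"ip": ip, "user": e["user"],
                               "failures": len(recent), "at": e["ts"]})
            failures = []           # a success ends the run either way
    return alerts


def failures_per_hour(events: list) -> dict:
    """Trend analysis: failed logins per hour, to compare against a baseline."""
    return dict(Counter(e["ts"].strftime("%Y-%m-%dT%H")
                        for e in events if e["result"] == "Failed"))


def analyse(text: str = SAMPLE_LOG) -> dict:
    events = parse_log(text)
    return {"signature": signature_matches(events),
            "sequence": failures_then_success(events),
            "trend": failures_per_hour(events)}


if __name__ == "__main__":
    for technique, findings in analyse().items():
        print(technique, findings)
```

Note what each technique sees: the signature fires on a single line, the sequence alert needs four related lines from one address joined by correlation, and the hourly trend only becomes meaningful once there is a baseline from earlier days to compare against.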
Service Provider Oversight
■ Service providers include vendors, contractors, business partners and affiliates who store, process, transmit, or access company information on company information systems
■ Service providers’ internal controls should meet or exceed those of the contracting organization
■ Due diligence is the process used to assess the adequacy of service providers
■ SSAE16 audit reports are the most widely accepted due diligence documentation
Summary
■ Day-to-day activities can have a huge impact on the security of the network and the data it contains. SOPs are important in providing a consistent framework across the company.
■ Change must be managed. Two mandatory components of a change management process are RFC documents and a change control plan.
■ Malware is becoming the tool of choice for criminals to exploit devices, operating systems, applications, and user vulnerabilities. Many types of malware exist and companies should protect against them.
■ Sound backup strategies should be developed, tested, authorized, and implemented. E-mail, while a fantastic business tool, is also a double-edged sword because of its inherent lack of built-in security and must be treated as such.
■ Operational security extends to service providers. Service provider controls should meet or exceed those of the company.