Secure Sharing of Digital Evidence Bhavani Thuraisingham October 17, 2011.
Dr. Bhavani Thuraisingham
The University of Texas at Dallas (UTD)
Introduction to Cyber Security (Applications, Physical, Legal, Business Continuity, Operations)
Data and Applications Development Security
• System Lifecycle Security
• Applications Security Issues
• Database Security
Secure Systems Development Policies
• Organizations require more secure development
• Security climate has changed
Organizational Standards
• Systems Security Engineering-Capability Maturity Model Integration (SSE-CMMI)
• Web Application Security Consortium (WASC)
• Build Security in (BSI)
• International Organization for Standardization (ISO)/International Electro-Technical Commission (IEC 27034)
Software Configuration Management (SCM)
• Versioning
• Technology
• Protection of code
• Protection of project
  – Scope-creep vs. statement of work
• Process integrity
System Lifecycle
• Project
• Management-based methodology
• Capability maturity model integration
• SLC vs. SDLC
  – System lifecycle
  – System development lifecycle
Project Management Controls
• Complexity of systems and projects
• Controls built into software
Secure Development Environment
• “We need security? Then we’ll use SSL.”
• “We need strong authentication? PKI will solve all our problems.”
• “We use a secret/military-grade encryption.”
• “We had a hacking contest and no one broke it.”
• “We have an excellent firewall.”
• “We’ll add it later; let’s have the features first.”
Secure Development: Physical
• Protect source code
  – From tampering
  – Pirating
  – Accidental loss
  – Protection against attacks
Personnel Security
• Hiring controls
• Changes in employment
• Protection of privacy from employees
  – Privacy impact rating
Separation of Test Data from Production
• Never test on a production system
• Never use real data
Software Development Methods
• Waterfall
• Spiral method
• Clean-room
• Structured Programming Development
• Iterative development
• Joint analysis development
• Prototyping
Software Development Methods (cont.)
• Modified prototype model
• Exploratory model
• Rapid application development
• Reuse model
• Computer aided software engineering
• Component-based development
• Extreme programming
• Agile development
Programming Language Examples
Interpreted
• REXX
• PostScript
• Perl
• Ruby
• Python
Compiled
• Fortran
• COBOL
• BASIC
• Pascal
• C
• Ada
• C++
• Java
• C#
• Visual Basic
Program Utilities
• Assembler
• Compiler
• Interpreter
Secure Coding Issues
• Buffer overflow
• SQL injections
• Cross-site scripting (XSS)
• Dangling pointer
• Invalid hyperlink
• Secure web applications
• JavaScript attacks vs. sandbox
• Application Programming Interface (API)
• Open Source
Application Security Principles
• Validate all input and output
• Fail secure (closed)
• Fail safe
• Make it simple
• Defense in depth
• Only as secure as your weakest link
Object-oriented Programming
• OOP concepts
  – Classes
  – Objects
  – Message
  – Inheritance
  – Polymorphism
  – Polyinstantiation (term came from security)
Applications Security Issues
• Building security in
• Adding defense-in-depth
Transaction Processing
• Transaction
  – Integrity
  – Availability
  – Confidentiality
Malware and Attack Types
• Injection
• Input manipulation / malicious file execution
• Broken authentication management
• Cryptographic
• Denial of service
• Hijacking
• Information disclosure
• Infrastructure
• Mis-configuration
• Race condition
Malware
• Keystroke logging
• Adware and spyware
• SPAM
• Phishing
• Botnets
• Remote access Trojan
• URL manipulation
• Maintenance hooks
• Privileged programs
Distributed Programming
• Distributed Component Object Model (DCOM)
• Simple Object Access Protocol (SOAP)
• Common Object-Request Broker Architecture (CORBA)
• Enterprise Java Beans (EJB)
Database Management Systems (DBMS) Models
• Hierarchical DBMS
  – Stores records in a single table
  – Parent/child relationships
  – Limited to a single tree
  – Difficult to link branches
Relational DBMS Model
• Most frequently used model
• Data are structured in tables
• Columns are “variables” (attributes)
• Rows contain the specific instances (records) or data
Data Warehouse
• Consolidated view of enterprise data
• Data mart
• Designed to support decision making through data mining
Knowledge Discovery in Databases (KDD)
• Methods of identifying patterns in data
• KDD and AI techniques
  – Probabilistic models
  – Statistical approach
  – Classification approach
  – Deviation and trend analysis
  – Neural networks
  – Expert system approach
  – Hybrid approach
Database Security Issues
• Inference
• Aggregation
• Unauthorized access
• Improper modification of data
• Metadata
• Query attacks
• Bypass attacks
• Interception of data
• Web security
• Data contamination
• Polyinstantiation
• Data mining
Database Controls
• Access controls
• Grants
• Cascading permissions
• Lock controls
• Backup and recovery
View-based Access Controls
• Constrained views
• Sensitive data is hidden from unauthorized users
• Controls located in the front-end application (user interface)
Transaction Controls
• Content-based access control
• Commit statement
• Three-phase commit
• Database rollback
• Journal / logs
• Error controls
The ACID Test
• Atomicity
• Consistency
• Isolation
• Durability
Application and Database Languages: Security Issues
• Poorly designed
• More privileges than necessary
• DBA account use
• Lack of audit
• Input validation
Database Interface Languages
• Structured Query Language (SQL)
• Open Database Connectivity (ODBC)
• Extensible Markup Language (XML)
• Object Linking and Embedding (OLE)
• Active X Data Object (ADO)
Legal, Regulations, Compliance and Investigations
• International Legal Issues
• Incident Management
• Forensic Investigation
• Compliance
Jurisdiction
• Law, economics, beliefs and politics
• Sovereignty of nations
International Cooperation
• Initiatives related to international cooperation in dealing with computer crime
• The Council of Europe (CoE) Cybercrime Convention
Computer Crime vs. Traditional Crime
Traditional Crime
• Violent
• Property
• Public Order
Computer Crime
• Real Property
• Virtual Property
Intellectual Property Protection
• Organizations must protect intellectual property (IP)
  – Theft
  – Loss
  – Corporate espionage
  – Improper duplication
• Intellectual property must have value
  – Organization must demonstrate actions to protect IP
Intellectual Property: Patent
• Definition
• Advantages
Intellectual Property: Trademark
• Purpose of a trademark
• Characteristics of a trademark
  – Word
  – Name
  – Symbol
  – Color
  – Sound
  – Product shape
Intellectual Property: Copyright
• Covers the expression of ideas
  – Writings
  – Recordings
  – Computer programs
• Weaker than patent protection
Intellectual Property: Trade Secrets
• Must be confidential
• Protection of trade secret
Import and Export Law
• Strong encryption
• No terrorist states
Liability
• Legal responsibility
• Penalties
• Negligence and liability
Negligence
• Acting without care
• Due care
Transborder Data Flow
• Political boundaries
  – Privacy
  – Investigations
  – Jurisdiction
Personally Identifiable Information (PII)
• Identify or locate
• Not anonymous
• Global effort
Privacy Laws and Regulations
• Rights and obligations of:
  – Individuals
  – Organizations
International Privacy
• Organization for Economic Co-operation and Development (OECD)
• 8 core principles
Privacy Law Examples
• Health Insurance Portability and Accountability Act (HIPAA)
• Personal Information Protection and Electronics Document Act (PIPEDA)
• European Union Data Protection Directive
Employee Privacy
• Employee monitoring
  – Authorized usage policies
  – Internet usage
  – Email
  – Telephone
• Training
Incident Management
• Prepare, sustain, improve
• Protect infrastructure
• Prepare, detect, respond
Collection of Digital Evidence
• Volatile and fragile
• Short life span
• Collect quickly
• By order of volatility
• Document, document, document!
Chain of Custody for Evidence
• Who
• What
• When
• Where
• How
Investigation Process
• Identify suspects
• Identify witnesses
• Identify system
• Identify team
• Search warrants
Investigation Techniques
• Ownership and possession analysis
• Means, opportunity and motives (MOM)
Behavior of Computer Criminals
• Computer criminals have specific MOs
  – Hacking software / tools
  – Types of systems or networks attacked, etc.
  – Signature behaviors
• MO and signature behaviors
• Profiling
Interviewing vs. Interrogation
• General gathering
• Cooperation
• Seek truth
• Specific aim
• Hostile
• Dangerous
Evidence: Hearsay
• Hearsay
  – Second hand evidence
  – Normally not admissible
• Business records exception
  – Computer generated information
  – Process of creation description
Reporting and Documentation
• Law
• Court proceedings
• Policy
• Regulations
Communication About the Incident
• Public disclosure
• Authorized personnel only
Computer Forensics: Evidence
• Potential evidence
• Evidence and legal system
Computer Forensics
• Key components
  – Crime scenes
  – Digital evidence
  – Guidelines
Computer Forensics: Evidence
• Identification of evidence
• Collection of evidence
  – Use appropriate collection techniques
  – Reduce contamination
  – Protect scene
  – Maintain the chain of custody and authentication
Computer Forensics: Evidence
• Scientific methods for analysis
  – Characteristics of the evidence
  – Comparison of evidence
• Presentation of findings
  – Interpretation and analysis
  – Format appropriate for the intended audience
Forensic Evidence Procedure
• Receive media
• Disk write blocker
• Bit for bit image
• Cryptographic checksum
• Store the source drive
Forensic Evidence Analysis Procedure
• Recent activity
• Keyword search
• Slack space
• Documented
Media Analysis
• Recognizing operating system artifacts
• File system
• Timeline analysis
• Searching data
Software Analysis
• What it does
• What files it creates
Network Analysis
• Data on the wire
• Ports
• Traffic hiding
Compliance
• Knowing legislation
• Following legislation
Regulatory Environment Examples
• Sarbanes-Oxley (SOX)
• Gramm-Leach-Bliley Act (GLBA)
• Basel II
Compliance Audit
• Audit = a formal written examination of controls
• Auditor role = 3rd party evaluator
• Continuous auditing = automation
Audit Report Format
• Introduction
  – Background
  – Audit perspective
  – Scope and objectives
• Executive summary
• Internal audit opinion
• Detail report including auditee responses
• Appendix
• Exhibits
Key Performance Indicators (KPI)
• Illegal software
• Privacy
• Security related incidents
Physical (Environmental) Security
• Site and Facility Design Criteria
• Perimeter Security
• Building and Inside Security
• Secure Operational Area
Site Location Considerations
• Emergency services
• Hazards / threats
• Adjacency
Threats to Physical Security
• National / environmental
• Utility systems
• Human-made / political events
Threat Sources and Controls
Threat | Controls
Theft | Locks
Espionage | Background checks
Dumpster diving | Disposal procedures
Social engineering | Awareness
Shoulder surfing | Screen filters
HVAC access | Motion sensors in ventilation ducts
Perimeter and Building Boundary Protections
• First line of defense
• Protective barriers
  – Natural
  – Structural
Fences
• Federal, state or local codes may apply
• Parking should not be allowed near fences
Controlled Access Points
• Gates are the minimum necessary layer
• Bollards
Perimeter Intrusion Detection Systems
• Detect unauthorized access into an area
  – Electronic ‘eyes’
• Note that some perimeter IDSs can function inside the perimeter as well.
Types of Lighting
• Continuous lighting
• Trip lighting
• Standby lighting
• Emergency exit lighting
• Emergency egress lighting
Access and Visitor Logs and More Rigorous Forms of Logging
ABC Company
Entrance: ___________________ Date: ________________
Name | Institution | Name of Person Visiting | Time In | Time Out
Closed Circuit Television (CCTV)
• CCTV Capability Requirements
  – Detection
  – Recognition
  – Identification
• Mixing Capabilities
• Virtual CCTV Systems
Guards and Guard Stations
• Guards
  – Deterrent
  – Possible liability
• Guard stations
Doors
• Isolation of critical areas
• Lighting of doorways
• Contact devices
• Guidelines
Building Entry Point Protection
• Locks
• Lock components
  – Body
  – Strike
  – Strike plates
  – Key
  – Cylinder
Types of Locks
• Something you have – Keyed
• Something you know – Combinations
• Something you are – Biometric
Lock Attacks
• Lock picking
• Lock bumping
Lock Controls
• Lock and key control system
• Key control procedures
• Change combinations
• Fail
  – Soft
  – Secure
  – Safe
Other Electronic Physical Controls
• Card access
• Biometric access methods
Windows and Entry Points
• Standard plate glass
• Tempered glass
• Acrylic materials
• Polycarbonate windows
• Entry points
Intrusion Detection Systems (IDS)
• Closed circuit television
• Sensors and monitors
Escorts and Visitor Control
• Visitor access control best practices
  – Picture identity
  – Photographs
  – Enclosed area
  – Authorized escort
Access Logs
• Computerized log
• Closed circuit TV
Equipment Room
• Perimeter enclosure
• Controls
• Policy
Data Processing Facility
• Small devices threat
• Server room
• Mainframes
• Storage
Communications and Power
• Wireless access points
• Network access control
• Utility and power rooms
Work Area
• Operators
• System administrators
• Restricted work areas
Equipment Protection
• Inventory
• Locks and tracing equipment
• Data encryption
• Disabling I/O ports
Environmental Controls
System | Threat
Electric power | Loss of power
HVAC | Overheating
Water / plumbing | Flood / dripping
Gas | Explosion
Refrigeration | Leakage
Fire Protection
• Prevention – reduce causes
• Detection – alert occupants
• Suppression – contain or extinguish
Materials and Suppression Agents
Type | Suppression Agents
Common combustibles | Water, foam, dry chemicals
Combustible liquids | Inert gas, CO2, foam, dry chemicals
Electrical | Inert gas, CO2, dry chemicals
Combustible metals | Dry powders
Cooking media (fats) | Wet chemicals
Flooding Area Coverage
• Water – sprinkler systems
• Gas – Halon/CO2/Argon systems
• Best practices for systems
• Portable extinguishers
Types of Electrical Power Faults
• Complete loss of power
• Power degradation
• Interference (noise)
• Grounding
Loss of Electrical Power
• UPS
• Generators
• Goals of power
• Power controls
Heating, Ventilation and Air Conditioning (HVAC)
• Location
• Positive pressure
• Maintenance
Other Infrastructure Threats
• Gas leakage
• Water threats
Key Performance Indicators
• # of physical security incidents detected
• # of false positives for biometrics
Business Continuity and Disaster Recovery Planning
• Project Scope Development and Planning
• Business Impact Analysis (BIA) and Functional Requirements
• Business Continuity and Recovery Strategy
• Plan Design and Development
• Implementation
• Restoration / Disaster Recovery
• Feedback and Plan Management
Sources of Information
• Disaster Recovery Institute International
• Business Continuity Institute
• ISO 25999
• ISO 27001, Section 10
• NIST SP 800-34
ISO 25999: Business Continuity Management
• Risk management
• Disaster recovery
• Facilities management
• Supply chain management
• Quality management
• Health and safety
• Knowledge management
• Emergency management
• Security
• Crisis communications and PR
Overview of BCP
• Direct benefits
• Indirect benefits
• Overlap with Risk Management
• BCM vs. BCP vs. COOP
The Enterprise BCP
• DRP
  – Backup strategies
  – Emergency procedures
  – Contracts and provisioning
• BIA
  – Reciprocal agreements
  – Alternate sites
• Incident response planning
  – Succession Plan
  – Incident Response Team
The Enterprise BCP (cont.)
• Risk analysis
  – Safeguards / countermeasures
  – Insurance plan
• Corporate communication plan
  – User awareness training
  – Media/stakeholder relations plan
The Business Continuity Life Cycle
• Analyze the business
• Assess the risks
• Develop the BC strategy
• Develop the BC plan
• Rehearse the plan
BC Project Phases
• Project Scope Development and Planning
• Business Impact Analysis (BIA) and Functional Requirements
• Business Continuity and Recovery Strategy
• Plan Design and Development
• Implementation
• Restoration / Disaster Recovery
• Feedback and Plan Management
Reflecting Organizational Context
• Policy is the driver
• Aligned with requirements
• Provides direction and focus
• Use Business Impact Analysis
• Identify inputs
• Outcomes and deliverables
• Reviewed annually
Policy
• Organizational authority
• Policy document
• Program scope
• Resources
• Outsourcing
Policy contents
• Framework
• Tools and techniques
• Policy contents
• Change is infrequent
Outsourced Activities
• You are still responsible
• Resilience in outsourcing
• Supplier continuity
Scope and Choices
• Limit scope
• Ensure clarity of scope
• Strategy, Return on Investment (ROI), and SWOT (Strengths, Weaknesses, Opportunities, Threats)
• Review yearly
Program Management
• Assigning responsibilities
• Initiating BCP in the organization
• Project management
• Ongoing management
• Documentation
• Incident readiness and response
Documentation
• Review current BCP if available
• Documentation may not equal capability
• Staff must be trained to use any necessary software
• Types of documentation
• Review as directed by policy
Initiating BCP
• Awareness, data, implementation
• Staff and budget
• Result must be a long-term, sustainable program
• Review progress monthly
Incident Readiness & Response
• Planners become leaders
• Be prepared
• Triage
• Incident management
• Success = Return to Operations
• Immediate lessons learned
Key Indicators of Success
• Senior management commitment
• Policy content
• BCP Resources
• Project management
• Documentation
Understanding the Organization
• Business Impact Analysis (BIA)
  – Benefits
  – Objectives
• Evaluating Threats (Risk Assessment)
• Emergency Assessment
• Indicators of Critical Business Functions
Business Impact Analysis
• Identifies, quantifies and qualifies loss
• Scope and support required
• Documents impact and dependencies
• MTD, RPO
• Business impact analysis process
• Workshops, questionnaires, interviews
• Business justifications for budget
Maximum Tolerable Period of Disruption
Item | Required recovery time following a disaster
Non-essential | 30 days
Normal | 7 days
Important | 72 hours
Urgent | 24 hours
Critical/Essential | Minutes to hours
Estimating Continuity Requirements
• Total budget for disaster recovery
• Identification of necessary resources
• Outcomes feed BCP strategy selection
• Reviewed with BIA
Evaluating Threats (Risk Assessment)
• Risk equation + time element
• Risk = Threat impact * probability
• Prioritize key processes and assets
• Outcomes
Key Indicators of Success
• Corporate governance
• BIA practice
• Risk assessment practice
Determining Business Continuity Strategy
• High-level strategies
• RTO < MTPD
• Separation distance
• Resilience
• Address specific business types
Determining Strategy
• Determining BC strategies
• Strategy options
• Activity continuity options
• Resource-level consolidation
Activity Continuity Options
• Selecting recovery tactics
• Reliability
• Extent of planning
• Cost/benefit analysis
• Outcome
Recovery Alternatives
Alternative | Description | Readiness | Cost
Multiple processing / mirrored site | Fully redundant identical equipment and data | Highest level of availability and readiness | Highest
Mobile site/trailer | Designed, self-contained IT and communications | Variable drive time; load data and test systems | High
Hot site | Fully provisioned IT and office, HVAC, infrastructure and communications | Short time to load data, test systems. May be yours or vendor staff | High
Warm site | Partially IT equipped, some office, data and voice, infrastructure | Days or weeks. Need equipment, data communications | Moderate
Cold site | Minimal infrastructure, HVAC | Weeks or more. Need all IT, office equipment and communications | Lowest
Processing Agreements
Agreement | Description | Consideration
Reciprocal or Mutual Aid | Two or more organizations agree to recover critical operations for each other. | Technology upgrades / obsolescence or business growth. Security and access by partner users
Contingency | Alternate arrangements if primary provider is interrupted, i.e. voice or data communications | Providers may share paths or lease from each other. Question them.
Service Bureau | Agreement with application service provider to process critical business functions. | Evaluate their loading geography and ask about backup mode.
Resource Level Consolidation
• Consolidation plan
• Availability of solutions
• Consolidate, approve, implement
• Methods and techniques
• Outcomes and deliverables
Business Continuity Plan
• Master plan
• Modular in design
• Executive endorsement
• Review quarterly
Business Continuity Plan Contents
• When team will be activated
• Means by which the team will be activated
• Places to meet
• Action plans/task list created
Business Continuity Plan Contents
• Responsibilities of the team or of specific individuals
  – Liaising with Emergency Services (fire, police, ambulance)
  – Receiving or seeking information from response teams
  – Reporting information to the Incident Management Team
  – Mobilizing third party suppliers of salvage and recovery services
  – Allocating available resources to recovery teams
  – Invocation / mobilization instructions
Developing and Implementing Response
• Incident response structure
• Emergency response procedures
• Personnel notification
• Communications
• Restoration
Implementing Incident Management Plan
• Rapid response is critical
• Crisis management
• Steps to develop an Incident Management Plan
• Action plans
Incident Response Structure
• Strategic
• Tactical
• Operational
Key Indicators of Success
• Development and acceptance of Recovery Strategies and Business Continuity Plans
Disaster Recovery
• Salvage
• Separate function and team
• Facility restoration
• System recovery
Testing the Program
• Find the flaws
• Outsourcing
• Timetable for tests
• Test design process
Testing Types
Types | Process | Participants | Frequency | Complexity
Desk Check | Check the contents of the plan, aid in maintenance. | Author | Often | LOW
Walk-through | Check interaction and roles of participants. | Author and main people | |
Simulation | Includes: business plans, buildings, communications | Main people and auditors | |
Parallel testing | Moves work to another site. Recreates the existing work from the displaced site. | Everyone at location | |
Full | Shuts down and relocates all work | Everyone at both locations | Rare | HIGH
Embedding BCP
• Assessing level of awareness and training
• Developing BCP within the Culture
• Monitoring cultural change
Test BCP Arrangements
• Test, rehearsal, exercise
• Combine all plan activities
• Stringency, realism and minimal exposure
• Contents of a test
• Outcomes
Maintaining BCP Arrangements
• Ready and embedded
• Triggered by change management
• Owners keep information current
• Documented
• Review as needed
Reviewing BCP Arrangements
• Audit
• Independent BCP audit opinion
• As directed by audit policy
Factors for Success
• Supported by senior management
• Everyone is aware
• Everyone is invested
• Consensus
Assessing the Level of Awareness and Training
• Where are we now
• What does the policy state
• Current vs. desired levels
• Training framework in place
Developing a BCP Within the Organization’s Culture
• Training, education, awareness
• Well-implemented policy
• Design
• Delivery planning
• Delivery
• Cost effective delivery
• Higher awareness
Operations Security
• Protection and Control of Data Processing Resources
  – Media Management
  – Backups and Recovery
  – Change Control
• Privileged Entity Control
Control Categories
• Preventive
• Detective
• Corrective
• Deterrent
• Recovery
• Directive
• Compensating
Application-related Controls
• Transaction
• Input
• Processing
• Output
• Test
• Supervision / balancing
• Job-flow
• Logging
• Licensing
Operations Security Focus Areas
• Auditors
• Support staff
• Vendors
• Security
• Programmers
• Operators
• Engineers
• Administrators
Facility Support Systems
• The support systems in centralized and decentralized operation centers must be protected
  – Hardware
  – Software
  – Storage media
  – Cabling
  – Physical security
Facility Support Systems (cont.)
• Fire protection
• HVAC
• Electrical power goals
Facility Support Systems (cont.)
• Water
• Communications
• Alarm systems
Media Management
• Storage
• Encryption
• Retrieval
• Disposal
Object Reuse
• Securely reassigned
• Disclosure
• Contamination
• Recoverability
Clearing of Magnetic Media
• Overwriting
• Degaussing
• Physical destruction
Media Management Practices
• Sensitive Media Controls
  – Destroying
  – Marking
  – Labeling
  – Handling
  – Storing
  – Declassifying
Misuse Prevention
Threats | Countermeasures
Personal use | Acceptable use policy, workstation controls, web content filtering, email filtering
Theft of media | Appropriate media controls
Fraud | Balancing of input/output reports, separation of duties, verification of information
Sniffers | Encryption
Records Management
• Consideration for records management program development
• Guidelines for developing a records management program
• Records retention
Adequate Software & Data Backup
• Operations controls ensure adequate backups of:
  – Data
  – Operating systems
  – Applications
  – Transactions
  – Configurations
  – Reports
• Backups must be tested
• Alternate site recovery plan
Fault Tolerance
• Hardware failure is planned for
• System recognizes a failure
• Automatic corrective action
• Standby systems
  – Cold – configured, not on, lost connections
  – Warm – on, some lost data or transactions (TRX)
  – Hot – ready – failover
RAID – Redundant Array of Independent Discs
• Hardware-based
• Software-based
• Hot spare
RAID Level 0
• Two or more disks
• No redundancy
• Performance only
RAID Level 1
• Exact copy (or mirror)
• Two or more disks
• Fault tolerant
• 200% cost
RAID Level 2
• Striping of data with error correcting codes (ECC)
• Requires more disks than RAID 3/4/5
• Not used, not commercially viable
RAID Level 3
• Byte level stripes
• 1 drive for parity
• All other drives are for data
RAID Level 4
• Block level stripes
• 1 drive for parity
• All other drives are for data
RAID Level 5
• Block level stripes
• Data and parity interleaved amongst all drives
• The most popular RAID implementation
RAID Level 6
• Block level stripes
• All drives used for data AND parity
• 2 parity types
• Higher cost
• More fault tolerant than RAID implementations 2 - 5
RAID Level 0+1
• Mirroring and striping
• Higher cost
• Higher speed
RAID Level 10
• Mirroring and striping
• Higher cost
• Higher speed
Redundant Array of Independent Tapes (RAIT)
• Using tapes not disk
• Real-time mirroring
Hot Spares
• Waiting for disaster
• Global
• Dedicated
Backup Types
• File image
• System image
• Data mirroring
• Electronic vaulting
• Remote journaling
• Database shadowing
• Redundant servers
• Standby services
System Recovery – Trusted Recovery
• Correct implementation
• Failures don’t compromise a system’s secure operation
Types of Trusted Recovery
• System reboot
• Emergency system restart
• System cold start
Fail Secure
• Cause little or no harm to personnel
• System remains secure
Operational Incident Handling
• First line of defense
• Logging, tracking and analysis of incidents
• Escalation and notification
Incident Response Team
Benefits
• Protection of assets
• Profitability
• Regulations
• Avoiding downstream damage
• Limit exposure
Priorities
• Life safety
• Labeled data
• Communication
• Reduce disruption
Contingency Plans
• Business continuity plans and procedures
  – Power failure
  – System failure
  – Denial of service
  – Intrusions
  – Tampering
  – Communication
  – Production delay
  – I/O errors
Change Control Management
• Business and technology balance
• Defines
  – Process of changes
  – Ownership of changes
• Changes are reviewed for impact on security
Change Control Committee Responsibilities
Management
• Business impact
• Regulations
• Risk management
• Approval
• Accreditation
Technical
• Request process
• Functional impact
• Access control
• Testing
• Rollback
• Certification
Change Control Procedures
• Request
• Impact assessment
• Approval
• Build/test
• Implement
• Monitor
Configuration Management Elements
• Hardware inventory
• Hardware configuration chart
• Software
• Firmware
• Documentation requirements
• Testing
Patch Management
• Knowledge of patches
• Testing
• Deployment
• Zero-day challenges
Protection of Operational Files
• Library Maintenance
  – Backups
  – Source code
  – Object code
  – Configuration files
• Librarian
Operator Privileges
• Data input and output
• Data maintenance
• Labeling
• Inventory
Administrator Privileges
• Systems administrators
• Network administrators
• Audit highly-privileged accounts
Security Administrator Privileges
• Security administration includes:
  – Policy
    • Development
    • Implementation
    • Maintenance and compliance
  – Vulnerability assessments
  – Incident response
Control Over Privileged Entities
• Review of access rights
• Supervision
• Monitoring/audit