Operations Security
CISSP Guide to Security Essentials
Chapter 7
Objectives
• Applying security concepts to computer and business operations
• Records management security controls
• Backups
• Anti-virus software and other anti-malware controls
Objectives (cont.)
• Remote access
• Administrative management and control of information security
• Resource protection
• Incident management
Objectives (cont.)
• High availability architectures
• Vulnerability management
• Change management and configuration management
• Operations attacks and countermeasures
Applying Security Operations Concepts
Security Operations Concepts
• Need to know
• Least privilege
• Separation of duties
• Job rotation
• Monitoring of special privileges
Security Operations Concepts (cont.)
• Records management controls
• Backups
• Anti-virus and anti-malware
• Remote access
Flow of Control
• From chapter 1
1. Policy
2. Guidelines
3. Processes
4. Procedures
5. Recordkeeping
Need to Know
• Individual personnel should have access to only the information that they require in order to perform their stated duties
• Independent of security clearance
• This reduces risk, but can be an administrative burden
Least Privilege
• Users should have the fewest or lowest number of privileges required to accomplish their duties
• Independent of security clearance
Separation of Duties
• High-value or high-risk tasks require two or more different individuals to complete
• Examples
– Open a bank vault
– Issue an arrest warrant
– Provision a privileged-access computer account
– Change a firewall rule
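The two-person rule behind this slide, as an added example that is not part of the course material: a request for one of the listed high-risk tasks can only be executed once enough distinct people have signed off, and the requester is never allowed to approve their own request. The task names and the "2 people" requirement are assumptions chosen for the example.

```python
# Added example, not from the slides: a two-person rule for the tasks the
# slide lists. The task names and the "2 people" requirement are assumptions
# chosen to illustrate the control, not values taken from the course.
from dataclasses import dataclass, field

# Minimum number of distinct people (requester plus approvers) per task.
REQUIRED_PEOPLE = {
    "open_bank_vault": 2,
    "issue_arrest_warrant": 2,
    "provision_privileged_account": 2,
    "change_firewall_rule": 2,
}


class SeparationOfDutiesError(Exception):
    """A single person tried to complete a task that needs several."""


@dataclass
class TaskRequest:
    task: str
    requester: str
    approvers: list = field(default_factory=list)

    def approve(self, approver: str) -> None:
        # The requester can never be an approver, and one approver cannot be
        # counted twice; otherwise a single person could complete the task.
        if approver == self.requester:
            raise SeparationOfDutiesError(f"{approver} cannot approve their own request")
        if approver in self.approvers:
            raise SeparationOfDutiesError(f"{approver} has already approved this request")
        self.approvers.append(approver)

    def people_involved(self) -> int:
        return 1 + len(self.approvers)

    def is_complete(self) -> bool:
        return self.people_involved() >= REQUIRED_PEOPLE.get(self.task, 1)


def execute(request: TaskRequest) -> dict:
    """Perform the task only when enough distinct people have signed off and
    return an audit record so the action is recorded (recordkeeping)."""
    if not request.is_complete():
        raise SeparationOfDutiesError(
            f"{request.task} needs {REQUIRED_PEOPLE.get(request.task, 1)} people, "
            f"has {request.people_involved()}")
    return {"task": request.task, "requester": request.requester,
            "approvers": list(request.approvers), "status": "executed"}
```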
Job Rotation
• Move individual workers through a range of job assignments
• Reduces monotony and risk
• Reduces likelihood that employees will perform inappropriate or illegal actions if they fear being caught when next job rotation occurs
Monitoring of Special Privileges
• Privileged users have more power
• Mistakes have greater impact
• Record activities
– Network administrator
– System administrator
– Database administrator
– Application administrator
Records Management Controls
• Data classification
• Access management
• Records retention
• Backups
• Data destruction
Data Classification
• Establish sensitivity levels
• Establish handling procedures for each level
– Creation, storage, transmittal, destruction
Access Management
• Policies, procedures, and controls that determine how information is accessed and by whom
– User account provisioning
– Privilege management
– Password management
– Review of access rights
– Secure log on
Records Retention
• Policies that specify how long different types of records must be retained (minimums and maximums)
• Manage risks related to business records
– Risk of compromise of sensitive information
– Risk of loss of important information
– E-Discovery
– Regulation
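A retention schedule with both a minimum and a maximum, as an added example that is not from the course: a record younger than its minimum must be retained, one past its maximum should be destroyed (keeping it only adds compromise risk), and an e-discovery hold suspends destruction regardless of age. The record types, day counts and hold flag are assumptions for the example.

```python
# Added example, not from the slides: applying a retention schedule with a
# minimum and a maximum per record type. The record types, day counts and the
# legal-hold flag are assumptions for the example, not values from the course.
from datetime import date

# (minimum_days, maximum_days): keep at least the minimum, never beyond the maximum.
RETENTION_DAYS = {
    "invoice": (7 * 365, 10 * 365),
    "security_log": (365, 2 * 365),
    "job_application": (180, 365),
}


def _as_date(value) -> date:
    """Accept either a date or an ISO string such as '2020-01-01'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def retention_status(record_type: str, created, today, legal_hold: bool = False) -> str:
    """Return what may happen to a record today.

    retain   - younger than the minimum: destroying it would breach regulation
    eligible - between minimum and maximum: may be destroyed
    destroy  - older than the maximum: keeping it only adds compromise risk
    hold     - under e-discovery hold: destruction is suspended regardless of age
    """
    if legal_hold:
        return "hold"
    minimum, maximum = RETENTION_DAYS[record_type]
    age = (_as_date(today) - _as_date(created)).days
    if age < minimum:
        return "retain"
    if age < maximum:
        return "eligible"
    return "destroy"


def records_to_destroy(records: list, today) -> list:
    """Filter (record_id, type, created, on_hold) tuples down to the ids that
    are past their maximum retention and not on hold."""
    return [rid for rid, rtype, created, on_hold in records
            if retention_status(rtype, created, today, on_hold) == "destroy"]
```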
Backups
• Protection against loss due to malfunctions, failures, mistakes, and disasters
• Activities
– Data restoration
– Protection of backup media
– Off-site storage of backup media
Data Restoration
• Periodic testing to ensure that data that is backed up can be restored
– Same computer
– Different computer
• Best way to prove that backups are being performed properly
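A restore test in code, as an added example that is not part of the course: it backs up a constructed set of files, restores them into a separate directory standing in for "a different computer", and proves every file came back byte-for-byte identical by comparing SHA-256 hashes. The sample files and directory names are constructed for the example.

```python
# Added example, not from the slides: back up constructed sample files,
# restore them elsewhere and verify every file by hash. tamper=True simulates
# a bad restore so the check is shown to actually catch a difference.
import hashlib
import tarfile
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(root: Path) -> dict:
    """Map each file's path relative to root to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}

def back_up(source: Path, archive: Path) -> None:
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                tar.add(p, arcname=p.relative_to(source).as_posix())

def restore(archive: Path, target: Path) -> None:
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(target, filter="data")  # safe extraction on Python 3.12+
        except TypeError:  # older Python without the filter argument
            tar.extractall(target)

def verify_restore(source: Path, restored: Path) -> dict:
    """Compare the restored tree with the original; any difference fails the test."""
    before, after = snapshot(source), snapshot(restored)
    missing = sorted(set(before) - set(after))
    extra = sorted(set(after) - set(before))
    mismatched = sorted(p for p in before if p in after and before[p] != after[p])
    return {"ok": not (missing or extra or mismatched),
            "missing": missing, "extra": extra, "mismatched": mismatched}

def run_restore_test(tamper: bool = False) -> dict:
    """Full backup/restore/verify cycle on constructed sample data."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        source, restored, archive = work / "source", work / "other-host", work / "backup.tar.gz"
        (source / "db").mkdir(parents=True)
        (source / "db" / "customers.csv").write_text("id,name\n1,Example Corp\n")
        (source / "app.ini").write_text("[app]\nmode=prod\n")
        back_up(source, archive)
        restore(archive, restored)
        if tamper:
            (restored / "app.ini").write_text("[app]\nmode=dev\n")
        return verify_restore(source, restored)
```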
Protection of Backup Media
• Backup media contains sensitive information
• Requires same level of control as original information
• Keep in locked cabinets
– Least privilege and need to know
Offsite Storage of Backup Media
• Reduce risk of loss of backup media in the event of a disaster that destroys the data center
– Fire, flood, sabotage
• Factors
– Distance from business location
– Security of transportation
– Security of storage center
– Resilience of storage center against disasters
Data Destruction
• Purpose: ensure that discarded information is truly destroyed and not salvageable by either employees or outsiders
Data Destruction (cont.)
• Once information has reached the end of its need, its destruction needs to be carried out in a manner that is proportional to its sensitivity
– Degaussing
– Shredding
– Wiping
Anti-virus and Anti-malware
• Effects of uncontrolled malware
– Loss of business information
– Disclosure or compromise of business information
– Corruption of business information
– Disruption of business information processing
– Inability to access business information
– Loss of productivity
• Apply defense in depth to protect assets
• Central anti-malware management
Remote Access
• Connectivity to a network or system from a location away from the network or system, usually from a location apart from the organization’s premises
• Usually through a VPN
Remote Access (cont.)
• Improves productivity by permitting employees to access business information from any location
• Risk mitigation
– Encryption, strong authentication, anti-malware, firewall
Administrative Management and Control
ISO 27001
• Widely accepted model for top-down security management
– Define scope and boundaries
– Establish a security policy
– Risk assessments
– Establish control objectives and activities
– Security awareness and training
– Allocate resources
– Internal audits
– Monitor and review the security program
– Enact continual improvement
Types of Controls
• Technical
– Such as firewalls and antivirus software
• Physical
– Locks, guards, etc.
• Administrative
– Such as policies and audits
• See link Ch 7a for a good discussion, and link CISSP 12 for good whitepapers on all ten CISSP domains
Categories of Controls
• Detective
• Deterrent
• Preventive
• Corrective
• Recovery
• Compensating
Employing Resource Protection
Resource Protection
• Facilities
– Water and sewage
– Electricity
– Fire alarms and suppression
– Environmental controls
– Communications
– Security controls
Resource Protection (cont.)
• Hardware
– Servers
– Workstations
– Network devices
– Wireless networks
– Printers, copiers
– Cabling
Resource Protection (cont.)
• Software requires control and management
– Licensing
– Access control
– Source code (preventing disclosure)
  • Intellectual property
  • Security
– Source code control
  • Software development lifecycle
Resource Protection (cont.)
• Documentation
– May contain trade secrets and sensitive information
– Processes, procedures, and instructions
– Version control
– Access control
Incident Management
Incident
• An Incident is
– An unexpected event that results in an interruption of normal operations
• A Security Incident is
– An event in which security policy has been violated, OR
– Unauthorized access to a system or information, OR
– An event that prevents legitimate access to a system or information
Incident Management
• Incident declaration
• Triage
• Investigation
• Analysis
• Containment
• Recovery
• Debriefing
– See chapter 6 for details
High Availability Architectures
Fault Tolerance
• Makes devices less prone to failure
– Multiple power supplies
– Multiple network interfaces
– Multiple processor units
– RAID (Redundant Array of Inexpensive / Independent Disks)
Clustering
• A group of two or more servers that operate functionally as a single logical server
• Active-active mode
• Active-passive mode
– Failover: when active status is transferred
• Geo-cluster – servers located at great distances from one another
Replication
• Data changes are transmitted to a counterpart storage system
• An adjunct to clustering, makes current data available to all cluster nodes
Business Continuity Management
• A management activity where analysis is performed to better understand the risks associated with potential disaster scenarios, and the steps that can be taken to reduce the impact of a disaster should one occur
Vulnerability Management
Vulnerability Management
• Penetration testing
• Application scanning
• Patch management
• Code reviews
Penetration Testing
• A scan of many or all TCP / IP “ports” on one or more target systems
– Followed by locating and exploiting vulnerabilities
• Mimics the actions of a hacker who scans a system or network for active, exploitable ports and services
Application Scanning
• The process of performing security tests on an application (usually, but not always, a web-based application) in order to find vulnerabilities in the application code itself
The ‘new’ OWASP Top Ten (2010 rc1)
http://www.owasp.org/index.php/Top_10
Code Reviews
• Manual and automated inspections of software source code
– Examine and validate approved changes
– Detection of inappropriate changes, unsafe code, security issues
Patch Management
• The process – usually assisted with management tools – to manage the installation of patches on target systems
• Reduces risks associated with malware and hacking attacks that exploit weaknesses
– Don't just put on all available patches
– Analyze and test them first and only put on the ones that pass a risk analysis
Change Management
Change Management
• Prepare the change
• Circulate and review the change
• Discuss and agree to the change
• Perform the change
• Recordkeeping
Configuration Management
Configuration Management
• Configuration of hardware, software components
• Configuration management database (CMDB)
• Automated tools
Operations Attacks and Countermeasures
Attacks on Operations
• Social engineering
• Sabotage
• Theft and Disappearance
• Extortion
• Bypass
– Circumventing security measures
• Denial of service