The CISSP Prep Guide Chapter 6 - PowerPoint PPT Presentation

About This Presentation
Title: The CISSP Prep Guide Chapter 6

Description: The CISSP Prep Guide: Mastering the Ten Domains of Computer Security ... Violation processing using clipping levels. Auditing. Security Auditing. Backup Controls ... (PowerPoint PPT presentation)

Slides: 33
Provided by: sbc78

Transcript and Presenter's Notes

1
The CISSP Prep Guide: Chapter 6
  • Operations Security
  • The CISSP Prep Guide: Mastering the Ten Domains of
    Computer Security, by Ronald L. Krutz and Russell
    Dean Vines (August 24, 2001), John Wiley & Sons.
    ISBN 0471413569

2
Topics in Chapter
  • Controls and Protections
  • Monitoring and Auditing
  • Threats and Vulnerabilities

3
Domain Definition
  • Threat
    • An event that could cause harm by violating
      security
  • Vulnerability
    • A weakness in a system that enables security to be
      violated
  • Asset
    • Anything that is a computing resource or ability,
      such as hardware, software, data, and personnel

4
Categories of Controls
  • Preventative Controls
  • Detective Controls
  • Corrective Controls
  • Also: Deterrent, Application, Transaction, Input,
    Processing, Output, Change, and Test Controls

5
Orange Book Controls
  • Operational Assurance
    • System Architecture
    • System Integrity
    • Covert Channel Analysis
    • Trusted Facility Management
    • Trusted Recovery
  • Life Cycle Assurance
    • Security Testing
    • Design Specification and Testing (the TCSEC's own
      term is Design Specification and Verification)
    • Configuration Management
    • Trusted Distribution

6
Covert Channel Analysis
  • A covert channel is an information path that is not
    normally used for communication within a system and
    is therefore not protected by the system's normal
    security mechanisms
  • Covert Storage Channel: one process writes a shared
    storage attribute (a lock, a file attribute, free
    disk space) that another process can read
  • Covert Timing Channel: one process modulates its use
    of a shared resource (CPU time, for instance) so that
    another process can observe the variation in timing
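
Added example, not from the slides or the book: a Python simulation of both channel types. A High subject holds a secret that policy forbids it from writing to a Low subject; the shared lock and shared clock are hypothetical resources standing in for any state both subjects may legitimately observe. The last run shows one countermeasure, padding every job to a fixed scheduling quantum so that Low can no longer distinguish fast from slow jobs, which reduces the timing channel's bandwidth to zero.

```python
"""Simulation of the two covert-channel types named on the slide.

A High subject (sender) holds a secret that the system's policy forbids it
from writing to a Low subject (receiver). Both may legitimately observe a
shared lock and a shared clock. Neither resource is meant to carry data, so
the normal access-control checks never see the transfer.
"""


class SharedSystem:
    """Shared state that both subjects are allowed to read (hypothetical)."""

    def __init__(self, quantum=None):
        self.lock_held = False   # storage channel: the lock is held or free
        self.clock = 0           # timing channel: a monotonic tick counter
        self.quantum = quantum   # countermeasure: pad every job to a fixed slot

    def is_locked(self):
        return self.lock_held

    def run(self, units):
        """Consume CPU time, advancing the shared clock by 'units' ticks.
        With a quantum set, every job is padded to a whole slot."""
        if self.quantum:
            units = -(-units // self.quantum) * self.quantum  # round up
        self.clock += units


def bits_of(data):
    """Yield the bits of 'data', most significant bit first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def bytes_from(bits):
    """Pack a list of bits back into bytes, dropping any partial byte."""
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - len(bits) % 8, 8))


def storage_channel(system, secret):
    """High sets the lock to each bit value; Low samples it once per slot."""
    received = []
    for bit in bits_of(secret):
        system.lock_held = bool(bit)                      # High writes
        received.append(1 if system.is_locked() else 0)   # Low reads
    system.lock_held = False
    return bytes_from(received)


def timing_channel(system, secret, slow=8, fast=1, threshold=4):
    """High burns more CPU for a 1 than for a 0; Low times each slot."""
    received = []
    for bit in bits_of(secret):
        start = system.clock
        system.run(slow if bit else fast)                 # High modulates
        elapsed = system.clock - start                    # Low observes
        received.append(1 if elapsed >= threshold else 0)
    return bytes_from(received)


if __name__ == "__main__":
    secret = b"OK"  # constructed sample secret
    print(storage_channel(SharedSystem(), secret))           # b'OK'
    print(timing_channel(SharedSystem(), secret))            # b'OK'
    # Padding every job to an 8-tick slot makes fast and slow jobs look
    # alike, so Low reads nothing but ones: the channel's bandwidth is zero.
    print(timing_channel(SharedSystem(quantum=8), secret))   # b'\xff\xff'
```

Note that nothing in either transfer touches an object Low is forbidden to read, which is why covert channel analysis is an assurance activity (examining the design for shared state) rather than an access-control check.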

7
Trusted Facility Management
  • Separation of Duties
  • The Principle of Least Privilege
  • Rotation of Duties
  • Roles: System Administrator, Security Administrator
    or ISSO, and Enhanced Operator Function
  • Concept of Two-man Control
    • Two operators review and approve each other's work
  • Concept of Dual Control
    • Both operators are needed to complete a sensitive
      task
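
Added example, not from the slides or the book: the two controls written as executable gates. The OPERATORS directory and the role names are constructed for the illustration; the roles follow the slide's system administrator and security administrator (ISSO). Dual control requires a part from one operator of each role, so neither a single person nor two people of the same role can complete the task; two-man control lets one operator do the work but refuses self-approval.

```python
"""Dual control and two-man control as executable gates.

OPERATORS is a constructed sample directory mapping operator -> role.
"""

OPERATORS = {
    "alice": "system_admin",
    "bob": "security_admin",
    "carol": "system_admin",
}


class ControlViolation(Exception):
    """Raised when an action would defeat the control."""


class DualControlTask:
    """A sensitive task (say, loading a master key) that runs only after one
    operator from each required role has supplied their part. One person
    supplying both parts, or two people from the same role, is rejected."""

    def __init__(self, name, required_roles=("system_admin", "security_admin")):
        self.name = name
        self.required_roles = set(required_roles)
        self.parts = {}   # role -> operator who supplied that part

    def present(self, operator):
        role = OPERATORS.get(operator)
        if role not in self.required_roles:
            raise ControlViolation(f"{operator} holds no role required for {self.name}")
        if operator in self.parts.values():
            raise ControlViolation(f"{operator} may not supply a second part")
        if role in self.parts:
            raise ControlViolation(f"role {role} already represented by {self.parts[role]}")
        self.parts[role] = operator

    def execute(self):
        missing = self.required_roles - set(self.parts)
        if missing:
            raise ControlViolation(f"{self.name} blocked: no part from {sorted(missing)}")
        return f"{self.name} executed by {sorted(self.parts.values())}"


class TwoManReview:
    """Work done by one operator takes effect only after a different
    operator has reviewed and approved it."""

    def __init__(self, description, author):
        if author not in OPERATORS:
            raise ControlViolation(f"unknown operator {author}")
        self.description = description
        self.author = author
        self.reviewer = None

    def approve(self, reviewer):
        if reviewer not in OPERATORS:
            raise ControlViolation(f"unknown operator {reviewer}")
        if reviewer == self.author:
            raise ControlViolation("an operator may not approve their own work")
        self.reviewer = reviewer
        return True

    @property
    def effective(self):
        return self.reviewer is not None


def violates(action, *args):
    """True if 'action(*args)' is stopped by one of the controls above."""
    try:
        action(*args)
    except ControlViolation:
        return True
    return False


if __name__ == "__main__":
    task = DualControlTask("load master key")
    task.present("alice")                     # system administrator's part
    print(violates(task.present, "carol"))    # True: same role twice
    print(violates(task.execute))             # True: security admin missing
    task.present("bob")
    print(task.execute())                     # load master key executed by ['alice', 'bob']

    change = TwoManReview("edit audit configuration", author="alice")
    print(violates(change.approve, "alice"))  # True: self-approval refused
    change.approve("bob")
    print(change.effective)                   # True
```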

8
Trusted Recovery
  • Two primary activities for trusted recovery:
    • Preparing for system failure
    • Recovering the system
  • Recovery types:
    • Manual recovery
    • Automated recovery
    • Automated recovery without undue loss

9
Configuration/Change Management
  • Configuration Management is a requirement for B2, B3
    and A1 systems
  • Goals:
    • To ensure the change is implemented in an orderly
      manner through formalized testing
    • To ensure the user base is informed of the
      impending change
    • To analyze the effect of the change on the system
      after implementation
    • To reduce the negative impact the change may have
      on the computing services and resources

10
Configuration/Change Management
  • Steps:
    • Applying to introduce a change
    • Cataloging the intended change
    • Scheduling the change
    • Implementing the change
    • Reporting the change to the appropriate parties

11
Administrative Controls
  • Personnel Security
  • Employment Screening or Background Checks
  • Mandatory vacation taken in one-week increments, so
    the operator's account and activity can be audited
    while they are away
  • Separation of Duties and Responsibilities
  • Least Privilege
  • Need to Know
  • Change/Configuration Management Controls
  • Record Retention and Documentation

12
Operations Job Function Overview
  • Computer Operator
  • Operations Analyst
  • Job Control Analyst
  • Production Scheduler
  • Production Control Analyst
  • Tape Librarian

13
Record Retention
  • Data Remanence
    • Data left on the media after the media has been
      erased
  • Due Care and Due Diligence
    • Versus negligence
  • Documentation
    • Security plans, contingency plans, risk analysis,
      security policies and procedures
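
Added example, not from the slides or the book: a simulation of data remanence and of the data scavenging attack that exploits it (the attack is named later under Vulnerabilities). The toy block device, its 16-byte blocks and the sample configuration file are constructed for the illustration; real filesystems differ in detail but share the behaviour shown, that an ordinary delete frees a file's blocks without touching the bytes in them, so the data stays readable on the raw medium until something overwrites it.

```python
"""Data remanence on a toy block device, and the data scavenging attack
that exploits it. Everything here is constructed for the illustration.
"""

BLOCK = 16


class Disk:
    """Block device with a directory (name -> block list) and a free list."""

    def __init__(self, blocks=8):
        self.media = bytearray(blocks * BLOCK)  # what a forensic tool reads
        self.free = list(range(blocks))
        self.dir = {}

    def write(self, name, data):
        chunks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
        if len(chunks) > len(self.free):
            raise OSError("disk full")
        blocks = [self.free.pop(0) for _ in chunks]
        for b, chunk in zip(blocks, chunks):
            self.media[b * BLOCK:(b + 1) * BLOCK] = chunk.ljust(BLOCK, b"\0")
        self.dir[name] = blocks

    def read(self, name):
        return b"".join(bytes(self.media[b * BLOCK:(b + 1) * BLOCK])
                        for b in self.dir[name]).rstrip(b"\0")

    def delete(self, name):
        """Ordinary delete: drop the entry, return the blocks to the free
        list, leave every byte in place. This is the source of remanence."""
        self.free.extend(self.dir.pop(name))

    def sanitize_delete(self, name, passes=(b"\xff", b"\x00", b"\x55")):
        """Overwrite the file's blocks with each pattern before freeing them."""
        for fill in passes:
            for b in self.dir[name]:
                self.media[b * BLOCK:(b + 1) * BLOCK] = fill * BLOCK
        self.delete(name)


def scavenge(disk, marker):
    """Data scavenging: ignore the directory and search the raw medium for
    a marker such as the 'password=' key of a deleted configuration file.
    Returns the bytes from the marker up to the next NUL, or None."""
    start = disk.media.find(marker)
    if start < 0:
        return None
    end = disk.media.find(b"\0", start)
    return bytes(disk.media[start:end if end >= 0 else len(disk.media)])


if __name__ == "__main__":
    disk = Disk()
    disk.write("app.conf", b"password=hunter2")   # constructed sample secret
    disk.delete("app.conf")
    print("app.conf" in disk.dir)                 # False: the file is 'gone'
    print(scavenge(disk, b"password="))           # b'password=hunter2'

    disk = Disk()
    disk.write("app.conf", b"password=hunter2")
    disk.sanitize_delete("app.conf")
    print(scavenge(disk, b"password="))           # None
```

The same scan applies to swap space, slack at the end of a file's last block, and decommissioned drives, which is why media disposal belongs under record retention rather than being left to whoever deletes the file.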

14
Operations Controls
  • Resource Protection
  • Hardware Controls
  • Software Controls
  • Privileged-entity Controls
  • Media Controls
  • Physical Access Controls

15
Resource Protection
  • Hardware Resources
    • Communications, including routers, firewalls,
      gateways, switches, modems, and access servers
    • Storage media: floppies, removable drives,
      external hard drives, tapes, and cartridges
    • Processing systems: file servers, mail servers,
      Internet servers, backup servers, and tape drives
    • Standalone computers and peripherals
    • Printers and fax machines

16
Resource Protection
  • Software Resources
    • Program libraries and source code
    • Vendor software or proprietary packages
    • Operating system software and system utilities

17
Data Resources
  • Backup Data
  • User data files
  • Password files
  • Operating Data Directories
  • System logs and audit trails

18
Hardware Controls
  • Hardware Maintenance
  • Maintenance Accounts
  • Diagnostic Port Control
  • Hardware Physical Control

19
Software Controls
  • Anti-Virus Management
  • Software Testing
  • Software Utilities
  • Safe Software Storage
  • Backup Controls

20
Privileged Entity Control
  • Special Access to System Commands
  • Access to Special Parameters
  • Access to the System Control Program

21
Media Resource Protection
  • Media Security Controls
    • Logging
    • Access Control
    • Proper Disposal
  • Media Viability Controls
    • Marking
    • Handling
    • Storage

22
Physical Access Controls
  • Hardware
    • Control of communications and the computing
      equipment
    • Control of the storage media
    • Control of the printed logs and reports
  • Software
    • Control of the backup files
    • Control of the system logs
    • Control of the production applications
    • Control of the sensitive/critical data

23
Physical Access Controls
  • IT department personnel
  • Cleaning staff
  • Heating ventilation and Air Conditioning (HVAC)
    maintenance personnel
  • Third-party service contract personnel
  • Consultants, contractors, and temporary staff

24
Monitoring and Auditing
  • Monitoring Techniques
    • Intrusion Detection
    • Penetration testing
    • Scanning and Probing
    • Demon dialing (or war dialing)
    • Sniffing
    • Dumpster Diving and Social Engineering
    • Violation processing using clipping levels

25
Auditing
  • Security Auditing should examine:
    • Backup Controls
    • System and Transaction Controls
    • Data library procedures
    • Systems development standards
    • Data Center security
    • Contingency plans

26
Audit Trails
  • An audit trail should record, for each transaction:
    • The transaction's date and time
    • Who processed the transaction
    • At which terminal the transaction was processed
    • Security events relating to the transaction
  • It should also make visible:
    • Amendments to production jobs
    • Production job reruns
    • Computer operator practices
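
Added example, not from the slides or the book: violation processing with a clipping level (the technique named on the Monitoring slide) run over an audit trail whose records carry the fields listed above: timestamp, who, which terminal, and the security event. The AUDIT_TRAIL records, the field separator and the event names are constructed for the illustration. The clipping level is the number of violations a user may accumulate inside the window before the activity is escalated; counts at or below it are treated as ordinary user error and stay in the log without an alert.

```python
"""Violation processing with a clipping level, run over an audit trail.

AUDIT_TRAIL is a constructed sample: <timestamp>|<user>|<terminal>|<event>.
"""

from collections import defaultdict, deque
from datetime import datetime, timedelta

AUDIT_TRAIL = """\
2001-08-24T09:00:01|jsmith|TTY07|LOGIN_FAIL
2001-08-24T09:00:05|jsmith|TTY07|LOGIN_FAIL
2001-08-24T09:00:09|jsmith|TTY07|LOGIN_FAIL
2001-08-24T09:00:12|jsmith|TTY07|LOGIN_OK
2001-08-24T09:10:00|operator1|CONSOLE|LOGIN_FAIL
2001-08-24T09:10:02|operator1|CONSOLE|LOGIN_FAIL
2001-08-24T09:10:04|operator1|CONSOLE|LOGIN_FAIL
2001-08-24T09:10:06|operator1|CONSOLE|LOGIN_FAIL
2001-08-24T09:10:08|operator1|CONSOLE|LOGIN_FAIL
2001-08-24T09:10:10|operator1|CONSOLE|LOGIN_FAIL
2001-08-24T11:30:00|mlee|TTY02|LOGIN_FAIL
2001-08-24T14:45:00|mlee|TTY02|LOGIN_FAIL
2001-08-24T14:45:30|mlee|TTY02|PRIV_CMD_DENIED
"""

VIOLATIONS = ("LOGIN_FAIL", "PRIV_CMD_DENIED")   # events that count


def parse(trail):
    """Yield (timestamp, user, terminal, event) for each audit record."""
    for line in trail.splitlines():
        ts, user, terminal, event = line.split("|")
        yield datetime.fromisoformat(ts), user, terminal, event


def process_violations(trail, clipping_level=5, window=timedelta(minutes=10)):
    """Escalate each user whose violations inside any sliding 'window'
    exceed clipping_level. Counts at or below the level are ordinary user
    error: still logged, not escalated. One report per user."""
    recent = defaultdict(deque)   # user -> (timestamp, terminal) in window
    escalated = set()
    reports = []
    for ts, user, terminal, event in parse(trail):
        if event not in VIOLATIONS:
            continue
        q = recent[user]
        q.append((ts, terminal))
        while ts - q[0][0] > window:      # slide the window forward
            q.popleft()
        if len(q) > clipping_level and user not in escalated:
            escalated.add(user)
            reports.append({
                "user": user,
                "terminal": terminal,
                "count": len(q),
                "first": q[0][0].isoformat(),
                "last": ts.isoformat(),
            })
    return reports


if __name__ == "__main__":
    for report in process_violations(AUDIT_TRAIL):
        print(report)   # one escalation: operator1 at CONSOLE, 6 failures in 10 s
```

With the default level of 5, jsmith's three failures followed by a successful login are left alone, while operator1's six failures at the console are escalated with the terminal and the time span that the audit trail fields make available. Lowering the level to 2 escalates jsmith too, which is the tuning trade-off: a low level buries the reviewer in user typos, a high one lets a patient attacker stay under it.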

27
Problem Management Concepts
  • To reduce failures to a manageable level
  • To prevent the occurrence or re-occurrence of a
    problem
  • To mitigate the negative impact of problems on
    computing services and resources

28
Problem Management
  • The performance and availability of computing
    resources and services
  • The system and networking infrastructure
  • Procedures and transactions
  • The safety and security of personnel

29
Threats and Vulnerabilities
  • Threats
    • Accidental Loss
    • Inappropriate Activities
    • Inappropriate Content
    • Waste of Corporate Resources
    • Sexual or Racial Harassment
    • Abuse of Privileges or Rights

30
Illegal Computer Operations and Intentional Attacks
  • Eavesdropping
  • Fraud
  • Theft
  • Sabotage
  • External Attacks

31
Vulnerabilities
  • Traffic Analysis or Trend Analysis
    • Countermeasures
      • Padding messages to make them all a uniform size
      • Sending noise (cover traffic)
      • Covert Channel Analysis
  • Maintenance Accounts
  • Data Scavenging Attacks
  • IPL (Initial Program Load) Vulnerability
  • Network Address Hijacking
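
Added example, not from the slides or the book: the two traffic-analysis countermeasures listed above, padding to a uniform size and sending noise, as a small framing layer. FRAME, the two-byte length header, the tick-based schedule and the sample payloads are constructed for the illustration. Each frame built here is the unit that would then be encrypted; an observer of the link therefore sees only equal-sized ciphertexts arriving at a constant rate, whether or not anything is being said.

```python
"""Countermeasures to traffic analysis: fixed-size frames and cover traffic.

FRAME, HEADER and the sample payloads are constructed for the illustration.
"""

import os
import struct

FRAME = 64    # every frame on the link is exactly this many bytes
HEADER = 2    # big-endian payload length


def pad(payload):
    """Length prefix, payload, random fill: one fixed-size frame."""
    if len(payload) > FRAME - HEADER:
        raise ValueError("payload does not fit in one frame")
    fill = os.urandom(FRAME - HEADER - len(payload))
    return struct.pack(">H", len(payload)) + payload + fill


def unpad(frame):
    """Recover the payload, rejecting truncated or tampered frames."""
    if len(frame) != FRAME:
        raise ValueError(f"frame must be exactly {FRAME} bytes")
    (n,) = struct.unpack(">H", frame[:HEADER])
    if n > FRAME - HEADER:
        raise ValueError("length field out of range")
    return frame[HEADER:HEADER + n]


def cover_traffic(schedule):
    """Emit exactly one frame per tick. 'schedule' maps tick -> payload; a
    tick with nothing to send carries a zero-length noise frame, so busy
    and idle periods look the same to an observer."""
    last = max(schedule) if schedule else -1
    return [pad(schedule.get(t, b"")) for t in range(last + 1)]


def observer_view(frames):
    """All a traffic analyst gets from the link: one size per frame."""
    return [len(f) for f in frames]


if __name__ == "__main__":
    messages = {0: b"ATTACK AT DAWN", 3: b"ack"}   # constructed sample
    # Without countermeasures the sizes (14 and 3) and the gap (ticks 1-2) leak.
    print(observer_view(list(messages.values())))   # [14, 3]
    frames = cover_traffic(messages)
    print(observer_view(frames))                    # [64, 64, 64, 64]
    print([unpad(f) for f in frames])               # [b'ATTACK AT DAWN', b'', b'', b'ack']
```

The cost is bandwidth: every frame costs 64 bytes on the wire regardless of content, and the link is never idle. That is the trade the slide's countermeasures make, hiding message sizes and timing from an eavesdropper who cannot read the content.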
