Operations Security - PowerPoint PPT Presentation

About This Presentation
Title:

Operations Security

Description:

Title: Operations Security Principles, Techniques, and Mechanisms Presented by Rino Granito VILLANOVA Author: workstation Last modified by: abdullfa – PowerPoint PPT presentation

Slides: 57
Provided by: work218

Transcript and Presenter's Notes

Title: Operations Security


1
Operations Security
2
Operations Security
  • Operations security pertains to everything needed
    to keep a network, computer systems, applications
    and environment up and running in a secure and
    protected manner
  • Main goal: to protect the company's resources

3
CIA
  • Confidentiality
  • Controls that affect the sensitivity and secrecy
    of information
  • Integrity
  • Controls implementation quality
  • Affects the data's accuracy and authenticity
  • Availability
  • Controls that affect the level of fault tolerance
  • Ability to recover from failure

4
Controls and Protections
  • Controls that protect assets (hardware, software,
    and media) from:
  • Threats in an operating environment
  • Internal and external intruders
  • Operators accessing resources inappropriately
  • Root access to systems in an organization

5
Types of Controls
  • Preventive controls
  • Reduce the impact of unintentional errors
    entering the system
  • Prevent unauthorized intruders from accessing the
    system either internally or externally

6
Types of Controls
  • Detective controls
  • Detect an error once it has occurred
  • Corrective controls
  • Mitigate the impact of a loss through data
    recovery procedures

7
Types of Controls
  • Deterrent controls
  • Message for unauthorized data access, logins
  • Application controls
  • Transaction controls
  • Input controls
  • Processing controls
  • Output controls
  • Change controls
  • Test controls

8
Security Controls
  • Security controls come from
  • From the Orange Book - Trusted Computer Security
    Evaluation Criteria (TCSEC)
  • Superseded by Common Criteria
  • http://csrc.nist.gov/cc/
  • http://www.commoncriteriaportal.org/

9
Dual Control
  • Two or more people or systems to complete a task
  • Typical administrator and privileged operator
    tasks
  • Installing system software
  • Startup and shutdown of system
  • Performing backups and recovery
  • Adding and removing system users
  • Handling printers and managing print queues

10
Dual Control
  • Security operator will set up the account
  • Security administrator will
  • Set user clearances, initial passwords, access
    rights
  • Change security profiles for existing users
  • Set security characteristics of devices and
    communication channels
  • Set or change file sensitivity labels
  • Review audit data

11
Trusted Recovery
  • Failure preparation mode
  • Backing up all critical files on a regular
    schedule
  • System recovery
  • Rebooting into single user mode
  • Recovering all previously active file systems
  • Restoring missing or damaged files from recent
    backups
  • Recovering security characteristics (labels)
  • Validating security critical files
  • System recovery policies developed during the
    days of mainframes. Most apply to distributed
    systems.

12
Covert Channels
  • Information path -
  • Not used in normal operations
  • Not protected by security mechanisms
  • E.g. retrieving information about a system's usage
    based on its power usage
  • Covert timing channels
  • Convey information by altering the timing of a
    system resource
  • Applicable to old mainframes.

13
Operations Security
  • Principles and Practices of Good Security

14
Operations Security
  • For operations security, the critical items are:
  • Due Care - Doing the right thing!
  • Due Diligence - Continuing to do the right thing!

15
Operations Security
  • Includes
  • Administrative management
  • Product evaluation and operational assurance
  • Change configuration management
  • Keep track of the changes made
  • Trusted recovery states
  • Threats to operational security

16
Administrative Management
  • Separation of duties
  • Ensures that one person cannot compromise the
    organization's security
  • Job rotation
  • More than one person fulfills the task or
    position; distributes responsibility
  • Least privilege
  • Provides access to just enough information to
    perform the task at hand
  • Bare minimum to do the job
  • Ensures integrity
  • Need-to-know: ensures confidentiality, similar to
    military classifications
  • Top secret
  • Secret
  • Sensitive
  • Mandatory vacations
  • To keep individuals from hiding their actions,
    e.g. salami slicing

17
Accountability
  • Users must be accountable for their actions
  • Controls
  • Potential damage to the organization
  • Responsibility
  • Maintained by
  • Audit logs

18
Security Operations and Product Evaluation
  • Operational assurance
  • Life cycle assurance
  • Company responsibilities after product is
    implemented
  • Clipping levels
  • Resource access

19
Operational Assurance
  • Guarantees that equipment will function as stated
  • Design
  • Monitoring
  • Auditing
  • Controlled Access
  • Recovery

20
Life Cycle Assurance
  • Guarantees that equipment
  • Was designed
  • Will operate
  • Will be updated ...
  • ... in a controlled, known manner
  • If there was a change made, we know
  • Who
  • When
  • Why

21
Clipping Levels
  • Tolerance level set to trigger a problem
  • Set clipping levels for
  • Passwords
  • Logins
  • Violations
  • Behavior
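
An added example, not part of the original slides: a clipping level applied to failed logins. The log format, the threshold of 3 failures in 5 minutes, and the rule that a successful login resets the count are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (timestamp, user, outcome); not from a real system.
SAMPLE_LOG = """\
2024-05-01T09:00:05 alice LOGIN_FAIL
2024-05-01T09:00:40 alice LOGIN_OK
2024-05-01T09:01:00 bob LOGIN_FAIL
2024-05-01T09:01:10 bob LOGIN_FAIL
2024-05-01T09:01:20 bob LOGIN_FAIL
2024-05-01T09:01:30 bob LOGIN_FAIL
2024-05-01T09:30:00 carol LOGIN_FAIL
2024-05-01T09:50:00 carol LOGIN_FAIL
2024-05-01T10:10:00 carol LOGIN_FAIL
2024-05-01T10:30:00 carol LOGIN_FAIL
"""

def exceeded_clipping_level(log_text, clipping_level=3, window=timedelta(minutes=5)):
    """Return [(user, timestamp)] for each failed login that pushes a user's
    failure count inside `window` above `clipping_level`."""
    recent = defaultdict(deque)   # user -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue              # skip malformed lines instead of crashing
        stamp, user, outcome = parts
        when = datetime.fromisoformat(stamp)
        fails = recent[user]
        if outcome == "LOGIN_OK":
            fails.clear()         # assumed policy: a success resets the count
            continue
        if outcome != "LOGIN_FAIL":
            continue
        fails.append(when)
        while when - fails[0] > window:
            fails.popleft()       # drop failures that aged out of the window
        if len(fails) > clipping_level:
            alerts.append((user, stamp))
    return alerts
```

Activity below the clipping level (alice's single mistyped password, carol's failures spread over an hour) is tolerated as normal error; only bob's burst is reported.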

22
Resource Access
  • What is needed vs. what is requested or preferred
  • Control access to resources by -
  • Discretionary access control (DAC)
  • Mandatory access control (MAC)
  • Role-based access control

23
Change Management
  • Applies to
  • Hardware
  • Software
  • Firmware
  • Change control documentation
  • New hardware
  • New applications
  • Different configurations
  • Patches
  • Policies, procedures, and standards

24
Change Management
  • Steps in a Change management program
  • Request change
  • Approve change
  • Document change
  • Test change
  • Implement change
  • Report and record change

25
Media Controls
  • Media should be controlled by
  • Label
  • Date
  • Storage / retention
  • Classify
  • Sanitize / destroy
  • The above steps must be implemented for all
    electronic and non-electronic media (documents,
    stick-on notes, etc.)

26
Trusted Recovery
  • 3 types
  • System reboot
  • Restart in a controlled manner
  • Emergency reboot
  • Restarts when normal procedures cannot be
    initiated
  • System cold start
  • The OS brings the system down to maintenance mode
    and operator intervention is required to complete
    the recovery

27
Resource Protection Mechanisms and Techniques
28
Data Protection
  • Data must be verified when it enters or exits a
    system
  • Controls must be used to verify validity of
  • Data
  • Email
  • Transactional information

29
Input and Output Controls
  • Controls must be placed on inputs and outputs to
    ensure their length, type, and range
  • Input controls include
  • Dollar counts
  • Transaction counts
  • Error detection and correction
  • Output controls include -
  • Validity checking
  • Authorization controls
  • Verification testing
  • Audit trails

30
E-mail attacks
  • Email is vulnerable to attack via:
  • Spoofing
  • Attackers use your e-mail address
  • Attackers use a familiar e-mail address
  • Spam
  • Used to launch DoS attacks
  • Open Mail Relays
  • Any person can send e-mail through your e-mail
    servers
  • If spammers get access, your mail server could be
    blocked by ISPs and e-mail applications

31
Spoofing
  • Email appears to have originated from one source,
    but it actually was sent from another source
  • Usually an attempt to trick the user into some
    type of activity

32
SPAM
  • Unsolicited
  • Part of a mass emailing or bulk email
  • The sender is a stranger to the recipient... the
    recipient has never had willful, personal contact
    with the sender

33
Open Mail Relays
  • Occurs when mail is forwarded from someone else
    through the user's mail server
  • Forwarding e-mail is an acceptable event if
    either the originator or the receiver is a local
    user
  • Servers that allow third party mail relays are
    spammer favorites
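
An added example, not part of the original slides: the relay rule above expressed as a mail server's accept/reject decision, with a weak policy beside a hardened one. The domain, network range, function names and sample envelopes are hypothetical.

```python
import ipaddress

# Assumed site configuration (hypothetical values for this example).
LOCAL_DOMAINS = {"example.com"}
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def domain_of(address):
    """Lower-cased domain part of an envelope address ('' if none)."""
    return address.rpartition("@")[2].lower() if "@" in address else ""

def naive_relay_decision(mail_from, rcpt_to):
    """Weak policy: 'originator is local' is judged by MAIL FROM, which the
    client chooses freely, so anyone claiming a local sender may relay."""
    if domain_of(rcpt_to) in LOCAL_DOMAINS or domain_of(mail_from) in LOCAL_DOMAINS:
        return "accept"
    return "reject"

def relay_decision(client_ip, authenticated, mail_from, rcpt_to):
    """Hardened policy: the originator counts as local only if the session
    is authenticated or comes from a trusted network. mail_from is
    deliberately ignored when making the decision."""
    if domain_of(rcpt_to) in LOCAL_DOMAINS:
        return "accept"                      # inbound mail for a local user
    addr = ipaddress.ip_address(client_ip)
    if authenticated or any(addr in net for net in TRUSTED_NETS):
        return "accept"                      # outbound mail from a local user
    return "reject"                          # third-party relay attempt

# Constructed SMTP envelopes: (client_ip, authenticated, MAIL FROM, RCPT TO)
SAMPLE_SESSIONS = [
    ("203.0.113.7", False, "ceo@example.com", "victim@other.test"),  # forged sender
    ("203.0.113.7", False, "peer@other.test", "alice@example.com"),  # inbound
    ("10.1.2.3", False, "alice@example.com", "bob@other.test"),      # internal host
    ("198.51.100.9", True, "alice@example.com", "bob@other.test"),   # authenticated
]

def evaluate(sessions):
    """Return (naive, hardened) decisions for each sample session."""
    return [(naive_relay_decision(m, r), relay_decision(ip, auth, m, r))
            for ip, auth, m, r in sessions]
```

Only the first envelope differs between the two policies: the weak one relays it because the sender address claims a local domain, the hardened one rejects it.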

34
Other Ways to Attack Email
  • Attackers "bounce" an email through the targeted
    network's mail systems
  • Reveals-
  • Each hop along the way
  • Valid IP addresses
  • Type of email server
  • Accomplished by -
  • Connecting to an email server
  • Sending an e-mail to an invalid address

35
Electronic Mail Security
  • PGP
  • S/MIME
  • SSL (web-based mail)

36
PGP
  • Pretty Good Privacy (PGP)
  • A software package originally developed by
    Philip Zimmermann
  • Provides -
  • Cryptographic routines for emails
  • File storage applications
  • Works off a public / private key system

37
S/MIME
  • Does the same thing as PGP for end users
  • Uses a different algorithm and process
  • Both provide end-to-end security for email and
    file transfer

38
SSL
  • Secure Sockets Layer (SSL)
  • A protocol developed by Netscape for transmitting
    private documents via the Internet
  • Functions using a private key to encrypt data
    that is transferred over the SSL connection

39
Fax Security
  • Faxes stored in unsecured bins
  • Fax servers
  • Logging and auditing
  • Fax encryptor
  • Allows end-to-end encryptors

40
Phreakers
  • Individuals that hack phone systems for fun and
    free calls
  • PBX and business phone systems are still
    vulnerable today
  • Misconfigured systems allow phreakers to make
    thousands of dollars in free calls
  • Most organizations discover phreaking only after
    the phone bill is delivered.

41
Attacks and Prevention Methods
42
Malicious Hacker Attack Methodology
  • Reconnaissance
  • Corporate websites, job websites
  • Scanning
  • Networks
  • Hosts
  • Gaining access
  • Denial of Service
  • Maintaining access
  • Upload / alter / download programs or data
  • Covering tracks
  • Some evidence is always left behind

43
Reconnaissance
  • The preparatory phase
  • Occurs prior to launching an attack
  • Attacker seeks to gather as much information as
    possible about a target
  • Social Engineering

44
Scanning
  • The second pre-attack phase
  • Hacker scans the network with specific
    information gathered during reconnaissance, using:
  • War dialers
  • Port scanners
  • Ping sweeping
  • Network mapping tool
  • Vulnerability assessment scanners
  • Wireless detectors

45
Gaining Access
  • First true attack phase
  • Hacker exploits the system to gain entry through:
  • Open service
  • Vulnerability
  • Buffer overflow
  • System misconfiguration
  • Blank password

46
Maintaining Access
  • Hacker attempts to retain ownership of the system
    through -
  • Backdoor planting
  • Password cracking
  • Root kit planting

47
Covering Tracks
  • Activities hackers undertake to extend their stay
    on the system without being detected
  • Their goals -
  • To continue using the system's resources
  • To remove evidence of their activities
  • To avoid legal action

48
Penetration Testing
  • The art of self assessment
  • Do penetration testing to find
  • What can the hacker see on the targeted system?
  • What can a hacker do with that information?
  • Do the administrators notice the penetration
    testers' attempts or success?

49
Hacking Tools
  • Security professionals can use hacking tools to
    verify their network's defenses
  • OS fingerprinting
  • Scanners
  • Sniffers
  • Hijacking
  • Password cracking
  • Backdoors
  • Vulnerability assessments

50
OS Fingerprinting
  • Determines the OS of the targeted system
  • Various OS vendors implement the TCP stack
    differently
  • Programs like NMAP -
  • Send specially crafted packets to a remote OS
  • Compare the response to a database
  • Determine the OS

51
Scanners
  • Scanning tools look for systems and services that
    respond.

52
Hijacking
  • Session hijacking involves intercepting an
    in-progress session with the objective of either
    snooping on it in real time or taking control of
    it

53
Password Cracking
  • Theft methods include
  • Physical access
  • Logical access
  • Tapping the wire
  • Password Cracking tools include -
  • L0PHTCRACK
  • John the Ripper
  • PalmCrack
  • Crack 5
  • Pocket PC Software

54
Password Cracking Types
  • Dictionary attack
  • Brute force attack
  • Hybrid attack

55
Backdoors
  • Enable complete control of a compromised system
  • Sniff passwords and login IDs
  • Perform reconnaissance activity communication
  • Spy on user activity, keystroke by keystroke
  • Control software
  • Control hardware

56
Vulnerability Assessments
  • Should be periodically performed to ensure the
    network is secure
  • There are many individuals waiting to attack