Operations Security

Lisa M. True, CISSP

January 12, 2004

Domain 7

Operations Security

The CISSP candidate will be expected to know the resources that must be protected, the privileges that must be restricted, the control mechanisms that are available, the potential for access abuse, the appropriate controls, and the principles of good practice.

Controls and Protections

The Operations Security domain is concerned with the controls that are used to protect hardware, software, and media resources from the following:
– Threats in an operating environment
– Internal or external intruders
– Operators who are inappropriately accessing resources

Categories of Controls

• Preventative Controls – lower the amount & impact of unintentional errors

• Detective Controls – used to detect an error once it has occurred

• Corrective (or Recovery) Controls – help mitigate the impact of a loss event through data recovery procedures

Additional Control Categories

• Deterrent Controls (also called directive controls)
• Application Controls (built into software)
• Transaction Controls
– Input Controls (data is properly input)
– Processing Controls (transactions are valid, and exceptions are reprocessed)
– Output Controls (output goes only to the accounting printer)
– Change Controls (configuration management)
– Test Controls (prevent violations of confidentiality during testing)

Covert Channel Analysis

An information path that is not normally used for communication within a system and is therefore not protected by the system's security mechanisms. There are two types:

• Covert storage channels – allow the direct or indirect writing of a storage location by one process and the direct or indirect reading of it by another
• Covert timing channels – allow one process to signal information to another process by modulating its own use of system resources in such a way that the change in response time observed by the second process provides information

Separation of Duties

Typical system administrator or enhanced operator functions:
– Installing system software
– Starting up (booting) and shutting down a system
– Adding and removing system users
– Performing backups and recovery
– Handling printers and managing print queues

Typical security administrator functions:
– Setting user clearances, initial passwords, and other security characteristics for new users
– Changing security profiles for existing users
– Setting or changing file sensitivity labels
– Setting the security characteristics of devices and communications channels
– Reviewing audit data

Two Man Control – two people check each other
Rotation of Duties
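An added example, not from the slides, that turns the split above into a check: each user's granted functions are compared against the system-administrator and security-administrator groups the slides list, plus a hypothetical "toxic pair" policy, and two-man control is verified by requiring at least two holders of a function. All user names and function identifiers are constructed.

```python
# Added example (not from the slides): separation-of-duties check over role
# assignments. Function names are constructed labels for the slide's bullets.

# Functions the slides assign to the system administrator / enhanced operator.
SYSADMIN_FUNCTIONS = {
    "install_system_software", "boot_shutdown", "add_remove_users",
    "backup_recovery", "manage_print_queues",
}
# Functions the slides assign to the security administrator.
SECADMIN_FUNCTIONS = {
    "set_user_clearances", "change_security_profiles",
    "set_file_sensitivity_labels", "set_device_security", "review_audit_data",
}
# Hypothetical policy: whoever can change accounts or profiles must not also
# be the person who reviews the audit trail that records those changes.
TOXIC_PAIRS = [
    ("add_remove_users", "review_audit_data"),
    ("change_security_profiles", "review_audit_data"),
]


def sod_violations(assignments):
    """Return (user, reason) for every separation-of-duties breach.

    assignments: dict mapping user -> set of function names granted.
    """
    violations = []
    for user, funcs in assignments.items():
        if funcs & SYSADMIN_FUNCTIONS and funcs & SECADMIN_FUNCTIONS:
            violations.append((user, "holds both sysadmin and secadmin functions"))
        for a, b in TOXIC_PAIRS:
            if a in funcs and b in funcs:
                violations.append((user, f"holds toxic pair {a}/{b}"))
    return violations


def two_man_coverage(assignments, function):
    """Two-man control needs at least two distinct people able to perform a function."""
    holders = [u for u, f in assignments.items() if function in f]
    return len(holders) >= 2


# Constructed sample: carol mixes operator and security-administrator duties.
SAMPLE = {
    "alice": {"install_system_software", "boot_shutdown", "backup_recovery"},
    "bob": {"set_user_clearances", "review_audit_data"},
    "carol": {"add_remove_users", "review_audit_data"},
    "dave": {"backup_recovery"},
}

if __name__ == "__main__":
    for user, reason in sod_violations(SAMPLE):
        print(f"VIOLATION {user}: {reason}")
    print("backup_recovery covered by two people:", two_man_coverage(SAMPLE, "backup_recovery"))
```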

Trusted Recovery

• Failure Preparation (backup)
• System Recovery

– Rebooting the system into a single user mode—an operating system loaded without the security front end activated—so no other user access is enabled at this time

– Recovering all file systems that were active at the time of the system failure

– Restoring any missing or damaged files and databases from the most recent backups

– Recovering the required security characteristics, such as file security labels

– Checking security-critical files, such as the system password file

Configuration/Change Management Control

• The following are the primary functions of configuration or change control:
– To ensure that the change is implemented in an orderly manner through formalized testing
– To ensure that the user base is informed of the impending change
– To analyze the effect of the change on the system after implementation
– To reduce the negative impact the change may have had on the computing services and resources

• Five generally accepted procedures exist to implement and support the change control process:
1. Applying to introduce a change.
2. Cataloging the intended change.
3. Scheduling the change.
4. Implementing the change.
5. Reporting the change to the appropriate parties.

Administrative Controls

• Personnel Security
– Employment Screening or Background Checks
– Mandatory Taking of Vacation in One Week Increments
– Job Action Warnings or Termination

• Separation of Duties and Responsibilities
• Least Privilege
• Need to Know
• Change/Configuration Management Controls
• Record Retention and Documentation

Least Privilege

• The three basic levels of privilege are defined as follows:
– Read Only
– Read/Write
– Access Change

Due Care and Due Diligence

The concepts of due care and due diligence require that an organization engage in good business practices relative to the organization's industry.

Resource Protection

• HARDWARE RESOURCES
– Communications, which include routers, firewalls, gateways, switches, modems, and access servers
– Storage media, which include floppies, removable drives, external hard drives, tapes, and cartridges
– Processing systems, which include file servers, mail servers, Internet servers, backup servers, and tape drives
– Standalone computers, which include workstations, modems, disks, and tapes
– Printers and fax machines

• SOFTWARE RESOURCES
– Program libraries and source code
– Vendor software or proprietary packages
– Operating system software and system utilities

• DATA RESOURCES
– Backup data
– User data files
– Password files
– Operating data directories
– System logs and audit trails

Hardware Controls

• Hardware Maintenance
• Maintenance Accounts
• Diagnostic Port Control
• Hardware Physical Control
– Sensitive operator terminals and keyboards
– Media storage cabinets or rooms
– Server or communications equipment data centers
– Modem pools or telecommunication circuit rooms

Software Controls

• Anti-Virus Management

• Software Testing

• Software Utilities

• Safe Software Storage

• Backup Controls

Privileged Entity Controls

• Special access to system commands

• Access to special parameters

• Access to the system control program

Media Security Controls

• Logging

• Access Control

• Proper Disposal

Media Viability Controls

• Marking

• Handling

• Storage

Physical Access Controls

• HARDWARE
– Control of communications and the computing equipment
– Control of the storage media
– Control of the printed logs and reports

• SOFTWARE
– Control of the backup files
– Control of the system logs
– Control of the production applications
– Control of the sensitive/critical data

Monitoring Techniques

• Intrusion Detection

• Penetration Testing

• Violation processing using clipping levels
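Violation processing with a clipping level, as an added example that is not part of the slides: isolated failed logins are treated as ordinary user error and ignored, and only a user who exceeds the threshold within the time window produces a violation record for review. The log line format, the threshold of 3, and the 10-minute window are assumptions.

```python
# Added example (not from the slides): clipping-level violation processing
# over constructed login records. Format, threshold and window are assumed.

from collections import defaultdict, deque
from datetime import datetime, timedelta

CLIPPING_LEVEL = 3              # failures tolerated before a violation is raised
WINDOW = timedelta(minutes=10)  # sliding window in which failures are counted


def parse_line(line):
    """Parse 'YYYY-MM-DD HH:MM:SS user=<u> terminal=<t> result=<ok|fail>'."""
    ts_str, rest = line[:19], line[20:]
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S"), fields


def violations(lines, level=CLIPPING_LEVEL, window=WINDOW):
    """Return (user, terminal, timestamp) for each failure beyond the clipping level."""
    recent = defaultdict(deque)  # user -> timestamps of failures still inside the window
    out = []
    for line in lines:
        ts, f = parse_line(line)
        if f["result"] != "fail":
            continue
        q = recent[f["user"]]
        while q and ts - q[0] > window:  # discard failures that aged out of the window
            q.popleft()
        q.append(ts)
        if len(q) > level:
            out.append((f["user"], f["terminal"], ts))
    return out


# Constructed sample log: bob mistypes once; mallory fails four times in one
# minute and once more half an hour later (outside the window, so not counted).
SAMPLE_LOG = [
    "2004-01-12 09:00:01 user=bob terminal=tty2 result=fail",
    "2004-01-12 09:00:09 user=bob terminal=tty2 result=ok",
    "2004-01-12 09:01:00 user=mallory terminal=tty7 result=fail",
    "2004-01-12 09:01:05 user=mallory terminal=tty7 result=fail",
    "2004-01-12 09:01:11 user=mallory terminal=tty7 result=fail",
    "2004-01-12 09:01:20 user=mallory terminal=tty7 result=fail",
    "2004-01-12 09:30:00 user=mallory terminal=tty7 result=fail",
]

if __name__ == "__main__":
    for user, term, ts in violations(SAMPLE_LOG):
        print(f"CLIPPING LEVEL EXCEEDED: {user} at {term} ({ts})")
```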

Security Auditing

• Backup controls

• System and transaction controls

• Data library procedures

• Systems development standards

• Data center security

Audit Trails

• The audit logs should record the following:
– The transaction's date and time
– Who processed the transaction
– At which terminal the transaction was processed
– Various security events relating to the transaction

• In addition, an auditor should also examine the audit logs for the following:
– Amendments to production jobs
– Production job reruns
– Computer operator practices

• Other important security issues regarding the use of audit logs are as follows:
– Retention and protection of the audit media and reports when their storage is off site
– Protection against the alteration of audit or transaction logs
– Protection against the unavailability of the audit media during an event
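An added example, not from the slides, of an audit record that carries the four fields listed above and of one way to protect the log against alteration: each entry commits to the SHA-256 hash of its predecessor, so rewriting or deleting an earlier record breaks the chain at a detectable index. The field names and the chaining scheme are assumptions, not a standard audit format.

```python
# Added example (not from the slides): hash-chained audit trail whose records
# hold date/time, who, terminal and event. Field names are assumptions.

import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first record


def _digest(prev_hash, record):
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


def append_record(trail, when, who, terminal, event):
    """Append one audit entry; each entry commits to the hash of its predecessor."""
    prev_hash = trail[-1]["hash"] if trail else GENESIS
    record = {"when": when, "who": who, "terminal": terminal, "event": event}
    trail.append({**record, "prev": prev_hash, "hash": _digest(prev_hash, record)})
    return trail


def verify_trail(trail):
    """Return (ok, index): index is the first record whose chain breaks, or -1."""
    prev_hash = GENESIS
    for i, entry in enumerate(trail):
        record = {k: entry[k] for k in ("when", "who", "terminal", "event")}
        if entry["prev"] != prev_hash or entry["hash"] != _digest(prev_hash, record):
            return False, i
        prev_hash = entry["hash"]
    return True, -1


def build_sample_trail():
    """Constructed sample: a login, a production job rerun, and a logout."""
    trail = []
    append_record(trail, "2004-01-12T10:15:00", "alice", "tty1", "login")
    append_record(trail, "2004-01-12T10:16:30", "alice", "tty1", "production job rerun: PAYROLL")
    append_record(trail, "2004-01-12T10:20:00", "alice", "tty1", "logout")
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact:", verify_trail(trail))
    trail[1]["who"] = "bob"  # someone rewrites who ran the rerun
    print("after alteration:", verify_trail(trail))
```

Deleting a record is caught the same way, because the following entry's stored previous-hash no longer matches the hash of the record that now precedes it.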

Problem Management Concepts

The goal of problem management is threefold:

1. To reduce failures to a manageable level.

2. To prevent the occurrence or re-occurrence of a problem.

3. To mitigate the negative impact of problems on computing services and resources.

Threats and Vulnerabilities

• Accidental Loss
– Operator input errors and omissions
– Transaction processing errors

• Inappropriate Activities
– Inappropriate Content
– Waste of Corporate Resources
– Sexual or Racial Harassment
– Abuse of Privileges or Rights

• Illegal Computer Operations and Intentional Attacks
– Eavesdropping
– Fraud
– Theft
– Sabotage
– External Attack

Vulnerabilities

• Traffic/Trend Analysis
– Countermeasures:
• Padding messages
• Sending noise
• Covert channel analysis

• Data Scavenging

• IPL (Initial Program Load) Vulnerabilities

• Network Address Hijacking