CISSP Prep Guide Domain: Operations Security Javier Romero, GCIA CISSP January 2003



CISSP - Domain 4 - Operations Security 2

JaCkCastOficiales de Seguridad

Topics

Domain Definition
Controls and Protections
  Categories of Controls
  Orange Book Controls
    Covert Channel Analysis
    Trusted Facility Management
    Configuration/Change Management Control
  Administrative Controls
    Least Privilege
    Operations Job Function Overview
    Record Retention
    Documentation
  Operations Controls
    Resource Protection
    Hardware Controls
    Software Controls
    Privileged Entity Controls
    Media Resource Protection
    Physical Access Controls
Monitoring and Auditing
  Monitoring
    Monitoring Techniques
  Auditing
    Security Auditing
  Problem Management Concepts
Threats and Vulnerabilities
  Threats
    Accidental Loss
    Inappropriate Activities
    Illegal Computer Operations
  Vulnerabilities


1. Domain Definition

Operations security means:
- The act of understanding threats and vulnerabilities.
- Implementing security controls.

Controls can include resolving software/hardware problems.

Triples:
- Threat: an event that could cause damage.
- Vulnerability: a weakness that enables a violation.
- Asset: all resources (hardware, software, data, personnel).

CIA:
- Confidentiality, Integrity, Availability


2. Controls and Protections

Premise: protect hardware, software and media resources from:
- Threats in an operating environment.
- Internal or external intruders.
- Operators inappropriately accessing resources.

Critical aspects of operations controls:
- Resource protection (hardware control)
- Privileged-entity control


2.1. Categories of Controls

Major categories:
- Preventative Controls (before)
- Detective Controls (after)
- Corrective (or Recovery) Controls (restore)


2.1. Categories of Controls

Additional categories:
- Deterrent Controls (support others)
- Application Controls (designed for each application)
- Transaction Controls:
  - Input Controls (ensure inputs)
  - Processing Controls (check/correct process)
  - Output Controls (confidentiality/integrity)
  - Change Controls (preserve data)
  - Test Controls (during testing)


2.2. Orange Book Controls

2 types of assurance:

Operational assurance, see: basic features and architecture.
Requirements (5):
- System architecture
- System integrity
- Covert channel analysis
- Trusted facility management
- Trusted recovery

Life cycle assurance, see: controls / standards to build / to maintain a system.
Requirements (4):
- Security testing
- Design specification and testing
- Configuration management
- Trusted distribution


2.2.1. Covert Channel Analysis

Covert storage channels convey information by changing a system's stored data.
- E.g. changing the amount / patterns of free space on the HDD.
- E.g. changing characteristics of a file.

Covert timing channels convey information by altering the performance or modifying the timing of a system resource.
- E.g. using the elapsed time required by an operation.
- E.g. using the time between 2 events.

Noise and traffic generation are effective to combat covert channels.
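An added illustration, not part of the original slides, of why noise works against a timing channel and how much of it is needed: a small simulation that measures how often an observer misreads the time between two events once the system adds random delay. The gap values, the uniform jitter model and the fixed-threshold observer are all assumptions made for the example.

```python
import random

SHORT_MS, LONG_MS = 10.0, 30.0   # constructed gaps standing for bit 0 and bit 1


def observed_gaps(bits, jitter_ms, rng):
    """Gaps between two events as an observer sees them, after the system
    has added uniform random delay in [0, jitter_ms] to each one."""
    return [(LONG_MS if b else SHORT_MS) + rng.uniform(0.0, jitter_ms) for b in bits]


def decode(gaps, jitter_ms):
    """Best fixed-threshold guess: midpoint of the two nominal gaps,
    shifted by the mean of the added delay."""
    threshold = (SHORT_MS + LONG_MS) / 2 + jitter_ms / 2
    return [1 if g > threshold else 0 for g in gaps]


def bit_error_rate(jitter_ms, n_bits=4000, seed=1):
    """Fraction of bits the observer gets wrong at a given noise level."""
    rng = random.Random(seed)
    bits = [rng.randrange(2) for _ in range(n_bits)]
    guess = decode(observed_gaps(bits, jitter_ms, rng), jitter_ms)
    return sum(b != g for b, g in zip(bits, guess)) / n_bits


def jitter_sweep(levels=(0, 10, 20, 40, 80)):
    """Error rate per noise level, to pick a level that actually hurts the channel."""
    return {j: bit_error_rate(j) for j in levels}


if __name__ == "__main__":
    for level, ber in jitter_sweep().items():
        print(f"jitter {level:>2} ms -> bit error rate {ber:.3f}")
```

In this model, jitter no wider than the 20 ms separation between the two gaps leaves the channel error-free; the error rate only rises (towards 0.5 - 10/J for jitter J) once the noise is wider than the signal it is meant to hide.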


2.2.1. Covert Channel Classes

CLASS        DESCRIPTION
B2           System must protect against covert STORAGE channels. It must perform a covert channel analysis of all covert storage channels.
B3 and A1    STORAGE + TIMING: analysis of BOTH.


2.2.2. Trusted Facility Management

- Assign functions to a person (security roles).
- Just for B2 (operator and sys admin).
- Just for B3 and A1 (security admin).
- Related to:
  - Least privilege
  - Separation of duties
  - Need to know


2.2.2.1. Separation of Duties

- Also called segregation of duties.
- No single person should have total control; a person with total control can compromise the system.
- Each person works with least privilege, for a short length of time.
- A highly secure system has 3 roles: sysadmin, secadmin, ISSO.
- Roles are functionally different.
- Two-man control: 2 people review/approve each other's work.
- Dual control: 2 people are needed to complete a sensitive task.


2.2.2.1. Separation of Duties

Sys admin functions:
- Install system software
- Start/shut down a system
- Add/remove system users
- Perform backup/recovery
- Handle printers/queues

Sec admin functions:
- Set user clearance, initial password, etc.
- Change security profile for users
- Set/change file sensitivity labels
- Set security characteristics of devices/comm. channels
- Review audit data
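One way to check these rules against the grants people actually hold, as an added example that is not part of the original slides. The function identifiers paraphrase the two lists above, and the people and grants are constructed sample data; the check flags anyone whose grants span both the sys admin and sec admin lists and tests dual control and two-man control for a sensitive function.

```python
# Function names paraphrase the two lists on the slide; the identifiers are assumptions.
ROLE_FUNCTIONS = {
    "sysadmin": {"install_system_software", "start_shutdown", "add_remove_users",
                 "backup_recovery", "printer_queues"},
    "secadmin": {"set_user_clearance", "change_security_profile", "set_file_labels",
                 "set_device_security", "review_audit_data"},
}
INCOMPATIBLE = [("sysadmin", "secadmin")]


def roles_spanned(granted):
    """Roles whose function list overlaps what one person has actually been granted."""
    return {role for role, funcs in ROLE_FUNCTIONS.items() if funcs & granted}


def sod_violations(grants):
    """Map each person who spans incompatible roles to the grants that cause it."""
    found = {}
    for person, granted in grants.items():
        spanned = roles_spanned(granted)
        for a, b in INCOMPATIBLE:
            if a in spanned and b in spanned:
                found[person] = sorted(granted & (ROLE_FUNCTIONS[a] | ROLE_FUNCTIONS[b]))
    return found


def dual_control_ok(function, participants, grants):
    """Dual control: at least two different people, each holding the function, take part."""
    holders = {p for p in participants if function in grants.get(p, set())}
    return len(holders) >= 2


def two_man_ok(performer, reviewer, function, grants):
    """Two-man control: the reviewer is a different person who also holds the function."""
    return performer != reviewer and function in grants.get(reviewer, set())


# Constructed sample: carol picked up an audit-review grant on top of sysadmin work.
SAMPLE_GRANTS = {
    "alice": {"install_system_software", "add_remove_users", "backup_recovery"},
    "bob": {"set_user_clearance", "set_file_labels", "review_audit_data"},
    "carol": {"add_remove_users", "review_audit_data"},
    "dave": {"set_file_labels"},
}
```

Here `sod_violations(SAMPLE_GRANTS)` reports only carol, who can both add users and review the audit data that records it.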


2.2.2.2 Rotation of Duties

- It is a process that may be difficult to implement, but it is an effective security control procedure.
- Lessens collusion between operators for fraudulent purposes.
- Goal: limit the time an operator spends in a role performing a security task, by changing them to another one.


2.2.3. Trusted Recovery

- The system must not be compromised by a crash.
- Trusted recovery has 2 activities:

(1) Failure Preparation
- Back up all critical files periodically.
- Must ensure an ordered/protected data recovery.
- Needed when the system needs to be halted:
  - A system problem,
  - A missing resource,
  - An inconsistent database,
  - Any kind of compromise.


2.2.3. Trusted Recovery

(2) System Recovery, procedure includes:
- Recover in single user mode
- Recover all file systems
- Recover damaged files + DB
- Recover security characteristics
- Check security critical files

Common Criteria's hierarchical recovery types:
- Manual Recovery
- Automated Recovery
- Automated Recovery without Undue Loss


2.2.4. Configuration/Change Management Control

- Process of tracking and approving changes.
- Identifying, controlling and auditing changes to hardware, software, network or others.
- Goal = ensure changes don't affect the system's security.
- Secures trusted systems under design/development.


2.2.4. Configuration/Change Management Control

Functions:
- Check order, notify, analyze, reduce negative (-) impact

5 procedures:
- Apply, Catalog, Schedule, Implement, Report

Configuration management classes:
- B2, B3: configuration/change management control enforced to develop and maintain the system.
- A1: configuration/change management control enforced over the entire system life cycle.


2.3. Administrative Controls

- Personnel Security
  - Employment Screening or Background Checks
  - Mandatory Taking of Vacation in One Week Increments
  - Job Action Warnings or Termination
- Separation of Duties and Responsibilities
- Least Privilege
- Need to Know
- Change/Configuration Management Controls
- Records Retention and Documentation


2.3.1. Least Privilege

Separate the levels of access:
- Read Only
- Read/Write
- Access Change


2.3.2. Operations Job Function Overview

Overview of operational functions. Examples:
- Computer Operator: runs the console, backups, records/reports problems, maintains controls.
- Operations Analyst: works with software/dev applications, checks programs / computer operators.
- Job Control Analyst: quality of production jobs, metrics, standards.
- Production Scheduler: plans/creates/coordinates schedules of computer processes.
- Production Control Analyst
- Tape Librarian


2.3.3. Record Retention

- Record retention deals with computer files, directories, and libraries.
- Data Remanence: data still exists. Physical traces. Reconstructions. SysAdmin + SecAdmin must know about it.
- Due Care and Due Diligence:
  - Good business practices for the organization's industry.
  - Legal requirements.


2.3.4. Documentation

- A security system needs documentation controls.
- Docs such as:
  - Security plans
  - Contingency plans
  - Risk analyses
  - Security policies
  - Procedures
- Docs must be protected against disclosure.
- Docs must be ready in disasters.


2.4. Operations Controls

- Resource Protection
- Hardware controls
- Software controls
- Privileged-entity controls
- Media controls
- Physical access controls


2.4.1. Resource Protection

Hardware:

Communications, Storage media, processing systems, standalone computers, printers/fax

Software:

Program libraries, src code, vendor software, OS / utilities.

Data:

Backups, usr/pwd data files, Operating data dir, logs/audit trails

Transparency:

Flexible; no extra steps to use; no need to learn too much about the security control.


2.4.2 Hardware Protection

Hardware Maintenance
- Maintenance = physical + logical access; it must be supervised for on-site, remote or transported work.

Maintenance Accounts
- Vendor accounts w/default passwords.

Diagnostic Port Control
- Direct hardware access. Used only by authorized personnel.

Hardware Physical Control
- Use locks and alarms in some data processing areas.


2.4.3. Software Controls

Antivirus management
- Nobody must load/execute software without supervision.

Software testing
- Test new code. Test upgrades too.

Software utilities
- Security policy prevents misuse of utilities.

Safe software storage
- Hardware/software access controls ensure integrity of backups.

Backup controls
- Accuracy of restores; secure backups against theft, damage, environmental problems.


2.4.4. Privileged Entity Controls

- = privileged operations functions.
- Special access to computing resources by operators and sys admins according to their job title.
- Examples of classes of privileged operations functions:
  - Special access to system commands
  - Access to special parameters
  - Access to the system control program


2.4.5. Media Resource Protection

Media Security Controls, e.g.:
- Logging
- Access Control
- Proper Disposal: Overwrite, Degauss, Destruction.

Media Viability Controls, e.g.:
- Marking
- Handling
- Storage


2.4.6. Physical Access Controls

E.g. equipment which could need protection:
- Hardware, control over:
  - Communications / computing equipment
  - Storage media
  - Printed logs / reports
- Software:
  - Backup files, system logs
  - Production applications, sensitive / critical data
- Type of personnel to have special access.


3. Monitoring and Auditing

Monitoring
- Techniques, mechanisms, tools.
- Actions to identify event vectors / report info.
- Monitor: illegal software, hardware faults, anomalies.

Auditing
- It is the foundation of monitoring "controls".
- Helps monitoring to develop patterns.


3.1. Monitoring Techniques

Intrusion Detection
- Intruders, traffic patterns, evidence.

Penetration Testing
- Sniffing, scanning/probing, demon dialing
- Dumpster diving, social engineering

Violation Analysis, detects violations such as:
- Errors, exceeded privileges, many people w/unrestricted access.
- Patterns w/serious intrusion attempts


3.2. Security Auditing

Two types:

Internal auditors
- More mandate
- Check compliance/standards of due care, operational cost-efficiencies, recommendations

External auditors
- Often = Certified Public Accountants (CPAs)
- Financial statements

Auditors' functions, review:
- Controls, procedures, standards, plans / implementations.


3.2.1. Audit Trails

- Let you identify/resolve problems.
- Historical trace.
- Enforce accountability.
- Let you reconstruct events.
- Logs must contain: Date/Time, Who, Terminal (from), Related events.
- Auditor must look at: reruns or rectification of jobs, practices of operators.

Note: Protect audit media/reports:
- When storage is off-site
- Against alteration / unavailability
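A sketch of an audit trail that enforces the required fields and makes alteration detectable, as an added example that is not part of the original slides. The field names, the SHA-256 hash chain and the sample records are assumptions chosen for the illustration; the slides name the fields and the need to protect the trail, not a mechanism.

```python
import hashlib
import json

# Fields the slide says every audit record must carry (key names are assumptions).
REQUIRED = ("timestamp", "who", "terminal", "event")
GENESIS = "0" * 64


def _digest(prev_hash, record):
    """Hash the previous link together with a canonical form of the record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append_record(trail, record):
    """Reject incomplete records, then chain the new entry to the last one."""
    missing = [f for f in REQUIRED if not record.get(f)]
    if missing:
        raise ValueError("audit record missing: " + ", ".join(missing))
    prev = trail[-1]["hash"] if trail else GENESIS
    trail.append({"record": dict(record), "hash": _digest(prev, record)})
    return trail[-1]["hash"]


def verify_trail(trail, expected_head=None):
    """Return the index of the first bad entry, or None if the trail is intact.
    expected_head is the last hash, kept where operators cannot write; it catches truncation."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        if _digest(prev, entry["record"]) != entry["hash"]:
            return i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return len(trail)
    return None


def sample_trail():
    """Constructed sample data: one operator session that ends in a job rerun."""
    trail = []
    for ts, who, term, event in [
        ("2003-01-14T02:10:00Z", "op_lee", "console-1", "job PAYROLL01 started"),
        ("2003-01-14T02:31:00Z", "op_lee", "console-1", "job PAYROLL01 abended"),
        ("2003-01-14T02:35:00Z", "op_lee", "console-1", "job PAYROLL01 rerun"),
    ]:
        append_record(trail, {"timestamp": ts, "who": who, "terminal": term, "event": event})
    return trail
```

Editing any stored record changes its digest and breaks every later link, so `verify_trail` points at the first altered entry; dropping entries from the end is only caught when the head hash is held separately from the trail, for example with the off-site copy.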


3.3.3. Problem Management Concepts

PM is the way to control the process of problem isolation / problem resolution.

Goal:
- Reduce failures (acceptable risk), prevent recurrence of problems, mitigate impacts.

How to implement:
- Define potential problem areas.
- Define abnormal events to be investigated.


4. Threats and Vulnerabilities

Threats = events
- Can cause damage / create loss of CIA
- Can be malicious: file modification
- Can be accidental: accidental deletion of a file

Vulnerabilities
- Weakness that can be exploited by a threat.
- Reducing vulnerabilities reduces the risk + impact of threats.


4.1. Threats

Accidental Loss
- Lack of training/proficiency
  - Operator input errors and omissions
- Malfunctioning of app. processing procedure
  - Transaction processing errors

Inappropriate Activities
- Inappropriate Content
- Waste of Corporate Resources
- Sexual or Racial Harassment
- Abuse of Privilege or Rights


4.1. Threats

Illegal Computer Operations and Intentional Attacks
- Eavesdropping: sniffing, dumpster diving, shoulder surfing, data scavenging, trend analysis, social eng.
- Fraud: altering of data integrity, collusion
- Theft: hw/sw theft, trade secrets
- Sabotage: DoS, delays of production
- External Attack: demon dialing, scanning, probing, virus, etc.


4.2. Vulnerabilities

- Traffic/Trend Analysis
- Maintenance Accounts
- Data Scavenging Attacks
- IPL Vulnerabilities
- Network Address Hijacking