security operations -- an overview

Information Systems 365/765 Nicholas Davis, November 10, 2016 Lecture 16 Operations Security


Page 1: Security Operations -- An Overview

Information Systems 365/765, Nicholas Davis, November 10, 2016

Lecture 16 Operations Security

Page 2: Security Operations -- An Overview

Operations Security

• What happens after the secure network and systems are built
• Day-to-day work and use
• Continual maintenance (due care and due diligence)
• Prudent Person Concept: despite all the controls in place, operations security still depends on people using their common sense and good judgment to uphold IT security principles

05/03/23 UNIVERSITY OF WISCONSIN 2

Page 3: Security Operations -- An Overview

Administrative Management Design

• Dealing with personnel issues (separation of job duties and job rotation)
• High-risk activities are broken up among several employees, so that no single person can carry out a sensitive transaction alone
• The organization should have a complete, written and detailed list of the duties of personnel
• Users and administrators should have separate accounts with different access rights on systems
• Backup and redundancy of job functions
• Enforce least privilege and mandatory vacations (a mandatory vacation forces someone else to perform the job, which exposes errors or fraud that the regular holder could otherwise conceal)

Page 4: Security Operations -- An Overview

Security and Network Personnel Tasks

• Implement and maintain security devices and software
• Carry out security assessments
• Create and maintain user profiles and access
• Configure the security labels in Mandatory Access Control
• Set initial passwords
• Review audit logs


Page 5: Security Operations -- An Overview

Security and Network Personnel Accountability

Limit excessive privileges. Enable monitoring, logging and auditing (this should be routine).

Questions which you should ask:
• Are users performing functions which are part of their job descriptions?
• Are repetitive mistakes being made?
• Do too many users have rights to sensitive data?
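The three accountability questions above, together with the separation-of-duties design on the Administrative Management slide, can be turned into a scripted access review that runs against an export of who holds what. The following is an added Python example, not part of the lecture; the role definitions, the user snapshot and the conflicting-permission pairs are constructed for illustration.

```python
"""Scripted access review: privileges outside a user's role, separation-of-duties
conflicts, and who can reach sensitive data. Added example; all data constructed."""

# Constructed job roles and the permissions each is supposed to carry.
ROLE_PERMISSIONS = {
    "ap_clerk":   {"create_vendor", "enter_invoice"},
    "ap_manager": {"approve_payment", "view_vendor"},
    "dba":        {"db_admin", "read_customer_pii"},
    "helpdesk":   {"reset_password", "view_ticket"},
}

# Constructed separation-of-duties rule: one person must not hold both halves,
# or they could create a fake vendor and approve payments to it themselves.
SOD_CONFLICTS = [
    ("create_vendor", "approve_payment"),
    ("enter_invoice", "approve_payment"),
]

# Constructed snapshot of what users actually hold today (e.g. an IAM export).
USERS = {
    "alice": {"role": "ap_clerk",   "perms": {"create_vendor", "enter_invoice"}},
    "bob":   {"role": "ap_manager", "perms": {"approve_payment", "view_vendor", "create_vendor"}},
    "carol": {"role": "dba",        "perms": {"db_admin", "read_customer_pii"}},
    "dave":  {"role": "helpdesk",   "perms": {"reset_password", "view_ticket", "read_customer_pii"}},
}


def excess_privileges(users, role_perms):
    """{user: permissions held that the user's role does not grant}.
    Answers 'are users doing functions outside their job description?'"""
    out = {}
    for name, rec in users.items():
        extra = rec["perms"] - role_perms.get(rec["role"], set())
        if extra:
            out[name] = extra
    return out


def sod_violations(users, conflicts):
    """[(user, perm_a, perm_b)] for everyone holding both sides of a conflict."""
    return [(name, a, b)
            for name, rec in users.items()
            for a, b in conflicts
            if a in rec["perms"] and b in rec["perms"]]


def holders_of(users, permission):
    """Sorted list of users who can reach a permission, to answer
    'do too many users have rights to sensitive data?'"""
    return sorted(name for name, rec in users.items() if permission in rec["perms"])


def review(users=USERS, role_perms=ROLE_PERMISSIONS, conflicts=SOD_CONFLICTS,
           sensitive=("read_customer_pii", "db_admin")):
    """One report a reviewer can read: findings grouped by question."""
    return {
        "excess": excess_privileges(users, role_perms),
        "sod": sod_violations(users, conflicts),
        "sensitive": {p: holders_of(users, p) for p in sensitive},
    }


if __name__ == "__main__":
    for section, findings in review().items():
        print(section, findings)
```

Run periodically against a fresh export and diff the report against the last one: a new name under "excess" or "sod" is exactly the deviation from the norm that the later slides say should be investigated.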


Page 6: Security Operations -- An Overview

Clipping Levels (Threshold)

• A threshold is a baseline number of occurrences of an activity that is tolerated before an alarm is raised
• Once it is exceeded, the violations are recorded for review
• The purpose is to discover problems before damage occurs
• Example: you have logged in incorrectly 10 times, so your account is locked and your password must be reset
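An added Python example (not part of the lecture) of a clipping-level monitor: it tallies failed logins per account over a sliding window and raises one alarm the first time the count reaches the threshold. The log line format is an assumption and the log lines are constructed. The third account in the sample fails once an hour for ten hours and never trips the alarm, which is the point of pairing a threshold with a time window: a scheduled job with a stale password is noise, a burst is an attack.

```python
"""Clipping-level (threshold) monitor over an authentication log.
Added example; log line format is an assumption, the lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<ISO-8601 timestamp> <EVENT> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>FAILED_LOGIN|LOGIN_OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for noise we cannot parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "event": m["event"],
        "user": m["user"],
        "src": m["src"],
    }


def clipping_level_monitor(lines, threshold=10, window=timedelta(minutes=15)):
    """Raise one alarm per account the first time it accumulates `threshold`
    failed logins inside `window`. Returns (alerts, locked_accounts), where
    alerts is a list of (user, iso_timestamp, src) tuples.
    A successful login clears the tally; failures older than the window
    fall out of it, so a slow trickle never reaches the clipping level."""
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    locked = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        user, ts = ev["user"], ev["ts"]
        if ev["event"] == "LOGIN_OK":
            failures[user].clear()
            continue
        q = failures[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and user not in locked:
            locked.add(user)
            alerts.append((user, ts.isoformat(), ev["src"]))
    return alerts, locked


def sample_log():
    """Constructed log: a burst of 10 failures against jsmith in 4.5 minutes,
    3 failures then a success for mlee, 10 failures for svc_backup spread one
    per hour, and one unparseable line."""
    base = datetime(2016, 11, 10, 9, 0, 0)
    lines = [f"{(base + timedelta(seconds=30 * i)).isoformat()} FAILED_LOGIN user=jsmith src=10.0.0.5"
             for i in range(10)]
    lines += [f"{(base + timedelta(minutes=2, seconds=i)).isoformat()} FAILED_LOGIN user=mlee src=10.0.0.7"
              for i in range(3)]
    lines.append(f"{(base + timedelta(minutes=2, seconds=10)).isoformat()} LOGIN_OK user=mlee src=10.0.0.7")
    lines += [f"{(base + timedelta(hours=i)).isoformat()} FAILED_LOGIN user=svc_backup src=10.0.0.9"
              for i in range(10)]
    lines.append("garbage line that does not parse")
    return sorted(lines)   # ISO-8601 timestamps sort chronologically as strings


if __name__ == "__main__":
    alerts, locked = clipping_level_monitor(sample_log())
    for user, when, src in alerts:
        print(f"ALARM {when} account={user} locked after repeated failures from {src}")
```

With the slide's threshold of 10 only jsmith is locked; lowering the threshold to 3 also catches mlee, but svc_backup still never trips because its ten failures are spread across ten hours.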


Page 7: Security Operations -- An Overview

Assurance Levels

Operational Assurance: describes the standards to which an information system was built and the protection it provides while running (access control, auditing, trusted recovery). This is determined during the design process.

Lifecycle Assurance: describes how the information system is maintained and grown while continuing to abide by the original operational assurance, setting standards and expectations to be met: change control, testing of modifications, routine audits of active accounts, etc.


Page 8: Security Operations -- An Overview

Operational Responsibilities

Duties of staff may include hardware, software and personnel. Management is responsible for managing the behavior of employees. Operations people focus on preventing recurring issues. All deviations from the norm should be investigated.


Page 9: Security Operations -- An Overview

Unusual or Unexplained Occurrences

Steps in such a situation are:
1. Investigate
2. Diagnose
3. Solve
4. Make changes in the system to keep the issue from occurring in the future


Page 10: Security Operations -- An Overview

Deviations From Standards

Standards = expected service levels of information systems. They provide a solid baseline from which deviations can be investigated.

Examples of common problems:
• Unscheduled system reboots (Zoinks, Scooby!)
• Asset identification and management (where's my stuff?)
• System controls (how did this person gain access?)

Page 11: Security Operations -- An Overview

System Hardening

Types of controls: Physical, Technical, Administrative

Physical safeguards:
1. Wiring and networking closets locked
2. Network equipment and ports in public locations should be physically inaccessible
3. Removable devices should be locked up and encrypted


Page 12: Security Operations -- An Overview

Systems Hardening (Continued)

Licensing issues: Make sure your company is using the software in compliance with vendor contracts and stipulated operating procedures

Make sure you have a Service Level Agreement (SLA) with your software, hardware and service providers, indicating acceptable and unacceptable performance and recovery baseline agreements


Page 13: Security Operations -- An Overview

Remote Access Security

Definition: Providing secure information systems access to remote users.

Remote access can help reduce costs by permitting work flexibility, but it also may expose you to increased risk. It is a balancing act.
1. All communication via remote access should be encrypted at all times
2. Generally, remote access to critical systems by end users should not be permitted
3. Administrators must use strong authentication such as a One-Time Password (OTP) device
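The OTP device the slide calls for is specified in RFC 4226 (HOTP, counter based) and RFC 6238 (TOTP, time based). The following is an added Python implementation, not material from the lecture. It uses the public test-vector secret from those RFCs so the codes can be checked against the published values; the server-side OtpVerifier class, its one-step clock-skew window and its replay rule are design choices assumed here. The replay rule covers the failure mode a bare code check misses: an attacker who shoulder-surfs or phishes a code and submits it within the same 30-second step.

```python
"""HOTP (RFC 4226) / TOTP (RFC 6238) with server-side replay protection.
Added example; the secret is the RFC test-vector secret, not a real key."""
import hashlib
import hmac
import struct

# The 20-byte ASCII secret from the RFC 4226 / RFC 6238 test vectors (public).
TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """HMAC the 8-byte big-endian counter, dynamic-truncate to 31 bits,
    and keep the low `digits` decimal digits (zero-padded)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6, algo=hashlib.sha1):
    """TOTP is HOTP with the counter set to floor(time / step)."""
    return hotp(secret, unix_time // step, digits, algo)


class OtpVerifier:
    """Server side of the OTP check (assumed design, not from the lecture).
    Accepts a code for the current step or up to `skew` steps either side,
    compares in constant time, and remembers the highest step already
    consumed so a captured code is never accepted twice, even inside the
    skew window."""

    def __init__(self, secret, step=30, skew=1, digits=6):
        self.secret = secret
        self.step = step
        self.skew = skew
        self.digits = digits
        self.last_used_step = -1

    def verify(self, code, unix_time):
        current = unix_time // self.step
        for s in range(current - self.skew, current + self.skew + 1):
            if s <= self.last_used_step:
                continue   # replay, or older than a code already used: reject
            if hmac.compare_digest(hotp(self.secret, s, self.digits), code):
                self.last_used_step = s
                return True
        return False


if __name__ == "__main__":
    # Expected: 755224, 287082 (RFC 4226 vectors), 94287082 (RFC 6238 vector)
    print(hotp(TEST_SECRET, 0), hotp(TEST_SECRET, 1), totp(TEST_SECRET, 59, digits=8))
    v = OtpVerifier(TEST_SECRET)
    code = totp(TEST_SECRET, 1000)
    print("first use:", v.verify(code, 1000), " replay:", v.verify(code, 1000))
```

Two things to carry over to a real deployment: the shared secret must be generated randomly per device and stored as protected as a password hash would be, and the verifier state (last_used_step) has to be persisted per user, otherwise a restart re-opens the replay window.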


Page 14: Security Operations -- An Overview

Configuration and Change Management

Policies should:
1. Document how all changes are made and approved
2. Set different guidelines based upon the kind of data being managed
3. Require that disruptions in service be planned and approved in advance
4. Require contingency plans to be in place to address planned outages


Page 15: Security Operations -- An Overview

Change Control Process

Process:
1. Submit a request for the change to take place
2. Formal approval of the change
3. Formal documentation of the change
4. Assurance of testing must be presented to the group approving the change
5. Implement the change
6. Report results to management


Page 16: Security Operations -- An Overview

Examples of Change Controlled Events

• New computers installed
• New applications installed
• Changes in system configurations implemented
• Patches and system updates
• New networking equipment installed
• Company IT infrastructure merged with that of another company which was acquired


Page 17: Security Operations -- An Overview

Physical Media Controls

1. Protect from unauthorized access
2. Protect from environmental issues such as flooding, overheating, etc.
3. Media should be labeled
4. Media should be sanitized when they reach the end of their use/life
5. Tracking number and chain of custody of media
6. Location of backups
7. Keep a history of any changes to media (replacements, etc.)

Page 18: Security Operations -- An Overview

Network and Resource Availability

Failsafe measures are very important!
1. Have redundant hardware and software replacements on hand
2. Implement fault tolerance technologies such as load-balanced login servers

Note the difference between redundancy and load balancing: redundancy means having a backup system which can take over if the primary system goes down, while load balancing means that two or more systems operate in tandem to spread the load and reduce dependency on a single point which could fail.


Page 19: Security Operations -- An Overview

Network and Resource Availability

1. Mean Time Between Failures (MTBF) should be tracked and proactively addressed. “Trend” your devices, so that you can plan for replacement and be ready.

2. Understand the Mean Time To Repair (MTTR), so you can make adequate plans when a system breaks.

3. Avoid single points of failure, whenever possible


Page 20: Security Operations -- An Overview

Redundant Array of Independent Disks (RAID)

RAID 0 = striping of data across several disks for performance. Striping alone provides no redundancy: every file is spread across all members, so if any one disk is lost the data on the whole array is lost. Parity levels (RAID 5) add a parity block computed by XOR across each stripe; if a disk goes down, pull it, replace it, and the missing blocks are rebuilt from the surviving disks and the parity.

RAID 1 = mirroring of the source disk. If a disk goes down, it can be rebuilt from the mirror disk.
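An added example, not from the lecture: a byte-level simulation of striping, mirroring and parity in Python. It shows concretely that a striped (RAID 0) array cannot be read after one member fails, that a mirror can, and how a parity disk rebuilds a lost member by XOR. The parity layout uses a dedicated parity disk (RAID 4); RAID 5 rotates the parity block across members but the arithmetic is identical. Block size and the sample data are constructed.

```python
"""Byte-level RAID simulation: striping (0), mirroring (1) and XOR parity (4/5 arithmetic).
Added example, not from the lecture; a failed disk is represented by None."""

BLOCK = 4   # bytes per block; constructed, real arrays use tens of KiB and up


def _stripe(data, n_disks):
    """Pad to a whole number of stripes and deal fixed blocks round-robin."""
    stripe_len = BLOCK * n_disks
    padded = data + b"\0" * (-len(data) % stripe_len)
    disks = [[] for _ in range(n_disks)]
    for i in range(0, len(padded), BLOCK):
        disks[(i // BLOCK) % n_disks].append(padded[i:i + BLOCK])
    return disks


def _join(disks, length):
    """Inverse of _stripe: interleave the blocks back and drop the padding."""
    out = bytearray()
    for i in range(len(disks[0])):
        for d in disks:
            out += d[i]
    return bytes(out[:length])


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def raid0_write(data, n_disks):
    return _stripe(data, n_disks)


def raid0_read(disks, length):
    """Striping has no redundancy: one failed member loses the whole array."""
    if any(d is None for d in disks):
        raise IOError("RAID 0: member failed, striped data is unrecoverable")
    return _join(disks, length)


def raid1_write(data):
    return [data, data]


def raid1_read(disks):
    for d in disks:
        if d is not None:
            return d
    raise IOError("RAID 1: every mirror failed")


def raid4_write(data, n_data_disks):
    """Data disks plus one parity disk holding the XOR of each stripe's blocks."""
    disks = _stripe(data, n_data_disks)
    parity = []
    for i in range(len(disks[0])):
        p = bytes(BLOCK)
        for d in disks:
            p = _xor(p, d[i])
        parity.append(p)
    return disks + [parity]


def rebuild_one(disks):
    """Reconstruct exactly one failed member (data or parity): the XOR of all
    other blocks in a stripe equals the missing block."""
    lost = [i for i, d in enumerate(disks) if d is None]
    if len(lost) != 1:
        raise IOError(f"need exactly one failed member to rebuild, have {len(lost)}")
    survivors = [d for d in disks if d is not None]
    rebuilt = []
    for i in range(len(survivors[0])):
        p = bytes(BLOCK)
        for d in survivors:
            p = _xor(p, d[i])
        rebuilt.append(p)
    repaired = list(disks)
    repaired[lost[0]] = rebuilt
    return repaired


def raid4_read(disks, length):
    if any(d is None for d in disks):
        disks = rebuild_one(disks)   # degraded mode: rebuild on the fly
    return _join(disks[:-1], length)


def failure_demo(data=b"operations security depends on people"):
    """Fail one member of each layout and report which reads still succeed."""
    results = {}
    r0 = raid0_write(data, 3)
    r0[1] = None
    try:
        raid0_read(r0, len(data))
        results["raid0_one_lost"] = "readable"
    except IOError:
        results["raid0_one_lost"] = "lost"
    r1 = raid1_write(data)
    r1[0] = None
    results["raid1_one_lost"] = "readable" if raid1_read(r1) == data else "corrupt"
    r4 = raid4_write(data, 3)
    r4[0] = None
    results["raid4_one_lost"] = "readable" if raid4_read(r4, len(data)) == data else "corrupt"
    r4[2] = None   # a second concurrent failure exceeds what single parity covers
    try:
        raid4_read(r4, len(data))
        results["raid4_two_lost"] = "readable"
    except IOError:
        results["raid4_two_lost"] = "lost"
    return results


if __name__ == "__main__":
    print(failure_demo())
```

The last case is the operational lesson behind the MTTR slide that follows: single-parity arrays survive one failure, so the time a degraded array runs before the failed disk is replaced and rebuilt is exactly the window in which a second failure loses everything.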


Page 21: Security Operations -- An Overview

Backups

Steps:
• Document your procedures
• Test and certify restores
• Do continuous incremental online backups
• Engage in Business Continuity Planning; keep copies both onsite and offsite, in case of disaster


Page 22: Security Operations -- An Overview

Mainframe Operational Security

• Continue to be useful, reliable and expensive
• Generally have fewer patching requirements
• Generally more powerful and less flexible than client-server systems
• Dinosaurs!


Page 23: Security Operations -- An Overview

Fax Security

• There is no such thing as a secure Fax

• Never use a Fax for a sensitive communication!


Page 24: Security Operations -- An Overview

Vulnerability Testing

Goals:
1. Evaluate your company's true and actual security posture versus your company's stated and/or assumed security posture
2. Confirm known vulnerabilities and identify new vulnerabilities
3. Test how your company reacts to attacks on its information systems
