Transcript of sfbayissa_cissp_operations2010
8/7/2019 sfbayissa_cissp_operations2010
http://slidepdf.com/reader/full/sfbayissacisspoperations2010 1/91
Operations Security
CISSP Review
4/2/2010 1
Presented By: Bob Harren, CISSP, CCNA, [email protected]
Domain Objective
• Recognize the activities involved in securing the operations of an enterprise and identify the technologies used to maintain network and resource availability.
• Identify the effects of various hardware and software violations on the system, and recognize how different types of operational and life-cycle assurance are used to secure operations.
• Determine the effects of different attacks on the network and identify the consequences of those effects.
Domain Objective
• Recognize how different auditing and monitoring techniques are used to identify and protect against system and network attacks.
• Recognize the need for resource protection, distinguish between e-mail protocols, and identify different types of e-mail vulnerability.
• Identify mechanisms & security issues with the Web, & recognize technologies for transferring & sharing files over the Internet.
Domain Objective
• Recognize key reconnaissance attack methods and identify different types of administrative management and media storage control.
• Identify appropriate security measures & controls for creating a more secure workspace in given scenarios.
Administrative Management (Separation of Duties)
Assign different tasks to different personnel
No single person can completely compromise a system
Related to the concept of least privilege – the least privileges required to do one's job
Secure Systems - System Administrator and Security Administrator must be different roles.
Highly Secure Systems - System Administrator, Security Administrator & Enhanced Operator must be different roles.
If the same person holds more than one of these roles, the roles must be controlled and audited.
Administrative Management (Separation of Duties)
Organizational Role – Core Responsibilities
Control Group – Obtains & validates info from analysts, admins, and users and passes it to user groups.
Systems Analyst – Designs data flow of systems based on operational and user requirements.
Application Programmer – Develops and maintains production software.
Help Desk/Support – Resolves end-user and system technical or operations problems.
IT Engineer – Performs the day-to-day operational duties on systems and applications.
Database Administrator – Creates new database tables and manages the database.
Network Administrator – Installs and maintains the LAN/WAN environment.
Security Administrator – Defines, configures, and maintains the security mechanisms.
Tape Librarian – Receives, records, releases, and protects files backed up on media.
Quality Assurance – Can consist of both Quality Assurance (QA) and Quality Control (QC).
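Added example, not part of the original slides: a small Python check that applies the two separation-of-duties rules from the previous slide (Secure Systems: System Administrator and Security Administrator must differ; Highly Secure Systems: System Administrator, Security Administrator and Enhanced Operator must all differ) to a constructed list of role assignments and reports the people whose combined roles must be controlled and audited. The role strings, the policy-level names and the sample assignments are assumptions.

```python
from collections import defaultdict

# Role names as they appear on the slides (assumed spelling).
SYS_ADMIN = "System Administrator"
SEC_ADMIN = "Security Administrator"
ENH_OPERATOR = "Enhanced Operator"

# Pairs of roles one person may not hold together, per policy level.
# "secure" and "highly_secure" are assumed labels for the two slide rules.
POLICIES = {
    "secure": [(SYS_ADMIN, SEC_ADMIN)],
    "highly_secure": [
        (SYS_ADMIN, SEC_ADMIN),
        (SYS_ADMIN, ENH_OPERATOR),
        (SEC_ADMIN, ENH_OPERATOR),
    ],
}


def roles_by_person(assignments):
    """Build {person: set(roles)} from an iterable of (person, role) pairs."""
    held = defaultdict(set)
    for person, role in assignments:
        held[person].add(role)
    return held


def find_conflicts(assignments, level):
    """Return sorted (person, role_a, role_b) triples that violate `level`."""
    if level not in POLICIES:
        raise ValueError(f"unknown policy level: {level}")
    held = roles_by_person(assignments)
    conflicts = []
    for person, roles in held.items():
        for a, b in POLICIES[level]:
            if a in roles and b in roles:
                conflicts.append((person, a, b))
    return sorted(conflicts)


def is_compliant(assignments, level):
    """True when nobody holds a forbidden pair of roles at this level."""
    return not find_conflicts(assignments, level)


def compensating_controls(conflicts):
    """The slides say roles that cannot be split must be controlled and
    audited; emit one required-control line per detected conflict."""
    return [f"{p}: {a} + {b} -> require approval and audit of both roles"
            for p, a, b in conflicts]


# Constructed sample assignment list (not from the slides).
SAMPLE = [
    ("alice", SYS_ADMIN),
    ("alice", ENH_OPERATOR),
    ("bob", SEC_ADMIN),
    ("carol", SYS_ADMIN),
    ("carol", SEC_ADMIN),
    ("dave", ENH_OPERATOR),
]

if __name__ == "__main__":
    for level in POLICIES:
        conflicts = find_conflicts(SAMPLE, level)
        print(level, "compliant" if not conflicts else "NOT compliant")
        for line in compensating_controls(conflicts):
            print("  ", line)
```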
Introduction
• Topic: Operations Security
• Approach - General security principles
• The Problem
• The Control
C.I.A. Triad
Confidentiality – operations controls affect confidentiality of data.
Integrity – how well operations controls are implemented affects data integrity.
Availability – fault tolerance and ability to recover.
General Security Principles
• Accountability
– Authorization
– Logging
• Separation of duties
• Least privilege
• Risk reduction
– Job Rotation
– Mandatory vacations
• Layered defense
• Redundancy
Definitions
Threat – an event that could cause harm by violating the security (e.g. operator abuse of privileges)
Vulnerability – weakness in a system that enables security to be violated (e.g. weak segregation of duties)
Asset – anything that is a computer resource (e.g. software, data)
Critical Operational Controls
• Resource protection
• Privileged-entity control
• Hardware control
• Controls to protect hardware, software and media from:
– Threats in an operating environment
– Internal and external intruders
– Operators inappropriately accessing resources
Categories of Controls
Preventative – prevent harmful occurrence
• Lower amount and impact of errors entering the system
• Prevent unauthorized intruders from accessing the system
Detective – detect after harmful occurrence
• Track unauthorized transactions
Corrective – restore after harmful occurrence
• Data recovery
The Problem
Powerful system utilities
Powerful system commands
Direct control over hardware and software
Direct control over all files
Direct control over printers and output queues
Powerful Input / Output commands
Direct access to servers
Initial program load from console
The Problem
Erroneous transactions (fraud)
• Altering proper transactions
• Adding improper transactions
Denial of service/Delays in operation
Personal use, Disclosure
Audit trail/log corruption/modification
Protected Resources
Password files
Application program libraries
Source code
Vendor software
Communications HW/SW
Main storage
Disk & tape storage
Protected Resources
Processing equipment
Stand-alone computers
Printers
Sensitive/Critical data
System utilities
System logs/audit trails
Backup files
Sensitive forms
Printouts
People
Separation of Duties - Operator
Installing system software
Start up/Shut down
Backup/recovery
Mounting disks/tapes
Handling hardware
Adding/removing users
Separation of Duties - Security
• User activities
– Adding/removing users
– Setting clearances
– Setting passwords
– Setting other security characteristics
– Changing profiles
• Setting file sensitivity labels
• Setting security characteristics of devices, communications channels
• Reviewing audit data
System Admin / Enhanced Operator Functions
Installing software
Start up and shutdown of system
Adding/removing users
Performing backup and recovery
Handling printers and queues
Security Admin Functions
Setting user clearances
Setting initial passwords and userids
Changing security profiles for users
Setting file sensitivity labels
Setting security of devices
Reviewing audit data
Security Admin Functions
B2 security level requires that systems must support separate operator and system administrator roles.
B3 and A1 systems must clearly identify the functions of the security administrator to perform the security-related functions.
Rotation of duties - Limiting the length of time a person performs duties before being moved
The Problem
Physical access to the computer room and devices there
Shoulder surfing over Operator's shoulder
Physical access to printouts - rerouting
Access to print queues
Access to printers
The Control
• Authentication & Least Privilege
– Authorization for access to the facility
– Closed shop - physical access controls limiting access to authorized personnel
– Operations security - controls over resources - HW, media & operators with access
• Operations terminals
• Servers/routers/modems/circuit rooms
• Sniffer - device that attaches to the network and captures network traffic
• Magnetic media
The Problem
• Inability to recover from failures
• Legal liabilities
The Control
• Redundancy
– Regular backups of all software and files
Orange Book Controls (TCSEC)
Trusted Computer Security Evaluation Criteria
• Assurance – level of confidence that security policies have been implemented correctly
• Operational Assurance – focuses on basic features and architecture of a system
• Life Cycle Assurance – controls and standards required for building and maintaining a system
Trusted Computer Security Evaluation Criteria
• Orange Book Addresses:
– Confidentiality
– NOT Integrity
– It looks specifically at the operating system and not other issues
• Levels
– D – Minimal Protection
– C – Discretionary Protection – (C1 and C2)
– B – Mandatory Protection – (B1, B2, and B3)
– A – Verified protection, formal methods (A1)
Orange Book Controls (TCSEC)
Trusted Computer Security Evaluation Criteria
• Operational Assurance – focuses on basic features and architecture of a system
– System Architecture
– System Integrity
– Covert Channel Analysis
– Trusted Facility Management
– Trusted Recovery
Orange Book Controls (TCSEC)
Trusted Computer Security Evaluation Criteria
• Life Cycle Assurance – controls and standards required for building and maintaining a system
– Security Testing
– Design Specification and testing
– Configuration Management
– Trusted Distribution
Trusted System Operations
• Trusted computer base - HW/FW/SW protected by appropriate mechanisms at appropriate level of sensitivity/security to enforce security policy
• Trusted facility management - supports separate operator and administrator roles (B2)
• Clearly identify security admin functions
• Definition - Integrity – formal declaration or certification of a product
Covert Channel Analysis
An information path that is not normally within a system and is therefore not protected by the system's normal security mechanism.
Secret ways to convey information to another program or person
• Covert Storage Channels - convey information by changing stored data (B2)
• Covert Timing Channels – convey information by altering the performance of or modifying the timing of system resources in a measurable way. (B3, A1 = Storage and Timing)
Covert channels are combated with noise and traffic generation
Configuration Management
• Controlling modifications to system HW/FW/SW/Documentation
• Ensure integrity and limit non-approved changes
• Baseline controls
– policies
– standards
– procedures
– responsibilities
– requirements
– impact assessments
– software level maintenance
Configuration Management
• Organized and consistent plan covering
– description of physical/media controls
– electronic transfer of software
– communications software/protocols
– encryption methods/devices
– security features/limitations of software
– hardware requirements/settings/protocols
– system responsibilities/authorities
Trusted Recovery
Required for B3 and A1 levels
• Ensures security is not breached when a system crashes or fails
• System must be restarted without compromising security
• Two primary activities
1. Failure Preparation – Backups on a regular basis
2. System Recovery
• Rebooting in single user mode – no other users allowed on the system
• Recovering all file systems
• Restoring files & security
• Checking security of critical files
Backup Management
Summary of Technologies Used to Keep the Juices Flowing
• Disk shadowing (mirroring)
• Redundant servers
• RAID, MAID, RAIT
• Clustering, Grid Computing
• Backups
• Dual backbones
• Direct Access Storage Device
• Redundant power
• Mesh network topology instead of star, bus, or ring
Three hierarchical recovery types:
Manual Recovery – Sys Admin must be involved
Automated Recovery – no intervention for single failure
Automated Recovery without Undue Loss – similar to Automated Recovery, higher level of recovery, no undue loss of protected object
After a System Crash
• Enter into single user mode
• Fix issue and recover
• Validate critical files and operations
• Security Concerns
– Boot up sequence (C:, A:, D:) should not be available to reconfigure
– Writing actions to system logs should not be able to be bypassed
– System forced shutdown should not be allowed
– Output should not be able to be rerouted
Change Control process
The following steps are examples of the types of procedures that should be part of any change control policy:
1. Approval of the change
2. Documentation of the change
3. Tested and presented
4. Implementation
5. Report change to management
Configuration Change Management
Required B2, B3 and A1
• Process of tracking and approving changes
• Identify, control and audit changes
• Changes to the system must not diminish security
• Includes roll back procedures
• Documentation updates to reflect changes
• Recommended for systems below B2, B3 and A1
• Change Control Functions:
– Orderly manner and formalized testing
– Users informed of changes
– Analyze effects of changes
– Reduce negative impact of changes
• Configuration Management required for Development and Implementation stages for B2 and B3
• Configuration Management required for life cycle of system for A1
Risk Assessment/Analysis
• Includes:
– Threat
– Vulnerability
– Asset
• Ease of Use principle – A system that is easier to secure is more likely to be secure
Administrative Controls
• HR and personnel controls
• Personnel Security:
– Employment screening
– Mandatory Vacation
– Warnings and Termination for violating security policy
– Separation of Duties
– Least Privileges
– Need to Know
• Change Control/Configuration Control
• Record Retention and Documentation
Least privilege
No access beyond job requirements
Group level privileges for Operators
Read Only
Read/Write - usually copies of original data
Access Change – make changes to original data
Media Controls
Tapes, disks, diskettes, cards, paper, optical
Volume labels required
• Human/machine readable
• Date created, created by
• Date to destroy/retention period
• Volume/file name, version
• Classification
Audit trail
Separation of responsibility - librarian
Backup procedures
Media Controls
Record Retention - Records should be maintained IAW (in accordance with) management, legal, audit and tax requirements
Data Remanence – Data left on media after it has been erased
Due Care and Due Diligence – Security Awareness, Signed Acceptance of Employee Computer Use Policy
Ensuring environmental conditions do not endanger media
Documentation – procedures for operations, contingency plans, security policies and procedures
Operation Controls
Resource Protection
Protecting resources from disclosure, alteration or misuse
Hardware – routers, firewalls, computers, printers
Software – libraries, vendor software, OS software
Data Resource – backup data, user data, logs
Hardware Controls
• Hardware Maintenance
– Requires physical and logical access by support and vendors
– Supervision of vendors and maintenance, background checks
• Maintenance Accounts
– Disable maintenance accounts when not needed
– Change default passwords
Hardware Controls
• Diagnostic Port Control
– Specific ports for maintenance
– Should be blocked from external access
• Hardware Physical Controls – require locks and alarms
– Sensitive operator terminals
– Media storage rooms
– Server and communications equipment
– Modem pools and circuit rooms
Availability Solutions
• Redundant hardware ready for "hot swapping" keeps information highly available by having multiple copies of information (mirroring) or enough extra information available to reconstruct information in case of partial loss (parity, error correction).
• Fault-tolerant technologies keep information available against not only individual storage device faults but even against whole system failures. Fault tolerance is among the most expensive possible solutions, justified only for the most mission-critical information. All technology will eventually experience a failure of some form.
• Service level agreements (SLAs) help service providers, whether they are an internal IT operation or an outsourcer, decide what type of availability technology is appropriate
• Solid operational procedures are also required to maintain availability.
RAID Levels
Level – Name – Activity
0 – Striping – Data striped over several drives. No redundancy or parity is involved. If one volume fails, the entire volume can be unusable.
1 – Mirroring – Mirroring of drives. Data are written to two drives at once. If one drive fails, the other drive has the exact same data available.
3 – Byte-level parity – Data striping over all drives and parity data held on one drive. If a drive fails, it can be reconstructed from the parity drive.
5 – Interleave parity – Data are written in disk sector units to all drives. Parity is written to all drives also, which ensures there is no single point of failure.
6 – Second or double parity data – Similar to level 5 but with added fault tolerance, which is a second set of parity data written to all drives.
10 – Striping and Mirroring – Data are simultaneously mirrored and striped across several drives and can support multiple drive failures.
Terms you may most likely see again on the exam
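Added example, not part of the original slides: Python that builds the striping-plus-parity layout behind RAID levels 3 and 5 (one XOR parity block per stripe) over constructed data, rebuilds any single failed drive, including the parity drive, from the surviving blocks, and shows why two simultaneous failures are unrecoverable with a single parity set (the gap RAID 6's second parity set closes). The drive count, block size and sample data are assumptions; where the parity block sits on disk is not modelled.

```python
def xor_blocks(blocks):
    """XOR equal-length byte strings together; this is the RAID parity operation."""
    blocks = list(blocks)
    if not blocks:
        raise ValueError("nothing to XOR")
    size = len(blocks[0])
    out = bytearray(size)
    for blk in blocks:
        if len(blk) != size:
            raise ValueError("all blocks in a stripe must be the same size")
        for i, byte in enumerate(blk):
            out[i] ^= byte
    return bytes(out)


def build_stripes(data, n_data, block_size):
    """Stripe `data` over `n_data` drives, adding one parity block per stripe.
    Returns a list of stripes; each stripe is a list of n_data + 1 blocks
    (data blocks first, parity last). Data is zero-padded to a whole stripe."""
    stripe_bytes = n_data * block_size
    padded = data + b"\0" * (-len(data) % stripe_bytes)
    stripes = []
    for off in range(0, len(padded), stripe_bytes):
        blocks = [padded[off + i * block_size: off + (i + 1) * block_size]
                  for i in range(n_data)]
        stripes.append(blocks + [xor_blocks(blocks)])
    return stripes


def parity_ok(blocks):
    """A consistent stripe XORs to all zero bytes (data XOR parity == 0)."""
    return all(b == 0 for b in xor_blocks(blocks))


def fail_drive(stripes, drive):
    """Simulate losing one drive: its block in every stripe becomes None."""
    return [[None if i == drive else b for i, b in enumerate(s)] for s in stripes]


def rebuild_stripe(blocks):
    """Rebuild one missing block from the survivors. Returns the repaired
    stripe, or None when more than one block is missing: a single parity
    block cannot recover two losses."""
    missing = [i for i, b in enumerate(blocks) if b is None]
    if not missing:
        return list(blocks)
    if len(missing) > 1:
        return None
    repaired = list(blocks)
    repaired[missing[0]] = xor_blocks(b for b in blocks if b is not None)
    return repaired


def recover(stripes):
    """Rebuild every stripe; None if any stripe is unrecoverable."""
    rebuilt = [rebuild_stripe(s) for s in stripes]
    return None if any(r is None for r in rebuilt) else rebuilt


def read_data(stripes, n_data, length):
    """Reassemble the original bytes from the data blocks of each stripe."""
    return b"".join(b for s in stripes for b in s[:n_data])[:length]


# Constructed sample: 4 data drives + 1 parity drive, 4-byte blocks.
DATA = b"Operations Security review, 4/2/2010"
N_DATA, BLOCK = 4, 4

if __name__ == "__main__":
    array = build_stripes(DATA, N_DATA, BLOCK)
    print("one drive lost  ->", read_data(recover(fail_drive(array, 2)), N_DATA, len(DATA)))
    print("two drives lost ->", recover(fail_drive(fail_drive(array, 0), 3)))
```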
• Disk shadowing (mirroring)
• Redundant servers
• RAID, MAID, RAIT
• Clustering
• Backups
• Dual backbones
• Direct Access Storage Device
• Redundant power
• Mesh network topology
Terms you may most likely see again on the exam.
Software Controls
Anti-virus Management – prevent download of viruses
Software Testing – formal rigid software testing process
Software Utilities – control of powerful utilities
Safe Software Storage – prevent modification of software and copies of backups
Backup Controls – test and restore backups
Privileged Entity Controls
"privileged operations functions"
Extended special access to system commands
Access to special parameters
Access to system control program – some only run in particular state
• Simple Mail Transfer Protocol (SMTP)
• Post Office Protocol (POP)
• Internet Message Access Protocol (IMAP)
• E-mail Relaying
– Spamming
– Phishing
– Spear phishing
Media Resource Protection
Media Security Controls – prevent the loss of sensitive information when the media is stored outside the system
• Logging – log the use of the media, provides accountability
• Access Control – physical access control
• Proper Disposal – sanitization of data – rewriting, degaussing, destruction
Media Viability Controls – protect during handling, shipping and storage
• Marking – label and mark media, barcodes
• Handling – physical protection of data
• Storage – security and environmental protection from heat, humidity, liquids, dust, smoke, magnetism
Physical Protection
Protection from physical access
• Hardware – routers, firewalls, computers, printers
• Software – libraries, vendor software, OS software
Physical piggybacking
• following an authorized person through a door
Monitoring and Auditing
• Monitoring – problem identification and resolution
• Monitor for:
– Illegal Software Installation
– Hardware Faults
– Error States
– Operational Events
Penetration Testing
Testing a network's defenses by using the same techniques as external intruders
Scanning and Probing – port scanners, network mapping tools
Vulnerability Scanning – determine best possible attacks
Demon Dialing – war dialing for modems
Sniffing – capture data packets
Dumpster Diving – searching paper disposal areas
Social Engineering – most common, get information by asking
Violation Analysis
• Clipping levels must be established to be effective
• Clipping Level – baseline of normal activity, used to ignore normal user errors
• Profile Based Anomaly Detection
• Looking for:
– Repetitive Mistakes
– Individuals who exceed authority
– Too many people with unrestricted access
– Patterns indicating serious intrusion attempts
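Added example, not part of the original slides: a Python violation-analysis pass over constructed audit-log lines (carrying the time-and-date, who and which-terminal fields the Audit Trails slide says a log should record) that applies a clipping level to failed logins inside a sliding time window, so ordinary mistyped passwords are ignored and only a user whose failures exceed the level is flagged, together with a plain per-user count for spotting repetitive mistakes. The log line format, the window and the level are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log (not real data): timestamp, event, user, terminal.
SAMPLE_LOG = """\
2010-04-02 09:00:05 login_failed user=alice term=TTY2
2010-04-02 09:00:40 login_ok user=alice term=TTY2
2010-04-02 09:10:00 login_failed user=bob term=TTY5
2010-04-02 09:10:20 login_failed user=bob term=TTY5
2010-04-02 09:11:02 login_failed user=bob term=TTY5
2010-04-02 09:11:45 login_failed user=bob term=TTY5
2010-04-02 10:00:00 login_failed user=carol term=TTY1
2010-04-02 10:30:00 login_failed user=carol term=TTY1
2010-04-02 11:00:00 login_failed user=carol term=TTY1
2010-04-02 11:15:00 login_failed user=carol term=TTY1
"""

# Assumed line layout: "<YYYY-MM-DD HH:MM:SS> <event> user=<name> term=<terminal>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<event>\w+) "
    r"user=(?P<user>\w+) term=(?P<term>\w+)$")


def parse_log(text):
    """Turn log text into a list of dict records; a line that does not fit
    the layout is an error, never silently skipped (a gap in the trail is
    itself something an auditor must see)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable audit line: {line!r}")
        records.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "event": m["event"], "user": m["user"], "term": m["term"],
        })
    return records


def failure_counts(records):
    """Plain per-user count of failed logins (repetitive-mistake view)."""
    counts = defaultdict(int)
    for r in records:
        if r["event"] == "login_failed":
            counts[r["user"]] += 1
    return dict(counts)


def clipping_violations(records, clipping_level, window):
    """Return {user: (failures_in_window, terminal)} for each user whose
    failed logins within any span of length `window` exceed `clipping_level`.
    Failures at or below the level are treated as normal user error, which
    is exactly what the clipping level exists to filter out."""
    recent = defaultdict(deque)   # user -> failures still inside the window
    flagged = {}
    for r in sorted(records, key=lambda rec: rec["ts"]):
        if r["event"] != "login_failed":
            continue
        q = recent[r["user"]]
        q.append(r)
        while q and r["ts"] - q[0]["ts"] > window:
            q.popleft()           # drop failures that aged out of the window
        if len(q) > clipping_level and r["user"] not in flagged:
            flagged[r["user"]] = (len(q), r["term"])
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("failures per user:", failure_counts(recs))
    print("over clipping level 3 in 10 min:",
          clipping_violations(recs, 3, timedelta(minutes=10)))
```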
Auditing
Backup Controls
System and Transaction Controls
Data Library Controls
Systems Development Standards
Data Center Security
Contingency Plans
Audit Trails
Enables tracking / Allows for accountability
• history of modifications, deletions, additions.
Audit logs should record:
• Transaction time and date
• Who processed transaction
• Which terminal was used
• Security events relating to transaction
Also should look at:
• Amendment to production jobs
• Production job reruns
• Computer Operator practices
Problem Management
Objective of problem management is
Goals of problem management:
Reduce failures to a manageable level
Prevent occurrence of a problem
Mitigate the impact of problems
Objective of problem management is resolution of the problem
Potential Problems:
• Performance and availability of computing resources
• The system and networking infrastructure
• Procedures and transactions
• Safety and security of personnel
Abnormal Events can be discovered by an audit:
• Degraded resource availability
• Deviations from the standard transaction procedures
• Unexplained occurrences in a processing chain
Threats and Vulnerabilities
Threat – if realized can cause damage to a system or create a loss of C.I.A.
Vulnerability – a weakness in a system that can be exploited by a threat
Threats
• Accidental loss
• Operator input error and omissions - manual input errors
• Transaction processing errors – programming errors
• Inappropriate Activities:
– Can be grounds for job action or dismissal
• Illegal Computer Operations
– Eavesdropping – sniffing, dumpster diving, social engineering
– Fraud – collusion, falsified transactions
– Theft – information or trade secrets, physical hardware and software theft
– Sabotage – Denial of Service (DoS), production delays
– External Attacks – malicious cracking, scanning, war dialing
Some Attacks to know!
• Denial-of-Service (DoS) attack: Attacker sends multiple service requests to the victim's computer until they eventually overwhelm the system.
• Man-in-the-middle attack: An intruder injects herself into an ongoing dialog between two computers to intercept and read messages
• Mail bombing: An attack used to overwhelm mail servers and clients with unrequested e-mails - DoS attack.
• Wardialing: Brute force attack in which an attacker has a program that systematically dials a large bank of phone numbers to find modems.
• Ping of death: Type of DoS attack in which oversized ICMP packets are sent to the victim.
• Fake login screens: A fake login screen is created and installed on the victim's system.
• Teardrop: Attack sends malformed fragmented packets to a victim. The victim's system crashes – can't reassemble the packets correctly.
• Slamming and cramming: When a user's service provider has been changed without that user's consent
• Traffic analysis: This is a method of uncovering information by watching traffic patterns on a network.
Vulnerabilities
Traffic/Trend Analysis – analyzing data characteristics
Countermeasures include:
• Padding Messages – making messages uniform size
• Sending Noise – transmitting non-informational data elements to disguise real data
Covert Channel Analysis – unintended channel
Data Scavenging
Piecing together information from bits of data
Keyboard Attacks – sitting at the keyboard using normal utilities to gain information
Laboratory Attack – using very precise electronic equipment
Vulnerabilities
Initial Program Load (IPL)
• Ability to put the system in single user mode at boot up
• Grants Operator powerful features
Network Address Hijacking
• Enables intruder to capture traffic for analysis or password theft
• Intruder can reroute the data output, obtain supervisory terminal function and bypass system logs.
Summary
• Operations Security involves:
– keeping up with implemented solutions,
– keeping track of changes,
– properly maintaining systems,
– continually enforcing necessary standards,
– following through on security practices & tasks.
• Security requires discipline day in and day out, sticking to a regime, and practicing due care.
Question?
Which of the following permissions should not be assigned to system operators?
a. Volume mounting
b. Changing the system time
c. Controlling job flow
d. Monitoring execution of the system
Question?
Original copies of software should reside with?
a. Media librarian
b. Software librarian
c. Security administrator
d. System administrator
Question?
When a computer is collected and then reissued to a different employee the operations manager should be concerned with?
a. Buffer overflow
b. Data remanence
c. Media reissue
d. Purging
Question?
Compensating controls are used
a. To detect errors in the system
b. When an existing control is insufficient to provide the required access
c. To augment a contingency plan
d. As a deterrent control
Question?

XYZ Corporation has created a new application for tracking customer information as well as their product database. Of the following individuals, who should be given full access and control over this application?
a. Network administrator
b. No one
c. Security administrator
d. Application developer
Question?

Which of the following describes the level that is set within a system to enable it to determine at what point activity is considered suspicious?
a. Clipping level
b. Threshold level
c. Baseline level
d. Error level
Question?

Relative humidity levels in the IT operations center should be less than?
a. 20 percent
b. 35 percent
c. 50 percent
d. 60 percent
Question?

The correlation of system time among network components is important for what purpose?
a. Availability
b. Network connectivity
c. Backups
d. Audit log review
Question?

• An operations manager is alerted to a serious situation that was the result of a security breach. As it turns out, a network segment is no longer functioning. Of the following, which would not be a possible cause?
• Smurf attack
• Network sniffer and tester
• Chosen ciphertext attack
• Fraggle attack
Question?

Patch management is a part of?
• Contingency planning
• Change control management
• Business continuity planning
• System update management
Question?

Which type of users should be allowed to use system accounts?
• Ordinary users
• Security administrators
• System administrators
• None of the above
Question?

Which group characteristic or practice should be avoided?
a. Account groupings based on duties
b. Group accounts
c. Distribution of privileges to members of the group
d. Assigning an account to multiple groups
Question?

Which of the following would be considered a detective control that could be used by the security department to detect a security violation?
• Access control log
• Intrusion prevention system
• Biometric access control
• Separation of duties
Question?

Wireless network traffic is best secured with which of the following protocols?
• Wireless Encryption Protocol (WEP)
• Wired Equivalent Privacy (WEP)
• Wi-Fi Protected Access (WPA)
• Wireless Protected Access (WPA)
Question?

XYZ Corporation has found that their employees are consistently coat-tailing into the data center. Of the following, what should be done first to begin to stop this practice?
a. Create a visitor log
b. Install biometric access control
c. Install a proximity card reader
d. Create a policy regarding access control
Question?

• Phishing is essentially another form of?
• Denial of service
• Social engineering
• Malware
• Spyware
Question?

Which level of RAID stripes data across multiple disks at the byte level and writes all parity to a separate drive?
• RAID 0
• RAID 1
• RAID 3
• RAID 4
Question?

• What measurement unit is used to describe the amount of energy necessary to reduce a magnetic field to zero?
• Reduction
• Maxwell
• Tesla
• Gauss
Question?

• Which of the following would be the best recommendation for destroying sensitive information that has been stored on a CD-ROM?
a. Degauss the CD-ROM
b. Physically destroy the CD-ROM
c. Physically alter the CD-ROM
d. Sanitize the CD-ROM
Operations Security
CISSP Review
Presented By: Bob Harren, CISSP, CCNA, CCDA