Addis Ababa University
Faculty of Science, Department of Computer Science
COSC 6301 – Computer Security
Chapter 4 – Operational Controls
By Girum Ketema (PhD)
Girumk@gmail.com
Girum.ketema@ju.edu.et

Outline
• Human Resource
• Contingencies and Disaster Preparedness
• Computer Security Incident Handling
• Awareness
• Security Considerations
• Physical and Environmental Security

Personnel
• Many issues in computer security involve
  • End users
  • Designers
  • Implementers
  • Managers
• Many security issues relate to how these individuals interact with computers and the access and authorities they need to do their job.

Staffing
• The staffing process involves four steps:
  • Defining the position (job description)
  • Determining the sensitivity of the position
  • Filling the position
  • Training
• This process applies to all types of employees.

Staffing – Defining the Position
• When defining a position, the security issues associated with it shall be identified.
• After a position has been broadly defined, the responsible supervisor should determine the type of computer access needed for the position.
• There are two general principles to apply when granting access:
  • Separation of duties
    • Dividing roles and responsibilities so that a single individual cannot sabotage a critical process.
    • Important for setting up a system of checks and balances
  • Least privilege
    • The security objective of granting users only those accesses they need to perform their official duties.
    • Helps limit accidental damage caused by employees

Staffing – Determining Position Sensitivity
• Determining how sensitive a position is helps an organization decide how strict the screening process should be.
• Knowledge of the duties and required access levels is important for determining sensitivity.
• Various levels of sensitivity can be introduced in an organization.
• Factors to be considered include
  • Type of harm
  • Degree of harm
  • Access to classified information
  • Fiduciary responsibilities
• Excess control wastes resources; too little control increases risk.

Staffing – Screening and Selection
• Vacancy announcement and application process
• Recommendation-based employment is also possible
• More sensitive positions require a more thorough pre-employment background check
• For less sensitive positions, post-entry screening can be done
• It is more effective to use separation of duties and least privilege to limit the sensitivity of the position than to rely on screening to reduce the risk to the organization.

Staffing – Employee Training and Awareness
• This is a continuous process
• Training shall include computer security responsibilities
• Two options are available:
  • Initial security training before employees are given any access to computer systems, or
  • Giving employees restricted access (e.g. to their own PC) until training is completed
• More intensive training should be given periodically

User Administration
• Effective administration of users' computer access is essential to maintaining system security.
• User account management focuses on identification, authentication, and access authorizations.
• Account management shall be augmented with auditing.
• Access must be modified or removed in a timely manner, together with the associated issues, for employees who are reassigned, promoted, terminated, or who retire.
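As an added worked example (not from the slides), the checks that the staffing and user-administration slides call for, separation of duties, least privilege, and timely modification or removal of access after temporary cover or termination, run over constructed account records. The role model, user names and one-year review interval are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed role model (hypothetical names): privileges each role needs
# (least-privilege baseline) and role pairs one person must never hold together.
ROLE_PRIVILEGES = {
    "clerk": {"ledger.read", "ledger.post"},
    "approver": {"ledger.read", "ledger.approve"},
    "auditor": {"ledger.read", "audit.read"},
}
CONFLICTING_ROLES = [frozenset({"clerk", "approver"})]
REVIEW_DATE = date(2024, 3, 1)   # date on which the review is run
@dataclass
class Account:
    user_id: str
    roles: set
    privileges: set
    active: bool
    employed: bool                  # False once HR records a termination
    temp_grant: dict = field(default_factory=dict)  # privilege -> expiry date
    last_review: date = None        # last management authorization of the access
def review_accounts(accounts, today):
    """Return (user_id, finding) pairs for the management-review checks."""
    findings = []
    for a in accounts:
        needed = set().union(*(ROLE_PRIVILEGES.get(r, set()) for r in a.roles))
        if not a.employed and a.active:
            findings.append((a.user_id, "active account after termination"))
        # Temporary access (e.g. covering for a colleague) that was never reverted
        for priv, expiry in a.temp_grant.items():
            if expiry < today and priv in a.privileges:
                findings.append((a.user_id, f"expired temporary access: {priv}"))
        # Least privilege: anything beyond the role baseline and temporary grants
        for priv in sorted(a.privileges - needed - set(a.temp_grant)):
            findings.append((a.user_id, f"excess privilege: {priv}"))
        for pair in CONFLICTING_ROLES:
            if pair <= a.roles:
                findings.append((a.user_id, "separation of duties: " + "+".join(sorted(pair))))
        # Management authorization older than a year counts as out of date
        if a.active and (a.last_review is None or (today - a.last_review).days > 365):
            findings.append((a.user_id, "review overdue"))
    return findings
def sample_accounts():
    """Constructed sample records; in practice these come from the directory and HR."""
    return [
        Account("alice", {"clerk"}, {"ledger.read", "ledger.post"}, True, True,
                last_review=date(2023, 12, 1)),
        Account("bob", {"clerk"}, {"ledger.read", "ledger.post", "ledger.approve"}, True, True,
                temp_grant={"ledger.approve": date(2024, 1, 15)}, last_review=date(2024, 1, 1)),
        Account("carol", {"clerk", "approver"}, {"ledger.read", "ledger.post", "ledger.approve"},
                True, True, last_review=date(2022, 6, 1)),
        Account("dave", {"auditor"}, {"ledger.read", "audit.read", "ledger.post"}, True, False,
                last_review=date(2023, 11, 1)),
    ]
```

Running `review_accounts(sample_accounts(), REVIEW_DATE)` flags bob's expired cover access, carol's conflicting roles and overdue review, and dave's still-active account and extra privilege; alice produces no findings.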
User Admin – User Account Management
• User account management involves
  • The process of requesting, issuing, and closing user accounts
  • Tracking users and their respective access authorizations
  • Managing these functions
• There is a set of processes to be followed to get access to a system
• The request must also specify the access level
• Users will be given
  • An account identifier, e.g. a user ID
  • A means of authentication, e.g. a password, PIN, or card

User Admin – User Account Management
• User IDs may be attached to positions, or groups may be used to give the same access privileges to people in the same position
• Training should be given about the security issues associated with the accounts
• User account management is a continuous process:
  • Creation of new accounts
  • Deletion of accounts (when employees retire or leave)
  • Modification (when employees are reassigned)
  • Creation of new applications
• The manager shall report any change to the application managers / security experts

User Admin – Management Review
• It is necessary to review user account management on a system.
• Such reviews may examine
  • The level of access each individual has
  • Conformity with the concept of least privilege
  • Whether all accounts are still active
  • Whether management authorizations are up to date
  • Whether required training has been completed
• Such a management review can be done by
  • In-house system personnel (self-audit)
  • The organization’s internal auditor
  • An external auditor

User Admin – Detecting Unauthorized/Illegal Activities
• Detecting unauthorized or illegal activities is one of the functions of a system team
• Mostly, auditing and analysis of audit trails are used to identify illegal activities
• Other methods may also be used to detect unauthorized activities
  • Example: tracking an employee's activities (outside the system)

User Admin – Temporary Assignments and In-house Transfers
• One significant aspect of managing a system involves keeping user access authorizations up to date.
• Access authorizations are changed under two types of circumstances:
  • Change in job role
    • Temporarily (e.g., while covering for an employee on sick leave) or
    • Permanently (e.g., after an in-house transfer)
  • Termination
• Failure to change temporary access authorizations back to their original form after the job is completed contradicts the principle of least privilege

User Admin – Termination
• When the contract of an employee is terminated, the access authorization shall also be terminated.
• The termination can be
  • Friendly – voluntary transfer or retirement
  • Unfriendly – involuntary transfer or dismissal
• Friendly termination
  • A standard set of procedures will be followed to remove the account (e.g. during clearance)
  • Managers must ensure data availability after the employee has left
  • Confidentiality must be ensured
• Unfriendly termination
  • More complicated, as the employee may create havoc
  • System access shall be terminated as quickly as possible
  • Physical removal from the office may also be necessary

Public Access Considerations
• Many systems may have to be accessed by the public
• Additional security measures are required, since security threats arise from
  • Increased threats against public access systems
  • The difficulty of security administration
• It is recommended to segregate information available to the general public from information for internal users
• Both internal users and external hackers may attempt to breach the security of our system

Contingencies
• A computer security contingency is an event with the potential to disrupt computer operations
  • Example: a power outage, hardware failure, fire, or storm.
• If the event is very destructive, it is often called a disaster.
• Contingency planning – early steps taken to avert potential contingencies and disasters or to minimize the damage
  • It is closely related to incident handling.
• Contingency planning may be done in multiple steps:
  • Step 1. Identifying the mission- or business-critical functions.
  • Step 2. Identifying the resources that support the critical functions.
  • Step 3. Anticipating potential contingencies or disasters.
  • Step 4. Selecting contingency planning strategies.
  • Step 5. Implementing the contingency strategies.
  • Step 6. Testing and revising the strategy.

Step 1. Identifying the mission- or business-critical functions.
• Protecting an organization from disaster is very difficult if the critical areas are not identified
• The definition of an organization’s critical mission or business functions is often called a business plan.
• Business plans support contingency plans by identifying critical functions and prioritizing them
• A fully redundant capability for each function is prohibitively expensive for most organizations.
• In the event of a disaster, certain functions will not be performed.
• If appropriate priorities have been set, it could mean the difference in the organization’s ability to survive a disaster.

Step 2. Identifying the resources that support the critical functions.
• Identification of resources includes
  • Identifying which supporting resources are available
  • The time frame of the availability of the resources (e.g. one time, continuously, every month, …)
  • The effect of unavailability of the resource on the business
• Common issues with identification
  • Different managers may oversee different resources and may not know how the resources interact to support the critical business
  • Contingency planning should address all the resources needed to perform a function, regardless of whether they directly relate to a computer.
  • Not all resources are related to computers

Step 2. Resources that support …

Step 3. Anticipating potential contingencies or disasters.
• Identify a likely range of problems.
• The development of scenarios will help an organization develop a plan to address the wide range of things that can go wrong.
• Scenarios should include small and large contingencies.
• Creating scenarios takes imagination, creativity, and research
• Scenarios should address all resources identified in Step 2
  • Human resources: Can people get to work? Are key personnel willing to cross a picket line? Are there critical skills and knowledge possessed by one person? Can people easily get to an alternative site?
  • Processing capability: Are the computers harmed? What happens if some of the computers are inoperable, but not all?
  • Automated applications and data: Has data integrity been affected? Is an application sabotaged? Can an application run on a different processing platform?
  • Computer-based services: Can the computers communicate? To where? Can people communicate? Are information services down? For how long?
  • Infrastructure: Do people have a place to sit? Do they have equipment to do their jobs? Can they occupy the building?
  • Documents/paper: Can needed records be found? Are they readable?

Step 4. Selecting contingency planning strategies.
• The next step is to plan how to recover needed resources.
• It is necessary to consider what controls are in place to prevent and minimize contingencies.
• Since no set of controls can cost-effectively prevent all contingencies, it is necessary to coordinate prevention and recovery efforts
• A contingency planning strategy consists of three parts:
  • Emergency response – the initial actions taken to protect lives and limit damage.
  • Recovery – the steps that are taken to continue support for critical functions.
  • Resumption – the return to normal operations
• The selection of a strategy needs to be based on practical considerations, including feasibility and cost.

Step 4 – Selecting … (Factors)
• Human resources
  • To ensure an organization has access to workers with the right skills and knowledge, training and documentation of knowledge are needed.
• Processing capability
  • Hot site – a building already equipped with processing capability and other services.
  • Cold site – a building for housing processors that can be easily adapted for use.
  • Redundant site – a site equipped and configured exactly like the primary site.
  • Reciprocal agreement – an agreement that allows two organizations to back each other up.
  • Hybrids – any combination of the above, such as having a hot site as a backup in case a redundant or reciprocal-agreement site is damaged by a separate contingency

Step 4 – Selecting … (Factors)
• Automated applications and data
  • The primary contingency strategy for applications and data is regular backup and secure off-site storage.
  • Important decisions to be addressed include
    • how often the backup is performed
    • how often it is stored off-site
    • how it is transported
• Computer-based services
  • Service providers may offer contingency services.
  • Traffic can be rerouted
  • Communication services may be purchased from multiple providers
• Physical infrastructure
  • Additional space at hot or cold sites
• Documentation
  • Backup of documentation and paper stored off-site

Step 5. Implementing the contingency strategies.
• Make appropriate preparations, document the strategies, and train employees.
• Implementation
  • An important part of any contingency plan
  • Proper documentation shall be available
  • Important issues:
    • (1) How many plans? – one organizational plan vs. separate plans for each system or application
    • (2) Who prepares the plans? – a centralized coordinator vs. functional and resource managers
• Documenting
  • The contingency plan must be updated regularly and should be kept in a safe place
• Training
  • Employees must be regularly trained on the contingency plan

Step 6. Testing and revising the strategy.
• Contingency plans shall be tested continuously to check that everything is working
• The extent and frequency of testing will vary between organizations and among systems.
• There are several types of testing
  • Reviews – a simple test to check the accuracy of contingency plan documentation.
  • Analyses – may be performed on the entire plan or portions of it, such as emergency response procedures.
  • Simulations of disasters

Computer Security Incidents
• A computer security incident is an event that can result from a computer virus, other malicious code, or a system intruder, either an insider or an outsider.
• Examples of computer security incidents:
  • Corrupted data files
  • Hacking
  • Viruses
  • Natural disasters
• Incident handling is closely related to contingency planning as well as to support and operations.
• Organizations should develop an incident handling capability

Benefits of an Incident Handling Capability
• Major benefits
  • Containing and repairing damage from incidents
  • Preventing future damage
• Side benefits
  • Uses of threat and vulnerability data
  • Enhancing internal communications and organization preparedness
  • Enhancing the training and awareness program

Characteristics of a Successful Incident Handling Capability
• Understanding of the constituency it will serve
• Educated constituency
• Means for centralized communications
• Expertise in the requisite technologies
• Links to other groups to assist in incident handling (as needed)

Technical Support for Incident Handling
• Communications for centralized reporting of incidents
  • Call centers
• Rapid communication facilities
  • Email
  • SMS
  • …
• Secure communication facilities
  • Encryption

Awareness, Training, Education
• A computer security awareness and training program should be aimed at
  • Bringing about behavioral change
  • Ensuring accountability
  • Increasing awareness
• Awareness and training programs include
  • Awareness
  • Training
  • Education

Awareness vs. Training vs. Education

Implementation of Awareness and Training Programs
• Step 1: Identify Program Scope, Goals, and Objectives.
• Step 2: Identify Training Staff.
• Step 3: Identify Target Audiences.
• Step 4: Motivate Management and Employees.
• Step 5: Administer the Program.
• Step 6: Maintain the Program.
• Step 7: Evaluate the Program.

Important Security Considerations
• User support
• Software support
• Configuration management
• Backups
• Media controls
• Documentation
• Maintenance

Security Considerations …
• User support
  • Takes place through a help desk
  • Help desks can support an entire organization, a subunit, a specific system, or a combination of these.
  • User support technicians must be able to identify which problems are related to security
• Software support
  • Controlling what software can be used
  • Ensuring that software has not been modified without proper authorization
  • Licensing of software
• Configuration management
  • The process of keeping track of changes to the system and, if needed, approving them.
  • We must ensure that configuration changes do not affect security

Security Considerations …
• Backups
  • Backups must be secured just like the originals
• Media controls
  • Controlling the use of CDs, backup tapes and memory sticks
  • Activities:
    • Marking
    • Logging
    • Integrity verification
    • Physical access protection
• Documentation
  • All aspects of support and operation activities must be documented
• Maintenance
  • Maintenance may introduce security vulnerabilities and must be addressed

Security Risks to be Considered
• Interruptions in providing computer services
• Physical damage
• Unauthorized disclosure of information
• Loss of control over system integrity
• Physical theft
Physical and Environmental Security
• Physical access controls
• Fire safety
• Supporting utilities
• Structural collapse
• Plumbing leaks
• Interception of data
• Mobile and portable systems