CISSP Prep Guide

Domain: Operations Security
Javier Romero, GCIA CISSP
January 2003
Topics
JaCkCast
Oficiales de Seguridad
- Domain Definition
- Controls and Protections
  - Categories of Controls
  - Orange Book Controls
    - Covert Channel Analysis
    - Trusted Facility Management
    - Configuration/Change Management Control
  - Administrative Controls
    - Least Privilege
    - Operations Job Function Overview
    - Record Retention
    - Documentation
  - Operations Controls
    - Resource Protection
    - Hardware Controls
    - Software Controls
    - Privileged Entity Controls
    - Media Resource Protection
    - Physical Access Controls
- Monitoring and Auditing
  - Monitoring
    - Monitoring Techniques
  - Auditing
    - Security Auditing
  - Problem Management Concepts
- Threats and Vulnerabilities
  - Threats
    - Accidental Loss
    - Inappropriate Activities
    - Illegal Computer Operations
  - Vulnerabilities
CISSP - Domain 4 - Operations Security
1. Domain Definition
- Operations security means:
  - The act of understanding threats and vulnerabilities
  - Implementing security controls
  - Controls can include resolving software/hardware problems
- Triples
  - Threat: an event that could cause damage
  - Vulnerability: a weakness that enables a violation
  - Asset: all resources (hardware, software, data, personnel)
- CIA
  - Confidentiality, Integrity, Availability

2. Controls and Protections
- Premise: protect hardware, software and media resources from:
  - Threats in an operating environment
  - Internal or external intruders
  - Operators inappropriately accessing resources
- Critical aspects of operations controls:
  - Resource protection (hardware control)
  - Privileged-entity control

2.1. Categories of Controls
Major categories:
- Preventative Controls (before)
- Detective Controls (after)
- Corrective (or Recovery) Controls (restore)
Additional categories:
- Deterrent Controls (support others)
- Application Controls (designed for each application)
- Transaction Controls:
  - Input Controls (ensure inputs)
  - Processing Controls (check/correct process)
  - Output Controls (confidentiality/integrity)
  - Change Controls (preserve data)
  - Test Controls (during testing)

2.2. Orange Book Controls
- 2 types of assurance:
  - Operational assurance, see:
    - basic features and architecture
    - Requirements (5):
      - System architecture
      - System integrity
      - Covert channel analysis
      - Trusted facility management
      - Trusted recovery
  - Life cycle assurance, see:
    - controls / standards to build / to maintain a system
    - Requirements (4):
      - Security testing
      - Design specification and testing
      - Configuration management
      - Trusted distribution

2.2.1. Covert Channel Analysis
- Covert storage channels, convey:
  - By changing a system's stored data.
  - E.g. changing the amount / patterns of free space on the HDD.
  - E.g. changing the characteristics of a file.
- Covert timing channels
  - By altering the performance or modifying the timing of a system resource.
  - E.g. using the elapsed time required by an operation.
  - E.g. using the time between 2 events.
- Noise and traffic generation, effective to combat

2.2.1. Covert Channel Classes
CLASS        DESCRIPTION
B2           System must protect against covert STORAGE channels. It must perform a covert channel analysis of all covert storage channels.
B3 and A1    STORAGE + TIMING, analysis of BOTH

2.2.2. Trusted Facility Management
- Assign functions to a person (security roles)
  - Just for B2 (operator and sys admin)
  - Just for B3 and A1 (security admin)
- Related to:
  - Least privilege
  - Separation of duties
  - Need to know

2.2.2.1. Separation of Duties
- Also called segregation of duties
- No single person:
  - has total control
  - can compromise the system
- A person works with least privilege, for a short length of time
- A highly secure system has 3 roles:
  - sysadmin, secadmin, ISSO
- Roles are functionally different
- Two-man control: 2 men review/approve each other's work
- Dual control: 2 men are needed to complete a sensitive task
- Sys admin functions:
  - Install system software
  - Start/shut down a system
  - Add/remove sys users
  - Perform backup/recovery
  - Handle printers/queues
- Sec admin functions:
  - Set user clearance, initial password, etc.
  - Change security profile for users
  - Set/change file sensitivity labels
  - Set security characteristics of devices/comm. channels
  - Review audit data

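
An added example, not part of the original slides: a small audit of role assignments that flags any user holding both sys admin and sec admin functions, plus a dual-control check. The function labels, user names and sample assignments are constructed for illustration.

```python
# Added example: separation-of-duties audit over role assignments.
# The labels below are constructed names for the sys admin and
# sec admin functions listed on the slide.
SYSADMIN_FUNCS = {"install_software", "start_shutdown", "manage_users",
                  "backup_recovery", "printer_queues"}
SECADMIN_FUNCS = {"set_clearance", "change_security_profile",
                  "set_file_labels", "set_device_security", "review_audit"}

# Constructed sample data: user -> functions the user may perform.
ASSIGNMENTS = {
    "alice": {"install_software", "backup_recovery"},
    "bob": {"set_clearance", "review_audit"},
    "carol": {"manage_users", "review_audit"},  # mixes both roles
    "dave": {"set_clearance"},
}


def sod_violations(assignments):
    """Return {user: (sys funcs, sec funcs)} for every user who holds
    functions from BOTH role sets, i.e. the roles are not separated."""
    bad = {}
    for user, funcs in assignments.items():
        sys_held = funcs & SYSADMIN_FUNCS
        sec_held = funcs & SECADMIN_FUNCS
        if sys_held and sec_held:
            bad[user] = (sorted(sys_held), sorted(sec_held))
    return bad


def dual_control_ok(participants, assignments, func):
    """Dual control: the task completes only if at least two DISTINCT
    participants are each authorized for the function."""
    authorized = {p for p in participants
                  if func in assignments.get(p, set())}
    return len(authorized) >= 2


if __name__ == "__main__":
    print(sod_violations(ASSIGNMENTS))
    print(dual_control_ok(["bob", "dave"], ASSIGNMENTS, "set_clearance"))
```
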
2.2.2.2 Rotation of Duties
- It is a process that may be difficult to implement, but it is an effective security control procedure.
- Lessens collusion between operators for fraudulent purposes.
- Goal: limit the time an operator spends in a role performing a security task before changing to another one.

2.2.3. Trusted Recovery
- The system must not be compromised by a crash.
- Trusted recovery has 2 activities:
- (1) Failure Preparation
  - Back up all critical files periodically.
  - Must ensure an ordered/protected data recovery
  - Needed when the system needs to be halted:
    - A system problem,
    - A missing resource,
    - An inconsistent database,
    - Any kind of compromise.
- (2) System Recovery, procedure includes:
  - Recover in single user mode
  - Recover all file systems
  - Recover damaged files + DB
  - Recover security characteristics
  - Check security critical files
- Common Criteria's hierarchical recovery types:
  - Manual Recovery
  - Automated Recovery
  - Automated Recovery without Undue Loss

2.2.4. Configuration/Change Management Control
- Process of tracking and approving changes: identifying, controlling and auditing changes to hardware, software, network or others.
- Goal = ensure changes don't affect the system's security.
- Secure trusted systems under design/development
- Functions:
  - Check order, notify, analyze, reduce negative impact
- 5 procedures:
  - Apply, Catalog, Schedule, Implement, Report
- Configuration management classes:
  - B2, B3: configuration/change management control enforced to develop and maintain the system
  - A1: configuration/change management control enforced over the entire system life cycle

2.3. Administrative Controls
- Personnel Security
  - Employment Screening or Background Checks
  - Mandatory Taking of Vacation in One Week Increments
  - Job Action Warnings or Termination
- Separation of Duties and Responsibilities
- Least Privilege
- Need to Know
- Change/Configuration Management Controls
- Records Retention and Documentation

2.3.1. Least Privilege
- Separate the access levels:
  - Read Only
  - Read/Write
  - Access Change

2.3.2. Operations Job Function Overview
- Overview of operational functions. Examples:
  - Computer Operator
    - Run console, backup, record/report problems, maintain controls.
  - Operations Analyst
    - Work Soft/Dev app, check program / comp. operators.
  - Job Control Analyst
    - Quality of production jobs, metrics, standards.
  - Production Scheduler
    - Plan/create/coordinate schedules of computer processes.
  - Production Control Analyst
  - Tape Librarian

2.3.3. Record Retention
- Record retention deals with computer files, directories, and libraries.
- Data Remanence
  - Data still exists. Physical traces. Reconstruction.
  - SysAdmin + SecAdmin must know about it.
- Due Care and Due Diligence
  - Good business practices -> organization's industry.
  - Legal requirements.

2.3.4. Documentation
- A security system needs documentation controls.
- Docs such as:
  - Security plans
  - Contingency plans
  - Risk analyses
  - Security policies
  - Procedures
- Docs must be protected against disclosure.
- Docs must be ready in disasters.

2.4. Operations Controls
- Resource Protection
- Hardware controls
- Software controls
- Privileged-entity controls
- Media controls
- Physical access controls

2.4.1. Resource Protection
- Hardware:
  - Communications, storage media, processing systems, standalone computers, printers/fax
- Software:
  - Program libraries, source code, vendor software, OS / utilities
- Data:
  - Backups, user/password data files, operating data directories, logs/audit trails
- Transparency:
  - Flexible; no extra steps to use; no need to learn too much about the security control.

2.4.2 Hardware Protection
- Hardware Maintenance
  - Maintenance = physical + logical access; it must be:
  - Supervised for on-site, remote or transported work.
- Maintenance Accounts
  - Vendor accounts w/default passwords.
- Diagnostic Port Control
  - Direct hardware access. Used only by authorized personnel.
- Hardware Physical Control
  - Use locks and alarms in some data processing areas.

2.4.3. Software Controls
- Antivirus management
  - Nobody must load/execute software without supervision
- Software testing
  - Test w/new code. Test w/upgrades too.
- Software utilities
  - Security policy prevents misuse of utilities.
- Safe software storage
  - Hardware/software access controls ensure integrity of backups.
- Backup controls
  - Accurate restoring; secure backups against theft, damage, environmental problems.

2.4.4. Privileged Entity Controls
- = privileged operations functions.
- Special access to computing resources by operators and sys admins according to their job title.
- Examples of classes of privileged operations functions:
  - Special access to system commands
  - Access to special parameters
  - Access to the system control program

2.4.5. Media Resource Protection
- Media Security Controls, e.g.
  - Logging
  - Access Control
  - Proper Disposal: Overwrite, Degauss, Destruction.
- Media Viability Controls, e.g.
  - Marking
  - Handling
  - Storage

2.4.6. Physical Access Controls
- E.g. equipment which could need protection:
  - Hardware control over
    - Communications / computing equipment
    - Storage media
    - Printed logs / reports
  - Software
    - Backup files, system logs
    - Production applications, sensitive / critical data
- Types of personnel who have special access.

3. Monitoring and Auditing
- Monitoring
  - Techniques, mechanisms, tools.
  - Actions to identify an event's vectors / report info.
  - Monitor: illegal software, hardware faults, anomalies.
- Auditing
  - It is the foundation of monitoring "controls"
  - Helps monitoring to develop patterns.

3.1. Monitoring Techniques
- Intrusion Detection
  - Intruders, traffic patterns, evidence.
- Penetration Testing
  - Sniffing, scanning/probing, demon dialing
  - Dumpster diving, social engineering
- Violation Analysis, detects violations such as:
  - Errors, exceeded privileges,
  - Many people w/unrestricted access.
  - Patterns w/serious intrusion attempts

3.2. Security Auditing
- Two types
  - Internal auditors
    - More mandate
    - Check compliance/standards of due care, operational cost-efficiencies, recommendations
  - External auditors
    - Often = Certified Public Accountants (CPAs)
    - Financial statements
- Auditors' functions, review:
  - Controls, procedures, standards, plans / implementations.

3.2.1. Audit Trails
- Let you identify/resolve problems. Historical trace.
- Enforce accountability. Let you reconstruct events.
- Logs must contain:
  - Date/Time, Who, Terminal (from), Related events.
- Auditor must look at:
  - Reruns or rectification of jobs, practices of the operator
- Note: protect audit media/reports:
  - When storage is off-site, against alteration / unavailability.

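
An added example, not part of the original slides: checking an audit trail for records that lack the fields listed above, and for job reruns an auditor would want to review. The key=value record format, field names and sample records are constructed for illustration.

```python
from collections import Counter

# Constructed field names for: Date/Time, Who, Terminal (from), event.
REQUIRED = ("time", "who", "terminal", "event")

# Constructed sample audit trail; the key=value layout is an assumption.
SAMPLE = """\
time=2003-01-14T02:00:05 who=op1 terminal=tty3 event=job_start job=PAYROLL
time=2003-01-14T02:41:10 who=op1 terminal=tty3 event=job_abend job=PAYROLL
time=2003-01-14T02:45:00 who=op1 terminal=tty3 event=job_start job=PAYROLL
time=2003-01-14T03:10:22 who=op2 event=job_start job=BILLING
time=2003-01-14T03:30:00 who=op2 terminal=tty5 event=job_start job=LEDGER
"""


def parse(line):
    """Split one 'k=v k=v' record into a dict, skipping malformed tokens."""
    return dict(p.split("=", 1) for p in line.split() if "=" in p)


def incomplete_records(text):
    """Return (line number, missing fields) for each record that cannot
    support accountability because a required field is absent or empty."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        rec = parse(line)
        missing = [f for f in REQUIRED if not rec.get(f)]
        if missing:
            out.append((n, missing))
    return out


def reruns(text):
    """Return {(job, operator): start count} for jobs started more than once."""
    starts = Counter()
    for line in text.splitlines():
        rec = parse(line)
        if rec.get("event") == "job_start":
            starts[(rec.get("job"), rec.get("who"))] += 1
    return {k: v for k, v in starts.items() if v > 1}


if __name__ == "__main__":
    print(incomplete_records(SAMPLE))
    print(reruns(SAMPLE))
```
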
3.3.3. Problem Management Concepts
- PM is the way to control the process:
  - Of problem isolation / problem resolution
- Goal:
  - Reduce failures (acceptable risk), prevent recurrence of problems, mitigate impacts
- How to implement:
  - Define potential problem areas.
  - Define abnormal events to be investigated.

4. Threats and Vulnerabilities
- Threats = events
  - Can cause damage / create loss of CIA
  - Can be malicious: file modification
  - Can be accidental: accidental deletion of a file
- Vulnerabilities
  - Weaknesses that can be exploited by a threat.
  - Reducing vulnerabilities reduces risk + impact of threats

4.1. Threats
- Accidental Loss
  - Lack of training/proficiency
  - Operator input errors and omissions
  - Malfunctioning of application processing procedures
  - Transaction processing errors
- Inappropriate Activities
  - Inappropriate Content
  - Waste of Corporate Resources
  - Sexual or Racial Harassment
  - Abuse of Privilege or Rights
- Illegal Computer Operations and Intentional Attacks
  - Eavesdropping, sniffing, dumpster diving, shoulder surfing, data scavenging, trend analysis, social engineering
  - Fraud, altering of data integrity, collusion
  - Theft, hw/sw theft, trade secrets
  - Sabotage, DoS, delays of production
  - External attack, demon dialing, scanning, probing, virus, etc.

4.2. Vulnerabilities
- Traffic/Trend Analysis
- Maintenance Accounts
- Data Scavenging Attacks
- IPL Vulnerabilities
- Network Address Hijacking