CISSP Prep Guide
Domain: Operations Security
Javier Romero, GCIA CISSP
January 2003
JaCkCast Oficiales de Seguridad
CISSP - Domain 4 - Operations Security

Topics
- Domain Definition
- Controls and Protections
  - Categories of Controls
  - Orange Book Controls
    - Covert Channel Analysis
    - Trusted Facility Management
    - Configuration/Change Management Control
  - Administrative Controls
    - Least Privilege
    - Operations Job Function Overview
    - Record Retention
    - Documentation
  - Operations Controls
    - Resource Protection
    - Hardware Controls
    - Software Controls
    - Privileged Entity Controls
    - Media Resource Protection
    - Physical Access Controls
- Monitoring and Auditing
  - Monitoring
  - Monitoring Techniques
  - Auditing
  - Security Auditing
  - Problem Management Concepts
- Threats and Vulnerabilities
  - Threats
    - Accidental Loss
    - Inappropriate Activities
    - Illegal Computer Operations
  - Vulnerabilities

1. Domain Definition
- Operations security means:
  - The act of understanding threats and vulnerabilities.
  - Implementing security controls.
- Controls can include resolving software/hardware problems.
- Triples:
  - Threat: an event that could cause damage.
  - Vulnerability: a weakness that enables a violation.
  - Asset: all resources (hardware, software, data, personnel).
- CIA: Confidentiality, Integrity, Availability.

2. Controls and Protections
- Premise: protect hardware, software and media resources from:
  - Threats in the operating environment.
  - Internal or external intruders.
  - Operators inappropriately accessing resources.
- Critical aspects of operations controls:
  - Resource protection (hardware control).
  - Privileged-entity control.

2.1. Categories of Controls
- Major categories:
  - Preventative controls (act before an event).
  - Detective controls (act after an event).
  - Corrective (or recovery) controls (restore).
- Additional categories:
  - Deterrent controls (support the other controls).
  - Application controls (designed for each application).
  - Transaction controls:
    - Input controls (ensure inputs).
    - Processing controls (check/correct processing).
    - Output controls (confidentiality/integrity).
    - Change controls (preserve data).
    - Test controls (during testing).

2.2. Orange Book Controls
- Two types of assurance:
  - Operational assurance: looks at the basic features and architecture of the system.
    Requirements (5): system architecture, system integrity, covert channel analysis, trusted facility management, trusted recovery.
  - Life cycle assurance: looks at the controls and standards used to build and maintain the system.
    Requirements (4): security testing, design specification and testing, configuration management, trusted distribution.

2.2.1. Covert Channel Analysis
- Covert storage channels convey information by changing a system's stored data.
  - E.g. changing the amount or pattern of free space on a hard disk.
  - E.g. changing the characteristics of a file.
- Covert timing channels convey information by altering the performance or modifying the timing of a system resource.
  - E.g. using the elapsed time required by an operation.
  - E.g. using the time between two events.
- Noise and traffic generation are effective countermeasures.

2.2.1. Covert Channel Classes
  CLASS       DESCRIPTION
  B2          The system must protect against covert STORAGE channels and perform a covert channel analysis of all covert storage channels.
  B3 and A1   STORAGE + TIMING: the covert channel analysis must cover BOTH.
2.2.2. Trusted Facility Management
- Assigning functions to a person (security roles):
  - For B2: separate operator and system administrator functions.
  - For B3 and A1: a separate security administrator function as well.
- Related to:
  - Least privilege.
  - Separation of duties.
  - Need to know.

2.2.2.1. Separation of Duties
- Also called segregation of duties.
- No single person has total control, so no single person can compromise the system.
- A person gets the least privilege needed to do the work, for the shortest length of time.
- A highly secure system has three roles: system administrator, security administrator and ISSO (Information System Security Officer).
- The roles are functionally different.
- Two-man control: two people review and approve each other's work.
- Dual control: two people are needed to complete a sensitive task.

2.2.2.1. Separation of Duties (continued)
- System administrator functions:
  - Install system software.
  - Start up / shut down a system.
  - Add / remove system users.
  - Perform backup / recovery.
  - Handle printers / queues.
- Security administrator functions:
  - Set user clearances, initial passwords, etc.
  - Change security profiles for users.
  - Set / change file sensitivity labels.
  - Set security characteristics of devices / communication channels.
  - Review audit data.

2.2.2.2. Rotation of Duties
- A process that may be difficult to implement, but it is an effective security control procedure.
- Lessens collusion between operators for fraudulent purposes.
- Goal: limit the time an operator spends in a given role performing a security task by rotating them to another one.

2.2.3. Trusted Recovery
- The system must not be compromised by a crash.
- Trusted recovery has two activities:
  (1) Failure preparation
    - Back up all critical files periodically.
    - Must ensure an orderly and protected data recovery.
    - Needed when the system has to be halted because of: a system problem, a missing resource, an inconsistent database, or any kind of compromise.
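Returning to the Separation of Duties slides (2.2.2.1), the following added example (not part of the original deck) turns the two function lists into checks that an auditor could run over a role assignment: a person holding both system administrator and security administrator functions, privileges beyond what the job requires, and the dual control / two-man control rules. The assignments and approval records are constructed for illustration.

```python
"""Separation of duties, least privilege and dual control checks for the
operations roles in section 2.2.2.1. The function lists per role come from
the slides; person-to-function assignments and approvals are constructed."""

# System administrator and security administrator functions (2.2.2.1).
SYSADMIN_FUNCS = {
    "install system software", "start/shut down system", "add/remove users",
    "perform backup/recovery", "handle printers/queues",
}
SECADMIN_FUNCS = {
    "set user clearance", "change security profile", "set file labels",
    "set device security characteristics", "review audit data",
}
ROLE_OF = {f: "sysadmin" for f in SYSADMIN_FUNCS}
ROLE_OF.update({f: "secadmin" for f in SECADMIN_FUNCS})


def sod_violations(assignments):
    """Return {person: sorted roles} for everyone who holds functions from
    more than one role family. assignments: {person: set of functions}.
    Someone who can both add users and review the audit data has the
    'total control' that separation of duties is meant to prevent."""
    found = {}
    for person, funcs in assignments.items():
        roles = {ROLE_OF[f] for f in funcs if f in ROLE_OF}
        if len(roles) > 1:
            found[person] = sorted(roles)
    return found


def excess_privileges(assignments, required):
    """Least privilege: functions granted beyond what the job requires.
    required: {person: set of functions the job actually needs}."""
    return {p: sorted(funcs - required.get(p, set()))
            for p, funcs in assignments.items()
            if funcs - required.get(p, set())}


def dual_control_ok(task, approvals):
    """Dual control: a sensitive task completes only once two distinct
    people have approved it; repeated approvals by one person do not
    count. approvals: list of (person, task) tuples."""
    return len({p for p, t in approvals if t == task}) >= 2


def two_man_control_ok(author, reviewer):
    """Two-man control: work is reviewed by someone other than its author."""
    return bool(author) and bool(reviewer) and author != reviewer
```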
2.2.3. Trusted Recovery (continued)
  (2) System recovery; the procedure includes:
    - Recover in single-user mode.
    - Recover all file systems.
    - Recover damaged files and databases.
    - Recover security characteristics.
    - Check security-critical files.
- The Common Criteria's hierarchical recovery types:
  - Manual recovery.
  - Automated recovery.
  - Automated recovery without undue loss.

2.2.4. Configuration/Change Management Control
- The process of tracking and approving changes: identifying, controlling and auditing changes to hardware, software, networks or other components.
- Goal: ensure that changes do not affect the system's security.
- Secures trusted systems under design and development.

2.2.4. Configuration/Change Management Control (continued)
- Functions: check the order of changes, notify, analyze, and reduce negative impact.
- Five procedures: apply, catalog, schedule, implement, report.
- Configuration management classes:
  - B2, B3: configuration/change management control is enforced while developing and maintaining the system.
  - A1: configuration/change management control is enforced over the entire system life cycle.

2.3. Administrative Controls
- Personnel security:
  - Employment screening or background checks.
  - Mandatory taking of vacation in one-week increments.
  - Job action warnings or termination.
- Separation of duties and responsibilities.
- Least privilege.
- Need to know.
- Change/configuration management controls.
- Records retention and documentation.

2.3.1. Least Privilege
- Separate the levels of access:
  - Read only.
  - Read/write.
  - Access change.

2.3.2. Operations Job Function Overview
- Overview of operational functions. Examples:
  - Computer Operator: runs the console, performs backups, records/reports problems, maintains controls.
  - Operations Analyst: works with software/application development, checks programs and computer operators.
  - Job Control Analyst: quality of production jobs, metrics, standards.
  - Production Scheduler: plans, creates and coordinates schedules of computer processing.
  - Production Control Analyst.
  - Tape Librarian.

2.3.3. Record Retention
- Record retention deals with computer files, directories and libraries.
- Data remanence:
  - Data still exists after deletion; physical traces allow reconstruction.
  - System administrators and security administrators must know about it.
- Due care and due diligence:
  - Good business practices for the organization's industry.
  - Legal requirements.

2.3.4. Documentation
- A security system needs documentation controls.
- Documents such as:
  - Security plans.
  - Contingency plans.
  - Risk analyses.
  - Security policies and procedures.
- Documents must be protected against disclosure.
- Documents must be available during disasters.

2.4. Operations Controls
- Resource protection.
- Hardware controls.
- Software controls.
- Privileged-entity controls.
- Media controls.
- Physical access controls.

2.4.1. Resource Protection
- Hardware: communications equipment, storage media, processing systems, standalone computers, printers/fax machines.
- Software: program libraries, source code, vendor software, operating system / utilities.
- Data: backups, user/password data files, operating data directories, logs/audit trails.
- Transparency: the control is flexible, requires no extra steps to use, and users need not learn much about the security control.

2.4.2. Hardware Protection
- Hardware maintenance: maintenance means physical and logical access, so it must be supervised, whether on-site, remote, or with equipment transported off-site.
- Maintenance accounts: vendor accounts with default passwords.
- Diagnostic port control: direct hardware access; to be used only by authorized personnel.
- Hardware physical control: use locks and alarms in some data processing areas.
2.4.3. Software Controls
- Antivirus management: nobody may load or execute software without supervision.
- Software testing: test new code; test upgrades too.
- Software utilities: the security policy prevents misuse of utilities.
- Safe software storage: hardware/software access controls ensure the integrity of backups.
- Backup controls: accuracy when restoring; secure backups against theft, damage and environmental problems.

2.4.4. Privileged Entity Controls
- Privileged operations functions: special access to computing resources by operators and system administrators according to their job title.
- Examples of classes of privileged operations functions:
  - Special access to system commands.
  - Access to special parameters.
  - Access to the system control program.

2.4.5. Media Resource Protection
- Media security controls, e.g.:
  - Logging.
  - Access control.
  - Proper disposal: overwrite, degauss, destruction.
- Media viability controls, e.g.:
  - Marking.
  - Handling.
  - Storage.

2.4.6. Physical Access Controls
- E.g. equipment that could need protection:
  - Hardware: control over communications / computing equipment, storage media, printed logs / reports.
  - Software: backup files, system logs, production applications, sensitive / critical data.
- Types of personnel who need special access.

3. Monitoring and Auditing
- Monitoring: techniques, mechanisms and tools.
  - Actions to identify event vectors and report information.
  - Monitor for: illegal software, hardware faults, anomalies.
- Auditing: the foundation of monitoring "controls".
  - Helps monitoring by developing patterns.

3.1. Monitoring Techniques
- Intrusion detection: intruders, traffic patterns, evidence.
- Penetration testing: sniffing, scanning/probing, demon dialing, dumpster diving, social engineering.
- Violation analysis detects violations such as:
  - Errors.
  - Exceeded privileges.
  - Many people with unrestricted access.
  - Patterns indicating serious intrusion attempts.

3.2. Security Auditing
- Two types:
  - Internal auditors: broader mandate; check compliance with standards of due care, operational cost efficiencies, and make recommendations.
  - External auditors: often Certified Public Accountants (CPAs); financial statements.
- Auditors' functions: review controls, procedures, standards, plans and implementations.

3.2.1. Audit Trails
- Help identify and resolve problems.
- Provide a historical trace.
- Enforce accountability.
- Allow events to be reconstructed.
- Logs must contain: date/time, who, terminal (from where), related events.
- The auditor must look at: reruns or rectification of jobs, operator practices.
- Note: protect audit media/reports, especially when stored off-site, against alteration and unavailability.

3.3.3. Problem Management Concepts
- Problem management is the way to control the process of problem isolation and problem resolution.
- Goals: reduce failures to an acceptable level of risk, prevent recurrence of problems, mitigate impacts.
- How to implement: define potential problem areas; define the abnormal events to be investigated.

4. Threats and Vulnerabilities
- Threats are events that can cause damage or create a loss of confidentiality, integrity or availability.
  - Can be malicious: e.g. file modification.
  - Can be accidental: e.g. accidental deletion of a file.
- Vulnerabilities: weaknesses that can be exploited by a threat.
  - Reducing vulnerabilities reduces risk and the impact of threats.

4.1. Threats
- Accidental loss:
  - Lack of training or proficiency.
  - Operator input errors and omissions.
  - Malfunctioning application processing procedures.
  - Transaction processing errors.
- Inappropriate activities:
  - Inappropriate content.
  - Waste of corporate resources.
  - Sexual or racial harassment.
  - Abuse of privileges or rights.

4.1. Threats (continued)
- Illegal computer operations and intentional attacks:
  - Eavesdropping: sniffing, dumpster diving, shoulder surfing, data scavenging, trend analysis, social engineering.
  - Fraud: altering data integrity, collusion.
  - Theft: hardware/software theft, trade secrets.
  - Sabotage: denial of service, delays of production.
  - External attack: demon dialing, scanning, probing, viruses, etc.

4.2. Vulnerabilities
- Traffic/trend analysis.
- Maintenance accounts.
- Data scavenging attacks.
- IPL (initial program load) vulnerabilities.
- Network address hijacking.
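Returning to the Monitoring Techniques and Audit Trails slides (3.1 and 3.2.1), the following added example (not part of the original deck) parses an audit trail whose records carry the fields the slides require (date/time, who, terminal, related event) and runs a violation analysis over it for the three violation types listed: errors, exceeded privileges, and many people with unrestricted access. The log format, user names and thresholds are constructed here; the thresholds play the role of clipping levels, a term the slides do not use.

```python
"""Violation analysis over an audit trail (sections 3.1 and 3.2.1).
Added example: log format, users and thresholds are constructed."""
import re
from collections import Counter

# Constructed sample audit trail: date/time, who, terminal, event.
AUDIT_LOG = """\
2003-01-15 09:12:03 who=ana term=tty3 event=LOGIN_FAIL
2003-01-15 09:12:09 who=ana term=tty3 event=LOGIN_FAIL
2003-01-15 09:12:15 who=ana term=tty3 event=LOGIN_OK
2003-01-15 09:20:41 who=bob term=tty7 event=LOGIN_FAIL
2003-01-15 09:20:47 who=bob term=tty7 event=LOGIN_FAIL
2003-01-15 09:20:52 who=bob term=tty7 event=LOGIN_FAIL
2003-01-15 09:20:58 who=bob term=tty7 event=LOGIN_FAIL
2003-01-15 10:02:11 who=cy term=con0 event=PRIV_CMD cmd=adduser
2003-01-15 10:05:30 who=bob term=tty7 event=PRIV_CMD cmd=shutdown
"""
LINE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) who=(?P<who>\S+) "
                  r"term=(?P<term>\S+) event=(?P<event>\S+)(?: cmd=(?P<cmd>\S+))?$")


def parse_audit(text):
    """Return (records, malformed): one dict per well-formed line, plus a
    count of lines that do not match the format (an error in its own right)."""
    records, malformed = [], 0
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            records.append(m.groupdict())
        else:
            malformed += 1
    return records, malformed


def violation_analysis(records, privileged, clip_fail=3, clip_priv_users=1):
    """Report the three violation types from section 3.1 using thresholds:
    errors      -> users with clip_fail or more failed logins
    exceeded    -> privileged commands by users outside `privileged`
    unrestricted-> more than clip_priv_users distinct users ran privileged commands"""
    fails = Counter(r["who"] for r in records if r["event"] == "LOGIN_FAIL")
    priv_by = {}
    for r in records:
        if r["event"] == "PRIV_CMD":
            priv_by.setdefault(r["who"], []).append((r["time"], r["term"], r["cmd"]))
    return {
        "errors": {u: n for u, n in fails.items() if n >= clip_fail},
        "exceeded_privilege": {u: c for u, c in priv_by.items() if u not in privileged},
        "unrestricted_access": sorted(priv_by) if len(priv_by) > clip_priv_users else [],
    }
```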