Information Assurance for the Enterprise: A Roadmap to Information Security, by Schou and Shoemaker
McGraw-Hill/Irwin. Copyright © 2007 by The McGraw-Hill Companies, Inc. All rights reserved.

Chapter 5
Maintaining Security of Operations
Objectives
• Establish routine security of operations
• Create a dependable operational security process
• Ensure operational response to incidents
Security of Operations
• A critical part of the information assurance lifecycle
• Ensures integrity and performance
• The process involves actions such as:
  • Ensuring that current operating procedures are properly aligned with the organization's security policies
  • Monitoring the performance of assigned security duties to confirm that they correspond to proper processes
  • Defining and executing operational housekeeping processes to ensure that the security function continues to operate properly
Aims: Aligning Purpose with Practice
• Information assurance goals must be satisfied for the organization to be secure
• Factors that can affect this process include changes in:
  • The people who use the system, or their motivations
  • The types of systems interconnected with the organization's systems
  • The type or sensitivity of data
  • The way the organization does business, or the type of business it conducts
  • The rigor and extent of information assurance objectives
  • The organizational risk model and risk tolerance approach
Aims: Aligning Purpose with Practice
• If an information assurance goal is not being met, the organization performs a risk assessment/risk mitigation process to decide how to meet it
Threat Response: Keeping the Organization on Its Toes
• Threat response is either proactive or reactive
• Proactive activities include:
  • Identification of threats and vulnerabilities
  • Creation, assessment, and optimization of security solutions
  • Implementation of controls to protect the software and the information
• Reactive activities include:
  • Detecting and reacting to external or internal intrusions or security violations in a timely manner
Staying Alert: Elements of the Operational Security Process
• The operational security process is composed of principles
• These principles represent the primary functions of the operational security process: sensing, analyzing, responding, and managing
Sensing: Understanding the Threat
Operational sensing is proactiveMust be performed continuously Implemented and run by defined policies,
procedures, tools, and standardsMonitors, tests, and assesses the environment,
to detect vulnerabilities and security violationsIdentifies and resolves threats as they arise Reviews monitor and evaluate management and
end-user behavior
5-5-99
Sensing: Understanding the Threat
• Security assurance requires documentary evidence of:
  • A feasible information assurance and security perimeter
  • An overall concept of standard operating procedure
  • A generic operational testing and review plan
  • Policies to ensure an appropriate response to unexpected incidents
  • A secure site plan
  • A Business Continuity and Disaster Recovery Plan (BCP/DRP)
  • Assurance that all personnel are adequately trained in secure operation
  • Assurance that all personnel are capable of using the security functionality relevant to their position in the organization
Analyzing: Making Smart Decisions
• A good decision about a given threat requires understanding its consequences and impacts:
  • Threat assessment – understanding the consequences
  • Impact analysis – evaluating the strategy
  • Reporting – understanding the alternatives
  • Authorizing – getting the go-ahead
Responding: Ensuring a Disciplined Response
• This function implements the authorized corrective action
• Factors that might influence the decision are:
  • Resource constraints
  • Difficulty or infeasibility of the response required
• All threats and vulnerabilities should be tracked and the resulting responses overseen
• A defined process is required to ensure that this is done accurately
Managing: Maintaining an Effective Process
• All information assurance processes, as a routine function, have to be planned, designed, administered, and maintained
• Ensures that effective leadership vision and expertise are exercised at all times
• Oversees and coordinates the alignment process to maintain the best response to threats and changes in a dynamically changing situation
Implementation: Setting Up the Security of Operations Process
• Security of operations is founded on organization-wide policies, procedures, and countermeasures
• Maintains the relevance and effectiveness of the infrastructure
• Specifies the approved methods and processes that will be followed to ensure security performance
• Should be embedded as part of day-to-day workplace functioning
• Operational assessment is critical:
  • Methods and metrics used to track performance must be specified
  • Certifications must be used to judge proper execution
Operational Planning
• A formal security of operations plan is an important baseline document
• Acts as a point of reference in the evolution of events and day-to-day management
• Operationalizes and coordinates the elements of the security of operations function
• Organizes and focuses the effective deployment of resources
• Supports the budgeting process
• Makes the security objectives explicit
• Serves as a mechanism for assessing contractual and regulatory obligations
• Organizes technical and management response so that the right set of countermeasures is always in place
Operational Planning
• The operational security plan is built and maintained through eight stages
Steps for a Secure Operation
Step 1: Document the baseline
Step 2: Determine the benchmarks
Step 3: Establish a security architecture
Step 4: Build awareness
Step 5: Deploy supporting technology
Step 6: Assess performance
Step 7: Specify how corrective action will be taken
Step 8: Enforce accountability
Operational Response
• Security of operations should ensure that an effective operational response is in place
• It resolves problems as they appear
• Response is established and maintained by a plan
• The plan integrates the sensing, analyzing, and responding principles into a set of procedures that meet the security needs
• A pre-defined response ensures that an optimum solution is provided in a timely fashion
  • Timeliness is underwritten by effective incident reporting
Operational Response
• Ensuring effective reporting and response: a formal incident response team (IRT) or operational response team (ORT)
• Ensuring timely reports: each report provides a description of both the type and the estimated impact of the incident
• Ensuring timely response: incident reports should go to a single central coordinator or facilitator for confirmation, analysis, and subsequent action
Anticipating Potential Incidents
• Potential incidents include:
  • Pre-attack probes
  • Unauthorized access attempts
  • Denial of service attempts
  • Vulnerabilities in the infrastructure
• Reports are generic and result from routine data-gathering activity and analysis
• Reports also result from analyses performed by the software
• Reports are generated by intrusion detection devices
• Operational event logging monitors events taking place within the system
Working with Active Incidents
• Active incidents always require an operational response
• Actions are dictated by circumstances and may require:
  • Applying a technical patch
  • Reconfiguration or reinstallation of the system
  • A change in policy and procedure
  • Implementation of new enforcement mechanisms
• The operational response team:
  • Contains the harm from an incident and prevents its recurrence
  • Supervises the change to the target system through the configuration management process
  • Performs the coordination and documentation activities needed
Ensuring Continuing Integrity: Configuration Management
• A formal procedure undertaken for change management
• Refers to the evolution of change to objects
• It is a critical component of security for two reasons:
  • Predictable day-to-day functioning of systems
  • Ability to detect unauthorized changes
• Maintains the integrity of the items under its control
• Allows for the evaluation and performance of management changes
• Establishes the integrity of the system
Human-based: Configuration Management
• Configuration manager role:
  • Processes all requests for change
  • Manages the change authorization process
  • Verifies that the change is complete
• Baseline manager role:
  • Identifies, accounts for, and maintains all configuration items under the identification scheme
  • Establishes a baseline management ledger (BML)
    • Records all changes and promotions to baselines in this ledger
    • Maintains the libraries associated with it
Human-based: Configuration Management
• Verification manager role:
  • Confirms that items in the change management ledger conform to the identification scheme
  • Verifies that changes have been carried out
  • Conducts milestone reviews and audits
• Status accounting – ensures the continuing correct status of each baseline
  • Changes at any level in the structure must be maintained at all levels
Human-based: Configuration Management
• Configuration management plan: a plan that lists the activities in the configuration management function, including:
  • The procedures to be followed during the configuration management process
  • The schedule for routine activities
  • The procedures for performing configuration management activity involving other organizations
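The three configuration management roles above (baseline manager, configuration manager, verification manager) as one working baseline management ledger, written here as an added example and not taken from the textbook: items are admitted only under an assumed CI-nnnn identification scheme, every authorized change promotes the baseline and is recorded, and verification compares the live state against the baseline to surface unauthorized changes. The item names, contents and the "CCB-ticket-42" authorization reference in demo() are constructed sample data.

```python
"""Baseline management ledger (BML), added example: items are admitted only under the
identification scheme, authorized changes promote the baseline, verification detects drift."""
import hashlib
import re
from dataclasses import dataclass, field

CI_ID = re.compile(r"^CI-\d{4}$")  # assumed identification scheme, not from the textbook

def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()  # integrity fingerprint of one item

@dataclass
class Ledger:
    baseline: dict = field(default_factory=dict)  # ci_id -> (name, digest)
    history: list = field(default_factory=list)   # append-only change records

    def register(self, ci_id: str, name: str, content: bytes) -> None:
        """Baseline manager: account for an item under the identification scheme."""
        if not CI_ID.match(ci_id):
            raise ValueError(f"{ci_id} violates the identification scheme")
        self.baseline[ci_id] = (name, digest(content))
        self.history.append(("baseline", ci_id, digest(content), "initial"))

    def change(self, ci_id: str, new_content: bytes, authorized_by: str) -> None:
        """Configuration manager: only an authorized request promotes the baseline."""
        if not authorized_by:
            raise PermissionError(f"change to {ci_id} carries no authorization")
        name, _ = self.baseline[ci_id]
        self.baseline[ci_id] = (name, digest(new_content))
        self.history.append(("change", ci_id, digest(new_content), authorized_by))

    def verify(self, live: dict) -> list:
        """Verification manager: report each item whose live state departs from the baseline."""
        findings = []
        for ci_id, (_, expected) in self.baseline.items():
            if ci_id not in live:
                findings.append((ci_id, "missing"))
            elif digest(live[ci_id]) != expected:
                findings.append((ci_id, "unauthorized change"))
        # anything live that was never registered is outside configuration control
        findings += [(c, "not under configuration control") for c in live.keys() - self.baseline.keys()]
        return sorted(findings)

def demo() -> list:
    # constructed sample: one authorized change, one drifted item, one unmanaged item
    ledger = Ledger()
    ledger.register("CI-0001", "sshd_config", b"PermitRootLogin no\n")
    ledger.register("CI-0002", "sudoers", b"%admin ALL=(ALL) ALL\n")
    ledger.change("CI-0001", b"PermitRootLogin no\nMaxAuthTries 3\n", "CCB-ticket-42")
    live = {"CI-0001": b"PermitRootLogin no\nMaxAuthTries 3\n",  # matches promoted baseline
            "CI-0002": b"%admin ALL=(ALL) NOPASSWD: ALL\n",      # changed with no ledger record
            "CI-0003": b"unknown\n"}                              # never registered
    return ledger.verify(live)
```

Running demo() reports CI-0002 as an unauthorized change and CI-0003 as outside configuration control, while the authorized promotion of CI-0001 produces no finding; the history list is the status-accounting record of how the baseline reached its current state.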
Operational Housekeeping
• Operational housekeeping ensures that routine information processing activities are performed securely
• Responsible for ensuring that the organization's information is protected from common threats:
  • Proactive measures such as periodic inspections and compliance audits
  • Managerial concerns
  • Ensuring that routine patches and repairs to equipment and facilities are performed
Preparing an Operational Procedure Manual
• Every organization has to compile, distribute, and update a procedure manual
• Details all required procedures to ensure continuous security of operations
• Should contain simple checklists providing clear directions for employees performing routine housekeeping
• Should ensure that the required steps are listed along with expected results, and a way to determine that those results are accurate
• There should be a clear statement of the interrelationships between related procedures
Managing Security Patches
• Security patches should be in place so that software can be consistently updated and maintained to close vulnerabilities
• They are important safeguards and a routine part of the security maintenance process
• Any operating system security update should be verified, tested, and installed immediately
Back Up Your Data, Back Up Your Job
• Backups are important housekeeping functions
• Support the recovery function
• Are essential prerequisites for business continuity
  • Support the recovery point objective (RPO) in business continuity planning
• Other reasons could include:
  • Hard drive failure
  • Serious virus attack or other accidents
• Based on a schedule dictated by operational circumstances
Enforcing Personal Security Discipline
• Personal security discipline implies that staff members routinely follow approved security procedures
• Steps need to be taken to ensure that routine activities are performed in a continuous and repeatable way
• Discipline is the key to ensuring that routine behaviors are performed
• Discipline hinges on people understanding the importance of routine security practices
  • Education, training, and awareness function
Maintaining Your Software
• Software must be configured and operate without conflict
• Ensure safe and secure operation
• Provide essential automated security services
• Visible part of the process:
  • Registry and file system utilities aligned correctly and interacting properly
  • Running disk cleanups and performing hardware checks
• Security utilities:
  • Virus and spyware checkers and spam filters
Making Your Software Behave
• Software functionality is difficult to assure, since software interactions occur within the computer
• It is necessary to perform system integrity checks
  • Assure that the registry files, applications, and system utilities are installed properly and working as designed
• Preventive maintenance should be routinely scheduled, coordinated, enforced, and reported through the information assurance function
Watching Your Back
• Have a set of operational procedures in place to secure application systems
• Procedures include system management responsibilities such as:
  • Ensuring that security functions are enabled on both user and administrative accounts
  • Conducting software engineering procedures such as routine operational testing
  • Including simple processes such as regularly ensuring that passwords are changed
  • Checking system event logs periodically
Disposing of Assets in a Secure Manner
• A critical part of the day-to-day integrity of information is the secure disposal of media
• There must be rules for the secure erasure or destruction of electronic storage media:
  • Routine clear-out of temporary files and temporary Internet cache files
  • Use of modern shredders to dispose of paper copies
  • In the case of especially sensitive material, the use of contracted destruction services
  • Magnetic storage media such as floppies routinely degaussed or shredded prior to disposal
Locking Down Electronic Office Systems
• Ensure that e-mail and office automation systems are tightly controlled
• There is a need to develop and formalize a statement of what is and is not acceptable use
  • This is called an acceptable use policy
  • Serves as the formal basis for subsequent control
Defining Good Security Practice for an E-Mail System
• Defining, communicating, and enforcing good security practice in the daily operation of the e-mail system can prevent most violations
• Monitoring of acceptable use is frequently used in larger organizations and can be embedded in a software utility