chapter005

McGraw-Hill/Irwin. Copyright © 2007 by The McGraw-Hill Companies, Inc. All rights reserved.
Information Assurance for the Enterprise: A Roadmap to Information Security, by Schou and Shoemaker
Chapter 5: Maintaining Security of Operations

Upload: j-delos-arcos

Post on 07-Dec-2014


Page 1: Chapter005


Chapter 5

Maintaining Security of Operations

Page 2: Chapter005

5-2

Objectives

Establish routine security of operation
Create a dependable operational security process
Ensure operational response to incidents

Page 3: Chapter005

5-3

Security of Operations

A critical part of the information assurance lifecycle
Ensures ongoing integrity and performance
The process involves actions such as:
• Ensuring that current operating procedures are properly aligned with the organization's security policies
• Monitoring the performance of assigned security duties to confirm that they correspond to proper processes
• Defining and executing operational housekeeping processes to ensure that the security function continues to operate properly

Page 4: Chapter005

5-4

Aims: Aligning Purpose with Practice

Information assurance goals must be satisfied for the organization to be secure
Factors that can affect this process include changes in:
• People who use the system or their motivations
• Types of systems interconnected with the organization's systems
• Type or sensitivity of data
• Way the organization does business or type of business the organization conducts
• Rigor and extent of information assurance objectives
• Organizational risk model and risk tolerance approach

Page 5: Chapter005

5-5

Aims: Aligning Purpose with Practice

If an information assurance goal is not being met, the organization performs a risk assessment/risk mitigation process to decide how to meet it

Page 6: Chapter005

5-6

Threat Response: Keeping the Organization on Its Toes

Threat response is either proactive or reactive
Proactive activities include:
• Identification of threats and vulnerabilities
• Creation, assessment, and optimization of security solutions
• Implementation of controls to protect the software and the information
Reactive activities include:
• Detecting and reacting to external or internal intrusions or security violations in a timely manner

Page 7: Chapter005

5-7

Staying Alert: Elements of the Operational Security Process

The operational security process is composed of principles
These principles represent the primary functions of the operational security process:
• Sensing
• Analyzing
• Responding
• Managing

Page 8: Chapter005

5-8

Sensing: Understanding the Threat

Operational sensing is proactive
Must be performed continuously
Implemented and run by defined policies, procedures, tools, and standards
Monitors, tests, and assesses the environment to detect vulnerabilities and security violations
Identifies and resolves threats as they arise
Reviews monitor and evaluate management and end-user behavior

Page 9: Chapter005

5-9

Sensing: Understanding the Threat

Security assurance requires documentary evidence of:
• Feasible information assurance and security perimeter

• Overall concept of standard operating procedure

• Generic operational testing and review plan

• Policies to ensure appropriate response to unexpected incidents

• Secure site plan

• Business Continuity and Disaster Recovery Plan (BCP/DRP)

• Assurance that all are adequately trained in secure operation

• Assurance that all are capable of utilizing security functionality relevant to their position in the organization

Page 10: Chapter005

5-10

Analyzing: Making Smart Decisions

A good decision about a given threat requires understanding its consequences and impacts
• Threat assessment – understanding the consequences
• Impact analysis – evaluating the strategy
• Reporting – understanding the alternatives
• Authorizing – getting the go-ahead

Page 11: Chapter005

5-11

Responding: Ensuring a Disciplined Response

This function implements the authorized corrective action
Factors that might influence the decision are:
• Resource constraints
• Difficulty or infeasibility of the response required
All threats and vulnerabilities should be tracked and the resulting responses overseen
A defined process is required to ensure that this is done accurately

Page 12: Chapter005

5-12

Managing: Maintaining an Effective Process

All information assurance processes, as a routine function, have to be:
• Planned
• Designed
• Administered
• Maintained
Ensures that effective leadership, vision, and expertise are exercised at all times
Oversees and coordinates the alignment process to maintain the best response to threats and changes in a dynamically changing situation

Page 13: Chapter005

5-13

Implementation: Setting Up the Security of Operations Process

Security of operations is founded on organization-wide policies, procedures, and countermeasures
Maintains the relevance and effectiveness of the infrastructure
Specifies the approved methods and processes that will be followed to ensure security performance
Should be embedded as part of day-to-day workplace functioning
Operational assessment is critical
Methods and metrics used to track performance must be specified
Certifications must be used to judge proper execution

Page 14: Chapter005

5-14

Operational Planning

A formal security of operations plan is an important baseline document
Acts as a point of reference in the evolution of events and day-to-day management
Operationalizes and coordinates the elements of the security of operations function
Organizes and focuses the effective deployment of resources
Supports the budgeting process
Makes the security objectives explicit
Serves as a mechanism for assessing contractual and regulatory obligations
Organizes technical and management response so that the right set of countermeasures is always in place

Page 15: Chapter005

5-15

Operational Planning

The operational security plan is built and maintained through eight stages

Page 16: Chapter005

5-16

Steps for a Secure Operation

Step 1: document the baseline
Step 2: determine the benchmarks
Step 3: establish a security architecture
Step 4: build awareness
Step 5: deploy supporting technology
Step 6: assess performance
Step 7: specify how corrective action will be taken
Step 8: enforce accountability

Page 17: Chapter005

5-17

Operational Response

Security of operations should ensure that an effective operational response is in place
It resolves problems as they appear
Response is established and maintained by a plan
The plan integrates the sensing, analyzing, and responding principles into a set of procedures that meet the security needs
A pre-defined response ensures that an optimum solution is provided in a timely fashion
• Timeliness is underwritten by effective incident reporting

Page 18: Chapter005

5-18

Operational Response

Ensuring effective reporting and response
• Formal incident response team (IRT) or operational response team (ORT)
Ensuring timely reports
• Each report provides a description of both the type and the estimated impact of the incident
Ensuring timely response
• Incident reports should go to a single central coordinator or facilitator for confirmation, analysis, and subsequent action

Page 19: Chapter005

5-19

Anticipating Potential Incidents

Potential incidents include:
• Pre-attack probes
• Unauthorized access attempts
• Denial of service attempts
• Vulnerabilities in the infrastructure
Reports are generic and result from routine data-gathering activity and analysis
Reports also result from analyses performed by the software
Reports are generated by intrusion detection devices
Operational event logging monitors events taking place within the system
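The slide lists the incident types (pre-attack probes, unauthorized access attempts, denial of service attempts) and says reports come from analysis of event logs and are sent to a central coordinator with a type and an estimated impact. The following is an added example, not code from the book or its authors: it correlates constructed firewall, sshd and web-server log lines per source address, applies assumed thresholds (five distinct ports, five failed logins, one hundred requests per minute) and produces the report lines. The log formats, thresholds and addresses are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample log lines for this example (not from any real system):
# a firewall drop log, an sshd authentication log and a web access log.
FIREWALL = "\n".join(
    f"2024-03-01T10:00:{i:02d} fw DROP src=203.0.113.7 dst=10.0.0.5 dpt={port}"
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443])
)
SSHD = "\n".join(
    [f"2024-03-01T10:05:{i:02d} sshd Failed password for root from 198.51.100.9"
     for i in range(6)]
    + ["2024-03-01T10:05:20 sshd Accepted password for root from 198.51.100.9"]
)
WEB = "\n".join(
    f"2024-03-01T10:10:{i // 10:02d} web GET /login from 192.0.2.50" for i in range(120)
)
SAMPLE_LOGS = "\n".join([FIREWALL, SSHD, WEB])

FW_RE = re.compile(r"^(\S+) fw DROP src=(\S+) dst=\S+ dpt=(\d+)$")
SSH_RE = re.compile(r"^(\S+) sshd (Failed|Accepted) password for (\S+) from (\S+)$")
WEB_RE = re.compile(r"^(\S+) web \S+ \S+ from (\S+)$")

# Thresholds are assumptions for this example; tune them per environment.
PROBE_DISTINCT_PORTS = 5
FAILED_LOGINS = 5
REQUESTS_PER_MINUTE = 100


def analyze(log_text):
    """Correlate raw events per source address and emit incident records carrying a
    type and an estimated impact, i.e. what a report to the central coordinator needs."""
    ports = defaultdict(set)      # src -> distinct destination ports dropped
    failures = defaultdict(int)   # src -> failed logins
    accepted = defaultdict(set)   # src -> users it later logged in as
    requests = defaultdict(int)   # (src, minute) -> request count
    for line in log_text.splitlines():
        if m := FW_RE.match(line):
            ports[m.group(2)].add(int(m.group(3)))
        elif m := SSH_RE.match(line):
            _, result, user, src = m.groups()
            if result == "Failed":
                failures[src] += 1
            else:
                accepted[src].add(user)
        elif m := WEB_RE.match(line):
            requests[(m.group(2), m.group(1)[:16])] += 1   # bucket by minute

    incidents = []
    for src, p in ports.items():
        if len(p) >= PROBE_DISTINCT_PORTS:
            incidents.append({"type": "pre-attack probe", "source": src, "impact": "low",
                              "detail": f"{len(p)} distinct ports scanned"})
    for src, n in failures.items():
        if n >= FAILED_LOGINS:
            users = sorted(accepted.get(src, ()))
            # A burst of failures followed by a success is the case that matters most.
            detail = f"{n} failed logins"
            if users:
                detail += f", then successful login as {','.join(users)}"
            incidents.append({"type": "unauthorized access attempt", "source": src,
                              "impact": "high" if users else "medium", "detail": detail})
    for (src, minute), n in requests.items():
        if n >= REQUESTS_PER_MINUTE:
            incidents.append({"type": "denial of service attempt", "source": src,
                              "impact": "medium", "detail": f"{n} requests in minute {minute}"})
    return incidents


def format_report(incidents):
    """One line per incident, in the form handed to the central coordinator."""
    return "\n".join(f"[{i['impact'].upper()}] {i['type']} from {i['source']}: {i['detail']}"
                     for i in incidents)


if __name__ == "__main__":
    print(format_report(analyze(SAMPLE_LOGS)))
```

The point of correlating per source rather than alerting per line is visible in the sshd case: six failures on their own are a medium-impact attempt, but the same six failures followed by an accepted login for the same account are the event that must go to the coordinator first.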

Page 20: Chapter005

5-20

Working with Active Incidents

Active incidents always require an operational response
Actions are dictated by circumstances, requiring:
• Applying a technical patch
• Reconfiguration or reinstallation of the system
• Change in policy and procedure
• Implementation of new enforcement mechanisms
The operational response team:
• Contains the harm from an incident and prevents its recurrence
• Supervises the change to the target system through the configuration management process
• Performs the coordination and documentation activities needed

Page 21: Chapter005

5-21

Ensuring Continuing Integrity: Configuration Management

A formal procedure undertaken for change management
Refers to the controlled evolution of change to objects
It is a critical component of security for two reasons:
• Predictable day-to-day functioning of systems
• Ability to detect unauthorized changes
Maintains the integrity of the items under its control
Allows for the evaluation and performance of managed changes
Establishes the integrity of the system

Page 22: Chapter005

5-22

Human-based: Configuration Management

Configuration manager role
• Processes all requests for change
• Manages the change authorization process
• Verifies that the change is complete
Baseline manager role
• Identifies, accounts for, and maintains all configuration items within the identification scheme
• Establishes a baseline management ledger (BML)
• Records all changes and promotions to baselines in this ledger
• Maintains the libraries associated with it

Page 23: Chapter005

5-23

Human-based: Configuration Management

Verification manager role
• Confirms that items in the change management ledger conform to the identification scheme
• Verifies that changes have been carried out
• Conducts milestone reviews and audits
Status accounting – ensures the continuing correct status of each baseline
• Changes at any level in the structure must be maintained at all levels
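Slides 21 through 23 describe the baseline management ledger and the three roles around it (configuration manager, baseline manager, verification manager) and give two security reasons for configuration management: predictable functioning and the ability to detect unauthorized change. The following is an added example, not code from the book: a minimal ledger that stores the approved SHA-256 digest of each configuration item, moves change requests through requested, authorized and promoted states, and, in `verify`, tells an authorized-but-not-yet-promoted change apart from a change nobody requested. The item names, contents and the change identifier `CR-0001` are constructed for the example.

```python
import hashlib


def digest(content):
    """SHA-256 of a configuration item's content; the ledger keeps digests, not copies."""
    return hashlib.sha256(content).hexdigest()


class BaselineLedger:
    """Baseline management ledger (BML) for a set of configuration items (CIs).

    Holds the approved digest of every CI, the change requests moving through
    requested -> authorized -> promoted, and an append-only promotion history.
    Each method is labelled with the role from the text that performs it."""

    def __init__(self):
        self.baseline = {}   # ci_id -> approved digest
        self.changes = {}    # change_id -> {"ci_id", "new_digest", "state"}
        self.history = []    # (change_id, ci_id, old_digest, new_digest)

    # Baseline manager: bring an item under control within the identification scheme.
    def register(self, ci_id, content):
        if ci_id in self.baseline:
            raise ValueError(f"{ci_id} is already under configuration control")
        self.baseline[ci_id] = digest(content)

    # Configuration manager: process a request for change against a controlled item.
    def request_change(self, change_id, ci_id, new_content):
        if ci_id not in self.baseline:
            raise KeyError(f"{ci_id} is not a controlled item")
        self.changes[change_id] = {"ci_id": ci_id, "new_digest": digest(new_content),
                                   "state": "requested"}

    # Configuration manager: the change authorization process (approval recorded here).
    def authorize(self, change_id):
        self.changes[change_id]["state"] = "authorized"

    # Verification manager: confirm the installed item is exactly what was authorized,
    # then promote the baseline and record the promotion in the ledger.
    def promote(self, change_id, installed_content):
        change = self.changes[change_id]
        if change["state"] != "authorized":
            raise PermissionError(f"{change_id} has not been authorized")
        if digest(installed_content) != change["new_digest"]:
            raise ValueError(f"{change_id}: installed content differs from what was authorized")
        ci_id = change["ci_id"]
        self.history.append((change_id, ci_id, self.baseline[ci_id], change["new_digest"]))
        self.baseline[ci_id] = change["new_digest"]
        change["state"] = "promoted"

    # Status accounting / audit: compare what is actually running against the baseline.
    def verify(self, observed):
        """observed maps ci_id -> current content. Returns {ci_id: finding} for every
        discrepancy; an empty dict means the system matches its baseline."""
        findings = {}
        awaiting = {(c["ci_id"], c["new_digest"]): cid
                    for cid, c in self.changes.items() if c["state"] == "authorized"}
        for ci_id, approved in self.baseline.items():
            if ci_id not in observed:
                findings[ci_id] = "missing"
                continue
            actual = digest(observed[ci_id])
            if actual == approved:
                continue
            change_id = awaiting.get((ci_id, actual))
            findings[ci_id] = (f"authorized change {change_id} awaiting promotion"
                               if change_id else "unauthorized change")
        for ci_id in observed.keys() - self.baseline.keys():
            findings[ci_id] = "not under configuration control"
        return findings


def demo():
    """Constructed scenario: one authorized hardening change, one tampered file, one stray file."""
    ledger = BaselineLedger()
    ledger.register("sshd_config", b"PermitRootLogin no\n")
    ledger.register("sudoers", b"%admin ALL=(ALL) ALL\n")
    hardened = b"PermitRootLogin no\nPasswordAuthentication no\n"
    ledger.request_change("CR-0001", "sshd_config", hardened)
    ledger.authorize("CR-0001")
    observed = {"sshd_config": hardened,                           # installed as authorized
                "sudoers": b"%admin ALL=(ALL) NOPASSWD:ALL\n",      # changed without a request
                "cron.d/unexpected": b"* * * * * root /tmp/x\n"}   # never registered
    before = ledger.verify(observed)
    ledger.promote("CR-0001", observed["sshd_config"])
    after = ledger.verify(observed)
    return before, after
```

Without the ledger, a file-integrity scan can only say "changed"; with it, the same scan separates the sshd hardening that the configuration manager approved from the sudoers edit that nobody requested, which is exactly the "detect unauthorized changes" reason the slide gives.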

Page 24: Chapter005

5-24

Human-based: Configuration Management

Configuration management plan
• Builds a plan that lists the activities in the configuration management function, including:
• The procedures to be followed during the configuration management process
• The schedule for routine activities
• The procedures for performing configuration management activity involving other organizations

Page 25: Chapter005

5-25

Operational Housekeeping

Operational housekeeping – ensures that routine information processing activities are performed securely
Responsible for ensuring that the organization's information is protected from common threats
• Proactive measures such as periodic inspections and compliance audits
• Managerial concerns
• Ensuring that routine patches and repairs to equipment and facilities are performed

Page 26: Chapter005

5-26

Preparing an Operational Procedure Manual

Every organization has to compile, distribute, and update a procedure manual
Details all required procedures to ensure continuous security of operations
Should contain simple checklists providing clear directions for employees performing routine housekeeping
Should ensure that the required steps are listed along with expected results, and a way to determine whether those results are accurate
There should be a clear statement of the interrelationship between related procedures

Page 27: Chapter005

5-27

Managing Security Patches

Security patches should be in place so that software can be consistently updated and maintained to close vulnerabilities
They are important safeguards and a routine part of the security maintenance process
Any operating system security update should be verified, tested, and then installed without delay
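The slide says patches must be verified, tested and installed; what it leaves implicit is how to know which hosts still need which patch and in what order. The following is an added example, not code from the book: it compares installed package versions against a list of advisories, orders the resulting gaps by an assumed remediation deadline per severity, and shows the verification step as a digest check of the downloaded update against a digest published out of band. The advisory identifiers (`ADV-2024-001` etc.), host names, package names, versions and deadlines are all constructed for the example and correspond to no real advisory.

```python
import hashlib


def parse_version(version):
    """'1.2.10' -> (1, 2, 10). Comparing version strings as text puts 1.2.9 after 1.2.10;
    comparing tuples of integers does not."""
    return tuple(int(part) for part in version.split("."))


# Constructed advisories and inventory for this example; the identifiers are made up.
ADVISORIES = [
    {"id": "ADV-2024-001", "package": "openssh-server", "fixed_in": "9.6.2", "severity": "critical"},
    {"id": "ADV-2024-002", "package": "libexample", "fixed_in": "1.2.10", "severity": "high"},
    {"id": "ADV-2024-003", "package": "libexample", "fixed_in": "1.3.0", "severity": "low"},
]
INVENTORY = {
    "web-01": {"openssh-server": "9.6.2", "libexample": "1.2.9"},
    "db-01": {"openssh-server": "9.5.0", "libexample": "1.2.10"},
    "bastion": {"openssh-server": "9.6.2", "libexample": "1.3.0"},
}
# Remediation deadlines in days by severity. An assumption; real values come from policy.
SLA_DAYS = {"critical": 1, "high": 7, "medium": 30, "low": 90}


def missing_patches(inventory, advisories):
    """Return {host: [(advisory id, severity, installed, fixed_in), ...]} for every host
    running a version older than the one that carries the fix."""
    gaps = {}
    for host, packages in inventory.items():
        for adv in advisories:
            installed = packages.get(adv["package"])
            if installed is None:
                continue   # package not present on this host: advisory does not apply
            if parse_version(installed) < parse_version(adv["fixed_in"]):
                gaps.setdefault(host, []).append(
                    (adv["id"], adv["severity"], installed, adv["fixed_in"]))
    return gaps


def work_queue(gaps):
    """Flatten the gaps into rows ordered by remediation deadline, most urgent first."""
    rows = [(SLA_DAYS[severity], host, adv_id, severity, installed, fixed)
            for host, items in gaps.items()
            for adv_id, severity, installed, fixed in items]
    return sorted(rows)


# Constructed stand-in for a downloaded update and the digest its vendor would publish.
PACKAGE = b"constructed update payload, stands in for a downloaded package"
PUBLISHED_SHA256 = hashlib.sha256(PACKAGE).hexdigest()


def verify_download(content, published_sha256):
    """Verification step before testing and installing: the bytes actually downloaded must
    match the digest published separately from the download itself."""
    return hashlib.sha256(content).hexdigest() == published_sha256


if __name__ == "__main__":
    for row in work_queue(missing_patches(INVENTORY, ADVISORIES)):
        print(row)
```

Two details matter in practice: version strings must be compared numerically (a text comparison would report `1.2.9` as newer than `1.2.10` and hide the gap on `web-01`), and the digest used for verification must come from somewhere other than the mirror the package was fetched from, otherwise a compromised mirror verifies itself.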

Page 28: Chapter005

5-28

Back Up Your Data, Back Up Your Job

Backups are important housekeeping functions
Support the recovery function
Are essential prerequisites for business continuity
• Support the recovery point objective (RPO) in business continuity planning
Other reasons could include:
• Hard drive failure
• Serious virus attack or other accidents
Backups run on a schedule dictated by operational circumstances
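The slide ties backups to the recovery point objective. The following is an added example, not code from the book: given a constructed backup catalog, it computes for each dataset how old the newest successful backup is and whether that age is within the RPO, and it checks a test restore against the digest recorded at backup time, since an unverified backup is not a recovery capability. The datasets, catalog entries, RPO values and the fixed clock are constructed for the example.

```python
import hashlib
from datetime import datetime, timedelta


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed datasets, catalog, RPOs and clock for this example.
DATA = {"orders-db": b"orders table dump v17", "wiki": b"wiki pages export"}
CATALOG = [
    {"dataset": "orders-db", "finished": "2024-03-01T01:00:00", "status": "ok",
     "sha256": sha256_hex(DATA["orders-db"])},
    {"dataset": "orders-db", "finished": "2024-03-02T01:00:00", "status": "failed",
     "sha256": None},   # last night's run failed: it must not count as a recovery point
    {"dataset": "wiki", "finished": "2024-02-28T02:00:00", "status": "ok",
     "sha256": sha256_hex(DATA["wiki"])},
]
RPO = {"orders-db": timedelta(hours=24), "wiki": timedelta(days=7)}
NOW = datetime(2024, 3, 2, 9, 0, 0)


def last_good_backup(catalog, dataset):
    """Newest entry for the dataset whose run actually succeeded, or None."""
    runs = [r for r in catalog if r["dataset"] == dataset and r["status"] == "ok"]
    return max(runs, key=lambda r: r["finished"], default=None)


def rpo_status(catalog, rpo, now):
    """{dataset: (age of newest successful backup, within RPO?)}.
    A dataset with no successful backup at all gets (None, False)."""
    status = {}
    for dataset, objective in rpo.items():
        run = last_good_backup(catalog, dataset)
        if run is None:
            status[dataset] = (None, False)
            continue
        age = now - datetime.fromisoformat(run["finished"])
        status[dataset] = (age, age <= objective)
    return status


def verify_restore(restored, catalog_entry):
    """A backup is only proven by a restore: the restored bytes must reproduce the
    digest the catalog recorded when the backup was taken."""
    return (catalog_entry["sha256"] is not None
            and sha256_hex(restored) == catalog_entry["sha256"])


if __name__ == "__main__":
    for dataset, (age, ok) in rpo_status(CATALOG, RPO, NOW).items():
        print(dataset, age, "within RPO" if ok else "RPO VIOLATED")
```

The failed run in the catalog is the case worth noticing: a check that looks only at the most recent attempt would report `orders-db` as eight hours old, while the newest backup that could actually be restored is thirty-two hours old and the 24-hour RPO is already breached.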

Page 29: Chapter005

5-29

Enforcing Personal Security Discipline

Personal security discipline implies that staff members routinely follow approved security procedures
Steps need to be taken to ensure that routine activities are performed in a continuous and repeatable way
Discipline is the key to ensuring that routine behaviors are performed
Discipline hinges on people understanding the importance of routine security practices
• Education, training, and awareness function

Page 30: Chapter005

5-30

Maintaining Your Software

Software must be configured and operate without conflict
• Ensure safe and secure operation
• Provide essential automated security services
Visible part of the process:
• Registry and file system utilities aligned correctly and interacting properly
• Running disk cleanups and performing hardware checks
Security utilities
• Virus and spyware checkers and spam filters

Page 31: Chapter005

5-31

Making Your Software Behave

Software functionality is difficult to assure since software interactions occur within the computer
It is necessary to perform system integrity checks
• Assure that the registry files, applications, and system utilities are installed properly and working as designed
Preventive maintenance should be routinely scheduled, coordinated, enforced, and reported through the information assurance function

Page 32: Chapter005

5-32

Watching Your Back

Have a set of operational procedures in place to secure application systems
Procedures include system management responsibilities such as:
• Ensuring that security functions are enabled on both user and administrative accounts
• Conducting software engineering procedures such as routine operational testing
• Including simple processes such as regularly ensuring that passwords are changed
• Checking system event logs periodically

Page 33: Chapter005

5-33

Disposing of Assets in a Secure Manner

A critical part of the day-to-day integrity of information is the secure disposal of media
There must be rules for the secure erasure or destruction of electronic storage media
• Routine clear-out of temporary files and temporary Internet cache files
• Use of modern shredders to dispose of paper copies
• In the case of especially sensitive material, the use of contracted destruction services
• Magnetic storage media such as floppies routinely degaussed or shredded prior to disposal
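The slide covers the rules for secure erasure and the routine clear-out of temporary files. The following is an added example, not code from the book: a file-level secure delete that overwrites a file's blocks with random data and syncs before unlinking, a periodic purge of a cache directory built on it, and a self-contained scenario in a temporary directory. The file names, contents and the seven-day cache policy are constructed for the example. The caveat in the docstring is the one a practitioner needs: overwriting only helps where the filesystem writes back to the same blocks, which is why the slide's physical-destruction rules still apply.

```python
import os
import secrets
import tempfile
import time


def _write_all(fd, data):
    """os.write may write fewer bytes than requested; keep going until all are written."""
    view = memoryview(data)
    while view:
        view = view[os.write(fd, view):]


def overwrite_in_place(path, passes=1, chunk=1 << 16):
    """Overwrite the file's current extent with random bytes, fsync after each pass, and
    return the byte count. Caveat: this is only effective where the filesystem rewrites the
    same blocks. On SSDs (wear levelling), copy-on-write or journaling filesystems, and
    volumes with snapshots, the old data can survive; for those, destroy the key of an
    encrypted volume, use the device's secure-erase command, or physically destroy the
    media as the slide lists."""
    size = os.path.getsize(path)
    fd = os.open(path, os.O_WRONLY)
    try:
        for _ in range(passes):
            os.lseek(fd, 0, os.SEEK_SET)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                _write_all(fd, secrets.token_bytes(n))
                remaining -= n
            os.fsync(fd)
    finally:
        os.close(fd)
    return size


def secure_delete(path, passes=1):
    """Overwrite, then unlink; returns the number of bytes overwritten."""
    overwritten = overwrite_in_place(path, passes)
    os.unlink(path)
    return overwritten


def purge_older_than(directory, max_age_seconds, now=None):
    """Routine clear-out of a temp/cache directory: securely delete regular files whose
    modification time is older than max_age_seconds. Symlinks are skipped so a planted
    link cannot redirect the purge. Returns the names removed."""
    now = time.time() if now is None else now
    removed = []
    with os.scandir(directory) as entries:
        for entry in entries:
            if not entry.is_file(follow_symlinks=False):
                continue
            if now - entry.stat(follow_symlinks=False).st_mtime > max_age_seconds:
                secure_delete(entry.path)
                removed.append(entry.name)
    return sorted(removed)


def demo():
    """Constructed scenario in a temporary directory: one sensitive export, one stale cache
    file (10 days old) and one fresh cache file; the cache policy is 7 days (an assumption)."""
    with tempfile.TemporaryDirectory() as tmp:
        export = os.path.join(tmp, "customer-export.csv")
        original = b"name,account\nalice,ACCT-0001\n" * 200
        with open(export, "wb") as f:
            f.write(original)
        overwritten = overwrite_in_place(export)
        with open(export, "rb") as f:
            after = f.read()
        contents_changed = after != original and len(after) == len(original)
        os.unlink(export)

        stale = os.path.join(tmp, "cache-old.tmp")
        fresh = os.path.join(tmp, "cache-new.tmp")
        for p in (stale, fresh):
            with open(p, "wb") as f:
                f.write(b"cached page")
        now = time.time()
        os.utime(stale, (now - 10 * 86400, now - 10 * 86400))  # pretend it is 10 days old
        removed = purge_older_than(tmp, 7 * 86400, now)
        return {"overwritten": overwritten, "original_size": len(original),
                "contents_changed": contents_changed, "removed": removed,
                "stale_exists": os.path.exists(stale), "fresh_exists": os.path.exists(fresh)}
```

A single random pass is sufficient for modern magnetic media; the number of passes is not what decides whether the data is gone, the storage technology is.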

Page 34: Chapter005

5-34

Locking Down Electronic Office Systems

Ensure that e-mail and office automation systems are tightly controlled
There is a need to develop and formalize a statement of what is and is not acceptable use
• This is called an acceptable use policy
• Serves as the formal basis for subsequent control

Page 35: Chapter005

5-35

Defining Good Security Practice for an E-Mail System

Defining, communicating, and enforcing good security practice in the daily operation of the e-mail system can prevent most violations
Monitoring of acceptable use is frequently used in larger organizations and can be embedded in a software utility
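The slide says acceptable-use monitoring for e-mail can be embedded in a software utility. The following is an added example, not code from the book, of what the core of such a utility looks like: it parses an outbound message with Python's standard `email` package and reports two common policy violations, an attachment of a blocked executable type and a message marked confidential addressed to a recipient outside the organization. The internal domain, the blocked extensions, the confidentiality markers and both messages are constructed for the example.

```python
import email
from email.utils import getaddresses

# Policy parameters are assumptions for this example, not values from the book.
INTERNAL_DOMAINS = {"example.com"}
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".vbs", ".js"}
CONFIDENTIAL_MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY")

# Constructed outbound messages (not real mail) used to exercise the checks.
SAMPLE_VIOLATING = """\
From: alice@example.com
To: Bob <bob@partner.example.net>
Subject: Q1 numbers
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain; charset="utf-8"

Figures attached. CONFIDENTIAL - internal only.
--sep
Content-Type: application/octet-stream; name="tool.exe"
Content-Disposition: attachment; filename="tool.exe"
Content-Transfer-Encoding: base64

QUJD
--sep--
"""

SAMPLE_CLEAN = """\
From: alice@example.com
To: carol@example.com
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

See you at noon.
"""


def external_recipients(msg):
    """Addresses in To/Cc/Bcc whose domain is not one of ours."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return sorted(addr for _, addr in getaddresses(headers)
                  if addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS)


def check_message(raw):
    """Return [(rule, detail), ...] for every acceptable-use violation in one message."""
    msg = email.message_from_string(raw)
    violations = []
    marked = any(m in msg.get("Subject", "").upper() for m in CONFIDENTIAL_MARKERS)
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue   # container only; its children are visited by walk()
        filename = part.get_filename()
        if filename:
            ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
            if ext in BLOCKED_EXTENSIONS:
                violations.append(("blocked-attachment-type", filename))
        elif part.get_content_type() == "text/plain":
            charset = part.get_content_charset() or "utf-8"
            body = part.get_payload(decode=True).decode(charset, "replace")
            if any(m in body.upper() for m in CONFIDENTIAL_MARKERS):
                marked = True
    external = external_recipients(msg)
    if marked and external:
        violations.append(("confidential-to-external", ", ".join(external)))
    return violations


if __name__ == "__main__":
    print(check_message(SAMPLE_VIOLATING))
    print(check_message(SAMPLE_CLEAN))
```

Checking the decoded attachment filename rather than the Content-Type is deliberate: the sender's client labels the part, so the label cannot be trusted, while the filename is what the recipient's client will use to decide how to open it. A production utility would also look at magic bytes inside the attachment, because the extension is under the sender's control too.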