domain10 operations security

Post on 02-Jun-2018


  • 8/10/2019 Domain10 Operations Security
    1/25
    CISSP Essentials: Mastering the Common Body of Knowledge
    Class 10: Operations security
    Lecturer Shon Harris, CISSP, MCSE
    President, Logical Security

  • 2/25
    CISSP Essentials Library: www.searchsecurity.com/CISSPessentials
    Class 10 Quiz: www.searchsecurity.com/Class10quiz
    Class 10 Spotlight: www.searchsecurity.com/Class10spotlight
    CISSP Essentials: Mastering the Common Body of Knowledge

  • 3/25
    Operations security objectives
        Operations responsibilities
        Operations personnel
        Configuration management
        Media access protection
        System recovery
        Facsimile security
        Vulnerability and penetration testing
        Attack types

  • 4/25
    Computer operations
    Operations responsibilities
        System administration
        Routine activities required to keep systems and networks up and running
        Fixing hardware and software issues
        Applying patches and hotfixes
        Maintaining security mechanisms
        Backups and recovery
        Media library
        Configuration management
        Controlling and maintaining remote access
        Maintaining input/output controls
        Contingency planning
        Variance detection
        Incident handling
        Penetration testing
        Licensing issues
        Unusual or unexplained occurrences
        Deviations from standards
        Unscheduled initial program loads

  • 5/25
    Personnel
    Operators in a mainframe environment
        Monitor execution of system
        Control flow of jobs
        Mount input/output volumes
        Initial Program Load (IPL)
        Rename/relabel resources
        Reassign ports/lines
    Personnel controls
        Administrative controls
            Separation of duties
            Job rotation
            Activity logging
            Mandatory vacations
            Need-to-know
            Least privilege
    These are the people with the most privileged access!

  • 6/25
    Security operations personnel
    Security administrator
        Implements and maintains security devices and software
        Carries out security assessments
        Creates and maintains user profiles
        Implements and maintains access control mechanisms
        Configures and maintains security labels in MAC environments
    Best if this is a different role than a network administrator
    The security administrator should not report to the network administrator!
    Should report to a security officer
    Separate chains of command should exist to avoid conflicts of interest

  • 7/25
    Some threats to computer operations
    Threats
        User errors and omissions
        Internal fraud
        Loss of system and network capabilities
        Malicious hackers
        Malicious code
        Collusion
            Two or more people coming together to carry out fraudulent activities
        Espionage
        Software and hardware malfunctions
        Physical facility or system attacks

  • 8/25
    Controlling change
    Configuration management
        Performed after a change has been approved through a change control process
        Ensures that the changes to production systems are done properly
        Ensures that changes do not take place unintentionally or unknowingly
    Security issues
        Identifying, controlling, accounting for and auditing changes made to the baseline TCB
        Documentation and maintenance of documents pertaining to system and software changes
        Reflects changes in contingency plans
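The configuration-management points above ("changes do not take place unintentionally or unknowingly", "auditing changes made to the baseline") are what a baseline-and-compare check enforces in practice. The Python below is an added example, not part of the slides: it hashes every file under a configuration directory once an approved change has been applied, stores that baseline, and later classifies each deviation as modified, added or removed. The directory, file names and contents are constructed; in a real deployment the baseline is kept off the monitored host and refreshed only through the change control process.

```python
"""Baseline-and-compare check for configuration files: take a hash baseline
once a change has been approved and applied, then report any file that has
since been modified, added or removed. Added example, not from the slides;
the directory tree and file contents are constructed."""
import hashlib
import json
import os
import tempfile
from typing import Dict, Set


def hash_tree(root: str) -> Dict[str, str]:
    """Map every regular file under root (path relative to root) to its SHA-256."""
    digests: Dict[str, str] = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for block in iter(lambda: f.read(65536), b""):
                    h.update(block)
            digests[rel] = h.hexdigest()
    return digests


def save_baseline(digests: Dict[str, str], path: str) -> None:
    """Persist the approved baseline (kept off-host in a real deployment)."""
    with open(path, "w") as f:
        json.dump(digests, f, sort_keys=True, indent=1)


def load_baseline(path: str) -> Dict[str, str]:
    with open(path) as f:
        return json.load(f)


def diff_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, Set[str]]:
    """Classify every deviation of the current tree from the approved baseline."""
    return {
        "modified": {p for p in baseline if p in current and current[p] != baseline[p]},
        "added": set(current) - set(baseline),
        "removed": set(baseline) - set(current),
    }


def _write(root: str, rel: str, text: str) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)


def demo() -> Dict[str, Set[str]]:
    """Constructed scenario: baseline after an approved change, then unapproved drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "cfg")
        _write(root, "sshd_config", "PermitRootLogin no\n")
        _write(root, "sudoers", "root ALL=(ALL) ALL\n")
        baseline_file = os.path.join(tmp, "baseline.json")
        save_baseline(hash_tree(root), baseline_file)

        _write(root, "sshd_config", "PermitRootLogin yes\n")        # unapproved edit
        _write(root, "cron.d/nightly", "0 2 * * * root /opt/job\n")  # unapproved addition
        os.remove(os.path.join(root, "sudoers"))                     # unapproved removal
        return diff_baseline(load_baseline(baseline_file), hash_tree(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {sorted(paths)}")
```

The check reports what changed, not whether the change was authorized; tying each reported path back to an approved change record is the manual step that closes the loop.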

  • 9/25
    Agenda
    Fault-tolerance mechanisms
        RAID
        Disk duplexing
        Disk shadowing (mirroring)
        Software checkpointing
        Redundant servers
        Clustering
        Backups
        Dual backbones
        Redundant power
        Mesh network topology instead of star, bus or ring

  • 10/25

  • 11/25
    Backups
    Online backups
        Real-time, or near real-time, backups
        Usually used for critical databases
        Electronic vaulting technology
    Batch backups
        Frequency of backup depends upon how often data changes
    Backing up of
        Data
        Software products
        Databases
        Utility programs

  • 12/25
    Backup types
    Full backup
        All files are backed up
        Fastest restoration process
        Takes the longest to perform backup
    Incremental backup
        Backs up files that have changed since last backup
        Backups can be performed quickly, but restoration takes longer
        Full backup must be restored first and then each incremental backup
    Differential backup
        Backs up files that have changed since last full backup
        For restoration, full backup is restored and then differential backup is restored
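The three backup types differ in what each set captures and in how many sets a restore has to replay. The following Python simulation is an added example, not part of the slides: it walks a constructed three-file volume through a full backup followed by three days of either incremental or differential backups, and derives the restore order the slide describes (full, then every incremental in order; or full, then only the newest differential). "Changed since" is tracked by a day number standing in for the archive bit a real backup agent uses; the simulator assumes one strategy is used between fulls and does not track deletions.

```python
"""Simulation of full, incremental and differential backups on one small
"volume" and of the restore order each type implies. Added example; not from
the original slides. File names, contents and change days are constructed."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class FileState:
    content: str
    mtime: int                # day on which the content was last written


@dataclass
class BackupSet:
    kind: str                 # "full", "incremental" or "differential"
    day: int
    files: Dict[str, str]     # file name -> content captured in this set


class BackupSimulator:
    def __init__(self) -> None:
        self.volume: Dict[str, FileState] = {}
        self.sets: List[BackupSet] = []
        self.last_full_day = -1
        # Day of the last backup that "cleared the archive bit": the last full
        # or incremental. Differentials do not move this reference point.
        self.last_cleared_day = -1

    def write(self, day: int, name: str, content: str) -> None:
        self.volume[name] = FileState(content, day)

    def backup(self, kind: str, day: int) -> BackupSet:
        if kind == "full":
            cutoff = -1                          # every file
        elif kind == "incremental":
            cutoff = self.last_cleared_day       # changed since last backup
        elif kind == "differential":
            cutoff = self.last_full_day          # changed since last full backup
        else:
            raise ValueError(f"unknown backup kind: {kind}")
        captured = {n: f.content for n, f in self.volume.items() if f.mtime > cutoff}
        bset = BackupSet(kind, day, captured)
        self.sets.append(bset)
        if kind == "full":
            self.last_full_day = day
        if kind in ("full", "incremental"):
            self.last_cleared_day = day
        return bset

    def restore_plan(self) -> List[BackupSet]:
        """Sets to restore, in order: the latest full first, then every later
        incremental (oldest to newest) or, when only differentials follow the
        full, just the newest differential."""
        full_idx = max(i for i, s in enumerate(self.sets) if s.kind == "full")
        later = self.sets[full_idx + 1:]
        plan = [self.sets[full_idx]]
        if later and all(s.kind == "differential" for s in later):
            plan.append(later[-1])
        else:
            plan.extend(later)
        return plan

    @staticmethod
    def restore(plan: List[BackupSet]) -> Dict[str, str]:
        """Apply the sets in order; a later copy of a file overwrites an earlier
        one. Deletions are not tracked, so a file removed after the full reappears."""
        restored: Dict[str, str] = {}
        for bset in plan:
            restored.update(bset.files)
        return restored


def bytes_copied(sim: BackupSimulator) -> int:
    """Total characters written to backup media across all sets."""
    return sum(len(c) for s in sim.sets for c in s.files.values())


def run_schedule(kind: str) -> BackupSimulator:
    """Constructed schedule: full on day 0, then a backup of `kind` on days 1-3."""
    sim = BackupSimulator()
    for name in ("a.txt", "b.txt", "c.txt"):
        sim.write(0, name, name[0] + "0")
    sim.backup("full", 0)
    sim.write(1, "a.txt", "a1")
    sim.backup(kind, 1)
    sim.write(2, "b.txt", "b2")
    sim.backup(kind, 2)
    sim.write(3, "a.txt", "a3")
    sim.backup(kind, 3)
    return sim


if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        sim = run_schedule(kind)
        plan = sim.restore_plan()
        print(f"{kind}: {bytes_copied(sim)} chars backed up, restore replays "
              f"{len(plan)} sets -> {sim.restore(plan)}")
```

Both schedules restore the same final state; the incremental run copies less per day (12 characters in total against 16) but must replay four sets, while the differential run replays two. That is the trade-off the slide summarises as "performed quickly, but restoration takes longer".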

  • 13/25
    Agenda
        Remote access
        Fax security
        Vulnerability and penetration testing
        Honeypots

  • 14/25
    Before carrying out vulnerability testing
    Things that need to be agreed upon
        Goals of the assessment
            Evaluates the true security posture of an environment
            Identifies as many vulnerabilities as possible
            Tests how systems react to certain circumstances and attacks
        Written agreement from management
            Protects the tester
            Ensures there are no misunderstandings
        Explaining testing ramifications
            Vulnerable systems could be knocked offline
            Production could be negatively affected
        Results from test are just a snapshot in time
            As the environment changes, new vulnerabilities can arise

  • 15/25
    Vulnerability assessments
    Types of assessments
        Personnel
            Reviews employee tasks and identifies vulnerabilities
            Social engineering
            Employee policies and procedures
        Physical
            Facility and perimeter protection mechanisms
            Interior protection mechanisms
            Protection of server room, wiring closets, sensitive systems, assets, etc.
            Dumpster diving
            Protection mechanisms for man-made, natural or technical threats
        System and network
            Automated scanning product
            Identifies system vulnerabilities
            Some may attempt to exploit vulnerabilities

  • 16/25
    Step in attack | Explanation | Example
    Reconnaissance
        Explanation: Intelligence work of obtaining information, either passively or actively
        Example: Passively = sniffing traffic, eavesdropping; Actively = ARIN and Whois databases, examining Web site HTML code, social engineering
    Scanning
        Explanation: Identifying systems that are running and the services active on them
        Example: Ping sweeps and port scans
    Gaining access
        Explanation: Exploiting identified vulnerabilities to gain unauthorized access
        Example: Exploiting a buffer overflow, brute forcing a password, logging onto a system
    Maintaining access
        Explanation: Uploading malicious software to ensure re-entry is possible
        Example: Installing a Trojan horse that implements a backdoor on a system
    Covering tracks
        Explanation: Carrying out activities to hide one's malicious activities
        Example: Deleting or modifying data in system and application logs
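The "Covering tracks" row names deletion and modification of log data; the defender's countermeasure is to make the log tamper-evident. The Python below is an added example, not part of the slides: each record carries a hash that covers the previous record's hash, so an edited or deleted entry breaks the chain, and the chain head is sealed with an HMAC whose key is assumed to be held by a remote log collector rather than the logging host. The events, field names and key are constructed. The example also shows the edge case chaining alone misses: removing the newest records leaves a valid shorter chain, which is exactly what the seal over the head is there to catch.

```python
"""Tamper-evident log chain: each record's hash covers the previous record's
hash, so a deleted or edited entry breaks the chain, and a keyed seal over the
chain head catches truncation of the newest entries. Added example, not from
the slides; the log events and the key are constructed."""
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64   # "previous hash" of the very first record


def _digest(prev_hash: str, seq: int, event: Dict) -> str:
    # Canonical JSON so the same event always serialises identically.
    payload = json.dumps({"seq": seq, "prev": prev_hash, "event": event},
                         sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def append(log: List[Dict], event: Dict) -> Dict:
    """Append an event as a record chained to the current head."""
    prev = log[-1]["hash"] if log else GENESIS
    record = {"seq": len(log), "prev": prev, "event": event}
    record["hash"] = _digest(prev, record["seq"], event)
    log.append(record)
    return record


def verify(log: List[Dict]) -> Optional[int]:
    """None if the chain is intact, otherwise the index of the first bad record."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if (rec.get("seq") != i or rec.get("prev") != prev
                or rec.get("hash") != _digest(prev, i, rec.get("event"))):
            return i
        prev = rec["hash"]
    return None


def seal(log: List[Dict], key: bytes) -> str:
    """HMAC over the chain head. The key (or the seal) must live off the logging
    host, e.g. on the remote collector, otherwise the host can re-seal a rewritten log."""
    head = log[-1]["hash"] if log else GENESIS
    return hmac.new(key, head.encode(), hashlib.sha256).hexdigest()


def verify_sealed(log: List[Dict], key: bytes, seal_value: str) -> bool:
    return verify(log) is None and hmac.compare_digest(seal(log, key), seal_value)


def build_sample_log() -> List[Dict]:
    """Constructed sample events."""
    log: List[Dict] = []
    for event in (
        {"user": "alice", "action": "login", "result": "ok"},
        {"user": "alice", "action": "sudo", "cmd": "systemctl restart nginx"},
        {"user": "bob", "action": "login", "result": "fail"},
        {"user": "bob", "action": "login", "result": "ok"},
    ):
        append(log, event)
    return log


# The two tampering patterns named in the table, applied to a copy of the log.
def delete_record(log: List[Dict], idx: int) -> List[Dict]:
    return log[:idx] + log[idx + 1:]


def edit_record(log: List[Dict], idx: int, field: str, value) -> List[Dict]:
    tampered = copy.deepcopy(log)
    tampered[idx]["event"][field] = value
    return tampered


if __name__ == "__main__":
    log = build_sample_log()
    key = b"constructed-collector-key"
    head_seal = seal(log, key)
    print("intact:", verify(log))                                        # None
    print("record 1 deleted:", verify(delete_record(log, 1)))            # 1
    print("record 2 edited:", verify(edit_record(log, 2, "result", "ok")))  # 2
    truncated = log[:-1]
    print("tail truncated, chain only:", verify(truncated))              # None
    print("tail truncated, with seal:", verify_sealed(truncated, key, head_seal))  # False
```

In production the same idea is realised by forwarding records to a collector the application host cannot write to retroactively, or by write-once storage; the chain makes any gap or edit visible, the off-host seal makes the current head non-repudiable.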

  • 17/25
    Penetration testing
    Attempting to break in
        Passive reconnaissance
            Footprinting
            Sniffing
        Perform active reconnaissance
            Scanning systems
            Map the network, and enumerate resources and accounts
        Exploit identified vulnerabilities
            Operating system and application attacks
                Buffer overflows -- remote and local
                Sending malformed packets
                Sending invalid data types
            Denial of service
        Elevate privileges
        Configure a re-entry point
            Backdoor
            Install rootkit

  • 18/25
    Protection mechanism - Honeypot
    Honeypot
        Usually placed in a DMZ
        Must not be connected to internal network
        Sacrificial lamb system on the network
        The goal is that hackers will attack this system instead of production systems
        Can gather data for possible prosecution
        It is enticing because many ports are open and services are running
        Could be just emulating services

  • 19/25
    Agenda
    Unauthorized disclosure
        It can happen intentionally or unintentionally
        Companies need to be aware of both threats and protect themselves
    Social engineering
    Object reuse issues
    Keyboard loggers
    Emanation leakage

  • 20/25
    Data leakage - Social engineering
    Characteristics
        Convincing people that you are authorized to access sensitive data
        Skillful lying with the goal of obtaining information
        Kevin Mitnick's attack of choice
    Examples:
        Spoofing e-mail
        Impersonating a repair person to gain access to segments in the facility
        Calling an administrator impersonating a user who needs his password
        Calling users and impersonating the administrator to have them give out or change passwords
        Impersonating a law enforcement agent inquiring about certain security defenses or recent violations

  • 21/25

  • 22/25
    Object reuse
    Ways of implementing object reuse protection
        Degaussing
            Machine that works as a large magnet
            Returns electrons to their original state, meaning the polarization of electrons is changed
            Returning magnetic flux to initial state or zero
        Zeroization
            Software tool that writes NULL values continually over media
            Government use requires tool to write NULL values over media seven times
        Physical destruction
            If media cannot be properly erased any other way
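The zeroization bullet describes overwriting media with NULL values for a number of passes. The Python below is an added example, not from the slides: it does this for a single file, on a constructed copy in a temporary directory, forcing each pass out to the device before starting the next and reading the file back to confirm every byte is zero; the slide's seven passes are the default. One caveat a practitioner should keep in mind: overwriting a file only reaches the logical blocks the filesystem currently maps to it, so copies held in filesystem journals, snapshots, backups, or SSD blocks that wear levelling has remapped are untouched. Clearing the media itself calls for device-level sanitization or the physical destruction bullet above.

```python
"""Zeroization of a file by overwriting its contents with NULL bytes for a
given number of passes, with a read-back check. Added example, not from the
slides; the sample file is constructed in a temporary directory."""
import os
import tempfile

CHUNK = 64 * 1024


def zeroize_file(path: str, passes: int = 7) -> int:
    """Overwrite every byte of the file with 0x00, `passes` times, flushing and
    fsyncing after each pass so it reaches the device before the next. Returns
    the number of bytes overwritten per pass (the file size)."""
    if passes < 1:
        raise ValueError("passes must be >= 1")
    size = os.path.getsize(path)
    zeros = b"\x00" * CHUNK
    with open(path, "r+b") as f:          # r+b keeps the same inode and length
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(zeros[:n])
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def is_zeroized(path: str) -> bool:
    """True when every byte of the file reads back as 0x00."""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return True
            if chunk.count(0) != len(chunk):
                return False


def demo(passes: int = 7):
    """Create a constructed ~150 KB file, zeroize it, return (size, verified)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "secret.bin")
        with open(path, "wb") as f:
            f.write(b"constructed sensitive content " * 5000)   # 150000 bytes
        size = zeroize_file(path, passes)
        return size, is_zeroized(path)


if __name__ == "__main__":
    size, ok = demo()
    print(f"overwrote {size} bytes x 7 passes, verified: {ok}")
```

The read-back check only proves what the filesystem returns for that path now; it says nothing about the earlier copies listed in the caveat, which is why the verification step is necessary but not sufficient on its own.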

  • 23/25
    Data leakage - Keystroke logging
    Keystroke monitoring
        Software logger tools
            After a system is compromised, a logger can be uploaded
            Data (usually credentials) is saved for hacker or sent to hacker for unauthorized access
        Physical loggers
            Connector between keyboard and computer
            Holds all data that user types in
            Attacker plants logger and retrieves it at a later time

  • 24/25
    Controlling data leakage - TEMPEST
    TEMPEST
        U.S. government started a study on how data can be leaked and captured through electrical signals
        TEMPEST went from a study to a standard for equipment vendors
        Equipment has a metal mesh to reduce the device's radiation
            Faraday cage
        TEMPEST equipment is expensive and specialized
        Selling and purchasing this type of equipment is highly controlled by the government

  • 25/25
    CISSP Essentials: Mastering the Common Body of Knowledge
    Lecturer Shon Harris, CISSP, MCSE
    President, Logical Security
    www.LogicalSecurity.com
    Register for previous classes at the CISSP Essentials Library: www.searchsecurity.com/CISSPessentials