CISSP Prep Guide - PowerPoint PPT Presentation

Slides: 39
Provided by: jackse

1
CISSP Prep Guide
  • Domain Operations Security
  • Javier Romero, GCIA CISSP
  • January 2003

2
Topics
  • Domain Definition
  • Controls and Protections
  • Categories of Controls
  • Orange Book Controls
  • Covert Channel Analysis
  • Trusted Facility Management
  • Configuration/Change Management Control
  • Administrative Controls
  • Least Privilege
  • Operations Job Function Overview
  • Record Retention
  • Documentation
  • Operations Controls
  • Resource Protection
  • Hardware Controls
  • Software Controls
  • Privileged Entity Controls
  • Media Resource Protection
  • Physical Access Controls
  • Monitoring and Auditing
  • Monitoring
  • Monitoring Techniques
  • Auditing
  • Security Auditing
  • Problem Management Concepts
  • Threats and Vulnerabilities
  • Threats
  • Accidental Loss
  • Inappropriate Activities
  • Illegal Computer Operations
  • Vulnerabilities

3
1. Domain Definition
  • Operations security means
  • The act of understanding threats and vulnerabilities
  • Implementing security controls.
  • Controls can include resolving software/hardware
    problems.
  • Triples
  • Threat, an event that could cause damage
  • Vulnerability, weakness that enables violation
  • Asset, all resources (hardware, software, data,
    personnel)
  • CIA
  • Confidentiality, Integrity, Availability

4
2. Controls and Protections
  • Premise: protect hardware, software and media
    resources from
  • Threats in an operating environment.
  • Internal or external intruders
  • Operators inappropriately accessing resources.
  • Critical aspects of operations controls
  • Resource protection (hardware control)
  • Privileged-entity control

5
2.1. Categories of Controls
  • Major categories
  • Preventative Controls (before)
  • Detective Controls (after)
  • Corrective (or Recovery) Controls (restore)

6
2.1. Categories of Controls
  • Additional categories
  • Deterrent Controls (support others)
  • Application Controls (designed to each app)
  • Transaction Controls.
  • Input Controls (ensure inputs)
  • Processing Controls (check/correct process)
  • Output Controls (confidentiality/integrity)
  • Change Controls (preserve data)
  • Test Controls (during testing)

7
2.2. Orange Book Controls
  • 2 types of assurance
  • Operational assurance, see
  • basic features and architecture
  • Life cycle assurance, see
  • controls / standards to build / to maintain a
    system.
  • Requirements (5)
  • System architecture
  • System integrity
  • Covert channel analysis
  • Trusted facility management
  • Trusted recovery
  • Requirements (4)
  • Security Testing
  • Design specification and testing
  • Configuration management
  • Trusted distribution

8
2.2.1. Covert Channel Analysis
  • Covert storage channels, convey
  • By changing a system's stored data.
  • E.g. changing the amount / patterns of free space
    on HDD.
  • E.g. changing characteristics of a file.
  • Covert Timing channels
  • By altering the performance or modifying the
    timing of a system resource.
  • E.g. using the elapsed time required by an
    operation
  • E.g. using time between 2 events.
  • Noise and traffic generation, effective to combat

9
2.2.1. Covert Channel Classes
CLASS     | DESCRIPTION
B2        | System must protect against covert STORAGE channels. It must perform a covert channel analysis of all covert storage channels.
B3 and A1 | STORAGE and TIMING channels, analysis of BOTH

10
2.2.2. Trusted Facility Management
  • Assign functions to a person (security roles)
  • Just for B2 (operator and sys admin)
  • Just for B3, and A1 (security admin)
  • Related to
  • Least privilege
  • Separation of duties
  • Need to know

11
2.2.2.1. Separation of Duties
  • Also called segregation of duties
  • No single person
  • Has total control
  • Can compromise the system.
  • Each person has the least privilege needed to work,
    for a short length of time
  • Highly secure system has 3 roles
  • sysadmin, secadmin, ISSO
  • Roles are functionally different
  • Two-man control, 2 people review/approve each
    other's work
  • Dual control, 2 people are needed to complete a
    sensitive task

12
2.2.2.1. Separation of Duties
  • Sys admin functions
  • Install system software
  • Start/shut down a system
  • Add/remove sys users
  • Perform backup/recovery
  • Handle printer/queues
  • Sec admin functions
  • Set user clearance, initial password, etc.
  • Change security profile for users
  • Set/change file sensitive labels
  • Set sec. characteristics of devices/comm.
    channels.
  • Review audit data.

13
2.2.2.2 Rotation of Duties
  • It is a process that may be difficult to implement,
    but it is an effective security control procedure.
  • Lessens collusion between operators for fraudulent
    purposes.
  • Goal is to limit the time an operator spends
    performing one security task before changing to
    another one.

14
2.2.3. Trusted Recovery
  • System must not be compromised by a crash.
  • Trusted recovery has 2 activities
  • (1) Failure Preparation
  • Back up all critical files periodically.
  • Must ensure an ordered/protected data recovery
  • Needed when system needs to be halted
  • A system problem,
  • A missing resource,
  • An inconsistent database,
  • any kind of compromise.

15
2.2.3. Trusted Recovery
  • (2) System Recovery, procedure include
  • Recover in single user mode
  • Recover all file systems
  • Recover damaged files/DB
  • Recover security characteristics
  • Check security critical files
  • Common Criteria's hierarchical recovery types
  • Manual Recovery
  • Automated Recovery
  • Automated Recovery without Undue Loss.

16
2.2.4. Configuration/Change Management Control
  • Process of tracking and approving changes:
    identifying, controlling and auditing changes to
    hardware, software, network or others.
  • Goal: ensure changes don't affect system security.
  • Secure trusted systems under design/development

17
2.2.4. Configuration/Change Management Control
  • Functions
  • Check order, notify, analyze, reduce negative impact
  • 5 procedures
  • Apply, Catalog, Schedule, Implement, Report
  • Configuration management classes
  • B2, B3 conf./change management control enforced
    to develop and maintain system
  • A1 conf./change management control enforced to
    entire sys life cycle.

18
2.3. Administrative Controls
  • Personnel Security
  • Employment Screening or Background Checks
  • Mandatory Taking of Vacation in One Week
    Increments
  • Job Action Warnings or Termination
  • Separation of Duties and Responsibilities
  • Least Privilege
  • Need to Know
  • Change/Configuration Management Controls
  • Records Retention and Documentation

19
2.3.1. Least Privilege
  • Separate the access levels.
  • Read Only.
  • Read/Write.
  • Access Change.

20
2.3.2. Operations Job Function Overview
  • Overview of operational functions. Examples
  • Computer Operator,
  • run console, backup, record/report problems,
    maintain controls.
  • Operations Analyst,
  • Work Soft/Dev app, check program/ comp.
    Operators.
  • Job Control Analyst,
  • Quality of production job, metrics, standards.
  • Production Scheduler,
  • Plan/Create/Coordinate schedules of computer
    process.
  • Production Control Analyst,
  • Tape Librarian,

21
2.3.3. Record Retention
  • Record retention deals with computer files,
    directories, and libraries.
  • Data Remanence
  • Data still exists. Physical traces.
    Reconstructions.
  • SysAdmin and SecAdmin must know about it.
  • Due Care and Due Diligence
  • Good business practices -> organization's
    industry.
  • Legal requirements.

22
2.3.4. Documentation
  • A security system needs documentation controls.
  • Docs as
  • Security plans
  • Contingency plans
  • risk analyses
  • Security policies
  • procedures
  • Docs must be protected against disclosure.
  • Docs must be ready in disasters.

23
2.4. Operations Controls
  • Resource Protection
  • Hardware controls
  • Software controls
  • Privileged-entity controls
  • Media controls
  • Physical access controls

24
2.4.1. Resource Protection
  • Hardware
  • Communications, Storage media, processing
    systems, standalone computers, printers/fax
  • Software
  • Program libraries, src code, vendor software, OS
    / utilities.
  • Data
  • Backups, usr/pwd data files, Operating data dir,
    logs/audit trails
  • Transparency
  • Flexible; no extra steps to use; no need to learn
    too much about the security control.

25
2.4.2 Hardware Protection
  • Hardware Maintenance
  • Maintenance needs physical and logical access; it
    must be
  • Supervised for on-site, remote or transported
    work.
  • Maintenance Accounts
  • Vendor accounts w/default passwords.
  • Diagnostic Port Control
  • Direct hardware access. Used only by authorized
    personnel.
  • Hardware Physical Control
  • Use locks and alarms in some data processing
    areas.

26
2.4.3. Software Controls
  • Antivirus management
  • Nobody must load/execute software without supervision
  • Software testing
  • Test w/new code. Test w/upgrades too.
  • Software utilities
  • Sec. Policy prevents misuse of utilities.
  • Safe software storage.
  • Hw/soft access controls ensure integrity of
    backups.
  • Backup controls
  • Accurate restoring; secure backups against theft,
    damage, environmental problems.

27
2.4.4. Privileged Entity Controls
  • privileged operations functions.
  • Special access to computing resources by
    operators and sys admins according to their job
    title.
  • Examples of classes of privileged operations
    functions
  • Special access to system commands
  • Access to special parameters
  • Access to the system control program

28
2.4.5. Media Resource Protection
  • Media Security Controls, ie.
  • Logging
  • Access Control
  • Proper Disposal: Overwrite, Degauss, Destruction.
  • Media Viability Controls, ie.
  • Marking
  • Handling
  • Storage

29
2.4.6. Physical Access Controls
  • E.g. equipment which could need protection
  • Hardware control over
  • Communications / Computing Equipment
  • Storage media.
  • Printed logs / reports.
  • Software
  • Bckp. Files, System logs.
  • Production applications, sensitive / critical
    data.
  • Type of personnel to have special access.

30
3. Monitoring and Auditing
  • Monitoring
  • Techniques, mechanisms, tools.
  • Actions to identify event vectors / report
    info.
  • Monitor illegal sw, hw faults, anomalies.
  • Auditing
  • It is the foundation of monitoring controls
  • Helps monitor, to develop patterns.

31
3.1. Monitoring Techniques
  • Intrusion Detection
  • Intruders, traffic patterns, evidence.
  • Penetration Testing
  • Sniffing, Scanning/probing, Demon Dialing
  • Dumpster diving, Social Engineering
  • Violation Analysis, detects violations as
  • Errors, exceeded privileged,
  • Many people w/unrestricted access.
  • Patterns w/serious intrusion attempts

32
3.2. Security Auditing
  • Two types
  • Internal auditors
  • More mandate
  • Check compliance/standards of due care,
    operational cost-efficiencies, recommendations
  • External auditors,
  • Often Certified Public Accountants (CPAs)
  • Financial statements
  • Auditors functions, review
  • Controls, procedures, standards, plans /
    implementations.

33
3.2.1. Audit Trails
  • Let you identify/resolve problems. Historical trace.
  • Enforce accountability. Let you reconstruct events.
  • Logs must contain
  • Date/Time, Who, Terminal (from), Related events.
  • Auditor must look at
  • Reruns or Rectification of jobs, Practices of
    operator
  • Note: protect audit media/reports
  • When storage is off-site, against alteration /
    unavaila.
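
An added example, not part of the original presentation: a small violation-analysis pass over an audit trail whose records carry the four fields listed on slide 33 (date/time, who, terminal, related event). The record layout, the event names and the per-user threshold are assumptions made for the illustration, and the sample trail is constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample audit trail. Each record carries the fields slide 33 lists:
# date/time, who, terminal (from), and the related event.
SAMPLE_TRAIL = """\
2003-01-14T08:01:12 jdoe tty03 LOGIN_FAIL
2003-01-14T08:01:40 jdoe tty03 LOGIN_FAIL
2003-01-14T08:02:05 jdoe tty03 LOGIN_FAIL
2003-01-14T08:02:31 jdoe tty03 LOGIN_OK
2003-01-14T09:15:00 oper1 console JOB_RERUN
2003-01-14T09:40:10 oper1 console PRIV_DENIED
2003-01-14T10:05:00 asmith tty07 LOGIN_FAIL
2003-01-14T10:05:30 malformed-line
"""

VIOLATIONS = {"LOGIN_FAIL", "PRIV_DENIED"}  # assumed event names
THRESHOLD = 3                               # assumed per-user reporting threshold


def parse_trail(text):
    """Return (records, rejected); a line missing a required field is rejected."""
    records, rejected = [], []
    for line in text.splitlines():
        try:
            when, who, terminal, event = line.split()
            records.append((datetime.fromisoformat(when), who, terminal, event))
        except ValueError:  # wrong field count or unparseable timestamp
            rejected.append(line)
    return records, rejected


def violation_report(records, threshold=THRESHOLD):
    """Count violation events per user; report users at or above the threshold."""
    counts = Counter()
    terminals = defaultdict(set)
    for _when, who, terminal, event in records:
        if event in VIOLATIONS:
            counts[who] += 1
            terminals[who].add(terminal)
    return {who: {"count": n, "terminals": sorted(terminals[who])}
            for who, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs, bad = parse_trail(SAMPLE_TRAIL)
    print("flagged:", violation_report(recs))
    print("incomplete records:", bad)
```

Records that lack one of the required fields are reported separately rather than silently dropped, since an incomplete audit record cannot support accountability.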

34
3.3.3. Problem Management Concepts
  • PM is the way to Control the process
  • Of problem isolation / problem resolution
  • Goal
  • Reduce failures (acceptable risk), prevent
    recurrence of problem, mitigate impacts
  • How to implement
  • Define potential problem areas.
  • Define abnormal events to be investigated.

35
4. Threats and Vulnerabilities
  • Threats: events
  • Can cause damage / create loss of CIA
  • Can be malicious: file modification
  • Can be accidental: accidental deletion of a file
  • Vulnerabilities
  • Weakness that can be exploited by a threat.
  • Reduce vulnerabilities -> reduce risk / impact of threats

36
4.1. Threats
  • Accidental Loss
  • Lack of training/proficiency
  • Operator input errors and omissions
  • Malfunctioning of app. processing procedure
  • Transaction processing errors.
  • Inappropriate Activities
  • Inappropriate Content
  • Waste of Corporate Resources
  • Sexual or Racial Harassment
  • Abuse of Privilege or Rights

37
4.1. Threats
  • Illegal Computer Operations and Intentional
    Attacks
  • Eavesdropping, sniffing, dumpster diving,
    shoulder surfing, data scavenging, trend
    analysis, social eng.
  • Fraud, altering of data integrity, collusion
  • Theft, hw/sw theft, trade secrets
  • Sabotage, DoS, delays of production
  • External Attack, demon dialing, scanning,
    probing, virus, etc.

38
4.2. Vulnerabilities
  • Traffic/Trend Analysis
  • Maintenance Accounts
  • Data Scavenging Attacks
  • IPL Vulnerabilities
  • Network Address Hijacking