Saturday, March 22, 2014

CISSP - Operations Security

Another important domain in CISSP CBK is Operations Security, which is more interesting for more people than some of the other domains (or it may be only my preference) and which takes less time to understand.

In this domain there are some important concepts that must be well known such as Data Backup modes and techniques (RAID levels) and Security Incident Response Management.

Administrative Security

Least Privilege

Principle of least privilege dictates that persons have no more than the access that is strictly required for the performance of their duties.

This principle is more meaningful in environments where Discretionary Access Control is applied. An important point to remember about DAC is that in this model, Data Owner defines who can access that specific data. With DAC, the principle of least privilege suggests that a user will be given access to data if, and only if, a data owner determines that a business need exists for the user to have the access.

Need to Know

With MAC, we have a further concept that helps to inform the principle of least privilege: need to know. Though the vetting process for someone accessing highly sensitive information is stringent, clearance level alone is insufficient when dealing with the most sensitive of information. An extension to the principle of least privilege in MAC environments is the concept of compartmentalization.

Compartmentalization is a method for enforcing need to know and can be best understood by considering a highly sensitive military operation; while there may be a large number of individuals (high rank), only a subset needs to know specific information. The others have no need to know and therefore no access.

Separation of Duties

Separation of duties prescribes that multiple people are required to complete critical or sensitive transactions. The goal of separation of duties is to ensure that in order for someone to be able to abuse access to sensitive data or transactions, that person must convince another party to act in concert.

If several people act in a way to compromise the security of sensitive information, collusion happens.

Rotation of Duties / Job Rotation

Rotation of duties simply requires that one person does not perform critical functions or responsibilities without interruption. If the operational impact of the loss of an individual would be too great, then perhaps one way to soften this impact would be to provide additional depth of coverage for this individual’s responsibilities.

Rotation of duties can also mitigate fraud. One of the best ways to detect this fraudulent behavior is to require that responsibilities that could lead to fraud be frequently rotated among multiple people. In addition to the increased detection capabilities, the fact that responsibilities are routinely rotated deters fraud.

Mandatory Leave / Forced Vacation

Discovering a lack of depth in personnel with critical skills can help organizations understand risks associated with employees unavailable for work due to unforeseen circumstances. Forcing all employees to take leave can identify areas where depth of coverage is lacking. Further, requiring employees to be away from work while it is still operating can also help reveal fraudulent or suspicious behavior.

Non-disclosure agreement (NDA)

Requiring employees to sign an NDA is a practice which is seen in more and more enterprises of today’s world. A special emphasis on signing NDA must be put on 3rd parties such as consultants, contractors and on-site outsourced workforce.

Background Checks

Privilege Monitoring

Some employees by their job definition may require some privileges that are higher than ordinary employees. The operations of these employees constitute greater risk and must be regularly checked.

Furthermore employees, changing functions or gaining some new responsibilities may keep their old privileges while earning the new ones. This is a difficult technical problem of today’s Identity/Access Management Systems to be addressed leading to privilege creeps. Privilege monitoring may also help to detect and recover such situations.

Sensitive Information and Media Security

Labeling/Marking

All information should be labeled according to the data classification policy to get the correct kind of care

Handling

Storage

Especially sensitive data should be kept encrypted in storage media.

Retention

Retention of sensitive information should not persist beyond the period of usefulness or legal requirement (whichever is greater), as it needlessly exposes the data to threats of disclosure when the data is no longer needed.

Media sanitization or destruction of data

Data Remanence

Data remanence is data that persists beyond non-invasive means to delete it. Deleting a file from the Recycle Bin does not necessarily mean that the file is unrecoverably deleted. Several other measures such as wiping (overwriting random bits on file’s location several times), degaussing (applying electromagnetic waves to a disk that will no longer be used), shredding and physical destruction should be considered according to the sensitivity of the data.

Asset Management

Configuration Management

Configuration management in this context has a different meaning that it has in various IT Service Management models. From Security perspective, configuration items should have a baseline configuration model which is security hardened and used as a standard for all of the same items to ease security management.

Baselining

Security baselining is the process of capturing a point-in-time understanding of the current system security configuration. Establishing an easy means for capturing the current system security configuration can be extremely helpful in responding to a potential security incident.

Patch Management

Patch management should be very tightly related to change management process. Automation and reporting is also very important

Vulnerability Management 

Vulnerability scanning is a way to discover poor configurations and missing patches in an environment. Vulnerability management is much more than just discovering the vulnerabilities and presenting the finding in form of a report. Vulnerability management requires a risk management to use institutions resources such as time and money to address necessary risks and do the reporting. The remediation or mitigation of vulnerabilities should be prioritized on both risk and ease of application.

The term for a vulnerability being known before the existence of a patch is zero-day vulnerability. The best way to deal with zero-day vulnerabilities is the application of defense-in-depth principle.

Change Management

The purpose of the change control process is to understand, communicate, and document any changes with the primary goal of being able to understand, control, and avoid direct or indirect negative impact that the changes might impose.

There should be a change control board that oversees and coordinates the change control process. The person proposing the change should attempt to supply information about any potential negative impacts that might result from the change, as well as any negative impacts that could result from not implementing the change. Rollback plan (backout plan) should be prepared in order to detail the procedures for reversing the change in case it is deemed necessary. Phases of change management procedure can be resumed as below:
  • Identifying a change
  • Proposing a change
  • Assessing the risk associated with the change
  • Testing the change
  • Scheduling the change
  • Notifying impacted parties of the change
  • Implementing the change
  • Reporting results of the change implementation

Finally, all changes must be closely tracked and auditable. A detailed change record should be kept.

Continuity of Operations

Service Level Agreements (SLAs)

Service Level Agreements are became more important in last years as more and more IT services are outsourced are provided in “as a service” model like in the case of cloud services. The goal of the SLA is to stipulate all expectations regarding the behavior of service (organizations mostly pay too much attention to availability and tend to forget other important factors) at the beginning of procurement process to include in contract negotiations.

Adequate time and effort should be spent to define specific service levels reflecting organization’s expectations from the service that is going to be acquired. Contractors may demand additional fees for requirements which were not previously included in contract negotiation phase.

Fault Tolerance

Full backup is simply is a replica of all allocated data on a hard disk and contains all of the allocated data on the hard disk, which makes them simple from a recovery standpoint in the event of a failure.The amount of media required to hold full backups is obviously more than other backup methods. Another downside of using only full backups is the time it takes to perform the backup itself, which may take too long according to the amount of data present on the system.

Incremental backups only archive files that have changed since the last backup of any kind was performed. Because fewer files are backed up, the time to perform the incremental backup is greatly reduced. For example, each Sunday, a full backup is performed. For Monday’s incremental backup, only those files that have been changed since Sunday’s backup will be marked for backup. On Tuesday, those files that have been changed since Monday’s incremental backup will be marked for backup.

Whereas the incremental backup only archives those files that had changed since any backup, the differential backup method backs up any files that have been changed since the last full backup.For example, Each Sunday, a full backup is performed. For Monday’s differential backup, only those files that have been changed since Sunday’s backup will be archived. On Tuesday, again those files that have been changed since Sunday’s full backup, including those backed up with Monday’s differential, will be archived.

Redundant Array of Inexpensive Disks (RAID)

The goal of (RAID) is to help mitigate the risk associated with hard disk failures. The various RAID levels consist of different approaches to disk array configurations. RAID configurations are not always made to mitigate hard disk failures, such in the case of RAID 0 and RAID 3 and can be done to improve read and write performance of the disks.

Before going further into RAID, we should understand the basic terms of RAID operation such as mirroring, striping and parity.

Mirroring is simply used to achieve full data redundancy by writing the same data to multiple hard disks. Because mirrored data must be written to multiple disks, the write times are slower; however, performance gains can be achieved when reading mirrored data by simultaneously pulling data from multiple hard disks.

Striping is a RAID concept that is focused on increasing the read and write performance by spreading data across multiple hard disks. With data being spread among multiple disk drives, read and writes can be performed in parallel across multiple disks rather than serially on one disk. This parallelization provides a performance increase and does not aid in data redundancy.

Parity is a way to achieve data redundancy without incurring the same degree of cost as that of mirroring in terms of disk usage and write performance. The table below explains basic RAID modes.

RAID Level
Description
RAID 0
Simple Striping, no redundancy
RAID 1
Mirrored disks, usable disk capacity is half of the total disk capacity
RAID 2
Requires either 14 or 39 disks and special controller, not commercially viable
RAID 3
Byte Level Striping with Dedicated Parity Disk (A disk alone is used for parity)
RAID 4
Block Level Striping with Dedicated Parity Disk (A disk alone is used for parity)
RAID 5
Block Level Striping with Distributed Parity (Parity is distributed to disks)
RAID 6
Block Level Striping with Double Distributed Parity (Uses double parity)






 


In addition to standard there are other RAID levels such as RAID 10 which are called nested RAID levels and which combine 2 RAID modes, in the case of RAID 10 these are RAID 1 and RAID 0.  RAID 01, RAID 50, RAID 60 and RAID 100 are other well-known nested RAID levels.

Other than disk backups, for critical systems, system level backups should also be considered. This can be realized by the use of redundancy of other critical system components such as power supplies, NICs and disk controllers. Systems as a whole can be backed up by using either active-active (load balancing) or active-passive redundancy methods which are more costly but which provide better levels of availability.

Incident Response Management

Security Incident Response is treated in most organizations no different than other IT incidents which results in important losses in regards to confidentiality and availability of the organization’s information.
Security Incident Response plan should be prepared prior to incidents and must be followed. This plan can be resumed in 4 or 6 steps according to the methodologies but the basis is the same.
  1. Preparation This stage includes training, writing incident response policies and procedures, and providing tools such as laptops with sniffing software, cables, original OS media, removable drives, etc.
  2. Detection and analysis Organizations should have an automated system (like SIEM) for pulling events from several systems and bringing those events into the wider organizational context. Attacker may use one attack or attack to mask the real attack.
  3. Containment A good analogy to explain containment is to compare it  to emergency medical technicians arriving on the scene of an accident, as they seek only to stabilize an injured patient (stop their condition from worsening) and do not attempt to cure the patient.
  4. Eradication In order for an organization to be able to reliably recover from an incident, the cause of the incident must be determined. Eradication cannot be made without a proper root cause analysis.
  5. Recovery
  6. Lessons learned

1 comment:

  1. Nice blog. Incident response plan can reduce damage, improve recovery time, and mitigate losses after a security incident.

    ReplyDelete