Another important domain in the CISSP CBK is Operations
Security, which is more interesting to more people than some of the other
domains (or that may be only my preference) and which takes less time to
understand.
In this domain there are some important concepts that must
be well understood, such as data backup modes and fault-tolerance techniques (RAID levels) and
Security Incident Response Management.
Administrative Security
Least Privilege
The principle of least privilege dictates that
persons have no more access than is strictly required for the
performance of their duties.
This principle is more meaningful in
environments where Discretionary Access Control (DAC) is applied. An important point
to remember about DAC is that in this model the data owner defines who can access
that specific data. With DAC, the principle of least privilege suggests that a
user will be given access to data if, and only if, the data owner determines that
a business need exists for the user to have that access.
Need to Know
With Mandatory Access Control (MAC), we have a further concept that
helps to inform the principle of least privilege: need to know. Though the
vetting process for someone accessing highly sensitive information is
stringent, clearance level alone is insufficient when dealing with the most
sensitive information. An extension of the principle of least privilege in
MAC environments is the concept of compartmentalization.
Compartmentalization is a method for
enforcing need to know and can be best understood by considering a highly sensitive
military operation; while there may be a large number of individuals (high
rank), only a subset needs to know specific information. The others have no
need to know and therefore no access.
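The two models described above, DAC (the owner grants on a stated business need) and MAC with compartments (clearance level alone is not enough; the subject must also hold the object's compartments), as an added Python example that is not part of the original post. The level names, compartment names and the `Label`/`DacObject` classes are constructed for the illustration.

```python
from dataclasses import dataclass

# Ordered sensitivity levels (constructed for this example; real schemes vary).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A MAC label: a sensitivity level plus the compartments (need-to-know
    categories) a subject is cleared for or an object is tagged with."""
    level: str
    compartments: frozenset = frozenset()


def dominates(subject: Label, obj: Label) -> bool:
    """Subject dominates object when its level is at least as high AND it holds
    every compartment on the object. Either test alone is insufficient."""
    return (LEVELS[subject.level] >= LEVELS[obj.level]
            and obj.compartments <= subject.compartments)


def mac_can_read(subject: Label, obj: Label) -> bool:
    return dominates(subject, obj)


def mac_denial_reasons(subject: Label, obj: Label) -> list:
    """Explain a denial so an access review can tell clearance gaps from
    need-to-know gaps (the two are handled by different processes)."""
    reasons = []
    if LEVELS[subject.level] < LEVELS[obj.level]:
        reasons.append("clearance %s is below %s" % (subject.level, obj.level))
    missing = obj.compartments - subject.compartments
    if missing:
        reasons.append("no need to know for " + ", ".join(sorted(missing)))
    return reasons


class DacObject:
    """Discretionary control: the owner, and only the owner, decides who may read.
    Least privilege under DAC means the owner grants access only on a stated
    business need and revokes it when the need ends."""

    def __init__(self, name: str, owner: str):
        self.name = name
        self.owner = owner
        self.readers = set()
        self.grant_log = []  # (grantee, justification), kept for later review

    def grant(self, by: str, grantee: str, justification: str) -> None:
        if by != self.owner:
            raise PermissionError("%s is not the owner of %s" % (by, self.name))
        if not justification:
            raise ValueError("a business justification is required")
        self.readers.add(grantee)
        self.grant_log.append((grantee, justification))

    def revoke(self, by: str, grantee: str) -> None:
        if by != self.owner:
            raise PermissionError("%s is not the owner of %s" % (by, self.name))
        self.readers.discard(grantee)

    def can_read(self, user: str) -> bool:
        return user == self.owner or user in self.readers
```

The compartment test is what turns "clearance" into "need to know": a TOP SECRET subject with no compartments is still refused a SECRET object tagged with one, which is exactly the military-operation situation in the text.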
Separation of Duties
Separation of duties prescribes that
multiple people are required to complete critical or sensitive transactions.
The goal of separation of duties is to ensure that in order for someone to be
able to abuse access to sensitive data or transactions, that person must
convince another party to act in concert.
When several people act together to
compromise the security of sensitive information, this is called collusion.
Rotation of Duties / Job Rotation
Rotation of duties simply requires that
one person does not perform critical functions or responsibilities without
interruption. If the operational impact of the loss of an individual would be
too great, then perhaps one way to soften this impact would be to provide
additional depth of coverage for this individual’s responsibilities.
Rotation of duties can also mitigate
fraud. One of the best ways to detect fraudulent behavior is to require
that responsibilities that could lead to fraud be frequently rotated among
multiple people. In addition to the increased detection capability, the fact
that responsibilities are routinely rotated deters fraud.
Mandatory Leave / Forced Vacation
Discovering a lack of depth in personnel
with critical skills can help organizations understand risks associated with
employees unavailable for work due to unforeseen circumstances. Forcing all
employees to take leave can identify areas where depth of coverage is lacking.
Further, requiring employees to be away from work while it is still operating
can also help reveal fraudulent or suspicious behavior.
Non-disclosure agreement (NDA)
Requiring employees to sign an NDA is a practice
seen in more and more enterprises today. Special emphasis
on signing an NDA must be placed on third parties such as consultants, contractors and
on-site outsourced workers.
Background Checks
Privilege Monitoring
Some employees, by their job definition, may require
privileges higher than those of ordinary employees. The operations of these
employees constitute greater risk and must be regularly checked.
Furthermore, employees who change functions or gain
new responsibilities may keep their old privileges while acquiring the new ones.
Addressing this is a difficult technical problem for today's Identity/Access Management
systems, and it leads to privilege creep. Privilege monitoring can
also help to detect and recover from such situations.
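An added Python example (not from the original post) of the privilege review described above: entitlements are compared against what the user's current roles justify, so leftovers from a former role show up as privilege creep, and holders of privileged rights are listed for closer monitoring. The role catalogue, the entitlement strings and the user records are constructed.

```python
# Role-to-entitlement baseline, as an IAM system might define it
# (constructed for this example).
ROLE_ENTITLEMENTS = {
    "helpdesk":  {"ticketing:read", "ticketing:write", "ad:reset-password"},
    "dba":       {"ticketing:read", "db:dev:admin", "db:prod:admin"},
    "developer": {"ticketing:read", "db:dev:admin", "git:push"},
}

# Substrings that mark an entitlement as privileged (constructed policy).
PRIVILEGED_MARKERS = ("admin", "reset-password")


def expected_entitlements(roles):
    """Union of what the user's *current* roles justify."""
    allowed = set()
    for role in roles:
        allowed |= ROLE_ENTITLEMENTS.get(role, set())
    return allowed


def find_privilege_creep(user):
    """Entitlements the user holds that no current role explains: typically
    leftovers from a previous role or a one-off grant nobody revoked."""
    return sorted(user["entitlements"] - expected_entitlements(user["roles"]))


def is_privileged(entitlement):
    return any(marker in entitlement for marker in PRIVILEGED_MARKERS)


def access_review(users):
    """The two lists a periodic privilege review needs: users with creep
    (to remediate) and users holding privileged rights (to monitor closely)."""
    creep = {}
    privileged = []
    for user in users:
        extra = find_privilege_creep(user)
        if extra:
            creep[user["name"]] = extra
        if any(is_privileged(e) for e in user["entitlements"]):
            privileged.append(user["name"])
    return {"creep": creep, "privileged": sorted(privileged)}


# Constructed directory export: alice moved from dba to developer but kept
# her production database rights; bob's profile is clean; carol holds a VPN
# right that none of her roles grants.
USERS = [
    {"name": "alice", "roles": ["developer"],
     "entitlements": {"ticketing:read", "db:dev:admin", "git:push", "db:prod:admin"}},
    {"name": "bob", "roles": ["helpdesk"],
     "entitlements": {"ticketing:read", "ticketing:write", "ad:reset-password"}},
    {"name": "carol", "roles": ["developer", "helpdesk"],
     "entitlements": {"ticketing:read", "ticketing:write", "git:push",
                      "db:dev:admin", "ad:reset-password", "vpn:full"}},
]
```

Running `access_review(USERS)` flags alice's `db:prod:admin` and carol's `vpn:full` as creep; the role baseline is what makes the comparison mechanical instead of a manual guess at what each person "should" have.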
Sensitive Information and Media Security
Labeling/Marking
All information should be labeled according to the data
classification policy so that it receives the correct kind of care.
Handling
Storage
Especially sensitive data should be kept encrypted in
storage media.
Retention
Retention of sensitive information should not persist beyond
the period of usefulness or legal requirement (whichever is greater), as it
needlessly exposes the data to threats of disclosure when the data is no longer
needed.
Media sanitization or destruction of data
Data Remanence
Data remanence is data that persists beyond non-invasive
means to delete it. Deleting a file from the Recycle Bin does not necessarily
mean that the file is unrecoverably deleted. Several other measures, such as
wiping (overwriting the file's location with random bits several times), degaussing
(applying a strong magnetic field to a disk that will no longer be used),
shredding and physical destruction, should be considered according to the
sensitivity of the data.
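The wiping measure described above, as an added Python example (not from the original post): the file's bytes are overwritten in place with random data for several passes, each pass is synced to the medium, and only then is the name unlinked. The file contents and the pass count are constructed for the demo.

```python
import os
import secrets
import tempfile


def overwrite_and_delete(path, passes=3, chunk=64 * 1024):
    """Wipe a file: overwrite its contents in place with random bytes 'passes'
    times, sync each pass to the medium, then unlink. Returns bytes written.

    Caveat: this only addresses remanence where the filesystem and device
    write in place. SSD wear levelling, copy-on-write filesystems, journals,
    snapshots and earlier backups can retain copies, which is why the text
    lists degaussing and physical destruction for the most sensitive data."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b", buffering=0) as fh:   # unbuffered: each write hits the OS
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = fh.write(secrets.token_bytes(min(chunk, remaining)))
                remaining -= n
                written += n
            fh.flush()
            os.fsync(fh.fileno())               # force the pass onto the device
    os.remove(path)
    return written


def demo():
    """Create a constructed sensitive file, wipe it, report what happened."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"SSN=000-00-0000\n" * 1000)   # constructed content, 16000 bytes
    written = overwrite_and_delete(path, passes=3)
    return {"bytes_written": written, "still_exists": os.path.exists(path)}
```

The `fsync` per pass matters: without it the overwrite may sit in the page cache while the original blocks are still on the platter when power is lost.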
Asset Management
Configuration Management
Configuration management in this context has a different
meaning than it has in the various IT Service Management models. From a security
perspective, configuration items should have a baseline configuration
which is security hardened and used as the standard for all items of the same type, to
ease security management.
Baselining
Security baselining is the process of capturing a
point-in-time understanding of the current system security configuration.
Establishing an easy means for capturing the current system security
configuration can be extremely helpful in responding to a potential security
incident.
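An added Python example (not from the original post) of the baselining described above: a snapshot records the hash, permission bits and size of every file under a root, and a later snapshot is diffed against it so that content drift, permission drift and unexpected new files are listed for the responder. The directory tree and its drift are constructed in a temporary directory.

```python
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Capture a point-in-time security baseline: hash, permission bits and
    size for every regular file under root, keyed by relative path."""
    records = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets etc. are out of scope here
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            records[os.path.relpath(full, root)] = {
                "sha256": digest.hexdigest(),
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "size": st.st_size,
            }
    return records


def diff_baseline(baseline, current):
    """Compare a later snapshot against the baseline; the drift is what an
    incident responder wants to see first."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
    }


def _write(root, rel, text):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(text)
    return full


def demo():
    """Constructed mini system tree: baseline it, then introduce three kinds
    of drift (a config change, a permission change, an unexpected new file)."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/ssh/sshd_config", "PermitRootLogin no\n")
        passwd = _write(root, "etc/passwd", "root:x:0:0::/root:/bin/sh\n")
        os.chmod(passwd, 0o644)
        baseline = snapshot(root)

        _write(root, "etc/ssh/sshd_config", "PermitRootLogin yes\n")
        os.chmod(passwd, 0o666)
        _write(root, "etc/cron.d/unexpected", "0 3 * * * root /opt/new-agent/run\n")
        return diff_baseline(baseline, snapshot(root))
```

Storing the baseline off-host (it is just a dict that serializes to JSON) is the point of "an easy means for capturing" it: during an incident the compromised host's own copy cannot be trusted.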
Patch Management
Patch management should be very tightly related to the change
management process. Automation and reporting are also very important.
Vulnerability Management
Vulnerability scanning is a way to discover poor configurations
and missing patches in an environment. Vulnerability management is much more
than just discovering the vulnerabilities and presenting the findings in the form of
a report. Vulnerability management requires risk management, so that the
institution's resources such as time and money are used to address the risks that matter and to do
the reporting. The remediation or mitigation of vulnerabilities should be
prioritized on both risk and ease of application.
A vulnerability that is known before a patch exists is called a
zero-day vulnerability. The best way to deal with zero-day vulnerabilities is
the application of the defense-in-depth principle.
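An added Python example (not from the original post) separating the two activities above: `scan` finds missing patches by comparing installed versions against advisories, and `prioritize` orders the findings by risk (severity weighted by the host's exposure) and then by ease of application. The package names, versions, scores and hosts are constructed and are not real advisories.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str
    fixed_in: str        # first version that carries the patch
    severity: float      # 0-10 base score, CVSS-like (constructed values)
    easy_to_apply: bool  # e.g. package upgrade vs. reboot or vendor engagement


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def scan(hosts, advisories):
    """Vulnerability scanning: report every host/package pair whose installed
    version is older than the fixed version, i.e. a missing patch."""
    findings = []
    for host, info in hosts.items():
        for adv in advisories:
            installed = info["packages"].get(adv.package)
            if installed and parse_version(installed) < parse_version(adv.fixed_in):
                findings.append({"host": host, "package": adv.package,
                                 "installed": installed, "fixed_in": adv.fixed_in,
                                 "severity": adv.severity, "easy": adv.easy_to_apply,
                                 "exposure": info["exposure"]})
    return findings


def prioritize(findings):
    """Vulnerability management: order remediation by risk (severity weighted
    by how exposed the host is), then by ease of application, so limited time
    and money go to what reduces the most risk first."""
    for f in findings:
        f["risk"] = round(f["severity"] * f["exposure"], 2)
    return sorted(findings, key=lambda f: (-f["risk"], not f["easy"], f["host"]))


# Constructed inventory and advisories (no real CVEs, products or versions).
ADVISORIES = [
    Advisory("libtls", "3.0.7", 7.5, True),
    Advisory("webserver", "1.20.1", 9.8, False),
    Advisory("transfer-tool", "7.79.0", 5.3, True),
]
HOSTS = {
    "web01": {"exposure": 1.0,   # internet-facing
              "packages": {"libtls": "3.0.2", "webserver": "1.20.1",
                           "transfer-tool": "7.80.0"}},
    "db01":  {"exposure": 0.3,   # internal only
              "packages": {"libtls": "3.0.2", "webserver": "1.18.0"}},
}


def remediation_plan():
    return [(f["host"], f["package"], f["risk"]) for f in prioritize(scan(HOSTS, ADVISORIES))]
```

Note what the ordering does: the internet-facing host's medium-severity `libtls` finding outranks the internal host's critical `webserver` finding, which is what "prioritized on risk" rather than on raw scanner severity means.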
Change Management
The purpose of the change control process is to understand,
communicate, and document any changes with the primary goal of being able to
understand, control, and avoid direct or indirect negative impact that the
changes might impose.
There should be a change control board that oversees and
coordinates the change control process. The person proposing the change should
attempt to supply information about any potential negative impacts that might
result from the change, as well as any negative impacts that could result from
not implementing the change. A rollback
plan (backout plan) should be prepared to detail the procedures
for reversing the change in case that is deemed necessary. The phases of the change
management procedure can be summarized as below:
- Identifying a change
- Proposing a change
- Assessing the risk associated with the change
- Testing the change
- Scheduling the change
- Notifying impacted parties of the change
- Implementing the change
- Reporting results of the change implementation
Finally, all changes must be closely tracked and auditable.
A detailed change record should be kept.
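An added Python example (not from the original post) that serves both the Change Management section above and the earlier Separation of Duties section: a change record moves through the listed phases in order, cannot proceed without an impact statement, a risk assessment and a backout plan, requires change control board approval from people other than the requester, and writes every transition to an audit log. The two-approval quorum and the rule that the implementer differs from requester and approvers are a constructed policy, as are the names and the change itself.

```python
PHASES = ["identified", "proposed", "assessed", "tested",
          "scheduled", "notified", "implemented", "reported"]


class ChangeError(Exception):
    """Raised when a change tries to skip a control."""


class ChangeRecord:
    """One change moving through the phases above; every transition is
    logged so the change stays tracked and auditable."""

    def __init__(self, change_id, description, requester, approvals_required=2):
        self.change_id, self.description, self.requester = change_id, description, requester
        self.approvals_required = approvals_required  # constructed CAB policy
        self.phase, self.risk, self.backout_plan = "identified", None, None
        self.approvers, self.test_passed = [], None
        self.audit_log = [("identified", requester, description)]

    def _advance(self, new_phase, actor, note=""):
        expected = PHASES[PHASES.index(new_phase) - 1]
        if self.phase != expected:
            raise ChangeError("cannot move to %s from %s" % (new_phase, self.phase))
        self.phase = new_phase
        self.audit_log.append((new_phase, actor, note))

    def propose(self, actor, impact_if_done, impact_if_not_done):
        # The proposer states both sides: what the change may break and what
        # leaving it undone costs.
        self._advance("proposed", actor,
                      "if done: %s; if not done: %s" % (impact_if_done, impact_if_not_done))

    def assess(self, assessor, risk, backout_plan):
        if not backout_plan:
            raise ChangeError("a backout plan is required before approval")
        self.risk, self.backout_plan = risk, backout_plan
        self._advance("assessed", assessor, "risk=%s" % risk)

    def approve(self, approver):
        # CAB approval with separation of duties: the requester cannot approve.
        if self.phase != "assessed":
            raise ChangeError("approval requires a completed risk assessment")
        if approver == self.requester:
            raise ChangeError("separation of duties: requester cannot approve own change")
        if approver in self.approvers:
            raise ChangeError("%s already approved this change" % approver)
        self.approvers.append(approver)
        self.audit_log.append(("approved", approver, ""))

    def test(self, tester, passed):
        if len(self.approvers) < self.approvals_required:
            raise ChangeError("%d CAB approvals required" % self.approvals_required)
        self.test_passed = passed
        self._advance("tested", tester, "passed" if passed else "failed")

    def schedule(self, actor, window):
        if not self.test_passed:
            raise ChangeError("an untested or failed change cannot be scheduled")
        self._advance("scheduled", actor, window)

    def notify(self, actor, parties):
        self._advance("notified", actor, ", ".join(parties))

    def implement(self, implementer):
        # Separation of duties again: implementer is neither requester nor approver.
        if implementer == self.requester or implementer in self.approvers:
            raise ChangeError("implementer must differ from requester and approvers")
        self._advance("implemented", implementer)

    def report(self, actor, outcome):
        self._advance("reported", actor, outcome)


def demo():
    """Walk one constructed change through the whole procedure."""
    rec = ChangeRecord("CHG-0001", "raise minimum TLS version on load balancer", "alice")
    rec.propose("alice", "legacy clients lose connectivity", "weak protocol versions stay exposed")
    rec.assess("bob", risk="medium", backout_plan="restore previous listener configuration")
    self_approval_rejected = False
    try:
        rec.approve("alice")            # requester approving her own change
    except ChangeError:
        self_approval_rejected = True
    rec.approve("bob")
    rec.approve("dave")
    rec.test("carol", passed=True)
    rec.schedule("carol", "Saturday 02:00-04:00")
    rec.notify("carol", ["service desk", "application owners"])
    rec.implement("erin")
    rec.report("erin", "completed; backout not needed")
    return {"phase": rec.phase, "self_approval_rejected": self_approval_rejected,
            "approvers": rec.approvers, "audit_entries": len(rec.audit_log)}
```

The audit log is the "detailed change record" the text asks for; because each method refuses to run out of order, the log can only ever contain a sequence that passed every control.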
Continuity of Operations
Service Level Agreements (SLAs)
Service Level Agreements have become more important in recent
years as more and more IT services are outsourced or provided in an "as a
service" model, as in the case of cloud services. The goal of the SLA is to
stipulate all expectations regarding the behavior of the service (organizations
mostly pay too much attention to availability and tend to forget other
important factors) at the beginning of the procurement process, so that they are included in
the contract negotiations.
Adequate time and effort should be spent to define specific
service levels reflecting the organization's expectations of the service that is
going to be acquired. Contractors may demand additional fees for requirements
which were not included in the contract negotiation phase.
Fault Tolerance
A full backup is
simply a replica of all allocated data on a hard disk, which makes full
backups simple from a recovery standpoint in the event of a failure. The amount
of media required to hold full backups is obviously more than for other backup methods.
Another downside of using only full backups is the time it takes to perform the
backup itself, which may be too long depending on the amount of data present
on the system.
Incremental backups
only archive files that have changed since the last backup of any kind was
performed. Because fewer files are backed up, the time to perform the
incremental backup is greatly reduced. For example, each Sunday, a full backup is performed. For
Monday’s incremental backup, only those files that have been changed since
Sunday’s backup will be marked for backup. On Tuesday, those files that have
been changed since Monday’s incremental backup will be marked for backup.
Whereas the incremental backup only archives those files
that have changed since any backup, the differential
backup method backs up any files that have been changed since the last full
backup. For example, each Sunday a full backup is performed. For
Monday's differential backup, only those files that have been changed since
Sunday's backup will be archived. On Tuesday, again those files that have been
changed since Sunday's full backup, including those backed up with Monday's
differential, will be archived.
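The weekly schedule described in the last three paragraphs, simulated as an added Python example (not from the original post) for all three methods at once: it shows which files each day's run archives, how much media the week consumes, and which backup sets a restore must read, which is the trade-off between backup time and recovery simplicity the text describes. The file names and daily change sets are constructed.

```python
# Constructed data set: the files on the system and what changes each day.
ALL_FILES = {"ledger.db", "payroll.xlsx", "app.log", "config.ini", "report.pdf"}
DAILY_CHANGES = [
    ("Mon", {"ledger.db", "app.log"}),
    ("Tue", {"app.log", "report.pdf"}),
    ("Wed", {"config.ini"}),
]


def simulate(method, all_files, daily_changes):
    """Return {day: set of files archived}. Sunday is always a full backup;
    'method' is what runs on the other days: 'full', 'incremental' or
    'differential'. Each day's change set is what changed since the
    previous day's backup."""
    archived = {"Sun": set(all_files)}
    changed_since_full = set()
    for day, changed in daily_changes:
        changed_since_full |= changed
        if method == "full":
            archived[day] = set(all_files)
        elif method == "incremental":
            archived[day] = set(changed)             # since the last backup of any kind
        elif method == "differential":
            archived[day] = set(changed_since_full)  # since the last full backup
        else:
            raise ValueError("unknown method: %s" % method)
    return archived


def media_volume(archived):
    """Total number of file copies written: a proxy for media consumed."""
    return sum(len(files) for files in archived.values())


def restore_sets(method, archived, target_day):
    """Which backup sets must be read, in order, to rebuild the system as of
    target_day. Fewer sets means a simpler, less failure-prone recovery."""
    days = list(archived)
    if target_day not in days:
        raise ValueError("no backup for %s" % target_day)
    if method == "full" or target_day == "Sun":
        return [target_day]
    if method == "differential":
        return ["Sun", target_day]
    return days[: days.index(target_day) + 1]   # incremental: full plus every increment


def restore(method, archived, target_day):
    """Apply the chosen sets in order; later copies overwrite earlier ones.
    Returns {file: the set it was finally taken from}."""
    state = {}
    for day in restore_sets(method, archived, target_day):
        for name in archived[day]:
            state[name] = day
    return state
```

For the constructed week, incremental writes 10 file copies and differential 14 against 20 for daily fulls, but restoring to Wednesday needs four sets with incremental and only two with differential, and every one of the four must be intact.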
Redundant Array of Inexpensive Disks (RAID)
The goal of RAID is to help mitigate the risk associated
with hard disk failures. The various RAID levels consist of different
approaches to disk array configurations. RAID configurations are not always
made to mitigate hard disk failures, as in the case of RAID 0 and RAID 3, and
can be used to improve the read and write performance of the disks.
Before going further into RAID, we should understand the
basic terms of RAID operation such as mirroring, striping and parity.
Mirroring is
simply used to achieve full data redundancy by writing the same data to
multiple hard disks. Because mirrored data must be written to multiple disks, the
write times are slower; however, performance gains can be achieved when
reading mirrored data by simultaneously pulling data from multiple hard disks.
Striping is a
RAID concept that is focused on increasing the read and write performance by
spreading data across multiple hard disks. With data being spread among
multiple disk drives, reads and writes can be performed in parallel across
multiple disks rather than serially on one disk. This parallelization provides
a performance increase but does not aid in data redundancy.
Parity is a way
to achieve data redundancy without incurring the same degree of cost as that of
mirroring in terms of disk usage and write performance. The table below
explains basic RAID modes.
| RAID Level | Description |
| --- | --- |
| RAID 0 | Simple striping, no redundancy |
| RAID 1 | Mirrored disks, usable disk capacity is half of the total disk capacity |
| RAID 2 | Requires either 14 or 39 disks and a special controller, not commercially viable |
| RAID 3 | Byte-level striping with dedicated parity disk (a single disk is used for parity) |
| RAID 4 | Block-level striping with dedicated parity disk (a single disk is used for parity) |
| RAID 5 | Block-level striping with distributed parity (parity is distributed across the disks) |
| RAID 6 | Block-level striping with double distributed parity (uses double parity) |
In addition to the standard levels there are other RAID levels, such as
RAID 10, which are called nested RAID
levels and which combine two RAID modes; in the case of RAID 10 these are
RAID 1 and RAID 0. RAID 01, RAID 50,
RAID 60 and RAID 100 are other well-known nested RAID levels.
Other than disk redundancy, for critical systems, backups at the system level
should also be considered. This can be realized by making other critical
system components redundant, such as power supplies, NICs and
disk controllers. Systems as a whole can be made redundant by using either active-active (load balancing) or active-passive redundancy methods, which
are more costly but which provide better levels of availability.
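An added Python example (not from the original post) of the parity idea behind RAID 3/4/5: data is striped block by block across the disks, each stripe's parity block is the XOR of its data blocks, and the parity position rotates per stripe as in RAID 5. Losing any one disk, data or parity, is recoverable by XOR-ing the survivors; losing two is not. The byte string, disk count and block size are constructed; `usable_capacity` restates the table's capacity rules.

```python
def xor_blocks(blocks):
    """Bitwise XOR of equal-length blocks: the parity operation."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def parity_disk_for(stripe_index, n_disks):
    """Rotate the parity position per stripe (RAID 5). A RAID 4 layout would
    return a fixed disk index here instead."""
    return (n_disks - 1 - stripe_index) % n_disks


def raid5_write(data, n_disks, block_size=4):
    """Block-level striping with distributed parity. Returns one list of blocks
    per disk. Data is zero-padded to a whole number of stripes."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    n_data = n_disks - 1
    stripe_bytes = n_data * block_size
    padded = data + b"\x00" * (-len(data) % stripe_bytes)
    disks = [[] for _ in range(n_disks)]
    for s in range(len(padded) // stripe_bytes):
        chunk = padded[s * stripe_bytes:(s + 1) * stripe_bytes]
        blocks = [chunk[i * block_size:(i + 1) * block_size] for i in range(n_data)]
        parity = xor_blocks(blocks)
        p = parity_disk_for(s, n_disks)
        data_iter = iter(blocks)
        for d in range(n_disks):
            disks[d].append(parity if d == p else next(data_iter))
    return disks


def rebuild_disk(disks, failed):
    """Reconstruct the failed disk (its slot set to None) from the survivors:
    each block is the XOR of the other blocks in its stripe, whichever of
    them held data and whichever held parity."""
    if disks[failed] is not None:
        raise ValueError("disk %d has not failed" % failed)
    survivors = [d for d in disks if d is not None]
    if len(survivors) < len(disks) - 1:
        raise RuntimeError("RAID 5 tolerates one failed disk; data is lost")
    n_stripes = len(survivors[0])
    return [xor_blocks([d[s] for d in survivors]) for s in range(n_stripes)]


def raid5_read(disks):
    """Read back the original (padded) byte string from a healthy array."""
    n_disks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        p = parity_disk_for(s, n_disks)
        for d in range(n_disks):
            if d != p:
                out += disks[d][s]
    return bytes(out)


def usable_capacity(level, n_disks, disk_size):
    """Usable capacity for the single-level modes in the table above."""
    if level == 0:
        return n_disks * disk_size
    if level == 1:
        return n_disks * disk_size // 2
    if level in (3, 4, 5):
        return (n_disks - 1) * disk_size     # one disk's worth of parity
    if level == 6:
        return (n_disks - 2) * disk_size     # two disks' worth of parity
    raise ValueError("unsupported level")
```

The same XOR that rebuilds a disk is also why parity is cheaper than mirroring: a four-disk RAID 5 gives three disks of usable space against two for RAID 1 of the same four disks, at the cost of one extra read and write per update to keep parity current.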
Incident Response Management
In most organizations Security Incident Response is treated
no differently than other IT incidents, which results in important losses with
regard to the confidentiality and availability of the organization's information.
A Security Incident Response plan should be prepared prior to
incidents and must be followed. This plan can be summarized in 4 or 6 steps depending
on the methodology, but the basis is the same.
- Preparation: This stage includes training, writing incident response policies and procedures, and providing tools such as laptops with sniffing software, cables, original OS media, removable drives, etc.
- Detection and analysis: Organizations should have an automated system (like a SIEM) for pulling events from several systems and bringing those events into the wider organizational context. An attacker may use one attack to mask the real attack.
- Containment: A good analogy to explain containment is to compare it to emergency medical technicians arriving on the scene of an accident, as they seek only to stabilize an injured patient (stop their condition from worsening) and do not attempt to cure the patient.
- Eradication: In order for an organization to be able to reliably recover from an incident, the cause of the incident must be determined. Eradication cannot be done without a proper root cause analysis.
- Recovery
- Lessons learned
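An added Python example (not from the original post) of the detection-and-analysis point above: events from two hosts are pulled together and a cross-host rule fires when a source that has been failing logins somewhere is then accepted somewhere else. Seen host by host, one log shows a noisy password-guessing burst and the other a single ordinary login; only in the wider context do they connect, which is the "one attack masking the real one" situation the text warns about. The log lines, host names and addresses (TEST-NET ranges) are constructed.

```python
import re
from collections import defaultdict

# Constructed syslog-style lines from two hosts.
LOG_LINES = [
    "2024-03-01T10:00:%02d web01 sshd: Failed password for %s from 198.51.100.7" % (i, user)
    for i, user in enumerate(["root", "admin", "oracle", "test", "root", "admin", "guest", "root"])
] + [
    "2024-03-01T10:00:30 web01 sshd: Accepted password for deploy from 203.0.113.5",
    "2024-03-01T10:00:31 web01 cron: (root) CMD (run-parts /etc/cron.hourly)",
    "2024-03-01T10:00:45 db01 sshd: Accepted password for backup from 198.51.100.7",
]

SSH_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")


def parse(line):
    """Return an event dict for sshd authentication lines, None for anything else."""
    m = SSH_RE.match(line)
    if not m:
        return None
    ts, host, outcome, user, src = m.groups()
    return {"ts": ts, "host": host, "outcome": outcome, "user": user, "src": src}


def per_host_summary(lines):
    """What each host's own log shows in isolation."""
    summary = defaultdict(lambda: {"Failed": 0, "Accepted": 0})
    for ev in filter(None, map(parse, lines)):
        summary[ev["host"]][ev["outcome"]] += 1
    return dict(summary)


def correlate(lines, threshold=5):
    """Cross-host rule: a source with at least 'threshold' failed logins
    anywhere in the estate that is afterwards accepted anywhere is flagged,
    with the failing hosts and the accepting host in one alert so the analyst
    sees the whole picture rather than two unrelated tickets."""
    failures = defaultdict(list)
    alerts = []
    events = sorted(filter(None, map(parse, lines)), key=lambda e: e["ts"])
    for ev in events:
        if ev["outcome"] == "Failed":
            failures[ev["src"]].append(ev)
            continue
        prior = failures.get(ev["src"], [])
        if len(prior) >= threshold:
            alerts.append({
                "source": ev["src"],
                "failed_attempts": len(prior),
                "failed_hosts": sorted({e["host"] for e in prior}),
                "accepted_host": ev["host"],
                "user": ev["user"],
                "ts": ev["ts"],
            })
    return alerts
```

The threshold and the time ordering are the tunable parts: too low a threshold and every mistyped password becomes an alert, too high and a slow, patient attempt spread over hours never reaches it, which is why a real SIEM rule also bounds the look-back window.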
Nice blog. Incident response plan can reduce damage, improve recovery time, and mitigate losses after a security incident.