Change Control Management


Operations Security
Chao-Hsien Chu, Ph.D.
College of Information Sciences and Technology
The Pennsylvania State University
University Park, PA 16802
IST 515
Security management domains:
• Organizational Security Policy
• Organizational Design
• Asset Classification and Control
• Access Control
• Compliance
• Personnel Security
• Awareness Education
• System Development and Maintenance
• Physical and Environmental Security
• Communications & Operations Mgmt.
• Business Continuity Management
Scope of Operations Security
Operations Security comprises four areas:
Privileged Entity Controls
• Users
• Operators
• System administrators
• Service accounts
• Security administrators
Continuity of Operations
• Problem management
• System recovery
• Intrusion detection
• Vulnerability scanning
• Continuity planning
Change Control Management
• Configuration management
• Production software
• Software access control
• Library maintenance
• Patch management
Resources Protection
• Facilities
• Hardware
• Networked devices
• Software
• Documents
Aspects of Operations Security
• Identity Thefts
• Spyware
• Phishing / Spam
• Malware (Virus, Worm, Trojans)
• Awareness Training
• Configuration Management
• Change Control Management
• Patch Management
• Social Engineering
Phishing
Lininger, R. and Vines, R. D., Phishing: Cutting the Identity Theft Line,
Wiley, 2005.
Types of Malware
Types of Changes
Aspects of Change Management
Social Engineering
Objectives
• Describe the privileges that must be restricted.
• Describe the resources that must be protected and
employ resource protection.
• Handle violations, incidents, and breaches and report
when necessary.
• Respond to attacks and other vulnerabilities such as
spam, virus, spyware, phishing.
• Understand configuration management concepts.
• Implement and support patch and vulnerability
management.
• Ensure administrative management and control.
Readings
• Tipton, H. and Henry, K. (Eds.), Official (ISC)2
Guide to the CISSP CBK, Auerbach, 2007.
Domain 9 (Required).
• Wikipedia, Operations security.
http://en.wikipedia.org/wiki/Operations_security.
Operations Security
• Operations security is concerned with the
protection and control of information processing
assets in centralized and distributed
environments.
• The security service of availability is the core
goal for operations security.
• Operations security covers four major lessons:
- Privileged entity controls.
- Resources protection.
- Continuity of operations.
- Change control management.
Privileged Entity Controls
• Classes of System Accounts:
- Operators.
- System administrators.
- Service accounts.
- Security administrators.
• Assigning privileges among various classes of
system accounts should follow the concepts of:
- Least privilege.
- Separation of duties.
Privileges of Operators
• Implementing the initial program load. This is used to start the
operating system.
• Monitoring execution of the system. This includes errors,
interruptions, and job completion messages.
• Volume mounting. This allows the desired application access
to the system and its data.
• Controlling job flow. Operators can initiate, pause, or
terminate programs.
• Bypass label processing. This allows the operator to bypass
security label information to run foreign tapes.
• Renaming and relabeling resources. This allows programs to
properly execute in the mainframe environment.
• Reassignment of ports and lines.
Privileges of Ordinary Users
• Ordinary users should be assigned restrictive
system privileges. They are only allowed
access to applications that in turn have only
those operating system privileges necessary to
run.
• The concept of least privilege should be used
to protect the system from intentional and
unintentional damage or misuse.
• How about IPAS (Information Privacy and
Security project)? http://www.ipas.psu.edu/
Privileges of System Administrators
• These individuals are assigned to ensure that the
system is functioning properly for system users.
• The two primary activities of administrator tasks
are maintenance and monitoring.
• System components requiring regular maintenance
and monitoring include workstations, servers,
network devices, databases, and applications.
• System administrators require the ability to affect
certain critical operations such as setting the time,
boot sequence, system logs, and passwords.
Privileges of Security Administrators
• Security administrators provide a check and
balance of the power assigned to system
administrators with the ability to audit and
review their activities. However, they usually
have fewer rights than system administrators.
• The aspects of security operations include:
- Account management.
- Assignment of file sensitivity labels.
- System security settings.
- Review of audit data.
Resource Protection
Resources that need to be protected:
• Facilities. Fire detection and suppression systems;
Heating, ventilation and air conditioning systems; Water
and sewage systems; Power supply and
distribution system; Integrated facility access control and
intrusion detection system.
• Network devices. Access control to servers, host systems,
operator consoles, and workstations; Firewalls, Virtual
private network; Router and switches; Cable media;
Wireless equipment.
• Software. Copyright infringement.
• Documentation.
Domain Definition
• Threat: an event that could cause harm by
violating the security
• Vulnerability: A weakness in a system that
enables security to be violated
• Asset: Anything that is a computing resource
or ability such as hardware, software, data,
and personnel
Threats to Operations
• Disclosure. Unauthorized account sharing;
inappropriate access by person with
administrative privileges; Malicious code.
• Destruction. Malware or malicious code;
Unintentional errors; Nature or man-made
disasters.
• Interruption and Nonavailability. Failure of
equipment, services, and operational
procedures; Denial of services (DOS).
• Theft. Insiders or burglary.
Threats to Operations
• Corruption and Modification. Sporadic
fluctuations in temperature and power line
while writing data. Inappropriate or accidental
changes to file or table permissions.
• Espionage. Loss of proprietary information.
• Hackers and Crackers.
• Malicious Code. Programs designed to steal
information or cause damage to system
operations. Trojan horses, viruses, worms,
spyware, and logic bombs.
Categories of Controls (1)
• Preventative Controls. Controls that protect systems and
information from intentional or accidental compromise
by denying unauthorized access. Measures include:
locks, encryption, and access control lists.
• Detective Controls. Controls that react to changes in an
environment or process that deviate from a normal or
accepted pattern. Automated measures include: audit
logs, intrusion detection systems, and vulnerability
scans. Manual measures include: review of audit logs,
compliance review of systems, security tests and
evaluations, penetration tests. Physical measures
include: tamper-evident tape and intrusion detection
seals.
Categories of Controls (2)
• Corrective Controls. Controls that react to detected
events by rectifying the violation and preventing its
reoccurrence. Measures include self-healing
systems, rollback mechanisms (in DBMS), and
awareness training.
• Directive Controls. Controls used to dictate
appropriate behavior and acceptable types of activity
regarding systems and information. Administrative
directive controls include policies, procedures,
guidelines and agreements. Other measures include
laws, governmental regulations, and industry
standards.
Categories of Controls (3)
• Recovery Controls. Controls that encompass processes
to return the system to a secure state after the
occurrence of a security event. Administrative
recovery controls include business continuity, disaster
recovery and contingency plans. Technical recovery
controls include backups, redundant systems, and
antivirus corrective actions.
• Deterrent Controls. Controls used to cause
attacker or violator to reconsider his actions. E.g.,
policies that prescribe penalties for violators; video
cameras; intrusion detection systems; misuse
detection systems; and auditing.
Categories of Controls (4)
• Compensating Controls. Controls that augment or
supplement existing controls to mitigate the vulnerability
(or address risk). E.g., a firewall added in front of the
service on the network.
Control Methods
• Separation of responsibilities.
• Least privilege.
• Job rotation.
• Need to know.
• Security audits and reviews.
• Supervision.
• Input/output controls.
• Antivirus management.
Media Types
Soft-copy Media:
• Magnetic (floppy disks, tapes, hard drives)
• Optical (CD-ROMs, DVD).
• Solid State (Flash drives, memory cards)
Hard-copy Media:
• Paper.
• Microfiche.
Media Protection Methods (1)
• Transmission of sensitive information should
be protected regardless of the storage method.
• Sensitive data on electronic media should be
encrypted during the transmission process.
• Electronic transport strategies such as system
snapshots, shadowing, network backups, and
electronic vaulting should be used to send bulk
information from one part of a network to
another.
Media Protection Methods (2)
• Special seals and tamper-evident tape are helpful
in deterring and detecting unauthorized access to
hard-copy information.
• Scans should be periodically conducted to
discover the existence of sniffer devices or
software.
• Data saved to backup media should be protected
from compromise through the use of encryption.
• System auditing can be used to track access to
information prior to a backup.
Media Protection Methods (3)
• Degaussers can be used to erase data saved to
magnetic media.
• Software tools can be used to overwrite every
sector of magnetic media with a random or
predetermined bit pattern.
• Shredding, burning, grinding and pulverizing are
common methods of physically destroying
media.
Handling Sensitive Media
• Marking. Organizations should have policies in place
regarding the marking of media.
• Handling. Only designated personnel should have access
to sensitive media.
• Storing. Sensitive media should not be left lying about
where a passerby could access.
• Destruction. Media that is no longer needed or is
defective should be destroyed rather than simply
disposed of.
• Declassification. Declassification should be
implemented to ensure that excessive protection controls
are not used for nonsensitive information.
Continuity of Operations (1)
• Organizations that rely on IT systems must have
plans and procedures to continue operations in the
event of a failure or catastrophe such as temporary
loss of electrical power or even a complete
destruction of the IT system facility.
• Continuity of operations also involves the
implementation of detective and preventative controls
to detect the potential of or prevent the loss of
availability.
Continuity of Operations (2)
• System availability is ensured through properly
implemented redundancy and backups.
• Continuity of operations can also be accomplished
through the focused asset management and
maintenance of hardware, software, data,
communications, and facilities.
• A fault tolerant system can be used to detect
equipment failure and take immediate automatic
action to ensure the continuity of operations.
Continuity of Operations Methods
• Data protection.
• Software management controls should be applied so that the latest
copy can be restored on the system.
• Hardware protection.
• Communications protection.
• Facilities protection.
• Problem management.
• System recovery.
• Intrusion detection system.
• Vulnerability scanning.
• Business continuity planning
Problem Management
• System component failure.
• Power failure.
• Telecommunication failure.
• Physical break-in.
• Tampering.
• Production delay.
• Input/output errors.
• Attacks.
System Recovery Methods
• Application restart.
• Warm reboot.
• Cold reboot.
• Emergency restart.
Types of Attacks
• Denial of services (DoS).
• Intrusion.
• Malware.
• Spyware.
• SPAM.
• Phishing.
Change Control Management
• The rapid advancement of technology, coupled with
regular discovery of vulnerabilities, requires proper
change control management to maintain the necessary
integrity of the system.
– Software packages are added, removed or modified.
– New hardware is introduced, while legacy devices are
replaced.
– Software updates due to flaws.
• Change control management is embodied in policies,
procedures, and operational practices.
Change Control Management
• Configuration Management.
• Production Software.
• Software Access Control.
• Change Control Process.
• Library Maintenance.
• Patch Management.
Change Control Management
1. Applying to introduce a change
2. Reviewing and approving the changes
3. Cataloging the intended change
4. Scheduling the change
5. Implementing the change
6. Reporting the change to the appropriate classes
• Is complicated.
• Needs a process.
• Multiple aspects.
• Continued effort.
• Respond to incidents.
It is easier said than done!
Be Creative!
Configuration Management
• Configuration management is a process of
identifying and documenting hardware
components, software, and the associated settings.
• Detailed hardware inventories are necessary for
recovery and integrity purposes.
• A configuration list for each device (e.g.,
firewalls, routers, and switches) should also be
maintained to provide assurance for network
integrity and availability. These configurations
should also be periodically checked to make sure
that unauthorized changes have not occurred.
Configuration/Change Management
• To ensure the change is implemented in an orderly
manner through formalized testing
• To ensure the user base is informed of the
impending change
• To analyze the effect of the change on the system
after implementation
• To reduce the negative impact the change may
have had on the computing services and
resources
• Risk management assessment/plan is needed
Hardware Lists
• Make.
• Model.
• MAC address.
• Serial number.
• Operating system or firmware version.
• Location.
• BIOS and other hardware-related passwords.
• Assigned IP address if applicable.
• Organizational property management label or bar code.
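The two preceding slides describe a hardware inventory with a fixed set of attributes and a configuration list per device that is periodically checked for unauthorized changes. The following is an added example written for this transcript, not code from the lecture: it models one inventory row with the listed fields, fingerprints each device's configuration with SHA-256 after normalizing it, and compares the current fingerprints against an approved baseline to surface drift, missing devices, and unknown devices. The device names, configuration snippets, inventory values, and the treatment of lines starting with `!` as comments are constructed sample data and assumptions of this example.

```python
"""Hardware inventory records and configuration drift check (added example)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class HardwareRecord:
    """One row of the hardware list; field names follow the slide's attributes."""
    make: str
    model: str
    mac_address: str
    serial_number: str
    os_version: str                     # operating system or firmware version
    location: str
    ip_address: Optional[str] = None    # assigned IP address, if applicable
    asset_tag: Optional[str] = None     # property management label or bar code
    bios_password_set: bool = False     # record that a BIOS password exists, never the secret itself


def normalize_config(config_text: str) -> str:
    """Drop blank lines, '!' comment lines (assumed convention) and trailing
    whitespace so cosmetic edits do not trigger a false drift alarm."""
    kept = []
    for line in config_text.splitlines():
        stripped = line.rstrip()
        if not stripped.strip() or stripped.lstrip().startswith("!"):
            continue
        kept.append(stripped)
    return "\n".join(kept)


def config_fingerprint(config_text: str) -> str:
    """SHA-256 over the normalized configuration; this is what the baseline stores."""
    return hashlib.sha256(normalize_config(config_text).encode("utf-8")).hexdigest()


def check_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare current fingerprints with the approved baseline.

    drifted: configuration changed without a baseline update (possible unauthorized change)
    missing: baselined device did not report (possible outage or removal)
    unknown: device not in the inventory at all (possible rogue device)
    """
    return {
        "drifted": sorted(d for d in baseline if d in current and current[d] != baseline[d]),
        "missing": sorted(d for d in baseline if d not in current),
        "unknown": sorted(d for d in current if d not in baseline),
    }


# Constructed sample data: two inventoried devices with approved configurations.
INVENTORY = {
    "fw-edge-01": HardwareRecord("ExampleCo", "FW-100", "00:11:22:33:44:55", "SN-0001",
                                 "9.1.4", "DC-1 rack 3", "10.0.0.1", "PSU-000123", True),
    "sw-core-01": HardwareRecord("ExampleCo", "SW-48", "00:11:22:33:44:66", "SN-0002",
                                 "15.2", "DC-1 rack 4", "10.0.0.2", "PSU-000124", True),
}

APPROVED_CONFIGS = {
    "fw-edge-01": "interface eth0\n ip address 10.0.0.1/24\naccess-list 10 deny any\n",
    "sw-core-01": "vlan 10\n name servers\ninterface gi0/1\n switchport access vlan 10\n",
}
BASELINE = {name: config_fingerprint(cfg) for name, cfg in APPROVED_CONFIGS.items()}


def demo() -> Dict[str, List[str]]:
    """Simulated periodic check: the firewall ACL was changed, the switch did not
    report, and a device that is not in the inventory appeared."""
    observed = {
        "fw-edge-01": config_fingerprint(
            "interface eth0\n ip address 10.0.0.1/24\naccess-list 10 permit any\n"),
        "ap-lobby-07": config_fingerprint("ssid guest\n"),
    }
    return check_baseline(BASELINE, observed)


if __name__ == "__main__":
    for category, devices in demo().items():
        print(f"{category}: {devices}")
```

Each finding maps to a follow-up in the change control process: a drifted device either has an approved change whose baseline was not updated, or an unauthorized one; an unknown device is an inventory gap to close before it is trusted.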
Configuration Management
• Operating systems and applications also require
configuration management and should be standardized
to the greatest extent possible.
• Original copies and installed versions of system
and application software require appropriate
protection and management for information
assurance purposes.
• Installed software should have appropriate
access controls in place to prevent unauthorized
access or modification.
Change Control Process (1)
• Maintaining system integrity is accomplished
through the process of change control management.
• A well-defined process implements structured and
controlled changes necessary to support system
integrity, and accountability for changes.
• Decisions to implement changes should be made by
a committee of representatives from various groups
within the organization, such as ordinary users,
security, system operations, and upper-level
management.
Change Control Process (2)
• Actions of the committee should be documented
for historical and accountability purposes.
• The change management structure should be
codified as an organization policy.
• Procedures for the operational aspects of the
change management process should also be
created.
• Change management policies and procedures
are forms of directive controls.
Change Control Process (3)
• Requests. Proposed changes should be formally
presented to the committee in writing, focusing on
justification, costs and benefits.
• Impact Assessment.
• Approval / Disapproval.
• Build and Test.
• Notification.
• Implementation.
• Validation.
• Documentation.
Change Control Process
(Flowchart; text recovered from the diagram.)
System users → Requests (in writing; justification; cost/benefit)
→ Committee (users; security; system operations; upper-level management)
→ Impact Assessment (feasibility; cost/benefit)
→ Approve?
  No → Documentation
  Yes → Build & Test (operations support; security) → Notification
  → Implementation → Validation → Documentation
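The process slides above list the steps in a fixed order, require committee decisions to be documented for accountability, and rest on the separation-of-duties principle stated earlier in the lecture. The following is an added example for this transcript, not code from the lecture: a small workflow object that only lets a change request move to the next step in the slides' order (with "rejected" as the No branch of the approval decision), refuses to let the requester approve or reject their own change, and records every step with its actor. The ticket identifiers, actor names and change descriptions are constructed sample data.

```python
"""Change request workflow enforcing the slides' step order with an audit trail (added example)."""
from dataclasses import dataclass, field
from typing import List, Tuple

# Step order from the "Change Control Process" slides.
STEPS = ["requested", "impact_assessed", "approved", "built_tested",
         "notified", "implemented", "validated", "documented"]


class WorkflowError(Exception):
    """Raised when a step is taken out of order or by the wrong party."""


@dataclass
class ChangeRequest:
    ticket: str                       # constructed identifier
    requester: str
    justification: str
    cost_benefit: str
    state: str = "requested"
    # Every action is recorded (step, actor, note) for historical and accountability purposes.
    history: List[Tuple[str, str, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.history.append(("requested", self.requester, self.justification))

    def allowed_next(self) -> List[str]:
        """Steps reachable from the current state."""
        if self.state == "rejected":
            return ["documented"]       # a rejected change is still documented
        if self.state == "documented":
            return []                   # closed
        nxt = STEPS[STEPS.index(self.state) + 1]
        return [nxt, "rejected"] if nxt == "approved" else [nxt]

    def advance(self, step: str, actor: str, note: str = "") -> str:
        """Move to `step`, enforcing order and separation of duties; returns the new state."""
        if step not in self.allowed_next():
            raise WorkflowError(f"{self.ticket}: cannot go from {self.state} to {step}")
        # Separation of duties: the requester may not decide on their own change.
        if step in ("approved", "rejected") and actor == self.requester:
            raise WorkflowError(f"{self.ticket}: requester {actor} cannot decide own change")
        self.history.append((step, actor, note))
        self.state = step
        return self.state


def demo() -> Tuple[str, str, int]:
    """One approved change taken through every step, and one rejected change."""
    cr = ChangeRequest("CHG-0001", "alice", "replace end-of-life router", "cost 2k; avoids outage")
    cr.advance("impact_assessed", "ops-lead", "feasible; 30 min downtime")
    cr.advance("approved", "committee", "approved for Saturday window")
    cr.advance("built_tested", "ops", "staged in lab")
    cr.advance("notified", "ops", "users e-mailed")
    cr.advance("implemented", "ops", "cutover done")
    cr.advance("validated", "security", "ACLs verified")
    cr.advance("documented", "ops", "inventory updated")

    rej = ChangeRequest("CHG-0002", "bob", "disable firewall logging", "saves disk space")
    rej.advance("impact_assessed", "ops-lead", "removes a detective control")
    rej.advance("rejected", "committee", "unacceptable risk")
    rej.advance("documented", "ops", "decision recorded")
    return cr.state, rej.state, len(cr.history)


if __name__ == "__main__":
    print(demo())
```

The history list is the accountability record the slides call for; in a real system it would be append-only and reviewed by the security administrator as part of audit review.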
Patch Management
Patch Management (1)
• The process that involves the deployment of security
updates. The patch management process must be
formalized through documentation and receive
management approval to provide the best possible
strategy for implementing this type of system change.
• Security practitioners should monitor their networks
for known vulnerabilities due to product flaws.
• Once a discovery is made of a flawed item in the
system, a determination should be made whether to
patch the item. A risk-based decision is required to
determine the necessity of patching the problem.
Patch Management (2)
• When the need arises to patch a product, a schedule
for conducting the fix must be established.
• Consideration must be given for the order in which
patches are deployed.
• Furthermore, the organization should prioritize
updates according to the criticality they represent.
• Prior to deploying updates to production servers,
make certain that a full system backup is conducted.
• Deploy the update in stages, when possible, to
accomplish a final validation of the update in the
production environment.
Categories of Flaw Type
Level of Access or Damage:
• Provides administrator or root privilege for executing a process.
• Allows execution of arbitrary code in the context of the executing process or user.
• Denial of a network service.
• Denial of service for local user.
Ease of Exploit:
• Easy: Exploit tools exist for the attack, or it is too trivial in nature to exploit.
• Moderate: Requires moderate skill or the use of complicated exploit tools.
• Difficult: Requires a high level of technical skill with no exploit code available.
Required Locality
• Required locality defines the physical or logical
access necessary to exploit the flaw:
– Network exploitable from any port or protocol
– Network exploitable through a particular port
or protocol
– Network exploitable by authorized users only
– Local console or physical access required
(Insider attack).
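The patch management slides call for a risk-based decision and for prioritizing updates by criticality, and the last three slides give three dimensions for describing a flaw: level of access or damage, ease of exploit, and required locality. The following is an added example for this transcript, not code from the lecture: it encodes those three categories as ordered enumerations, combines them into a single score, maps the score to a deployment window, and sorts a backlog so the most urgent fix is deployed first. The numeric weights, the tier thresholds, and the flaw identifiers (placeholders, not real advisory numbers) are this example's own assumptions.

```python
"""Risk-based patch triage using the lecture's flaw categories (added example)."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class Damage(Enum):
    """Level of access or damage, highest first."""
    ADMIN_PRIVILEGE = 4      # administrator or root privilege for a process
    ARBITRARY_CODE = 3       # code execution in the context of the process or user
    NETWORK_DOS = 2          # denial of a network service
    LOCAL_DOS = 1            # denial of service for a local user


class Ease(Enum):
    """Ease of exploit."""
    EASY = 3                 # exploit tools exist or the flaw is trivial
    MODERATE = 2             # moderate skill or complicated tools required
    DIFFICULT = 1            # high skill, no exploit code available


class Locality(Enum):
    """Required locality: access needed to reach the flaw."""
    ANY_NETWORK = 4          # exploitable from any port or protocol
    SPECIFIC_PORT = 3        # exploitable through a particular port or protocol
    AUTHENTICATED = 2        # exploitable by authorized users only
    LOCAL = 1                # local console or physical access required


@dataclass(frozen=True)
class Flaw:
    identifier: str          # tracking id; placeholders below, not real advisory numbers
    system: str
    damage: Damage
    ease: Ease
    locality: Locality


def risk_score(flaw: Flaw) -> int:
    """Multiplicative score (assumed weighting): a flaw is only as urgent as its
    weakest dimension allows. Range is 1 (local DoS, difficult, local access)
    to 48 (root, easy, any network)."""
    return flaw.damage.value * flaw.ease.value * flaw.locality.value


def priority_tier(score: int) -> str:
    """Map the score to a deployment window (thresholds are this example's assumption)."""
    if score >= 24:
        return "emergency"   # out-of-band change: full backup, then staged rollout
    if score >= 8:
        return "next-cycle"  # regular scheduled patch window
    return "routine"         # bundle with the next maintenance release


def triage(flaws: List[Flaw]) -> List[Tuple[str, int, str]]:
    """Order flaws for deployment, highest score first; ties broken by identifier."""
    ranked = sorted(flaws, key=lambda f: (-risk_score(f), f.identifier))
    return [(f.identifier, risk_score(f), priority_tier(risk_score(f))) for f in ranked]


# Constructed sample backlog.
SAMPLE_FLAWS = [
    Flaw("FLAW-A", "web-frontend", Damage.ARBITRARY_CODE, Ease.EASY, Locality.SPECIFIC_PORT),
    Flaw("FLAW-B", "file-server", Damage.ADMIN_PRIVILEGE, Ease.DIFFICULT, Locality.LOCAL),
    Flaw("FLAW-C", "dns-resolver", Damage.NETWORK_DOS, Ease.EASY, Locality.ANY_NETWORK),
    Flaw("FLAW-D", "workstation", Damage.LOCAL_DOS, Ease.MODERATE, Locality.AUTHENTICATED),
]


if __name__ == "__main__":
    for identifier, score, tier in triage(SAMPLE_FLAWS):
        print(f"{identifier}: score={score:2d} tier={tier}")
```

Note that the root-privilege flaw (FLAW-B) lands in the routine tier because it needs physical access and has no exploit code: the score is what makes the slides' "risk-based decision" explicit and reviewable, and the weights are the part a committee would argue over and document.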
Everyone needs a Crystal Ball!
But where can we find it?