
CISSP Operations Security Domain

Operations Security - the act of understanding the threats to and vulnerabilities of computer operations in order to routinely support the operational activities that enable computer systems to function correctly.

Threats and Vulnerabilities
- Threat - the presence of any potential event that could cause harm by violating security; any event that can damage a system and cause a loss of confidentiality, integrity or availability (CIA).
- Vulnerability - a weakness in a system that enables security to be violated, i.e. a weakness that a threat can exploit.
- Asset - anything that is a computing resource or ability.
- Triples - threats, vulnerabilities and assets are assessed together as triples.
- Threats in an operating environment: internal or external intruders, and operators who inappropriately access resources.
- Types of threat:
  - Accidental loss
  - Inappropriate activities not rising to the level of criminal activity (for personal financial gain or destruction)
  - Illegal computer operations and intentional attacks: eavesdropping, fraud, theft, sabotage, external attack
  - Traffic/trend analysis; countermeasures: padding messages, sending noise
  - Covert channels (see covert channel analysis under Orange Book Controls)
- Areas of vulnerability:
  - Maintenance user accounts / service user accounts (service accounts for software)
  - Data-scavenging attacks, of two types:
    - Keyboard attacks - carried out through resources available to a normal user sitting at the keyboard
    - Laboratory attacks - planned and orchestrated attacks using precise electronic equipment
  - IPL (Initial Program Load) vulnerabilities
  - Social engineering
  - Network address hijacking

Operations Controls
Embody the day-to-day procedures used to protect computer operations. Critical aspects of operations controls: resource protection (including hardware control) and privileged-entity control.

Categories of Control
- Preventative controls - lower the impact and number of unintentional errors entering the system, and prevent unauthorized intruders from accessing the system internally or externally.
- Detective controls - detect an error once it has occurred.
- Corrective/recovery controls - help mitigate the impact of a loss event through data recovery procedures.
- Deterrent controls - encourage compliance with external controls, such as regulatory compliance; also known as directive controls, they complement the other controls.
- Application controls - designed into a software application to minimize and detect the software's operational irregularities.
  - Transaction controls - designed to control transactions at various stages:
    - Input controls - ensure that transactions are properly input into the system, and only once.
    - Processing controls - guarantee that transactions are valid and accurate and that wrong entries are reprocessed correctly and promptly.
    - Output controls - protect the confidentiality of output and verify its integrity by comparing the input transaction with the output data.
    - Change controls - preserve data integrity in a system while changes are being made to its configuration.
    - Test controls - put in place during testing of a system to prevent violations of confidentiality and to ensure transaction integrity.

Orange Book Controls
The Orange Book defines the Trusted Computer System Evaluation Criteria (TCSEC). It defines assurance requirements for secure computer operations: assurance is the level of confidence that the security policy of a trusted computing base (TCB) has been correctly implemented and that the system's security features accurately implement that policy.
- Trusted Computing Base (TCB) - the totality of protection mechanisms within a computer system, including hardware, firmware and software, the combination of which is responsible for enforcing a security policy.
- Classes of security:
  - D - Minimal Protection
  - C - Discretionary Protection
    - C1 - Discretionary Security Protection
    - C2 - Controlled Access Protection
  - B - Mandatory Protection
    - B1 - Labeled Security Protection
    - B2 - Structured Protection
    - B3 - Security Domains
  - A1 - Verified Protection
- Operational assurance - focuses on the basic features and architecture of a system: system architecture, system integrity, covert channel analysis, trusted facility management and trusted recovery.
- Life-cycle assurance - focuses on the controls and standards necessary for building and maintaining the system: security testing, design specification and verification, configuration management and trusted distribution.

Covert channel analysis
- Two kinds of channel: covert storage channel and covert timing channel.
- B2: must protect against covert storage channels and perform analysis for all covert storage channels.
- B3 and A1: must protect against both covert storage and covert timing channels and perform analysis on both.

Trusted facility management
- Assignment of a specific individual to administer the security-related functions of a system.
- B2 requirement: the TCB shall support separate operator and administrator functions.
- B3 and A1 requirement: the functions performed in the role of a security administrator shall be identified. System administrative personnel shall be able to perform security administrator functions only after taking a distinct, auditable action to assume the security administrator role on the system. Non-security functions that can be performed in the security administration role shall be limited to those essential to performing the security role effectively.

Trusted recovery (system recovery)
- Ensures that security is not breached when a system crash or other failure (discontinuity) occurs. The system must restart without compromising its required protection scheme, and must be able to recover and roll back without being compromised after the failure. Required at B3 and A1.
- Failure preparation: back up all critical files on a regular basis.
- System recovery: must enable data recovery in a protected and orderly manner and ensure continued system security.
- Common Criteria recovery types:
  - Manual recovery - sysadmin intervention is required to return the system to a secure state.
  - Automated recovery - automatic return to a secure state without the sysadmin, but manual intervention is required to resolve any additional failures.
  - Automated recovery without undue loss - as automated recovery, with the addition of prevention against undue loss of protected objects.

Configuration management (life-cycle assurance)
- Management of security features and a level of assurance, provided through control of the changes made to the system configuration throughout the development and operational life cycle. Primary goal: ensure that changes to the system do not unintentionally diminish security. It is a more formalized, higher-level process of managing changes to a complicated system than change control.
- B2 and B3: configuration management procedures must be enforced during development and maintenance of the system.
- A1: configuration management procedures must be enforced during the entire life cycle of the system.
- Configuration item - a uniquely identifiable subset of a system; the smallest portion subject to independent configuration control procedures.
- Configuration identification - the process of splitting the system into configuration items.
- Configuration control - the means to ensure that system changes are approved before being implemented, that only proposed and approved changes are implemented, and that implementation is complete and accurate. Governed by the Configuration Management Plan and a Configuration Control Board (CCB).
- Configuration status accounting - documents the status of configuration control activities and provides the information needed to manage the configuration effectively; tracks the status of current changes.
- Configuration audit - the quality assurance component of configuration management; periodic checks that the accounting information is complete and consistent and that policies are followed.

Change Control
- Goals:
  - Make it possible to roll back to a previous version of the system in case a new build is faulty.
  - Ensure that changes are reflected in documentation.
  - Ensure that changes are implemented in an orderly manner through formal testing.
  - Ensure that the user base is informed about the change.
  - Analyze the effect of the change on the system after implementation.
  - Reduce the negative impact that the change may have on computing services and resources.
- Procedures of the change process:
  1. Applying to introduce the change
  2. Approval of the change
  3. Cataloging the intended change
  4. Testing the change
  5. Scheduling and implementing the change
  6. Reporting the change to the appropriate parties

Resource Protection
- Hardware protection: physical control of hardware, hardware maintenance, diagnostic port control, and maintenance accounts (service accounts for software).
- Software controls: safe software storage, software testing, software utilities, antivirus management.
- Privileged-entity controls.
- Media security controls - protect the confidentiality, integrity and availability of data on media:
  - Logging, access control and proper disposal of media.
  - Overwriting - overwriting seven times is the common recommendation.
  - Degaussing - the best method for purging most magnetic media; degaussed hard drives will require restoration of the factory-installed timing tracks.
  - Destruction.
  - Media viability controls - preserve the working state of the media to facilitate accurate restoration: marking, handling and storage.
- Physical access controls.
- Transparency of controls - controls should not prevent users from doing their legitimate tasks and day-to-day jobs.

Resource Availability - Backup Controls
- RAID - classified as failure resistant disk systems, failure tolerant disk systems and disaster tolerant disk systems. RAID levels:
  - RAID 0 - Striping
  - RAID 1 - Mirroring
  - RAID 2 - Hamming code
  - RAID 3 - Byte-level parity
  - RAID 4 - Block-level parity
  - RAID 5 - Interleaved parity
  - RAID 6 - Second independent parity
  - RAID 7 - Single virtual disk
  - RAID 10 - Striping across multiple mirrored pairs (1+0)
  - RAID 15 - Striping with parity across RAID 5 pairs (1+5)
  - RAID 51 - Mirrored RAID 5 arrays with parity (5+1)
- Tape backup methods: full backup method, incremental backup method, differential backup method.
- Other backup formats:
  - Write once, read many (WORM) - used for archives that do not change and for individual backups of small data sets of a specific application.
  - Compact disc optical media.
  - Zip/Jaz drives, SyQuest and Bernoulli boxes.
  - Tape arrays - a hardware/software system that uses RAID technology in a large device with multiple tapes (sometimes 32 or 64) configured as a single array; fast, multitasking backup of multiple targets with considerable fault tolerance.
  - Hierarchical Storage Management (HSM) - continuous online backup using optical or tape jukeboxes, similar to WORMs; appears to the system as an infinite disk and can be configured to provide the closest available version of a real-time backup; commonly employed in very large data retrieval systems.
- Backup issues and problems: slow data transfer of the backup; server disk utilization expands over time; the time the last backup was run is never the time of the server crash.

Modes of Operation
Description of the conditions under which an AIS functions, based on the sensitivity of the data processed and the clearance levels and authorizations of the users.
- Dedicated mode - every user with access to the AIS and its components has a valid personnel clearance for all information on the system, formal access approval for all information stored or processed, and a valid need to know for all information contained within the system.
- System-high mode - every user with access to the AIS and its components has a valid personnel clearance for the most restricted information processed in the AIS, formal access approval for the information to which he or she is to have access, and a valid need to know for that information.
- Multilevel mode - some users do not have a valid personnel clearance for all the information processed in the AIS; all users have the proper clearance and appropriate formal access approval for the information to which they are to have access, and all have a valid need to know for that information.

Monitoring and Auditing
- Monitoring techniques: intrusion detection, penetration testing, violation processing using clipping levels, scanning and probing, demon dialing/war dialing, sniffing, dumpster diving, social engineering.
  - Clipping level - a baseline of user activity that is considered a routine level of user errors; violations are processed only once that baseline is exceeded.
  - Profile-based anomaly detection uses profiles to look for abnormalities in user behavior; profile metrics are the ways in which the various types of activity are recorded in the profile.
- Security auditing and the audit trail:
  - Audit trail - a set of records that collectively provides documentary evidence of processing, used to aid in tracing from original transactions forward to related records and reports, or backward from records and reports to their component source transactions.
  - Auditor types: internal auditors work for the organization whose systems are audited; external auditors are hired from third-party organizations.
  - Audit mechanism goals:
    - Enable enforcement of individual accountability by creating a reconstruction of events.
    - Assist with problem identification, which leads to problem resolution.
    - Allow the auditor to retrieve and certify data.
    - Allow review of patterns of access to individual objects, access histories of specific processes and individuals, and the use of the various protection mechanisms supported by the system and their effectiveness.
    - Allow discovery of repeated attempts by both users and outsiders to bypass the protection mechanisms.
    - Act as a deterrent against perpetrators' habitual attempts to bypass the system protection mechanisms.
    - Supply an additional form of user assurance that attempts to bypass the protection mechanisms are recorded and discovered.
- Problem management - a way to control the process of problem identification, problem isolation and problem resolution.
  - Goals: reduce failures to a manageable level; prevent the occurrence or reoccurrence of a problem; mitigate the negative impact of problems on computing services and resources.
  - Final objective: resolution of the problem.
- Benefits of an incident-handling capability:
  - Primary benefit: containing and repairing damage from incidents and preventing future damage.
  - Enhancement of the risk assessment process.
  - Enhancement of internal communications and of the organization's readiness to respond to any type of incident, not just computer security incidents.
  - Security training: security personnel gain a better understanding of users' knowledge of security issues.

Administrative Controls
Separated from operational controls because they are oriented more to human resources, personnel administration and policy than to hardware or software controls.
- Personnel security: employment screening / background checks, mandatory vacations, warnings and termination.
- Separation of duties and responsibilities - two-man control: two operators view and approve each other's work, which provides accountability and minimizes fraud in highly sensitive or high-risk transactions.
- Rotation of duties.
- Least privilege and need to know. Access levels:
  - Read only - the lowest level, which most operators should be assigned.
  - Read/write - a higher level.
  - Access/change - the highest level: can change access permissions and change or modify originals.
- Change control, record retention and documentation control:
  - Record retention - deals with retaining computer files, directories and libraries.
  - Documentation controls.
- Data remanence - data left on media after it has been erased.
- Object reuse - system resources are allocated and reassigned to users in a manner that prevents disclosure of sensitive information.
- Due care - the care an ordinarily prudent person would have exercised under the same or similar circumstances.
- Due diligence.

Operational Email Security
- Threats: phishing, malicious attachments, and relays abused to propagate spam.
- Email relay server: configure it to send only messages addressed to its own domain; apply anti-virus, spam and content filtering to incoming and outgoing communications.
- Phishing countermeasure: a standard customer communication policy.
- Email authentication systems:
  - Sender Policy Framework (SPF) - checks the "envelope sender" of an email message (the domain name of the initiating SMTP transaction).
  - Sender ID - checks after the message data is transmitted; examines several sender-related fields in the message header to identify the "purported responsible address" (PRA).
  - DomainKeys - checks a header containing a digital signature for the message, verifying the domain of each email sender as well as the integrity of the message.
  - Cisco Identified Internet Mail - adds two headers to the RFC 2822 message format to confirm the authenticity of the sender's address.

Fax Security
- Fax encryptor - encrypts all fax traffic at the data link layer.
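The tape backup methods listed under Resource Availability differ only in what they do with the archive bit, and that one detail decides both the size of each backup set and how many sets a restore must read. The following Python simulation is an added example, not part of the original study notes; the file names and the five-day schedule are constructed, and the last day models the "last backup is never at crash time" problem from the backup issues list.

```python
"""Full, incremental and differential backups simulated with an archive bit.

Added example; the file names and schedule below are constructed, not from
any real system. The OS sets a file's archive bit when the file is written.
A full backup copies every file and clears every bit, an incremental backup
copies the files whose bit is set and clears those bits, and a differential
backup copies the same files but leaves the bits set, so each differential
contains everything changed since the last full backup.
"""


def run_backup(method, archive_bits):
    """Copy files according to `method`, update the bits in place, and return
    the set of file names written to this backup set."""
    if method == "full":
        copied = set(archive_bits)
        for name in archive_bits:
            archive_bits[name] = False
    elif method == "incremental":
        copied = {n for n, dirty in archive_bits.items() if dirty}
        for name in copied:
            archive_bits[name] = False
    elif method == "differential":
        copied = {n for n, dirty in archive_bits.items() if dirty}
    else:
        raise ValueError(f"unknown backup method {method!r}")
    return copied


def simulate(days):
    """`days` is a list of (files_written_that_day, backup_method_or_None).
    Returns one (day, method, copied_files) tuple per backup taken."""
    archive_bits = {}
    history = []
    for day, (written, method) in enumerate(days):
        for name in written:
            archive_bits[name] = True  # the OS sets the bit on every write
        if method:
            history.append((day, method, run_backup(method, archive_bits)))
    return history


def restore_chain(history):
    """Backup sets that must be read, in order, to rebuild the latest state.
    Assumes a single method is used between full backups."""
    last_full = max(i for i, h in enumerate(history) if h[1] == "full")
    later = history[last_full + 1:]
    if later and later[-1][1] == "differential":
        # The newest differential already holds every change since the full.
        return [history[last_full], later[-1]]
    return [history[last_full]] + later  # full plus every incremental


def unprotected_files(days):
    """Files written after the last backup: what a crash right now would lose."""
    last_backup = max((i for i, (_, m) in enumerate(days) if m), default=-1)
    lost = set()
    for written, _ in days[last_backup + 1:]:
        lost |= set(written)
    return lost


def schedule(method):
    """Constructed schedule: full on day 0, `method` nightly, crash on day 4."""
    return [
        ({"payroll.db", "ledger.db", "config.ini"}, "full"),
        ({"payroll.db"}, method),
        ({"ledger.db"}, method),
        ({"payroll.db"}, method),
        ({"config.ini"}, None),  # written, then the server crashes before backup
    ]


if __name__ == "__main__":
    for method in ("incremental", "differential"):
        hist = simulate(schedule(method))
        print(method, [sorted(c) for _, _, c in hist])
        print("  restore needs", len(restore_chain(hist)), "backup sets")
    print("lost on crash:", unprotected_files(schedule("incremental")))
```

Run it and the trade-off is visible in the numbers: the incremental sets stay small but a restore needs the full plus all three incrementals, while the differential sets grow each night but a restore needs only two sets; either way `config.ini` is lost.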
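The RAID levels in the same section are easier to remember once the parity mechanism is seen working. The Python below is an added example, not part of the original notes: it lays a stripe of constructed data blocks across disks with a rotating XOR parity block (the RAID 5 scheme; RAID 3 and 4 use the same XOR with a fixed parity disk) and rebuilds whichever single disk is lost. The `rebuild_possible` check states the rule that makes RAID 6's second independent parity necessary.

```python
"""RAID 5 striping with rotating XOR parity, and rebuild after one disk fails.

Added example, not part of the original notes. Block contents are constructed.
RAID 3/4/5 all store one parity block per stripe that is the XOR of the data
blocks; RAID 5 rotates which disk holds the parity from stripe to stripe.
"""


def xor_blocks(blocks):
    """XOR equal-length byte strings together; used both to compute parity
    and to rebuild a missing block."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        if len(block) != len(out):
            raise ValueError("all blocks in a stripe must be the same size")
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def write_stripe(stripe_no, data_blocks):
    """Lay out one stripe across len(data_blocks)+1 disks. Parity goes on
    disk (stripe_no mod disk_count), so the parity load rotates as in RAID 5."""
    disks = list(data_blocks)
    disks.insert(stripe_no % (len(data_blocks) + 1), xor_blocks(data_blocks))
    return disks


def read_stripe(stripe_no, disks, failed=None):
    """Return the data blocks of a stripe. If disk index `failed` is
    unreadable, its block is rebuilt as the XOR of all surviving blocks;
    this works whether the lost block held data or parity."""
    parity_idx = stripe_no % len(disks)
    blocks = list(disks)
    if failed is not None:
        survivors = [b for i, b in enumerate(disks) if i != failed]
        blocks[failed] = xor_blocks(survivors)
    return [b for i, b in enumerate(blocks) if i != parity_idx]


def rebuild_possible(failed_disks, parity_blocks_per_stripe=1):
    """A stripe with one parity block (RAID 3/4/5) survives exactly one
    failed disk; RAID 6 adds a second independent parity block and survives two."""
    return len(failed_disks) <= parity_blocks_per_stripe


if __name__ == "__main__":
    data = [b"acct", b"ledg", b"logs"]  # three constructed data blocks
    stripe = write_stripe(1, data)       # parity lands on disk 1 for stripe 1
    print("disk 2 failed, rebuilt correctly:", read_stripe(1, stripe, failed=2) == data)
    print("two disks failed, RAID 5 rebuild possible:", rebuild_possible([0, 2]))
```

Note that parity makes the array failure tolerant, not a backup: a bad write or a deleted file is faithfully mirrored into the parity, so RAID does not replace the tape methods above.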
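Violation processing with a clipping level, from the Monitoring and Auditing section, is a counting problem with one subtlety: the count must be taken inside a time window, or a user who fat-fingers a password twice a day would eventually be flagged. The following Python is an added example, not part of the original notes; the log format and the entries in `SAMPLE_LOG` are constructed.

```python
"""Violation processing with a clipping level over login-failure log lines.

Added example, not part of the original notes. The log format and the
entries in SAMPLE_LOG are constructed. A clipping level says how many
failed logins per user inside a time window are treated as routine error;
only a user who exceeds it is reported for investigation.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log: "<iso-timestamp> <FAILED|OK> login user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-03-01T08:00:00 FAILED login user=carol src=198.51.100.9
2024-03-01T08:40:00 FAILED login user=carol src=198.51.100.9
2024-03-01T08:58:00 FAILED login user=alice src=192.0.2.14
2024-03-01T08:59:00 FAILED login user=alice src=192.0.2.14
2024-03-01T08:59:30 OK login user=alice src=192.0.2.14
2024-03-01T09:00:00 FAILED login user=bob src=203.0.113.5
2024-03-01T09:01:00 FAILED login user=bob src=203.0.113.5
2024-03-01T09:02:00 FAILED login user=bob src=203.0.113.5
2024-03-01T09:03:00 FAILED login user=bob src=203.0.113.5
2024-03-01T09:04:00 FAILED login user=bob src=203.0.113.5
2024-03-01T09:20:00 FAILED login user=carol src=198.51.100.9
2024-03-01T10:00:00 FAILED login user=carol src=198.51.100.9
"""

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAILED|OK) login user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Yield (timestamp, user, result) for each well-formed line, in file order."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:  # malformed lines are skipped rather than crashing the monitor
            yield datetime.fromisoformat(m["ts"]), m["user"], m["result"]


def clipping_violations(log_text, clipping_level=3, window_minutes=10):
    """Return {user: peak_failures_in_window} for every user whose failed
    logins inside any sliding window of `window_minutes` exceed the clipping
    level. Users at or below the level are routine error and not reported."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # user -> timestamps of failures still in the window
    peak = defaultdict(int)
    for ts, user, result in parse(log_text):
        if result != "FAILED":
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()            # drop failures that aged out of the window
        peak[user] = max(peak[user], len(q))
    return {u: n for u, n in peak.items() if n > clipping_level}


if __name__ == "__main__":
    print(clipping_violations(SAMPLE_LOG))  # {'bob': 5}
```

In the sample, alice's two failures followed by a success sit under the level, carol's four failures are spread over two hours and never exceed it inside a ten-minute window, and only bob's burst is reported; widening the window or lowering the level changes who is flagged, which is exactly the tuning decision a clipping level represents.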
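SPF's defining property in the Email Authentication Systems list is that it checks the envelope sender, which is decided by the SMTP `MAIL FROM` command and the connecting client's IP address before any message data is transmitted. The Python below is an added example, not part of the original notes or of any SPF library: the domains, addresses and TXT records are constructed and looked up in a local table instead of DNS, and only the `ip4`, `ip6` and `all` mechanisms are implemented.

```python
"""SPF check of the envelope sender, as described under email authentication.

Added example, not part of the original notes; the domains, addresses and
TXT records below are constructed and looked up in a local table instead of
DNS. SPF is evaluated against the MAIL FROM (envelope sender) domain and the
IP address of the connecting SMTP client, before any message data is sent.
Only ip4, ip6 and all mechanisms are implemented; include/a/mx/exists need
real DNS and are reported as permerror here.
"""
import ipaddress
import re

# Constructed stand-in for DNS TXT lookups: domain -> SPF record.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "example.org": "v=spf1 include:_spf.example.org -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAIL_FROM = re.compile(r"^MAIL FROM:\s*<([^>]*)>", re.IGNORECASE)


def envelope_domain(smtp_command):
    """Domain of the envelope sender taken from the SMTP MAIL FROM command."""
    m = MAIL_FROM.match(smtp_command)
    if not m or "@" not in m.group(1):
        return None  # null sender (bounces) or malformed command
    return m.group(1).rsplit("@", 1)[1].lower()


def evaluate_spf(record, client_ip):
    """Walk the record left to right; the first matching mechanism decides."""
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # DNS-backed mechanism, not modeled in this example
    return "neutral"  # record exhausted without a match


def spf_check(mail_from_command, client_ip, records=SPF_RECORDS):
    """Result the receiving MTA would act on for this SMTP session."""
    domain = envelope_domain(mail_from_command)
    if domain is None or domain not in records:
        return "none"
    return evaluate_spf(records[domain], client_ip)


if __name__ == "__main__":
    print(spf_check("MAIL FROM:<billing@example.com>", "192.0.2.10"))   # pass
    print(spf_check("MAIL FROM:<billing@example.com>", "203.0.113.7"))  # fail
```

The caveat a practitioner should keep in mind follows directly from what is checked: an SPF pass says the connecting server is allowed to use the envelope sender's domain, and nothing about the `From:` header the recipient actually sees. A phisher sending from a domain they control with a correct SPF record passes SPF while still displaying a spoofed `From:`, which is the gap Sender ID's purported responsible address and DomainKeys' signed headers are meant to close.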
