Chapter 9: Operations Security

Question 1

Types of controls

Answer 1

Preventative: reduce the frequency and impact of errors

Detective: discovers errors after they occur

Corrective: mitigates the impact of a loss

Deterrent: Encourage compliance with external controls

Application level: minimize and detect software irregularities

Transaction level: control over stages of a transaction

Question 2

Strong security system elements

Answer 2

Employing competent people into a clear authority structure

Adequate separation of duties

Proper procedures for authorizing changes

Maintaining adequate documentation and records

Maintaining proper physical controls over assets and records

Executing independent checks on performance

Question 3

The three factors in engagement in fraudulent or immoral behavior

Answer 3

Motivation: why do they need the result of their crime (usually money driven reasons here, but could be an ego or thrill factor, too)

Justification: why it isn’t as bad as others might say it is (the company “owes” them, or it is hurting a company, not people, etc)

Opportunity: the (either reasonable or unreasonable) idea that the person is not likely to get caught, usually because of a shortcoming at the company

Question 4

Process controls

Answer 4

Ensures security principles inform all processes, both human and technological processes

Question 5

Trusted recovery controls

Answer 5

Ensures that systems stay safe even when the system crashes or loses power; dictates “fail-secure” systems

Question 6

Configuration and Change Management controls

Answer 6

Ensuring accountability for how changes in a system are approved and occur; a threat to this sort of accountability would be a “block upgrade” in which the request changes are too big to manage or track well

Question 7

Record retention processes

Answer 7

Ensures that records are kept for an appropriate amount of time; could be both hard and soft records

Question 8

Personnel security controls

Answer 8

Ensures quality people are at the company. Includes preemployment checks, criminal checks, and mandatory vacation time. Also could include rotating duties and proper disciplinary structures

Question 9

Resource protection controls

Answer 9

Guards physical assets

Question 10

Privileged entity controls

Answer 10

Special controls for system administrators; may involve eliminating default accounts or shared accounts to ensure nonrepudiability

Question 11

Media viability controls

Answer 11

Marking media so that everyone knows classification levels, or owners, or dates, or whatever might matter to someone picking up the physical asset

Question 12

Operation process controls

Answer 12

Permission constraints or accountabilities for operators

Question 13

Sarbanes-Oxley Act (SOX)

Answer 13

Passed after Enron meltdown. Requires integrity of financial records. Section 404 pertains to the data centers in which financial records reside

Question 14

Operation Security Controls in Action:
Software Support

Answer 14

Limiting which software can run on which system

Inspecting or testing software before distribution or usage

Auditing software licensing

Prohibiting unauthorized changes or modifications to existing software

Question 15

Operation Security Controls in Action:
Config and Change Management

Answer 15

(Similar to Software Support in many cases)

Management of which connection or open to what on the network

Changes have proper documentation

Changes are audited to ensure security protocols still apply 100%

Question 16

Operation Security Controls in Action:
Backups

Answer 16

Backup frequency

Backup storage status

Backup testing schedule

Backup schedules may need to be different for different systems or data

Question 17

Operation Security Controls in Action:
Media Controls

Answer 17

Marking: may contain date/content style information or may contain handling instructions

Logging: Helps to ensure data does not go missing via missing drives, for example. Also can help provide location accountability when it is something that might need checked out

Integrity verification: making sure that the data is correctly matched to external label to ensure findability and correct understanding of status. Also can use hashing or other cryptography to ensure data has not been corrupted or contaminated

Physical access control: ensuring that only people who are supposed to have access to both the media and the media readers

Environmental controls: to ensure media does not encounter conditions that might result in damaged or destroyed media

Transmittal: ensuring that media moves only within authorized means, such as couriers, locked containers, etc

Disposition: ensuring that data is properly destroyed, either physically or logically, when the media is no longer being used. Overwriting, degaussing, and destroying media are acceptable

Question 18

Operation Security Controls in Action:
Documentation

Answer 18

Formalization of processes and procedures

Putting processes and procedures into an offline and accessible form in case of disaster recovery

Question 19

Operation Security Controls in Action:
Maintenance

Answer 19

Physical and logical maintenance both

Must take place within security policies

Depending on system, may require outside assistance and verification of third party personnel

Keeping maintenance records thoroughly

Ensuring “maintenance grade” passwords are changed

Encryption and decryption of certain maintenance details

Question 20

Operation Security Controls in Action:
Interdependencies

Answer 20

Being aware of crossover between areas and how they interconnect together and what vulnerabilities open up in those cases. for example, the physical security of a data center requires both IT and Security to be appeased.

(people from different departments sitting next to each other, or areas where multiple types of people have a finger in the same project or system