Chapter 9: Operations Security Flashcards
Types of controls
Preventative: reduce the frequency and impact of errors
Detective: discovers errors after they occur
Corrective: mitigates the impact of a loss
Deterrent: Encourage compliance with external controls
Application level: minimize and detect software irregularities
Transaction level: control over stages of a transaction
Strong security system elements
Employing competent people into a clear authority structure
Adequate separation of duties
Proper procedures for authorizing changes
Maintaining adequate documentation and records
Maintaining proper physical controls over assets and records
Executing independent checks on performance
The three factors in engaging in fraudulent or immoral behavior
Motivation: why they need the result of their crime (usually money-driven reasons here, but could be an ego or thrill factor, too)
Justification: why it isn’t as bad as others might say it is (the company “owes” them, or it is hurting a company, not people, etc)
Opportunity: the (either reasonable or unreasonable) idea that the person is not likely to get caught, usually because of a shortcoming at the company
Process controls
Ensures security principles inform all processes, both human and technological
Trusted recovery controls
Ensures that systems stay safe even when the system crashes or loses power; dictates “fail-secure” systems
Configuration and Change Management controls
Ensuring accountability for how changes in a system are approved and occur; a threat to this sort of accountability would be a “block upgrade” in which the requested changes are too big to manage or track well
Record retention processes
Ensures that records are kept for an appropriate amount of time; could be both hard and soft records
Personnel security controls
Ensures quality people are at the company. Includes pre-employment checks, criminal checks, and mandatory vacation time. Also could include rotating duties and proper disciplinary structures
Resource protection controls
Guards physical assets
Privileged entity controls
Special controls for system administrators; may involve eliminating default accounts or shared accounts to ensure non-repudiation
Media viability controls
Marking media so that everyone knows classification levels, or owners, or dates, or whatever might matter to someone picking up the physical asset
Operation process controls
Permission constraints or accountabilities for operators
Sarbanes-Oxley Act (SOX)
Passed after the Enron meltdown. Requires integrity of financial records. Section 404 pertains to the data centers in which financial records reside
Operation Security Controls in Action:
Software Support
Limiting which software can run on which system
Inspecting or testing software before distribution or usage
Auditing software licensing
Prohibiting unauthorized changes or modifications to existing software
Operation Security Controls in Action:
Config and Change Management
(Similar to Software Support in many cases)
Management of which connections are open to what on the network
Changes have proper documentation
Changes are audited to ensure security protocols still apply 100%
Operation Security Controls in Action:
Backups
Backup frequency
Backup storage status
Backup testing schedule
Backup schedules may need to be different for different systems or data
Operation Security Controls in Action:
Media Controls
Marking: may contain date/content style information or may contain handling instructions
Logging: Helps to ensure data does not go missing via missing drives, for example. Also can help provide location accountability when it is something that might need to be checked out
Integrity verification: making sure that the data is correctly matched to its external label to ensure findability and correct understanding of status. Also can use hashing or other cryptography to ensure data has not been corrupted or contaminated
Physical access control: ensuring that only people who are supposed to have access can reach both the media and the media readers
Environmental controls: to ensure media does not encounter conditions that might result in damaged or destroyed media
Transmittal: ensuring that media moves only within authorized means, such as couriers, locked containers, etc
Disposition: ensuring that data is properly destroyed, either physically or logically, when the media is no longer being used. Overwriting, degaussing, and destroying media are acceptable
Operation Security Controls in Action:
Documentation
Formalization of processes and procedures
Putting processes and procedures into an offline and accessible form in case of disaster recovery
Operation Security Controls in Action:
Maintenance
Both physical and logical maintenance
Must take place within security policies
Depending on the system, may require outside assistance and verification of third-party personnel
Keeping thorough maintenance records
Ensuring “maintenance grade” passwords are changed
Encryption and decryption of certain maintenance details
Operation Security Controls in Action:
Interdependencies
Being aware of crossover between areas, how they interconnect, and what vulnerabilities open up in those cases. For example, the physical security of a data center requires both IT and Security to be satisfied.
(people from different departments sitting next to each other, or areas where multiple types of people have a finger in the same project or system)