Operations and Maintenance Flashcards
Operations security
Staying secure, i.e. keeping the resiliency levels of the software above the acceptable risk levels.
The different types of operations security controls are
Detective; Preventive; Deterrent; Corrective; Compensating.
Detective Controls
are those that can be used to build historical evidence of user and system/process actions. E.g. auditing (logging), intrusion detection systems (IDS).
Preventive Controls
are those which make the success of the attacker difficult, as their goal is to prevent the attack actively or proactively. E.g. input validation, output encoding, bounds checking, patching, intrusion prevention systems (IPS).
Deterrent Controls
are those which don’t necessarily prevent an attack, nor are they merely passive in nature. Their aim is to dissuade an attacker from continuing their attack. E.g. auditing when the users of the software are aware of being audited.
Corrective Controls
are those which aim to provide the recoverability of software assurance. E.g. Load balancing, clustering, failover of data and systems.
Compensating Controls
are those controls that must be implemented when the prescribed software controls as mandated by a security policy or requirement cannot be met due to legitimate technical or documented business constraints. E.g.
Ongoing activities that are useful to ensure that the software stays secure:
Monitoring; Incident Management; Problem Management; Change Management including Patch and Vulnerability Management; Backup, Recovery and Archiving.
Monitoring can be used to:
Validate compliance to regulations and other governance requirements; Demonstrate due diligence and due care on the part of the organization towards its stakeholders; Provide evidence for audit defense; Assist in forensics investigations; Identify new threats; …
What to monitor
Any operations that can have a negative impact on the brand and reputation of the organization when they do not function as expected must be monitored.
The PCI DSS as one of its requirements mandates that
Any physical access to cardholder data or systems that house cardholder data must be appropriately restricted and the restrictions periodically verified.
The primary ways in which monitoring is accomplished within organizations today are
Scanning; Logging; Intrusion detection.
Audits are monitoring mechanisms by
which an organization can attest the assurance aspects (reliability, resiliency and recoverability) of the network, systems and software that they have built or bought.
They are effective to determine the implementation and effectiveness of security principles such as
Separation of duties and least privilege.
Some of the purposes for which periodic audits of software can be used
Determine that the security policy of the software is met; Assure data confidentiality, integrity and availability protections; Make sure that authentication cannot be bypassed; Ensure that rights and privileges are working as expected; Check for the proper function of auditing (logging); Find out if unnecessary services, ports and protocols are disabled or removed; …
Incident management activities
The proper protocols to follow and the steps to take when a security breach (or incident) occurs.
NIST Special Publication on Computer Security
Incident Handling Guide (SP 800-61)
Provides guidance on how to manage computer security incidents effectively.
NIST Special Publication SP 800-61
NIST SP 800-61 (Computer Security Incident Handling Guide) provides guidance on how to manage computer security incidents effectively.
The first step in incident response is to determine:
If the reported or suspected incident is truly an incident or not. If it is a valid incident, then the type of the incident is determined.
Incident management shall define clear procedures to
Assess the current and potential business impact and risk, along with the implementation of effective and efficient mechanisms to collect, analyze and report incident data.
Event
Any action that is directed at an object which attempts to change the state of the object.
Red flags
Raised when events match preset conditions or patterns upon further analysis. E.g. adverse events include flooded networks, rootkit installations, unauthorized data access, malicious code executions or business disruptions.
Alerts
Flagged events that need to be scrutinized further to determine if the event occurrence is an incident. Alerts can be categorized into incidents.
Security incidents
Adverse events that violate or threaten to violate the security policy of the network, system or software applications.
Types of Incidents
Denial of Service (DoS); Malicious Code; Unauthorized Access; Inappropriate Usage; Multiple Component.
Incident Response Process
Preparation, detection and analysis, containment, eradication and recovery, and post-incident analysis.
Preparation phase activities
Establish incident response policies and procedures; Create and train an incident response team (IRT); Perform periodic risk assessments and reduce the identified risks to an acceptable level; Create an SLA that documents the appropriate actions and maximum response times; Identify additional personnel, both internal and external to the organization, that may have to be called to address the incident; Acquire tools and resources that the IRT personnel can use; Conduct awareness and training on the security policies and procedures and how they are related to actions that are prescribed in the Incident Response Plan (IRP).
For Detection and Analysis, one of the first activities is to look at the logs or audit trails. The log analysis process is made up of the following steps:
Collection, Normalization, Correlation and Visualization.
Collection defines the different types of logs that should be collected for analysis, such as
Network and Host Intrusion Detection System (NIDS and HIDS) logs; Network Access Control List (ACL) logs; Host logs such as OS system messages (e.g. logon success and failure information, system errors); Application (software) logs that provide information about the activity and interactions between users/processes and the applications; Database logs.
Principal reasons for the correlation of logs
The primary reason for correlating logs with a threat or threat agent is to deduce patterns. Secondarily, it can be used to determine the incident type.
How to determine the frequency of the log analysis
It is directly related to the value of the asset whose logs are being analyzed.
Upon the detection and validation of a security incident, the first course of action that needs to be taken is:
Containment, to limit any further damage or additional risks. E.g. shutting down the system, disconnecting the affected systems from the network, disabling ports and protocols, turning off services, taking the application offline.
Containment strategy can range from
immediate shutdown to delayed containment.
Delayed containment is useful to collect more evidence by monitoring the attacker’s activity, but this can be dangerous: the attacker may have the opportunity to elevate privilege and compromise additional assets.
Criteria to determine the right containment strategy include:
Potential impact and theft of resources; The need to preserve evidence; Availability of service; Time and resources needed to execute the strategy; The completeness and effectiveness of the strategy; The duration and criticality of the solution; The possibility of the attack causing additional damage.
Eradication
The steps necessary to remove and eliminate components of the incident.
Recovery mechanisms aim
To restore the resource (network, system or software application) back to its normal working state. E.g. restoring systems from legitimate backups, rebuilding services, restoration of compromised accounts and files with correct ones, patch installations, password changes and enhanced perimeter controls.
Post-Incident Analysis
Lessons learned activities produce a set of objective and subjective data regarding each incident.
As part of Post-Incident Analysis, “lesson-learned” activity can:
Provide the data necessary to identify and address the problem at its root; Help identify security weaknesses in the network, system or software; Help identify deficiencies in policies and procedures; Be used for evidentiary purposes; Be used as reference material in handling future incidents; Serve as training material; Help improve the security measures and the incident handling processes.
NIST SP 800-61
The Computer Security Incident Handling Guide special publication (SP 800-61) illustrates some of the outside parties that may have to be contacted and communicated with when security incidents occur within the organization.
IRT
Incident Response Team
Not all incidents require a full-fledged post-incident analysis, but at a bare minimum the 5 Ws need to be determined and reported on:
What happened? When did it happen? Where did it happen? Who was involved? and Why did it happen?
The goal of problem management
To determine and eliminate the root cause of the problem; in doing so it improves the service that IT provides to the business, because the same issue will not be repeated again.
Problem Management Process Flow
Incident Notification; Root Cause Analysis; Solution Determination; Request for Change; Solution Implementation; Monitor and Report.
RCA is performed to determine
‘Why’ the problem occurred in the first place.
Fishbone diagrams help the team to
Graphically identify and organize possible causes of a problem (effect); using this technique, the team can identify the root cause of the problem.
When brainstorming using fishbone diagrams, the RCA process can benefit if categories are used such as
People (awareness, training or education, etc.), Process (non-existent, ill-defined, etc.), Technology, Network, Host, Software (coding, 3rd party component, API, etc.), Environment (Production, Development, Test, etc.).
Patches
Additional pieces of code that are used to update or fix existing software so that the software is no longer susceptible to known bugs.
Patching
The process of applying these updates or fixes.
Patches are often made available from vendors in one of two ways. The most common mechanisms are:
Hotfix or Quick Fix Engineering (QFE); Service Pack.
QFE
Quick Fix Engineering
Service Pack
An update to the software that fixes known problems and in some cases provides additional enhancements and functionality as well.
Some challenges that come with patching
The applied patch could potentially cause a disruption of existing business processes and operations; Lack of a simulated environment, combined with lack of time, budget and resources.
Patches that are not tested for their security impact can potentially
Revert configuration settings from a secure into an insecure state (e.g. enabling previously disabled ports/services).
Some of the necessary steps that need to be taken as part of the patching process include
Notifying the users of the software or systems about the patch; Testing the patch in a simulated environment; Documenting the change along with the rollback plan; Identifying maintenance windows or the time when the patch is to be installed; Installing the patch; Testing the patch post-installation in the production environment; Validating that the patch did not regress the state of security and that it leaves the systems and software in compliance with the MSB; Monitoring the patched systems; Conducting post-mortem analysis in case the patch had to be rolled back and using the lessons learned to prevent future issues.
Special publication 800-40 published by NIST
Guide to Enterprise Patch Management Technologies. It defines patch management as the process for identifying, acquiring, installing, and verifying patches for products and systems.
Operational activities that assure uninterrupted business operations and continuity
Backups, recovery and archiving.
When a system has been infected by malware such as Trojan horses and spyware, the only option left for assuring continued integrity is probably
To completely format and reinstall the software, accompanied by restoring the data from a secure, trusted and verified backup.
Retrieve and restore backups task
Only those with need-to-know privileges should be authorized.
Bastion host is
A fortified computer system that is completely exposed to external attack and illegal entry. E.g. firewall, DNS, Web server, mail servers.
Concern about the bastion host
Bastion hosts must be carefully designed, as insecure design of these can lead to easy penetration by external threat agents into the internal network.
Bastion host - security controls
It must be hardened, and any unnecessary services, protocols, ports and programs need to be disabled before it is deployed.
Bastion host systems can be used to continuously monitor the security of the computing environment when it is used in conjunction with intrusion detection systems (IDS) and which other security control?
Auditing
What is the best recommendation to champion security objectives within the software development organization?
Informing the development team that there should be no injection flaws in the payroll application, using security metrics over Fear, Uncertainty and Doubt (FUD).
Normalization is
The process of using regular expressions to parse audit logs into information that indicates security incidents; duplicate and redundant information is removed.