ISA 400 Management of Information Security Philip Robbins – October 31, 2015 Application and Operations Security Information Security & Assurance Program.

ISA 400 Management of Information Security Philip Robbins – October 31, 2015 Application and Operations Security Information Security & Assurance Program University of Hawai'i West Oahu Week #10

Management of Information Security Week #10 Topics
- Domain: Application Security
- Domain: Operations Security
- Quiz
- Extra Credit

CISSP Exam Objectives for OPSEC
- Administrative Controls
- Sensitive Information (content) / Media Security
- Asset Management
- Continuity of Operations
- Incident Response Management
- Backup & Restoration

Operations Security
Operations deals with the day-to-day activities that need to take place to keep everything running and functioning correctly. Security objectives:
- Fix or replace hardware.
- Restore data backups.
- Correct network connectivity issues.
- Control changes.
- Manage accounts.

Unique Terms
- Collusion
- Remanence
- Redundant Array of Inexpensive Disks (RAID)
- Mirroring
- Striping
- Parity
- Due Care
- Due Diligence

Threats to Operations
- Disclosure
- Destruction
- Interruption / Non-availability
- Corruption / Modification
- Theft
- Espionage
- Hackers / Crackers
- Malicious Code

Control Methods
- Separation of Responsibilities
- Principle of Least Privilege (POLP)
- Need to Know
- Job Rotation
- Security Audits and Reviews
- Supervision

Background Checks (administrative control)
- Pre-employment screening
- Background investigations
- Criminal records check
- Verification of employment history
- Credit reports
- Drug screening
The level of background check performed depends on the sensitivity of the position.

Privilege Monitoring
Those with the most access require the most watching. Job functions that require greater scrutiny:
- Account creation / modification / deletion
- System reboots
- Data backup
- Data restoration
- Source code access
- Audit log access
- Security configuration capabilities

Privileged Entities
Users that require some level of special access or special privileges in order to perform a given task. Management of privileged entities is very important because these entities often have the ability to bypass security controls.

Privileged Entity Classes ((ISC)2)
- Ordinary Users
- Operators
- Security Administrators
- System Administrators
- System Accounts

Ordinary Users
- Only have access to the applications and systems necessary for them to perform a given task
- Should not be able to monitor processes
- Must operate within security labels
- Should be prevented from altering the boot process

Operators
Have elevated privileges, but fewer than administrators. Can usually perform the following:
- Start the operating system
- Monitor process execution
- Mount / dismount volumes
- Control jobs
- Bypass / rename labels

Security Administrators
- Provide oversight for the security operations of a system
- Usually have fewer rights than system administrators
- Ensure separation of duties is enforced
- Provide a check and balance on the power of system administrators
- Ensure security policies are enforced

System Administrators
- Ensure that a system or systems function properly for users
- Perform maintenance and monitoring tasks
- Require the ability to affect critical operations such as the boot sequence, log files, and passwords
- Manage hardware and software for workstations and servers

System Accounts
- Dedicated to providing a system service
- Usually run background services / daemons
- Often assigned elevated privileges when an operating system is installed
- Many are created by database installations

Sensitive Information and Media Security
- Labeling / Marking
- Handling
- Storage
- Retention
- Sanitization / Destruction
- Data Remanence

Object Reuse (Data Remanence)
Degaussing: uses a strong magnetic field to wipe information on magnetic storage media such as hard disks; on a modern hard disk it also erases the servo tracks, so the drive is unusable afterwards. The coercivity level is the magnetic field strength needed to wipe the medium, commonly measured in oersteds (Oe).
Overwrite software: writes 0s and 1s to a disk repeatedly so as to make the original data unreadable. Examples include the DoD seven-pass wipe and the Gutmann 35-pass wipe.
Media destruction: policies and procedures should be in place to handle the destruction of media after it has reached the end of its lifecycle.

Object Reuse (Data Remanence)
- Purging = making data unrecoverable
- Zeroization = overwriting (not good for flash: the controller's wear levelling can leave stale copies in pages the host cannot address)
- Degaussing = magnetic scrambling (not good for optical media, nor for SSDs, which are not magnetic)
- Destruction = burning, shredding, crushing
- Erasing = performing a delete operation against a file (erased ≠ sanitized: only the directory entry goes, the data blocks stay)
- Clearing = overwriting
- Sanitization = purging or degaussing
- Data remanence = residual data that is still recoverable after erasing

Object Reuse (Data Remanence)
Data wipes (a single pass is accepted by industry as sufficient to render data on a modern magnetic disk unrecoverable):
- DoD short method: 3 passes
- DoD standard method: 7 passes
- Gutmann approach: 35 passes
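The "erased ≠ sanitized" point above is easiest to see on a toy block device. The following example is added here and is not from the slides: it models a disk with a flat directory, shows that deleting a file leaves every byte in place for a raw block scan to recover, and that only an overwrite (here a three-pass clear) removes it. The file system, block size and the patient record are all constructed for the demonstration.

```python
BLOCK_SIZE = 16


class ToyDisk:
    """A toy block device with a flat directory. Deleting a file removes only
    the directory entry; the blocks keep their bytes until something
    overwrites them. This is the behaviour real file systems share."""

    def __init__(self, n_blocks: int = 8) -> None:
        self.blocks = [bytes(BLOCK_SIZE) for _ in range(n_blocks)]
        self.free = list(range(n_blocks))          # free-block list
        self.directory: dict[str, list[int]] = {}  # name -> block numbers

    def write_file(self, name: str, data: bytes) -> None:
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        if len(chunks) > len(self.free):
            raise OSError("disk full")
        allocated = [self.free.pop(0) for _ in chunks]
        for idx, chunk in zip(allocated, chunks):
            self.blocks[idx] = chunk.ljust(BLOCK_SIZE, b"\x00")
        self.directory[name] = allocated

    def read_file(self, name: str) -> bytes:
        return b"".join(self.blocks[i] for i in self.directory[name]).rstrip(b"\x00")

    def delete_file(self, name: str) -> None:
        """'Erase' in the slide's sense: unlink the name and free the blocks.
        The data itself is untouched, so the medium is not sanitized."""
        self.free.extend(self.directory.pop(name))

    def carve(self, needle: bytes) -> list[int]:
        """Forensic-style scan of the raw blocks, ignoring the directory."""
        return [i for i, blk in enumerate(self.blocks) if needle in blk]

    def clear(self, passes: int = 1) -> None:
        """Sanitize by overwriting every block, alternating 0s and 1s per pass
        (clearing). On flash media the controller's wear levelling can keep
        stale copies the host cannot address, so overwriting is not enough
        there; use the drive's own secure-erase or crypto-erase instead."""
        fill = 0x00
        for _ in range(passes):
            self.blocks = [bytes([fill]) * BLOCK_SIZE for _ in self.blocks]
            fill ^= 0xFF


def demo() -> dict[str, object]:
    """Write a record, delete it, carve for it, then clear and carve again."""
    disk = ToyDisk(n_blocks=8)
    record = b"PATIENT-ID:4471 DIAG:CONFIDENTIAL"   # constructed sample record
    disk.write_file("record.txt", record)
    hits_live = disk.carve(b"PATIENT")
    disk.delete_file("record.txt")
    unlinked = "record.txt" not in disk.directory
    hits_after_delete = disk.carve(b"PATIENT")      # still there: remanence
    disk.clear(passes=3)                            # DoD short method, 3 passes
    hits_after_clear = disk.carve(b"PATIENT")
    return {"live": hits_live, "unlinked": unlinked,
            "after_delete": hits_after_delete, "after_clear": hits_after_clear}


if __name__ == "__main__":
    print(demo())
```

The carve step is what a recovery tool does on a real disk: it ignores the file table and pattern-matches the raw blocks, which is why a deleted file on surplus media is still a disclosure.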

Configuration Management
Proper configuration management ensures that all hardware and software in an organization are tracked and helps to identify potential security problems. CHANGE IS CONSTANT AND MUST BE CONTROLLED. Track for every system:
- Make and model
- MAC addresses, IP addresses
- Serial numbers
- OS / firmware versions
- Location
- BIOS passwords
- Resource requirements
- Installed patches

Baselining
- A captured point in time at which the current system security configuration is understood
- Creates a common security configuration
- Helpful when responding to security incidents
- Makes recovery of systems easier
- An effective method of providing a required level of protection across a broad area
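A baseline is only useful if something compares the live system against it. The example below is added here, not from the slides: it captures a baseline as content hashes of configuration files, classifies later drift as added, removed or modified, and for a modified file reports which directive changed and to what. The two file sets (a hardened sshd_config, a changed one and a new root authorized_keys) are constructed sample data, not real host files.

```python
import hashlib

# Constructed sample contents; these are not real host files.
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"# hardened baseline\nPermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/motd": b"Authorized use only.\n",
}
CURRENT_FILES = {
    "/etc/ssh/sshd_config": b"# hardened baseline\nPermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/motd": b"Authorized use only.\n",
    "/root/.ssh/authorized_keys": b"ssh-ed25519 <constructed-key> unknown@example\n",
}


def snapshot(files: dict[str, bytes]) -> dict[str, str]:
    """Capture the baseline: path -> SHA-256 of its content at this point in time."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def drift(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every path as added, removed or modified relative to the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def parse_directives(text: bytes) -> dict[str, str]:
    """Parse 'Key value' lines (sshd_config style), skipping blanks and comments."""
    directives: dict[str, str] = {}
    for line in text.decode().splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            directives[key] = value.strip()
    return directives


def explain(path: str, baseline_files=BASELINE_FILES, current_files=CURRENT_FILES):
    """For a modified file, list (directive, baseline value, current value)."""
    old = parse_directives(baseline_files[path])
    new = parse_directives(current_files[path])
    return [(k, old.get(k), new.get(k))
            for k in sorted(old.keys() | new.keys()) if old.get(k) != new.get(k)]


def report() -> dict:
    """Compare the captured baseline with the current state and explain changes."""
    changes = drift(snapshot(BASELINE_FILES), snapshot(CURRENT_FILES))
    details = {p: explain(p) for p in changes["modified"]}
    return {"drift": changes, "details": details}


if __name__ == "__main__":
    print(report())
```

Hashing the baseline rather than storing the files means the stored baseline reveals nothing if it leaks, and the diff itself (root login re-enabled, an unexpected root key) is exactly the kind of finding that makes a baseline useful during an incident.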

Avoiding System Failure
- Fail-Safe: the failure state puts the system into a high level of security and possibly disables activities until the problem can be corrected.
- Fail-Secure: prevents unauthorized access to information and resources while still allowing troubleshooting.
- Fail-Open: allows users to bypass the failed security controls.
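The three failure modes differ only in what an access check returns when the control itself breaks. The example below is added here and is not from the slides: a hypothetical authorization gate in front of a policy service that becomes unreachable, run once in each mode. The policy (alice may read payroll), the subjects and the outage are all constructed for the demonstration.

```python
import enum


class FailMode(enum.Enum):
    OPEN = "fail-open"      # failed control is bypassed
    SECURE = "fail-secure"  # deny, but keep the system up for troubleshooting
    SAFE = "fail-safe"      # deny and lock down until an operator resets


class PolicyBackend:
    """Stand-in for a remote authorization service that can become unreachable."""

    def __init__(self, policy: dict[str, set[str]]) -> None:
        self.policy = policy
        self.healthy = True

    def __call__(self, subject: str, obj: str) -> bool:
        if not self.healthy:
            raise ConnectionError("policy service unreachable")
        return obj in self.policy.get(subject, set())


class AuthzGate:
    """Access decision point whose behaviour on backend failure is configurable."""

    def __init__(self, backend, mode: FailMode) -> None:
        self.backend = backend
        self.mode = mode
        self.locked = False

    def allow(self, subject: str, obj: str) -> bool:
        if self.locked:
            return False
        try:
            return self.backend(subject, obj)
        except ConnectionError:
            if self.mode is FailMode.OPEN:
                return True            # the bypass the slide warns about
            if self.mode is FailMode.SAFE:
                self.locked = True     # disable activity until reset()
            return False

    def reset(self) -> None:
        """Operator action after the underlying problem is corrected."""
        self.locked = False


def simulate(mode: FailMode) -> dict[str, bool]:
    """Run one gate through normal operation, an outage, recovery and reset."""
    backend = PolicyBackend({"alice": {"payroll"}})   # constructed policy
    gate = AuthzGate(backend, mode)
    out = {"alice_normal": gate.allow("alice", "payroll"),
           "mallory_normal": gate.allow("mallory", "payroll")}
    backend.healthy = False                           # outage begins
    out["mallory_outage"] = gate.allow("mallory", "payroll")
    backend.healthy = True                            # service recovers
    out["alice_after_recovery"] = gate.allow("alice", "payroll")
    gate.reset()
    out["alice_after_reset"] = gate.allow("alice", "payroll")
    return out


if __name__ == "__main__":
    for mode in FailMode:
        print(mode.value, simulate(mode))
```

Note the trade-off the results expose: fail-open lets mallory through during the outage, fail-secure keeps denying him while alice resumes automatically once the service is back, and fail-safe keeps even alice locked out until someone explicitly resets the gate.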

RAID
RAID: Redundant Array of Independent (or Inexpensive) Disks. A data storage virtualization technology that combines multiple physical disk drives into one logical unit for data redundancy, performance improvement, or both. Each RAID level strikes a different balance among reliability, availability, performance and usable capacity. RAID is not a backup: a deletion, corruption or malicious write is faithfully applied to every member disk.

RAID 0: writes data across multiple drives simultaneously (striping). Provides no fault tolerance; it actually increases risk, because the failure of any one drive loses the whole array (so back up frequently). In return it improves performance for both reads and writes.

RAID 1: mirroring; every write is duplicated from one disk to another. Provides redundancy for data and, optionally, for the RAID controllers as well (one controller per mirror, known as duplexing). Reads can be served from either copy, so read performance also improves.

RAID 5: stripes data and parity information across multiple drives (at least three), offering both performance and redundancy. The parity block of each stripe is the XOR of that stripe's data blocks, and its position rotates across the drives so that no single drive becomes the parity bottleneck. If any one drive fails, each of its blocks is rebuilt by XORing the surviving blocks of the same stripe; a second failure before the rebuild completes loses the array.
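The parity arithmetic is short enough to run. The example below is added here and is not from the slides: a four-disk RAID 5 layout with rotating parity, a degraded read that rebuilds the block on a failed disk by XORing the survivors, and the two-disk failure that RAID 5 cannot recover. The disk count, block size and stripe contents are constructed for the demonstration.

```python
N_DISKS = 4          # three data blocks plus one parity block per stripe
BLOCK = 4            # bytes per block in this toy


def xor_blocks(blocks: list[bytes]) -> bytes:
    """XOR any number of equal-length blocks together."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        for i, byte in enumerate(blk):
            out[i] ^= byte
    return bytes(out)


def parity_disk(stripe_no: int, n_disks: int = N_DISKS) -> int:
    """Rotate parity so no single disk carries every parity block."""
    return (n_disks - 1 - stripe_no) % n_disks


def write_stripe(data_blocks: list[bytes], stripe_no: int, n_disks: int = N_DISKS) -> list[bytes]:
    """Return one block per disk: the data blocks plus their XOR parity."""
    if len(data_blocks) != n_disks - 1:
        raise ValueError("need n_disks - 1 data blocks per stripe")
    pdisk = parity_disk(stripe_no, n_disks)
    parity = xor_blocks(data_blocks)
    blocks = iter(data_blocks)
    return [parity if d == pdisk else next(blocks) for d in range(n_disks)]


def read_stripe(disk_blocks: list, stripe_no: int, n_disks: int = N_DISKS) -> list[bytes]:
    """Return the stripe's data blocks. A None entry is a failed disk and is
    rebuilt by XORing the survivors; two None entries exceed what RAID 5 covers."""
    missing = [d for d, blk in enumerate(disk_blocks) if blk is None]
    if len(missing) > 1:
        raise RuntimeError(f"{len(missing)} disks failed; RAID 5 tolerates one")
    blocks = list(disk_blocks)
    if missing:
        blocks[missing[0]] = xor_blocks([b for b in disk_blocks if b is not None])
    pdisk = parity_disk(stripe_no, n_disks)
    return [b for d, b in enumerate(blocks) if d != pdisk]


def demo() -> tuple[bool, bool]:
    """(data recovered after one failure?, read succeeded after two failures?)"""
    original = [b"AAAA", b"BBBB", b"CCCC"]       # constructed stripe contents
    layout = write_stripe(original, stripe_no=0)
    degraded = list(layout)
    degraded[1] = None                          # disk 1 fails
    recovered = read_stripe(degraded, stripe_no=0)
    double = list(layout)
    double[0] = double[2] = None                # a second disk fails
    try:
        read_stripe(double, stripe_no=0)
        second_failure_ok = True
    except RuntimeError:
        second_failure_ok = False
    return recovered == original, second_failure_ok


if __name__ == "__main__":
    print(demo())
```

Because parity is a plain XOR, the same function rebuilds a lost data block and a lost parity block; what the array cannot do is rebuild two unknowns from one equation, which is why the window between a failure and a completed rebuild is the dangerous one.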

RAID 10: a combination of RAID 0 and RAID 1, written RAID 1+0: disks are first paired into mirrors (RAID 1) and the mirror pairs are then striped (RAID 0). RAID 01 (RAID 0+1) nests the two levels the other way round: two stripe sets are built first and then mirrored against each other.

RAID 10 is not the same as RAID 01.

Main difference between RAID 10 and RAID 01
Performance of RAID 10 and RAID 01 is the same, and so is the usable capacity (half the raw capacity). The difference is fault tolerance. RAID 10 (stripe of mirrors) keeps running as long as no mirror pair loses both of its disks. RAID 01 (mirror of stripes) loses an entire stripe set with its first failed disk, so a second failure anywhere on the other side brings down the array. RAID 10 therefore survives more failure combinations, and its rebuild is cheaper (one disk copied from its mirror rather than a whole stripe set). Given a choice between RAID 10 and RAID 01, always choose RAID 10.
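The fault-tolerance claim can be checked by enumerating failures rather than arguing about it. The example below is added here and is not from the slides: it models both layouts for an even number of disks, enumerates every combination of failed disks, and counts how many each layout survives. The pairing convention (adjacent disks form a mirror pair; the first half of the disks is stripe set A) is an assumption of this model.

```python
from itertools import combinations


def raid10_survives(failed: set[int], n_disks: int) -> bool:
    """RAID 1+0 (stripe of mirrors): disks (0,1), (2,3), ... are mirror pairs.
    The array survives unless both members of some pair have failed."""
    pairs = ({2 * i, 2 * i + 1} for i in range(n_disks // 2))
    return not any(pair <= failed for pair in pairs)


def raid01_survives(failed: set[int], n_disks: int) -> bool:
    """RAID 0+1 (mirror of stripes): disks 0..n/2-1 form stripe set A, the rest
    stripe set B. One failed disk takes down its whole stripe set; the array
    survives only while at least one stripe set is intact."""
    half = n_disks // 2
    a_intact = not any(d < half for d in failed)
    b_intact = not any(d >= half for d in failed)
    return a_intact or b_intact


def survival_counts(n_disks: int, n_failed: int) -> tuple[int, int, int]:
    """Enumerate every combination of n_failed failed disks and count how many
    each layout survives. Returns (combinations, raid10_ok, raid01_ok)."""
    if n_disks % 2 or n_disks < 4:
        raise ValueError("need an even number of at least four disks")
    combos = list(combinations(range(n_disks), n_failed))
    r10 = sum(raid10_survives(set(c), n_disks) for c in combos)
    r01 = sum(raid01_survives(set(c), n_disks) for c in combos)
    return len(combos), r10, r01


def usable_capacity(n_disks: int, disk_size_gb: int) -> int:
    """Both layouts give n/2 disks of usable space: same cost, different risk."""
    return n_disks // 2 * disk_size_gb


if __name__ == "__main__":
    for n in (4, 8):
        total, r10, r01 = survival_counts(n, 2)
        print(f"{n} disks, 2 failures: RAID 10 survives {r10}/{total}, "
              f"RAID 01 survives {r01}/{total}")
```

Running it for eight disks with two failures gives 24 of 28 surviving combinations for RAID 10 against 12 of 28 for RAID 01; for any single failure both survive, which is why the two are often wrongly described as equivalent.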

RAID Levels

Level | Description                                   | Strengths                                                                                                | Weaknesses
0     | Striping                                      | Highest performance                                                                                      | No redundancy; one disk failure loses the whole array
1     | Mirroring                                     | Duplicates data on another disk                                                                          | Expensive; double the cost of storage
10    | Striping and mirroring                        | Highest performance, highest data protection (tolerates multiple drive failures, as long as no mirror pair loses both disks) | Expensive; double the cost of storage
3/4   | Striping with a dedicated parity disk (byte-level for RAID 3, block-level for RAID 4) | Excellent performance; fault tolerance (one disk)                          | Every write updates the single parity disk, which becomes the bottleneck
5     | Block-level striping with distributed parity  | Best cost/performance for networks; high performance; high data protection (one disk)                    | Write performance is slower than RAID 0 or RAID 1 (each write also updates parity)

Review Questions

Question #1: Which level of RAID does not provide additional reliability?
A. RAID 1
B. RAID 5
C. RAID 0
D. RAID 3
Answer: C. RAID 0 only stripes; a single disk failure loses the whole array.

Question #2 (last one): Which type of RAID uses block-level striping with parity information distributed across multiple disks?
A. RAID 1
B. RAID 5
C. RAID 0
D. RAID 3
Answer: B. RAID 5.

Questions? www2.hawaii.edu/~probbins