Operations Security CISSP Guide to Security Essentials Chapter 7.

Slides:

Advertisements

Similar presentations

David Assee BBA, MCSE Florida International University

Advertisements

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Separate Domains of IT Infrastructure

11 ASSESSING THE NEED FOR SECURITY Chapter 1. Chapter 1: Assessing the Need for Security2 ASSESSING THE NEED FOR SECURITY  Security design concepts 

Security Controls – What Works

Information Security Policies and Standards

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Stephen S. Yau CSE , Fall Security Strategies.

Session 3 – Information Security Policies

Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.

Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.

Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.

Information Security Technological Security Implementation and Privacy Protection.

Chapter 10: Computer Controls for Organizations and Accounting Information Systems

SEC835 Database and Web application security Information Security Architecture.

ISA Topic 9: Operations Security ISA 562 Internet Security Theory & Practice.

Security Operations. 2 Domain Objectives Protection and Control of Data Processing Resources Media Management Backups and Recovery Change Control Privileged.

Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.

Security of Data. Key Ideas from syllabus Security of data Understand the importance of and the mechanisms for maintaining data security Understand the.

Module 02: 1 Introduction to Computer Security and Information Assurance Objectives Recognize that physical security and cyber security are related Recognize.

Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.

Information Systems Security Computer System Life Cycle Security.

Confidentiality Integrity Accountability Communications Data Hardware Software Next.

Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.

Dr. Bhavani Thuraisingham The University of Texas at Dallas (UTD) June 2015 Operations Security.

Operations Security Lisa M. True, CISSP January 12, 2004 Domain 7.

Asset & Security Management Chapter 9. IT Asset Management (ITAM) Is the process of tracking information about technology assets through the entire asset.

How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.

Computer Security “Measures and controls that ensure confidentiality, integrity, and availability of IS assets including hardware, software, firmware,

Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.

Environment for Information Security n Distributed computing n Decentralization of IS function n Outsourcing.

Sample Security Model. Security Model Secure: Identity management & Authentication Filtering and Stateful Inspection Encryption and VPN’s Monitor: Intrusion.

Information Systems Security Operational Control for Information Security.

What does secure mean? You have been assigned a task of finding a cloud provider who can provide a secure environment for the launch of a new web application.

Unit 6b System Security Procedures and Standards Component 8 Installation and Maintenance of Health IT Systems This material was developed by Duke University,

Information Systems Security Operations Security Domain #9.

G061 - Network Security. Learning Objective: explain methods for combating ICT crime and protecting ICT systems.

Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.

Lesson 9-Information Security Best Practices. Overview Understanding administrative security. Security project plans. Understanding technical security.

Chapter 1 Overview The NIST Computer Security Handbook defines the term Computer Security as:

IS Network and Telecommunications Risks Chapter Six.

Ali Pabrai, CISSP, CSCS ecfirst, chairman & ceo Preparing for a HIPAA Security Audit.

E.Soundararajan R.Baskaran & M.Sai Baba Indira Gandhi Centre for Atomic Research, Kalpakkam.

SECURITY OF DATA By: ADRIAN PERHAM. Issues of privacy; Threats to IT systems; Data integrity; Standard clerical procedures; Security measures taken to.

Chapter 2 Securing Network Server and User Workstations.

Chap1: Is there a Security Problem in Computing?.

Module 12: Responding to Security Incidents. Overview Introduction to Auditing and Incident Response Designing an Audit Policy Designing an Incident Response.

Introduction and Overview of Information Security and Policy By: Hashem Alaidaros 4/10/2015 Lecture 1 IS 332.

Information Security Measures Confidentiality IntegrityAccessibility Information cannot be available or disclosed to unauthorized persons, entities or.

“Lines of Defense” against Malware.. Prevention: Keep Malware off your computer. Limit Damage: Stop Malware that gets onto your computer from doing any.

INFORMATION SECURITY AND CONTROL. SECURITY: l Deter l Detect l Minimize l Investigate l Recover.

Dr. Mark Gaynor, Dr. Feliciano Yu, Bryan Duepner.

Unit 2 Personal Cyber Security and Social Engineering Part 2.

INFORMATION ASSURANCE POLICY. Information Assurance Information operations that protect and defend information and information systems by ensuring their.

Contingency Management Indiana University of Pennsylvania John P. Draganosky.

SemiCorp Inc. Presented by Danu Hunskunatai GGU ID #

Welcome to the ICT Department Unit 3_5 Security Policies.

IT Audit for non-IT auditors Cornell Dover Assistant Auditor General 31 March 2013.

Information Systems Security

Risk management.

Critical Security Controls

Dr. Bhavani Thuraisingham The University of Texas at Dallas (UTD) June 2011 Operations Security.

I have many checklists: how do I get started with cyber security?

CISSP Guide to Security Essentials

Objectives Telecommunications and Network Physical and Personnel

How to Mitigate the Consequences What are the Countermeasures?

Mohammad Alauthman Computer Security Mohammad Alauthman

Presentation transcript:

Operations Security CISSP Guide to Security Essentials Chapter 7

Objectives Applying security concepts to computer and business operations Records management security controls Backups Anti-virus software and other anti-malware controls

Objectives (cont.) Remote access Administrative management and control of information security Resource protection Incident management

Objectives (cont.) High availability architectures Vulnerability management Change management and configuration management Operations attacks and countermeasures

Applying Security Operations Concepts

Security Operations Concepts Need to know Least privilege Separation of duties Job rotation Monitoring of special privileges

Security Operations Concepts (cont.) Records management controls Backups Anti-virus and anti-malware Remote access

Flow of Control From chapter 1 1.Policy 2.Guidelines 3.Processes 4.Procedures 5.Recordkeeping

Need to Know Individual personnel should have access to only the information that they require in order to perform their stated duties Independent of security clearance This reduces risk, but can be an administrative burden

Least Privilege Users should have the fewest or lowest number of privileges required to accomplish their duties Independent of security clearance

Separation of Duties High-value or high-risk tasks require two or more different individuals to complete Examples –Open a bank vault –Issue an arrest warrant –Provision a privileged-access computer account –Change a firewall rule

Job Rotation Move individual workers through a range of job assignments Reduces monotony, risk Reduces likelihood that employees will perform inappropriate or illegal actions if they fear being caught when next job rotation occurs

Monitoring of Special Privileges Privileged users have more power Mistakes have greater impact Record activities –Network administrator –System administrator –Database administrator –Application administrator

Records Management Controls Data classification Access management Records retention Backups Data destruction

Data Classification Establish sensitivity levels Establish handling procedures for each level –Creation, storage, transmittal, destruction

Access Management Policies, procedures, and controls that determine how information is accessed and by whom –User account provisioning –Privilege management –Password management –Review of access rights –Secure log on

Records Retention Policies that specify how long different types of records must be retained (minimums and maximums) Manage risks related to business records –Risk of compromise of sensitive information –Risk of loss of important information –E-Discovery –Regulation

Backups Protection against loss due to malfunctions, failures, mistakes, and disasters Activities –Data restoration –Protection of backup media –Off-site storage of backup media

Data Restoration Periodic testing to ensure that data that is backed up can be restored –Same computer –Different computer Best way to prove that backups are being performed properly

Protection of Backup Media Backup media contains sensitive information Requires same level of control as original information Keep in locked cabinets –Least privilege and need to know

Offsite Storage of Backup Media Reduce risk of loss of backup media in the event of a disaster that destroys data center –Fire, flood, sabotage Factors –Distance from business location –Security of transportation –Security of storage center –Resilience of storage center against disasters

Data Destruction Purpose: ensure that discarded information is truly destroyed and not salvageable by either employees or outsiders

Data Destruction (cont.) Once information has reached the end of its need, its destruction needs to be carried out in a manner that is proportional to its sensitivity –Degaussing –Shredding –Wiping

Anti-virus and Anti-malware Effects of uncontrolled malware –Loss of business information –Disclosure or compromise of business information –Corruption of business information –Disruption of business information processing –Inability to access business information –Loss of productivity Apply defense in depth to protect assets Central anti-malware management

Remote Access Connectivity to a network or system from a location away from the network or system, usually from a location apart from the organization’s premises Usually through a VPN

Remote Access (cont.) Improves productivity by permitting employees to access business information from any location Risk mitigation –Encryption, strong authentication, anti-malware, firewall

Administrative Management and Control

ISO Widely accepted model for top-down security management –Define scope and boundaries –Establish a security policy –Risk assessments –Establish control objectives and activities –Security awareness and training –Allocate resources –Internal audits –Monitor and review the security program –Enact continual improvement

Types of Controls Technical –Such as firewalls and antivirus software Physical –Locks, guards, etc. Administrative –Such as policies and audits See link Ch 7a for a good discussion, and link CISSP 12 for good whitepapers on all ten CISSP domains

Categories of Controls Detective Deterrent Preventive Corrective Recovery Compensating

Employing Resource Protection

Resource Protection Facilities –Water and sewage –Electricity –Fire alarms and suppression –Environmental controls –Communications –Security controls

Resource Protection (cont.) Hardware –Servers –Workstations –Network devices –Wireless networks –Printers, copiers –Cabling

Resource Protection (cont.) Software requires control and management –Licensing –Access control –Source code (preventing disclosure) Intellectual property Security –Source code control Software development lifecycle

Resource Protection (cont.) Documentation –May contain trade secrets and sensitive information –Processes, procedures, and instructions –Version control –Access control

Incident Management

Incident An Incident is –An unexpected event that results in an interruption of normal operations A Security Incident is –An event in which security policy has been violated OR –Unauthorized access to a system or information OR –An event that prevents legitimate access to a system or information

Incident Management Incident declaration Triage Investigation Analysis Containment Recovery Debriefing –See chapter 6 for details

High Availability Architectures

Fault Tolerance Makes devices less prone to failure –Multiple power supplies –Multiple network interfaces –Multiple processor units –RAID (Redundant Array of Inexpensive / Independent Disks)

Clustering A group of two or more servers that operate functionally as a single logical server Active-active mode Active-passive mode –Failover: when active status is transferred Geo-cluster – servers located at great distances from one another

Replication Data changes are transmitted to a counterpart storage system An adjunct to clustering, makes current data available to all cluster nodes

Business Continuity Management A management activity where analysis is performed to better understand the risks associated with potential disaster scenarios, and the steps that can be taken to reduce the impact of a disaster should one occur

Vulnerability Management

Penetration testing Application scanning Patch management Code reviews

Penetration Testing A scan of many or all TCP / IP “ports” on one or more target systems –Followed by locating and exploiting vulnerabilities Mimics the actions of a hacker who scans a system or network for active, exploitable ports and services

Application Scanning The process of performing security tests on an application (usually, but not always, a web-based application) in order to find vulnerabilities in the application code itself

The ‘new’ OWASP Top Ten (2010 rc1)

Code Reviews Manual and automated inspections of software source code –Examine and validate approved changes –Detection of inappropriate changes, unsafe code, security issues

Patch Management The process – usually assisted with management tools – to manage the installation of patches on target systems Reduces risks associated with malware, hacking attacks that exploit weaknesses –Don't just put on all available patches –Analyze and test them first and only put on the ones that pass a risk analysis

Change Management

Prepare the change Circulate and review the change Discuss and agree to the change Perform the change Recordkeeping

Configuration Management

Configuration of hardware, software components Configuration management database (CMDB) Automated tools

Operations Attacks and Countermeasures

Attacks on Operations Social engineering Sabotage Theft and Disappearance Extortion Bypass –Circumventing security measures Denial of service