46. Emergency Procedures
  - Communications channel for evacuation signal
  - Procedures to secure tapes, pr...

47. Configuration Management
  - Controlling modifications to system HW/FW/SW/Documentation
  - Ensure inte...

48. Configuration Management
  - Organized and consistent plan covering
    - description of physical/medi...

49. Risk Assessment/Analysis
  - Includes:
    - Threat
    - Vulnerability
    ...

50. Vulnerabilities Summary
  - Improper access to system utilities
  - Improper access to information
  ...

51. Summary of Controls
  - Personnel reviews - Background checks
  - Password management
  ...

52. Summary of Controls (2)
  - Read vs Read/Write access
  - Authorization for access to the facility
  ...

53. The Real World
  - Operations Controls
    - Organizations understaffed, wear too many hats
  ...

54. The Real World (2)
  - Operations Controls
    - Most of IS and many users have access to facility
  ...

55. Secure System Operation
  - Identification
  - Authorization
  - Alarm
  - S...

56. Media Controls
  - Tapes, disks, diskettes, cards, paper, optical
  - Volume labels required
  ...

57. Final Considerations
  - What system commands are available?
    - To whom? With what authentication? ...
Operations_Security - Richard Mosher

Published in: Technology, Business
  • Who am I? Dick Mosher Manager, Cincinnati CISSP in ‘94 CBCP in ‘99 15 years in utility industry, 12 as security officer Responsible for mainframe, client server, Internet policies and procedures, disaster/recovery Joined E&Y in December, ‘97 Contact info: Richard Mosher/SOhioKentuckyIndiana/AUDIT/EYLLP/US@EY-Namerica EYComm: 5176673 Office: 513-723-4379 Mobile: 606-466-4572 [email_address]

1. About Me
  - Richard Mosher
  - Manager in Cincinnati (Ohio Valley)
  - CISSP in November of 1994
  - CBCP in June of 1999
  - 15 years in utility industry, 12 as security officer
  - Responsible for mainframe, client server, internet, policies/procedures, disaster/recovery
  - Joined E&Y in December of 1997
  - Contact info:
    - Richard Mosher/SOhioKentuckyIndiana/AUDIT/EYLLP/US
    - EYComm: 5176673
    - Office: 513-723-4379 Mobile: 606-466-4572
    - [email_address]

2. Introduction
  - Topic: Operations Security
  - Approach - General security principles
  - The Problem
  - The Control

3. General Security Principles
  - Accountability
    - Authorization
    - Logging
  - Separation of duties
  - Least privilege
  - Risk reduction
  - Layered defense
  - Redundancy

4. Critical Operational Controls
  - Resource protection
  - Privileged-entity control
  - Hardware control

5. The Problem
  - Powerful system utilities
  - Powerful system commands
    - Superzapping - system utility or application that bypasses all access controls and audit/logging functions to make updates to code or data
  - Direct control over hardware and software
  - Direct control over all files
  - Direct control over printers and output queues
  - Powerful Input/Output commands
  - Direct access to servers
  - Initial program load from console

6. The Problem
  - Initial program load - IPL from tape
  - Control over job schedule and execution
  - Control over all storage media
  - Bypass label processing
  - Re-labeling resources
  - Resetting date/time, passwords
  - Control of access ports/lines
  - Erroneous transactions (fraud)
    - Altering proper transactions
    - Adding improper transactions
  - Denial of service/Delays in operation
  - Personal use, Disclosure
  - Audit trail/log corruption/modification

7. Protected Resources
  - Password files
  - Application program libraries
  - Source code
  - Vendor software
    - Operating System
      - Libraries
      - Utilities
      - Directories
      - Address Tables
    - Proprietary packages
  - Communications HW/SW
  - Main storage
  - Disk & tape storage

8. Protected Resources (2)
  - Processing equipment
  - Stand-alone computers
  - Printers
  - Sensitive/Critical data
    - Files
    - Programs
  - System utilities
  - System logs/audit trails
    - Violation reports
  - Backup files
  - Sensitive forms
  - Printouts
  - People
9. The Control
  - Accountability:
    - Personnel reviews - Background checks

10. The Control
  - Accountability:
    - Personnel reviews - Background checks
    - Password management
      - Personal
      - System
      - Maintenance
        - Trap door - system or application password included for ease of vendor maintenance

11. The Control
  - Accountability:
    - Personnel reviews - Background checks
    - Password management
    - Logging of all activities
      - Protected/duplicated log

12. The Control
  - Accountability:
    - Personnel reviews - Background checks
    - Password management
    - Logging of all activities
    - Problem reporting and change procedures
      - Reports, tracks, resolves problems affecting service
        - Reduce failures
        - Prevent recurrence
        - Reduce impact
      - Types - Performance/availability
        - Hardware/software
        - Environment
        - Procedures/Operations
        - Network
        - Safety/security

13. The Control
  - Accountability:
    - Personnel reviews - Background checks
    - Password management
    - Logging of all activities
    - Problem reporting and change procedures
      - Violation analysis
        - Repetitive mistakes
        - Exceeding authority
        - Unrestricted access
        - Where?
        - Patterns - hackers, disgruntled employees
        - Clipping level - baseline violation count to establish normal violation levels
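The violation analysis on slide 13 is easier to see in code than in bullets. The block below is an added example, not code from the deck or from the author: it parses a few constructed audit-log lines, counts failed logons and denied accesses per user, and reports only the users whose count exceeds a clipping level, splitting the findings into repeated logon failures and attempts to exceed authority. The log format, user names and resource names are assumptions made for this example.

```python
"""Violation analysis against a clipping level.

Added example (not code from the original slides). It applies the slide's
clipping-level idea, a baseline violation count below which errors are
treated as normal, to a few constructed audit-log lines. The log format,
user names, and resource names are assumptions made for this example.
"""
from collections import Counter

# Constructed sample log, one event per line:
# <timestamp> <user> <action> <resource> <result>
SAMPLE_LOG = """\
1998-03-02T08:01:10 ops1 LOGON console OK
1998-03-02T08:01:40 ops1 LOGON console FAIL
1998-03-02T08:02:05 ops1 LOGON console OK
1998-03-02T09:15:00 ops1 READ payroll.master DENIED
1998-03-02T09:15:30 ops1 READ payroll.master DENIED
1998-03-02T09:16:00 ops1 WRITE payroll.master DENIED
1998-03-02T09:17:00 ops1 RUN sysutil DENIED
1998-03-02T10:00:00 alice LOGON tso FAIL
1998-03-02T10:00:20 alice LOGON tso OK
1998-03-02T11:00:00 bob LOGON tso FAIL
1998-03-02T11:00:10 bob LOGON tso FAIL
1998-03-02T11:00:20 bob LOGON tso FAIL
1998-03-02T11:00:30 bob LOGON tso FAIL
1998-03-02T11:00:40 bob LOGON tso FAIL
1998-03-02T11:00:50 bob LOGON tso FAIL
1998-03-02T11:01:00 bob LOGON tso FAIL
"""

# Results that count as violations: failed logons and denied accesses.
VIOLATION_RESULTS = {"FAIL", "DENIED"}


def parse_log(text):
    """Parse the constructed log format into event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, action, resource, result = parts
        events.append({"ts": ts, "user": user, "action": action,
                       "resource": resource, "result": result})
    return events


def violations_per_user(events):
    """Total violation count per user (the number compared to the clipping level)."""
    counts = Counter()
    for e in events:
        if e["result"] in VIOLATION_RESULTS:
            counts[e["user"]] += 1
    return counts


def clipping_level_from_baseline(baseline_counts):
    """Derive a clipping level from a baseline period: the highest violation
    count any user reached during normal operation. Anything above it later
    is outside the established norm. Returns 0 for an empty baseline."""
    return max(baseline_counts.values(), default=0)


def classify(events, clipping_level):
    """Report only users whose violation count exceeds the clipping level,
    separating repeated logon failures from denied accesses (exceeding authority)."""
    counts = violations_per_user(events)
    report = {}
    for user, total in sorted(counts.items()):
        if total <= clipping_level:
            continue  # within the baseline: ordinary mistakes, not reviewed
        logon_failures = sum(1 for e in events
                             if e["user"] == user and e["action"] == "LOGON"
                             and e["result"] == "FAIL")
        denied = sorted({(e["action"], e["resource"]) for e in events
                         if e["user"] == user and e["result"] == "DENIED"})
        findings = []
        if logon_failures:
            findings.append(f"{logon_failures} failed logons (repetitive mistakes or guessing)")
        if denied:
            findings.append("exceeding authority: "
                            + ", ".join(f"{a} {r}" for a, r in denied))
        report[user] = {"violations": total, "findings": findings}
    return report


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for user, entry in classify(events, clipping_level=3).items():
        print(f"{user}: {entry['violations']} violations")
        for f in entry["findings"]:
            print(f"  - {f}")
```

With a clipping level of 3, alice's single mistyped password is not reported, while ops1 (one failed logon plus four denied accesses to a payroll file and a system utility) and bob (seven consecutive failed logons) are. The clipping level itself should come from a baseline period of normal operation, which is what `clipping_level_from_baseline` does with per-user counts from that period.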
14. The Control
  - Personnel reviews - Background checks
  - Password management
  - Logging of all activities
  - Problem reporting and change procedures
  - Least Privilege
    - Granular access control over system commands
    - Individual access permissions
    - Hardware/Software elements & procedures to enable authorized access and prevent unauthorized access

15. The Control
  - Personnel reviews - Background checks
  - Password management
  - Logging of all activities
  - Problem reporting and change procedures
  - Least Privilege
    - Granular access control over system commands
    - Individual access permissions
    - Periodic review of access needed/granted

16. The Control
  - Personnel reviews - Background checks
  - Password management
  - Logging of all activities
  - Problem reporting and change procedures
  - Granular access control over system commands
  - Individual access permissions
  - Periodic review of access needed/granted
  - Separation of Duties
    - All changes require approval

17. The Control
  - Personnel reviews - Background checks
  - Password management
  - Logging of all activities
  - Problem reporting and change procedures
  - Granular access control over system commands
  - Individual access permissions
  - Periodic review of access needed/granted
  - Separation of Duties
    - All changes require approval
    - Operational staff should not code or approve changes
      - Operating system OR Applications OR Job controls

18. The Control
  - Personnel reviews - Background checks
  - Password management
  - Logging of all activities
  - Problem reporting and change procedures
  - Granular access control over system commands
  - Individual access permissions
  - Periodic review of access needed/granted
  - Separation of Duties
    - All changes require approval
    - Operational staff should not code or approve changes
    - Operational staff should not perform security duties
      - Security administration
      - Network administration
      - Application administration

19. The Control
  - Personnel reviews - Background checks
  - Password management
  - Logging of all activities
  - Problem reporting and change procedures
  - Granular access control over system commands
  - Individual access permissions
  - Periodic review of access needed/granted
  - Separation of Duties
    - All changes require approval
    - Operational staff should not code or approve changes
    - Operational staff should not perform security duties
    - Operations staff should not do data entry
      - Transaction logging with date/time/person
      - Control counts

20. The Control
  - Personnel reviews - Background checks
  - Password management
  - Logging of all activities
  - Problem reporting and change procedures
  - Granular access control over system commands
  - Individual access permissions
  - Periodic review of access needed/granted
  - Separation of Duties
    - All changes require approval
    - Operational staff should not code or approve changes
    - Operational staff should not perform security duties
    - Operations staff should not do data entry
    - Responsibilities in Operations should be divided
      - Help desk
      - Job rotation
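Slides 16 through 20 state separation-of-duties rules that can be checked mechanically against change and activity records. The block below is an added example, not code from the deck or from the author: it encodes those rules (every change needs an approver other than its author; operations staff neither code nor approve changes, nor perform security administration or data entry) and runs them over constructed records. The role names, activity names and record fields are assumptions made for this example.

```python
"""Separation-of-duties check over change and activity records.

Added example (not code from the original slides). It encodes the rules on
the slides, every change needs an approver other than its author, and
operations staff neither code nor approve changes, nor perform security
administration or data entry, as checks over constructed records. The role
names, activity names and record fields are assumptions for this example.
"""

# Constructed staff directory: person -> roles (assumed role names).
STAFF = {
    "ops1": {"operator"},
    "dev1": {"developer"},
    "lead1": {"developer", "change_approver"},
    "sec1": {"security_admin"},
}

OPERATIONS_ROLES = {"operator"}
# Activities the slides reserve for people outside Operations.
RESTRICTED_FOR_OPERATIONS = {"code_change", "approve_change",
                             "security_admin", "data_entry"}


def check_record(rec, staff=STAFF):
    """Return the list of policy violations for one record (empty if compliant).

    rec = {"id": ..., "actor": ..., "activity": ..., "target": ...,
           "approver": ... (code_change only, may be missing)}
    """
    problems = []
    actor_roles = staff.get(rec["actor"], set())
    activity = rec["activity"]

    if activity == "code_change":
        approver = rec.get("approver")
        if not approver:
            problems.append("change submitted without approval")
        elif approver == rec["actor"]:
            problems.append("author approved own change")
        elif staff.get(approver, set()) & OPERATIONS_ROLES:
            problems.append(f"change approved by operations staff ({approver})")

    if actor_roles & OPERATIONS_ROLES and activity in RESTRICTED_FOR_OPERATIONS:
        problems.append(f"operations staff ({rec['actor']}) performed {activity}")

    return problems


def audit(records, staff=STAFF):
    """Map record id -> violations, for records that have at least one."""
    result = {}
    for rec in records:
        problems = check_record(rec, staff)
        if problems:
            result[rec["id"]] = problems
    return result


# Constructed sample records: changes (c*) and other logged activities (a*).
SAMPLE_RECORDS = [
    {"id": "c1", "actor": "dev1", "activity": "code_change",
     "target": "application", "approver": "lead1"},
    {"id": "c2", "actor": "dev1", "activity": "code_change",
     "target": "operating_system", "approver": "dev1"},
    {"id": "c3", "actor": "ops1", "activity": "code_change",
     "target": "job_control", "approver": "lead1"},
    {"id": "c4", "actor": "dev1", "activity": "code_change",
     "target": "application", "approver": "ops1"},
    {"id": "c5", "actor": "dev1", "activity": "code_change",
     "target": "application"},
    {"id": "a1", "actor": "ops1", "activity": "security_admin",
     "target": "user_profiles"},
    {"id": "a2", "actor": "ops1", "activity": "data_entry",
     "target": "payroll_batch"},
    {"id": "a3", "actor": "ops1", "activity": "mount_media",
     "target": "tape_0412"},
]

if __name__ == "__main__":
    for rec_id, problems in audit(SAMPLE_RECORDS).items():
        print(rec_id, "->", "; ".join(problems))
```

Only c1 (a developer's change approved by a lead) and a3 (an operator mounting a tape, one of the operator duties on slide 21) pass. The check is deliberately table-driven: the staff directory and the restricted-activity set are the policy, and the functions only apply it, so a review of "access needed versus granted" (slide 15) reduces to reviewing those two tables.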
21. Separation of Duties - Operator
  - Installing system software
  - Start up/Shut down
  - Backup/recovery
  - Mounting disks/tapes
  - Handling hardware
  - Adding/removing users (?)

22. Separation of Duties - Security
  - User activities
    - Adding/removing users (?)
    - Setting clearances
    - Setting passwords
    - Setting other security characteristics
    - Changing profiles
  - Setting file sensitivity labels
  - Setting security characteristics of devices, communications channels
  - Reviewing audit data

23. The Control
  - Personnel reviews - Background checks
  - Password management
  - Logging of all activities
  - Problem reporting and change procedures
  - Granular access control over system commands
  - Individual access permissions
  - Periodic review of access needed/granted
  - All changes require approval
  - Operational staff should not code or approve changes
  - Operational staff should not perform security duties
  - Operations staff should not do data entry
  - Responsibilities in Operations should be divided
  - Layered Defense
    - Emergency procedures requiring approval

24. The Control
  - Personnel reviews - Background checks
  - Password management
  - Logging of all activities
  - Problem reporting and change procedures
  - Granular access control over system commands
  - Individual access permissions
  - Periodic review of access needed/granted
  - All changes require approval
  - Operational staff should not code or approve changes
  - Operational staff should not perform security duties
  - Operations staff should not do data entry
  - Responsibilities in Operations should be divided
  - Emergency procedures requiring approval
    - Read vs Read/Write access

25. The Control
  - Personnel reviews - Background checks
  - Password management
  - Logging of all activities
  - Problem reporting and change procedures
  - Granular access control over system commands
  - Individual access permissions
  - Periodic review of access needed/granted
  - All changes require approval
  - Operational staff should not code or approve changes
  - Operational staff should not perform security duties
  - Operations staff should not do data entry
  - Responsibilities in Operations should be divided
  - Emergency procedures requiring approval
  - Training - Equipment/system documentation, procedures
26. The Problem
  - Physical access to the computer room and devices there
    - IS programmers
    - Cleaning/maintenance
    - Vendor support
    - Contract/Temp staff
    - Memory content modification
    - Microcode changes
    - Device shutdown
  - Shoulder surfing over Operator's shoulder
  - Physical access to printouts - rerouting
  - Access to print queues
  - Access to printers

27. The Control
  - Authentication & Least Privilege
    - Authorization for access to the facility
    - Closed shop - physical access controls limiting access to authorized personnel
    - Operations security - controls over resources - HW, media & operators with access
      - Operations terminals
      - Servers/routers/modems/circuit rooms
      - Sniffer - device that attaches to the network and captures network traffic
      - Magnetic media

28. The Control
  - Authentication & Least Privilege
    - Authorization for access to the facility
    - Enforced control of access to the facility
    - Security perimeter - boundary where security controls protect assets
    - System high security - system and all peripherals are protected at the level of the highest security classification of any information housed by the system
    - Tempest - reception of electromagnetic emanations which can be analyzed to disclose sensitive or protected information

29. The Control
  - Authentication & Least Privilege
    - Authorization for access to the facility
    - Enforced control of access to the facility
    - Physical oversight of operator console
      - Supervision of personnel - Realtime and Non-realtime
        - Morale evaluation
        - Operating logs
        - Inventory
        - Change control procedures
        - Incident reporting
        - System/audit logs
        - Audits/security reviews
        - Job rotation

30. The Control
  - Authorization for access to the facility
  - Enforced control of access to the facility
  - Physical oversight of operator console
  - Separation of Duties & Layered Defense
    - Protection of printouts
    - Heading/Trailing banners with recipient name and location
    - Print "No Output" when report is empty

31. The Control
  - Authorization for access to the facility
  - Enforced control of access to the facility
  - Physical oversight of operator console
  - Separation of Duties & Layered Defense
    - Protection of printouts
    - Positive identification and logging of printouts
    - Sign for receipt of sensitive printouts

32. The Control
  - Authorization for access to the facility
  - Enforced control of access to the facility
  - Physical oversight of operator console
  - Separation of Duties & Layered Defense
    - Protection of printouts
    - Positive identification and logging of printouts
    - Protection of print queues

33. The Control
  - Authorization for access to the facility
  - Enforced control of access to the facility
  - Physical oversight of operator console
  - Separation of Duties & Layered Defense
    - Protection of printouts
    - Positive identification and logging of printouts
    - Protection of print queues
    - Audit of facility and processes
      - audit logs
      - logons
      - operating system calls/utilities
      - system connectivity
34. The Problem
  - Inability to recover from failures
  - Legal liabilities

35. The Control
  - Redundancy
    - Regular backups of all software and files

36. The Control
  - Regular backups of all software and files
  - Hardware Asset Management
    - Hardware configuration
    - Hardware inventory
    - Fault tolerant equipment - design reliability
    - Configuration
    - Secure disposal
      - Cleaning/Sanitizing
        - Overwriting
        - Destructive delete
        - Degaussing
        - Destruction
    - Environmental protection

37. Environmental Contamination
  - Buildup of conductive particles, contaminants
    - Circuit boards, microswitches, sensors
    - Spontaneous combustion
      - National Fire Protection - US computer room fire every 10 min
      - 80% unknown causes (HW)
    - Causes equipment failure
      - Mass storage devices
      - Pass through disk drive filters
      - Read/write errors, disk crashes
    - Government/contractor installations
      - Max 100K parts per million in cubic foot of air
      - Data center particulates <= 0.5 microns (19.69 microinches)

38. Environmental Contamination
  - Contaminants - Max 20 m-inches (microinches)
    - Hair - 3,000 m-inches
    - Dust - 1,500 m-inches
    - Fingerprint - 600 m-inches
    - Smoke - 250 m-inches
    - 2314 head flying height - 100 m-inches
    - 2300 head flying height - 50 m-inches
    - Metallics (vacuum cleaner brushes, printers, floors)
    - Carbonaceous (autos, tobacco, toner, paper, burn)
    - Synthetic (clothing, carpet)
    - Cement/crystalline (subfloor, cleaning fluids, air purifiers)

39. Environmental Detection
  - White glove samples examined with microscope
    - Identification, no concentrations
  - Petri dish samples examined with microscope
    - Identification, no concentrations
  - Aspirating pump collection examined with microscope
    - Identification, some concentration data
  - Particulate counter and collection bag
    - Contaminant typing, some concentration data
  - Vicon detector with filtering media and micro exam
    - Accurate typing and concentration with multiple samples

40. Environmental Controls
  - Cost justification
    - Analyze with Vicon & maintain error logs
  - Control program
    - Separate equipment
    - Activity restrictions
    - Brushless vacuums with micron ratings <= 1 micron or wall mounted vacuum outside
    - No ion-generating purifiers, conditioners, heaters
    - Tile quality of floors
    - Top-line filtration
    - Train maintenance staff

41. The Control
  - Regular backups of all software and files
  - Hardware configuration and inventory
  - Fault tolerant equipment
  - Secure disposal
  - Software Asset Management
    - Operating/Backup software inventory
    - Backups
      - Generations
      - Off-site
      - Environmental control
      - Controlled & authorized access to backups
    - COTS Computer Off-the-Shelf Products
    - Maintenance accounts/passwords

42. The Control
  - Regular backups of all software and files
  - Hardware configuration and inventory
  - Fault tolerant equipment
  - Operating and backup software inventory
  - Off-site storage of backups
  - Environmental and access control of backup storage
  - Trusted recovery procedures
    - Ensure security not breached during system crash and recovery
    - Requires backup
    - Reboot (Crash or power failure)
    - Recover file systems (Missing resource)
    - Restore files and databases (Inconsistent database)
    - Check security files (System compromise)
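The last trusted-recovery step on slide 42, checking security files for signs of compromise, needs a baseline taken while the system was known good. The block below is an added example, not code from the deck or from the author: it records SHA-256 digests of a set of security-critical files, then after a simulated recovery reports which of them are unchanged, modified or missing. The file names are assumptions for this example, and the demo builds them in a temporary directory so it runs anywhere.

```python
"""Checking security files after a crash or recovery.

Added example (not code from the original slides). The slide's last
recovery step, "check security files (system compromise)", is shown here
as a baseline-and-verify routine: record SHA-256 hashes of security-critical
files while the system is known good, then compare after recovery. The
file names are assumptions; the demo builds them in a temporary directory.
"""
import hashlib
import os
import tempfile

# Assumed set of security-critical files, relative to the system root.
SECURITY_FILES = ["etc/passwd", "etc/security/acl.db", "bin/su"]


def sha256_file(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, rel_paths=SECURITY_FILES):
    """Baseline: relative path -> digest. Taken while the system is trusted,
    and kept off the system (the slide's protected/duplicated copy) so a
    compromise cannot rewrite the baseline along with the files."""
    return {p: sha256_file(os.path.join(root, p)) for p in rel_paths}


def verify_manifest(root, manifest):
    """Compare the current files with the baseline. Returns sorted lists of
    ok, modified and missing paths, and clean=True only if nothing changed."""
    ok, modified, missing = [], [], []
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            missing.append(rel)
        elif sha256_file(path) != expected:
            modified.append(rel)
        else:
            ok.append(rel)
    return {"ok": sorted(ok), "modified": sorted(modified),
            "missing": sorted(missing),
            "clean": not modified and not missing}


def _write(root, rel, data):
    """Write a constructed file under root, creating directories as needed."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Build a constructed system image, take the baseline, simulate what a
    bad recovery (or a compromise hidden by it) leaves behind, then verify."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd", b"root:x:0:0\nops1:x:1001:100\n")
        _write(root, "etc/security/acl.db", b"payroll.master:read:hr\n")
        _write(root, "bin/su", b"\x7fELF-constructed-binary")
        manifest = build_manifest(root)

        # After "recovery": an extra uid-0 account appears in passwd and the
        # ACL database was not restored at all. Both must be caught before
        # the system is returned to service.
        _write(root, "etc/passwd",
               b"root:x:0:0\nops1:x:1001:100\nmaint:x:0:0\n")
        os.remove(os.path.join(root, "etc/security/acl.db"))

        return verify_manifest(root, manifest)


if __name__ == "__main__":
    result = demo()
    print("clean" if result["clean"] else "NOT clean")
    for kind in ("modified", "missing"):
        for rel in result[kind]:
            print(f"  {kind}: {rel}")
```

The verification is only as trustworthy as the manifest: if the baseline is stored on the same system it protects, whatever corrupted the files can correct the digests too, which is why the slide pairs recovery with off-site, access-controlled backups.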
43. Trusted System Operations
    - Trusted computing base - HW/FW/SW protected by appropriate mechanisms, at the appropriate level of sensitivity/security, to enforce the security policy
    - Trusted facility management - supports separate operator and administrator roles (B2)
    - Clearly identify security admin functions
    - Definition - Integrity
        - formal declaration or certification of a product
44. Definitions
    - Acceptance
        - Verification that performance & security requirements have been met
    - Accreditation
        - Formal acceptance of security adequacy, authorization for operation and acceptance of existing risk (QC)
    - Certification
        - Formal testing of security safeguards
    - Operational assurance
        - Verification that a system is operating according to its security requirements
            - Design & development reviews
            - Formal modeling
            - Security architecture
            - ISO 9000 quality techniques
    - Assurance
        - Degree of confidence that the implemented security measures work as intended
45. The Control
    - Regular backups of all software and files
    - Hardware configuration and inventory
    - Fault-tolerant equipment
    - Operating and backup software inventory
    - Off-site storage of backups
    - Environmental and access control of backup storage
    - Trusted reboot procedures
    - Contingency Management
        - Tested procedures to be taken before, during and after a threatening incident
        - Continuity of operations - maintenance of essential DP services after an incident
        - Recovery procedure - actions to restore DP capability after an incident
46. Emergency Procedures
    - Communications channel for the evacuation signal
    - Procedures to secure tapes, programs, …
    - Evacuation routes/wardens
    - Transportation routes for transporting employees
    - Medical assistance
    - Requesting police/fire assistance
    - Storing backup files off-site
    - Activating backup
47. Configuration Management
    - Controlling modifications to system HW/FW/SW/documentation
    - Ensure integrity and limit non-approved changes
    - Baseline controls
        - policies
        - standards
        - procedures
        - responsibilities
        - requirements
        - impact assessments
        - software level maintenance
48. Configuration Management
    - Organized and consistent plan covering
        - description of physical/media controls
        - electronic transfer of software
        - communications software/protocols
        - encryption methods/devices
        - security features/limitations of software
        - hardware requirements/settings/protocols
        - system responsibilities/authorities
        - security roles/responsibilities
        - user needs (sensitivity, functionality)
        - audit information and process
        - risk assessment results
49. Risk Assessment/Analysis
    - Includes:
        - Threat
        - Vulnerability
        - Asset
    - Ease of Use principle
        - A system that is easier to secure is more likely to be secure
50. Vulnerabilities Summary
    - Improper access to system utilities
    - Improper access to information
    - Improper update of information
    - Improper destruction of information
    - Improper change to job schedule
    - Improper access to printed materials
    - Physical access to the computer room
    - Physical access to printouts
    - Access to print queues
    - Denial of service
    - Inability to recover from failures
    - Fraud
51. Summary of Controls
    - Personnel reviews - background checks
    - Password management
    - Logging of all activities
    - Problem reporting and change procedures
    - All changes require approval
    - Granular access control over system commands
    - Individual access permissions
    - Periodic review of access needed/granted
    - Operational staff should not code or approve changes
    - Operational staff should not perform security duties
    - Operations staff should not do data entry
    - Responsibilities in Operations should be divided
    - Password management
    - Emergency procedures requiring approval
52. Summary of Controls (2)
    - Read vs Read/Write access
    - Authorization for access to the facility
    - Enforced control of access to the facility
    - Physical oversight of the operator console
    - Protection of printouts
    - Positive identification and logging of printouts
    - Protection of print queues
    - Regular backups of all software and files
    - Off-site storage of backups
    - Environmental control of backup storage
    - Controlled & authorized access to backups
53. The Real World
    - Operations Controls
        - Organizations understaffed, wear too many hats
        - Separation of duties seldom complete
        - A single password is used by all operators
        - System commands are unrestricted on the console
            - OR are granted to all operations staff
        - Commands are not logged
            - OR logs are not reviewed
        - Emergency procedures and approvals poorly defined
        - Operations personnel may support system software
            - OR perform security functions
54. The Real World (2)
    - Operations Controls
        - Most of IS and many users have access to the facility
        - Printouts are laid out for pickup without oversight
        - Print queues are openly available to on-line users
        - Only some platforms are backed up
        - Backups are often stored on site
            - In the computer room
            - OR in an office
        - No restrictions are placed on access to backups
        - Communications closets open
55. Secure System Operation
    - Identification
    - Authorization
    - Alarm
    - Surveillance
        - Real-time/non-real-time
    - Integrity
56. Media Controls
    - Tapes, disks, diskettes, cards, paper, optical
    - Volume labels required
        - Human/machine readable
        - Date created, created by
        - Date to destroy/retention period
        - Volume/file name, version
        - Classification
    - Audit trail
    - Separation of responsibility - librarian
    - Backup procedures
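The volume-label fields listed above are only a control if someone checks them when media is filed, issued and retired. This added example (not from the slides) treats a label as a small record and shows three librarian checks: validation of every required field plus date sanity and retention expiry, a disposal queue of volumes whose destroy date has passed, and a classification-versus-clearance test for "controlled & authorized access". The label contents, the four-level classification scheme and the "today" value are constructed assumptions; a real site would substitute its own scheme and read labels from its media inventory.

```python
from datetime import date

REQUIRED_FIELDS = ("volume_id", "file_name", "version", "created", "created_by",
                   "destroy_on", "classification")
# Assumed classification scheme, ordered from least to most sensitive.
CLASSIFICATIONS = ("public", "internal", "confidential", "restricted")

SAMPLE_TODAY = date(2024, 6, 1)

# Constructed sample labels. Dates are ISO strings (YYYY-MM-DD) so they stay
# human- and machine-readable on the physical label.
GOOD_LABEL = {
    "volume_id": "TAPE-000123",
    "file_name": "PAYROLL.MASTER",
    "version": "3",
    "created": "2024-01-15",
    "created_by": "oper1",
    "destroy_on": "2031-01-15",
    "classification": "confidential",
}
BAD_LABEL = {
    "volume_id": "TAPE-000124",
    "file_name": "GL.BACKUP",
    "version": "1",
    "created": "2016-02-30",     # not a real calendar date
    "created_by": "",            # nobody recorded as creator
    "destroy_on": "2021-03-01",  # retention period already expired
    # "classification" deliberately absent
}


def parse_iso_date(text):
    """Return a date for a valid ISO string, else None."""
    try:
        return date.fromisoformat(text)
    except (TypeError, ValueError):
        return None


def validate_label(label, today):
    """Return a list of problems with a volume label; an empty list means the
    volume may be filed. Checks every required field, date sanity, a known
    classification, and whether the retention period has expired."""
    problems = []
    for field in REQUIRED_FIELDS:
        if not str(label.get(field, "")).strip():
            problems.append(f"missing {field}")
    created = parse_iso_date(label.get("created"))
    destroy = parse_iso_date(label.get("destroy_on"))
    if label.get("created") and created is None:
        problems.append("created is not a valid date")
    if label.get("destroy_on") and destroy is None:
        problems.append("destroy_on is not a valid date")
    if created and destroy and destroy < created:
        problems.append("destroy_on precedes created")
    if destroy and destroy <= today:
        problems.append("retention period expired; route to secure disposal")
    cls = label.get("classification")
    if cls and cls not in CLASSIFICATIONS:
        problems.append(f"unknown classification {cls!r}")
    return problems


def disposal_queue(labels, today):
    """Volume ids whose destroy date has passed: the librarian's pull list
    for secure disposal."""
    queue = []
    for label in labels:
        destroy = parse_iso_date(label.get("destroy_on"))
        if destroy and destroy <= today:
            queue.append(label["volume_id"])
    return sorted(queue)


def checkout_allowed(label, clearance):
    """A volume may be issued only to someone cleared at or above its
    classification; unlabeled or unknown classifications are refused."""
    cls = label.get("classification")
    if cls not in CLASSIFICATIONS or clearance not in CLASSIFICATIONS:
        return False
    return CLASSIFICATIONS.index(clearance) >= CLASSIFICATIONS.index(cls)


if __name__ == "__main__":
    for label in (GOOD_LABEL, BAD_LABEL):
        print(label["volume_id"], validate_label(label, SAMPLE_TODAY) or "OK")
    print("disposal queue:", disposal_queue([GOOD_LABEL, BAD_LABEL], SAMPLE_TODAY))
```

The second sample label fails on four counts at once, which is typical of media that has been filed without a librarian: the validation list, not a single yes/no, is what gets written to the audit trail so the reason a volume was refused is recorded alongside who refused it.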
57. Final Considerations
    - What system commands are available?
        - To whom? With what authentication?
    - How are changes made and approved?
        - To system software? To applications? To access?
    - How are responsibilities divided?
    - How available are printouts/print queues?
    - How accessible is the operations facility?
    - Proportionality - cost vs benefit
