Understand the operations necessary to protect and control information processing assets Identify the security services available Know the process and techniques that can be implemented to keep the system operational when faced with threats

1. Operations Security

2. Objectives
● Understand the operations necessary to protect and
control information processing assets
● Identify the security services available
● Know the process and techniques that can be
implemented to keep the system operational when
faced with threats

3. Major Components of OpSec
● Privileged entity controls
○ Separation of Duties
○ Principle of Least Privilege
● Resource protection
○ Threat and Vulnerability Management
● Change control management
● Problem Management
● Auditing

4. Related Security Principles
● Accountability: management and administration
controls
○ Authorization
○ Logging
● Separation of Tasks/Duties
● Least privilege
● System architecture, configurations, redundancy
● Risk Reduction
● Layered Defense or Defense in Depth
● Transfer of risk, e.g. insurance

5. Constant Awareness Required
● Monitoring
● Auditing
● Surveillance
● IDS
● IPS
And what are we
looking for
○ threats
○ vulnerabilities
○ scanners
○ exposures
○ signatures
○ ...

6. Threat Model
Controls to protect hardware, software and media
from:
● Threats in a operating environment
● Internal/External intruders
● Operators inappropriately accessing resources
● OpSec Triple: Threats/Vulnerabilities/Assets

7. Threats - Inappropriate Activities
Can be grounds for job action or dismissal
● Inappropriate content
● Waste of Corporate Resources
● Sexual or Racial Harassment
● Abuse of privileges or rights

8. Threats - Illegal Operations
● Eavesdropping: sniffing, dumpster diving, etc.
● Fraud: falsified transactions
● Theft: information or trade secrets, physical
hardware
● Sabotage: DOS, production delays
● External Attacks

9. Network and System
Vulnerabilities
● Traffic/Trend Analysis: analyzing data
characteristics
● Covert Channel Analysis: unintended channel
● Countermeasures include:
○ Padding Messages
○ Sending Noise

10. Other Threats
● Data Scavenging - piecing together
information from bits of data
● Keyboard Attacks/Laboratory Attacks
● IPL Vulnerabilities
● Network Address Hijacking

11. Additional Topics
● Adds, moves and changes
● Information sensitivity: handling, storage,
life-cycle, destruction
● Exploits: viruses and worms
● Incident handling: logging, reporting, tracking

12. • Crimes: Means/opportunity/motive (MOM)
• Types of exploits: at each layer
• Insiders or those closest to assets are the
greatest risks
• Hackers, crackers and externally based
technical exploits drive the majority of
security discussions but not the bulk of
economic losses
Exploits and Malicious Attacks

13. Privileged Entity Controls
Definition
● Privileged operations functions
● Extended special access to system commands
● Access to special parameters
● Access to system control program: some only
run in particular state

14. Prevailing Laws and Regulations
● A number of laws have been passed that
require information privacy.
● Ensuring Privileged Entity Control is critical to
following the law and staying compliant.
○ NIS Directive
○ GDPR
○ EU Cybersecurity Act
○ Member States

15. ● Data entry personnel must not be the same
individuals verifying the data
● Reconciliation of the information should not
be performed by the individual entering the
information
Separation of Duties

16. Separation of Duties
• Assign different task to different personnel
• No single person runs a system
• Related to concept of least privileges
• Secure Systems
• Highly Secure Systems

17. Separation of Duties
The same individual should not typically perform the
following functions:
• Systems administration
• Network management
• Data entry
• Computer operations
• Security administration
• Systems development and maintenance
• Security auditing
• Information systems management
• Change management

18. Separation of Duties
System Administrator
• Installing system software
• Planned Start up/Shut down
• Backup/recovery
• Mounting disks/tapes
• Handling hardware
• Adding/removing users

19. Separation of Duties
Security Administrator
● User activities
○ Adding/removing users
○ Setting clearances
○ Setting passwords
○ Setting other security characteristics
○ Changing profiles
● Setting file sensitivity labels
● Setting security characteristics of devices,
communications channels
● Reviewing audit data

20. Principle of Least Privilege
• The principle of least privilege (POLP) is the
practice of limiting access to the minimal level
that will allow normal functioning
• The principle is also applied to programs and
processes
• The principle of least privilege originated in the
United States Department of Defense in the
1970s. The Rainbow Series of security documents
highly emphasized this concept

21. Resources Protection
Protecting resources from disclosure, alteration,
misuse or unsafe conditions
• Hardware
• Software
• Data Processing Resources
• Media
• Change Management

22. Control Categories
● Preventative: prevent incident
○ Firewall or Locked Door
● Detective: detect after incident
○ Network IDS or Video Camera
● Corrective: correct after incident
○ IPS or Guard reaction
● Deterrent Control: deter behavior before
incident
○ Login warning banner or “Do Not Enter” sign

23. Additional Controls
● Application Controls
● Transaction Controls
● Input Controls
● Processing Controls
● Output Controls
● Change Controls
● Test Controls

24. Hardware Controls
● Hardware Maintenance
● Maintenance Accounts
● Diagnostic Port Control
● Hardware Physical Controls
○ Require locks and alarms

25. Problems with Software
● Powerful system utilities
● Powerful system commands
○ Superzapping - system utility or application that
bypasses all access controls and audit/logging functions
to make updates to code or data
● Direct control over hardware and software
● Direct control over all files
● Direct control over printers and output queues
● Powerful Input/Output commands
● Direct access to servers
● Initial program load from console

26. Problems with Software
● Initial program load: IPL from tape
● Control over job schedule and execution
● Control over all storage media
● Bypass label processing
● Re-labeling resources
● Resetting date/time, passwords
● Control of access ports/lines
● Erroneous transactions (fraud)
○ Altering proper transactions
○ Adding improper transactions
● Denial of service/Delays in operation
● Personal use, Disclosure
● Audit trail/log corruption/modification

27. Software Controls
● Anti-virus Management
● Software Testing
● Software Utilities
● Safe software Storage
● Back up Controls

28. Data Processing Resources
Physically safeguarding the resources that
process data for an organization, such as
• People
• Facilities
• Communications equipment
• Archives
• Data storage media
• Servers and network equipment

29. Media Protection - Key Terms
Due care and Due Diligence: legal standards
important in defining negligence and liability
• Due Diligence is understanding where your
risks lie
• Due Care is taking reasonable action to
mitigate those risks

30. Media Protection Key Terms
● Records Retention: policy driven, critical
influences include legal, personnel and
operational considerations
● Data Remanence: information left AFTER
erasure of media

31. Media Security Controls
Prevent the loss of sensitive information when
the media is stored outside the system
● Logging
○ log the use of the media
● Access Control
○ physical access control
● Proper Disposal
○ sanitization of data

32. Media Viability Controls
Protect during handling, shipping and storage
● Marking
○ label and mark media
● Handling
○ physical protection of data
● Storage
○ security and environmental protection

33. Data Backup
● RAID
● Multiple servers
● CDDVDOptical Jukebox
● Removable Hard Drives
● Tape
● Storage Area Network (SAN) backup to
Network Attached Storage (NAS)

34. Data Backup
● Basic Types
○ Full: Backup everything of interest
○ Differential: Files that have changed since
○ last Full backup
○ Incremental: Files that have changed since
last backup (any type of backup)
● On-Site vs. Off-Site

35. RAID
Redundant Array of Inexpensive Disks
● Striping
● Mirroring
● Parity or checksums
● RAID Levels

36. RAID Levels
● Level 0: Striped Disk Array
○ No fault tolerance
○ Performance Increase
● Level 1: Mirroring
○ Single controller
○ Duplexing (multiple controllers)
○ No Performance Increase
● Level 2: Bit Level Striping
○ Data striped over disk drives at bit level
○ Hamming code used for parity
● Level 3: Duplexing
○ Two separate controllers w/parity
○ Data striped across drives, parities kept on their own drive

37. RAID Levels
● Level 4: Duplexing w/parity
○ Data striped across drives at the block level (as opposed to
byte level)
● Level 5
○ Array of at least 3 hard drives (array controller)
○ Data is striped (entire data block written)
○ Parity is distributed over all the disks
● Level 6
○ Two different and independent parity schemes, plus the
features of Level 5 (Raid DP – Raid 6 w/ double parity)
● Level 10: Mirroring and striping
○ (high performance and reliability)

38. Discussion…