2. Objectives
● Understand the operations necessary to protect and control information processing assets
● Identify the security services available
● Know the process and techniques that can be implemented to keep the system operational when faced with threats
3. Major Components of OpSec
● Privileged entity controls
○ Separation of Duties
○ Principle of Least Privilege
● Resource protection
○ Threat and Vulnerability Management
● Change control management
● Problem Management
● Auditing
4. Related Security Principles
● Accountability: management and administration controls
○ Authorization
○ Logging
● Separation of Tasks/Duties
● Least privilege
● System architecture, configurations, redundancy
● Risk Reduction
● Layered Defense or Defense in Depth
● Transfer of risk, e.g. insurance
5. Constant Awareness Required
● Monitoring
● Auditing
● Surveillance
● IDS
● IPS
And what are we looking for:
○ threats
○ vulnerabilities
○ scanners
○ exposures
○ signatures
○ ...
6. Threat Model
Controls to protect hardware, software and media from:
● Threats in an operating environment
● Internal/External intruders
● Operators inappropriately accessing resources
● OpSec Triple: Threats/Vulnerabilities/Assets
7. Threats - Inappropriate Activities
Can be grounds for job action or dismissal
● Inappropriate content
● Waste of Corporate Resources
● Sexual or Racial Harassment
● Abuse of privileges or rights
8. Threats - Illegal Operations
● Eavesdropping: sniffing, dumpster diving, etc.
● Fraud: falsified transactions
● Theft: information or trade secrets, physical hardware
● Sabotage: DOS, production delays
● External Attacks
9. Network and System Vulnerabilities
● Traffic/Trend Analysis: analyzing data characteristics
● Covert Channel Analysis: unintended channel
● Countermeasures include:
○ Padding Messages
○ Sending Noise
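The two countermeasures on this slide can be shown in a few lines of code. The example below is added here and is not from the original slide deck: it frames each message, pads it up to one of a small set of fixed bucket sizes (the bucket sizes, the 3-byte header layout and the function names are all constructed for this example), and lets the sender emit dummy "noise" frames that a passive observer cannot tell apart from real traffic by length alone.

```python
import secrets
from typing import List, Optional, Sequence, Tuple

# Constructed for this example: every frame on the wire has one of these sizes,
# so an observer learns only which bucket a message fell into, not its length.
BUCKETS = (64, 256, 1024, 4096)
HEADER = 3                    # 1-byte frame type + 2-byte payload length
DATA, NOISE = 0x01, 0x00      # frame types (constructed values)


def pad_to_bucket(msg: bytes) -> bytes:
    """Frame a real message and pad it to the smallest bucket that fits.

    Layout: [type][len, 2 bytes big-endian][msg][random fill].
    Random fill (rather than zeros) avoids a trivially compressible tail.
    """
    if len(msg) > 0xFFFF:
        raise ValueError("message too long for the 2-byte length field")
    body = bytes([DATA]) + len(msg).to_bytes(2, "big") + msg
    for size in BUCKETS:
        if len(body) <= size:
            return body + secrets.token_bytes(size - len(body))
    raise ValueError("message larger than the largest bucket")


def noise_frame(size: int = BUCKETS[0]) -> bytes:
    """A dummy frame the receiver silently discards ("sending noise").

    On the wire it is indistinguishable by length from a real frame of the
    same bucket, which is what defeats simple traffic/trend analysis.
    """
    if size not in BUCKETS:
        raise ValueError("noise frames must also use a valid bucket size")
    return bytes([NOISE]) + (0).to_bytes(2, "big") + secrets.token_bytes(size - HEADER)


def unframe(frame: bytes) -> Optional[bytes]:
    """Return the message carried by a frame, or None for a noise frame.

    Malformed frames (bad size, unknown type, length overrunning the frame)
    are rejected rather than partially decoded.
    """
    if len(frame) not in BUCKETS:
        raise ValueError("frame size is not a valid bucket")
    kind = frame[0]
    n = int.from_bytes(frame[1:3], "big")
    if kind == NOISE:
        return None
    if kind != DATA or HEADER + n > len(frame):
        raise ValueError("malformed frame")
    return frame[HEADER:HEADER + n]


def observed_lengths(messages: Sequence[bytes]) -> Tuple[List[int], List[int]]:
    """What a passive observer sees: raw lengths versus padded lengths."""
    return [len(m) for m in messages], [len(pad_to_bucket(m)) for m in messages]


if __name__ == "__main__":
    # Constructed sample traffic: short replies leak their length unpadded.
    raw, padded = observed_lengths([b"yes", b"no", b"transfer 10000 to acct 42"])
    print("unpadded:", raw)     # [3, 2, 25]
    print("padded:  ", padded)  # [64, 64, 64]
    print(unframe(noise_frame()))  # None
```

Padding has to be applied to the plaintext before a length-preserving cipher is used, otherwise the ciphertext length still reveals the original size; and noise frames only help if they are sent on a schedule that does not itself correlate with real activity.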
10. Other Threats
● Data Scavenging - piecing together information from bits of data
● Keyboard Attacks/Laboratory Attacks
● IPL Vulnerabilities
● Network Address Hijacking
11. Additional Topics
● Adds, moves and changes
● Information sensitivity: handling, storage, life-cycle, destruction
● Exploits: viruses and worms
● Incident handling: logging, reporting, tracking
12. Exploits and Malicious Attacks
• Crimes: Means/opportunity/motive (MOM)
• Types of exploits: at each layer
• Insiders or those closest to assets are the greatest risks
• Hackers, crackers and externally based technical exploits drive the majority of security discussions but not the bulk of economic losses
13. Privileged Entity Controls
Definition
● Privileged operations functions
● Extended special access to system commands
● Access to special parameters
● Access to system control program: some only run in particular state
14. Prevailing Laws and Regulations
● A number of laws have been passed that require information privacy.
● Ensuring Privileged Entity Control is critical to following the law and staying compliant.
○ NIS Directive
○ GDPR
○ EU Cybersecurity Act
○ Member States
15. Separation of Duties
● Data entry personnel must not be the same individuals verifying the data
● Reconciliation of the information should not be performed by the individual entering the information
16. Separation of Duties
• Assign different tasks to different personnel
• No single person runs a system
• Related to the concept of least privilege
• Secure Systems
• Highly Secure Systems
17. Separation of Duties
The same individual should not typically perform the following functions:
• Systems administration
• Network management
• Data entry
• Computer operations
• Security administration
• Systems development and maintenance
• Security auditing
• Information systems management
• Change management
18. Separation of Duties
System Administrator
• Installing system software
• Planned Start up/Shut down
• Backup/recovery
• Mounting disks/tapes
• Handling hardware
• Adding/removing users
19. Separation of Duties
Security Administrator
● User activities
○ Adding/removing users
○ Setting clearances
○ Setting passwords
○ Setting other security characteristics
○ Changing profiles
● Setting file sensitivity labels
● Setting security characteristics of devices,
communications channels
● Reviewing audit data
20. Principle of Least Privilege
• The principle of least privilege (POLP) is the practice of limiting access to the minimal level that will allow normal functioning
• The principle is also applied to programs and processes
• The principle of least privilege originated in the United States Department of Defense in the 1970s. The Rainbow Series of security documents highly emphasized this concept
21. Resources Protection
Protecting resources from disclosure, alteration, misuse or unsafe conditions
• Hardware
• Software
• Data Processing Resources
• Media
• Change Management
22. Control Categories
● Preventative: prevent incident
○ Firewall or Locked Door
● Detective: detect after incident
○ Network IDS or Video Camera
● Corrective: correct after incident
○ IPS or Guard reaction
● Deterrent Control: deter behavior before incident
○ Login warning banner or “Do Not Enter” sign
24. Hardware Controls
● Hardware Maintenance
● Maintenance Accounts
● Diagnostic Port Control
● Hardware Physical Controls
○ Require locks and alarms
25. Problems with Software
● Powerful system utilities
● Powerful system commands
○ Superzapping - system utility or application that bypasses all access controls and audit/logging functions to make updates to code or data
● Direct control over hardware and software
● Direct control over all files
● Direct control over printers and output queues
● Powerful Input/Output commands
● Direct access to servers
● Initial program load from console
26. Problems with Software
● Initial program load: IPL from tape
● Control over job schedule and execution
● Control over all storage media
● Bypass label processing
● Re-labeling resources
● Resetting date/time, passwords
● Control of access ports/lines
● Erroneous transactions (fraud)
○ Altering proper transactions
○ Adding improper transactions
● Denial of service/Delays in operation
● Personal use, Disclosure
● Audit trail/log corruption/modification
27. Software Controls
● Anti-virus Management
● Software Testing
● Software Utilities
● Safe Software Storage
● Backup Controls
28. Data Processing Resources
Physically safeguarding the resources that process data for an organization, such as
• People
• Facilities
• Communications equipment
• Archives
• Data storage media
• Servers and network equipment
29. Media Protection - Key Terms
Due Care and Due Diligence: legal standards important in defining negligence and liability
• Due Diligence is understanding where your risks lie
• Due Care is taking reasonable action to mitigate those risks
30. Media Protection Key Terms
● Records Retention: policy driven, critical influences include legal, personnel and operational considerations
● Data Remanence: information left AFTER erasure of media
31. Media Security Controls
Prevent the loss of sensitive information when the media is stored outside the system
● Logging
○ log the use of the media
● Access Control
○ physical access control
● Proper Disposal
○ sanitization of data
32. Media Viability Controls
Protect during handling, shipping and storage
● Marking
○ label and mark media
● Handling
○ physical protection of data
● Storage
○ security and environmental protection
33. Data Backup
● RAID
● Multiple servers
● CD/DVD/Optical Jukebox
● Removable Hard Drives
● Tape
● Storage Area Network (SAN) backup to Network Attached Storage (NAS)
34. Data Backup
● Basic Types
○ Full: Backup everything of interest
○ Differential: Files that have changed since last Full backup
○ Incremental: Files that have changed since last backup (any type of backup)
● On-Site vs. Off-Site
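The difference between differential and incremental backups is easiest to see in a simulation. The example below is added here and is not from the original slide deck; file names, modification times and backup times are constructed integers. It selects the files each kind of run copies using exactly the two rules on the slide (differential: changed since the last full; incremental: changed since the last backup of any type) and then works out the restore chain, which is where the trade-off shows: differentials grow but restore from two sets, incrementals stay small but every one since the last full or differential is needed.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class BackupRun:
    kind: str          # "full", "differential" or "incremental"
    time: int          # when the run happened (constructed integer timestamps)
    files: List[str]   # what the run copied


def select_files(kind: str, mtimes: Dict[str, int], history: List[BackupRun]) -> List[str]:
    """Files a backup of the given kind copies, given the runs done so far."""
    if kind == "full":
        return sorted(mtimes)
    fulls = [r for r in history if r.kind == "full"]
    if not fulls:
        raise ValueError(f"a {kind} backup needs a prior full backup")
    if kind == "differential":
        since = max(r.time for r in fulls)        # changed since the last FULL
    elif kind == "incremental":
        since = max(r.time for r in history)      # changed since the last backup of ANY type
    else:
        raise ValueError(f"unknown backup kind {kind!r}")
    return sorted(f for f, mtime in mtimes.items() if mtime > since)


def run_backup(kind: str, mtimes: Dict[str, int], history: List[BackupRun], now: int) -> BackupRun:
    run = BackupRun(kind, now, select_files(kind, mtimes, history))
    history.append(run)
    return run


def restore_chain(history: List[BackupRun]) -> List[BackupRun]:
    """The minimal ordered set of runs needed to restore the latest state."""
    i_full = max(i for i, r in enumerate(history) if r.kind == "full")
    chain = [history[i_full]]
    start = i_full
    for i in range(i_full + 1, len(history)):
        if history[i].kind == "differential":
            start = i          # the newest differential supersedes everything since the full
    if start != i_full:
        chain.append(history[start])
    # Every incremental after the last full/differential is still required.
    chain.extend(r for r in history[start + 1:] if r.kind == "incremental")
    return chain


def simulate() -> Dict[str, object]:
    """Constructed week of activity: three files, a full, two incrementals,
    a differential, then one more incremental."""
    mtimes = {"payroll.db": 5, "ledger.csv": 5, "config.ini": 5}
    history: List[BackupRun] = []
    log: Dict[str, object] = {}
    log["full@10"] = run_backup("full", mtimes, history, 10).files
    mtimes["payroll.db"] = 15
    log["inc@20"] = run_backup("incremental", mtimes, history, 20).files
    mtimes["ledger.csv"] = 25
    log["inc@30"] = run_backup("incremental", mtimes, history, 30).files
    log["diff@40"] = run_backup("differential", mtimes, history, 40).files
    mtimes["config.ini"] = 45
    log["inc@50"] = run_backup("incremental", mtimes, history, 50).files
    log["restore"] = [(r.kind, r.time) for r in restore_chain(history)]
    return log


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Note that the selection uses a strict "modified after the run" comparison; a real scheduler must also handle files modified while a backup is in progress, which is one reason snapshots are taken before copying.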
35. RAID
Redundant Array of Inexpensive Disks
● Striping
● Mirroring
● Parity or checksums
● RAID Levels
36. RAID Levels
● Level 0: Striped Disk Array
○ No fault tolerance
○ Performance Increase
● Level 1: Mirroring
○ Single controller
○ Duplexing (multiple controllers)
○ No Performance Increase
● Level 2: Bit Level Striping
○ Data striped over disk drives at bit level
○ Hamming code used for parity
● Level 3: Duplexing
○ Two separate controllers w/parity
○ Data striped across drives, parities kept on their own drive
37. RAID Levels
● Level 4: Duplexing w/parity
○ Data striped across drives at the block level (as opposed to byte level)
● Level 5
○ Array of at least 3 hard drives (array controller)
○ Data is striped (entire data block written)
○ Parity is distributed over all the disks
● Level 6
○ Two different and independent parity schemes, plus the features of Level 5 (RAID DP – RAID 6 w/ double parity)
● Level 10: Mirroring and striping
○ (high performance and reliability)