This document discusses operations security principles and controls. It covers general security concepts like accountability, separation of duties, and least privilege. It then details various technical, physical, and administrative controls for securing hardware, software, data, communications, facilities, personnel, and operations. The goals are to prevent security issues, detect any violations, and enable recovery of systems and data if problems occur. Key areas covered include access controls, backup and disaster recovery, change management, and configuration management.

1. Operations Security
1

2. Operations Security
 General security principles
 Operations Security
 Identify historical and real-time security events
 Capture subsequent actions
 Identify the key elements involved
 The Controls
 Alert appropriate authorities
 Take appropriate corrective or recovery actions
2

3. Operations Security
 The process of safeguarding information assets
while the data is resident in the computer, storage
media in transit through communication links, or
otherwise associated with the data processing
environment
 Identifies the controls over hardware, media, and
the operators and administrators with access
privileges to these resources
3

4. General Security Principles
 Accountability
Authorization
Logging
 Separation of duties
 Least privilege
 Risk reduction
 Layered defense
 Redundancy
4

5. The Security Goals
 Operations management
 Problem management
 Service level management
 Performance and capacity management
 Change management
 Configuration management
 Software control and distribution
 Availability and continuity management
 Security management
5

6. The Controls
 Directive Controls (Administrative controls)
 Intended to advise employees of the behavior
expected of them during their interfaces with or use of
the organization’s information systems
 Preventive Controls
 Physical, administrative, and technical measures
intended to preclude actions violating policy or
increasing risk to system resources
 Detective Controls
 The use of practices, processes, and tools that
identify and possibly react to security violations
6

7. The Controls Cont…
 Corrective Controls
 Involve physical, administrative, and technical
measures designed to react to detection of an
incident in order to reduce or eliminate the opportunity
for the unwanted event to recur
 Recovery Controls
 To restore the system or operation to a normal
operating state
7

8. Hardware Controls
 Include the physical protection of the equipment.
 Surge Protectors, UPS
 Configuration and maintenance logs
 Problem Tracking
8

9. Software Controls
 OS Controls
 Restrict and Monitor
 Changing computer system privileges or controls
 Changing protective features or parameters affecting another
user
 Allocating resources
 Halting the computing system
 Controlling the allocation and sharing of system and data
resources (e.g., memory, file space, CPU cycles, etc.)
 Enforce the conditions of software licenses and respect
software copyright requirements
 All acquired software from any source — vendors, partners,
freeware, etc. — must be examined for malicious code
 Check software for backdoors and trapdoors
9

10. Operational controls
 Either in a data center or a network environment,
establish, document, and enforce operating
procedures for all equipment and software
 Recovery actions
System reboot
Emergency system restart
System cold start
 Types of recovery
Manual recovery
Automated recovery
Automated recovery without undue loss
Function recovery
10

11. Data and Media Controls
 Backup
 Electronic Vaulting
Backup data is sent electronically to the selected
recovery or backup storage location
 Remote Journaling
The same logging procedure used for a database
management system to create the on-site journal is
used to create a second journal at the off-site storage
location
 Database Shadowing
The system creates updates to the production system,
journals them, and sends them to the alternate
computer
11

12. Data and Media Controls Cont…
 Direct Access Storage Devices (DASDs)
 Fault Tolerance
 Network Data mirroring
 Redundant Arrays of Independent Disks (RAID)
Failure Resistant Disk Systems (FRDSs) – protect
against data loss due to disk failure and its
enhancement
Failure Tolerant Disk Systems (FTDSs) - protect
against loss of data access due to failure of any single
component
Disaster Tolerant Disk Systems (DTDSs) - consist of
two or more independent zones, either of which
provides access to stored data
12

13. RAID Levels
 Level 0 -- Striped Disk Array without Fault Tolerance
 Level 1 -- Mirroring and Duplexing
 Level 2 -- Error-Correcting Coding
 Level 3 -- Bit-Interleaved Parity
 Level 4 -- Dedicated Parity Drive
 Level 5 -- Block Interleaved Distributed Parity
 Level 6 -- Independent Data Disks with Double Parity
 Level 10 – A Stripe of Mirrors
13

14. Data and Media Controls Cont…
 Store all media securely
 Encrypt sensitive data
 Track and control all media
 Label media
 Secure all data
 Train users
 Establish and train staff in media transport and transmittal
procedures
 Use a media library/librarian
 Disposal controls
 Object reuse controls
 Access controls
 Data classification controls
14

15. Telecommunications Equipment
 Monitor for errors, inconsistencies, etc
 Penetration tests should be conducted to ensure
that communications controls
 All communications equipment (e.g., bridges,
routers, switches, etc.) should be located in secured
facilities
 Passwords and other sensitive information being
communicated electronically should be encrypted
15

16. Support Systems Controls
 Maintain an environmentally sound data center
 Appropriate temperature
 Humidity levels
 Air quality
 Procedures for the installation, monitoring, and
maintenance of environmental support equipment
16

17. Physical Areas Controls
 Minimize exposure to threats, such as fire, water,
corrosive agents, smoke, and other potential
hazards, from adjacent areas, explosion or shock,
and unobserved unauthorized access
 Guest or visitor log
 Ensure appropriate accountability for an equipment
in and out
17

18. Personnel Controls
 Hiring process, Background Checks
 Supervision of initial job training, ongoing training,
and security awareness training
 Least Privilege
 Separation of duty
 Mandatory Vacation
 Programmers should not be allowed to have
ongoing direct access to computers running
production systems
 Audit Trails
 Vendor service personnel should be escorted
18

19. Change Control Management
 A change is requested by completion of a change request
form
 A change request form is analyzed for validity
 The ways the change could be implemented are analyzed
 The costs associated with the changes are analyzed
 The analysis and change recommendations are recorded
 The change request is given to the change control board for
final decision
 Accepted changes are made and recorded
 The change implementation is submitted to quality control for
approval
19

20. The Problems
 Powerful system utilities
 Powerful system commands
 Superzapping - system utility or application that bypasses all
access controls and audit/logging functions to make updates to
code or data
 Direct control over hardware and software
 Direct control over all files
 Direct control over printers and output queues
 Powerful Input/Output commands
 Direct access to servers
 Initial program load from console
20

21. The Problems Cont…
 Initial program load - IPL from tape
 Control over job schedule and execution
 Control over all storage media
 Bypass label processing
 Re-labeling resources
 Resetting date/time, passwords
 Control of access ports/lines
 Erroneous transactions (fraud)
 Altering proper transactions
 Adding improper transactions
 Denial of service/Delays in operation
 Personal use, Disclosure
 Audit trail/log corruption/modification
21

22. Protected Resources
 Password files
 Application program libraries
 Source code
 Vendor software
 Operating System
 Libraries
 Utilities
 Directories
 Address Tables
 Proprietary packages
 Communications HW/SW
 Main storage
 Disk & tape storage
22

23. Protected Resources Cont…
 Processing equipment
 Stand-alone computers and Printers
 Sensitive/Critical data
 Files
 Programs
 System utilities
 System logs/audit trails
 Violation reports
 Backup files
 Sensitive forms
 Printouts
 People
23

24. The Control
 Accountability
– Personnel reviews - Background checks
– Password management
• Personal
• System
• Maintenance
– Trap door - system or application password included
for ease of vendor maintenance
– Logging of all activities
• Protected/duplicated log
24

25. The Controls Cont…
 Accountability
– Problem reporting and change procedures
• Reports, tracks, resolves problems affecting service
– Reduce failures
– Prevent recurrence
– Reduce impact
• Types - Performance/availability
– Hardware/software
– Environment
– Procedures/Operations
– Network
– Safety/security
25

26. The Controls Cont…
 Least Privilege
– Granular access control over system commands
– Individual access permissions
– Hardware/Software elements & procedures to enable
authorized access and prevent unauthorized access
– Periodic review of access needed/granted
 Separation of Duties
– All changes require approval
– Operational staff should not code or approve changes
• Operating system OR Applications OR Job controls
– Operational staff should not perform security duties
• Security administration
• Network administration
• Application administration
26

27. Separation of Duties - Operator
 Installing system software
 Start up/Shut down
 Backup/recovery
 Mounting disks/tapes
 Handling hardware
 Adding/removing users (?)
27

28. Separation of Duties - Security
 User activities
 Setting clearances
 Setting passwords
 Setting other security characteristics
 Changing profiles
 Setting file sensitivity labels
 Setting security characteristics of devices, communications
channels
 Reviewing audit data
28

29. The Problems
 Physical access to the computer room and devices there
– IS programmers
– Cleaning/maintenance
– Vendor support
– Contract/Temp staff
– Memory content modification
– Microcode changes
– Device shutdown
 Shoulder surfing over Operator’s shoulder
 Physical access to printouts - rerouting
 Access to print queues
 Access to printers
29

30. The Controls
 Authentication & Least Privilege
– Authorization for access to the facility
– Closed shop - physical access controls limiting
access to authorized personnel
– Operations security - controls over resources - HW,
media & operators with access
– System high security - system and all peripherals are
protected at level of highest security classification of
any information housed by the system
– Tempest - reception of electromagnetic emanations
which can be analyzed to disclose sensitive or
protected information
30

31. Environmental Contamination
 Buildup of conductive particles, contaminants
– Circuit boards, micro switches, sensors
– Spontaneous combustion
• National Fire Protection - US computer room fire every 10
min
• 80% unknown causes (HW)
– Causes equipment failure
• Mass storage devices
• Pass through disk drive filters
• Read/write errors, disk crashes
– Government/contractor installations
• Max 100K parts per million in cubic foot of air
• Data center particulates <= 0.5 microns (19.69 microinches)
31

32. The Controls Cont…
 Software Asset Management
– Operating/Backup software inventory
– Backups
• Generations
• Off-site
• Environmental control
• Controlled & authorized access to backups
– COTS Computer Off-the-Shelf Products
– Maintenance accounts/passwords
32

33. The Controls Cont…
 Trusted recovery procedures
– Ensure security not breached during system crash
and recovery
– Requires backup
– Reboot (Crash or power failure)
– Recover file systems (Missing resource)
– Restore files and databases (Inconsistent database)
– Check security files (System compromise)
33

34. Trusted System Operations
 Trusted computer base - HW/FW/SW protected by
appropriate mechanisms at appropriate level of
sensitivity/security to enforce security policy
 Trusted facility management - supports separate operator and
administrator roles (B2)
 Clearly identify security admin functions
 Definition - Integrity
– formal declaration or certification of a product
34

35. Configuration Management
 Controlling modifications to system HW/FW/
SW/Documentation
 Ensure integrity and limiting non-approved changes
 Baseline controls
– policies
– standards
– procedures
– responsibilities
– requirements
– impact assessments
– software level maintenance
35

36. Configuration Management Cont…
 Organized and consistent plan covering
– description of physical/media controls
– electronic transfer of software
– communications software/protocols
– encryption methods/devices
– security features/limitations of software
– hardware requirements/settings/protocols
– system responsibilities/authorities
– security roles/responsibilities
– user needs (sensitivity, functionality)
– audit information and process
– risk assessment results
36

37. Vulnerabilities Summary
 Improper access to system utilities
 Improper access to information
 Improper update of information
 Improper destruction of information
 Improper change to job schedule
 Improper access to printed materials
 Physical access to the computer room
 Physical access to printouts
 Access to print queues
 Denial of service
 Inability to recover from failures
 Fraud
37

38. The Real World
 Operations Controls
– Organizations understaffed, wear too many hats
– Separation of duties seldom complete
– A single password is used by all operators
– System commands are unrestricted on the console
• OR are granted to all operations staff
– Commands are not logged
• OR logs are not reviewed
– Emergency procedures and approvals poorly
defined
– Operations personnel may support system software
• OR perform security functions
38

39. The Real World Cont…
 Operations Controls
– Most of IS and many users have access to facility
– Printouts are laid out for pickup without oversight
– Print queues are openly available to on-line users
– Only some platforms are backed up
– Backups are often stored on site
• In computer room
• OR In an office
– No restrictions are placed on access to backups
– Communications closets open
39

40. Media Controls
 Tapes, disks, diskettes, cards, paper, optical
 Volume labels required
– Human/machine readable
– Date created, created by
– Date to destroy/retention period
– Volume/file name, version
– Classification
 Audit trail
 Separation of responsibility - librarian
 Backup procedures
40

41. Definitions
 Acceptance
– Verification that performance & security requirements have been met
 Accreditation
– Formal acceptance of security adequacy, authorization for operation and
acceptance of existing risk (QC)
 Certification
– Formal testing of security safeguards
 Operational assurance
– Verification that a system is operating according to its security
requirements
• Design & Development reviews
• Formal modeling
• Security architecture
• ISO 9000 quality techniques
 Assurance
– Degree of confidence that the implemented security measures work as
intended
41

42. ?
42