Chapter 8: Communications and Operations Security

Security Program and
Policies
Principles and Practices
by Sari Stern Greene
Chapter 8: Communications and Operations Security

Copyright 2014 Pearson Education, Inc. 2
Objectives
❑ Author useful standard operating procedures
❑ Implement change control processes
❑ Understand the importance of patch management
❑ Protect information systems against malware
❑ Consider data backup and replication strategies
❑ Recognize the security requirements of email and
email systems
❑ Appreciate the value of log data and analysis
❑ Evaluate service provider relationships
❑ Write policies and procedures to support operational
and communications security

Standard Operating Procedures
(SOPs)
❑ SOPs provide direction to improve
communication, reduce training time, and improve
work consistency
❑ SOPs should be documented to protect the
company from the pitfalls of institutional
knowledge
■ If a business process is only known by one employee,
and that employee becomes unavailable, how is this
process going to be performed successfully?

Cont.
■ SOPs should be written in as simple a style
as possible for all to clearly understand the
procedures
■ SOPs should include all steps of a given
procedure
■ SOPs should not be overly detailed and
should remain clear

Cont.
■ If a procedure contains less than 10 steps, it
should be presented in step format
■ If a procedure contains 10 steps or more, but
few decisions, it should be presented in a
graphical format or a hierarchical format
■ If a procedure requires many decisions, then
it should be presented as a flowchart

Cont.
■ After a procedure has been researched,
documented, reviewed, and tested, it should
be authorized by the process owner
■ The integrity of the SOP documents must be
protected so that employees don’t follow
instructions that have been maliciously
tampered with

Cont.
■ The change management process must be
defined so that the SOPs mirror the evolution
of the business processes
■ All revisions of the SOP documents must be
reviewed and approved by the process owner

Operational Change Control
■ Change control: Internal procedure by which only
authorized changes are made to software, hardware,
network access privileges, or business processes
■ Change control process
❑ Starts with a Request for Change (RFC)
❑ Description of the proposed change
❑ Justification why the change should be implemented
❑ Impact of not implementing the change
❑ Alternatives
❑ Cost
❑ Resource requirements and timeframe
❑ The change is then evaluated and if approved implemented

Operational Change Control Cont.
■ Change control plan
❑ Developed after the change is approved
❑ Components
■ Security review to ensure no new vulnerabilities are introduced
■ Implementation instructions
■ Rollback and/or recovery options
■ Post implementation monitoring
■ Change must be communicated to all relevant parties
❑ Two categories of messages
■ Messages about the change
■ Messages how the change will impact employees
■ All actions should be documented throughout the
implementation process

Why Is Patching Handled
Differently
■ Patch
❑ Software or code designed to fix a problem
■ Security patching is the primary method of fixing
security vulnerabilities
■ Patches need to be applied quickly
■ Patch management
❑ The process of scheduling, testing, approving, and
applying security patches
❑ Patching could be unpredictable and disruptive
❑ User should be notified of potential downtime

Malware Protection
■ Malware
❑ Short for malicious software
❑ Software designed to disrupt computer operation,
gather sensitive information, or gain unauthorized
access to computer systems and mobile devices
❑ It can be bundled with other programs or self-
replicated
❑ Typically requires user interaction

Malware Protection cont.
■ Malware categories
❑ Virus
❑ Worm
❑ Trojans
❑ Bots
❑ Ransomware
❑ Rootkits
❑ Spyware/adware
❑ Hybrid

How Is Malware Controlled
■ Prevention controls
❑ Stop an attack before it occurs
■ Detection controls
❑ Identify the presence of malware, alert the user,
and prevent the malware from carrying out its
mission

What Is Antivirus Software?
■ Used to detect, contain, and in some cases
eliminate malicious software
■ Most AV software employs two techniques
❑ Signature-based recognition
❑ Behavior-based (heuristic) recognition

Data Replication
■ Data Replication
❑ The process of copying data to a second location that is available
for immediate or near-time use
■ Data backup
❑ The process of copying and storing data that can be restored to
its original location
■ Failure to back up threatens data availability and data
integrity
❑ Lost/corrupt data can also have a negative impact on the
company:
■ Financially
■ Legally
■ PR-wise

Is There a Recommended Backup or
Replication Strategy?
❑ The following aspects should be considered when
the strategy is designed:
■ Reliability
■ Speed
■ Simplicity
■ Ease of use
■ Security of the stored information
❑ Backed-up or replicated data should be stored at
an off-site location in an environment secured
from theft, the elements, and natural disasters

The Importance of Testing
❑ If the company relies on backup to protect data
integrity and availability, then it needs to be sure
that the information stored on the backup media is
restorable in case of an incident
❑ Just as it is important that a backup would take
place according to a set schedule, test restores
should also be officially scheduled

Securing Messaging
❑ E-mail is, by default, an insecure way to transmit
information
❑ Unless optional encryption is added to the e-mail
solution, no confidential information should EVER
be sent via e-mail
❑ Inherently, e-mail does not employ ANY
encryption, and all information sent is sent in clear
text

Securing Messaging Cont.
■ Employees should not commit any
information to email that they would not feel
comfortable writing on company letterhead
■ Employees must be trained to understand the
risks and responsibilities associated with
using e-mail as a business tool in a corporate
environment

■ Documents sent as e-mail attachments might
contain more information than the sender
intended to share
❑ Metadata
■ Details about a file that describes or identifies it, such as
title, author name, subjects, and keywords
■ E-mail is an effective method of distributing
malware
❑ Can be embedded in an attachment
❑ Sent as a hyperlink

■ Incoming attachments may contain a malicious
payload:
❑ Virus
❑ Worm
❑ Trojan
❑ Other malicious scripts
❑ Hoax
■ Users must be trained to be suspicious toward
attachments
■ Access to personal email accounts should not
be allowed from the corporate network

■ Common e-mail-related mistakes
❑ Hitting the wrong button: using “reply all” as
opposed to “reply” or “forward” instead of “reply”
❑ Sending an e-mail to the wrong e-mail address
because it is close to the intended recipient’s
❑ Leaving an entire string of replies in an e-mail
forwarded to a third person who should not have
been privy to some of the information discussed in
earlier e-mails
■ Training users is paramount to e-mail security

Are E-Mail Servers at Risk?
■ Compromising the e-mail server
❑ Relay abuse
■ Involves using the mail server to distribute spam and malware
❑ A denial of service attack against an e-mail is an
attack against the availability of the service
❑ The e-mail server should be set up so that it does not
allow an open relay of SMTP traffic. Failure do to so
implies two issues:
■ The e-mail server will be used by unscrupulous spammers
■ The domain name used for e-mail purposes will be blacklisted

Activity Monitoring and Log
Analysis
■ Log: A record of the vents occurring within an
organization’s systems and networks
■ Almost every device and application on the
network can log activity
■ Log management
❑ Configuring the log sources, including log generation,
storage, and security
❑ Performing analysis of log data
❑ Initiating appropriate responses to identified events
❑ Managing the long-term storage of log data

Analyzing Logs
■ Log analysis techniques
❑ Correlation
❑ Sequencing
❑ Signature
❑ Trend analysis

Service Provider Oversight
■ Service providers include vendors, contractors,
business partners and affiliates who store,
process, transmit, or access company
information on company information systems
■ Service providers internal controls should meet
or exceed those of the contracting organization
■ Due diligence is the process used to assess the
adequacy of service providers
■ SSAE16 audit reports are the most widely
accepted due diligence documentation

Summary
■ Day-to-day activities can have a huge impact on the security of the
network and the data it contains. SOPs are important in providing a
consistent framework across the company.
■ Change must be managed. Two mandatory components of a
change management process are RFC documents and a change
control plan.
■ Malware is becoming the tool of choice for criminals to exploit
devices, operating systems, applications, and user vulnerabilities.
Many types of malware exist and companies should protect against
them.
■ Sound backup strategies should be developed, tested, authorized
and implemented. E-mail, while being a fantastic business tool, is
also a double-edge sword because of its inherent lack of built-in
security and must be treated as such.
■ Operational security extends to service providers. Service provider
controls should meet or exceed those of the company.

Chapter 8: Communications and Operations Security

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (6)

Similar to Chapter 8: Communications and Operations Security

Similar to Chapter 8: Communications and Operations Security (20)

More from Nada G.Youssef

More from Nada G.Youssef (16)

Recently uploaded

Recently uploaded (20)

Chapter 8: Communications and Operations Security