CHAPTER 2 COMPLIANCE AND OPERATIONAL SECURITY

Transcription

1 CHAPTER 2 COMPLIANCE AND OPERATIONAL SECURITY 2.1 EXPLAIN THE IMPORTANCE OF RISK RELATED CONCEPTS. Control types (Technical, Management, Operational) There are many ways to classify controls. Some prefer to have them classified as physical, technical, or administrative, while others use the classification of Technical, Management, and Operational. Technical controls are safeguards incorporated in hardware, software and/or devices. They are sometimes referred to as logical controls. Administrative controls are management controls covering constraints, operational procedures, accountability procedures, etc. Operational controls deal specifically with operational procedures. False positives Some vulnerabilities identified by automated detection tools may not represent real vulnerabilities. When this happens, it is known as a false positive. False negatives Some vulnerabilities may not be properly identified by automated detection tools. When this happens, it is known as a false negative. The key strategy to mitigate these is to keep the threat database updated at all times. Importance of policies in reducing risk Many different types of policies exist to reduce risk. Examples include Privacy policy, Acceptable use, Security policy, Mandatory vacations, Job rotation, Separation of duties, Least privilege, etc. Risk calculation Risk calculation is the process of determining the level of security risk for a network. There are many different ways to perform risk calculation, such as Likelihood assessment, ALE, Impact, SLE, ARO, MTTR, MTTF, MTBF, etc. The Single Loss Expectancy (SLE) model is the model that serves as the foundation of the Annualized Loss Expectancy (ALE) and Cumulative Loss Expectancy (CLE) models. The Annualized rate of occurrence (ARO) characterizes the frequency with which a threat is expected to occur yearly. The Exposure factor (EF) tells the magnitude of loss on the value of an asset.

2 Quantitative vs. qualitative Qualitative assessment relies heavily on professional judgment, while quantitative methods are more statistical and based upon actual numbers. Vulnerabilities A threat indicates a potential occurrence, while a vulnerability is a weakness. Countermeasures are used to address the vulnerabilities. Threat vectors A threat is an undesired event and a potential occurrence, while a threat vector describes the method a threat uses to reach the target. Probability / threat likelihood Likelihood assessment are performed to estimate the frequency or chance of a threat happening. It takes into account the presence, tenacity, and strengths of threats. Simply put, it is about probability of occurrence. Risk avoidance, transference, acceptance, mitigation, deterrence When dealing with risks there are different strategies. These include risk avoidance, transference, acceptance, mitigation, and deterrence. Each describes a security behavior and design model including approaches that achieve the specific strategy. Risks associated with Cloud Computing and Virtualization Cloud Computing and Virtualization are not without risks. For cloud computing, the service provider is in charge of the actual implementation and must be relied upon to secure the connection and data. For virtualization, when the hosting platform is compromised every virtualized environment being hosted is at risk. Recovery time objective and recovery point objective Recovery Time Objective (RTO) defines the time frame between an unplanned interruption and the resumption at a reduced level of service. Recovery Point Objective (RPO) defines how much work in progress can be lost.

3 2.2 DESIGN A NAME RESOLUTION SOLUTION STRATEGY On boarding/off boarding business partners In the context of identity management, onboarding means adding a new employee or business partner to the identity and access management system. Offboarding is the opposite. Social media networks and/or applications Social media networks (Facebook, Twitter etc) may become a serious security threat when employees are free to share information with strangers. A policy must be in place to ensure internal information is not being shared over those platforms. Interoperability agreements (SLA, BPA, MOU, ISA) There are different types of interoperability agreements, including SLA, BPA, MOU, and ISA.With a service level agreement (SLA), the level of service is formally defined and legally binding. A Memorandum of Understanding (MOU) is different in that it is not necessarily legally binding. A Blanket Purchase Agreement (BPA) is nothing more than a pre arranged purchase agreement. Privacy considerations The HIPAA Privacy Rule requires a covered entity to make reasonable efforts to limit use, disclosure of, and requests for protected health information, to the minimum necessary for accomplishing the intended purpose. Protecting privacy is needed to avoid legal liabilities. Risk awareness To ensure successful security training, the factors of Risk Awareness, Training and Education must be considered. Security awareness must be promoted to top management, and should be done by performing information security education/training. Unauthorized data sharing Unauthorized data sharing is obviously a huge security risk and must be prohibited. All staff members should be made aware of and agree to this policy. Data ownership Ownership of company data and critical information should be assigned to capable individuals, with responsibilities fully defined and accepted.

4 Data backups The frequency of the data backups depends on the frequency of changes and the criticality of the data. Backup copies of the critical data must always be maintained. Less critical end user data should be backed up following a frequency determined by the user. Follow security policy and procedures Security policy and procedures must be followed. A Baseline Security Policy is a top level directive statement that sets the minimum standards of a security specification for all departments. Security Guidelines should introduce general concepts and elaborate interpretations on the Baseline Policy. Review agreement requirements to verify compliance and performance standards It is important to review the agreement requirements as well as to verify the relevant compliance and performance standards. This is a security concern and also a legal concern. 2.3 GIVEN A SCENARIO, IMPLEMENT APPROPRIATE RISK MITIGATION STRATEGIES. Change management Change controls are for regulating changes to system. The purpose of Change Management is to establish and maintain the integrity of the system change process. Incident management Incident management is the process of responding to and controlling an incident following the emergency response procedures. User rights and permissions reviews Access rights reviews are user rights and permissions reviews intended to reduce unwarranted data access by aligning user rights and permissions with the overall security policy. Setting up a proper review workflow is important for making a repeatable process for effective permissions management. Perform routine audits The board and senior management should ensure that the security program is independently reviewed by the internal or external auditor, at least annually. Additionally, they should review and approve the associating audit report.

5 Enforce policies and procedures to prevent data loss or theft An enforcement mechanism for the various policies and procedures is needed to prevent data loss or theft in a practical way. Policies must be enforced or they are meaningless. Enforce technology controls Data Loss Prevention (DLP) Data loss prevention (DLP) attempts to detect and prevent potential data breach through monitoring and detecting when sensitive data is being used, in motion and at rest (i.e. data storage). Some other terms associated with it includes Information Leak Detection and Prevention (ILDP) and Information Leak Prevention (ILP). 2.4 GIVEN A SCENARIO, IMPLEMENT BASIC FORENSIC PROCEDURES. Order of volatility When collecting data for a forensic investigation, there is an order of volatility that you should follow since some data will be lost faster than the others. In the case of computer systems, follow this order: RAM contents > Swap space > Network processes > System processes > File system > Raw data blocks Capture system image After capturing an image of a running system (system image) in addition to an image of the storage system, perform memory analysis to check and examine the state of the system accordingly. Network traffic and logs Network traffic logs are used to check for suspicious traffic. There are a lot of free tools that can be used for this purpose. Keep in mind, the traffic data logged through devices (firewalls, IDS, etc.) is very useful for tracing back to the source of the attack. Capture video and Record time offset Through special software it is possible to capture video of what is happening on another network computer. Record offset is simply the intentional misplacement of the recorded video.

6 Take hashes Hashing is a process that cuts down large inputs to something smaller and fixed in size. During the forensics process, certain cryptographic hashing algorithms (such as MD5 and SHA 1) are especially useful. Hashes may be used to identify and even remove junk data, de duplicate files, and also to form a solid foundation of evidence security. Screenshots Screenshots are captures from a desktop of the activity occurring at the time of the capture. Screenshots can be valuable evidence in a forensic case. Witnesses Human witnesses may be asked to testify in court. Typically, a key witness statement must be obtained in order to place charges against the suspect. Track man hours and expense During the investigation effort, the man hours and expense should be tracked to determine the costs involved. Chain of custody Chain of Custody refers to the movement and location of evidence from the time it is acquired until it is presented in court. Hashes form a solid foundation of evidence security (through comparing hash values). Big Data analysis Big data analysis involves examining an extremely large amount of different types of data (referred to as big data) so as to discover hidden patterns and unknown correlations. 2.5 SUMMARIZE COMMON INCIDENT RESPONSE PROCEDURES. Preparation For proper Incident Response preparation, steps to be taken during an incident response effort must be planned and cover general and specific courses of action for an organization.

7 Incident identification The person who discovers the incident must notify the IR team. Possible sources of personnel who may discover the incident should be identified. Also, these identified sources should be equipped with the proper contact procedure and contact list. Escalation and notification Procedures for escalation and notification should be planned. Generally, when an incident involves Personal Information or Protected Information, it should be escalated to the attention of someone higher up in the management structure, such as the Chief Information Security Officer, to create an incident response report. Mitigation steps Procedures to mitigate should be planned based upon the incident assessment. Possible types of procedures which cover the mitigation steps may include Worm response procedure, Virus response procedure, System failure procedure, Active intrusion response procedure, Inactive Intrusion response procedure, System abuse procedure, Property theft response procedure, Denial of service response procedure, Spyware response procedure, etc. Lessons learned After the incident, the team should come together to review and discuss the lessons learned so that the incident response plan can be augmented via creation of additional procedures as needed. Reporting After an incident is adequately and properly handled, a report should be issued to detail the root cause and total cost of the incident. This report should also talk about the steps that should be taken to prevent future incidents. Recovery/reconstitution procedures At the Recovery stage there are recovery/reconstitution procedures to be performed. They may be performed when active incident response is no longer needed to successfully resolve the case. The activities needed may include evidence collection, analysis and investigation, forensics, remediation, and full recovery. Common resolutions for correcting system vulnerability usually involve upgrading and patching. Some alternatives include physical, network, host, and access restrictions. First responder The staff member who discovered the incident should refer to his contact list for management personnel and incident response members to be contacted. Those designated on the list should be notified.

8 Incident isolation (Quarantine, Device removal) Incident isolation means containment. Resources with vulnerabilities found should be contained until the vulnerabilities are resolved. Activities may include Quarantine and Device removal. Data breach When there is a data breach, the way to handle it depends on the type of data involved. It should be based on a proper data classification scheme. Damage and loss control In terms of damage and loss control, the ultimate goal is to limit damage and reduce recovery time. This is considered reactive rather than proactive. Best practice is to proactively avoid damage whenever possible. 2.6 EXPLAIN THE IMPORTANCE OF SECURITY RELATED AWARENESS AND TRAINING. Security policy training and procedures Security awareness is made possible by providing security policy training and procedures, possibly via computer based training or by supplying specialized security awareness education material. Staff should be provided with guidance to help them understand the material. Role based training Some suggest that the best possible security training strategy is role based, which centers the training in the context of the role and what it takes to perform the role securely. Personally identifiable information Personally identifiable information (PII) is a term that can be found in US privacy law. It refers to information that can be useful to identify, contact, or identify an individual in context.

9 Information classification (High, Medium, Low, Confidential, Private, Public) Proper security measures should be implemented based on the classification of information. It is common to classify information into High, Medium, Low, Confidential, Private, and Public. Different classes of information define the levels of security protection needed based upon the level of data sensitivity and subsequent impact. Normally, public information when exposed produces very little risk. Data labeling, handling and disposal A proper Data Management Program to perform data labeling, handling and disposal is key in providing maximum economy and efficiency in the creation, labeling, use, maintenance, and disposition of data. The goal is to ensure data is retained as long as needed and unneeded data is not created or retained beyond its usefulness. Furthermore, a data disposition schedule may be used to specify the length of time and the manner in which data is retained or disposed. Compliance with laws, best practices and standards Whatever security policies are implemented, they should always ensure compliance with the relevant laws, best practices and standards. User habits (Password behaviors, Data handling, Clean desk policies, Prevent tailgating, Personally owned devices) User habits play an important role in security. Things like Password behaviors, Data handling, Clean desk policies, Prevent tailgating, and Personally owned devices must be properly addressed. Tailgating is the act of an unauthorized individual who follows someone to a restricted area without consent. Physical security measures can stop this. Also note that good password behavior is always related to training, awareness, monitoring, and motivation. New threats and new security trends/alerts (New viruses, Phishing attacks, Zero day exploits) New viruses, Phishing attacks, Zero day exploits, etc., are considered new threats that come alongside new security trends and alerts. Phishing applies primarily to appearing to come from a legitimate business requesting "verification" of information. Zero day exploit is exploiting a previously unknown vulnerability when the developer hasn t had time to address it.

10 Use of social networking and P2P The use of social networking and P2P platforms has given rise to risks particularly related to social engineering attacks. These manipulate people into performing actions or divulging confidential information. Training must be done to address this. Follow up and gather training metrics to validate compliance and security posture For a training effort to succeed, one must follow up by gathering training metrics to validate the resulting compliance and security posture. The training efforts must be evaluated and reviewed so improvements to the level of compliance and security posture can be validated. 2.7 GIVEN A SCENARIO, IMPLEMENT APPROPRIATE RISK MITIGATION STRATEGIES. Environmental controls Environmental controls should be in place to ensure equipments are protected from natural disasters. There are different types of environmental controls available. They include HVAC, Fire suppression, EMI shielding, Hot and cold aisles, Environmental monitoring, Temperature and humidity controls. Physical security Effective physical security measures aim to protect against unauthorized access, damage, or interference. The requirements and placement of each physical security measures should be determined based upon the value of the information assets being protected. Possible measures include Hardware locks, Mantraps, Video Surveillance, Fencing, Proximity readers, Access list, Proper lighting, Signs, Guards, Barricades, Biometrics, Protected distribution of cabling, Alarms, and Motion detection. Control types As previously mentioned, there are many different types of control, such as Deterrent, Preventive, Detective, Compensating, Technical, and Administrative. From an IS point of view, controls may be generally classified as physical, technical, or administrative in nature. Some suggest that they be further classified as either preventive or detective.

11 2.8 SUMMARIZE RISK MANAGEMENT BEST PRACTICES. Business continuity concepts In the context of business continuity, there are many different terms, including Business impact analysis, Identification of critical systems and components, Removing single points of failure, Business continuity planning and testing, Risk assessment, Continuity of operations, Disaster recovery, IT contingency planning, Succession planning, High availability, Redundancy, and Tabletop exercises. Business Continuity comprises all plans and procedures that ensure the continuity of business operations at the company's site and its satellite locations in the event of an incident leading to closure of facilities. A business continuity plan should permit an organization to resume operations as soon as possible given the scope and severity of disruption. Fault tolerance Hardware based solutions such as RAID, Clustering, and Load balancing are all measures for fault tolerance. Fault tolerance is used to maximize possible up time and resource availability for a network. RAID involves multiple drives. Clustering involves multiple servers. Load balancing can also allow the workload to be shared. Disaster recovery concepts In the field of disaster recovery, there are many concepts available, including Backup plans/policies, Backup execution/frequency, Cold site, Hot site, and Warm site. Backups may be made locally or remotely. Backup copies of the OS, the application software and all the critical data must be made on a regular basis. The frequency depends largely on the frequency of changes made as well as the criticality of the information. Generally, applications with high transaction volumes should have data backups made more frequently. A cold site is simply a spare location without hardware and software. A hot site is a duplicate of the original site. A warm site is a cheaper, in between solution. 2.9 GIVEN A SCENARIO, SELECT THE APPROPRIATE CONTROL TO MEET THE GOALS OF SECURITY. Confidentiality (Encryption, Access controls, Steganography) The CIA triad stands for Confidentiality, Integrity and Availability, which are the key principles that should be guaranteed. In terms of C, the valid measures are Encryption, Access controls, and Steganography.

12 Integrity (Hashing, Digital signatures, Certificates, Non repudiation) The CIA triad stands for Confidentiality, Integrity and Availability, which are the key principles that should be guaranteed. In terms of I, the appropriate measures are Hashing, Digital signatures, Certificates, and Non repudiation. Availability (Redundancy, Fault tolerance, Patching) The CIA triad stands for Confidentiality, Integrity and Availability, which are the key principles that should be guaranteed. In terms of A, the appropriate measures include Redundancy, Fault tolerance, and Patching. Safety (Fencing, Lighting, Locks, CCTV, Escape plans, Drills, Escape routes, Testing controls) The CIA triad does not have a Safety element. In terms of safety, the measures are primarily physical, such as Fencing, Lighting, Locks, CCTV, etc. Escape plans, Drills, Escape routes, and Testing controls are important items that should be covered in a safety plan.