CHAPTER Operations Security This chapter presents the following: • Administrative management responsibilities • Operations department responsibilities • Configuration management • Trusted recovery states • Redundancy and fault-tolerant systems • E-mail security • Threats to operations security Operations security pertains to everything that takes place to keep networks, computer systems, applications, and environments up and running in a secure and protected manner It consists of ensuring that people, applications, and servers have the proper access privileges to only the resources they are entitled to and that oversight is implemented via monitoring, auditing, and reporting controls Operations take place after the network is developed and implemented This includes the continual maintenance of an environment and the activities that should take place on a day-to-day or week-toweek basis These activities are routine in nature and enable the network and individual computer systems to continue running correctly and securely Networks and computing environments are evolving entities; just because they are secure one week does not mean they are still secure three weeks later Many companies pay security consultants to come in and advise them on how to improve their infrastructure, policies, and procedures A company can then spend thousands or even hundreds of thousands of dollars to implement the consultant’s suggestions, install properly configured firewalls, intrusion detection systems (IDSs), antivirus software, and patch management systems However, if the IDS and antivirus software not continually have updated signatures, if the systems are not continually patched, if firewalls and devices are not tested for vulnerabilities, or if new software is added to the network and not added to the operations plan, then the company can easily slip back into an insecure and dangerous place This can happen if the company does not keep its operations security tasks up-to-date Most of the necessary operations security issues have been addressed in earlier chapters They were integrated with related topics and not necessarily pointed out as actual operations security issues So instead of repeating what has already been stated, 1027 12 CISSP All-in-One Exam Guide 1028 this chapter reviews and points out the operations security topics that are important for organizations and CISSP candidates The Role of the Operations Department I am a very prudent man Response: That is debatable The continual effort to make sure the correct policies, procedures, standards, and guidelines are in place and being followed is an important piece of the due care and due diligence efforts that companies need to perform Due care and due diligence are comparable to the “prudent person” concept A prudent person is seen as responsible, careful, cautious, and practical, and a company practicing due care and due diligence is seen in the same light The right steps need to be taken to achieve the necessary level of security, while balancing ease of use, compliance with regulatory requirements, and cost constraints It takes continued effort and discipline to retain the proper level of security Operations security is all about ensuring that people, applications, equipment, and the overall environment are properly and adequately secured Although operations security is the practice of continual maintenance to keep an environment running at a necessary security level, liability and legal responsibilities also exist when performing these tasks Companies, and senior executives at those companies, often have legal obligations to ensure that resources are protected, safety measures are in place, and security mechanisms are tested to guarantee they are actually providing the necessary level of protection If these operations security responsibilities are not fulfilled, the company may have more than antivirus signatures to be concerned about An organization must consider many threats, including disclosure of confidential data, theft of assets, corruption of data, interruption of services, and destruction of the physical or logical environment It is important to identify systems and operations that are sensitive (meaning they need to be protected from disclosure) and critical (meaning they must remain available at all times) (Refer to Chapter 10 to learn more about the legal, regulatory, and ethical responsibilities of companies when it comes to security.) It is also important to note that while organizations have a significant portion of their operations activities tied to computing resources, they still also rely on physical resources to make things work, including paper documents and data stored on microfilm, tapes, and other removable media A large part of operations security includes ensuring that the physical and environmental concerns are adequately addressed, such as temperature and humidity controls, media reuse, disposal, and destruction of media containing sensitive information Overall, operations security is about configuration, performance, fault tolerance, security, and accounting and verification management to ensure that proper standards of operations and compliance requirements are met Administrative Management I think our tasks should be separated, because I don’t trust you Response: Fine by me Administrative management is a very important piece of operations security One aspect of administrative management is dealing with personnel issues This includes Chapter 12: Operations Security 1029 separation of duties and job rotation The objective of separation of duties is to ensure that one person acting alone cannot compromise the company’s security in any way High-risk activities should be broken up into different parts and distributed to different individuals or departments That way, the company does not need to put a dangerously high level of trust in certain individuals For fraud to take place, collusion would need to be committed, meaning more than one person would have to be involved in the fraudulent activity Separation of duties, therefore, is a preventive measure that requires collusion to occur in order for someone to commit an act that is against policy Table 12-1 shows many of the common roles within organizations and their corresponding job definitions Each role needs to have a completed and well-defined job description Security personnel should use these job descriptions when assigning access rights and permissions in order to ensure that individuals have access only to those resources needed to carry out their tasks Table 12-1 contains just a few roles with a few tasks per role Organizations should create a complete list of roles used within their environment, with each role’s associated tasks and responsibilities This should then be used by data owners and security personnel when determining who should have access to specific resources and the type of access Separation of duties helps prevent mistakes and minimize conflicts of interest that can take place if one person is performing a task from beginning to end For instance, a programmer should not be the only one to test her own code Another person with a different job and agenda should perform functionality and integrity testing on the Organizational Role Core Responsibilities Control Group Obtains and validates information obtained from analysts, administrators, and users and passes it on to various user groups Systems Analyst Designs data flow of systems based on operational and user requirements Application Programmer Develops and maintains production software Help Desk/Support Resolves end-user and system technical or operations problems IT Engineer Performs the day-to-day operational duties on systems and applications Database Administrator Creates new database tables and manages the database Network Administrator Installs and maintains the LAN/WAN environment Security Administrator Defines, configures, and maintains the security mechanisms protecting the organization Tape Librarian Receives, records, releases, and protects system and application files backed up on media such as tapes or disks Quality Assurance Can consist of both Quality Assurance (QA) and Quality Control (QC) QA ensures that activities meet the prescribed standards regarding supporting documentation and nomenclature QC ensures that the activities, services, equipment, and personnel operate within the accepted standards Table 12-1 Roles and Associated Tasks CISSP All-in-One Exam Guide 1030 programmer’s code, because the programmer may have a focused view of what the program is supposed to accomplish and thus may test only certain functions and input values, and only in certain environments Another example of separation of duties is the difference between the functions of a computer user and the functions of a security administrator There must be clear-cut lines drawn between system administrator duties and computer user duties These will vary from environment to environment and will depend on the level of security required within the environment System and security administrators usually have the responsibility of performing backups and recovery procedures, setting permissions, adding and removing users, and developing user profiles The computer user, on the other hand, may be allowed to install software, set an initial password, alter desktop configurations, and modify certain system parameters The user should not be able to modify her own security profile, add and remove users globally, or make critical access decisions pertaining to network resources This would breach the concept of separation of duties Job rotation means that, over time, more than one person fulfills the tasks of one position within the company This enables the company to have more than one person who understands the tasks and responsibilities of a specific job title, which provides backup and redundancy if a person leaves the company or is absent Job rotation also helps identify fraudulent activities, and therefore can be considered a detective type of control If Keith has performed David’s position, Keith knows the regular tasks and routines that must be completed to fulfill the responsibilities of that job Thus, Keith is better able to identify whether David does something out of the ordinary and suspicious (Refer to Chapter for further examples pertaining to job rotation.) Least privilege and need to know are also administrative-type controls that should be implemented in an operations environment Least privilege means an individual should have just enough permissions and rights to fulfill his role in the company and no more If an individual has excessive permissions and rights, it could open the door to abuse of access and put the company at more risk than is necessary For example, if Dusty is a technical writer for a company, he does not necessarily need to have access to the company’s source code So, the mechanisms that control Dusty’s access to resources should not let him access source code This would properly fulfill operations security controls that are in place to protect resources Least privilege and need to know have a symbiotic relationship Each user should have a need to know about the resources that he is allowed to access If Mike does not have a need to know how much the company paid last year in taxes, then his system rights should not include access to these files, which would be an example of exercising least privilege The use of new identity management software that combines traditional directories, access control systems, and user provisioning within servers, applications, and systems is becoming the norm within organizations This software provides the capabilities to ensure that only specific access privileges are granted to specific users and it often includes advanced audit functions that can be used to verify compliance to legal and regulatory directives A user’s access rights may be a combination of the least-privilege attribute, the user’s security clearance, the user’s need to know, the sensitivity level of the resource, and the mode in which the computer operates A system can operate in different modes depending on the sensitivity of the data being processed, the clearance level of the users, and Chapter 12: Operations Security 1031 what those users are authorized to The mode of operation describes the conditions under which the system actually functions These are clearly defined in Chapter Mandatory vacations are another type of administrative control, though the name may sound a bit odd at first Chapter touches on reasons to make sure employees take their vacations Reasons include being able to identify fraudulent activities and enabling job rotation to take place If an accounting employee has been performing a salami attack by shaving off pennies from multiple accounts and putting the money into his own account, a company would have a better chance of figuring this out if that employee is required to take a vacation for a week or longer When the employee is on vacation, another employee has to fill in She might uncover questionable documents and clues of previous activities, or the company may see a change in certain patterns once the employee who is committing fraud is gone for a week or two It is best for auditing purposes if the employee takes two contiguous weeks off from work to allow more time for fraudulent evidence to appear Again, the idea behind mandatory vacations is that, traditionally, those employees who have committed fraud are usually the ones who have resisted going on vacation because of their fear of being found out while away Security and Network Personnel The security administrator should not report to the network administrator, because their responsibilities have different focuses The network administrator is under pressure to ensure high availability and performance of the network and resources and to provide the users with the functionality they request But many times this focus on performance and user functionality is at the cost of security Security mechanisms commonly decrease performance in either processing or network transmission because there is more involved: content filtering, virus scanning, intrusion detection prevention, anomaly detection, and so on Since these are not the areas of focus and responsibility of many network administrators, a conflict of interest could arise The security administrator should be within a different chain of command from that of the network personnel, to ensure that security is not ignored or assigned a lower priority The following list lays out tasks that should be carried out by the security administrator, not the network administrator: • Implements and maintains security devices and software Despite some security vendors’ claims that their products will provide effective security with “set it and forget it” deployments, security products require monitoring and maintenance in order to provide their full value Version updates and upgrades may be required when new capabilities become available to combat new threats, and when vulnerabilities are discovered in the security products themselves • Carries out security assessments As a service to the business that the security administrator is working to secure, a security assessment leverages the knowledge and experience of the security administrator to identify vulnerabilities in the systems, networks, software, and in-house developed products used by a business These security assessments enable the business to understand the risks it faces, and make sensible business decisions about CISSP All-in-One Exam Guide 1032 products and services it considers purchasing, and risk mitigation strategies it chooses to fund versus risks it chooses to accept, transfer (by buying insurance), or avoid (by not doing something it had earlier considered doing, but isn’t worth the risk or risk mitigation cost) • Creates and maintains user profiles and implements and maintains access control mechanisms The security administrator puts into practice the security policies of least privilege, and oversees accounts that exist, along with the permissions and rights they are assigned • Configures and maintains security labels in mandatory access control (MAC) environments MAC environments, mostly found in government and military agencies, have security labels set on data objects and subjects Access decisions are based on comparing the object’s classification and the subject’s clearance, as covered extensively in Chapter It is the responsibility of the security administrator to oversee the implementation and maintenance of these access controls • Sets initial passwords for users New accounts must be protected from attackers who might know patterns used for passwords, or might find accounts that have been newly created without any passwords and take over those accounts before the authorized user accesses the account and changes the password The security administrator operates automated new password generators, or manually sets new passwords, and then distributes them to the authorized user so attackers cannot guess the initial or default passwords on new accounts, and so new accounts are never left unprotected • Reviews audit logs While some of the strongest security protections come from preventive controls (such as firewalls that block unauthorized network activity), detective controls such as reviewing audit logs are also required The firewall blocked 60,000 unauthorized access attempts yesterday The only way to know if that’s a good thing or an indication of a bad thing is for the security administrator (or automated technology under his control) to review those firewall logs to look for patterns If those 60,000 blocked attempts were the usual low-level random noise of the Internet, then things are (probably) normal, but if those attempts were advanced and came from a concentrated selection of addresses on the Internet, a more deliberate (and more possibly successful) attack may be underway The security administrator’s review of audit logs detects bad things as they occur and, hopefully, before they cause real damage Accountability You can’t prove that I did it Response: Ummm, yes we can Users’ access to resources must be limited and properly controlled to ensure that excessive privileges not provide the opportunity to cause damage to a company and its resources Users’ access attempts and activities while using a resource need to be properly monitored, audited, and logged The individual user ID needs to be included Chapter 12: Operations Security 1033 in the audit logs to enforce individual responsibility Each user should understand his responsibility when using company resources and be accountable for his actions Capturing and monitoring audit logs helps determine if a violation has actually occurred or if system and software reconfiguration is needed to better capture only the activities that fall outside of established boundaries If user activities were not captured and reviewed, it would be very hard to determine if users have excessive privileges or if there has been unauthorized access Auditing needs to take place in a routine manner Also, someone needs to review audit and log events If no one routinely looks at the output, there really is no reason to create logs Audit and function logs often contain too much cryptic or mundane information to be interpreted manually This is why products and services are available that parse logs for companies and report important findings Logs should be monitored and reviewed, through either manual or automatic methods, to uncover suspicious activity and to identify an environment that is shifting away from its original baselines This is how administrators can be warned of many problems before they become too big and out of control (See Chapters 3, 6, and 10 for auditing, logging, and monitoring issues.) When monitoring, administrators need to ask certain questions that pertain to the users, their actions, and the current level of security and access: • Are users accessing information and performing tasks that are not necessary for their job description? The answer would indicate whether users’ rights and permissions need to be reevaluated and possibly modified • Are repetitive mistakes being made? The answer would indicate whether users need to have further training • Do too many users have rights and privileges to sensitive or restricted data or resources? The answer would indicate whether access rights to the data and resources need to be reevaluated, whether the number of individuals accessing them needs to be reduced, and/or whether the extent of their access rights should be modified Clipping Levels I am going to keep track of how many mistakes you make Companies can set predefined thresholds for the number of certain types of errors that will be allowed before the activity is considered suspicious The threshold is a baseline for violation activities that may be normal for a user to commit before alarms are raised This baseline is referred to as a clipping level Once this clipping level has been exceeded, further violations are recorded for review Most of the time, IDS software is used to track these activities and behavior patterns, because it would be too overwhelming for an individual to continually monitor stacks of audit logs and properly identify certain activity patterns Once the clipping level is exceeded, the IDS can e-mail a message to the network administrator, send a message to his pager, or just add this information to the logs, depending on how the IDS software is configured The goal of using clipping levels, auditing, and monitoring is to discover problems before major damage occurs and, at times, to be alerted if a possible attack is underway within the network CISSP All-in-One Exam Guide 1034 NOTE The security controls and mechanisms that are in place must have a degree of transparency This enables the user to perform tasks and duties without having to go through extra steps because of the presence of the security controls Transparency also does not let the user know too much about the controls, which helps prevent him from figuring out how to circumvent them If the controls are too obvious, an attacker can figure out how to compromise them more easily Assurance Levels When products are evaluated for the level of trust and assurance they provide, many times operational assurance and life-cycle assurance are part of the evaluation process Operational assurance concentrates on the product’s architecture, embedded features, and functionality that enable a customer to continually obtain the necessary level of protection when using the product Examples of operational assurances examined in the evaluation process are access control mechanisms, the separation of privileged and user program code, auditing and monitoring capabilities, covert channel analysis, and trusted recovery when the product experiences unexpected circumstances Life-cycle assurance pertains to how the product was developed and maintained Each stage of the product’s life cycle has standards and expectations it must fulfill before it can be deemed a highly trusted product Examples of life-cycle assurance standards are design specifications, clipping-level configurations, unit and integration testing, configuration management, and trusted distribution Vendors looking to achieve one of the higher security ratings for their products will have each of these issues evaluated and tested The following sections address several of these types of operational assurance and life-cycle assurance issues not only as they pertain to evaluation, but also as they pertain to a company’s responsibilities once the product is implemented A product is just a tool for a company to use for functionality and security It is up to the company to ensure that this functionality and security are continually available through responsible and proactive steps References • NIST Security Configuration Checklists Program for IT Products http:// csrc.nist.gov/checklists/ • An Introduction to Computer Security: The NIST Handbook http://csrc.nist.gov/ publications/nistpubs/800-12/ • “The Operations Security Connection,” by Arion N Pattakos, PM (Jan.–Feb 1999) www.au.af.mil/au/awc/awcgate/dau/pattakjf.pdf Operational Responsibilities Operations security encompasses safeguards and countermeasures to protect resources, information, and the hardware on which the resources and information reside The goal of operations security is to reduce the possibility of damage that could result from unauthorized access or disclosure by limiting the opportunities of misuse Chapter 12: Operations Security 1035 Some organizations may have an actual operations department that is responsible for activities and procedures required to keep the network running smoothly and to keep productivity at a certain level Other organizations may have a few individuals who are responsible for these things, but no structured department dedicated just to operations Either way, the people who hold these responsibilities are accountable for certain activities and procedures and must monitor and control specific issues Operations within a computing environment may pertain to software, personnel, and hardware, but an operations department often focuses on the hardware and software aspects Management is responsible for employees’ behavior and responsibilities The people within the operations department are responsible for ensuring that systems are protected and continue to run in a predictable manner The operations department usually has the objectives of preventing recurring problems, reducing hardware and software failures to an acceptable level, and reducing the impact of incidents or disruption This group should investigate any unusual or unexplained occurrences, unscheduled initial program loads, deviations from standards, or other odd or abnormal conditions that take place on the network Unusual or Unexplained Occurrences Networks, and the hardware and software within them, can be complex and dynamic At times, conditions occur that are at first confusing and possibly unexplainable It is up to the operations department to investigate these issues, diagnose the problem, and come up with a logical solution One example could be a network that has hosts that are continually kicked off the network for no apparent reason The operations team should conduct controlled troubleshooting to make sure it does not overlook any possible source for the disruption and that it investigates different types of problems The team may look at connectivity issues between the hosts and the wiring closet, the hubs and switches that control their connectivity, and any possible cabling defects The team should work methodically until it finds a specific problem Central monitoring systems and event management solutions can help pinpoint the root cause of problems and save much time and effort in diagnosing problems NOTE Event management means that a product is being used to collect various logs throughout the network The product identifies patterns and potentially malicious activities that a human would most likely miss because of the amount of data in the various logs Deviations from Standards In this instance, “standards” pertains to computing service levels and how they are measured Each device can have certain standards applied to it: the hours of time to be online, the number of requests that can be processed within a defined period of time, bandwidth usage, performance counters, and more These standards provide a baseline that is used to determine whether there is a problem with the device For example, if a device usually accepts approximately 300 requests per minute, but suddenly it is only able to accept three per minute, the operations team would need to investigate the CISSP All-in-One Exam Guide 1036 deviation from the standard that is usually provided by this device The device may be failing or under a DoS attack, or be subject to legitimate business use cases which had not been foreseen when the device was first implemented Sometimes the standard needs to be recalibrated so it portrays a realistic view of the service level it can provide If a server was upgraded from a Pentium II to a Pentium III, the memory was quadrupled, the swap file was increased, and three extra hard drives were added, the service level of this server should be reevaluated Unscheduled Initial Program Loads (a.k.a Rebooting) Initial program load (IPL) is a mainframe term for loading the operating system’s kernel into the computer’s main memory On a personal computer, booting into the operating system is the equivalent to IPLing This activity takes place to prepare the computer for user operation The operations team should investigate computers that reboot for no reason—a trait that could indicate the operating system is experiencing major problems, or is possessed by the devil Asset Identification and Management Asset management is easily understood as “knowing what the company owns.” In a retail store, this may be called inventory management, and is part of routine operations to ensure that sales records and accounting systems are accurate, and that theft is discovered While these same principles may apply to an IT environment, there’s much more to it than just the physical and financial aspect A prerequisite for knowing if hardware (including systems and networks) and software are in a secure configuration is knowing what hardware and software are present in the environment Asset management includes knowing and keeping up-to-date this complete inventory of hardware (systems and networks) and software At a high level, asset management may seem to mean knowing that the company owns 600 desktop PCs of one manufacturer, 400 desktop PCs of another manufacturer, and 200 laptops of a third manufacturer Is that sufficient to manage the configuration and security of these 1200 systems? No Taking it a level deeper, would it be enough to know that those 600 desktop PCs from manufacturer A are model 123, the 400 desktop PCs from manufacturer B are model 456, and the 200 laptops are model C? Still no To be fully aware of all of the “moving parts” that can be subject to security risks, it is necessary to know the complete manifest of components within each hardware system, operating system, hardware network device, network device operating system, and software application in the environment The firmware within a network card inside a computer may be subject to a security vulnerability; certainly the device driver within the operating system which operates that network card may present a risk Operating systems are a relatively well-known and fairly well manageable aspect of security risk Less known and increasingly more important are the applications (software): Did an application include a now out-of-date and insecure version of a Java Runtime Environ- CISSP All-in-One Exam Guide 1094 A double-blind test (stealth assessment) is also a blind test to the assessor as mentioned previously, plus the security staff is not notified This enables the test to evaluate the network’s security level and the staff’s responses, log monitoring, and escalation processes, and is a more realistic demonstration of the likely success or failure of an attack Targeted tests can involve external consultants and internal staff carrying out focused tests on specific areas of interest For example, before a new application is rolled out, the team might test it for vulnerabilities before installing it into production Another example is to focus specifically on systems that carry out e-commerce transactions and not the other daily activities of the company It is important that the team start off with only basic user-level access, to properly simulate different attacks The team needs to utilize a variety of different tools and attack methods, and look at all possible vulnerabilities, because this is how actual attackers will function The following sections cover common activities carried out in a penetration test Wardialing As touched on earlier, wardialing allows attackers and administrators to dial large blocks of phone numbers in search of available modems Several free and commercial tools are available to dial all of the telephone numbers in a phone exchange (for example, all numbers from 212-555-0000 through 212-555-9999) and make note of those numbers answered by a modem Wardialers can be configured to call only those specific exchanges and their subsets that are known to belong to a company They can be smart, calling only at night when most telephones are not monitored, to reduce the likelihood of several people noticing the odd hang-up phone calls and thus raising the alarm Wardialers can call in random order so nobody notices the phones are ringing at one desk after another after another, and thus raise an alarm Wardialing is a mature science, and can be accomplished quickly with low-cost equip- Testing Oneself Some of the same tactics an attacker may use when wardialing may be useful to the system administrator, such as wardialing at night to reduce disruption to the business Be aware, when performing wardialing proactively, that dialing at night may also miss some unauthorized modems that are attached to systems that are turned off by their users at the end of the day Wardialers can be configured to avoid certain numbers or blocks of numbers, so the system administrator can avoid dialing numbers known to be voice-only, such as help desks This can also be done on more advanced PBXes, with any number assigned to a digital voice device that is configured to not support a modem Any unauthorized modems identified by wardialing should be investigated and either brought into compliance or removed, and staff who installed the unauthorized modems retrained or disciplined Chapter 12: Operations Security 1095 ment Wardialers can go so far as to fingerprint the hosts which answer, similar to a network vulnerability scanner, and attempt a limited amount of automated penetration testing, returning a ready-made compromise of the environment to the attacker Finally, some PBXes (phone systems) or telephony diagnostic tools may be able to identify modem lines and report on them Other Vulnerability Types As noted earlier, vulnerability scans find the potential vulnerabilities Actual penetration testing is required to identify those vulnerabilities that can actually be exploited in the environment and cause damage Commonly exploited vulnerabilities include: • Kernel flaws These are problems that occur below the level of the user interface, deep inside the operating system Any flaw in the kernel that can be reached by an attacker, if exploitable, gives the attacker the most powerful level of control over the system • Countermeasure Ensure that security patches to operating systems—after sufficient testing—are promptly deployed in the environment to keep the window of vulnerability as small as possible CISSP All-in-One Exam Guide 1096 • Buffer overflows Poor programming practices, or sometimes bugs in libraries, allow more input than the program has allocated space to store it This overwrites data or program memory after the end of the allocated buffer, and sometimes allows the attacker to inject program code and then cause the processor to execute it This gives the attacker the same level of access as that held by the program that was attacked If the program was run as an administrative user or by the system itself, this can mean complete access to the system • Countermeasure Good programming practice, automated source code scanners, enhanced programming libraries, and strongly typed languages that disallow buffer overflows are all ways of reducing this extremely common vulnerability • Symbolic links Though the attacker may be properly blocked from seeing or changing the content of sensitive system files and data, if a program follows a symbolic link (a stub file that redirects the access to another place) and the attacker can compromise the symbolic link, then the attacker may be able to gain unauthorized access (Symbolic links are used in Unix and Linux type systems.) This may allow the attacker to damage important data and/or gain privileged access to the system A historical example of this was to use a symbolic link to cause a program to delete a password database, or replace a line in the password database with characters that, in essence, created an unpassworded root-equivalent account • Countermeasure Programs and especially scripts must be written to assure that the full path to the file cannot be circumvented • File descriptor attacks File descriptors are numbers many operating systems use to represent open files in a process Certain file descriptor numbers are universal, meaning the same thing to all programs If a program makes unsafe use of a file descriptor, an attacker may be able to cause unexpected input to be provided to the program, or cause output to go to an unexpected place with the privileges of the executing program • Countermeasure Good programming practices, automated source code scanners, and application security testing are all ways of reducing this type of vulnerability • Race conditions Race conditions exist when the design of a program puts it in a vulnerable condition before assuring that those vulnerable conditions are mitigated Examples include opening temporary files without first ensuring the files cannot be read, or written to, by unauthorized users or processes, and running in privileged mode or instantiating dynamic load library functions without first verifying that the dynamic load library path is secure Either of these may allow an attacker to cause the program (with its elevated privileges) to read or write unexpected data, or perform unauthorized commands Chapter 12: Operations Security 1097 • Countermeasure Good programming practices, automated source code scanners, and application security testing are all ways of reducing this type of vulnerability • File and directory permissions Many of the previously described attacks rely on inappropriate file or directory permissions—that is, an error in the access control of some part of the system, on which a more secure part of the system depends Also, if a system administrator makes a mistake that results in decreasing the security of the permissions on a critical file, such as making a password database accessible to regular users, an attacker can take advantage of this to add an unauthorized user to the password database, or an untrusted directory to the dynamic load library search path • Countermeasure File integrity checkers, which should also check expected file and directory permissions, can detect such problems in a timely fashion, hopefully before an attacker notices and exploits them Many, many types of vulnerabilities exist and we have covered some, but certainly not all, here in this book The previous list includes only a few specific vulnerabilities you should be aware of for exam purposes Postmortem Once the tests are over and the interpretation and prioritization are done, management will have in its hands a Booke of Doome showing many of the ways the company could be successfully attacked This is the input to the next cycle in the remediation strategy There exists only so much money, time, and personnel, and thus only so much of the total risk can be mitigated Balancing the risks and risk appetite of the company, and the costs of possible mitigations and the value gained from each, management must direct the system and security administrators as to where to spend those limited resources An oversight program is required to assure that the mitigations work as expected, and that the estimated cost of each mitigation action is closely tracked by the actual cost of implementation Any time the cost rises significantly, or the value is found to be far below what was expected, the process should be briefly paused and reevaluated It may be that a risk-versus-cost option initially considered less desirable will now make more sense than continuing with the chosen path Finally, when all is well, and the mitigations are underway, everyone can breathe easier Except maybe for the security engineer who has the task of monitoring vulnerability announcements and discussion mailing lists, as well as the early warning services offered by some vendors To put it another way, the risk environment keeps changing Between tests, monitoring may make the company aware of newly discovered vulnerabilities that would be found the next time the test is run, but which are too high risk to allow to wait that long And so another smaller cycle of mitigation decisions and actions must be taken And then it is time to run the tests again Table 12-3 provides an example of a testing schedule that each operations and security department should develop and carry out CISSP All-in-One Exam Guide 1098 Test Type Frequency Benefits Network Scanning Continuously to quarterly - Enumerates the network structure and determines the set of active hosts and associated software - Identifies unauthorized hosts connected to a network - Identifies open ports - Identifies unauthorized services Wardialing Annually - Detects unauthorized modems and prevents unauthorized access to a protected network War Driving Continuously to weekly - Detects unauthorized wireless access points and prevents unauthorized access to a protected network Virus Detectors Weekly or as required - Detects and deletes viruses before successful installation on the system Log Reviews Daily for critical systems - Validates that the system is operating according to policy Password Cracking Continuously to same frequency as expiration policy - Verifies the policy is effective in producing passwords that are more or less difficult to break - Verifies that users select passwords compliant with the organization’s security policy Vulnerability Scanning Quarterly or bimonthly (more often for high risk systems), orwhenever the vulnerability database is updated - Enumerates the network structure and determines the set of active hosts and associated software - Identifies a target set of computers to focus vulnerability analysis - Identifies potential vulnerabilities on the target set - Validates operating systems and major applications are upto-date with security patches and software versions Penetration Testing Annually - Determines how vulnerable an organization’s network is to penetration and the level of damage that can be incurred - Tests the IT staff’s response to perceived security incidents and their knowledge and implementation of the organization’s security policy and the system’s security requirements Integrity Checkers Monthly and in case of a suspicious event - Detects unauthorized file modifications Table 12-3 Example Testing Schedules for Each Operations and Security Department We have covered the assurance mechanisms in this chapter or earlier ones These are methods used to make sure the operations department is carrying out its responsibilities correctly and securely References • NIST Security Self-Assessment Guide for Information Technology Systems, by Marianne Swanson, NIST Special Publication 800-26 (Nov 2001) http:// csrc.nist.gov/publications/nistpubs/800-26/sp800-26.pdf • Computer Security course, Module 16, “Vulnerability Analysis,” Polytechnic University (Nov 2003) http://isis.poly.edu/courses/cs681/Lectures/ module_9.pdf Chapter 12: Operations Security 1099 • Indiana University Advanced Networking Management Lab DDoS Resources www.anml.iu.edu/ddos/tools.html • “DDoS: A Look Back from 2003,” presentation by Dave Dittrich, University of Washington http://staff.washington.edu/dittrich/talks/I2-ddos.ppt • “Password Cracking, Sniffing, and Man-in-the-Middle,” Prof Henry Owen, Georgia Tech University http://users.ece.gatech.edu/~owen/Academic/ ECE4112/Fall2004/Lab2.ppt Summary Operations security involves keeping up with implemented solutions, keeping track of changes, properly maintaining systems, continually enforcing necessary standards, and following through with security practices and tasks It does not much good for a company to develop a strong password policy if, after a few months, enforcement gets lax and users can use whatever passwords they want It is similar to working out and staying physically fit Just because someone lifts weights and jogs for a week does not mean he can spend the rest of the year eating jelly donuts and expect to stay physically fit Security requires discipline day in and day out, sticking to a regime, and practicing due care Quick Tips • Facilities that house systems that process sensitive information should have physical access controls to limit access to authorized personnel only • Data should be classified, and the necessary technical controls should be put into place to protect its integrity, confidentiality, and availability • Hacker tools are becoming increasingly more sophisticated while requiring increasingly less knowledge by the attacker about how they work • Quality assurance involves the verification that supporting documentation requirements are met • Quality control ensures that an asset is operating within accepted standards • System and audit logs should be monitored and protected from unauthorized modification CISSP All-in-One Exam Guide 1100 • Repetitive errors can indicate lack of training or issues resulting from a poorly designed system • Sensitive data should not be printed and left at stand-alone printers or fax devices • Users should have the necessary security level to access data and resources, but must also have a need to know • Clipping levels should be implemented to establish a baseline of user activity and acceptable errors • Separation of responsibilities and duties should be in place so that if fraud takes place, it requires collusion • Sensitive information should contain the correct markings and labels to indicate the corresponding sensitivity level • Contract and temporary staff members should have more restrictive controls put upon their accounts • Access to resources should be limited to authorized personnel, applications, and services and should be audited for compliance to stated policies • Change control and configuration management should be put in place so changes are approved, documented, tested, and properly implemented • Activities that involve change management include requesting a change, approving a change, documenting a change, testing a change, implementing a change, and reporting to management • Systems should not allow their bootup sequences to be altered in a way that could bypass operating system security mechanisms • Potential employees should have background investigations, references, experience, and education claims checked out • Proper fault-tolerant mechanisms should be put in place to counter equipment failure • Antivirus and IDS signatures should be updated on a continual basis • System, network, policy, and procedure changes should be documented and communicated • When media is reused, it should contain no residual data • Media holding sensitive data must be properly purged, which can be accomplished through zeroization, degaussing, or media destruction • Life-cycle assurance involves protecting a system from inception to development to operation to removal • The key aspects of operations security include resource protection, change control, hardware and software controls, trusted system recovery, separation of duties, and least privilege Chapter 12: Operations Security 1101 • Least privilege ensures that users, administrators, and others accessing a system have access only to the objects they absolutely require to complete their job • Vulnerability assessments should be done on a regular basis to identify new vulnerabilities • The operations department is responsible for any unusual or unexplained occurrences, unscheduled initial program loads, and deviations from standards • Standards need to be established that indicate the proper startup and shutdown sequence, error handling, and restoration procedures • A teardrop attack involves sending malformed fragmented packets to a vulnerable system • Improper mail relay configurations allow for mail servers to be used to forward spam messages • Phishing involves an attacker sending false messages to a victim in the hopes that the victim will provide personal information that can be used to steal their identity • A browsing attack occurs when an attacker looks for sensitive information without knowing what format it is in • A fax encryptor encrypts all fax data leaving a fax server • A system can fail in one of the following manners: system reboot, emergency system restart, and system cold start • The main goal of operations security is to protect resources • Operational threats include disclosure, theft, corruption, interruption, and destruction • Operations security involves balancing the necessary level of security with ease of use, compliance, and cost constraints Questions Please remember that these questions are formatted and asked in a certain way for a reason Keep in mind that the CISSP exam is asking questions at a conceptual level Questions may not always have the perfect answer, and the candidate is advised against always looking for the perfect answer Instead, the candidate should look for the best answer in the list Which of the following best describes operations security? A Continual vigilance about hacker activity and possible vulnerabilities B Enforcing access control and physical security C Taking steps to make sure an environment, and the things within it, stay at a certain level of protection D Doing strategy planning to develop a secure environment and then implementing it properly CISSP All-in-One Exam Guide 1102 Which of the following describes why operations security is important? A An environment continually changes and has the potential of lowering its level of protection B It helps an environment be functionally sound and productive C It ensures there will be no unauthorized access to the facility or its resources D It continually raises a company’s level of protection What is the difference between due care and due diligence? A Due care is the continual effort of ensuring that the right thing takes place, and due diligence is the continual effort to stay compliant to regulations B Due care and due diligence are in contrast to the “prudent person” concept C They mean the same thing D Due diligence involves investigating the risks, while due care involves carrying out the necessary steps to mitigate these risks Why should employers make sure employees take their vacations? A They have a legal obligation B It is part of due diligence C It is a way for fraud to be uncovered D To ensure the employee does not get burnt out Which of the following best describes separation of duties and job rotation? A Separation of duties ensures that more than one employee knows how to perform the tasks of a position, and job rotation ensures that one person cannot perform a high-risk task alone B Separation of duties ensures that one person cannot perform a high-risk task alone, and job rotation can uncover fraud and ensure that more than one person knows the tasks of a position C They are the same thing, but with different titles D They are administrative controls that enforce access control and protect the company’s resources If a programmer is restricted from updating and modifying production code, what is this an example of? A Rotation of duties B Due diligence C Separation of duties D Controlling input values Why is it important to control and audit input and output values? A Incorrect values can cause mistakes in data processing and be evidence of fraud Chapter 12: Operations Security 1103 B Incorrect values can be the fault of the programmer and not comply with the due care clause C Incorrect values can be caused by brute force attacks D Incorrect values are not security issues What is the difference between least privilege and need to know? A A user should have least privilege that restricts her need to know B A user should have a security clearance to access resources, a need to know about those resources, and least privilege to give her full control of all resources C A user should have a need to know to access particular resources, and least privilege should be implemented to ensure she only accesses the resources she has a need to know D They are two different terms for the same issue Which of the following would not require updated documentation? A An antivirus signature update B Reconfiguration of a server C A change in security policy D The installation of a patch to a production server 10 If sensitive data are stored on a CD-ROM and are no longer needed, which would be the proper way of disposing of the data? A Degaussing B Erasing C Purging D Physical destruction 11 If SSL is being used to encrypt messages that are transmitted over the network, what is a major concern of the security professional? A The network segments that have systems that use different versions of SSL B The user may have encrypted the message with an application layer product that is incompatible with SSL C Network tapping and wiretapping D The networks that the message will travel that the company does not control 12 What is the purpose of SMTP? A To enable users to decrypt mail messages from a server B To enable users to view and modify mail messages from a server C To transmit mail messages from the client to the mail server D To encrypt mail messages before being transmitted CISSP All-in-One Exam Guide 1104 13 If a company has been contacted because its mail server has been used to spread spam, what is most likely the problem? A The internal mail server has been compromised by an internal hacker B The mail server in the DMZ has private and public resource records C The mail server has e-mail relaying misconfigured D The mail server has SMTP enabled 14 Which of the following is not a reason fax servers are used in many companies? A They save money by not needing individual fax devices and the constant use of fax paper B They provide a secure way of faxing instead of having faxed papers sitting in bins waiting to be picked up C Faxes can be routed to employees’ electronic mailboxes D They increase the need for other communication security mechanisms 15 If a company wants to protect fax data while it is in transmission, which of the following are valid mechanisms? A PGP and MIME B PEM and TSL C Data link encryption or fax encryptor D Data link encryption and MIME 16 What is the purpose of TCP wrappers? A Monitor requests for certain ports and control access to sensitive files B Monitor requests for certain services and control access to password files C Monitor requests for certain services and control access to those services D Monitor requests to system files and ensure they are not modified 17 How network sniffers work? A They probe systems on a network segment B They listen for ARP requests and ICMP packets C They require an extra NIC to be installed and configured D They put the NIC into promiscuous mode 18 Which of the following is not an attack against operations? A Brute force B Denial-of-Service C Buffer overflow D ICMP Sting 19 Why should user IDs be included in data captured by auditing procedures? A They show what files were attacked Chapter 12: Operations Security 1105 B They establish individual accountability C They are needed to detect a Denial-of-Service attack D They activate corrective measures 20 Which of the following controls requires separate entities, operating together, to complete a task? A Least privilege B Data hiding C Dual control D Administrative 21 Which of the following would not be considered an operations media control task? A Compressing and decompressing storage materials B Erasing data when its retention period is over C Storing backup information in a protected area D Controlling access to media and logging activities 22 How is the use of clipping levels a way to track violations? A They set a baseline for normal user errors, and any violations that exceed that threshold should be recorded and reviewed to understand why they are happening B They enable the administrator to view all reduction levels that have been made to user codes, which have incurred violations C They disallow the administrator to customize the audit trail to record only those violations deemed security related D They enable the administrator to customize the audit trail to capture only access violations and Denial-of-Service attacks 23 Tape library management is an example of operations security through which of the following? A Archival retention B The review of clipping levels C Resource protection D Change management 24 A device that generates coercive magnetic force for the purpose of reducing magnetic flux density to zero on media is called: A Magnetic saturation B Magnetic field C Physical destruction D Degausser CISSP All-in-One Exam Guide 1106 25 Which of the following controls might force a person in operations into collusion with personnel assigned organizationally within a different function for the sole purpose of gaining access to data he is not authorized to access? A Limiting the local access of operations personnel B Enforcing auditing C Enforcing job rotation D Limiting control of management personnel Answers C All of these are necessary security activities and procedures—they just don’t all fall under the operations umbrella Operations is about keeping production up and running in a healthy and secure manner Operations is not usually the entity that carries out strategic planning It works at an operational, day-to-day level, not at the higher strategic level A This is the best answer because operations has the goal of keeping everything running smoothly each and every day Operations implements new software and hardware and carries out the necessary security tasks passed down to it As the environment changes and security is kept in the loop with these changes, there is a smaller likelihood of opening up vulnerabilities D Due care and due diligence are legal terms that not just pertain to security Due diligence involves going through the necessary steps to know what a company’s or individual’s actual risks are, while due care involves carrying out responsible actions to reduce those risks These concepts correspond with the “prudent person” concept C Many times, employees who are carrying out fraudulent activities not take the vacation they have earned because they not want anyone to find out what they have been doing Forcing employees to take vacations means that someone else has to that person’s job and possibly uncover any misdeeds B Rotation of duties enables a company to have more than one person trained in a position and can uncover fraudulent activities Separation of duties is put into place to ensure that one entity cannot carry out a critical task alone C This is just one of several examples of separation of duties A system must be set up for proper code maintenance to take place when necessary, instead of allowing a programmer to make changes arbitrarily These types of changes should go through a change control process and should have more entities involved than just one programmer A There should be controls in place to make sure the data input into a system and the results generated are in the proper format and have expected values Improper data being put into an application or system could cause bad output and security issues, such as buffer overflows C Users should be able to access only the resources they need to fulfill the duties of their positions They also should only have the level of permissions Chapter 12: Operations Security 1107 10 11 12 13 14 15 16 and rights for those resources that is required to carry out the exact operations they need for their jobs and no more This second concept is more granular than the first, but they have a symbiotic relationship A Documentation is very important for data processing and networked environments This task often gets pushed to the back burner or is totally ignored If things are not properly documented, employees will forget what actually took place with each device If the environment needs to be rebuilt, for example, it may be done incorrectly if the procedure was poorly or improperly documented When new changes need to be implemented, the current infrastructure may not be totally understood Continually documenting when virus signatures are updated would be overkill The other answers contain events that certainly require documentation D One cannot properly erase data held on a CD-ROM If the data are sensitive and you need to ensure no one has access to the same, the media should be physically destroyed D This is not a great question, but could be something that you run into on the exam Let’s look at the answers Different SSL versions are usually not a concern, because the two communicating systems will negotiate and agree upon the necessary version There is no security violation issue here SSL works at the transport layer; thus, it will not be affected by what the user does, as stated in answer B SSL protects against network tapping and wiretapping Answer D talks about the network segments the company does not own You not know at what point the other company will decrypt the SSL connection because you not have control of that environment Your data could be traveling unencrypted and unprotected on another network C Simple Mail Transfer Protocol (SMTP) is the protocol used to allow clients to send e-mail messages to each other It lets different mail servers exchange messages C Spammers will identify the mail servers on the Internet that have relaying enabled and are “wide open,” meaning the server will forward any e-mail messages it receives These servers can be put on a black list, which means other mail servers will not accept mail from them D The other three answers provide reasons why fax servers would be used instead of individual fax machines: ease of use, they provide more protection, and their supplies may be cheaper C This is the best answer for this question The other components could provide different levels of protection, but a fax encryptor (which is a data link encryptor) provides a higher level of protection across the board because everything is encrypted Even if a user does not choose to encrypt something, it will be encrypted anyway before it is sent out the fax server C This is a technology that wraps the different services available on a system What this means is that if a remote user makes a request to access a service, this product will intercept this request and determine whether it is valid and legal before allowing the interaction to take place CISSP All-in-One Exam Guide 1108 17 D A sniffer is a device or software component that puts the NIC in promiscuous mode, meaning the NIC will pick up all frames it “sees” instead of just the frames addressed to that individual computer The sniffer then shows the output to the user It can have capture and filtering capabilities 18 D The first three choices are attacks that can directly affect security operations There is no such attack as an ICMP Sting 19 B For auditing purposes, the procedure should capture the user ID, time of event, type of event, and the source workstation Capturing the user ID allows the company to hold individuals accountable for their actions 20 C Dual control requires two or more entities working together to complete a task An example is key recovery If a key must be recovered, and key recovery requires two or more people to authenticate to a system, the act of them coming together and carrying out these activities is known as dual control This reduces the possibility of fraud 21 A The last three tasks fall under the job functions of an individual or department responsible for controlling access to media Compressing and decompressing data does not 22 A Clipping levels are thresholds of acceptable user errors and suspicious activities If the threshold is exceeded, it should be logged and the administrator should decide if malicious activities are taking place or if the user needs more training 23 C The reason to have tape library management is to have a centralized and standard way of protecting how media is stored, accessed, and destroyed 24 D A degausser is a device that generates a magnetic field (coercive magnetic force) that changes the orientation of the bits held on the media (reducing magnetic flux density to zero) 25 A If operations personnel are limited in what they can access, they would need to collude with someone who actually has access to the resource This question is not very clear, but it is very close to the way many CISSP exam questions are formatted ... or have deployed external technology such as secured dial-in/dial-back modems attached to serial console ports, or remote Keyboard Video Mouse (KVM) switches attached to graphic consoles Fix... system to its original state before the change was implemented Chapter 12: Operations Security 1047 Change Control Documentation Failing to document changes to systems and networks is only asking... from changing those device selections and the order in which they are used If the user or attacker can change the bootable devices selections or order, and can cause the system to reboot (which