Chapter 8: Communications and Operations Management


Description: Chapter 8: Communications and Operations Management. Objectives: author useful standard operating procedures; implement change control processes; develop an incident response program; protect against malware; advocate for formal backup and restore procedures; manage portable storage devices. (PowerPoint presentation, 70 slides)

Transcript of Chapter 8: Communications and Operations Management

Page 1: Chapter 8: Communications and Operations Management (title slide)

Page 2: Objectives

- Author useful standard operating procedures
- Implement change control processes
- Develop an incident response program
- Protect against malware
- Advocate for formal backup and restore procedures
- Manage portable storage devices

Page 3: Objectives (cont.)

- Secure the transport, reuse and disposal of media
- Protect the integrity of information published on publicly available systems
- Recognize the unique security requirements of e-mail and e-mail systems
- Write policies and procedures to support operational security

Page 4: Standard Operating Procedures

- SOPs provide directions that improve communication, reduce training time, and improve consistency of work
- SOPs should be documented to protect the company from the pitfalls of institutional knowledge: if a business process is known only to one employee, and that employee becomes unavailable, how is the process going to be performed successfully?

Page 5: Standard Operating Procedures (cont.)

- SOPs should be written in as simple a style as possible so that everyone can clearly understand the procedure
- SOPs should include every step of a given procedure
- SOPs should not be overly detailed; they should remain clear

Page 6: Standard Operating Procedures (cont.)

- If a procedure contains fewer than 10 steps, it should be presented in simple step format
- If a procedure contains 10 steps or more but involves few decisions, it should be presented in a graphical or hierarchical format
- If a procedure requires many decisions, it should be presented as a flowchart

Page 7: Standard Operating Procedures (cont.)

- Once a procedure has been researched, documented, reviewed and tested, it should be authorized by the information system owner
- The integrity of SOP documents must be protected, so that employees cannot be led into following instructions that have been maliciously tampered with
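One concrete way to protect SOP integrity, added here as an illustration (this is not code from the slides or from any product they describe): hash every approved SOP, list the hashes in a manifest tagged with the approved revision, and authenticate the manifest with an HMAC under a key held only by the approving system owner. Anyone can then check that the SOP they are about to follow is byte-for-byte the approved one. The document names, the key and the revision string below are constructed sample data.

```python
import hashlib
import hmac
import json
from typing import Dict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _manifest_payload(version: str, entries: Dict[str, str]) -> bytes:
    # Canonical encoding so signer and verifier hash exactly the same bytes
    return json.dumps({"version": version, "docs": entries},
                      sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(docs: Dict[str, bytes], key: bytes, version: str) -> dict:
    """Hash each SOP and authenticate the whole list (names, hashes, revision)
    with an HMAC-SHA256 under `key`, which only the approving owner holds."""
    entries = {name: sha256_hex(body) for name, body in docs.items()}
    mac = hmac.new(key, _manifest_payload(version, entries), hashlib.sha256).hexdigest()
    return {"version": version, "docs": entries, "mac": mac}


def manifest_is_authentic(manifest: dict, key: bytes) -> bool:
    """False if the manifest's own contents were altered or signed with another key."""
    expected = hmac.new(key, _manifest_payload(manifest["version"], manifest["docs"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])


def verify_manifest(docs: Dict[str, bytes], manifest: dict, key: bytes) -> Dict[str, str]:
    """Per-document status: ok, modified, missing (approved but absent) or
    unlisted (present but never approved). Raises if the manifest itself is bad."""
    if not manifest_is_authentic(manifest, key):
        raise ValueError("manifest MAC check failed: manifest tampered with or wrong key")
    status = {}
    for name, digest in manifest["docs"].items():
        if name not in docs:
            status[name] = "missing"
        elif sha256_hex(docs[name]) != digest:
            status[name] = "modified"
        else:
            status[name] = "ok"
    for name in docs:
        if name not in manifest["docs"]:
            status[name] = "unlisted"
    return status


if __name__ == "__main__":
    # Constructed sample SOPs; the key would live with the information system owner
    key = b"owner-signing-key"
    approved = {"SOP-001-backup.txt": b"1. Insert tape\n2. Run nightly backup\n",
                "SOP-002-restore.txt": b"1. Locate tape\n2. Restore to staging\n"}
    manifest = sign_manifest(approved, key, version="rev-2024-03")
    print(verify_manifest(approved, manifest, key))
```

Revisions of an SOP (slide 8) simply produce a new signed manifest with a new version string; a verifier that also checks the version against the one published by the owner catches a rollback to an older, superseded procedure.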

Page 8: Standard Operating Procedures (cont.)

- The change management process must be defined so that the SOPs mirror the evolution of the business processes they describe
- All revisions of SOP documents must be reviewed and approved by the information system owner

Page 9: Operational Change Control

- Change control: an internal procedure by which only authorized changes are made to software, hardware, network access privileges or business processes
- Change control process, first step: analysis of the need
  - What is the current situation?
  - What is the goal of the change?
  - What is the impact of the change?

Page 10: Operational Change Control (cont.)

- Change control process (cont.): formal request for change
  - Who is authorized to make the request?
  - To whom should the request be made?
  - Who should approve the change?
- Review of the request by the information owner
  - What are the reasons prompting the request for change?
  - Specifically, what changes are requested?
- Authorization

Page 11: Operational Change Control (cont.)

- Change control authorization: once authorized, the actual change must be monitored and documented, whether it succeeds or not. The documentation should record:
  - Who requested the change?
  - Who approved the change?
  - What specific changes were made?
  - Was the change successful? If not, was the system recovered?

Page 12: Operational Change Control (cont.)

- Version control is important for all policy and procedure documents, to ensure that all employees rely on the latest information uniformly across the organization

Page 13: Incident Response Program

- The right time to develop an incident response program is before an incident actually occurs
- Risk-free, and therefore incident-free, environments do not exist
- Risk management is the formal process by which risk is identified, assessed and mitigated by implementing one or more controls

Page 14: Incident Response Program (cont.)

- Incidents can be caused by malicious actions or by simple errors and accidents
- An incident response plan is a roadmap of reporting, response and recovery actions
- Incident response procedures are the step-by-step implementations used to return to normal operations
- An incident response plan coupled with incident response procedures forms an incident response program

Page 15: Incident Response Program (cont.)

Incident classification

- Just as the origin of incidents varies, so does their severity
- All foreseeable incidents should be identified, reviewed and assigned a severity level
- Severity levels should be assigned by executive management and organized in tiers
- Different severity levels may have different handlers

Page 16: Incident Response Program (cont.)

- Incident handler: a designated incident handler (IH) is one or more people responsible for:
  - Responding to a specific incident
  - Investigating a specific incident
  - Overseeing recovery efforts
  - Documenting the resolution

Page 17: Incident Response Program (cont.)

- The IH is responsible for responding to a specific incident:
  - Within the designated timeframe
  - By assembling the right team of individuals to resolve the issue
  - By managing problem resolution

Page 18: Incident Response Program (cont.)

- The IH is responsible for investigating a specific incident:
  - Identifying and assessing the evidence
  - Maintaining the chain of custody for the evidence
  - Protecting access to the evidence

Page 19: Incident Response Program (cont.)

- The IH is responsible for overseeing the recovery efforts:
  - Identifying the employee(s) with the relevant skills
  - Managing the team

Page 20: Incident Response Program (cont.)

- The IH is responsible for documenting the resolution of the incident
- All steps taken to deal with the incident should be documented
- A final report should be created from that documentation
- The final report should be analyzed and reviewed; analysis and review may bring new information and ideas on how to deal with similar incidents

Page 21: Incident Severity Level

Classifying incidents by severity level

- Tier 1: most serious
  - Considered a major incident
  - Requires immediate response
  - Could have long-term implications for the company
  - Example: any violation of the law

Page 22: Incident Severity Level (cont.)

- Tier 2: serious
  - Considered a major incident
  - Requires response within 2 to 4 hours of detection
  - Defined as: an incursion on non-critical systems or information; detection of a precursor to a focused attack; a believed threat of imminent attack
  - Example: compromise of a user password

Page 23: Incident Severity Level (cont.)

- Tier 3: less severe
  - Should be handled within one working day
  - Defined as a problem that can be resolved by the system user or operator and should not involve any damage to the system or to company data
  - Example: excessive bandwidth use

Page 24: Incident Severity Level (cont.)

- Tier 4: proactive, high priority
  - Requires response within 3 business days
  - Defined as: threat of a future attack; detection of reconnaissance (exploration)
  - Example: potential exploit

Page 25: Incident Severity Level (cont.)

- Tier 5: proactive, low priority
  - No specified response time
  - Defined as: an unsubstantiated rumor of a security incident
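The five tiers above turned into a deadline calculation, added here as an illustration rather than taken from the slides: given a tier and the detection time, when must the incident handler have begun responding, and is the response overdue now? The slides give a 2 to 4 hour window for Tier 2; the upper bound is used below, and "working day" and "business day" are both read as Monday to Friday with no holiday calendar. Both are assumptions of this example.

```python
from datetime import datetime, timedelta
from typing import Optional

# Response targets per tier, taken from the slides. Tier 2's 2-4 hour window is
# represented by its upper bound (assumption). Tier 5 states no target.
TIER_TARGETS = {
    1: ("clock", timedelta(0)),          # immediate
    2: ("clock", timedelta(hours=4)),    # within 2 to 4 hours of detection
    3: ("business_days", 1),             # within one working day
    4: ("business_days", 3),             # within 3 business days
    5: (None, None),                     # no specified response time
}


def add_business_days(start: datetime, days: int) -> datetime:
    """Advance `start` by `days` working days (Monday-Friday), keeping the time of day.

    A detection at the weekend is treated as if it had been made at the same time on
    the following Monday before counting begins (assumption: no holiday calendar).
    """
    current = start
    while current.weekday() >= 5:          # 5 = Saturday, 6 = Sunday
        current += timedelta(days=1)
    remaining = days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            remaining -= 1
    return current


def response_deadline(tier: int, detected_at: datetime) -> Optional[datetime]:
    """Latest time by which the incident handler must have begun responding,
    or None when the tier sets no target."""
    if tier not in TIER_TARGETS:
        raise ValueError(f"unknown severity tier {tier}")
    kind, value = TIER_TARGETS[tier]
    if kind is None:
        return None
    if kind == "business_days":
        return add_business_days(detected_at, value)
    return detected_at + value


def is_overdue(tier: int, detected_at: datetime, now: datetime) -> bool:
    """True once the response target has passed without a response having started."""
    deadline = response_deadline(tier, detected_at)
    return deadline is not None and now > deadline


if __name__ == "__main__":
    detected = datetime(2024, 3, 1, 15, 0)   # a Friday afternoon
    for tier in range(1, 6):
        print(tier, response_deadline(tier, detected))
```

The Friday-afternoon case is the one worth checking by hand: a Tier 3 incident detected on Friday at 15:00 is due Monday at 15:00, not Saturday, and a Tier 4 incident detected on Saturday is counted from Monday.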

Page 26: Incident Reporting, Response, and Handling Procedures

- Goal: make procedures easy so that all employees can use them; the employee who discovers an incident may not be trained, and may not be an IT technician
- Procedures mean consistency and accuracy in the way incidents are reported
- Any discovered incident should be reported immediately; the company culture needs to incorporate this point so that employees don't feel they may be ridiculed if they turn out to be wrong

Page 27: Incident Reporting, Response, and Handling Procedures (cont.)

Incident response procedures

- Who is responsible for handling an incident? Who is the designated incident handler?
- Within what timeframe should the response come?
- Should external resources be used?
  - Law enforcement
  - 3rd-party contractors
  - Compliance experts
  - Forensic experts
  - Legal counsel

Page 28: Incident Reporting, Response, and Handling Procedures (cont.)

Incident handling procedures focus on:

- Containment: limit the scope and magnitude of the incident
- Eradication: the problem is eliminated; the vulnerabilities involved are identified and addressed
- Recovery: return to full operational status

Page 29: Incident Reporting, Response, and Handling Procedures (cont.)

Incident handling procedures

- Different handling procedures should be created for the types of incidents the company foresees
- It is impossible to have procedures for ALL incident types
- The nature of the incident will dictate differences in the containment, eradication and recovery procedures

Page 30: Incident Reporting, Response, and Handling Procedures (cont.)

Analyzing incidents and malfunctions

- Goal: after an incident has been resolved, what can be learned about the incident or malfunction so that it does not happen again?
- Goal: while the incident is still vivid in employees' memory, an analysis of the actual resolution process will yield accurate details and results

Page 31: Incident Reporting, Response, and Handling Procedures (cont.)

Reporting suspected or observed security weaknesses

- Employees MUST report all perceived or real security weaknesses
- Failure to do so WILL be viewed as a malicious act
- Employees, through daily use of information systems, can come into contact with weaknesses unknown to the developers

Page 32: Incident Reporting, Response, and Handling Procedures (cont.)

Testing suspected or observed security weaknesses

- Employees MUST NOT test suspected or observed security weaknesses: their responsibility is to REPORT those weaknesses immediately
- Conducting unauthorized testing of vulnerabilities is viewed as a malicious act

Page 33: Malicious Software

Also known as malware. Types of malware include:

- Virus: malicious code that needs a host file in order to replicate
- Worm: malicious code that does not need a host file and spreads on its own, typically by targeting a known vulnerability
- Spyware: malicious code installed on a user's machine without their knowledge, which monitors their activity; how harmful it is varies with which spyware is installed

Page 34: Malicious Software (cont.)

- Trojan horse: potentially destructive malicious code that masquerades as a legitimate, benign application. A very common variety is the RAT (Remote Access Trojan), which allows an unauthorized user to gain administrator-level access to the infected system
- Key logger: an application that runs discreetly on a computer and records every keystroke into a text file

Page 35: Malicious Software (cont.)

- Logic bomb: malicious code that is loaded but lies dormant until a certain predetermined condition is met

Page 36: Malware Controls

- Users should not be able, or allowed, to install software on company-owned machines
- Antivirus solutions should be installed on all computers in the organization
- AV software has two parts, the engine and the definition files, and both must be updated; definitions must be updated every day
- Different solutions from different vendors should be deployed, so that a sample one vendor does not yet detect may be caught by another

Page 37: Malware Controls (cont.)

- Regular port scans should be run on servers and workstations, as some malicious code opens specific, known ports; port scans can therefore help detect an infected machine. A caveat a practitioner should keep in mind: much malware opens no listening port at all and instead connects outward to its controller, so a scan that finds nothing unexpected is not proof of a clean machine
- A port is to a computer address what an extension is to a phone number. One phone number may have different extensions that let the caller reach different people or departments; a computer may have a single address but many ports, which let another computer interact with different services on that machine
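The port-scan control is most useful as a comparison against an approved baseline: the scanner records what is listening and flags anything the baseline does not allow. Below is an added illustration of that idea in Python (not code from the slides or from any scanner they refer to). The scan is a plain TCP connect scan; the "rogue listener" is a constructed scenario that binds an ephemeral loopback port so the example runs offline, and the baseline of {22} is an assumption for the demonstration.

```python
import socket
from typing import Dict, Iterable, Set


def scan_ports(host: str, ports: Iterable[int], timeout: float = 0.2) -> Set[int]:
    """TCP connect scan: return the subset of `ports` on which `host` accepts a
    connection. Closed ports answer with a reset, so they return quickly; filtered
    ports run into the timeout."""
    open_ports: Set[int] = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.add(port)
    return open_ports


def unexpected_listeners(observed: Set[int], baseline: Set[int]) -> Set[int]:
    """Ports open now that the approved baseline for this host does not list."""
    return observed - baseline


def demo_detect_rogue_listener() -> Dict[str, object]:
    """Constructed scenario: stand up a 'rogue' listener on an ephemeral loopback
    port (standing in for malware that opened a backdoor), scan that port and a
    port known to be closed, and compare against a baseline that only approves 22."""
    rogue = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    rogue.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    rogue.listen(1)
    rogue_port = rogue.getsockname()[1]

    # Find a port that is currently closed: bind to get a free number, then release it
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()

    try:
        observed = scan_ports("127.0.0.1", [rogue_port, closed_port])
        flagged = unexpected_listeners(observed, baseline={22})
    finally:
        rogue.close()
    return {"rogue_port": rogue_port, "closed_port": closed_port,
            "observed": observed, "flagged": flagged}


if __name__ == "__main__":
    print(demo_detect_rogue_listener())
```

In practice the baseline is per host role (a mail server legitimately listens on 25, a workstation should not), and a flagged port is a lead for the incident reporting procedure on the following slides, not a verdict by itself.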

Page 38: Malware Controls (cont.)

- Security awareness is gained through training. All employees should be trained to understand:
  - What malware is
  - Why it is important to update the antivirus solution
  - How a machine can become infected
  - Their responsibility to alert IT of any suspected machine infection

Page 39: Information System Backup

Why back up data?

- The company may be mandated to do so
- Failure to back up threatens data availability and data integrity
- Lost or corrupt data can also have a negative impact on the company: financially, legally and in terms of public relations

Page 40: Defining a Backup Strategy

The following aspects should be considered when the strategy is designed:

- Reliability
- Speed
- Simplicity
- Ease of use
- Security of the stored information

Page 41: Defining a Backup Strategy (cont.)

The grandfather-father-son strategy:

- Based on a three-level rotation: daily tapes (the "sons") are reused every week, weekly tapes (the "fathers") are reused every month, and monthly tapes (the "grandfathers") are kept the longest
- Uses separate tapes for daily, weekly, monthly and quarterly backups
- Requires:
  - 4 daily tapes (labeled Monday-Thursday)
  - 5 weekly tapes (labeled Week 1-Week 5)
  - 3 monthly tapes (labeled Month A-C)
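The tape counts above only make sense once the rotation rule is pinned down, so here is the rotation written out as a function, added as an illustration and not taken from the slides. The rule it assumes: Monday to Thursday runs go to the four daily tapes; Friday runs go to the weekly tape numbered by that Friday's ordinal in the month (1 to 5); the run on the last business day of the month goes to a monthly tape instead, and the three monthly tapes cycle A, B, C so that they cover one quarter; no run at weekends and no holiday calendar. Those choices are this example's assumptions, not something the slides state.

```python
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Tape pool from the slide: 4 daily, 5 weekly, 3 monthly
DAILY_LABELS = {0: "Monday", 1: "Tuesday", 2: "Wednesday", 3: "Thursday"}
MONTHLY_LABELS = ["Month A", "Month B", "Month C"]


def last_business_day(year: int, month: int) -> date:
    """Last Monday-to-Friday date in the month (assumption: no holiday calendar)."""
    first_of_next = date(year + 1, 1, 1) if month == 12 else date(year, month + 1, 1)
    d = first_of_next - timedelta(days=1)
    while d.weekday() >= 5:
        d -= timedelta(days=1)
    return d


def tape_for(d: date) -> Optional[str]:
    """Which tape receives the backup run on date d; None when no run is scheduled."""
    wd = d.weekday()
    if wd >= 5:
        return None                          # assumption: no backup runs at weekends
    if d == last_business_day(d.year, d.month):
        # Grandfather: the month-end run goes to a monthly tape, cycling A, B, C,
        # so the three monthly tapes cover a quarter before the oldest is reused
        return MONTHLY_LABELS[(d.month - 1) % 3]
    if wd == 4:
        # Father: Friday runs go to the weekly tape for that Friday's ordinal (1-5)
        return f"Week {(d.day - 1) // 7 + 1}"
    # Son: Monday-Thursday runs reuse the same four daily tapes every week
    return DAILY_LABELS[wd]


def rotation_schedule(start: date, days: int) -> List[Tuple[date, Optional[str]]]:
    """The (date, tape) pairs for `days` consecutive days starting at `start`."""
    return [(start + timedelta(days=i), tape_for(start + timedelta(days=i)))
            for i in range(days)]


def tapes_needed(start: date, days: int) -> Set[str]:
    """Distinct tapes the schedule touches; useful to check the pool is sufficient."""
    return {tape for _, tape in rotation_schedule(start, days) if tape}


if __name__ == "__main__":
    for day, tape in rotation_schedule(date(2024, 3, 25), 7):
        print(day, day.strftime("%a"), tape)
```

Walking a whole quarter through `tapes_needed` shows the pool the slide lists is enough: the 91 days from 1 January 2024 touch the four daily tapes, Week 1 to Week 4, and Month A, B and C. Week 5 is only needed in a month whose fifth Friday is not also the month's last business day.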

Page 42: The Importance of Test Restores

- If the company relies on backups to protect data integrity and availability, then it needs to be sure that the information stored on the backup media can actually be restored when an incident occurs
- Just as backups must take place according to a set schedule, test restores should also be officially scheduled

Page 43: The Importance of Test Restores (cont.)

- The test restore strategy should be tested, documented and officially approved
- Once approved, an up-to-date copy of the test restore strategy should be stored with the backup tapes at the remote location

Page 44: Managing Portable Storage

Portable storage devices

- Portable storage devices (PSDs) are transportable drives or disks that can be moved easily from one computer to another
- Also known as removable media
- Includes:
  - Recordable CDs and DVDs
  - USB "thumbdrives"
  - USB and FireWire hard drives
  - MP3 players

Page 45: Managing Portable Storage (cont.)

Risks: data confidentiality is threatened by PSDs because:

- They can be easily lost, along with the data they contain
- An MP3 player looks like an MP3 player, not like the 20 GB hard drive with a USB connector that it actually is
- Thumbdrives are cheap, small and easy to conceal, yet offer a great deal of storage
- USB drives are small, and install automatically on most operating systems

Page 46: Managing Portable Storage (cont.)

- Reality: not all PSDs are bad, and some have a legitimate use in the company
- This affects how the policy that governs the use of PSDs must be written: it cannot simply deny the use of all PSDs

Page 47: Managing Portable Storage (cont.)

- Controlling non-company-owned removable media is a growing concern
- There is no true "network perimeter" anymore
- Reminder: a large share of attacks originate from inside the network
- The policy should clearly indicate which non-company-owned items are not allowed on company premises, such as MP3 players, phones with a digital camera and PDAs

Page 48: Managing Portable Storage (cont.)

- Controlling company-owned removable media that leaves the company is also a growing concern
- The policy should recognize the risk of loss of data confidentiality, along with the financial, legal and PR ramifications associated with the loss or theft of a PSD
- A formal risk assessment should be conducted

Page 49: Managing Portable Storage (cont.)

A policy should answer the following questions:

- Who is allowed to leave the company premises with a PSD?
- What data should never be placed on a PSD?
- What is the approved procedure to protect data stored on a PSD (including which encryption types are approved)?
- What is the procedure to report the loss or theft of a company-owned PSD?

Page 50: Storing Removable Media

- Any media, removable or not, that contains sensitive information should be stored securely. This is especially important with removable media because of its portability, which usually means a small form factor that makes the device easy to conceal, and therefore to steal
- This media may include CD-ROMs, DVDs, backup tapes and various disks such as floppy and Zip disks

Page 51: Storing Removable Media (cont.)

- Backup tapes should be securely stored at a remote location for safekeeping
- Backup tapes should be kept in a locked room to which access is limited to the authorized few, and logged
- Backup tapes should be protected from theft, but also from environmental threats such as fire and flood. They should also be protected from sprinkler systems and other fire-suppression equipment

Page 52: Storing Removable Media (cont.)

- If a tape must be disposed of, it must be sanitized before being thrown away, so that the data it contains cannot be retrieved by unauthorized users

Page 53: Secure Reuse and Disposal of Media

- The information security policy must include a section on the approved method of removing information that is no longer needed and of discarding media
- Reminder: reformatting a hard drive is not enough to destroy the data it contains! A quick format rewrites only the file system structures; the file contents stay on the platters and are recoverable with ordinary tools
- Even if a drive is defective, it is not safe to throw it away without sanitizing its contents
- Secure disposal = destroying data

Page 54: Secure Reuse and Disposal of Media (cont.)

- Zeroization: the act of overwriting each sector on each track of each platter of a hard drive with zeros
- Randomization: the act of overwriting each sector on each track of each platter of a hard drive with random data
- Special software can be purchased to sanitize hard drives before they are disposed of
- Caveat: overwriting is a technique for magnetic disks. Flash media (SSDs, thumbdrives) remap and over-provision blocks, so a host-side overwrite can leave copies of the data behind; for those, use the device's built-in secure erase or cryptographic erase, or destroy the media physically (NIST SP 800-88 gives per-media-type guidance)
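What the overwrite actually does, as an added illustration (not code from the slides or from any sanitization product): a randomization pass followed by a zeroization pass over a file image, each pass flushed and fsync'd so it reaches the device rather than sitting in the page cache, followed by a check that the seeded secret is gone. The temp file and the "ACCOUNT-NUMBER" marker are constructed stand-ins for a disk; the same routine would take a block device path such as `/dev/sdX` if run with privileges, which is why the size is found by seeking rather than with `os.path.getsize` (that returns 0 for a device node). The SSD caveat above still applies: this only proves the overwrite for media that rewrite in place.

```python
import os
import tempfile
from typing import Sequence, Tuple


def sanitize_file(path: str, passes: Sequence[str] = ("random", "zero"),
                  chunk_size: int = 1 << 20) -> int:
    """Overwrite every byte of `path` once per pass and return the size overwritten.

    "random" writes os.urandom output (randomization); "zero" writes NUL bytes
    (zeroization). Each pass is flushed and fsync'd. `path` may be a regular file
    or, with the right privileges, a whole block device; seeking to the end gives
    the size in both cases.
    """
    with open(path, "r+b", buffering=0) as f:      # unbuffered: writes go straight down
        f.seek(0, os.SEEK_END)
        size = f.tell()
        for kind in passes:
            if kind not in ("random", "zero"):
                raise ValueError(f"unknown pass type {kind!r}")
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                block = os.urandom(n) if kind == "random" else bytes(n)
                written = f.write(block)           # may be short; loop continues from there
                remaining -= written
            f.flush()
            os.fsync(f.fileno())
    return size


def contains(path: str, needle: bytes) -> bool:
    """Crude recovery check: does the raw content still hold `needle`?"""
    with open(path, "rb") as f:
        return needle in f.read()


def is_all_zero(path: str) -> bool:
    """True when the final zeroization pass covered every byte."""
    with open(path, "rb") as f:
        return not f.read().strip(b"\x00")


def demo_sanitize() -> Tuple[bool, bool, bool]:
    """Constructed scenario: a temp file standing in for a drive, seeded with a
    recognisable secret. Returns (secret found before, found after, all zero after)."""
    secret = b"ACCOUNT-NUMBER-4111-1111-1111-1111"
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(b"x" * 5000 + secret + b"y" * 3000)
        before = contains(path, secret)
        sanitize_file(path, chunk_size=4096)       # small chunks exercise the loop
        return before, contains(path, secret), is_all_zero(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo_sanitize())
```

Logging the device serial, pass count and verification result of each run gives the audit trail the next slides ask for.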

Page 55: Secure Reuse and Disposal of Media (cont.)

- The information security policy should include an inventory of all media types, along with the destruction method that applies to each type listed
- Sanitization of media can be handled in-house or outsourced. If outsourced, the 3rd-party company chosen must be reputable and legitimate, and must pass a due-diligence background check. Note that even when outsourcing, the media must be secured internally until it is picked up by the contractor for destruction

Page 56: Secure Reuse and Disposal of Media (cont.)

- Whether outsourced or not, media destruction and sanitization should be logged and an audit trail created

Page 57: Security of Media While in Transit

- All media must be secured at all times, whether on company premises or in transit
- Maintaining the security of data while in transit protects the confidentiality, integrity and availability of the data
- Media shipment can take place either as an internal process or as an outsourced process
- If outsourced, a reputable courier company must be selected to handle the shipping

Page 58: Security of Media While in Transit (cont.)

- It is recommended that the courier, whether internal or 3rd-party, use an authorized identification scheme when taking possession of, or delivering, the media
- Media must be physically protected while in transport
- Media in transport must be placed in a locked, tamper-evident container
- Media cannot simply be dropped off; it must be handed in person to an authorized recipient

Page 59: Securing Data on Publicly Available Systems

- Only unclassified information should ever be posted on a publicly available system
- Even if information is taken off the site, services such as archive.org and google.com (search caches) may still make it available for free review
- A policy should be created that clearly indicates what information is allowed to be posted on a publicly available system

Page 60: Publishing Data and Respecting the Law

- Publishing content on the Internet carries an inherent legal responsibility for the content and for the publisher
- Therefore a policy is needed that clearly dictates what content may be published to a publicly available system, in accordance with all local, state and federal laws, in order to protect the company from potential litigation

Page 61: The Need for Penetration Testing

- A machine directly connected to the Internet is automatically a potential target
- Companies must show diligence in securing these Internet-facing machines
- A pen test is a live test of the security defenses of such an Internet-facing host, run to identify which attack types the site or host is vulnerable to before an actual attack is launched

Page 62: Securing E-mail

- E-mail is, by default, an insecure way to transmit information
- Unless encryption is added to the e-mail solution, no confidential information should EVER be sent via e-mail
- The e-mail protocols themselves (SMTP, POP, IMAP) employ no encryption: unless transport encryption (TLS) between clients and servers or end-to-end encryption (S/MIME, PGP) has been added, all information is sent in clear text. Transport encryption alone still leaves the message readable on every server it passes through

Page 63: Securing E-mail (cont.)

- Employees should not commit any information to e-mail that they would not feel comfortable writing on company letterhead
- Employees must be trained to understand the risks and responsibilities associated with using e-mail as a business tool in a corporate environment

Page 64: Securing E-mail (cont.)

Like faxes, letters and phone calls, e-mails:

- Can be intercepted and read by unauthorized parties
- Can be considered a legal, binding document
- Should be considered a formal business communication tool

Page 65: Securing E-mail (cont.)

Unlike faxes, letters and phone calls:

- E-mails are routed in an unpredictable way
- E-mails are sent without "tone" and can lead to misunderstandings
- E-mails can be stored permanently for later retrieval
- It is difficult to tell whether someone else has read the content of an e-mail

Page 66: Securing E-mail (cont.)

- Outgoing attachments may contain hidden information, which senders should be aware of, especially when:
  - Forwarding an e-mail to another party
  - Using e-mails and attachments as "boilerplate"
  - Using the change-tracking feature in a word processor
  - Sending a document originally created by another author, whose name remains attached in the properties of the file being forwarded
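The last point above is concrete enough to show: a Word document is a zip package, and the author name lives in `docProps/core.xml` as `dc:creator` and `cp:lastModifiedBy`. The example below, added here and not taken from the slides, builds a minimal constructed package with those fields, reads them back, and rewrites the package with the person-naming fields emptied while every other part is copied unchanged. The package layout is the Office Open XML convention; the regex-based editing and the sample author are this example's own simplifications (a real file may carry more personal fields, and tracked changes and comments live in other parts, which this does not touch).

```python
import io
import re
import zipfile
from typing import Dict, Optional

CORE_XML = "docProps/core.xml"
# Properties in core.xml that name a person
PERSON_TAGS = ("dc:creator", "cp:lastModifiedBy")


def build_sample_docx(author: str, body: str = "Quarterly figures") -> bytes:
    """Constructed minimal Office Open XML package carrying the author fields a
    word processor writes; stand-in for a real document, not one from the slides."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties '
        'xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
        'xmlns:dc="http://purl.org/dc/elements/1.1/">'
        f'<dc:creator>{author}</dc:creator>'
        f'<cp:lastModifiedBy>{author}</cp:lastModifiedBy>'
        '</cp:coreProperties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr(CORE_XML, core)
        z.writestr("word/document.xml", f"<w:document>{body}</w:document>")
    return buf.getvalue()


def read_people(docx: bytes) -> Dict[str, Optional[str]]:
    """The person-naming properties as the recipient's word processor would show them."""
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        core = z.read(CORE_XML).decode()
    found = {}
    for tag in PERSON_TAGS:
        m = re.search(rf"<{tag}>(.*?)</{tag}>", core)
        found[tag] = m.group(1) if m else None
    return found


def read_body(docx: bytes) -> str:
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        return z.read("word/document.xml").decode()


def strip_people(docx: bytes) -> bytes:
    """Rewrite the package with the person-naming properties emptied; every other
    part is copied through byte for byte."""
    src = zipfile.ZipFile(io.BytesIO(docx))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == CORE_XML:
                text = data.decode()
                for tag in PERSON_TAGS:
                    text = re.sub(rf"<{tag}>.*?</{tag}>", f"<{tag}></{tag}>", text)
                data = text.encode()
            dst.writestr(item.filename, data)
    return buf.getvalue()


if __name__ == "__main__":
    original = build_sample_docx("Jane Doe")
    print(read_people(original))
    print(read_people(strip_people(original)))
```

The same check, run on an outgoing attachment before it leaves, is what "be aware of hidden information" amounts to in practice.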

Page 67: Securing E-mail (cont.)

- Incoming attachments may carry a malicious payload:
  - Virus
  - Worm
  - Trojan
  - Other malicious scripts
  - Hoax
- Users must be trained to be suspicious of attachments

Page 68: Securing E-mail (cont.)

Common e-mail-related mistakes:

- Hitting the wrong button: using "reply all" instead of "reply", or "forward" instead of "reply"
- Sending an e-mail to the wrong address because it is close to the intended recipient's
- Leaving an entire string of replies in an e-mail forwarded to a third person who should not have been privy to some of the information discussed in the earlier e-mails

Training users is paramount to e-mail security

Page 69: Securing E-mail (cont.)

Compromising the e-mail server

- A denial of service attack against an e-mail server is an attack on the availability of the service
- The e-mail server should be set up so that it does not allow open relay of SMTP traffic (accepting mail from anyone, addressed to anyone, and passing it on). Failure to do so has two consequences:
  - The e-mail server will be used by spammers
  - The domain name (and the server's IP address) used for e-mail will be blacklisted
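The relay decision itself, reduced to its essentials, as an added illustration (not the configuration of any particular mail server, and not code from the slides): a server should accept a recipient either because the recipient domain is its own, or because the sending client is trusted (on the internal network or authenticated); anything else is relay access denied. The `open_relay` flag models the misconfiguration the slide warns about so the two behaviours sit side by side. The sender check at the top is an extra guard this example adds against outside clients forging the company's own domain; the domain names and addresses are constructed.

```python
import ipaddress
from typing import Iterable, Tuple


class RelayPolicy:
    """Decision logic an MTA applies to each RCPT TO, reduced to its essentials."""

    def __init__(self, local_domains: Iterable[str], trusted_networks: Iterable[str],
                 open_relay: bool = False):
        self.local_domains = {d.lower() for d in local_domains}
        self.trusted_networks = [ipaddress.ip_network(n) for n in trusted_networks]
        self.open_relay = open_relay     # True models the misconfigured server

    def _is_trusted(self, client_ip: str) -> bool:
        ip = ipaddress.ip_address(client_ip)
        return any(ip in net for net in self.trusted_networks)

    @staticmethod
    def _domain(address: str) -> str:
        return address.rsplit("@", 1)[-1].lower()

    def decide(self, client_ip: str, authenticated: bool,
               mail_from: str, rcpt_to: str) -> Tuple[int, str]:
        """Return the SMTP reply (code, text) for one recipient of one message."""
        trusted = authenticated or self._is_trusted(client_ip)

        # Extra guard (this example's choice): an untrusted outside client may not
        # claim one of our own domains as the envelope sender
        if self._domain(mail_from) in self.local_domains and not trusted:
            return 550, "5.7.1 Sender address rejected: not authorized to use this domain"

        # Mail for our own users is always accepted: that is what the server is for
        if self._domain(rcpt_to) in self.local_domains:
            return 250, "2.1.5 OK, local delivery"

        # Everything below is relaying: mail from elsewhere, to elsewhere
        if self.open_relay:
            return 250, "2.1.5 OK, relaying (OPEN RELAY: anyone may send through us)"
        if trusted:
            return 250, "2.1.5 OK, relaying for trusted client"
        return 554, "5.7.1 Relay access denied"


if __name__ == "__main__":
    closed = RelayPolicy(["corp.example"], ["10.0.0.0/8"])
    print(closed.decide("203.0.113.5", False, "spam@evil.example", "victim@other.example"))
    print(closed.decide("10.0.0.8", False, "alice@corp.example", "bob@other.example"))
```

The spammer's case is the one to test on a real server: from an outside address, unauthenticated, sending to a third-party domain, the reply must be a 5xx.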

Page 70: Summary

- Day-to-day activities can have a huge impact on the security of the network and the data it contains. SOPs are important in providing a consistent framework across the company.
- Change must be managed. Incidents will occur, so the company must be ready with a plan, and employees must be trained. Information can be compromised in many ways, including through malware, removable media and attacks on publicly available servers.
- Sound backup strategies should be developed, tested, authorized and implemented. E-mail, while a fantastic business tool, is also a double-edged sword because of its inherent lack of built-in security, and must be treated as such.