Domain10 Operations Security
8/10/2019 Domain10 Operations Security
1/25
CISSP Essentials:
Mastering the Common Body of Knowledge
Class 10:
Operations security
Lecturer Shon Harris, CISSP, MCSE
President, Logical Security
-
CISSP Essentials Library:
www.searchsecurity.com/CISSPessentials
Class 10 Quiz: www.searchsecurity.com/Class10quiz
Class 10 Spotlight: www.searchsecurity.com/Class10spotlight
CISSP Essentials:
Mastering the Common Body of Knowledge
-
Operations security objectives
Operations responsibilities
Operations personnel
Configuration management
Media access protection
System recovery
Facsimile security
Vulnerability and penetration testing
Attack types
-
Computer operations
Operations responsibilities
  System administration
    Routine activities required to keep systems and networks up and running
    Fixing hardware and software issues
    Applying patches and hotfixes
    Maintaining security mechanisms
  Backups and recovery
  Media library
  Configuration management
  Controlling and maintaining remote access
  Maintaining input/output controls
  Contingency planning
  Variance detection
    Unusual or unexplained occurrences
    Deviations from standards
    Unscheduled initial program loads
  Incident handling
  Penetration testing
  Licensing issues
-
Personnel
Operators in a mainframe environment
  Monitor execution of the system
  Control flow of jobs
  Mount input/output volumes
  Initial Program Load (IPL)
  Rename/relabel resources
  Reassign ports/lines
Personnel controls
  Administrative controls
    Separation of duties
    Job rotation
    Activity logging
    Mandatory vacations
    Need-to-know
    Least privilege
These are the people with the most privileged access!
-
Security operations personnel
Security administrator
  Implements and maintains security devices and software
  Carries out security assessments
  Creates and maintains user profiles
  Implements and maintains access control mechanisms
  Configures and maintains security labels in MAC (mandatory access control) environments
  Best if this is a different role than the network administrator
  The security administrator should not report to the network administrator!
  Should report to a security officer
  Separate chains of command should exist to avoid conflicts of interest
-
Some threats to computer operations
Threats
  User errors and omissions
  Internal fraud
  Loss of system and network capabilities
  Malicious hackers
  Malicious code
  Collusion
    Two or more people coming together to carry out fraudulent activities
  Espionage
  Software and hardware malfunctions
  Physical facility or system attacks
-
Controlling change
Configuration management
  Performed after a change has been approved through a change control process
  Ensures that changes to production systems are done properly
  Ensures that changes do not take place unintentionally or unknowingly
Security issues
  Identifying, controlling, accounting for and auditing changes made to the baseline TCB (trusted computing base)
  Documentation and maintenance of documents pertaining to system and software changes
  Reflects changes in contingency plans
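The "identify, control, account for and audit changes to the baseline" point above is usually enforced with a recorded baseline that is re-checked later. The following is an added example (not code from the original course material): it hashes every file under an approved baseline, re-hashes the live tree, and reports anything modified, added or removed outside the change control process. The directory layout, file names (sshd_config, hosts.allow, cron.d) and contents are constructed for the demo.

```python
"""Added example, not part of the original slides: a baseline-and-audit
check of the kind configuration management relies on. Record a hash of
every file in the approved baseline, re-hash later, and report anything
modified, added or removed outside the change control process. The
directory layout and file contents below are constructed for the demo."""
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_snapshot(root):
    """Map each file under root (relative path) to its SHA-256."""
    snap = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            snap[os.path.relpath(full, root)] = sha256_file(full)
    return snap


def audit(baseline, current):
    """Compare the approved baseline against the live state."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Approve a baseline, then make three unapproved changes and audit."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.mkdir(etc)
        with open(os.path.join(etc, "sshd_config"), "w") as f:
            f.write("PermitRootLogin no\nPasswordAuthentication no\n")
        with open(os.path.join(etc, "hosts.allow"), "w") as f:
            f.write("sshd: 10.0.0.0/8\n")
        # The baseline would normally be signed and stored off-host;
        # here it is simply serialised to JSON.
        baseline = json.dumps(take_snapshot(root))

        # Unapproved changes: weaken sshd, remove an allow-list, add a cron job.
        with open(os.path.join(etc, "sshd_config"), "w") as f:
            f.write("PermitRootLogin yes\nPasswordAuthentication yes\n")
        os.remove(os.path.join(etc, "hosts.allow"))
        with open(os.path.join(etc, "cron.d"), "w") as f:
            f.write("* * * * * root /tmp/.x\n")

        return audit(json.loads(baseline), take_snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline itself is the weak point: if it is stored on the monitored host, whoever made the unapproved change can also update the baseline. Keep it in the configuration management repository (or sign it) and run the audit from there.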
-
Fault-tolerance mechanisms
  RAID
  Disk duplexing
  Disk shadowing (mirroring)
  Software checkpointing
  Redundant servers
  Clustering
  Backups
  Dual backbones
  Redundant power
  Mesh network topology instead of star, bus or ring
-
Backups
Online backups
  Real-time, or near real-time, backups
  Usually used for critical databases
  Electronic vaulting technology
Batch backups
  Frequency of backup depends upon how often data changes
Backing up of
  Data
  Software products
  Databases
  Utility programs
-
Backup types
Full backup
  All files are backed up
  Fastest restoration process
  Takes the longest to perform
Incremental backup
  Backs up files that have changed since the last backup (full or incremental)
  Backups can be performed quickly, but restoration takes longer
  Full backup must be restored first, and then each incremental backup in order
Differential backup
  Backs up files that have changed since the last full backup
  For restoration, the full backup is restored and then only the most recent differential backup
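The difference between incremental and differential comes down to whether a backup clears the per-file "archive bit" after capturing a file. The following is an added example, not part of the original slides, that models a week of changes against a volume and shows how many files each backup set contains and how many sets a restore needs under each scheme. File names, contents and the sequence of changes are constructed; deletions are not modelled, since real backup catalogs track those separately.

```python
"""Added example, not from the original slides: a small model of full,
incremental and differential backups driven by the per-file 'archive bit'
that most backup tools use, plus the restore chain each scheme needs.
File names, contents and the week of changes are constructed. Deletions
are not modelled; real backup catalogs track them separately."""
from copy import deepcopy


class Volume:
    """Files on a volume, plus the set of files changed since they were last captured."""

    def __init__(self):
        self.files = {}
        self.archive = set()  # names with the archive bit set

    def write(self, name, content):
        self.files[name] = content
        self.archive.add(name)


def full_backup(vol):
    """Capture everything and clear every archive bit."""
    snap = deepcopy(vol.files)
    vol.archive.clear()
    return ("full", snap)


def incremental_backup(vol):
    """Capture files changed since the last backup of any kind, then clear the bits."""
    snap = {n: vol.files[n] for n in vol.archive}
    vol.archive.clear()
    return ("incremental", snap)


def differential_backup(vol):
    """Capture files changed since the last full backup. The archive bits are
    left set, so each differential grows but restoring needs only the latest one."""
    return ("differential", {n: vol.files[n] for n in vol.archive})


def restore_chain(backups):
    """Smallest set of backup sets that rebuilds the volume: the last full,
    then every later incremental in order, or only the latest later differential."""
    last_full = max(i for i, (kind, _) in enumerate(backups) if kind == "full")
    later = backups[last_full + 1:]
    incs = [b for b in later if b[0] == "incremental"]
    diffs = [b for b in later if b[0] == "differential"]
    if incs and diffs:
        raise ValueError("do not mix incremental and differential sets after one full backup")
    return [backups[last_full]] + (incs if incs else diffs[-1:])


def restore(chain):
    """Apply the chain in order; later sets overwrite earlier copies."""
    state = {}
    for _kind, snap in chain:
        state.update(snap)
    return state


def simulate(daily):
    """Sunday full backup, then one change and one 'daily' backup on each of three days."""
    vol = Volume()
    for name in ("payroll.db", "report.doc", "notes.txt"):
        vol.write(name, "v0")
    backups = [full_backup(vol)]
    for name, version in (("payroll.db", "v1"), ("report.doc", "v1"), ("payroll.db", "v2")):
        vol.write(name, version)
        backups.append(daily(vol))
    chain = restore_chain(backups)
    return {
        "files_per_set": [len(snap) for _, snap in backups],
        "sets_to_restore": len(chain),
        "restore_matches": restore(chain) == vol.files,
    }


if __name__ == "__main__":
    print("incremental :", simulate(incremental_backup))
    print("differential:", simulate(differential_backup))
```

With the incremental scheme every daily set holds one file but the restore needs all four sets, in order; with the differential scheme the daily sets grow (1, 2, 2 files) but the restore needs only the full set plus the latest differential. Losing any one incremental set loses that day's changes for good, which is the operational reason the restore chain matters.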
-
Agenda
Remote access
Fax security
Vulnerability and penetration testing
Honeypots
-
Before carrying out vulnerability testing
Things that need to be agreed upon
  Goals of the assessment
    Evaluate the true security posture of an environment
    Identify as many vulnerabilities as possible
    Test how systems react to certain circumstances and attacks
  Written agreement from management
    Protects the tester
    Ensures there are no misunderstandings
  Explaining testing ramifications
    Vulnerable systems could be knocked offline
    Production could be negatively affected
  Results from a test are just a snapshot in time
    As the environment changes, new vulnerabilities can arise
-
Vulnerability assessments
Types of assessments
  Personnel
    Reviews employee tasks and identifies vulnerabilities
    Social engineering
    Employee policies and procedures
  Physical
    Facility and perimeter protection mechanisms
    Interior protection mechanisms
    Protection of server room, wiring closets, sensitive systems, assets, etc.
    Dumpster diving
    Protection mechanisms for man-made, natural or technical threats
  System and network
    Automated scanning product
    Identifies system vulnerabilities
    Some may attempt to exploit vulnerabilities
-
Steps in an attack
Step: Reconnaissance
  Explanation: Intelligence work of obtaining information, either passively or actively
  Example: Passively = sniffing traffic, eavesdropping. Actively = ARIN and Whois databases, examining web site HTML code, social engineering
  (Note: querying public registries such as ARIN and Whois never touches the target's own systems, so many references class it as passive rather than active reconnaissance.)
Step: Scanning
  Explanation: Identifying systems that are running and the services active on them
  Example: Ping sweeps and port scans
Step: Gaining access
  Explanation: Exploiting identified vulnerabilities to gain unauthorized access
  Example: Exploiting a buffer overflow, brute-forcing a password, logging onto a system
Step: Maintaining access
  Explanation: Uploading malicious software to ensure re-entry is possible
  Example: Installing a Trojan horse that implements a backdoor on a system
Step: Covering tracks
  Explanation: Carrying out activities to hide one's malicious activities
  Example: Deleting or modifying data in system and application logs
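The "covering tracks" step works because a plain log file carries nothing that proves a record was not edited or removed. The following is an added example, not code from the original course material, of the standard countermeasure: each log record gets an HMAC tag that also covers the previous record's tag, and the collector keeps a separate "seal" (record count and final tag). Editing, deleting or truncating then fails verification. The key, the auth-log lines and the attacker's edits are all constructed; the key and the seal must live on the log collector, not the monitored host, or an attacker with root could simply recompute the tags.

```python
"""Added example, not from the original slides: a tamper-evident log built
as an HMAC chain, so that the 'covering tracks' step (editing, deleting or
truncating log records) is detectable. The key, log lines and attacker
edits are constructed. In a real deployment the key and the seal live on
the log collector, not on the host being monitored, since an attacker with
root on that host could otherwise recompute the tags."""
import hashlib
import hmac

KEY = b"constructed-demo-key-keep-off-host"
GENESIS = b"\x00" * 32

SAMPLE_LOG = [  # constructed auth log lines
    "Jan 10 02:14:01 web01 sshd[812]: Failed password for admin from 203.0.113.7 port 51122",
    "Jan 10 02:14:05 web01 sshd[812]: Failed password for admin from 203.0.113.7 port 51122",
    "Jan 10 02:14:09 web01 sshd[812]: Accepted password for admin from 203.0.113.7 port 51122",
    "Jan 10 02:15:30 web01 sudo: admin : COMMAND=/usr/bin/rm -f /var/log/auth.log",
]


def _tag(prev, line, key):
    return hmac.new(key, prev + line.encode(), hashlib.sha256).digest()


def chain_logs(lines, key=KEY):
    """Return [(line, hex_tag)], each tag covering its line and the previous tag."""
    records, prev = [], GENESIS
    for line in lines:
        prev = _tag(prev, line, key)
        records.append((line, prev.hex()))
    return records


def seal(records):
    """What the collector stores separately: how many records, and the final tag."""
    return (len(records), records[-1][1] if records else GENESIS.hex())


def verify_chain(records, sealed, key=KEY):
    """'ok', or a message locating the first problem."""
    count, final = sealed
    prev = GENESIS
    for i, (line, tag_hex) in enumerate(records):
        expect = _tag(prev, line, key)
        if not hmac.compare_digest(expect, bytes.fromhex(tag_hex)):
            return f"chain broken at record {i}"
        prev = expect
    if len(records) != count:
        return f"truncated: sealed {count} records, found {len(records)}"
    if not hmac.compare_digest(prev, bytes.fromhex(final)):
        return "final tag does not match seal"
    return "ok"


def demo():
    records = chain_logs(SAMPLE_LOG)
    sealed = seal(records)
    edited = list(records)
    line, tag = edited[2]
    edited[2] = (line.replace("Accepted", "Failed"), tag)   # disguise the successful login
    return {
        "intact": verify_chain(records, sealed),
        "edited": verify_chain(edited, sealed),
        "deleted": verify_chain(records[:2] + records[3:], sealed),  # drop the login record
        "truncated": verify_chain(records[:3], sealed),             # drop the sudo record
        "wiped": verify_chain([], sealed),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:10s} {result}")
```

The chain alone does not catch truncation (a shortened chain still verifies up to its last record), which is why the seal is kept as well. Forwarding records to a remote syslog collector as they are written gives the same property in practice: the attacker can delete the local copy but not the one already shipped.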
-
Penetration testing
Attempting to break in
  Passive reconnaissance
    Footprinting
    Sniffing
  Perform active reconnaissance
    Scanning systems
    Map the network, and enumerate resources and accounts
  Exploit identified vulnerabilities
    Operating system and application attacks
      Buffer overflows -- remote and local
      Sending malformed packets
      Sending invalid data types
    Denial of service
  Elevate privileges
  Configure a re-entry point
    Backdoor
    Install rootkit
-
Protection mechanism - Honeypot
Honeypot
  Usually placed in a DMZ
  Must not be connected to the internal network
  Sacrificial lamb system on the network
  The goal is that hackers will attack this system instead of production systems
  Can gather data for possible prosecution
  It is enticing because many ports are open and services are running
  Could be just emulating services
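"Could be just emulating services" describes a low-interaction honeypot: a listener that answers with a plausible banner, records who connected and what they sent, and never runs the real service. The following is an added example, not code from the original course material. It binds to 127.0.0.1 so it is self-contained; the emulated banner string and the two "attacker" probes are constructed. Because nothing legitimate should ever connect to a honeypot, every recorded event is an alert in its own right.

```python
"""Added example, not from the original slides: a low-interaction honeypot
that emulates one service with a fake banner, records every connection
and the first bytes each client sends, and never runs the real service.
Bound to 127.0.0.1 so the demo is self-contained; the banner string and the
'attacker' probes are constructed."""
import datetime
import socket
import threading
import time

BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"  # emulated banner; there is no SSH server behind it


class Honeypot:
    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))      # port 0: let the OS pick a free port
        self.sock.listen(5)
        self.sock.settimeout(0.2)         # so the accept loop can notice stop()
        self.port = self.sock.getsockname()[1]
        self.events = []                  # one dict per connection
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, addr = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(1.0)
                conn.sendall(BANNER)
                try:
                    data = conn.recv(1024)
                except socket.timeout:
                    data = b""
                self.events.append({
                    "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
                    "src": f"{addr[0]}:{addr[1]}",
                    "first_bytes": data[:64].decode("latin-1"),
                })


def probe(port, payload):
    """Constructed attacker: connect, read the banner, send a client string."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as c:
        banner = c.recv(256)
        c.sendall(payload)
    return banner


def demo():
    hp = Honeypot().start()
    banner = probe(hp.port, b"SSH-2.0-libssh_0.9 scanner\r\n")
    probe(hp.port, b"GET / HTTP/1.0\r\n\r\n")   # wrong protocol for the port: still logged
    deadline = time.time() + 3
    while len(hp.events) < 2 and time.time() < deadline:
        time.sleep(0.01)
    hp.stop()
    return banner, hp.events


if __name__ == "__main__":
    banner, events = demo()
    print("banner served:", banner)
    for e in events:
        print(e)
```

In a real deployment the listener sits on its own segment with outbound traffic blocked at the firewall, which is what the slide's "must not be connected to the internal network" point protects against: a honeypot that an attacker can turn into a pivot is worse than no honeypot.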
-
Agenda
Unauthorized disclosure
  It can happen intentionally or unintentionally
  Companies need to be aware of both threats and protect themselves
Social engineering
Object reuse issues
Keyboard loggers
Emanation leakage
-
Data leakage - Social engineering
Characteristics
  Convincing people that you are authorized to access sensitive data
  Skillful lying with the goal of obtaining information
  Kevin Mitnick's attack of choice
Examples:
  Spoofing e-mail
  Impersonating a repair person to gain access to segments of the facility
  Calling an administrator impersonating a user who needs his password
  Calling users and impersonating the administrator to have them give out or change passwords
  Impersonating a law enforcement agent inquiring about certain security defenses or recent violations
-
Object reuse
Ways of implementing object reuse protection
  Degaussing
    Machine that works as a large magnet
    Applies a strong magnetic field that randomizes the magnetic domains on the media, returning the magnetic flux to its initial (zero) state
    Works only on magnetic media (hard disks, tape); it has no effect on flash memory or SSDs
  Zeroization (overwriting)
    Software tool that writes NULL values continually over the media
    Older U.S. government guidance called for multiple overwrite passes (the seven-pass scheme often attributed to DoD 5220.22-M); current guidance (NIST SP 800-88) accepts a single pass on modern magnetic disks and recommends the drive's own sanitize or cryptographic erase for SSDs, since wear leveling can leave copies the overwrite never reaches
  Physical destruction
    If media cannot be properly erased any other way
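Zeroization in software amounts to overwriting every byte of the object, forcing the writes to the device, and reading back to confirm. The following is an added example, not code from the original course material, that does this for a file and verifies the final pass. The pass schedule and the secret contents are constructed. It also illustrates the limits noted above: overwriting through the filesystem cannot reach remapped sectors, SSD blocks retired by wear leveling, or copies held by journaling and copy-on-write filesystems, so on such media the drive's own sanitize command, cryptographic erase or physical destruction is the right control.

```python
"""Added example, not from the original slides: a software 'zeroization'
pass over a file, with the result read back and verified. The pass schedule
and the secret content are constructed. Overwriting through the filesystem
does not reach remapped sectors, SSD/flash blocks retired by wear leveling,
or copies kept by journaling and copy-on-write filesystems; for those, use
the drive's sanitize / cryptographic erase (NIST SP 800-88) or destroy the
media."""
import os
import tempfile

# Constructed three-pass schedule: zeros, ones, zeros. The slide's "seven
# passes" reflects older guidance; NIST SP 800-88 accepts a single pass on
# modern magnetic disks.
PASSES = [b"\x00", b"\xff", b"\x00"]
CHUNK = 64 * 1024


def overwrite_file(path, passes=PASSES):
    """Overwrite every byte of the file with each pattern in turn, forcing the
    data out of the page cache after each pass. Returns the byte count."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in passes:
            f.seek(0)
            left = size
            while left:
                n = min(CHUNK, left)
                f.write(pattern * n)
                left -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def verify_pattern(path, pattern):
    """True if every byte of the file equals the single-byte pattern."""
    with open(path, "rb") as f:
        while True:
            block = f.read(CHUNK)
            if not block:
                return True
            if block != pattern * len(block):
                return False


def demo():
    """Write a constructed secret, overwrite it, confirm nothing readable is
    left through the filesystem, then unlink the file."""
    secret = b"TOP SECRET payroll export\n" * 5000   # 130000 bytes, spans several chunks
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(secret)
    size = overwrite_file(path)
    with open(path, "rb") as f:
        residue = f.read()
    verified = verify_pattern(path, PASSES[-1])
    os.remove(path)
    return {
        "bytes": size,
        "verified": verified,
        "secret_readable": b"TOP SECRET" in residue,
        "removed": not os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo())
```

The read-back check only proves what the filesystem now returns for that file; it says nothing about earlier physical copies of the blocks. Treat a passing verification as "cleared" (safe to reuse within the same trust domain), not as "sanitized" for release of the media.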
-
Data leakage - Keystroke logging
Keystroke monitoring
  Software logger tools
    After a system is compromised, a logger can be uploaded
    Data (usually credentials) is saved for the attacker or sent to the attacker for unauthorized access
  Physical loggers
    Connector between keyboard and computer
    Holds all data that the user types in
    Attacker plants the logger and retrieves it at a later time
-
Controlling data leakage - TEMPEST
TEMPEST
  U.S. government study of how data can be leaked and captured through electrical signals (electromagnetic emanations)
  TEMPEST went from a study to a standard for equipment vendors
  Equipment has a metal mesh to reduce the device's radiation
    Faraday cage
  TEMPEST equipment is expensive and specialized
  Selling and purchasing this type of equipment is highly controlled by the government
-
CISSP Essentials:
Mastering the Common Body of Knowledge
Lecturer Shon Harris, CISSP, MCSE
President, Logical Security
www.LogicalSecurity.com
Register for previous classes at the CISSP Essentials Library:
www.searchsecurity.com/CISSPessentials