Operations Security is concerned with threats to a production operating environment.
So operations security is about people, data, media, hardware, and the threats associated with each of these in a production environment.
One fundamental aspect of operations security is ensuring that controls are in place to inhibit people either inadvertently or intentionally compromising the confidentiality, integrity, or availability of data or the systems and media holding that data. Administrative Security provides the means to control people’s operational access to data.
Administrative personnel controls :
- least privilege – the principle of least privilege dictates that persons have no more than the access that is strictly required for the performance of their duties.
- need to know – only people with a valid need to know certain information in order to perform their job functions, should have access to that information.An extension to the principle of least privilege in MAC environments is the concept of compartmentalization. Compartmentalization, a method for enforcing need to know, goes beyond the mere reliance upon clearance level and necessitates simply that someone requires access to information.
- separation of duties – prescribes that multiple people are required to complete critical or sensitive transactions.The goal of separation of duties is to ensure that in order for someone to be able to abuse their access to sensitive data or transactions; they must convince another party to act in concert. Collusion is the term used for the two parties conspiring to undermine the security of the transaction.
- rotation of duties – also known as job rotation or rotation of responsibilities, provides an organization with a means to help mitigate the risk associated with any one individual having too many privileges.Rotation of duties simply requires that critical functions or responsibilities are not continuously performed by the same single person without interruption.
- mandatory leave – an additional operational control that is closely related to rotation of duties is that of mandatory leave, also known as forced vacation.
- non-disclouse agreement (NDA) – is a work-related contractual agreement that ensures that, prior to being given access to sensitive information or data, an individual or organization appreciates their legal responsibility to maintain the confidentiality of sensitive information.
- background checks – also known as background investigations or preemployment screening; are an additional administrative control commonly employed by many organizations.
Sensitive information/media security
Wherever the data exists, there must be processes that ensure the data is not destroyed or inaccessible (a breach of availability), disclosed, (a breach of confidentiality) or altered (a breach of integrity).
Perhaps the most important step in media security is the process of locating sensitive information, and labeling or marking it as sensitive.
People handling sensitive media should be trusted individuals who have been vetted by the organization.
When storing sensitive information, it is preferable to encrypt the data. Encryption of data at rest greatly reduces the likelihood of the data being disclosed in an unauthorized fashion due to media security issues.
The term data remanence is important to understand when discussing media sanitization and data destruction. Data remanence is data that persists beyond noninvasive means to delete it.
Wiping, also called overwriting or shredding, writes new data over each bit or block of file data.
By introducing an external magnetic field through use of a degausser, the data on magnetic storage media can be made unrecoverable.
- Patch management – One of the most basic, yet still rather difficult, tasks associated with maintaining strong system security configuration is patch management, the process of managing software updates.
- Vulnerability management – Vulnerability scanning is a way to discover poor configurations and missing patches in an environment. While it might seem obvious, it bears mentioning that vulnerability scanning devices are only capable of discovering the existence of known vulnerabilities. The term vulnerability management is used rather than just vulnerability scanning to emphasize the need for management of the vulnerability information.
- Change management – In order to maintain consistent and known operational security, a regimented change management or change control process needs to be followed. The purpose of the change control process is to understand, communicate, and document any changes with the primary goal of being able to understand, control, and avoid direct or indirect negative impact that the change might impose.
Continuity of operation
Three basic types of backups exist:
- full backup – is the easiest to understand of the types of backup; it simply is a replica of all allocated data on a hard disk. Full backups contain all of the allocated data on the hard disk, which makes them simple from a recovery standpoint in the event of a failure.
- incremental backup – one alternative to exclusively relying upon full backups is to leverage incremental backups. Incremental backups only archive files that have changed since the last backup of any kind was performed. Since fewer files are backed up, the time to perform the incremental backup is greatly reduced.
- differential backup – while the incremental backup only archived those files that had changed since any backup, the differential method will back up any files that have been changed since the last full backup.
The goal of a Redundant Array Inexpensive Disks (RAID) is to help mitigate the risk associated with hard disk failures.
Three terms that are important to understand with respect to RAID are:
- mirroring – is the most obvious and basic of the fundamental RAID concepts, and is simply used to achieve full data redundancy by writing the same data to multiple hard disks.
- striping – is a RAID concept that is focused on increasing the read and write performance by spreading data across multiple hard disks. With data being spread amongst multiple disk drives, reads and writes can be performed in parallel across multiple disks rather than serially on one disk.
- parity – is a means to achieve data redundancy without incurring the same degree of cost as that of mirroring in terms of disk usage and write performance.
RAID 0: Striped Set As is suggested by the title, RAID 0 employs striping to increase the performance of read and writes. By itself, striping offers no data redundancy so RAID 0 is a poor choice if recovery of data is the reason for leveraging RAID.
RAID 1: Mirrored Set This level of RAID is perhaps the simplest of all RAID levels to understand. RAID 1 creates/writes an exact duplicate of all data to an additional disk. The write performance is decreased, though the read performance can see an increase.
RAID 2: Hamming Code RAID 2 is not considered commercially viable for hard disks and is not used. This level of RAID would require either 14 or 39 hard disks and a specially designed hardware controller, which makes RAID 2 incredibly cost prohibitive. RAID 2 is not likely to be tested.
RAID 3: Striped Set with Dedicated Parity (byte level) Striping is desirable due to the performance gains associated with spreading data across multiple disks. However, striping alone is not as desirable due to the lack of redundancy. With RAID 3 data, at the byte level, is striped across multiple disks, but an additional disk is leveraged for storage of parity information, which is used for recovery in the event of a failure.
RAID 4: Striped Set with Dedicated Parity (block level) RAID 4 provides the exact same configuration and functionality as that of RAID 3, but stripes data at the block, rather than byte, level.
RAID 5: Striped Set with Distributed Parity One of the most popular RAID configurations is that of RAID 5, Striped Set with Distributed Parity. Again with RAID 5 there is a focus on striping for the performance increase it offers, and RAID 5 leverages a block level striping. Like RAIDs 3 and 4, RAID 5 writes parity information that is used for recovery purposes. However, unlike RAIDs 3 and 4, which require a dedicated disk for parity information, RAID 5 distributes the parity information across multiple disks.
RAID 6: Striped Set with Dual Distributed Parity While RAID 5 accommodates the loss of any one drive in the array, RAID 6 can allow for the failure of two drives and still function. This redundancy is achieved by writing the same parity information to two different disks.
The most common example of this in-built redundancy is systems or devices which have redundant onboard power in the event of a power supply failure. In addition to redundant power, it is also common to find redundant network interface cards (NICs), as well as redundant disk controllers.
Some applications and systems are so critical that they have more stringent uptime requirements than can be met by standby redundant systems, or spare hardware. These systems and applications typically require what is commonly referred to as a high-availability (HA) or failover cluster. A high-availability cluster employs multiple systems that are already installed, configured, and plugged in, such that if a failure causes one of the systems to fail then the other can be seamlessly leveraged to maintain the availability of the service or application being provided.
Incident response management
Incident handling or incident response are the terms most commonly associated with how an organization proceeds to identify, react, and recover from security incidents.
Computer Security Incident Response Team (CSIRT) is a term used for the group that is tasked with monitoring, identifying, and responding to security incidents.
Phases of incident responses :
- detection – one of the most important steps in the incident response process is the detection phase. Detection is the phase in which events are analyzed in order to determine whether these events might comprise a security incident.
- containment – is the point at which the incident response team attempts to keep further damage from occurring as a result of the incident.This phase is also typically where a binary (bit by bit) forensic backup is made of systems involved in the incident.
- eradication – involves the process of understanding the cause of the incident so that the system can be reliably cleaned and ultimately restored to operational status later in the recovery phase.
- recovery – involves cautiously restoring the system or systems to operational status.
- reporting – is the one most likely to be neglected in immature incident response programs. This fact is unfortunate because the reporting phase, if done right, is the phase that has the greatest potential to effect a positive change in security posture. The goal of the reporting phase is to provide a final report on the incident, which will be delivered to management.