CISSP - Security Operations Tutorial

1 Domain 07—Security Operations

Hello and welcome to Domain 7 of the CISSP certification course offered by Simplilearn. This domain provides an introduction to Security Operations. Let us explore the objectives of this domain in the next screen.

2 Objectives

After completing this domain, you will be able to:
- Discuss how to conduct logging and monitoring activities.
- Describe the concepts of foundational security operations.
- Discuss how to conduct incident response.
- Explain how to implement recovery strategies.

Let us discuss a scenario highlighting the importance of security operations in the next screen.

3 Importance of Security Operations—Case Study

Kevin, as a part of his preparation for the CISSP exam, read the Operational Security policy of Nutri Worldwide Inc. There were clear guidelines on the operations. One of these was an escalation matrix that listed the steps that operations personnel should follow when they do not have the authorization to perform a specific action. The policy also clearly outlined the roles and responsibilities, and the level and scope of the operations personnel’s authorization. It also defined the disciplinary actions to be taken in case of breaches. Kevin understood that an important role the policy played was to act as a deterrent against deliberate misconfigurations. Let us discuss the concepts of investigations in the following screen.

4 Introduction to Investigations

Investigation refers to the process of investigating something or someone. Information is an asset and has a value attached. With the rise in crimes related to information, organizations are advised to have experts who can investigate computer-related crimes. Digital investigations cover all crimes that use computers and related technologies and where the evidence exists in electronic or digital form, in storage or on the wire. Investigation of computer crime is also known as computer forensics, i.e., information is collected from a computer system in such a way that it is admissible in a court of law. We will understand investigation challenges in the next screen.

5 Investigation Challenges

Due to the nature of information that is stored on the computer, investigating and prosecuting computer criminal cases have unique issues. Some of the common investigation challenges faced by the investigators are as follows: Investigators and prosecutors have a compressed period for the investigation. The information is intangible. There may be difficulty in gathering the evidence. The investigation may interfere with the normal conduct of the business of an organization. Data associated with the criminal investigation may be located on a common computer, which is used for the normal conduct of business. In many instances, an expert or specialist is required to retrieve data. Locations involved in the crime may be geographically separated by long distances and lie in different jurisdictions. This may result in differences in laws, attitudes towards computer crimes, or definitions of computer crimes, as well as difficulty in obtaining search warrants, lack of cooperation, etc. In the next screen, we will discuss the primary activities of an investigation.

6 Investigations—Primary Activities

An investigator performs the following primary activities at the start of an investigation:

The first activity is to identify and gather evidence, which means correctly identifying the crime scene, the evidence, and potential containers of evidence. Some of the important considerations are: the size of the storage may be a big challenge, as there is a lot of data to examine; determining the starting point of an investigation, such as emails, web accesses, stored data, inappropriate access, etc.; and gathering evidence and following the lead.

The next activity is to preserve evidence. Some ways to preserve evidence are copying hard drives and capturing the contents of memory on a running system or the main storage on a mobile device such as a smartphone. The forensic investigator must follow several principles of evidence preservation, including recordkeeping, use of reliable tools, evidence safekeeping, working in isolation, etc.

The third activity is to establish a chain of custody. Whenever evidence is created, moved, stored, or transferred to another custodian, proper records must be kept and the evidence must be safeguarded to ensure its integrity.

The last activity is to present findings. This means interpreting the output from the examination and analysis based on findings of fact and articulating these in a format appropriate for the intended audience, such as a court brief, executive memo, or report. The findings may: explain the reason for the investigation; show the chain of evidence; detail the data that was found and what it means; and contain only the facts, with no speculation or anything about motives.

We will cover evidence in the following screen.

7 Crime Scene

A crime scene is the environment where the potential evidence may exist. The security professional must understand the crime scene before starting to identify and collect the evidence. Some of the best practices for evidence handling at a crime scene are: identifying the crime scene, protecting the environment, identifying evidence, identifying potential sources of evidence, collecting evidence, and reducing the degree of contamination. Only individuals with adequate knowledge of crime scene analysis should be allowed to handle the crime scene. As the evidence is very critical, the individual must follow a proper documentation process. This ensures a minimum amount of disruption, corruption, or destruction of evidence. Let us discuss forensic investigation guidelines in the following screen.

8 Forensic Investigation Guidelines

A forensic investigator must act in an ethical, diligent, and careful way while investigating a computer crime. Any improper act may hamper the investigation process, and the evidence may not be accepted in a court of law. Many international entities have developed best practices and guidelines. The following are the best practices for investigation developed by the Australian Computer Emergency Response Team, or AusCERT: minimize handling or corruption of original data; account for any changes and keep detailed logs of your actions; comply with the five rules of evidence; do not exceed your knowledge; follow local security policy and obtain written permission; capture as accurate an image of the system as possible; be prepared to testify; ensure actions are repeatable; work fast and proceed from volatile to persistent evidence; and do not run any programs on the affected system. Let us take a look at the incident response terminologies in the following screen.

9 Incident Response Terminologies

The common incident response terminologies are as follows:

An event is an observable change to the normal behavior of a system, environment, process, workflow, or person. There are three basic types of events:

Normal. A normal event does not affect critical components or require change controls prior to the implementation of a resolution. Normal events do not require the participation of senior personnel or management notification of the event.

Escalation. An escalated event affects critical production systems or requires the implementation of a resolution that must follow a change control process. Escalated events require the participation of senior personnel and stakeholder notification of the event.

Emergency. An emergency is an event that may impact the health or safety of human beings and breach primary controls of critical systems. It could materially affect component performance or, because of the impact on component systems, prevent activities that protect or may affect the health or safety of individuals. The event may be deemed an emergency as a matter of policy or by declaration of the available incident coordinator. Computer security and information technology personnel must handle emergency events according to a well-defined computer security incident response plan.

An incident is an adverse event or series of events that negatively affects the company, impacts its security posture, or impacts the security or ability of an organization to conduct normal business, and that requires a methodological approach to manage.

Incident response is the practice of detecting a problem, determining its cause, minimizing the damage, resolving the problem, and documenting each step of the response for future reference.

We will understand the incident response goals in the next screen.

10 Incident Response Goals

The major goals of incident response are: To reduce the potential impact to the organization by providing an effective and efficient means of dealing with the situation; To provide management with sufficient information to decide on an appropriate course of action; To maintain or restore business continuity; To defend against future attacks; and To deter attacks through investigation and prosecution. We will look into the incident response team in the next screen.

11 Incident Response Team

An incident response team or emergency response team (ERT) is a group of people who prepare for and respond to any emergency incidents, such as a natural disaster or an interruption of business operations. Incident response teams are common in corporations as well as in public service organizations. This team is generally composed of specific members designated before an incident occurs, although under certain circumstances the team may be an ad-hoc group of willing volunteers. Incident response team members are trained and prepared to fulfill the roles required by the specific situation, for example, to serve as incident commander in the event of a large-scale public emergency. Individual team members can be trained in various aspects of the response, such as medical assistance or first aid, hazardous materials spills, hostage situations, information systems attacks, or disaster relief. The team already has a defined protocol or set of actions to perform to mitigate the negative effects of the incident. The incident response team should have the following basic items available: a list of outside agencies and resources to contact or report to; outlined roles and responsibilities; a call tree to contact the defined roles and outside entities; detailed steps on how to secure and preserve evidence; a list of items that should be included in the report for management and the courts; and a description of how the different systems should be treated in a particular situation, for example, that the systems should be removed from both the Internet and the network and powered down. In the following screen, we will discuss incident response procedures.

12 Incident Response Procedures

Security incident response should follow a structured model, so that staff and management will not overlook important steps as the incident plays out. The phases of security incident response are as follows: Incident Declaration, Triage Phase, Investigative Phase, Containment Phase, Analysis and Tracking Phase, Recovery and Repair Phase, and Post Incident Phase.

The first phase is Incident Declaration. A security incident will be declared when trained individuals become aware that a policy violation has occurred. Security incidents can be triggered by several events, including:

Apparent malfunctions or outages. System malfunctions, slowness, or failures that are initially attributed to defects may actually be the actions of malware or an attacker. The organization will realize this only after evaluation by an engineer.

Threat or vulnerability alerts. The nature of a specific threat or vulnerability alert received from a product vendor or security organization may prompt the declaration of a security incident, if the threat is thought to be active or imminent.

News media. On occasion, an organization learns about a security incident in its own environment through the news media.

Customer notification. A user or customer may be experiencing difficulties that may be caused by a security policy violation.

The second phase is the Triage Phase. When an event has been reported by employees or detected by automated security controls, the first stage carried out by the incident response team is triage. The triage phase is very similar to the triage conducted by medics when treating people who are injured. Information is collected to investigate the incident's severity and set priorities on how to deal with it. This begins with an initial screening of the reported event. A member of the incident response team should be responsible for reviewing an alert to determine if it is a real incident or a false positive. If the event is a real incident, it should be categorized according to its level of potential risk, its source (internal or external), its rate of growth, and the ability to contain the damage. This determines the notifications that are required during the escalation process and sets the scope and procedures for the investigation.

13 Incident Response Procedures (contd.)

The triage and investigative phases are concerned with the identification of evidence that will lead the response team closer to knowledge of the incident’s root cause. Investigation is the closer study of information that is thought to be related to the cause of the incident, whereas triage is the search for substantive information. Containment phase is performed to halt the incident and to prevent its spread. In some cases, containment may be performed in stages, sometimes early in the incident in the form of disconnecting a system from the network, and again later in the form of stopping unwanted processes. The response team may need to take its last forensic samples prior to commencing containment activities that may alter the pristine or pre-action state of the system. Analysis and tracking phase is a deeper study of the information that is directly related to the incident. Analysis helps to determine the actual cause for the incident. Another important objective of analysis is the determination of the steps needed to begin containment and recovery operations.

14 Incident Response Procedures (contd.)

Recovery and repair phase is the process of restoring a system to its pre-incident condition. Depending upon the nature of the incident, recovery may involve one or more of the following activities: repairing or replacing hardware; reinstalling operating system or application software; reconfiguring operating system or application software; removing unwanted programs and data; and restoring damaged or missing data from backup media.

15 Incident Response Procedures (contd.)

The final phase of security incident response is the post incident phase, which is the debriefing of the response team and management. The purpose of the debriefing is to reflect on the incident itself and the organization’s response to it, and to learn from these activities. Some of the improvements that can be identified in the debriefing include: weaknesses of the technical architecture; defects in a technical control; weaknesses of business processes and procedures; and ways to improve security incident response handling.

16 Business Scenario

One of the critical firewalls of Nutri Worldwide Inc. had failed. The users were unable to log in to the company’s web application. The company had implemented an incident management process a few years back. Kevin Butler, Security Administrator, was assigned the task of resolving the issue. He began working on the task and came to know that a similar kind of incident had happened a year back and the problem was successfully resolved. He then tried to resolve the issue by trial and error, as the solution was not documented. The issue was escalated to the next level as he was unable to resolve it within the given time frame. Question: Which important step of the incident response procedure was missed when the earlier issue was handled? Answer: The Post Incident phase or Domains Learnt step was probably missing as the documentation of the resolution was absent.

17 Evidence

The exact requirements for the admissibility of evidence vary across legal systems and between different cases. At a more generic level, evidence should have some probative value, be relevant to the case at hand, and meet the following criteria, often called the five rules of evidence: evidence should be authentic; evidence should be accurate; evidence should be complete; evidence should be convincing; and evidence should be admissible in a court of law. If a piece of evidence is found to be sufficient, reliable, and relevant to the case, it must also be legally permissible, which means that it was obtained in a legal manner. To be sufficient, it must be persuasive enough to convince a reasonable person of the validity of the evidence. To be reliable or competent, it must be consistent with the facts, that is, factual and not circumstantial. The evidence must not have been tampered with or modified. Relevant evidence must have a reasonable and sensible relationship to the findings. Evidence is relevant when it is related to the crime, it can provide information describing the crime, it can provide information regarding the motives of the perpetrator, it can verify what has occurred, or it can determine the time of occurrence of the crime. In the next screen, we will discuss the evidence lifecycle.

18 Evidence Lifecycle

The gathering, control, storage, and preservation of evidence are extremely critical in any legal investigation. The major types of computer evidence are computer printouts, plotter outputs, display screens, and magnetic or optical storage. The evidence life cycle covers the evidence gathering and application process. This life cycle has the following components: Discovery and recognition of the evidence. Protection of the evidence. Recording or proper documentation of the evidence. Collection or proper storage of the evidence; this involves the following activities: collect all relevant storage media, make an image of the hard disk before removing power, print out the screen, and avoid degaussing equipment. Identification of the evidence by tagging or marking it. Preservation of the evidence, which is very important to ensure the protection of the collected evidence; this can be done by protecting the magnetic media from erasure and storing the evidence in a proper and safe environment. Transportation of the evidence from storage to the court of law. Presentation in the court of law. Returning the evidence to the owner. We will cover the major components of the chain of evidence in the following screen.

19 Chain of Evidence

As the evidence involved in a computer crime may be intangible and subject to easy modification without a trace, evidence must be carefully handled and controlled throughout its entire life cycle. Specifically, there is a chain of evidence that one must follow and protect. The major components of the chain of evidence are as follows: the location of the evidence when obtained; the time the evidence was obtained; identification of the individual(s) who discovered the evidence; identification of the individual(s) who secured the evidence; and identification of the individual(s) who controlled the evidence and the individual(s) who maintained possession of that evidence. Chain of custody shows how evidence was collected, analyzed, transported, and preserved, to be presented as evidence in court. It helps protect the integrity and reliability of the evidence. It is the effective process of documenting the complete journey of the evidence during the life of the case, and it shows control of the evidence from the time it is collected to the time it is presented in court. In the next screen, we will discuss the types of evidence.
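The following is an added example, not part of the original tutorial: a sketch of a custody log that records the components listed above (location, time, and the people who discovered, secured, and took possession of the evidence) and makes silent modification detectable. The class name, field names, evidence ID, and people are hypothetical; the "disk image" is a constructed byte string.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash value used by the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only custody record for one evidence item (hypothetical design)."""

    def __init__(self, evidence_id: str, image: bytes):
        self.evidence_id = evidence_id
        # Digest taken at acquisition; every later check compares against it.
        self.evidence_sha256 = sha256_hex(image)
        self.entries = []

    @staticmethod
    def _digest(entry: dict) -> str:
        # Hash every field except the stored hash itself, in a stable order.
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def record(self, when, action, person, location):
        """Add who did what, when and where, linked to the previous entry."""
        entry = {
            "evidence_id": self.evidence_id,
            "evidence_sha256": self.evidence_sha256,
            "when": when,
            "action": action,
            "person": person,
            "location": location,
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def first_broken_entry(self) -> int:
        """Index of the first altered or out-of-order entry, or -1 if intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev_hash"] != prev or entry["entry_hash"] != self._digest(entry):
                return i
            prev = entry["entry_hash"]
        return -1

    def evidence_unchanged(self, image: bytes) -> bool:
        """True if the image still matches the digest taken at acquisition."""
        return sha256_hex(image) == self.evidence_sha256


def demo():
    image = b"constructed stand-in for a forensic disk image"
    log = CustodyLog("EV-0001", image)
    log.record("2024-01-10T09:15:00Z", "discovered", "First Responder A", "Server room, rack 4")
    log.record("2024-01-10T09:40:00Z", "secured", "Investigator B", "Server room, rack 4")
    log.record("2024-01-10T11:05:00Z", "took possession", "Custodian C", "Evidence locker 2")

    intact = log.first_broken_entry()            # chain as recorded
    same = log.evidence_unchanged(image)         # image as acquired
    log.entries[1]["person"] = "Someone Else"    # undocumented edit to the record
    broken_at = log.first_broken_entry()
    altered_detected = not log.evidence_unchanged(image + b"\x00")
    return intact, same, broken_at, altered_detected


if __name__ == "__main__":
    print(demo())
```

The hash chain only detects edits to individual entries; someone able to rewrite the whole log could recompute every hash, so the latest entry hash would also need to be signed or stored somewhere the custodians cannot change.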

20 Types of Evidence

Legal evidence can be classified into the following types:

Best evidence is the original or primary evidence. Courts prefer the best evidence possible. Original documents, for example, signed contracts, are preferred over copies. Evidence should be relevant, authentic, accurate, complete, and convincing. The best evidence rule prefers evidence that meets these criteria.

Secondary evidence, when compared to the best evidence, is not viewed as reliable and strong in proving innocence, guilt, or liability in civil cases. Oral evidence, such as a witness’s testimony, and copies of original documents are placed in the secondary evidence category.

Direct evidence can prove a fact all by itself and does not need backup information to refer to. When direct evidence is used, presumptions are not required. An example of direct evidence is the testimony of a witness who saw a crime occur. Although this oral evidence would be secondary in nature, i.e., a case could not rest on it alone, it is also direct evidence, i.e., the lawyer does not necessarily need to provide other evidence to back it up. Direct evidence is often based on information gathered from a witness’s five senses.

Conclusive evidence is irrefutable and cannot be contradicted. Conclusive evidence is strong by itself and does not require corroboration.

Circumstantial evidence can prove an intermediate fact that can then be used to deduce or assume the existence of another fact. This type of fact is used so that the judge or jury can logically assume the existence of a primary fact. For example, if a suspect told a friend that he was going to bring down eBay’s website, a case could not rest on that piece of evidence alone because it is circumstantial. However, this evidence can cause the jury to assume that, because eBay’s website crashed hours later, the suspect could be considered the one who committed the crime.

Corroborative evidence is supporting evidence used to help prove an idea or point. It cannot stand on its own; it is used as a supplementary tool.

The opinion rule dictates that the witness must testify to the facts of the issue only and not her opinion. This is different for expert witnesses, where the expert is used primarily for her educated opinion. Most lawyers call in expert witnesses to testify and help the defending or prosecuting sides. Expert witnesses can help the jury to understand the case better. The following are the two types of opinions: an expert who can offer an opinion based on personal expertise and facts, and a non-expert who can testify only to facts.

Hearsay evidence, or third-party evidence, is not based on personal, firsthand knowledge of the witness, but is obtained from another source. Under the U.S. Federal Rules of Evidence (803), hearsay evidence is generally not admissible in court. Computer-generated records and other business records fall under the category of hearsay evidence because these records cannot be proven accurate and reliable. This inadmissibility is known as the hearsay rule. However, there are certain exceptions to the hearsay rule for records that are: made during the regular conduct of business and authenticated by witnesses familiar with their use; relied upon in the regular course of business; made by a person with knowledge of the records; made by a person with information transmitted by a person with knowledge; made at or near the time of occurrence of the act being investigated; and in the custody of the witness on a regular basis.

In the next screen, we will understand the role of computer forensics.

21 Computer Forensics Procedure

Computer forensics is the standardized way of doing scientific analysis and examination of data held on or retrieved from computer storage media, such that the information will be admissible as evidence in a court of law. An investigator can perform various assessments using computer forensics: digital forensic assessments, such as media analysis, disk imaging, cross-drive analysis, content analysis, live analysis, steganography, etc.; network analysis, which includes analysis of network logs and network activity for use as potential evidence from email, etc.; and software analysis, such as reverse engineering of code that was used to perform the attack, malicious code review, what’s left over after the attack, and exploit review to check which files were damaged and what data was taken.

22 Requirements for Investigation Types

A security practitioner must understand certain requirements of the investigative phases, such as: First Responder’s role: The role of the First Responder in any computer crime is very crucial, as evidence is mostly intangible. Precautions must be taken to ensure that the data is not modified or deleted from the system or media, accidentally or intentionally. To maintain the viability of the case in a court of law, the First Responder should exercise due care during search and seizure of computer equipment. Information: Information about the crime plays a vital role in any investigation process. Accumulation of information is the most critical component of investigating computer crime. Instrumentation: Instrumentation in computer crimes involves finding inconsistencies by tracking and analyzing records and logs. Interviewing: Interviewing is the process that helps the investigator gain insight into the motives and possibly the techniques employed in executing the computer crime. Let us discuss logging and monitoring activities in the following screen.

23 Logging and Monitoring Activities

Maintaining the desired security posture in an organization is important for a security practitioner. It can be achieved by employing defense-in-depth through policies, technologies, and processes. There are many tools that can help the security practitioner assess the security posture of the organization. The following can be used for proper logging and monitoring activities: Intrusion Detection and Prevention, Security Information and Event Management (SIEM), Continuous Monitoring, and Egress Monitoring. Let us discuss Intrusion Detection System in the following screen.

24 Intrusion Detection System

Intrusion Detection Systems (IDSs) are different from traditional firewall products as they are designed to detect a security breach. Intrusion detection is the process of detecting an unauthorized use of, or attack upon, a computer, network, or telecommunications infrastructure. IDSs are designed to aid in mitigating the damage caused by hacking, or breaking into sensitive computer and network systems. The intent of the IDS tool is to spot suspicious activity on the network and sound an alarm by flashing a message on the network manager’s screen, possibly sending a page, or even reconfiguring a firewall’s ACL setting. The IDS tools can look for sequences of data bits that might indicate a questionable action or event, or monitor system log and activity recording files. Although different types of IDS products are available, they all have three common components: sensors, analyzers, and administrator interfaces. The sensors collect traffic and user activity data and send them to an analyzer, which looks for suspicious activity. If the analyzer detects activity that it is programmed to deem suspicious, it sends an alert to the administrator’s interface. IDSs come in two main types: network-based, which monitors network communications, and host-based, which can analyze the activity within a particular computer system. A Network-based IDS (NIDS) uses sensors, which are host computers with the necessary software installed or dedicated appliances, each with its Network Interface Card (NIC) in promiscuous mode. When an NIC is put into promiscuous mode, the NIC driver captures all traffic, makes a copy of all packets, and passes one copy to the TCP stack and another copy to an analyzer to look for specific patterns. An NIDS monitors network traffic and cannot “see” the activity going on inside a computer. To monitor the activities within a computer system, a company would need to implement a host-based IDS.
A Host-based IDS (HIDS) can be installed on individual workstations and/or servers to watch for inappropriate or anomalous activity. HIDSs are usually used to ensure users do not delete system files, reconfigure important settings, or put the system at risk in any other way. Whereas the NIDS understands and monitors the network traffic, a HIDS’s universe is limited to the computer. A HIDS does not understand or review network traffic, and a NIDS does not “look in” and monitor a system’s activity. Each has its own job and they don’t interfere with the other.

HIDS and NIDS can be one of the following types:

Signature based - Knowledge is accumulated by the IDS vendors about specific attacks and how they are carried out. Models of how the attacks are carried out are developed and are called signatures. Each identified attack has a signature, which is used to detect an attack in progress or determine if one has occurred within the network. Signature-based IDSs are the most popular IDS products today, and their effectiveness depends upon regularly updating the software with new signatures, as with antivirus software.

Statistical anomaly - A statistical anomaly based IDS is a behavioral-based system. Behavioral-based IDS products do not use predefined signatures, but rather are put in a learning mode to build a profile of an environment’s “normal” activities. After this profile is built, all future traffic and activities are compared to it. Anything that does not match the profile is seen as an attack, in response to which the IDS sends an alert.

Protocol anomaly - Unusual format or behavior of protocols.

Traffic anomaly - Most behavioral-based IDSs have traffic anomaly–based filters, which detect changes in traffic patterns, as in DoS attacks or a new service that appears on the network. Once a profile is built that captures the baselines of an environment’s ordinary traffic, all future traffic patterns are compared to that profile.
Rule based - In a rule-based IDS, which is founded on an expert system, the IDS gathers data from a sensor or log, and the inference engine applies its preprogrammed rules to it. If the characteristics of the rules are met, an alert or solution is provided.

Stateful matching - In a state-based IDS, the initial state is the state prior to the execution of an attack, and the compromised state is the state after successful penetration. The IDS has rules that outline which state transition sequences should sound an alarm. The activity that takes place between the initial and compromised state is what the state-based IDS looks for, and it sends an alert if any of the state-transition sequences match its preconfigured rules.

Model based - Models of attack scenarios are built, and then captured data is compared to the models to uncover malicious activities.

In the next screen, we will look at Intrusion Prevention System.
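The following is an added example, not part of the original tutorial, that puts the signature-based and statistical (traffic) anomaly types described above side by side on the same constructed traffic. The signature patterns, request strings, baseline counts, and the three-standard-deviation threshold are all assumptions chosen for illustration.

```python
import re
import statistics
from collections import Counter

# Constructed signatures: each known pattern has a name, as a vendor rule would.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./\.\./"),
    "sql-tautology": re.compile(r"'\s*or\s*'?1'?\s*=\s*'?1", re.IGNORECASE),
}


def signature_alerts(events):
    """Signature based: alert only when a request matches a known pattern."""
    alerts = []
    for ev in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(ev["request"]):
                alerts.append((ev["minute"], name))
    return alerts


class TrafficProfile:
    """Statistical anomaly: learn a baseline first, then compare against it."""

    def __init__(self, threshold=3.0):
        self.threshold = threshold  # allowed distance in standard deviations
        self.mean = 0.0
        self.stdev = 1.0

    def learn(self, counts_per_minute):
        # Learning mode: build the profile of "normal" request volume.
        self.mean = statistics.mean(counts_per_minute)
        self.stdev = statistics.pstdev(counts_per_minute) or 1.0

    def is_anomalous(self, count):
        return abs(count - self.mean) / self.stdev > self.threshold


def anomaly_alerts(events, profile):
    """Minutes whose request volume does not match the learned profile."""
    per_minute = Counter(ev["minute"] for ev in events)
    return sorted(m for m, n in per_minute.items() if profile.is_anomalous(n))


def constructed_traffic():
    """Three minutes of constructed web requests."""
    # Minute 0: normal volume, but one request matches a known signature.
    events = [{"minute": 0, "request": "GET /index.html"} for _ in range(20)]
    events.append({"minute": 0, "request": "GET /files?name=../../etc/hosts"})
    # Minute 1: every request looks harmless, but the volume is far above baseline.
    events += [{"minute": 1, "request": "GET /login"} for _ in range(90)]
    # Minute 2: ordinary traffic.
    events += [{"minute": 2, "request": "GET /index.html"} for _ in range(19)]
    return events


def run_demo():
    profile = TrafficProfile()
    profile.learn([18, 22, 20, 19, 21, 20, 23, 17])  # constructed baseline
    events = constructed_traffic()
    return signature_alerts(events), anomaly_alerts(events, profile)


if __name__ == "__main__":
    print(run_demo())
```

Each detector catches what the other misses: the signature engine flags minute 0 and is blind to the flood in minute 1, while the profile flags minute 1 and ignores the single known-bad request hidden in normal volume.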

25 Intrusion Prevention System

The goal of an IPS is to detect malicious activity and not allow the traffic to gain access to the target in the first place. The IPS is placed inline in the network, as it can drop packets on the fly. All traffic flows through the IPS. More specifically, an IPS can take such actions as sending an alarm, dropping the malicious packets, resetting the connection, and/or blocking traffic from the offending IP address. An IPS is a preventative and proactive technology, whereas an IDS is a detective technology.

In computer terminology, a honeypot is a trap (set up as a sacrificial lamb) set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. It consists of a computer, data, or a network site that seems to contain information or a resource of value to attackers and appears to be part of a network; however, it is isolated and monitored. The system is not locked down, and it has open ports and enabled services. This is to entice a would-be attacker to this computer instead of attacking authentic production systems on a network. If the system only has open ports and services an attacker might want to take advantage of, this would be an example of enticement. If the system has a web page indicating that the user can download files, and once downloaded, the administrator charges this user with trespassing, it would be entrapment.

A packet or network sniffer is a computer program or a piece of computer hardware that can intercept and log traffic passing over a digital network or part of a network. As data streams flow across the network, the sniffer captures each packet and, if needed, decodes the packet's raw data, showing the values of various fields in the packet, and analyzes its content according to the appropriate RFC or other specifications. Traffic being transferred over a network medium is transmitted as electrical signals, encoded in binary representation.
The sniffer needs to have a protocol-analysis capability to recognize the different protocol values and properly interpret their meaning. The sniffer needs access to a network adapter that works in promiscuous mode and a driver that captures the data. This data can be overwhelming, so it must be properly filtered. The filtered data is stored in a buffer, and this information is displayed to a user and/or captured in logs.

26 Security Information and Event Management (SIEM)

Security Information and Event Management or SIEM is a set of technologies involved in analysis and correlation of information collected and aggregated about access controls and some system activities. It is a term for software products and services combining Security Information Management or SIM (Read as: S-I-M) and Security Event Management or SEM (Read as: S-E-M). SIEM provides real-time analysis of security alerts generated by network hardware and applications. It is sold as software, appliances or managed services. It is also used to log security data and generate reports for compliance purposes. Some of the reasons for collecting logs are as follows: Regulation Requirements, Compliance Requirements, Non-Repudiation and Internal Accountability, Risk Management Functions, Performance Monitoring and Trending, Event Correlation, Incident Response, Root Cause Analysis, and Forensic Investigations. Let us discuss the characteristics of SIEM in the following screen.

27 Security Information and Event Management (SIEM)—Characteristics

Some of the characteristics of SIEM are as follows: Raw information is stored from various systems logs; Information is aggregated in a single repository; Information is normalized to make comparisons more meaningful; It processes, maps, and extracts target information by analytical tools; acts as an alerting tool; acts as a reporting tool; provides near real-time reporting; used as a decision support system for security operation centers; complex and expensive to implement; and can be vulnerable to attacks. Let us discuss Continuous Monitoring in the following screen.

28 Continuous Monitoring

A Continuous Monitoring System must meet the organization’s security requirements. The security architect must design and implement a continuous monitoring program that protects the organization’s critical information assets. The security practitioner must be acquainted with Continuous Monitoring as a Service (CMaaS). The United States federal government initiated the need for CMaaS to focus on cyber-defense. There are many agencies that offer CMaaS, such as the General Services Administration or GSA and the Federal Acquisition Service or FAS. A security architect or security practitioner can take a look at CMaaS services offered by different vendors to find a suitable one for the organization. Let us discuss Egress Filtering in the following screen.

29 Egress Filtering

Egress filtering prevents any unauthorized or malicious traffic from leaving the internal network. Information flowing from the internal network to the internet is monitored and controlled. TCP/IP (Read as: TCP or IP) packets that are being sent out of the internal network are examined through a router, firewall, or similar edge device. Packets that do not meet security policies are not allowed to pass through; they are denied "egress". Egress filtering helps ensure that unauthorized or malicious traffic never leaves the internal network. It may require policy changes and administrative work whenever a new application requires external network access. It should comply with the applicable standards and regulations. For example, the Payment Card Industry Data Security Standard or PCI DSS (Read as: P-C-I D-S-S) requires egress filtering from any server in the cardholder environment. Let us discuss Data Leak Prevention in the next screen.
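The policy check an edge device applies to outbound packets can be sketched as a default-deny rule evaluator. This is an added example, not part of the original tutorial; the subnet, the approved destinations (documentation address ranges), and the flow records are assumptions constructed for illustration.

```python
"""Default-deny egress policy evaluated over constructed outbound flow records."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class EgressRule:
    name: str
    src_net: str   # internal network the rule applies to
    dst_net: str   # approved external destination
    proto: str
    dport: int

    def matches(self, flow: dict) -> bool:
        return (
            flow["proto"] == self.proto
            and flow["dport"] == self.dport
            and ipaddress.ip_address(flow["src"]) in ipaddress.ip_network(self.src_net)
            and ipaddress.ip_address(flow["dst"]) in ipaddress.ip_network(self.dst_net)
        )


# Hypothetical cardholder-environment subnet and the only destinations
# its servers are approved to reach.
CARDHOLDER_NET = "10.10.20.0/24"
POLICY = [
    EgressRule("https-to-processor", CARDHOLDER_NET, "203.0.113.10/32", "tcp", 443),
    EgressRule("dns-to-approved-resolver", CARDHOLDER_NET, "192.0.2.53/32", "udp", 53),
]


def decide(flow: dict, policy=POLICY):
    """Return (action, reason). Anything no rule allows is denied egress."""
    for rule in policy:
        if rule.matches(flow):
            return ("allow", rule.name)
    return ("deny", "default-deny")


# Constructed outbound flows as an edge device might see them.
SAMPLE_FLOWS = [
    {"src": "10.10.20.15", "dst": "203.0.113.10", "proto": "tcp", "dport": 443},
    {"src": "10.10.20.15", "dst": "192.0.2.53", "proto": "udp", "dport": 53},
    # Approved port, unapproved destination.
    {"src": "10.10.20.15", "dst": "198.51.100.77", "proto": "tcp", "dport": 443},
    # Approved destination, unapproved port.
    {"src": "10.10.20.22", "dst": "203.0.113.10", "proto": "tcp", "dport": 8080},
    # DNS sent to a resolver that is not on the approved list.
    {"src": "10.10.20.22", "dst": "198.51.100.77", "proto": "udp", "dport": 53},
    # Source outside the subnet the policy covers: no rule applies, so denied.
    {"src": "10.10.30.4", "dst": "203.0.113.10", "proto": "tcp", "dport": 443},
]


def filter_egress(flows, policy=POLICY):
    """Split flows into allowed and denied, recording the deciding rule."""
    allowed, denied = [], []
    for flow in flows:
        action, reason = decide(flow, policy)
        (allowed if action == "allow" else denied).append({**flow, "reason": reason})
    return allowed, denied


if __name__ == "__main__":
    ok, blocked = filter_egress(SAMPLE_FLOWS)
    for f in ok:
        print(f"ALLOW {f['src']} -> {f['dst']} {f['proto']}/{f['dport']} ({f['reason']})")
    for f in blocked:
        print(f"DENY  {f['src']} -> {f['dst']} {f['proto']}/{f['dport']} ({f['reason']})")
```

Adding a new application that needs external access means adding a rule to the policy list, which is the administrative work the section mentions.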

30 Data Leak or Loss Prevention (DLP)

Data Loss or Leak Prevention or DLP (Read as: D-L-P) is a strategy to ensure end users do not send sensitive or critical information outside the corporate network. It is designed to detect potential data breach or data exfiltration transmissions, and prevent them by monitoring, detecting, and blocking sensitive data while in use (endpoint actions), in motion (network traffic), and at rest (data storage). In data leakage incidents, sensitive data is disclosed to unauthorized personnel either by malicious intent or by mistake. Such sensitive data can come in the form of private or company information, intellectual property or IP, financial or patient information, credit-card data, and other information depending on the business and the industry. The key objectives of DLP include locating and cataloging critical information stored throughout the enterprise; monitoring and controlling the sensitive information’s flow across enterprise networks; and monitoring and controlling the flow of sensitive information on end-user systems. Some of the benefits of DLP are as follows: It protects sensitive data and intellectual property of the organization; meets the compliance requirements; and reduces security breaches. Let us discuss Steganography and Digital Watermarking in the following screen.
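Content inspection of data in motion can be illustrated with a detector for credit-card data in outbound messages. This is an added example, not part of the original tutorial; the function names and sample messages are assumptions, and the card numbers are well-known test values, not real accounts.

```python
"""DLP content inspection sketch: find card numbers in outbound text."""
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# and not embedded in a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str):
    """Return masked card numbers found in text (last four digits kept)."""
    findings = []
    for match in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        # A run of one repeated digit (for example all zeros) can pass the
        # checksum; treat it as filler rather than a card number.
        if len(set(digits)) == 1:
            continue
        if luhn_valid(digits):
            findings.append("*" * (len(digits) - 4) + digits[-4:])
    return findings


def inspect_outbound(message: str) -> dict:
    """Decide whether an outbound message may leave the corporate network."""
    findings = find_card_numbers(message)
    return {"action": "block" if findings else "allow", "findings": findings}


# Constructed outbound messages.
SAMPLE_MESSAGES = [
    # 16-digit order number that fails the checksum: allowed.
    "Invoice for order 1234567890123456 is attached.",
    # Test card number with spaces: blocked.
    "Customer card 4111 1111 1111 1111, please process the payment.",
    # One valid test number with hyphens, one invalid reference number.
    "Refund to 5555-5555-5555-4444 and quote ref 4111111111111112.",
    # Zero-filled placeholder: allowed.
    "Template field: 0000 0000 0000 0000",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        result = inspect_outbound(msg)
        print(result["action"].upper(), result["findings"])
```

The checksum step is what keeps order numbers and reference IDs from triggering a block, and masking keeps the detector's own log from becoming a second copy of the sensitive data.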

31 Steganography and Digital Watermarking

Steganography involves concealing the existence of data by hiding it in some other media such as a picture, audio, or video file. It is used to insert digital watermarks on images to identify illegal copies. It is also used to send secret messages through emails. Steganography process: A very generic description of the parts of the steganography process can be explained by the following formula: stego_medium = cover_medium + hidden_data + stego_key. The cover_medium is the file in which the hidden_data is to be hidden; the hidden_data may also be encrypted using the stego_key. The resultant file is the stego_medium, which is similar to the cover_medium. Generally, image, video, or audio files are used as the cover_medium and the stego_medium. Let us discuss a business scenario in the following screen.

32 Business Scenario

The IT Security team at Nutri Worldwide Inc. has recently noticed abnormalities in its accounting and product records. They started an initial assessment of the system log files, and found a large number of suspicious entries. They also noticed some IP addresses sending large amounts of data outside the organization’s firewall. The customer care department has also recently received numerous complaints from customers saying that during order processing, strange messages were being displayed, and that they were often redirected to an illegitimate-looking payment page. Question: In the given scenario, what type of evidence needs to be collected? Answer: The investigator will need to collect evidence from both volatile and non-volatile memories.

33 Secure Provisioning of Resources through Configuration Management

The purpose of Configuration Management or CM is to establish and maintain consistency of a product's performance, functional and physical attributes with its requirements, design, and operational information throughout its life. Configuration Management involves evaluating, coordinating, approving or disapproving, and implementing changes in artifacts that are used to construct and maintain software systems. It enables the management of artifacts such as hardware, software, or documentation from the initial concept through design, implementation, testing, baselining, building, release, and maintenance. The Policy of CM should define the following: Group of artifacts or configuration items; Process for naming of the artifacts; Entering and removing the artifacts in the controlled set; Changing of artifacts under CM, Versioning of artifacts, and Usage of tools to enforce CM. Let us discuss Secure Provisioning of Resources through Configuration Management in the following screen.

34 Secure Provisioning of Resources through Configuration Management (contd.)

The security practitioner must get acquainted with Configuration Management and its implementation to establish a full Configuration Management System within the enterprise. Configuration Management System benefits secure provisioning of many organizational assets which include the following: Physical Assets such as servers, laptops, tablets, and smartphones; Virtual Assets such as Software Defined Networks or SDNs, virtual SAN or vSAN (Read as: v-SAN) systems, and Virtual Machines or VMs; Cloud Assets such as services, fabrics, storage networks, and tenants; and Applications such as workloads in private clouds, web services, and Software as a Service or SaaS (Read as: SaaS). Let us discuss Security Operations in the following screen.

35 Introduction to Security Operations

The term ‘security operations’ refers to the act of understanding and mitigating the vulnerabilities and threats to the computer operations, to support operational activities routinely that enable computer systems to function correctly. The term also refers to the implementation of security controls for normal transaction processing, system administration tasks, and critical external support operations. These controls can include resolving software or hardware problems along with the maintenance of auditing and monitoring processes. In the next screen, we will discuss the concepts of Security Operations.

36 Security Operations Concepts

The three important concepts of security operations domain are: threats, vulnerabilities, and assets. A threat in the security operations domain can be defined as the presence of any potential event that could cause harm by violating security; for example, an operator’s abuse of privileges that violates confidentiality. Vulnerability is defined as a loophole or weakness in a system that enables security to be violated; for example, weak implementation of the separation of duties. An asset is any computing resource or ability such as hardware, software, data, and personnel. In the next screen, we will understand the security operations.

37 Security Operations

Security Operations domain can be considered as a combination of operations security and security operations. Operations security is primarily concerned with the protection and control of information processing assets in centralized and distributed environments. Operations security is a quality of other services. Security operations are primarily concerned with the daily tasks required to keep security services operating reliably and efficiently. Fundamentals of operations security include maintaining operational resilience, protecting valuable assets, controlling system accounts, and managing security services effectively. The following screen will discuss the effects of operations controls on C.I.A.

38 Effects of Operations Controls on C.I.A.

Operations controls affect all three elements of C.I.A.: confidentiality, integrity, and availability. Confidentiality refers to operations controls affecting the secrecy and sensitivity of the information. Integrity refers to the data’s accuracy and authenticity, which depend on the efficient implementation of the operations controls. Availability refers to operations controls affecting the organization’s capability of recovering from failure and its fault tolerance level.

39 Business Scenario

Kevin Butler, Security Administrator, was studying the importance of operations security. He was trying to map the controls implemented at his company Nutri Worldwide Inc. to the industry’s best practices. He was overwhelmed when he found that their implementation was on par with the global best practices. The situation at Nutri Worldwide Inc. was quite different many years ago, when there were operations-related issues such as physical damage to a site or equipment, downtime, and human injury. This had caused a lot of damage to the company, such as loss of employees and public confidence, negative press, and customer doubts, apart from the financial loss. It also created serious compliance issues with the regulators. To mitigate all these issues, the company formulated a strategy to implement all the best practices for operations security. What are the critical aspects of operations security controls? Some of the critical aspects include resource protection, privileged-entity control, and hardware control.

40 Operational Resilience

Now that we have discussed the overview of Operations Security, we will focus on maintaining operational resilience. Resilience is an important quality for any production operation. It is concerned with preparing the IT environment for any potential threat to smooth, steady, and reliable service. In this topic, we will: describe threats to operations, discuss vulnerabilities, and describe controls and protection. For an organization, besides maintaining the expected levels of service availability and integrity daily, it is important to have resilience of critical services. During lean times, operations staff are expected to ensure that there is minimal disruption to the organization’s activities. This includes anticipating such disruptions, deploying key systems, and maintaining operational continuity. They are also expected to maintain the processes and procedures to ensure timely detection and response. The following screen will cover the threats to operations.

41 Threats to Operations

The unauthorized release of information is a considerable threat. Disclosure may result when a hacker or cracker penetrates a system that contains confidential information. Sensitive information may be leaked through malware infection. It may also be intentionally disclosed by disgruntled employees, contractors, or partners. From an operations perspective, technical solutions intended to protect sensitive information need to be maintained, and the actions of privileged users should be monitored to detect any potential disclosure. Malicious, unintentional, and uncontrollable irreparable damage can result in the destruction of system data and resources. Malicious activity on the part of malware and malicious users can cause loss of a significant amount of information. Errors on the part of users can cause the accidental deletion of important data. Secure operation is intended to prevent destruction of sensitive assets, except when done intentionally as part of an information retention program. Environmental factors as well as the acts of individuals can cause damage to systems and data. Sporadic fluctuations in temperature or line power can cause systems to make errors while writing data. Inappropriate or accidental changes to file or table permissions can cause unintended data corruption. It is important to implement and maintain integrity protection on key systems as well as provide appropriate procedures to ensure that privileged access to high-integrity resources is tightly controlled and monitored. Interruptions in service can also be disruptive to normal business operations. Failure of equipment, services, and operational procedures can cause system components to become unavailable. Denial-of-service attacks and malicious code can also interrupt operations. Any loss of system availability will need to be dealt with, either automatically through technology or manually through strong processes and procedures. Theft is also a common threat. 
While large-scale thefts within a secure operation may be less likely, component theft is often common in many environments. It is important to prevent these sorts of thefts and coordinate investigations regarding such problems.

42 Threats to Operations (contd.)

A loss incurred unintentionally, either through the lack of operator training or proficiency or by the malfunctioning of the processing procedure of an application is accidental loss. The following are some examples of types of accidental loss: Operator input errors and omissions include manual input transaction errors, entry or data deletion, and faulty data modification. Transaction processing errors include errors that are introduced in the data through faulty application programming or processing procedures. Inappropriate Activities refer to the inappropriate usage of office resources that may lead to job action or dismissal. They may not be direct criminal activities. The types of inappropriate activities include: Availability of Inappropriate Content, which refers to the usage of the company systems to store pornography, entertainment, political, or violent content; Waste of Corporate Resources, which refers to the personal use of hardware or software, such as conducting a private business with a company’s computer system; Sexual or Racial Harassment, which refers to using e-mail or other computer resources to distribute inappropriate material; and Abuse of Privileges or Rights, which refers to usage of unauthorized access levels to violate the confidentiality of sensitive company information. These include computer activities that are intentional and illegal. These activities are conducted for personal financial gain and destruction: Let us first look at Eavesdropping. Data scavenging, traffic or trend analysis, social engineering, economic or political espionage, sniffing, dumpster diving, keystroke monitoring, and shoulder surfing are all types of eavesdropping to gain information or to create a foundation for a later attack. Eavesdropping is a primary cause for the failure of confidentiality. Examples of the types of frauds are collusion, falsified transactions, data manipulation, and other altering of data integrity for gain. 
Examples of the types of theft are theft of information, trading of secrets for profit, unauthorized disclosure, and physical theft of hardware or software. Sabotage includes denial of service or DoS, production delays, and attacks on data integrity. Examples of external attacks are malicious cracking, scanning, and probing to gain infrastructure information, demon dialing to locate an unsecured modem line, and the insertion of a malicious code or virus.

43 Vulnerabilities

The types of vulnerabilities that exist in the system are traffic and trend analysis, maintenance accounts, initial program load or IPL vulnerabilities, social engineering, and network address hijacking. Traffic and Trend Analysis is the technique employed by an intruder that involves analyzing data characteristics and the patterns of transmissions. Analyzing data characteristics refers to message length and message frequency. The patterns of transmissions refer to the inference of information useful to an intruder, rather than knowledge of the actual transmitted information. Countermeasures for traffic and trend analysis include padding messages and sending noise. Padding messages means making all messages a uniform data size by filling empty spaces in the data. Sending noise means transmitting non-informational data elements mixed with real information to disguise the actual message. Maintenance accounts with factory-set or easy passwords provide a method to break into computer systems. Physical access to the hardware by maintenance personnel can also constitute a security violation. The Initial Program Load or IPL presents very specific system vulnerabilities, irrespective of whether the system is a centralized mainframe type or a distributed LAN type. During the IPL, the operator brings up the facility’s system. This operator has the powerful ability of putting a system into a single-user mode without complete security features. In this state, an operator can load unauthorized programs or data, reset passwords, rename various resources, or reset the system’s time and date. The operator can also reassign the data ports or communication lines to transmit information to a confederate outside the data center. On a LAN, a system administrator can start the boot sequence from a tape, CD-ROM, or floppy disk, and bypass the operating system’s security on the hard drive.
Data-scavenging attacks: Data scavenging is the technique of piecing together information from found bits of data. The two common types of data-scavenging attacks are keyboard attacks and laboratory attacks. Keyboard attacks refer to data scavenging through the available resources, where normal system users use the keyboard, normal utilities, and tools to glean information. Laboratory attacks refer to planned and orchestrated data scavenging through precise electronic equipment. Social engineering attacks use social skills to obtain information. Common techniques used by an intruder to gain either physical access or system access are: asserting authority or pulling rank with supported altered identification to enter the facility or system; intimidating or threatening the access control subjects with harsh language or threatening behavior to permit access or release information; and praising, flattering, or sympathizing with the subjects to give information or system access. Network address hijacking is the ability of an intruder to reroute data traffic from a server or network device to a personal machine, either by device address modification or by network address hijacking. This diversion enables the intruder to capture traffic to and from the devices for data analysis or modification, or to steal the password file from the server and gain access to the user accounts. By rerouting the data output, the intruder can obtain supervisory terminal functions and bypass the system logs. The following screen will focus on controls.

44 Controls

The Operations Security domain is concerned with the controls used to protect hardware, software, and media resources from threats, internal or external intruders, and operators inappropriately accessing resources. It is important to know the restriction of privileges, the resources to be protected, and the controls to be implemented. The major categories of operations security controls are preventative controls, detective controls, corrective controls, deterrent controls, and application controls. Preventative controls are designed to lower the amount and impact of unintentional errors that enter the system. They also prevent unauthorized intruders from accessing the system internally or externally. An example of these controls may be pre-numbered forms or a data validation and review procedure to prevent duplications. Detective controls are used to detect an error once it has occurred. Unlike preventative controls, these controls operate after the fact and can be used to track an unauthorized transaction for prosecution or to lessen an error’s impact on the system by identifying it quickly. An example of this type of control is an audit trail. Corrective or Recovery Controls mitigate the impact of a loss event through data recovery procedures. They can be used to recover after damage, such as restoring data that was inadvertently erased from the floppy diskettes. Deterrent controls are used to encourage compliance with external controls, such as regulatory compliance. These controls are meant to complement other controls, such as preventative and detective controls. Deterrent controls are also known as directive controls. Application controls are the controls designed into a software application to minimize and detect the software’s operational irregularities. An example would be selecting values from the dropdown menu.

45 Business Scenario

Hilda Jacobs, General Manager – IT Security, at Nutri Worldwide Inc. was going through the latest audit report. She was relieved that no major non-conformity was reported. The previous year, the regulators had raised a few queries about the lack of operations controls and the company was on the verge of facing de-licensing. Hilda Jacobs and her team worked overtime to make sure that all the required controls were being properly implemented and monitored. User awareness programs were also held to make users aware of their roles in reducing the operations issues. Which type of control is used to bring an organization back to normal working status as efficiently as possible after an incident? It is the corrective type of control.

46 Need for Controlling Privileged Accounts

Security operations must maintain strong control over the number and types of accounts used on systems. This requires careful supervision over the management of accounts that are given privileges on IT systems. In this topic, we will discuss the need for controlling privileged accounts; discuss identity and access management; and describe the types of user accounts and job roles. Accounts with greater privilege are distinct from less privileged user accounts. The need for controlling privileged accounts arises due to the following reasons: Privileged entities typically possess extensive powers on a given system. If a privileged account is compromised, the attacker could damage the system. These privileges could be misused by unscrupulous individuals or targeted by external attackers. Security operations is expected to maintain control over these privileged entities, including ensuring they are assigned for legitimate business use and that continued need is being regularly examined. A defined procedure for the creation of the privileged entities on various systems and their continued requirement is needed. Although ordinary user accounts have less privilege, they should be controlled through good account management practices. The following screen will focus on Identity and Access Management.

47 Identity and Access Management

The following are the definitions of identity management and access management: Identity management controls the life-cycle process for every account in a system, from the provisioning of the account through to its eventual removal from the system. Access management refers to the assignment of rights or privileges to those accounts to allow them to perform their intended function. Identity and access management or IAM (pronounced as – I-A-M) solutions focus on harmonizing the user provisions and access management across multiple systems with different native access control systems. Managing accounts using groups and roles: Efficient management of users requires the assignment of individual accounts into groups or roles. Groups and roles allow rights and privileges to be assigned to a group or a role as opposed to individual accounts. Individual user accounts can be assigned to one or more groups depending on the access and privileges they require. When groups can be set up according to job functions within the organization, role-based access control or RBAC (pronounced as R-B-A-C) can be used. Under RBAC, individual users are typically assigned a single role corresponding with the rights and privileges to do their jobs. Whether groups or roles are used, security administrators must devise the appropriate assignment of permissions and rights, depending on the access control strategy used. We will learn about the types of accounts in the following screen.

48 Types of Accounts

Privileged and ordinary user accounts are the two broad categories of user accounts. As discussed earlier, privileged entities possess extensive powers on a given system. The following are the four types of accounts with different levels of privilege: Root or built-in administrator accounts are the ‘all-powerful’ default administrative accounts used to manage a device or system. These accounts are generally shared by administrators for performing specialized administrative tasks. Service accounts provide privileged access used by system services and core applications. Systems use a variety of accounts to provide automated services, such as web servers, e-mail servers, and database management systems. Such services require accounts to perform actions on the local system. Administrator accounts are assigned only to individuals requiring administrative access to the system for maintenance activities. Passwords for administrative accounts should be distributed in person. Power users are granted greater privileges than normal user accounts when the user must have greater control over the system but administrative access is not required. Ordinary user accounts are assigned to most users. The account is restricted to those privileges that are strictly required, following the principle of least privilege. Access is limited to specific objects following the principle of need-to-know. The following screens will discuss the commonly used roles.

49 Commonly Used Roles

Different user accounts are allocated to individuals assigned to particular job roles. It is important to be able to distinguish between the common types of job roles and their relationship with an operational environment. System administrators enjoy the highest level of privilege on most systems especially in server environments. They are entrusted with managing system operations and maintenance, and ensuring the proper functioning of systems for the users. They perform key maintenance and monitoring tasks on workstations, servers, network devices, databases, and applications. These components require various levels of recurring maintenance to ensure continued operations. For example, system administrators require the ability to affect certain critical operations such as setting the time, boot sequence, system logs, and passwords, software installation, system start up and shut down, adding and removing users, performing backup and recovery, and handling printers and queues.

50 Commonly Used Roles (contd.)

System operators represent a class of users typically found in data center environments where mainframe systems are used. They provide regular operations of the mainframe environment. They ensure scheduled jobs run effectively and troubleshoot problems. They help in loading and unloading tape and taking backups on tape. Operators have elevated privileges, but less than those of system administrators. If misused, these privileges may be used to circumvent the system’s security policy. As such, use of these privileges should be monitored through audit logs. Some of the privileges and responsibilities assigned to operators include implementing the initial program load, monitoring execution of the system, startup and shut down, backup and recovery, mounting disks and tapes, and handling hardware. Security administrators oversee the security operations of a system. The aspects of security operations include account management, assignment of file sensitivity labels, system security settings, and review of audit data. Operating systems and applications such as database management systems and networking equipment contain a significant number of security settings. Security administrators define the security settings of a system. The security administrator can also implement the settings in conjunction with the system administrator or the concerned application manager. It is necessary for the security administrator and system administrator to work together on security settings because an improper configuration can affect the operation of the system or network. The security administrators usua
