cissp - 2 operations security

7/23/2019 CISSP - 2 Operations Security http://slidepdf.com/reader/full/cissp-2-operations-security 1/74 1 Operations Security

Upload: lebenikos

Post on 17-Feb-2018


Page 1: CISSP - 2 Operations Security



Operations Security

Page 2: CISSP - 2 Operations Security


Agenda

What is Operations Security?
Key Operational Procedures and Controls
Penetration Testing and Vulnerability Assessments
Intrusion Detection
Common Attacks and Methodology


Page 3: CISSP - 2 Operations Security


What is Operations Security?

Operations Security vs. Security Operations

Per ISC2, "Operations Security is primarily concerned with the protection and control of information processing assets in centralized and distributed environments. Security Operations are primarily concerned with the daily tasks required to keep security services operating reliably and efficiently. Operations security is a quality of other services. Security operations is a service in its own right."

Activities that occur after the network is designed and implemented
Routine in nature
Relies on proper monitoring and reporting to ensure that as threats evolve, so does the network defense
Part of due care and due diligence


Page 4: CISSP - 2 Operations Security


General Information Security Principles

Simplicity
Fail-Safe
Complete
Open Design
Separation of Privilege
Psychological Acceptability
Layered Defense
Incident Recording

Page 5: CISSP - 2 Operations Security


Control Mechanisms

Control mechanisms protect information and resources from unauthorized disclosure, modification, and destruction
Main types of mechanisms:
  Physical
  Administrative
  Technical

Page 6: CISSP - 2 Operations Security


General Control Layers

Administrative Controls
  Development of policies, standards, and procedures
  Screening personnel, security awareness training, monitoring system and network activity, and change control
Technical Controls
  Logical mechanisms that provide password and resource management, identification and authentication, and software configurations
Physical Controls
  Protecting individual systems, the network, employees, and the facility from physical damage

Page 7: CISSP - 2 Operations Security


Access Control Functions

Preventative: Controls used to prevent undesirable events from taking place
Detective: Controls used to identify undesirable events that have occurred
Corrective: Controls used to correct the effects of undesirable events
Deterrent: Controls used to discourage security violations
Recovery: Controls used to restore resources and capabilities
Compensation: Controls used to provide alternative solutions

Page 8: CISSP - 2 Operations Security


Key Operational Procedures and Controls

Fault Management
Configuration Management
System Hardening
Change Control
Trusted Recovery
Media Management
Identity and Access Management
Monitoring
Security Auditing and Reviews


Page 9: CISSP - 2 Operations Security


Fault Management

Spares
Redundant Servers
UPS
Clustering
RAID
Shadowing, Remote Journaling, Electronic Vaulting
Backups
Redundancy of Staff


Page 10: CISSP - 2 Operations Security


Spares

Redundant hardware
Available in the event that the primary device becomes unusable
Often associated with hard drives
Hot, warm and cold swappable devices
SLAs
MTBF and MTTR


Mean time between failure = 650 days; Mean time to repair = 12 hours
Mean time between failure = 785 days; Mean time to repair = 16 hours
Mean time between failure = 652 days; Mean time to repair = 24 hours

Page 11: CISSP - 2 Operations Security


RAID

RAID-0: Disk striping provides no redundancy or fault tolerance but provides performance improvements for read/write functions
RAID-1: Disk Mirroring. Provides redundancy but is often considered to be the least efficient usage of space
RAID-5: Disk Striping with Parity: Fault tolerance + Speed


Page 12: CISSP - 2 Operations Security


Redundant Servers

Primary server mirrors data to secondary server
If primary fails it rolls over to secondary
Server fault tolerance

Page 13: CISSP - 2 Operations Security


Clustering

Group of servers that are managed as a single system
Higher availability, greater scalability, easier to manage instead of individual systems
May provide redundancy, load balancing, or both.
  Active/Active
  Active/Passive
Cluster looks like a single server to the user
Server farm

Page 14: CISSP - 2 Operations Security


Uninterruptible Power Supply

Issues to Consider
  Size of load UPS can support
  How long it can support this load (battery duration)
  Speed the UPS takes on the load when the primary power source fails
  Physical space required
Desirable Features
  Long battery life
  Remote diagnostic software
  Surge protection and line conditioning
  EMI/RFI filters to prevent data errors caused by electrical noise
  High MTBF values
  Allow for automatic shutdown of system

Page 15: CISSP - 2 Operations Security


Backups

Backing up software and having backup hardware is a large part of network availability
It is important to be able to restore data:
  If a hard drive fails
  A disaster takes place
  Some type of software corruption

Page 16: CISSP - 2 Operations Security


Backups

Full backup
  Archive bit is reset
Incremental backup
  Backs up all files that have been modified since last backup
  Archive bit is reset
Differential backup
  Backs up all files that have been modified since last full backup
  Archive bit is not reset
Copy backup
  Same as full backup, but archive bit is not reset
  Use before upgrades, or system maintenance

Page 17: CISSP - 2 Operations Security


Backups

Schedule             Sunday  Monday  Tuesday  Wednesday  Thursday      Backups needed to recover
Full every day       Full    Full    Full     Full       Server crash  Full (w)
Full + incremental   Full    Inc     Inc      Inc        Server crash  Full (s) + Inc (m,t,w)
Full + differential  Full    Diff    Diff     Diff       Server crash  Full (s) + Diff (w)
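The archive-bit rules of the previous slide and the restore sets in the table above, as an added simulation that is not part of the slide deck: file names, daily edits and the Thursday crash are constructed, and a fourth schedule with a copy backup on Tuesday goes one step beyond the table to show that a copy does not break the incremental chain.

```python
"""Archive-bit backup simulation and restore-set calculation.

Added example, not from the slide deck: it models the archive-bit rules
(full and incremental reset the bit, differential and copy do not) and
reproduces the "backups needed to recover" column for the three schedules
on the slide with a Thursday server crash. File names and daily edits are
constructed sample data.
"""


class Backup:
    def __init__(self, kind, day, files):
        self.kind = kind      # "full", "inc", "diff" or "copy"
        self.day = day        # "s", "m", "t", "w"
        self.files = files    # {file name: version captured}

    def label(self):
        return f"{self.kind}({self.day})"


class FileSystem:
    """Tracks a version number and an archive bit for every file."""

    def __init__(self):
        self.version = {}       # file -> current version
        self.archive_bit = {}   # file -> True if modified since the bit was last reset

    def modify(self, *names):
        for n in names:
            self.version[n] = self.version.get(n, 0) + 1
            self.archive_bit[n] = True

    def backup(self, kind, day):
        if kind in ("full", "copy"):
            names = set(self.version)                     # everything
        else:                                             # inc / diff
            names = {n for n, bit in self.archive_bit.items() if bit}
        if kind in ("full", "inc"):                       # only these reset the bit
            for n in names:
                self.archive_bit[n] = False
        return Backup(kind, day, {n: self.version[n] for n in names})


def restore_set(history):
    """Backups needed to recover: the newest full, every incremental after it,
    and only the newest differential after it. Copy backups are not needed."""
    last_full = max(i for i, b in enumerate(history) if b.kind == "full")
    later = history[last_full + 1:]
    needed = [history[last_full]] + [b for b in later if b.kind == "inc"]
    diffs = [b for b in later if b.kind == "diff"]
    if diffs:
        needed.append(diffs[-1])
    return needed


def restore(backups):
    """Apply backups oldest to newest; later copies overwrite earlier versions."""
    state = {}
    for b in backups:
        state.update(b.files)
    return state


def run_schedule(kinds):
    """kinds: backup type taken Sunday..Wednesday; the server 'crashes' Thursday.
    Returns the labels of the backups needed and whether restoring exactly
    those backups gives back the live file versions."""
    days = "smtw"
    edits = {"m": ("a",), "t": ("b",), "w": ("a", "c")}   # constructed daily edits
    fs = FileSystem()
    fs.modify("a", "b", "c")                               # initial contents
    history = []
    for day, kind in zip(days, kinds):
        fs.modify(*edits.get(day, ()))
        history.append(fs.backup(kind, day))
    needed = restore_set(history)
    return [b.label() for b in needed], restore(needed) == fs.version


if __name__ == "__main__":
    for kinds in (["full"] * 4,
                  ["full", "inc", "inc", "inc"],
                  ["full", "diff", "diff", "diff"],
                  ["full", "inc", "copy", "inc"]):   # copy on Tuesday leaves the chain intact
        print(kinds, "->", run_schedule(kinds))
```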

Page 18: CISSP - 2 Operations Security


Backup Issues

Critical data needs to be identified for backups
Media Rotation Scheme
  Grandfather, Father, Son
  Tower of Hanoi
Backup schedule needs to be developed
If restoring a backup after a compromise, ensure that the backup material does not contain the same vulnerabilities that were exploited

Page 19: CISSP - 2 Operations Security


Redundancy of Staff

Eliminate Single Point of Failure
Cross Training
Job Rotation
Mandatory Vacations
Training and Education


Page 20: CISSP - 2 Operations Security


Configuration Management

• Defined by ISC2 as "a process of identifying and documenting hardware components, software and the associated settings."
• The goal is to move beyond the original design to a hardened, operationally sound configuration
• Identifying, controlling, accounting for and auditing changes made to the baseline TCB
• These changes come about as we perform system hardening tasks to secure a system.
• Will control changes and test documentation through the operational life cycle of a system
• Implemented hand in hand with change control
• ESSENTIAL to Disaster Recovery


Page 21: CISSP - 2 Operations Security


Configuration Management

Documentation
  Make
  Model
  MAC address
  Serial number
  Operating System/Firmware version
  Location
  BIOS or other passwords
  Permanent IP if applicable
  Organizational department label


Page 22: CISSP - 2 Operations Security


System Hardening / Baselining

Removing Unnecessary Services
Installing the latest service packs and patches
Renaming default accounts
Changing default settings
Enabling security configurations like auditing, firewalls, updates, etc.
Don't forget physical security!


Page 23: CISSP - 2 Operations Security


Change Management

Directive, Administrative Control that should be incorporated into organizational policy.
The formal review of all proposed changes: no "on-the-fly" changes
Only approved changes will be implemented
The ultimate goal is system stability
Periodic reassessment of the environment to evaluate the need for upgrades/modifications


Page 24: CISSP - 2 Operations Security


The Change Management Process

Request Submittal
Risk/Impact Assessment
Approval or Rejection of Change
Testing
Scheduling/User Notification/Training
Implementation
Validation
Documentation


Page 25: CISSP - 2 Operations Security


Patch Management

An essential part of Configuration and Change Management
May come as a result of vendor notification or pen testing
cve.mitre.org (Common Vulnerability and Exposures database) provides standard conventions for known vulnerabilities
nvd.nist.gov: Enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security related software flaws, incorrect configurations, product names, and impact metrics.
www.cert.gov: Online resource concerning common vulnerabilities and attacks


Page 26: CISSP - 2 Operations Security


Trusted Recovery

System reboot, emergency system restart, system cold start
No compromise of protection mechanisms or possibility of bypassing them
Preparing system for failure and recovering the system
Failure of system cannot be used to breach security

Page 27: CISSP - 2 Operations Security


Media Management

Production Libraries: Holds software used in production environment
Programmer Libraries: Holds work in progress
Source Code Libraries: Holds source code and should be escrowed
Media Library: Hardware centrally controlled

Page 28: CISSP - 2 Operations Security


Controlling Access to Media - Librarian

Librarian to control access
Log who takes what materials out and when
Materials should be properly labeled
Media must be properly sanitized when necessary
  Zeroization (Previous DoD standards required seven wipes. Currently, only one is required.)
  Degaussing (Only good for magnetic media)
    Coercivity: Amount of energy required to reduce the magnetic field to zero
  Physical destruction (The best means of removing remnants.)

Page 29: CISSP - 2 Operations Security


Identity and Access Management

Identity Management: Controls the life cycle for all accounts in a system
Access Management: Controls the assignment of rights/privileges to those accounts
Per ISC2, Identity and Access Management solutions "focus on harmonizing the provisioning of users and managing their access across multiple systems with different native access control systems".


Page 30: CISSP - 2 Operations Security


Security Auditing and Reviews

Security Review
  Conducted by system maintenance or security personnel
  Goal is to determine vulnerabilities within a system. Also known as a vulnerability assessment
Security Audit
  Conducted by 3rd party
  Determines the degree to which required controls are implemented


Page 31: CISSP - 2 Operations Security


Security Assessments


Page 32: CISSP - 2 Operations Security


Security Reviews, Vulnerability Assessments and Penetration Testing

Vulnerability Assessment
  Physical / Administrative / Logical
  Identify weaknesses
Penetration Testing
  Ethical hacking to validate discovered weaknesses
  Red Teams (Attack) / Blue Teams (Defend)
NIST SP 800-42 Guideline on Security Testing

Page 33: CISSP - 2 Operations Security


Degree of Knowledge

Zero Knowledge (Black Box Testing): Team has no knowledge of the target and must start with only information that is publicly available. This simulates an external attack
Partial Knowledge: The team has limited knowledge of the organization
Full Knowledge: This simulates an internal attack. The team has full knowledge of network operations


Page 34: CISSP - 2 Operations Security


Overt or Covert Testing?

Blind
Double Blind
Targeted


Page 35: CISSP - 2 Operations Security


Attack Methodology

Test Attacks 1 of 2

1. Reconnaissance
  WhoIs Database, Company Website, Job Search Engines, Social Networking
2. Footprinting
  Mapping the network (Nmap)
  ICMP ping sweeps
  DNS zone transfers
3. Fingerprinting
  Identifying host information
  Port scanning
4. Vulnerability assessment
  Identifying weaknesses in system configurations
  Discovering unpatched software

Page 36: CISSP - 2 Operations Security


Page 37: CISSP - 2 Operations Security


Testing Guidelines

Why Test?
  Risk analysis
  Certification
  Accreditation
  Security architectures
  Policy development
Develop a cohesive, well-planned, and operational security testing program

Page 38: CISSP - 2 Operations Security


More reasons to perform testing

Responsible approach to overall security
Boost company's position in marketplace
Why do these tests work?
  Lack of awareness
  Policies not enforced
  Procedures not followed
  Disjointed operations between departments
  Systems not patched

Page 39: CISSP - 2 Operations Security


Penetration Testing Goals

Check for unauthorized hosts connected to the organization's network
Identify vulnerable services
Identify deviations from the allowed services defined in the organization's security policy
Assist in the configuration of the intrusion detection system (IDS)
Collect forensics evidence

Page 40: CISSP - 2 Operations Security


Penetration Testing Issues

Three basic requirements:
  Defined goal, which should be clearly documented
  Limited timeline outlined
  Approved by senior management; only management should approve this type of activity
Issue: it could disrupt productivity and systems
Overall purpose is to determine subject's ability to withstand an attack and determine effectiveness of current security measures
Tester should determine effectiveness of safeguards and identify areas of improvement.
*** TESTER SHOULD NOT BE THE ONE SUGGESTING REMEDIATION. THIS VIOLATES SEPARATION OF DUTIES ***

Page 41: CISSP - 2 Operations Security


Roles and Responsibilities

Approval for the tests may need to come from as high as the CIO
Customary for the testing organization to alert other security officers, management, and users
Avoid confusion and unnecessary expense
In some cases, it may be wise to alert local law enforcement officials


Page 42: CISSP - 2 Operations Security


Rules of Engagement

Specific IP addresses/ranges to be tested
Any restricted hosts
A list of acceptable testing techniques
Times when testing is to be conducted
Points of contact for the penetration testing team, the targeted systems, and the networks
Measures to prevent law enforcement being called with false alarms
Handling of information collected by penetration testing team


Page 43: CISSP - 2 Operations Security


Types of Penetration Tests

Physical Security
  Access into building or department
  Wiring closets, locked file cabinets, offices, server room, sensitive areas
  Remove materials from building
Administrative Security
  Help desk giving out sensitive information, data on disposed disks
Logical Security
  Attacks on systems, networks, communication


Page 44: CISSP - 2 Operations Security


Approaches to Testing

Do not rely on single method of attack
  Get creative
Path of least resistance
  Start with users: social engineering is often the easiest way to gain access
Break the rules
  Even if a company follows its own policy, standards and procedures, it does not mean that there are not vulnerabilities
Attempt things not expected


Page 45: CISSP - 2 Operations Security


Approaches to Testing

Do not rely exclusively on high-tech tools
  Dumpster diving
Stealth methods may be required
Do not damage systems or data
Do not overlook small weaknesses in search for the big ones
Have a toolkit of techniques


Page 46: CISSP - 2 Operations Security


Network Scanning

List of all active hosts
Network services: ICMP
UDP & TCP Port scanner: Nmap
Finger Printing
Banner Grabbing


Page 47: CISSP - 2 Operations Security


Vulnerability Scanning

Identifying:
  Active hosts on network
  Active and vulnerable services (ports) on hosts
  Applications
  Operating systems
  Vulnerabilities associated with discovered OS & applications
  Misconfigured settings
Testing compliance with host application usage/security policies
Establishing a foundation for penetration testing


Page 48: CISSP - 2 Operations Security


Password Cracking

Goal is to identify weak passwords
Passwords are generally stored and transmitted in an encrypted form called a hash
Password cracking requires captured password hashes
  Hashes can be intercepted
  Can be retrieved from the targeted system


Page 49: CISSP - 2 Operations Security


Password Cracking Techniques

Dictionary attack
Brute force
Hybrid attack
LanMan password hashes
Theoretically all passwords are "crackable"
Rainbow tables


Page 50: CISSP - 2 Operations Security


Rogue Infrastructures

Unauthorized DHCP Servers can be used to redirect hosts to rogue DNS servers
Rogue DNS Servers can direct traffic to spoofed hosts
DNS zone transfer information contains MUCH information about a network and its configuration
Secure physical access to the network, require DHCP servers to require authorization, use DHCP reservations and MAC addressing to control assignment of IPs, secure DNS zone transfers only to specific hosts


Page 51: CISSP - 2 Operations Security


War Dialing

Goal is to discover unauthorized modems
  Provide a means to bypass most or all of the security measures in place
Dial large blocks of phone numbers in search of available modems
  Should be conducted at least annually
  Should be performed after-hours
Include all numbers that belong to an organization, except those that could be impacted negatively
If removal is not possible, block inbound calls to the modem


Page 52: CISSP - 2 Operations Security


Reporting

Planning
  Rules of engagement
  Test plans
  Written permission
Discovery and Attack
  Documentation of logs
  Periodic reports
End of test overall report
  Describe the identified vulnerabilities and risk rating
Remember: the Pen Tester does NOT provide mitigation advice. They simply provide a report on weaknesses found.


Page 53: CISSP - 2 Operations Security


Corrective Actions - 2 of 3

Investigate and disconnect unauthorized hosts
Disable or remove unnecessary and vulnerable services
Modify vulnerable hosts to restrict access to vulnerable services to a limited number of required hosts (i.e., host-level firewall or TCP wrappers)
Modify enterprise firewalls to restrict outside access to known vulnerable services
  Ingress Filtering: No inbound traffic allowed with internal addresses (spoofing)
  Egress Filtering: No outbound traffic allowed with external addressing (DDoS)
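The ingress and egress rules above as a runnable filter check, added here and not part of the slide deck: the internal prefix 10.20.0.0/16 and every packet header are constructed, and the inbound check goes one step beyond the slide by also rejecting RFC 1918 and loopback source addresses, which can never legitimately arrive from the Internet.

```python
"""Ingress and egress anti-spoofing filter.

Added example, not from the slide deck: ingress filtering drops inbound packets
that carry an internal (or private/loopback) source address; egress filtering
drops outbound packets whose source is not one of our own addresses. The
address space and the sample packets below are made up."""
import ipaddress

INTERNAL = [ipaddress.ip_network("10.20.0.0/16")]   # constructed: our address space

# RFC 1918 and loopback: never a valid source on the Internet side (added generalization)
NEVER_FROM_OUTSIDE = [ipaddress.ip_network(n) for n in
                      ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def in_any(addr, networks):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def decide(direction, src, dst):
    """Return ("allow" | "drop", reason) for a packet crossing the perimeter.
    direction is "in" (Internet -> us) or "out" (us -> Internet)."""
    if direction == "in":
        if in_any(src, INTERNAL):
            return "drop", "ingress: internal source address arriving from outside (spoofing)"
        if in_any(src, NEVER_FROM_OUTSIDE):
            return "drop", "ingress: private/loopback source cannot come from the Internet"
    elif direction == "out":
        if not in_any(src, INTERNAL):
            return "drop", "egress: non-internal source leaving the network (spoofed source / DDoS)"
    else:
        raise ValueError(f"unknown direction {direction!r}")
    return "allow", ""


def filter_packets(packets):
    """packets: iterable of (direction, src, dst). Returns (direction, src, dst, verdict, reason)."""
    return [(d, s, t) + decide(d, s, t) for d, s, t in packets]


def drop_summary(decisions):
    """Number of dropped packets per rule (the word before the first colon)."""
    summary = {}
    for *_, verdict, reason in decisions:
        if verdict == "drop":
            rule = reason.split(":", 1)[0]
            summary[rule] = summary.get(rule, 0) + 1
    return summary


# Constructed packet headers: (direction, source, destination)
SAMPLE_PACKETS = [
    ("in", "198.51.100.7", "10.20.1.5"),    # normal inbound request
    ("in", "10.20.9.9", "10.20.1.5"),       # claims to be one of our hosts: spoofed
    ("in", "192.168.1.20", "10.20.1.5"),    # private source from the outside
    ("out", "10.20.1.5", "203.0.113.4"),    # normal outbound reply
    ("out", "192.0.2.77", "203.0.113.4"),   # non-internal source leaving our network
]

if __name__ == "__main__":
    for row in filter_packets(SAMPLE_PACKETS):
        print(row)
    print(drop_summary(filter_packets(SAMPLE_PACKETS)))
```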


Page 54: CISSP - 2 Operations Security


Corrective Actions - 3 of 3

Upgrade or patch vulnerable systems
Deploy mitigating countermeasures
Improve configuration management program and procedures
Assign a staff member to:
  Monitor vulnerability alerts/mailing lists
  Examine applicability to environment
  Initiate appropriate system changes
Modify the organization's security policies and architecture
All of the above require going through proper change management procedures


Page 55: CISSP - 2 Operations Security


Log Reviews

Firewall logs
IDS logs
Server logs
Other logs that are collecting audit data
Snort is a free IDS sensor
Log Reviews should be conducted very frequently on major servers and firewalls


Page 56: CISSP - 2 Operations Security


Deploy File Integrity Checkers

Computes and stores a checksum
Should be recomputed regularly
Usually included with any commercial host-based intrusion detection system
Requires a system that is known to be secure to create the initial reference database
False positive alarms
LANguard is a freeware file integrity checker
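A minimal file integrity checker of the kind described above, added here as an illustration; it is not the slide deck's material and not LANguard's code. The monitored tree, its files and the three changes in demo() are constructed in a temporary directory so the example runs offline.

```python
"""Minimal file integrity checker.

Added example, not from the slide deck and not LANguard's code: it records a
checksum for every file under a known-good tree (the reference database),
recomputes later and reports added, removed and modified files. demo() builds
the tree in a temporary directory; file names and contents are constructed."""
import hashlib
import json
import os
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map 'relative/path' -> {sha256, size} for every regular file under root."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = {"sha256": sha256_of(full), "size": os.path.getsize(full)}
    return result


def save_baseline(root, baseline_path):
    """Take the reference database from a system known to be clean. Keep it
    outside the monitored tree (ideally read-only or off-host): otherwise its
    own updates show up as changes and whoever alters a file can alter it too."""
    with open(baseline_path, "w") as f:
        json.dump(snapshot(root), f, indent=1, sort_keys=True)


def compare(root, baseline_path):
    """Recompute the checksums and diff them against the stored baseline."""
    with open(baseline_path) as f:
        baseline = json.load(f)
    current = snapshot(root)
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Returns (report right after baselining, report after three changes)."""
    with tempfile.TemporaryDirectory() as work:
        tree = os.path.join(work, "tree")
        baseline = os.path.join(work, "baseline.json")   # outside the monitored tree
        _write(tree, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        _write(tree, "etc/hosts", b"127.0.0.1 localhost\n")
        _write(tree, "bin/ls", b"\x7fELF constructed binary\n")
        save_baseline(tree, baseline)
        clean = compare(tree, baseline)

        _write(tree, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\nsvc:x:1001:1001::/:/bin/sh\n")
        os.remove(os.path.join(tree, "etc", "hosts"))
        _write(tree, "bin/newtool", b"\x7fELF another constructed binary\n")
        tampered = compare(tree, baseline)
    return clean, tampered


if __name__ == "__main__":
    for report in demo():
        print(report)
```

An approved patch produces exactly the same "modified" entry as tampering, which is the false-positive case the slide lists; the baseline has to be re-established after every approved change.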


Page 57: CISSP - 2 Operations Security


Watching Network Traffic

Traffic Analysis / Side Channel Analysis
  Watching traffic and its patterns to try and determine if something special is taking place. For example:
    A lot of traffic between two military units may indicate that an attack is being planned
    Traffic between human resources and headquarters may indicate layoffs are around the corner
Traffic Padding
  Generating spurious data in traffic to make traffic analysis more difficult
  Sending out decoy attacks
  The amount and nature of traffic may be masked
  Attempt to keep traffic constant so no information can be gained


Page 58: CISSP - 2 Operations Security


Protocol Analyzers (Sniffers) and Privacy

Promiscuous mode
Bridging / Switching can affect the Packet Capture


Page 59: CISSP - 2 Operations Security


Deploy Virus Detectors

Malicious code detection
Two primary types:
  Network infrastructure
  End-user machines
Update the list of virus signatures
More sophisticated programs also look for virus-like activity in an attempt to identify new or mutated viruses


Page 60: CISSP - 2 Operations Security


Intrusion Detection Systems

Software is used to monitor a network segment or an individual computer
Used to detect attacks and other malicious activity
Dynamic in nature
The two main types:
  Network-based
  Host-based systems (TCP Wrappers)


Page 61: CISSP - 2 Operations Security


Types of IDS

Network-based IDS
  Monitors traffic on a network segment
  Computer or network appliance with NIC in promiscuous mode
  Sensors communicate with a central management console
Host-based IDS
  Small agent programs that reside on individual computer
  Detects suspicious activity on one system, not a network segment
IDS Components:
  Sensors
  Analysis engine
  Management console


Page 62: CISSP - 2 Operations Security


IDS Components

IDS Components:
  Sensors
  Analysis engine
  Management console


Page 63: CISSP - 2 Operations Security


Sensor Placement

In front of firewalls to discover attacks being launched
Behind firewalls to find out about intruders who have gotten through
On the internal network to detect internal attacks


Page 64: CISSP - 2 Operations Security


Analysis Engine Methods

Pattern Matching
  Rule-Based Intrusion Detection
  Signature-Based Intrusion Detection
  Knowledge-Based Intrusion Detection
Profile Comparison
  Statistical-Based Intrusion Detection
  Anomaly-Based Intrusion Detection
  Behavior-Based Intrusion Detection


Page 65: CISSP - 2 Operations Security


Types of IDS

Signature-based (MOST COMMON)
  IDS has a database of signatures, which are patterns of previously identified attacks
  Cannot identify new attacks
  Database needs continual updates
Behavior-based
  Compares audit files, logs, and network behavior, and develops and maintains profiles of normal behavior
  Better defense against new attacks
  Creates many false positives
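The signature-based and behavior-based trade-off above, run over constructed web server log lines as an added example that is not part of the slide deck or of any IDS product: the signature misses a variant it has no pattern for, the behavioral profile catches it, and the same profile raises a false positive on a busy but legitimate client. Every address, path and timestamp is made up.

```python
"""Signature-based vs behavior-based detection over constructed log lines.

Added example, not from the slide deck and not any IDS product's code: a tiny
signature matcher and a tiny rate-profile anomaly detector run over made-up
web server log lines of the form '<minute> <src> GET <path> <status>'."""
import re
import statistics
from collections import Counter


def make_lines(src, minute, n, path="/index.html", status=200):
    """n constructed log lines for one source in one minute."""
    return [f"{minute} {src} GET {path} {status}" for _ in range(n)]


# Known-clean traffic used to learn what "normal" looks like (2-3 requests/minute)
TRAINING = []
for _src, _per_minute in {"192.0.2.10": [2, 3, 2, 3], "192.0.2.11": [2, 2, 3, 3]}.items():
    for _minute, _n in enumerate(_per_minute, start=1):
        TRAINING += make_lines(_src, _minute, _n)

# Traffic under review
TEST = (
    make_lines("203.0.113.5", 10, 6, "/%2egit/config", 404)   # encoded variant: no signature for it yet
    + make_lines("198.51.100.9", 11, 1, "/.git/config", 404)  # known probe pattern, a single request
    + make_lines("192.0.2.30", 12, 5, "/products.html")       # legitimate but unusually busy client
)

# Signature database: patterns of previously identified probes (needs continual updates)
SIGNATURES = {"git-config-probe": re.compile(r"/\.git/config")}


def parse(line):
    minute, src, _method, path, status = line.split()
    return {"minute": int(minute), "src": src, "path": path, "status": int(status)}


def signature_alerts(lines):
    """One alert per line matching a known pattern; unknown variants are invisible."""
    alerts = []
    for rec in map(parse, lines):
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["path"]):
                alerts.append((rec["src"], name))
    return alerts


def build_profile(training_lines):
    """Profile of normal behavior: requests per (source, minute) in clean traffic."""
    counts = Counter((r["src"], r["minute"]) for r in map(parse, training_lines))
    rates = list(counts.values())
    return {"mean": statistics.mean(rates), "stdev": statistics.pstdev(rates)}


def anomaly_alerts(lines, profile, k=3.0):
    """Flag every (source, minute) whose request count exceeds mean + k * stdev."""
    threshold = profile["mean"] + k * profile["stdev"]
    counts = Counter((r["src"], r["minute"]) for r in map(parse, lines))
    return [(src, "rate-anomaly") for (src, _minute), n in sorted(counts.items()) if n > threshold]


if __name__ == "__main__":
    profile = build_profile(TRAINING)
    print("signature:", signature_alerts(TEST))
    print("behavior: ", anomaly_alerts(TEST, profile))
```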


Page 66: CISSP - 2 Operations Security


IDS Response Options

Passive:
  Page or e-mail administrator
  Log event
Active:
  Send reset packets to the attacker's connections
  Change a firewall or router ACL to block an IP address or range
  Reconfigure router or firewall to block protocol being used for attack


Page 67: CISSP - 2 Operations Security


IDS Issues

May not be able to process all packets on large networks
  Missed packets may contain actual attacks
  IDS vendors are moving more and more to hardware-based systems
Cannot analyze encrypted data
Switch-based networks make it harder to pick up all packets
A lot of false alarms
Not an answer to all prayers
  Firewalls, anti-virus software, policies, and other security controls are still important


Page 68: CISSP - 2 Operations Security


Eluding IDS - Evasion Attack


Page 69: CISSP - 2 Operations Security


Eluding IDS - Insertion Attack


Page 70: CISSP - 2 Operations Security


Honeypot

Deployment:
  Pseudo Flaw: Loophole purposely added to operating system or application to trap intruders
  Sacrificial lamb system on the network
Administrators hope that intruders will attack this system instead of their production systems
It is enticing because many ports are open and services are running
Be careful of Enticement vs. Entrapment


Page 71: CISSP - 2 Operations Security


Padded Cell and Vulnerability Tools

Concept used in software programming where a "safe" environment is created for applications and processes to run in
  Similar to a virtual machine
Concept used in IDS where identified intruder is moved to a "safe" environment without their knowing
Simulated environment to keep the intruder happy and busy
  Hopefully leave production systems alone
aka: Self Mutating Honeypot, Tarpit


Page 72: CISSP - 2 Operations Security


Email Vulnerabilities

Protocol Weaknesses
Relays
Social Engineering
Phishing
Spoofing
Spam
White listing
Black listing


Page 73: CISSP - 2 Operations Security


Fax Vulnerabilities

Fax Machine Security Issues
  Can be used to transfer sensitive data
  Paper sitting in bin for all to see
Solution: Fax Servers
  Fax server can route faxes to e-mail boxes instead of printing
  Can disable print feature
Fax encryptor encrypts bulk data at data link layer
  Provides extensive logging and auditing
  Can use public key cryptography for secure transfer of material


Page 74: CISSP - 2 Operations Security


Agenda Review

What is Operations Security?
Key Operational Procedures and Controls
Penetration Testing and Vulnerability Assessments
Intrusion Detection
Common Attacks and Methodology
