2. Operations Security
• What happens after the secure network and
systems are built
• Day to day work and use
• Continual maintenance (due care and due
diligence)
• Prudent Person Concept (despite all the
controls in place, operations security still
depends on people using their common sense
and good judgment to uphold IT security
principles)
11/11/16 UNIVERSITY OF WISCONSIN 2
3. Administrative Management Design
• Dealing with personnel issues (separation of job
duties and job rotation)
• High risk activities are broken up among
various employees
• The organization should have a written,
complete and detailed list of duties of personnel
• Users and administrators should have different
access rights on systems
• Backup and redundancy of job functions
• Enforce least privilege and mandatory vacations
4. Security and Network Personnel Tasks
• Implements and maintains security devices
and software
• Carries out security assessments
• Creates and maintains user profiles and access
• Configures the security labels in Mandatory
Access Control
• Sets initial password
• Reviews audit logs
5. Security and Network Personnel Accountability
Limit excessive privileges
Enable monitoring, logging and auditing (should
be routine)
Questions which you should ask:
• Are users performing functions which are part
of their job descriptions?
• Are repetitive mistakes being made?
• Do too many users have rights to sensitive
data?
6. Clipping Levels (Threshold)
• Threshold is a baseline for activities committed
before an alarm is raised
• Once exceeded, violations are recorded for
review
• The purpose is to discover problems before
damage occurs
• Example: after you have logged in incorrectly 10
times, your account is locked and you must reset your password
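
The clipping level described on this slide, worked as an added example that is not part of the original slides. The 10-failure lockout is the slide's; the 15-minute window, the reset on a successful login and the sample events are assumptions constructed here.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

CLIPPING_LEVEL = 10              # failed logins before lockout (the slide's example)
WINDOW = timedelta(minutes=15)   # assumption: the slide does not give a time window


def apply_clipping_level(events, level=CLIPPING_LEVEL, window=WINDOW):
    """Return (violations, locked) for time-ordered (time, user, ok) events.

    Failures below the clipping level are tolerated as normal error and are
    not recorded; reaching it records a violation for review and locks the
    account until an administrator resets it.
    """
    recent = defaultdict(deque)   # user -> timestamps of recent failures
    violations, locked = [], set()
    for when, user, ok in events:
        if user in locked:
            continue              # locked accounts stay locked until reset
        if ok:
            recent[user].clear()  # assumption: a good login resets the count
            continue
        fails = recent[user]
        fails.append(when)
        while when - fails[0] > window:
            fails.popleft()       # age out failures outside the window
        if len(fails) >= level:
            violations.append({"user": user, "time": when, "failures": len(fails)})
            locked.add(user)
    return violations, locked


def sample_events():
    """Constructed sample data, not taken from any real log."""
    t0 = datetime(2016, 11, 11, 9, 0)
    events = [(t0 + timedelta(seconds=20 * i), "alice", False) for i in range(3)]
    events.append((t0 + timedelta(minutes=2), "alice", True))   # typos, then success
    events += [(t0 + timedelta(minutes=i), "bob", False) for i in range(12)]  # burst
    events += [(t0 + timedelta(hours=i), "carol", False) for i in range(10)]  # spread out
    return sorted(events, key=lambda e: e[0])


if __name__ == "__main__":
    violations, locked = apply_clipping_level(sample_events())
    for v in violations:
        print(f"{v['time']:%H:%M} {v['user']}: {v['failures']} failed logins -> locked")
```

Only the burst of failures reaches the clipping level; the occasional typo and the slow, spread-out failures stay below it, which is why the window length matters as much as the count.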
7. Assurance Levels
Operational Assurance: describes the standards to
which an information system was built. This is
determined during the design process.
Lifecycle Assurance: describes how the
information system is maintained and grown,
while making sure to abide by the original
operational assurance, setting standards and
expectations to be met
Routine audits of active accounts, etc.
8. Operational Responsibilities
Duties of staff may include: software, personnel
and software
Management is responsible for managing
personal behavior of employees
The operations people focus on avoiding recurring
issues
All deviations from the norm should be
investigated
9. Unusual or Unexplained Occurrences
Steps in such a situation are:
1. Investigate
2. Diagnose
3. Solve
4. Make changes in system to keep issue from
occurring in the future
10. Deviations From Standards
Standards = expected service levels of information
systems
They provide a solid baseline from which deviations
can be investigated
Examples of common problems:
Unscheduled system reboots (Zoinks, Scooby!)
Asset identification and management (where’s my
stuff?)
Systems controls (how did this person gain
access?)
11. System Hardening
Types of controls: Physical, Technical,
Administrative
Physical safeguards:
1. Wiring and networking closets locked
2. Networks in public locations should be
physically inaccessible
3. Removable devices should be locked and
encrypted
12. Systems Hardening (Continued)
Licensing issues: Make sure your company is
using the software in compliance with vendor
contracts and stipulated operating procedures
Make sure you have a Service Level Agreement
(SLA) with your software, hardware and service
providers, indicating acceptable and unacceptable
performance and recovery baseline agreements
13. Remote Access Security
Definition: Providing secure information systems
access to remote users
Can help reduce costs, by permitting work
flexibility, but also may expose you to increased
risk. It is a balancing act.
1. All communication via remote access should be
encrypted at all times
2. Generally remote access to critical systems by
end users should not be permitted
3. Administrators must use strong authentication
such as a One Time Password (OTP) device
14. Configuration and Change Management
Policies should:
1. Document how all changes are made and
approved
2. Set guidelines that differ based upon the
kind of data being managed
3. Require disruptions in service to be planned and
approved in advance
4. Require contingency plans to be in place to address
planned outages
15. Change Control Process
Process:
1. Submit request for change to take place
2. Formal approval of the change
3. Formal documentation of the change
4. Assurance of testing must be presented to the
group approving the change
5. Implement the change
6. Report results to management
16. Examples of Change Controlled Events
New computers installed
New applications installed
Changes in system configurations implemented
Patches and system updates
New networking equipment installed
Company IT infrastructure merged with that of
another company which was acquired
17. Physical Media Controls
1. Protect from unauthorized access
2. Protect from environmental issues such as
flooding, overheating, etc.
3. Media should be labeled
4. Media should be sanitized when they reach the
end of their use/life.
5. Tracking number, chain of custody of media
6. Location of backups
7. Keep history of any changes to media
(replacements, etc)
18. Network and Resource Availability
Failsafe measures are very important!
1. Have redundant hardware and software
replacements on hand
2. Implement fault tolerance technologies such as load
balancing login servers
Note the difference between redundancy and
load balancing: Redundancy means having a
backup system which can take over if the primary
system goes down, and load balancing means that two
or more systems are operating in tandem to decrease
resource utilization and dependency on a single point,
which could fail.
19. Network and Resource Availability
1. Mean Time Between Failures (MTBF) should
be tracked and proactively addressed. “Trend”
your devices, so that you can plan for
replacement and be ready.
2. Understand the Mean Time To Repair
(MTTR), so you can make adequate plans
when a system breaks.
3. Avoid single points of failure, whenever
possible
20. Redundant Array of Independent Disks (RAID)
RAID 0 = striping of data across several disks. If
any one disk is lost, the missing data can be
determined by looking at points on either side of
missing data. If a disk goes down, pull it and
replace it.
RAID 1 = mirroring of source disk. If a disk goes
down, it can be rebuilt from the mirror disk.
21. Backups
• Steps:
• Document your procedures
• Test and certify restores
• Do continuous incremental online
backups
• Engage in Business Continuity Planning,
keep copies both onsite and offsite, in
case of disaster
23. Fax Security
• There is no such thing as a
secure Fax
• Never use a Fax for a sensitive
communication!
24. Vulnerability Testing
Goals:
1. Evaluate your company’s true and actual
security posture vs your company’s stated and/or
assumed security posture
2. Confirm known vulnerabilities and identify
new vulnerabilities
3. Test how your company reacts to attacks on
information systems