CISSP Guide to Security Essentials


1 CISSP Guide to Security Essentials
Operations Security CISSP Guide to Security Essentials Chapter 7

2 Objectives Applying security concepts to computer and business operations Records management security controls Backups Anti-virus software and other anti-malware controls

3 Objectives (cont.) Remote access
Administrative management and control of information security Resource protection Incident management

4 Objectives (cont.) High availability architectures
Vulnerability management Change management and configuration management Operations attacks and countermeasures

5 Applying Security Operations Concepts

6 Security Operations Concepts
Need to know Least privilege Separation of duties Job rotation Monitoring of special privileges

7 Security Operations Concepts (cont.)
Records management controls Backups Anti-virus and anti-malware Remote access

8 Flow of Control From chapter 1: Policy, Guidelines, Processes, Procedures, Recordkeeping

9 Need to Know Individual personnel should have access to only the information that they require in order to perform their stated duties Independent of security clearance This reduces risk, but can be an administrative burden

10 Least Privilege Users should have the fewest privileges required to accomplish their duties (an administrator gets administrative rights only on the systems he or she administers, not everywhere) Independent of security clearance

11 Separation of Duties High-value or high-risk tasks require two or more different individuals to complete Examples Open a bank vault Issue an arrest warrant Provision a privileged-access computer account Change a firewall rule
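Separation of duties is usually enforced in software rather than by good intentions. The following is an added example, not part of the slides: a small change-control object that applies the two-person rule to the slide's "change a firewall rule" case. The class and function names, the change identifier and the user names are this example's own assumptions.

```python
# Added example (not from the slides): enforcing separation of duties for a
# high-risk change. The "firewall rule change" follows the slide's example;
# the class, function and user names are assumptions made for illustration.
from dataclasses import dataclass, field


class SeparationOfDutiesError(Exception):
    """Raised when one person tries to fill two roles in the same change."""


@dataclass
class ChangeRequest:
    change_id: str
    description: str
    requester: str
    approvals: list = field(default_factory=list)
    applied: bool = False


class ChangeControl:
    """Two-person rule: a change is applied only after approval by someone other
    than the requester. required_approvals > 1 gives a stricter multi-party rule
    (the slide's vault example)."""

    def __init__(self, required_approvals: int = 1):
        self.required_approvals = required_approvals
        self.audit_log = []          # the recordkeeping half of the control

    def _log(self, msg: str) -> None:
        self.audit_log.append(msg)

    def approve(self, req: ChangeRequest, approver: str) -> None:
        if approver == req.requester:
            self._log(f"{req.change_id}: REJECTED self-approval by {approver}")
            raise SeparationOfDutiesError("requester may not approve own change")
        if approver in req.approvals:
            self._log(f"{req.change_id}: REJECTED duplicate approval by {approver}")
            raise SeparationOfDutiesError("each approver counts once")
        req.approvals.append(approver)
        self._log(f"{req.change_id}: approved by {approver}")

    def apply(self, req: ChangeRequest, operator: str) -> bool:
        if len(req.approvals) < self.required_approvals:
            self._log(f"{req.change_id}: BLOCKED apply by {operator}, "
                      f"{len(req.approvals)}/{self.required_approvals} approvals")
            return False
        req.applied = True
        self._log(f"{req.change_id}: applied by {operator}")
        return True


def demo():
    """Walk one firewall change through the control; returns (applied, audit log)."""
    cc = ChangeControl(required_approvals=1)
    req = ChangeRequest("CHG-1", "allow tcp/443 from 10.0.0.0/8 to web-dmz",
                        requester="alice")
    first_try = cc.apply(req, "alice")      # blocked: no approvals yet
    try:
        cc.approve(req, "alice")            # blocked: self-approval
    except SeparationOfDutiesError:
        pass
    cc.approve(req, "bob")                  # a second person signs off
    applied = cc.apply(req, "alice")        # now the change may go in
    return applied and not first_try, cc.audit_log


if __name__ == "__main__":
    ok, log = demo()
    print("\n".join(log))
```

The audit log is the part auditors actually ask for: it records the blocked attempts as well as the successful path, which is what makes the control evidence rather than just a gate.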

12 Job Rotation Move individual workers through a range of job assignments Reduces monotony and reduces risk: the incoming worker sees the outgoing worker's work, so concealed errors or fraud are more likely to surface Reduces the likelihood that employees will perform inappropriate or illegal actions if they fear being caught when the next job rotation occurs

13 Monitoring of Special Privileges
Privileged users have more power, so their mistakes (and misuse) have greater impact Record their activities, for example those of network administrators, system administrators, database administrators and application administrators
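Recording privileged activity is only useful if someone reviews it, and review scales only with some automation. As an added example (not from the slides), here is detection logic run over constructed sudo log lines in the syslog format Linux writes to auth.log; the host name, user names and commands are made up, and the review rules (policy denials, interactive root shells, account changes, destructive database statements) are this example's own choices, not a standard.

```python
# Added example (not from the slides): flag privileged actions worth a second
# look in sudo log lines. The log lines below are constructed, not real.
import re

SAMPLE_LOG = """\
Mar  3 10:15:01 db01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql
Mar  3 10:16:44 db01 sudo:     bob : TTY=pts/1 ; PWD=/home/bob ; USER=postgres ; COMMAND=/usr/bin/psql -c DROP TABLE customers
Mar  3 10:17:02 db01 sudo:   alice : command not allowed ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar  3 10:18:30 db01 sudo:    root : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/useradd -m mallory
Mar  3 10:19:00 db01 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
"""

# sudo's own log line layout: "<user> : [command not allowed ; ]TTY=.. ; PWD=.. ; USER=.. ; COMMAND=.."
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<denied>command not allowed) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)

SHELLS = {"bash", "sh", "zsh", "su"}                       # interactive escalation
ACCOUNT_TOOLS = {"useradd", "usermod", "userdel", "visudo", "passwd"}
DESTRUCTIVE_SQL = re.compile(r"\b(DROP|TRUNCATE|DELETE)\b", re.IGNORECASE)


def parse_line(line):
    """Return the fields of one sudo line, or None for lines from other daemons."""
    m = SUDO_RE.match(line)
    return m.groupdict() if m else None


def classify(ev):
    """Reasons this privileged action deserves review (empty list = routine)."""
    reasons = []
    program = ev["cmd"].split()[0].rsplit("/", 1)[-1]     # basename of the binary
    if ev["denied"]:
        reasons.append("policy denial")
    if program in SHELLS and ev["target"] == "root":
        reasons.append("interactive root shell")
    if program in ACCOUNT_TOOLS:
        reasons.append("account or privilege change")
    if DESTRUCTIVE_SQL.search(ev["cmd"]):
        reasons.append("destructive database statement")
    return reasons


def analyze(text):
    """Parse every sudo event and return (all events, events with findings)."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    findings = [
        {"ts": e["ts"], "user": e["user"], "target": e["target"],
         "cmd": e["cmd"], "reasons": classify(e)}
        for e in events
    ]
    return events, [f for f in findings if f["reasons"]]


if __name__ == "__main__":
    _, flagged = analyze(SAMPLE_LOG)
    for f in flagged:
        print(f"{f['ts']} {f['user']}->{f['target']}: {f['cmd']}  [{', '.join(f['reasons'])}]")
```

Note that every sudo event is kept, not only the flagged ones: the routine restart by alice is still the record you will need when reconstructing a timeline, which is the "record activities" half of the slide.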

14 Records Management Controls
Data classification Access management Records retention Backups Data destruction

15 Data Classification Establish sensitivity levels
Establish handling procedures for each level Creation, storage, transmittal, destruction

16 Access Management Policies, procedures, and controls that determine how information is accessed and by whom User account provisioning Privilege management Password management Review of access rights Secure log on

17 Records Retention Policies that specify how long different types of records must be retained (minimums and maximums) Manage risks related to business records Risk of compromise of sensitive information Risk of loss of important information E-Discovery Regulation

18 Backups Protection against loss due to malfunctions, failures, mistakes, and disasters Activities Data restoration Protection of backup media Off-site storage of backup media

19 Data Restoration Periodic testing to ensure that data that is backed up can be restored Same computer Different computer Best way to prove that backups are being performed properly
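A restore test is more than "the tar file opens": it should prove that every file came back byte for byte, and it is most convincing when the restore lands somewhere other than the original location (the slide's "different computer" case). This added example, not part of the slides, records a checksum manifest at backup time and verifies a restore against it; the directory layout, file names and contents are constructed for the drill.

```python
# Added example (not from the slides): back up a constructed tree, restore it
# to a different directory, verify it against a checksum manifest, and show
# that a damaged restore is detected. Paths and file contents are made up.
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir: Path, archive: Path) -> dict:
    """Archive src_dir; return manifest {relative posix path: sha256} taken at backup time."""
    files = [p for p in sorted(src_dir.rglob("*")) if p.is_file()]
    manifest = {p.relative_to(src_dir).as_posix(): sha256_file(p) for p in files}
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(src_dir / rel, arcname=rel)
    return manifest


def restore(archive: Path, dest: Path) -> None:
    with tarfile.open(archive, "r:gz") as tar:
        try:
            # the "data" filter refuses absolute paths, ".." traversal and device files
            tar.extractall(dest, filter="data")
        except TypeError:        # older Python without the filter argument
            tar.extractall(dest)


def verify(manifest: dict, restored: Path) -> list:
    """Compare a restored tree against the manifest; [] means the restore is good."""
    problems = []
    for rel, digest in manifest.items():
        target = restored / rel
        if not target.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(target) != digest:
            problems.append(f"checksum mismatch: {rel}")
    return problems


def restore_drill():
    """Returns (problems after a clean restore, problems after a damaged restore)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, archive, dest = root / "src", root / "backup.tgz", root / "restore"
        (src / "db").mkdir(parents=True)
        (src / "config.ini").write_text("[db]\nhost=db01\n")
        (src / "db" / "customers.csv").write_text("id,name\n1,Ada\n2,Grace\n")
        manifest = make_backup(src, archive)

        restore(archive, dest)
        clean = verify(manifest, dest)

        # simulate a bad restore: one file silently truncated, one missing
        (dest / "db" / "customers.csv").write_text("id,name\n")
        (dest / "config.ini").unlink()
        damaged = verify(manifest, dest)
    return clean, damaged


if __name__ == "__main__":
    print(restore_drill())
```

Keep the manifest with the backup but not only on the backup medium: a manifest that is lost together with the tape tells you nothing. Storing it separately also means a tampered archive cannot carry a matching, tampered manifest with it.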

20 Protection of Backup Media
Backup media contains sensitive information Requires same level of control as original information Keep in locked cabinets Least privilege and need to know

21 Offsite Storage of Backup Media
Reduce risk of loss of backup media in the event of a disaster that destroys data center Fire, flood, sabotage Factors Distance from business location Security of transportation Security of storage center Resilience of storage center against disasters

22 Data Destruction Purpose: ensure that discarded information is truly destroyed and not salvageable by either employees or outsiders

23 Data Destruction (cont.)
Once information has reached the end of its need, its destruction needs to be carried out in a manner that is proportional to its sensitivity Degaussing Shredding Wiping

24 Anti-virus and Anti-malware
Effects of uncontrolled malware Loss of business information Disclosure or compromise of business information Corruption of business information Disruption of business information processing Inability to access business information Loss of productivity Apply defense in depth to protect assets Central anti-malware management

25 Remote Access Connectivity to a network or system from a location away from the network or system, usually from a location apart from the organization’s premises Usually through a VPN

26 Remote Access (cont.) Improves productivity by permitting employees to access business information from any location Risk mitigation Encryption, strong authentication, anti-malware, firewall

27 iClicker Questions

28 Which security operation concept does "User Account Control" implement?
Need to know Least privilege Separation of duties Anti-virus and anti-malware Remote access

29 What security concept makes confidential information less likely to leak out, but can make normal business slow and complex? Need to know Least privilege Separation of duties Job rotation Monitoring of special privileges

30 Which security concept includes labeling files as "confidential" or "unclassified"?
Need to know Least privilege Monitoring of special privileges Records management controls Backups

31 When an administrator shuts down a server, this box appears, asking why the server is being shut down. Which security principle does this implement? Need to know Least privilege Separation of duties Job rotation Monitoring of special privileges

32 Administrative Management and Control

33 ISO 27001 Widely accepted model for top-down security management
Define scope and boundaries Establish a security policy Risk assessments Establish control objectives and activities Security awareness and training Allocate resources Internal audits Monitor and review the security program Enact continual improvement

34 Types of Controls
Technical: such as firewalls and antivirus software. Physical: locks, guards, etc. Administrative: such as policies and audits. See link Ch 7a for a good discussion, and link CISSP 12 for good whitepapers on all ten CISSP domains

35 Categories of Controls
Detective Deterrent Preventive Corrective Recovery Compensating

36 Employing Resource Protection

37 Resource Protection Facilities Water and sewage Electricity
Fire alarms and suppression Environmental controls Communications Security controls

38 Resource Protection (cont.)
Hardware Servers Workstations Network devices Wireless networks Printers, copiers Cabling

39 Resource Protection (cont.)
Software requires control and management Licensing Access control Source code (preventing disclosure) Intellectual property Security Source code control Software development lifecycle

40 Resource Protection (cont.)
Documentation May contain trade secrets and sensitive information Processes, procedures, and instructions Version control Access control

41 Incident Management

42 Incident
An incident is an unexpected event that results in an interruption of normal operations. A security incident is an event in which security policy has been violated, OR unauthorized access to a system or information, OR an event that prevents legitimate access to a system or information

43 Incident Management Incident declaration Triage Investigation Analysis
Containment Recovery Debriefing See chapter 6 for details

44 High Availability Architectures

45 Fault Tolerance Lets a device keep operating when one of its components fails (the device is not less likely to fail; a single failure simply no longer takes it down)
Multiple power supplies Multiple network interfaces Multiple processor units RAID (Redundant Array of Inexpensive / Independent Disks): data is spread over several disks with mirroring or parity so a failed disk can be replaced and rebuilt without loss (RAID 0, striping alone, gives no redundancy)
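The mechanism behind parity RAID is a single XOR. This added example (not from the slides) simulates a four-disk RAID 5 layout with a rotating parity block, then reads the data back with any one disk removed; the disk count, block size and message are this example's own choices, and real controllers differ in parity placement and in how they handle the second failure, which is the case this code refuses.

```python
# Added example (not from the slides): RAID 5 striping with rotating parity,
# and reconstruction of any single failed disk by XOR. Parameters are chosen
# for illustration; real arrays use much larger blocks.
def xor_blocks(blocks):
    """XOR equal-length byte blocks together."""
    out = bytearray(len(blocks[0]))
    for b in blocks:
        for i, byte in enumerate(b):
            out[i] ^= byte
    return bytes(out)


def raid5_write(data: bytes, n_disks: int = 4, block: int = 4):
    """Stripe data over n_disks, one parity block per stripe, parity rotating
    across disks so no single disk becomes the parity bottleneck."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    per_stripe = (n_disks - 1) * block
    data += b"\0" * ((-len(data)) % per_stripe)      # pad the last stripe
    disks = [[] for _ in range(n_disks)]
    for s in range(len(data) // per_stripe):
        chunk = data[s * per_stripe:(s + 1) * per_stripe]
        blocks = [chunk[i:i + block] for i in range(0, per_stripe, block)]
        parity_disk = s % n_disks
        parity = xor_blocks(blocks)
        data_iter = iter(blocks)
        for d in range(n_disks):
            disks[d].append(parity if d == parity_disk else next(data_iter))
    return disks


def raid5_read(disks, length: int, failed=frozenset()) -> bytes:
    """Read the data back. Blocks on a failed disk are not read at all; each is
    rebuilt as the XOR of the surviving blocks in the same stripe."""
    n_disks = len(disks)
    failed = set(failed)
    if len(failed) > 1:
        raise RuntimeError("RAID 5 survives only one failed disk")
    out = bytearray()
    for s in range(len(disks[0])):
        parity_disk = s % n_disks
        stripe = [None if d in failed else disks[d][s] for d in range(n_disks)]
        for d in failed:
            stripe[d] = xor_blocks([stripe[o] for o in range(n_disks) if o != d])
        for d in range(n_disks):
            if d != parity_disk:
                out += stripe[d]
    return bytes(out[:length])


if __name__ == "__main__":
    msg = b"Replication and parity keep the cluster's data available."
    array = raid5_write(msg)
    for lost in range(len(array)):
        assert raid5_read(array, len(msg), failed={lost}) == msg
    print("data readable with any single disk lost")
```

The same XOR that rebuilds a block is what a controller runs during a rebuild, and during that window the array has no redundancy; that is why hot spares and monitoring of the rebuild matter as much as the parity itself.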

46 Clustering A group of two or more servers that operate functionally as a single logical server Active-active mode Active-passive mode Failover: when the active role is transferred to another node after the active node fails Geo-cluster: servers located at great distances from one another

47 Replication Data changes are transmitted to a counterpart storage system An adjunct to clustering, makes current data available to all cluster nodes

48 Business Continuity Management
A management activity where analysis is performed to better understand the risks associated with potential disaster scenarios, and the steps that can be taken to reduce the impact of a disaster should one occur

49 Vulnerability Management

50 Vulnerability Management
Penetration testing Application scanning Patch management Code reviews

51 Penetration Testing Begins with a scan of many or all TCP / IP “ports” on one or more target systems to find listening services, then goes further than a vulnerability scan: the tester locates and actually exploits vulnerabilities to show what an attacker could reach Mimics the actions of a hacker who scans a system or network for active, exploitable ports and services Performed only with written authorization and an agreed scope
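The discovery step the slide describes is a TCP connect scan followed by a banner grab, which is how a tester turns "port open" into "this looks like SSH". The added example below is not from the slides: it starts a stand-in service on the loopback interface so that it runs offline, then scans a small range of ports around it. The banner string, port range and timeouts are this example's assumptions. Never point this at hosts you are not authorized to test.

```python
# Added example (not from the slides): TCP connect scan plus banner grab,
# demonstrated against a fake service on 127.0.0.1 so it runs offline.
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def start_fake_service(banner: bytes = b"SSH-2.0-OpenSSH_demo\r\n"):
    """Stand-in target: a listener on loopback that greets each client with a
    banner, as SSH or SMTP daemons do. Returns (listening socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))              # port 0: let the OS pick a free one
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:                 # listener closed: stop serving
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def probe(host: str, port: int, timeout: float = 0.5):
    """Connect scan of one port plus a banner grab. Returns (port, is_open, banner)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        if s.connect_ex((host, port)) != 0:  # refused or timed out: closed/filtered
            return port, False, ""
        try:
            banner = s.recv(128).decode("ascii", "replace").strip()
        except OSError:                     # open but silent (HTTP waits for the client)
            banner = ""
        return port, True, banner


def scan(host: str, ports, timeout: float = 0.5, workers: int = 32) -> dict:
    """Scan ports concurrently; returns {open_port: banner}."""
    with ThreadPoolExecutor(max_workers=workers) as ex:
        results = list(ex.map(lambda p: probe(host, p, timeout), ports))
    return {p: banner for p, is_open, banner in results if is_open}


def demo():
    """Start the fake service, scan the ports around it, return (port, findings)."""
    srv, port = start_fake_service()
    try:
        found = scan("127.0.0.1", range(port - 10, port + 11))
    finally:
        srv.close()
    return port, found


if __name__ == "__main__":
    port, found = demo()
    for p, banner in sorted(found.items()):
        print(f"{p}/tcp open  {banner or '(no banner)'}")
```

A full connect scan is noisy and easily logged, which is fine for an authorized test and is exactly what your own detection should catch; the silent-port case in `probe` is why real scanners also send protocol-specific probes instead of waiting for a greeting.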

52 Application Scanning The process of performing security tests on an application (usually, but not always, a web-based application) in order to find vulnerabilities in the application code itself

53 The ‘new’ OWASP Top Ten (2010 rc1)
This is the new proposed Top 10 list. The items in Red are new. Some of the existing items moved around.
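Injection heads the OWASP list the slide refers to, and it is also the simplest case of what an application scanner does: submit hostile input to a function and watch for a result the developer never intended. This added example (not from the slides or OWASP) shows a login check that splices user input into SQL next to the parameterised version, then runs a small scanner over both; the in-memory SQLite database, the user "alice", her password and the payload list are constructed for the demonstration.

```python
# Added example (not from the slides): SQL injection in a login query, the
# parameterised fix, and a minimal scanner that tries payloads against both.
# Database contents, credentials and payloads are constructed.
import hashlib
import sqlite3


def _hash(pw: str) -> str:
    # demo only: a real system stores passwords with a slow, salted KDF
    return hashlib.sha256(pw.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    db.execute("INSERT INTO users (username, password_hash) VALUES (?, ?)",
               ("alice", _hash("correct horse")))
    return db


def login_vulnerable(db, username: str, password: str) -> bool:
    # user input spliced into the statement: the input is parsed as SQL
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND password_hash = '{_hash(password)}'")
    return db.execute(sql).fetchone() is not None


def login_hardened(db, username: str, password: str) -> bool:
    # parameterised query: the input is bound as data and never parsed as SQL
    sql = "SELECT id FROM users WHERE username = ? AND password_hash = ?"
    return db.execute(sql, (username, _hash(password))).fetchone() is not None


INJECTION_PAYLOADS = [
    "' OR '1'='1",              # fails here: AND binds tighter than OR
    "alice'--",                 # comments out the password check
    "alice' OR 1=1 --",
    "x' UNION SELECT 1 --",     # fabricates a matching row
]


def scan_login(login) -> list:
    """Minimal application-scanner logic: try each payload as the username with
    a wrong password; any successful login (or SQL error) is a finding."""
    db = make_db()
    findings = []
    for payload in INJECTION_PAYLOADS:
        try:
            if login(db, payload, "wrong-password"):
                findings.append(payload)
        except sqlite3.Error:
            findings.append(payload + "  (SQL error)")   # error on hostile input is itself a signal
    return findings


if __name__ == "__main__":
    print("vulnerable:", scan_login(login_vulnerable))
    print("hardened:  ", scan_login(login_hardened))
```

The first payload is kept on purpose: it does not bypass this particular query because `AND` binds tighter than `OR`, which is why a scanner carries many payload variants rather than one, and why a developer must not conclude "the famous payload failed, so we are safe". The parameterised version fails all of them without any input filtering.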

54 Code Reviews Manual and automated inspections of software source code
Examine and validate approved changes Detection of inappropriate changes, unsafe code, security issues

55 Patch Management The process, usually assisted with management tools, of managing the installation of patches on target systems Reduces risks from malware and hacking attacks that exploit known weaknesses Don't just put on all available patches: analyze and test them first and only install the ones that pass a risk analysis (an untested patch can itself cause an outage, and rollback should be planned before deployment)

56 Change Management

57 Change Management Prepare the change Circulate and review the change
Discuss and agree to the change Perform the change Recordkeeping

58 Configuration Management

59 Configuration Management
Configuration of hardware, software components Configuration management database (CMDB) Automated tools

60 Operations Attacks and Countermeasures

61 Attacks on Operations Social engineering Sabotage
Theft and Disappearance Extortion Bypass Circumventing security measures Denial of service

62 iClicker Questions

63 The Army banned all use of USB flash drives. What category of control was this? Technical Physical Administrative Detective Corrective

64 What type of control is a burglar alarm?
Detective Deterrent Preventive Corrective Recovery

65 After a security incident is declared, a security officer interviews employees in the affected department to quickly identify clues that may help understand what happened. Which process is being performed? Triage Investigation Analysis Containment Recovery

66 A data entry worker threatened to post confidential medical records on the Internet and demanded money. What sort of attack was that? Social engineering Sabotage Theft and Disappearance Extortion Bypass

67 This license plate is intended to protect the driver from automated ticketing cameras. What vulnerability would make this possible? Injection XSS CSRF Insecure cryptography Unvalidated redirects
