Chapter 9: Security Operations and Administration PDF
Document Details
Uploaded by Deleted User
2023
David Kim, Michael G. Solomon
Tags
Summary
This chapter details topics including security operations, security administration, controlling access, documentation, and procedures.
Full Transcript
CHAPTER 9 Security Operations and Administration Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com. Learning Objective(s) and Key Concepts Learning Objective(s) Key Concepts...
CHAPTER 9 Security Operations and Administration Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com. Learning Objective(s) and Key Concepts Learning Objective(s) Key Concepts Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Explain the role of security Role of security administration operations, security policies, within an organization security audits, testing, and Compliance and professional ethics monitoring in an IT infrastructure. Components of an IT security policy infrastructure and data classification standards Change management and configuration management The system life cycle (SLC) and the system development life cycle (SDLC) Security Administration The group of individuals responsible for planning, designing, implementing, and monitoring an organization’s security plan Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Physical location where they work is often referred to as the security operations center (SOC) Organizations must identify and document information assets, and then assign responsibility of each one to a person or position Controlling Access Identification Assertions made by users about who they are Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Authentication The proving of that assertion Authorization The permissions a legitimate user or process has on the system Accountability Tracking or logging what authenticated and unauthenticated users do while accessing the system Documentation, Procedures, and Guidelines The most common documentation requirements include: Sensitive assets list Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com The organization’s security process The authority of the persons responsible for security The policies, procedures, and guidelines adopted by the organization An organization must comply with rules on two levels: Regulatory compliance Organizational compliance Disaster Assessment and Recovery The security administration team: Handles incidents, disasters, and other interruptions Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Forms an incident response team, comprising individuals responsible for responding to incidents and investigating security breaches Manages the emergency operations groups, which is responsible for protecting sensitive data in the event of natural disasters, equipment failure, and other potential emergencies Security Outsourcing Advantages High level of expertise that an organization alone might not have Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Disadvantages The outsourcing firm might not possess internal knowledge You will not develop in-house capability or talent and need to continue to pay for these services indefinitely Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Outsourcing Considerations Adherence to policy Data security Ownership Privacy Risk Common Outsourcing Agreements Service-level agreement (SLA) Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Blanket purchase agreement (BPA) Memorandum of understanding (MOU) Interconnection security agreement (ISA) Compliance Event logs Records of actions that an organization’s operating system or application software Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com creates, showing which user or system accessed data or a resource and when Compliance liaison Makes sure that all personnel are aware of and comply with the organization’s policies Remediation Fixing something that is broken or defective, and, with computer systems, it refers to fixing security vulnerabilities Professional Ethics Set the example Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Encourage adopting ethical guidelines and standards Inform users through security awareness training Common Fallacies About Ethics Users think: Computers should prevent abuse Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com They have the right to explore security vulnerabilities as a form of free speech or expression Their actions may cause only minor damage and that a little damage will not bother anyone If it’s easy to break in, it must be all right to do so Hacking is okay if what they do is not damaging If they are not making any money or advancing themselves by hacking into a system, they must not be committing a crime Information should be free and that it’s okay to look through somebody’s system to obtain information Codes of Ethics A code of ethics helps ensure professionalism Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Internet Architecture Board (IAB) statement of policy List of unethical and unacceptable online practices, specifically related to activities involving the Internet Professional requirements/privacy principles An organization should collect only what it needs. An organization should not share its information. An organization should keep its information up to date. An organization should use its information only for the purposes for which it was collected. An organization should properly destroy its information when it is no longer needed. Personnel Security Principles Limiting access Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Separation of duties Job rotation Mandatory vacations Security training Security awareness Social engineering The Infrastructure for an IT Security Policy Policies Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Standards Procedures Baselines Guidelines Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com The Security Policy Environment Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com The Security Policy Hierarchy Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Systematic Actions Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Baseline Corporate Configuration Data Classification Standards Data owner Person who owns the data or someone the owner assigns Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Responsible for classifying data System owner Person or group that manages the infrastructure Classifying information criteria Value Sensitivity Criticality Information Classification Objectives To identify information protection requirements Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com To identify data value in accordance with organization policy To ensure that sensitive and/or critical information is provided appropriate protection/controls To lower costs by protecting only sensitive information To standardize classification labeling throughout the organization To alert employees and other authorized personnel to protection requirements To comply with privacy law and regulations Examples of Classification U.S. government (standardized) Unclassified Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Restricted Confidential Secret Top Secret Private sector (not standardized) Public (low) Private (medium) Confidential (high) Classification Procedures Critical to effective data classification Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Determine the scope and process Conduct a business impact analysis to evaluate all the organization’s data Data value is determined according to: Exclusive possession (trade secrets and intellectual property) Utility (usefulness) Cost to create or re-create the data Liability (protection regulations) Convertibility/negotiability (financial information) Operational impact (if data is unavailable) Threats to the information Risks Assurance Internal and external auditors Should review organization’s information-classification status during regular audit Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com process Evaluate level of compliance with classification policy and procedures to ensure compliance Information security personnel Should regularly visit workstations and other areas where users might leave unprotected classified materials When violations occur, submit appropriate reports to supervisors and managers Configuration Management The process of managing all changes to computer and device configurations Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Evaluates the impact a modification might have on security Security professionals responsible for: Ensuring adequate review of all system changes Ensuring that configuration changes will not cause unintended consequences for security Hardware Inventory and Configuration Chart Decision to roll out a new patch, service pack, or release will be complicated if you can’t find, update, and test every affected device Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Have an up-to-date map or layout of the configuration of the hardware components Regularly check for any available vendor upgrades, patches, and service packs The Change Management Process Configuration control Management of the baseline settings for a system device Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Change control Management of changes to the configuration Change Control Management Communicate change management procedures and standards effectively Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Reactive or proactive Reactive: Management responds to changes in the business environment Proactive: Management initiates the change to achieve a desired goal Occurs on a continuous, regularly scheduled, release, or program-by-program basis Change Control Committees Ensure changes are: changes are: Properly tested Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Authorized Scheduled Communicated Documented Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Change Control Procedures Change Control Issues Peer reviews Ensure that a peer or other expert double-checks all changes before you put them Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com into production Back-out plans Ensure that if the change doesn’t work properly, a plan exists to restore the system to a known good condition Documentation Keep documentation current to reflect the true system’s design Application Software Security Processes for software development: System life cycle (SLC) Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com System development life cycle (SDLC) Steps are similar; key differences: SLC includes operations and disposal SDLC ends with the transition to production The System Life Cycle Project initiation and planning Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Functional requirements and definition System design specification Build (develop) and document Acceptance testing Implementation (transition to production) Operations and maintenance Disposal Testing Application Software (1 of 2) Test for all expected and unexpected actions Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Test that errors are handled correctly Perform tests to verify maximum load on the system, including: Transaction volume Memory allocation Network bandwidth Response times Keep production or sensitive data secure during testing Testing Application Software (2 of 2) Thoroughly evaluate any change to your environment. Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Formalize the process for procuring new equipment. Follow the guidance in your data policies. Review a system throughout its life cycle to ensure that it meets its specified security (certification). Make sure management officially accepts the system (accreditation). Systems Procurement To ensure that new equipment does not expose the environment to new vulnerabilities: Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Evaluate various solutions that are available. Evaluate vendors in terms of maintenance, support, and training. Use the Common Criteria to ensure that you simplify the evaluation process. Monitor vendor contracts and SLAs. Correctly install equipment and formally accept it at the end of the project. Follow the organization’s procurement procedures to ensure a fair purchasing process. Monitor systems and equipment to identify those that are reaching the end of their life span so that you can schedule them for replacement. Software Development and Security Application must properly perform the following tasks: Checks user authentication to the application Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Checks user authorization (privilege level) Has procedures for recovering database integrity in the event of system failure Handles errors and exceptions consistently and does not allow any error or exception to go unhandled Validates all input Defines secure configuration baselines Provides guidance on hardening your application Provides and applies frequent patches Software Development Models The two most widely accepted models for software development Waterfall model Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Agile development method Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com The Waterfall Model Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com The Agile Software Development Method Summary Role of security administration within an organization Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Compliance and professional ethics Components of an IT security policy infrastructure and data classification standards Change management and configuration management The system life cycle (SLC) and the system development life cycle (SDLC)
