Lecture 07 - Operations Security PDF
University of Technology and Applied Sciences - Ibri
Jason Andress, William Stallings
Summary
This document is a lecture on operations security, covering its history, principles, and practical applications in various contexts, from military to business environments. It highlights the importance of identifying critical information assets and implementing appropriate security measures to mitigate potential risks.
Full Transcript
CSSY1208 Introduction to Information Security
Lecture 07 - Operations Security

Textbook: The Basics of Information Security: Understanding the Fundamentals of InfoSec in Theory and Practice, Second Edition, Jason Andress, Elsevier.
Referenced book: Cryptography and Network Security, 6th Edition, William Stallings, Pearson.

Outline
Chapter 7 - Operations Security
- Introduction
- Origins of operations security
- The operations security process
- Identification of critical information
- Analysis of threats
- Analysis of vulnerabilities
- Assessment of risks
- Application of countermeasures
- Haas' Laws of operations security
- Operations security in our personal lives

Introduction
Operations security, known in military and government circles as OPSEC, is, at a high level, a process that we use to protect our information. Although we have discussed certain elements of operations security previously, such as the use of encryption to protect data, such measures are only a small portion of the entire operations security process.

OPSEC Methodology Practice
OPSEC practices include what kind of information we disclose on social media, what we tell our friends and family, and how we handle data. The entire process involves not only putting countermeasures in place but, before doing so, carefully identifying what exactly we need to protect and what we need to protect it against (identify assets and analyze threats before putting countermeasures in place). If we jump directly to putting protective measures in place, we might not be directing our efforts toward the information assets that are actually the most critical items to protect. It is important to remember when putting security measures in place that the measures we implement should be proportionate to the value of what we are protecting. If we apply the same level of security to everything, we may be overprotecting some things that are not of high value and underprotecting things of much greater value.

OPSEC: Unclassified and Classified Data
The three main items of information that constitute an identity are a name, an address, and an identity number.
Individually, these items are completely useless. We could take any one of them in isolation and put it up on a billboard for the world to see, and not be any worse off for having done so.
In combination, these three items are sufficient for an attacker to steal our identity and use it for all manner of fraudulent activities.
This is the foundation of OPSEC: the focus is on unclassified data that, when correlated, becomes data that should be classified.

OPSEC: Business
1. In the late 1970s and early 1980s, some of the OPSEC concepts that were used in the world of the military and government were beginning to take root in the commercial world.
2. The ideas of industrial espionage and spying on our business competition in order to gain a competitive advantage have been around since the beginning of time.
3. As such security concepts were becoming more structured in the military world, they were becoming more structured in the business world as well.
4. In the business world your adversary is your competitor, who might be looking to destroy your reputation or to offer better products in order to take your share of customers or consumers.

The Operations Security Process
The operations security process:
1. Identify what information we have that needs protection.
2. Analyze the threats.
3. Analyze the vulnerabilities that might impact it.
4. Assess the risk.
5. Develop methods of mitigation for those threats and vulnerabilities, as shown in the figure.
Although the process is relatively simple, it is very effective and time tested.

Identification of Critical Information
The initial step, and arguably the most important step, in the operations security process is to identify our most critical information assets.
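The "unclassified data that becomes classified when correlated" idea above (name, address and identity number) can be checked mechanically. The following is an added example, not code from the lecture or from Andress' book: it takes a constructed timeline of individually harmless disclosures and reports the point at which the accumulated set completes a sensitive combination. The field names, the two rules in the policy and the sample posts are all assumptions made for illustration; the check generalizes the identity example to any combination rule and to disclosures spread over time and channels.

```python
"""Added example (not from the lecture): when do individually harmless
disclosures add up to a sensitive combination?

Field names, policy rules and the sample timeline are constructed for
illustration only.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class AggregationRule:
    """A set of fields that must be treated as classified once all are exposed."""
    fields: FrozenSet[str]
    label: str


@dataclass
class Disclosure:
    """One item released to an audience, e.g. a social-media post (constructed)."""
    channel: str
    fields: Set[str]
    text: str = ""


# Constructed policy: each rule is harmless piecewise, sensitive in combination.
IDENTITY_RULE = AggregationRule(frozenset({"name", "address", "id_number"}), "identity")
ABSENCE_RULE = AggregationRule(frozenset({"address", "away_dates"}), "unoccupied-home")
POLICY: List[AggregationRule] = [IDENTITY_RULE, ABSENCE_RULE]


def is_sensitive_alone(fields: Set[str], policy: List[AggregationRule]) -> bool:
    """True only if this single disclosure, by itself, completes a rule."""
    return any(rule.fields <= fields for rule in policy)


def first_violation(disclosures: List[Disclosure],
                    policy: List[AggregationRule]) -> Optional[Tuple[int, str]]:
    """Accumulate everything released so far and check the rules after each item.

    Returns (index, rule label) for the disclosure that first completes a
    sensitive combination, or None if the cumulative set never does. Checking
    the running union, not each post alone, is what turns 'unclassified'
    items into a 'classified' whole.
    """
    released: Set[str] = set()
    for i, d in enumerate(disclosures):
        released |= d.fields
        for rule in policy:
            if rule.fields <= released:
                return i, rule.label
    return None


def missing_for_rule(released: Set[str], rule: AggregationRule) -> Set[str]:
    """Fields an observer still lacks to complete the rule. Keeping at least
    one of these unpublished is the countermeasure."""
    return set(rule.fields - released)


# Constructed timeline: no single post is sensitive on its own.
SAMPLE = [
    Disclosure("forum", {"name"}, "Signed a post with my full name"),
    Disclosure("photo", {"address"}, "Photo of the new house, number visible"),
    Disclosure("blog", {"away_dates"}, "Off to the coast for three weeks!"),
    Disclosure("email", {"id_number"}, "Sent my ID number to a mailing list"),
]

if __name__ == "__main__":
    for i, d in enumerate(SAMPLE):
        print(i, d.channel, "sensitive alone:", is_sensitive_alone(d.fields, POLICY))
    print("first violation:", first_violation(SAMPLE, POLICY))
    print("still missing for identity after two posts:",
          missing_for_rule({"name", "address"}, IDENTITY_RULE))
```

Run stand-alone, it shows that none of the four posts is sensitive by itself, yet the third one completes the "unoccupied-home" combination and the fourth would complete "identity". The rules are checked in policy order, so the label reported is the first rule completed at that step.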
Although we could spend a great deal of time identifying every little item of information that might be of importance, this is not the goal of this step of the operations security process.
Examples (identify our most critical, relevant information assets):
- For a soft drink company it might be our secret recipe.
- For an application vendor it might be our source code.
- For a military operation it might be our attack timetable.
These are the assets that most need protection and will cause us the most harm if exposed, and these are the assets we should be identifying.

OPSEC: Analysis of Threats
A threat is something that has the potential to cause us harm. In the case of analyzing threats to our information assets, we would start with the critical information we identified in the previous step. With the list of critical information, we can then begin to look at what harm or financial impact might be caused by critical information being exposed, and who might exploit the exposure.

OPSEC: Analysis of Threats Example
For instance, suppose we are a software company that has identified the source code of one of our main products as an item of critical information. We might determine that the chief threats of such an exposure are exposure to attackers and to our competition. If the source code were exposed to attackers, they might be able to determine the scheme we use to generate license keys for our products (which we use to prevent piracy) and use access to the source code to develop a utility that could generate legitimate keys, thus costing us revenue to software piracy. In the case of our competitor, they might use access to our source code to copy features for use in their own applications, or they might copy large portions of our application and sell it themselves.

Analysis of Vulnerabilities
Vulnerabilities are weaknesses that can be used to harm us. In the case of analyzing the vulnerabilities in the protections we have put in place for our information assets, we will be looking at:
- how the processes that interact with these assets are normally conducted;
- where an adversary might attack in order to compromise them (the critical information).

Analysis of Vulnerabilities Example
1. When we look at vulnerabilities, we might find that our security controls on the source code with which we are concerned are not very strict, and that it is possible to access, copy, delete, or alter it without any authorization beyond that needed to access the operating system or network shares.
2. This might make it possible for an attacker who has compromised the system to copy, tamper with, or entirely delete the source code.
3. It might also render the files vulnerable to accidental alteration while the system is undergoing maintenance.

Assessment of Risks
Assessment of risks is a matter of deciding what issues we really need to be concerned about during the operations security process. It is important to note again that we need a matching threat and vulnerability to constitute a risk. For example, if our source code were subject to very stringent security requirements that would make it a near impossibility for it to be released in an unauthorized manner, there would be no vulnerability to match the threat, and hence no risk.

Assessment of Risks Example
1. To go back to our software source code example, we had determined that we had a threat in the potential for our application source code being exposed in an unauthorized manner.
2. Furthermore, we found that we had a vulnerability in the poor controls on access and configuration/version management for our source code, and in the lack of policy on how exactly it was controlled.
3. These two matching issues could potentially lead to the exposure of our critical information to our competitors or attackers (risk).
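The risk assessment step above, and the countermeasure step the lecture describes next, are easy to get wrong in practice (treating a lone threat as a risk, or assuming the threat side is something we can remove). The following is an added example, not code from the lecture or from Andress' book: it models steps 2 to 5 of the process for the lecture's software-company scenario. A risk exists only where a threat and a vulnerability match on the same asset; a countermeasure that removes either side of the pair removes the risk. The threat, vulnerability and countermeasure names, the impact and likelihood ratings, and the "customer list" asset are all constructed assumptions.

```python
"""Added example (not from the lecture): OPSEC steps 2-5 for the
source-code scenario. Names and ratings are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Set


@dataclass(frozen=True)
class Threat:
    """Something with the potential to harm a critical asset (step 2)."""
    name: str
    asset: str       # the critical information it could expose (step 1 output)
    impact: int      # constructed 1..5 rating of the harm if it is realised


@dataclass(frozen=True)
class Vulnerability:
    """A weakness in how the asset is handled that could be used to harm us (step 3)."""
    name: str
    asset: str
    likelihood: int  # constructed 1..5 rating of how easily it can be used


@dataclass(frozen=True)
class Risk:
    """A threat matched with a vulnerability on the same asset (step 4)."""
    threat: Threat
    vulnerability: Vulnerability

    @property
    def score(self) -> int:
        # simple impact x likelihood ranking so the most serious pair sorts first
        return self.threat.impact * self.vulnerability.likelihood


@dataclass
class Countermeasure:
    """Step 5: a measure that removes vulnerabilities and/or threats, by name."""
    name: str
    mitigates_vulns: Set[str] = field(default_factory=set)
    mitigates_threats: Set[str] = field(default_factory=set)


def assess_risks(threats: List[Threat], vulns: List[Vulnerability]) -> List[Risk]:
    """Pair each threat with each vulnerability on the same asset.
    A threat or vulnerability with no counterpart is not a risk."""
    risks = [Risk(t, v) for t in threats for v in vulns if t.asset == v.asset]
    return sorted(risks, key=lambda r: r.score, reverse=True)


def unmatched_threats(threats: List[Threat], vulns: List[Vulnerability]) -> List[str]:
    """Threats with no vulnerability to pair with: worth watching, not yet a risk."""
    exposed_assets = {v.asset for v in vulns}
    return [t.name for t in threats if t.asset not in exposed_assets]


def residual_risks(threats: List[Threat], vulns: List[Vulnerability],
                   countermeasures: List[Countermeasure]) -> List[Risk]:
    """Drop whatever the countermeasures mitigate, then reassess.
    Breaking either side of a threat/vulnerability pair removes that risk."""
    removed_t = {n for c in countermeasures for n in c.mitigates_threats}
    removed_v = {n for c in countermeasures for n in c.mitigates_vulns}
    return assess_risks([t for t in threats if t.name not in removed_t],
                        [v for v in vulns if v.name not in removed_v])


# Constructed scenario following the lecture's software-company example.
THREATS = [
    Threat("attacker derives the license-key scheme", "source code", 5),
    Threat("competitor copies features", "source code", 4),
    Threat("competitor poaches customers", "customer list", 3),
]
VULNS = [
    Vulnerability("weak access control on the source repository", "source code", 4),
    Vulnerability("no handling policy for source code", "source code", 3),
]
# Only the vulnerability side is under our control; nothing here removes an adversary.
COUNTERMEASURES = [
    Countermeasure("strict repository access control",
                   mitigates_vulns={"weak access control on the source repository"}),
    Countermeasure("source-code handling policy",
                   mitigates_vulns={"no handling policy for source code"}),
]

if __name__ == "__main__":
    for r in assess_risks(THREATS, VULNS):
        print(f"{r.score:>2}  {r.threat.name}  via  {r.vulnerability.name}")
    print("not yet a risk:", unmatched_threats(THREATS, VULNS))
    print("residual after both countermeasures:",
          residual_risks(THREATS, VULNS, COUNTERMEASURES))
```

The "customer list" threat never appears in the risk list because no vulnerability matches it, which is the lecture's point about needing a matching pair. Applying only the first countermeasure leaves two risks (the policy gap still pairs with both threats); applying both leaves none, even though both threats are untouched.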
Application of Countermeasures
Once we have discovered what risks to our critical information might be present, we would then put measures in place to mitigate them. Such measures are referred to in operations security as countermeasures. In order to constitute a risk, we need a matching set of threats and vulnerabilities. When we construct a countermeasure for a particular risk, in order to do the bare minimum, we need only to mitigate either the threat or the vulnerability.

Application of Countermeasures Example
1. In the case of our source code example, the threat was that our source code might be exposed to our competitors or attackers, and the vulnerability was the poor set of security controls we had in place to protect it. There is little we can do about the threat. We can, however, put measures in place to mitigate the vulnerability.
2. If we institute stronger measures on controlling access to the code and also put policy in place to lay out a set of rules for how it is to be handled, we will largely remove this vulnerability.
3. Once we have broken the threat/vulnerability pair, we will likely no longer be left with much in the way of a serious risk.

Haas' Laws of Operations Security
As a briefer viewpoint on the operations security process, we can look at the Laws of OPSEC, developed by Kurt Haas while he was employed at the Nevada Operations Office of the DOE.
First law: This law refers to the need to develop an awareness of both the actual and potential threats that our critical data might face. This law maps directly to the second step in the operations security process.
Second law: This law of operations security discusses the need to evaluate our information assets and determine what exactly we might consider to be our critical information. This second law equates to the first step in the operations security process.
Third law: This law is an overall reference to the necessity of the operations security process.
If we do not take steps to protect our information from the dragon (our adversaries or competitors), they win by default.

Operations Security in Our Personal Lives
Operations security can also be of great use in our personal lives, although we might not formally perform the entire OPSEC process through all of its steps to protect our personal data. For example, if we will be going on vacation for several weeks and will be leaving behind an empty house for the whole time, we might take a few minutes to think about the indicators that the house is unoccupied and vulnerable:
- We told everyone on Facebook we were going.
- Posts to Twitter while we are on vacation about what we are doing.
- No noise coming from the house when we would normally be home.
- Newspapers building up in the driveway, or delivery stopped.
- Mail building up in the mailbox.
- No car in the driveway.
- No people coming and going.

Thank You