Security Operations and Administration.pdf

Full Transcript

Course: CYB 205
Professor : Stacy Nicholson

Topic :Security Operations and Administration
Security Operations and Administration

Areas to cover includes:
▪ Security concepts
▪ Security controls
▪ Code of ethics overview
▪ Physical control security
▪ Security awareness
Security Operations and Administration

▪ Security operations and administration involve a range of tasks
related to identifying an organization’s information assets and the
necessary documentation for implementing policies, standards,
procedures, and guidelines.
▪ The primary goal is to ensure confidentiality, integrity, and
availability of information
Accountability

▪ The ability to trace every action taken on a system back to an
individual user without any ambiguity and without allowing the user
to deny responsibility for that action.

▪ There are two prerequisites for ensuring accountability:

1. Identification
2. Authentication
Accountability Conti.

1. Identification
▪ Each use must have a unique identifier such as username
▪ Shared or generic accounts should be avoided as the system
cannot distinguish them.

2. Authentication
▪ Strong authentication prevents unauthorized users from gaining
access
▪ Also prevents users from denying their activity.
Accountability Conti

▪ Access control systems must track user activity carefully to enforce
accountability through use of auditing mechanisms.

▪ Note that logs must be kept secure where they can't be modified by
individuals accessing the system in question.
Key Principles of Information Security

1. Need to know
▪ Limits information access
▪ Access is based on a case-by-case basis
▪ Accessing information requires an individual to demonstrate a
valid business need.
Note:
▪ Having the right security credentials and clearance does not
automatically grant individuals access to sensitive
information in organizations that enforce need to know.
Key Principles of Information Security

▪ Least Privilege
▪ The minimum set of privileges required for an individual to perform
their job functions should be given to them.
▪ Limits system permissions

An organizations can choose to follow a least privilege approach and
supplement it with emergency access procedures that allow IT staff to
upgrade their own privileges in an emergency.
Separation of Duties and Responsibilities

▪ Separation of Duties
▪ No single person should possess two permissions that, in
combination, allow them to perform a sensitive operation.

▪ Permissions should be separated and held by two different groups
of people.

▪ Account reviews and audits should inspect permissions to ensure
that separation of duties is properly enforced.
Data Security Roles

Concepts surrounding data ownership and stewardship.

Four-tiered model of roles includes :
1. Data Owner
▪ These are business leaders with total responsibility for data. They set
polices and guidelines for their data assets, use and data security.

▪ At the highest level, the data owner for a particular datasets is a senior
level official who bears overall responsibility for that data.

▪ For example, an organization's vice president for human resources might
be the data owner for employment information.
Data Security Roles Cont.

2. Data Stewards
▪ Manage the day-to-day data governance activities. They delegate
responsibilities by the data owner.

▪ For example, a data steward might make day-to-day decisions
about who can access the dataset.

3. Data Custodian
▪ Individuals who store and process the information and are often IT
staff members.
Data Security Roles Cont.

4. Data Users
▪ Individuals who work with data on a regular basis.

▪ Examples: analysts, customer service representatives, managers,
and others in an organization

▪ They must protect data from unauthorized disclosure

▪ Data users must work within the rules set by data owners and data
stewards
Limiting Data Collection

▪ Limiting data collection reduces the risk of information being misused
or lost.
▪ Privacy principles, requires that organization provide individuals with
notice of the information they collect, the ways that they use it, and
obtain consent of those individuals for that use.
▪ Organizations should never collect information that falls outside of
the disclosures that they've made to individuals, even if it's easy to do
so, or seems to be incidental to the approved purpose.
▪ New consent must be obtained before collecting od new information
Code of Ethics Overview

▪ Protect society, the common good, necessary public trust and
confidence, and the infrastructure.

▪ Act honorably, honestly, responsibly and legally.

▪ Provide diligent and competent service to principals

▪ Advance, and protect the profession.
Security Controls

▪ Security controls are the procedures and mechanisms that an
organization puts in place to manage security risks, protect data and
infrastructure important to an organization.
▪ Any safeguard or countermeasure used to avoid, detect, counteract,
or minimize security risks to physical property, information, computer
systems, or other assets is considered a control.
▪ These controls are crucial in ensuring the confidentiality, integrity,
and availability of information in information security. These security
controls include data, physical , cloud, cybersecurity security control ,
etc.
Security Controls Cont.

▪ Example : Home Security
▪ Lock on doors
▪ Burglar alarm designed to detect intrusions,
▪ Security cameras to record activity inside your home.
▪ Neighborhood watch
▪ Automatic light switches to deter a burglar by simulating human
activity
▪ Defense in depth – use of multiple security controls.
Defense in Depth

▪ Defense in depth involves the use of multiple layers of security
controls and protocols to protect an organization's environment and
critical assets instead of relying on a single protective measure.

▪ Defense in depth is a way to prevent attacks that make it past your
initial security measures as no single security measure can prevent all
attacks

▪ The overall goal is to applying multiple overlapping controls to
achieve the same objective.

▪ Security professionals categorize security controls into similar groups
using different categories
Security Controls Grouping

▪ Categorize controls by their purpose or mechanism of
action.
▪ This includes preventing, detecting, correcting, or
deterring security issues.

▪ Preventive controls - stop a security issue from occurring
in the first place.
▪ Example - A firewall that blocks unwanted network traffic

▪ Detective controls - identify potential security breaches
that require further investigation.
▪ Example: network intrusion detection systems (NIDS)
Security Controls Grouping Conti.

▪ Corrective controls remediate security issues that
have already occurred.

▪ Example: If an attacker breaks into a system and
wipes out critical information, restoring that
information from backup is an example of a
corrective control.

▪ Deterrent controls are designed to discourage an
attacker from even attempting an attack in the first
place.

▪ Example: posting guard dogs inside the fence to
deter intruders.
Security Controls Grouping Conti.

▪ Categorize controls is by their mechanism of action.
▪ Controls are group either technical, administrative or physical
controls.

▪ Technical controls - use of technology to achieve security objectives.
▪ Examples: firewalls, intrusion prevention systems, password policies,
session timeouts, data loss prevention systems, and anti-malware
software, etc.
Administrative Controls

▪ Administrative controls use human-driven processes to manage
technology in a secure manner
▪ These include User access reviews
▪ Log monitoring
▪ Security policies, standards, and procedures
▪ Background checks
▪ Conducting security awareness training
▪ Etc.
Physical Controls Security

▪ Physical controls safeguard the physical facilities.
▪ Thes include man traps, cameras and locks to help protect the
security of information, offices and other physical facilities

▪ Visitor management
▪ Describe who may authorize visitor access
▪ How visitors may behave in your facilities.
▪ Explain the role of visitor escorts
▪ Etc.
▪ Visitors access to secure areas should be logged.
▪ All visitors should wear a badge that clearly identify them a visitor.
Security Controls

▪ False Positive Errors ▪ False Negative Errors
▪ occurs when a control activates ▪ occurs when a control fails to
in a situation where it shouldn’t trigger in a situation where it
should.
▪ Example: a false negative
▪ Example: a false positive would would occur if an actual
occur when a detective control, security incident takes place
such as an intrusion detection and the system fails to detect it,
system, issues of false alarm. giving administrators a false
sense of safety
Security Awarenesses

Security Training Security Awareness
▪ Keeps the lessons learned
▪ Provides users with the during a security training top
knowledge they need to protect of mind for employees.
the organization's security. ▪ Awareness doesn't require a
commitment of time to sit
▪ Security training may use a down and learn new material.
variety of delivery techniques, but
the bottom-line goal is to impart ▪ Instead, a variety of different
knowledge. method is used to reinforced
awareness such as : posters,
videos, email messages, and
similar techniques.