CSSLP Tutorial: Module 07, Part 02 – Operations security controls

In part two of this last module, we look not only at secure start-up, running the product in a secure environment and hardening the system as part of the process, but also at the operations security controls and maintenance that follow deployment.

The operations and maintenance of our product covers the day-to-day processes we need to monitor. There will also be periodic patches, updates and upgrades, especially as time goes on. Was the software built to be resilient enough that it does the work it is supposed to do and can also bounce back if something happens to it? When faults or errors do occur, we want it to shut down gracefully and in a secure manner (fail secure rather than fail open), with the ability to recover some if not all of its functionality. Part of that is monitoring, and part is maintaining the software through patches and so on.

When we install the software, the system may be fully secure at that moment, but the application is not installed into just a system; it is installed into an environment. As the risks and the threats change over time, we can find that our very secure system is no longer in that same situation, because the environment, the risks or the threats have changed.

Operations and maintenance as it relates to security is often referred to as opsec, from the "op" of operations and the "sec" of security mashed together. We want assurance that the software is going to work as expected, that its security state does not get compromised, that it continues to function in a predictable manner, and that it does not negatively affect the production environment. So beyond understanding opsec for security's sake, we also need to understand the elements that will need monitoring: hardware, software, media and media usage, and people.

First is hardware. Second, we will discuss software and its implications. Then there is media and media usage, and what to do with media when it has outlived its purpose: primarily the options for recycling or repurposing it, and for simply destroying the media along with the potentially sensitive information on it. Last, operations and operations security of course relate to the people on the team, including the difference between a team member who has been trained poorly and one who has been trained well.

Starting with hardware, it tends to be a very large topic, because a lot of components fall under that umbrella. Obviously we are talking about CPUs, but also individual servers, monitors, keyboards and cases, as well as network devices such as routers, switches, firewalls and intrusion detection systems, and any other communication devices such as voice systems, smartphones, fax machines and so on. When we talk about controlling the hardware, we are really focusing on the points of vulnerability in these devices. A router that still uses the default administrative account and password is insecure and represents a point of vulnerability. More generally, factory-default configurations are chosen for ease of use rather than security, and if you do not change them to match your business or organization, they are the same settings everyone knows come out of the box (default credentials, well-known SNMP community strings such as "public", management services enabled on every interface), which makes it that much easier for an attacker to threaten your system.

In addition to the configurations and passwords, we also need to be careful and selective about where the physical devices are located, and make sure they are inaccessible to the general public. If someone can put their hands on the device, then by sheer physical possession they can make changes regardless of how strong the passwords and configurations are: plug into the console port and run the vendor's password-recovery procedure, tap or reroute the traffic passing through a router, or swap the device for one that impersonates it.
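To make the hardware point concrete, here is an added example (not part of the original tutorial) that audits a router configuration for the out-of-the-box settings described above. The two configurations are constructed samples in a Cisco IOS-like syntax, one before hardening and one after, and the list of default credentials is illustrative rather than taken from any vendor's documentation.

```python
from __future__ import annotations
import re

# Constructed sample of a router running-config, in a Cisco IOS-like syntax,
# showing the kinds of out-of-the-box settings the text warns about.
# It is not taken from any real device.
WEAK_CONFIG = """\
hostname edge-rtr-01
enable password cisco
username admin privilege 15 password 0 admin
snmp-server community public RO
snmp-server community private RW
ip http server
line vty 0 4
 transport input telnet ssh
 login local
"""

# The same device after hardening (also constructed; hashes are placeholders).
HARDENED_CONFIG = """\
hostname edge-rtr-01
enable secret 9 HASH-PLACEHOLDER
username netops privilege 15 secret 9 HASH-PLACEHOLDER
snmp-server group MONITORS v3 priv
no ip http server
ip http secure-server
line vty 0 4
 transport input ssh
 login local
"""

# Username/password pairs that commonly ship as factory defaults (illustrative).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("cisco", "cisco"), ("admin", "password")}
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}


def audit_config(config: str) -> list[tuple[int, str]]:
    """Return (line number, finding) pairs for default or weak settings."""
    findings = []
    for n, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()

        # 'enable password' is stored reversibly (type 0/7); 'enable secret' is hashed.
        if line.startswith("enable password "):
            findings.append((n, "reversible 'enable password'; use 'enable secret'"))

        # Local user still carrying a vendor-default credential pair.
        m = re.match(r"username (\S+) .*\bpassword (?:\d )?(\S+)$", line)
        if m and (m.group(1), m.group(2)) in DEFAULT_CREDENTIALS:
            findings.append((n, f"default credential for user {m.group(1)!r}"))

        # Well-known SNMP v1/v2c community strings.
        m = re.match(r"snmp-server community (\S+)", line)
        if m and m.group(1).lower() in DEFAULT_SNMP_COMMUNITIES:
            findings.append((n, f"default SNMP community {m.group(1)!r}"))

        # Plaintext management services reachable over the network.
        if line == "ip http server":
            findings.append((n, "plaintext HTTP management interface enabled"))
        if line.startswith("transport input") and "telnet" in line.split():
            findings.append((n, "telnet accepted on vty lines"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_config(cfg)
        print(f"{name}: {len(results)} finding(s)")
        for n, msg in results:
            print(f"  line {n}: {msg}")
```

Run against the weak configuration the audit flags six lines; against the hardened one it flags none. The same pattern (a short list of line-level checks run over every device's exported configuration) scales to a fleet far better than logging into each router by hand, and it catches the device someone reset to factory defaults during an outage and forgot about.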

When it comes to software, some of the same ideas apply. We might have software developed in house, or proprietary software created by a third party. In either case the operating system comes from a known vendor, and the default port numbers are ones everybody uses and knows: web traffic on port 80, DNS traffic on port 53. So when somebody else, such as a third party, has access, you may consider moving a service to a non-default port to limit their ability to find it and modify the system through it. Keep in mind that this is obscurity rather than a control: any port scan will still find the service, so it only raises the cost of casual discovery and has to be paired with access control and authentication. It also becomes complicated if the changes are not tracked, but it can be a useful tool when dealing with software.

When it comes to media and media usage as it relates to operational security, we have to understand all the various types of media: USB drives, tapes, hard drives (both internal and external), optical media such as DVD-Rs and CDs, solid-state drives, and so on. There are many places where information can be stored, so we have to be careful about how we cleanse the media if we are going to reuse or recycle it for another set of files.

The only way to be certain that confidential or sensitive information is gone is to destroy the media, by incineration or by physically shredding the device.

Short of completely destroying the media, the other options are zeroization (overwriting) and degaussing. If we are going to reuse media, we have to be very careful about how it is sanitized. The standard NIST SP 800-88 (Guidelines for Media Sanitization) covers the specifics and distinguishes three levels: Clear (overwriting through normal read/write commands), Purge (techniques such as degaussing, a drive's built-in sanitize command or cryptographic erase) and Destroy. Reuse after sanitizing is probably fine for a thumb drive that never held sensitive information. Although sanitized media can be reused, the best bet is still to destroy or incinerate it, since that is the surest way to make sure no data remnants are available. There are times, though, when that is not an option. Zeroization is overwriting the device with zeros (or another fixed pattern), pass after pass, so that the new pattern replaces whatever data was on the media.

However, information can sometimes still be recovered after a zeroization pass. The classic concern was residual magnetism on old disks; on modern magnetic drives a complete overwrite is generally effective, and the practical problem today is solid-state and flash media. Because of wear-levelling, a host-level overwrite lands on fresh physical pages while the pages holding the old data are merely marked stale, and spare or over-provisioned blocks are never reachable from the host at all, so an overwrite from the operating system cannot be trusted to reach everything. For those devices use the controller's own sanitize or secure-erase command, or cryptographic erase if the drive was encrypted, and verify afterwards. So again, the best bet is physical destruction, especially if sensitive information was on the device. The second option is degaussing, where we expose the media to a strong magnetic field that erases the cylinders, tracks and sectors making up the drive's format. Degaussing only works on magnetic media (hard drives and tape) and does nothing to flash or optical media; and because it also wipes the factory-written servo tracks on a modern hard drive, the drive cannot simply be low-level formatted and reused afterwards, so it is effectively destroyed. Where the media can be reformatted afterwards, the low-level format itself takes hours and hours. Typically, it is much easier to go through the physical destruction of the media.
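The difference between a host-level zero overwrite and a real sanitize is easiest to see with a model. The following is an added example, not part of the original tutorial: two toy storage devices, a magnetic disk that rewrites sectors in place and a flash device with a simplified wear-levelling translation layer, are both "zeroized" from the host the way `dd if=/dev/zero` would, and then inspected as chip-off or platter-level forensics would see them. The page sizes, the sample record and the translation layer are all constructed for the illustration and do not model any particular controller.

```python
"""Why a host-level zero overwrite is not the same as sanitizing a device."""

PAGE_SIZE = 16  # bytes per sector / flash page in this toy model (constructed)


class MagneticDisk:
    """Sectors are rewritten in place: an overwrite really replaces the bytes."""

    def __init__(self, sectors: int):
        self.sectors = [bytes(PAGE_SIZE) for _ in range(sectors)]

    def write(self, lba: int, data: bytes) -> None:
        assert len(data) == PAGE_SIZE
        self.sectors[lba] = data

    def read(self, lba: int) -> bytes:
        return self.sectors[lba]

    def raw_dump(self) -> bytes:
        """What a lab with platter-level access could see."""
        return b"".join(self.sectors)


class FlashDevice:
    """A wear-levelled SSD or thumb drive: every write of a logical block goes
    to a fresh physical page; the previous page is only marked stale."""

    def __init__(self, physical_pages: int):
        self.pages = [bytes(PAGE_SIZE) for _ in range(physical_pages)]
        self.free = list(range(physical_pages))  # pages never written yet
        self.map = {}        # logical block -> physical page
        self.stale = set()   # pages holding superseded data, not yet erased

    def write(self, lba: int, data: bytes) -> None:
        assert len(data) == PAGE_SIZE
        if not self.free:
            raise RuntimeError("out of free pages; garbage collection not modelled")
        if lba in self.map:
            self.stale.add(self.map[lba])  # old bytes stay on the chip
        page = self.free.pop(0)
        self.pages[page] = data
        self.map[lba] = page

    def read(self, lba: int) -> bytes:
        """The host only ever sees the current mapping, never stale pages."""
        return self.pages[self.map[lba]] if lba in self.map else bytes(PAGE_SIZE)

    def raw_dump(self) -> bytes:
        """What chip-off forensics sees: every physical page, stale or not."""
        return b"".join(self.pages)

    def sanitize(self) -> None:
        """Controller-level purge (sanitize / secure-erase): erase every page."""
        self.pages = [bytes(PAGE_SIZE) for _ in self.pages]
        self.free = list(range(len(self.pages)))
        self.map.clear()
        self.stale.clear()


def zeroize_from_host(device, logical_blocks: int) -> None:
    """What `dd if=/dev/zero of=/dev/sdX` does: overwrite every LBA with zeros."""
    for lba in range(logical_blocks):
        device.write(lba, bytes(PAGE_SIZE))


def remnant_found(device, secret: bytes) -> bool:
    """Would a raw read of the storage medium still reveal the secret?"""
    return secret in device.raw_dump()


SECRET = b"ACCT-4417 PIN 90"  # 16-byte constructed sample record


def demo() -> tuple[bool, bool, bool, bool]:
    """Returns (disk remnant after overwrite, flash remnant after overwrite,
    flash reads back as zeros anyway, flash remnant after controller sanitize)."""
    disk = MagneticDisk(sectors=4)
    disk.write(1, SECRET)
    zeroize_from_host(disk, 4)
    disk_remnant = remnant_found(disk, SECRET)

    ssd = FlashDevice(physical_pages=12)
    ssd.write(1, SECRET)
    zeroize_from_host(ssd, 4)
    ssd_remnant = remnant_found(ssd, SECRET)
    host_sees_zeros = ssd.read(1) == bytes(PAGE_SIZE)

    ssd.sanitize()
    after_sanitize = remnant_found(ssd, SECRET)
    return disk_remnant, ssd_remnant, host_sees_zeros, after_sanitize


if __name__ == "__main__":
    print(demo())
```

The model shows the failure mode the text describes: after the host overwrite the flash device reads back all zeros, so a naive verification (re-read every block) would pass, yet the secret is still sitting in a stale physical page. Only the controller-level sanitize clears it, which is why NIST SP 800-88 classes a plain overwrite of flash media as Clear rather than Purge.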

The last element of operations security involves the people on the team, and the people on our network. The people who work on the application and in our organization can be our biggest asset, but they can also be our greatest weakness. The human factor is essentially our last line of defense: if someone is trying to get into our organization, either physically or virtually through the network and its applications, in order to mount an attack, it is usually another person who notices that something is not right. People bring a human element of judgement that adds an additional layer of surveillance and observation. On the other hand, a commonly cited figure is that around 85% of fraud loss within an organization is initiated by someone internal.

So the person who is in-house and knows the weaknesses of the system is the one more likely to exploit them for fraudulent purposes. Users also do not have to intend damage: through social engineering, our users can be tricked into giving out sensitive information. This is why we make sure that all our people, everyone who works for the organization, are trained in what to look for in these situations: not only trained to do the job, but also trained to be that last layer of judgement and surveillance against potential threats and possible attacks.