Security Operations Concepts


The topic of security operations covers a wide variety of concepts, which we describe in this section. The common theme to these concepts is the mission of protecting the integrity and confidentiality of information assets. Information is protected through the controls and the reduction of threats and vulnerabilities.

Antivirus and malware management

When it comes to viruses - and also worms and Trojan horses - the Internet is a real cesspool of diseases forever seeking fresh victims. Viruses are constantly on the loose, and any organization lacking a strong, multilayer, antivirus defense will regularly experience virus infections and suffer the consequences. Thus, the desktop and server support teams will spend a lot of time rebuilding systems. Downtime and productivity suffer as well: Employees can’t use their workstations for a period of time, and then after they access their computers again, they have to spend extra time rebuilding their data.

To counter the threat of viruses and other malicious code, an organization must develop an effective antivirus program consisting of enterprise-wide mechanisms to automatically push new signature files (the data containing signatures of all known viruses) to all desktop systems and Windows-based servers. Each organization should also seriously consider implementing antivirus mechanisms on its file, e-mail, and Web proxy servers. Spam and spyware filters, whether installed on workstations or centrally, should also be considered.

 Cross-Reference   As long as the world is filled with hackers (and crackers), malicious code and viruses will remain important security risks that must be guarded against. Viruses, worms, and Trojan horses are all examples of malicious code. We cover these topics in detail in Chapter 7.

Making backups of critical information

Murphy’s Law has taken up residence in businesses and IT organizations throughout the world. Things can and do go wrong, ranging from innocent mistakes, software bugs, and hardware failures to full-blown disasters such as floods and hurricanes. More often than you think, users will make requests to have files restored (or, out of embarrassment, they’ll take the extra time to rebuild them as best they can). These users range from desktop users to computer operators and database administrators. No matter how computer savvy a person is, equipment can fail, mistakes can happen, and data can disappear.

Management must be absolutely sure that all critical data is backed up as frequently as due care prescribes. Data that changes frequently may need to be backed up more than once per day - if it’s not mirrored or replicated on other online storage systems. Data that doesn’t change so frequently can be backed up somewhat less often . . . say, weekly or even monthly.

 Cross-Reference   Performing backups is a form of due care; in other words, every IT organization should be performing them. See Chapter 12, in which we discuss due care and due diligence.

Need-to-know

One of the classic concepts of information security is need-to-know. This principle states that only people with a need to know should have access to certain information.

The most difficult challenge in managing need-to-know is deploying controls that actually enforce it. Also, information owners need to be able to distinguish “I need to know” from “I want to know,” “I want to feel important,” and “I’m just curious.”

Least privilege

Least privilege is similar to need-to-know, but least privilege applies more to functionality than to access to data. The principle of least privilege states that persons should have the ability to perform only the tasks (or have access to only the data) that they require to perform their primary job and no more.

To give an individual more privileges and access than required is an invitation for trouble. Offering the temptation to be able to perform more than one requires may sooner or later result in an abuse of privilege.

An example of least privilege is the computer operator who manages a system’s print queues. In the UNIX world, administrative functions such as printing require superuser privileges, which give the person using them absolute power and control over the system. In UNIX, the root account is generally used to control the print queue. Although most organizations simply give the root password to people who manage limited tasks such as printing and print queues, a much better approach is to give such a user only the privileges that managing the print queues requires.

 Instant Answer   The principle of least privilege states that persons should have the fewest privileges necessary for them to perform their tasks.

Privileged functions

When we mention privileged functions, we sometimes refer to superuser or administrative user IDs that have the ability to perform all available functions on a system. In this regard, access to privileged functions must be reserved for only those persons whose responsibilities include the management of those systems. Developers, users, and others shouldn’t have access to privileged functions.

But the term privileged functions has its place in the Application Layer, as well. In a financial application, for instance, you might consider the function of approving payments or printing checks as privileged functions. Privileged functions don’t just refer to root (on UNIX) or Administrator (on Windows).

Privacy

Talk about a hot topic. Privacy has become the buzzword of the new millennium and the subject of new laws in many states and countries.

Organizations must use caution when collecting and storing personal or private information from employees, partners, and customers. Each item of personal or private information should only be collected when a true business need to do so exists. Further, although a justifiable reason may exist to collect and use this information, an organization must also justify keeping the information as well as justifying every possible subsequent use of the information after it’s stored.

Another issue is data aggregation. Aggregation occurs when organizations piece together bits and pieces of personal data from various sources, resulting in profiles on people that contain enough to easily perpetrate identity theft.

Accumulation of privileges

In larger organizations, people tend to transfer from job to job or department to department. Along the way, they’ll need new access and privileges to do their new jobs. Rarely, however, will access they no longer require actually be taken away. Instead, they accumulate privileges, and over a period of many years an employee can have far more access and privileges than they need. We call this accumulation of privileges, and it’s a real problem in these days of data security regulation, where auditors are sniffing around in our basements and attics looking for reasons to write us up. Auditors love to discover and expose employees who have access to lots and lots of things they don’t need.
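The privilege-creep problem described here, and the least-privilege and need-to-know principles earlier in the section, are the kind of thing an access review can catch mechanically. The following is an added example, not code from the book: it assumes a hypothetical role-to-entitlement baseline and a small constructed user population, and flags every granted entitlement the user’s current role does not need, noting which former role (if any) explains the leftover.

```python
"""Privilege-accumulation audit: added example, not code from the book.

Assumed model: each role has a baseline of the entitlements the job needs
(least privilege for functions, need-to-know for data). Each user carries the
entitlements actually granted and the roles they held before. Every granted
entitlement the current role does not need is a finding, annotated with the
former role that explains it, so a reviewer can separate classic privilege
creep from transfers from grants with no known origin."""
from dataclasses import dataclass

# Constructed role baselines (hypothetical entitlement names).
ROLE_BASELINE = {
    "help_desk": {"ticketing.read", "ticketing.write", "ad.password_reset"},
    "print_operator": {"print.queue.manage"},
    "payroll_clerk": {"payroll.read", "payroll.write"},
    "payroll_manager": {"payroll.read", "payroll.write", "payroll.approve"},
}


@dataclass
class User:
    name: str
    current_role: str
    former_roles: list        # roles previously held, oldest first
    granted: set              # entitlements actually present in the directory


@dataclass
class Finding:
    user: str
    entitlement: str
    explained_by: str         # former role that needed it, or "unknown"


def audit_user(user: User) -> list:
    """Return one Finding per entitlement the user's current role does not need."""
    needed = ROLE_BASELINE[user.current_role]
    findings = []
    for entitlement in sorted(user.granted - needed):
        origin = "unknown"
        for role in user.former_roles:
            if entitlement in ROLE_BASELINE.get(role, set()):
                origin = role
                break
        findings.append(Finding(user.name, entitlement, origin))
    return findings


def audit_all(users: dict) -> dict:
    """Map user name -> findings, omitting users with nothing to report."""
    report = {}
    for name, user in users.items():
        findings = audit_user(user)
        if findings:
            report[name] = findings
    return report


# Constructed sample population.
USERS = {
    # Moved help desk -> payroll clerk -> payroll manager; help desk rights never revoked.
    "alice": User("alice", "payroll_manager", ["help_desk", "payroll_clerk"],
                  {"ticketing.read", "ticketing.write", "ad.password_reset",
                   "payroll.read", "payroll.write", "payroll.approve"}),
    # Print operator who was handed a root shell instead of a scoped grant.
    "bob": User("bob", "print_operator", [], {"print.queue.manage", "root.shell"}),
    # Exactly the baseline: nothing to report.
    "carol": User("carol", "help_desk", [],
                  {"ticketing.read", "ticketing.write", "ad.password_reset"}),
}

if __name__ == "__main__":
    for name, findings in audit_all(USERS).items():
        for f in findings:
            print(f"{name}: {f.entitlement} not needed by current role "
                  f"(explained by: {f.explained_by})")
```

Findings with a known former role are the transfer leftovers the text describes and can usually be revoked on sight; an entitlement with no role in the user’s history that ever needed it (bob’s root shell above) deserves a question about who granted it and why.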


 Remember   Security is now the law

In the good old days (often we strain to recall what was good about them), data security was a good idea, and it was more difficult to sell data security as an activity that an organization should invest resources in. Today, organizations are required by law to protect information. A few of the more prominent U.S. data security laws are the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Financial Services Modernization Act (GLBA), the Federal Information Security Management Act (FISMA), the Digital Millennium Copyright Act (DMCA), and section 404 of the Sarbanes-Oxley Act. Many U.S. states have enacted privacy laws, most notably California’s SB 1386. In Europe, Directive 95/46/EC regulates the processing of personal information. Many other countries have passed laws regulating the protection, use, and flow of information.


The primary consideration when handling private information is the scourge of identity theft cases. In the United States alone, well over 1,000,000 cases of identity theft are reported each year.

 Instant Answer   One of the primary privacy concerns is the increase in the incidents of identity theft.

Data aggregation is the act of combining data from several sources in order to construct more complete profiles on individuals or objects.

Legal requirements

An organization may be bound by national, state, or local ordinances to perform certain functions to protect privacy and ensure security. In fact, ordinances can be so detailed that they specify particular methods for collecting data, storing data, and using collected information.

Illegal activities

Most organizations need to have a fraud detection capability to ensure that employees and customers aren’t trying to cheat the organization out of goods, services, or cash. A fraud detection system analyzes transactions and provides a list of possibly fraudulent transactions that can be reviewed by security and systems professionals within the organization.

Organizations also need to examine their business processes and the roles and responsibilities of key personnel as they execute those processes. Among other things, business processes should make it difficult for employees to defraud the organization through collusion - it should be as difficult as possible for employees to work together for their illicit personal gain.
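The fraud detection capability just described, producing a review list rather than taking action on its own, and the separation-of-duties point about collusion can be shown together in a small transaction screen. This is an added example, not code from the book: the transactions are constructed, the approval limit and the three heuristics are assumptions chosen for illustration, and real systems would add many more rules.

```python
"""Transaction screening for possible fraud: added example, not from the book.

Assumed data: a list of payment transactions, each with a requester, an
approver, a payee and an amount. Three constructed heuristics are applied;
anything they hit goes on a review list for a person to examine:
  - self_approval: requester and approver are the same person, a
    separation-of-duties failure (no collusion needed to defraud);
  - near_threshold: amount sits just below the approval limit at which a
    second signature would be required;
  - repeated_pair_same_payee: the same requester/approver pair keeps routing
    payments to the same payee, a pattern worth asking about when two people
    may be working together."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Txn:
    txn_id: str
    requester: str
    approver: str
    payee: str
    amount: float


def screen_transactions(txns, approval_limit=10_000.0,
                        near_fraction=0.95, pair_limit=3):
    """Return [(txn_id, [reasons...])] for every transaction at least one rule hits."""
    pair_counts = Counter((t.requester, t.approver, t.payee) for t in txns)
    flagged = []
    for t in txns:
        reasons = []
        if t.requester == t.approver:
            reasons.append("self_approval")
        if near_fraction * approval_limit <= t.amount < approval_limit:
            reasons.append("near_threshold")
        if pair_counts[(t.requester, t.approver, t.payee)] >= pair_limit:
            reasons.append("repeated_pair_same_payee")
        if reasons:
            flagged.append((t.txn_id, reasons))
    return flagged


# Constructed sample transactions (names, payees and amounts are made up).
TXNS = [
    Txn("T1", "alice", "bob", "Acme Ltd", 4_900.00),
    Txn("T2", "carol", "carol", "Globex", 1_200.00),    # approves her own request
    Txn("T3", "dave", "erin", "Vendor X", 9_950.00),    # three payments just under the
    Txn("T4", "dave", "erin", "Vendor X", 9_900.00),    # limit, same pair, same payee
    Txn("T5", "dave", "erin", "Vendor X", 9_975.00),
    Txn("T6", "frank", "grace", "Initech", 300.00),
]

if __name__ == "__main__":
    for txn_id, reasons in screen_transactions(TXNS):
        print(f"{txn_id}: review ({', '.join(reasons)})")
```

The output is a list for security and systems staff to review, as the text describes; none of these rules proves fraud, and the thresholds should be tuned to the organization’s own approval policy so that legitimate activity does not swamp the reviewers.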

Record retention

Organizations are bound by law to collect and store certain pieces of information, as well as to keep it for specified periods of time. An organization must be aware of legal requirements and ensure that it’s in compliance with all applicable regulatory bodies.

Organizations that want to retain information longer than required by law should firmly establish why such information should be kept longer. Nowadays, just having information can be thought of as a liability, given all the laws governing security and privacy.

Handling sensitive information

Sensitive information such as financial records, employee data, and information about customers must be handled according to these guidelines:

  •  Instant Answer   Marking: This refers to the words that must appear on documents containing sensitive information. An example marking might read “Company confidential, handle according to instructions.”

  • Handling: The organization should have established procedures for the handling of marked documents. These procedures detail how such documents may be transported, faxed, e-mailed, and sent over networks.

  • Storage: Similar to the handling guideline, the organization must have procedures and requirements specifying how marked information must be stored.

  • Destruction: Sooner or later, a document with sensitive information must be destroyed. The organization must have procedures detailing how to destroy sensitive information that is retained, regardless of whether the data is in a hard copy format or is saved as an electronic file.

Remote access

Mature technology exists today that provides the capability for employees to remotely access applications and data from any location outside of the organization’s building(s). Remote access is a powerful capability that improves productivity by permitting employees to keep working even when they are traveling or home with a sick child.

The sword cuts both ways, however. Remote access bypasses physical security controls such as key cards and metal keys. Hackers who obtain the secrets necessary to remotely access a company’s network can cause considerable trouble for the organization.




CISSP For Dummies
ISBN: 0470537914
Year: 2004
Pages: 242