Security School for CISSP Training: Domain Spotlight on operations security

The operations department has responsibilities that pertain to everything that takes place to keep a network, computer system, applications and environment up and running in a secure and protected manner. Domain 10 of the Common Body of Knowledge addresses the process of understanding these operations from a competitor's/enemy's/hacker's viewpoint and then developing and applying countermeasures to mitigate identified threats.

Security School: Training for CISSP® Certification

[Return to Lesson/Domain 10 home page.]
[Register for Lesson/Domain 10 webcast on operations security.]
[Return to the Security School for CISSP® Training table of contents.]

The operations department has responsibilities that pertain to everything that takes place to keep a network, computer system, applications and environment up and running in a secure and protected manner. After the network is setup is when operations kicks in, which includes the continual day-to-day maintenance of an environment. These activities are routine in nature and enable the environment, systems and applications to continue to run correctly and securely.

Operation security is the process of understanding these operations from a competitor's/enemy's/hacker's viewpoint and then developing and applying countermeasures to mitigate identified threats. A company cannot provide any level of protection for itself unless it is providing the necessary operation security methodologies, technologies and procedures. This domain covers:

  • Operations personnel
  • Configuration management
  • Media access protection
  • System recovery
  • Facsimile security
  • Vulnerability and penetration testing
  • Attack types

Network operations and systems managers have a daunting task. Not only must they assure that that their company can access what it needs to run on a daily basis, they must plan for capacity growth to anticipate performance bottlenecks, as well as service development and organizational testing. They also need to identify cost-effective technology solutions, and lobby for budget and resources in political atmospheres that too often relegates them to the status of "plumber." Organizations are beginning to understand that without a sound infrastructure, their business will not run.

Operations within a computing environment can pertain to software, personnel and hardware, but an operations department often focuses on the hardware and software aspects. Management is responsible for employees' behavior and responsibilities. The people within the operations department are responsible for ensuring that systems are protected and that they continue to run in a predictable manner.

The operations department usually has the objectives of preventing reoccurring problems, reducing hardware failures to an acceptable level, and reducing the impact of hardware failure or disruption. This group should investigate any unusual or unexplained occurrences, unscheduled initial program loads, deviations from standards, or other odd or abnormal conditions that take place on the network.

The concept of separation of duties, covered at length in Domain 1, is paramount to protecting companies from administrator misuse. Allocating parts of critical infrastructure tasks to several members of an operations team insures that no one person has the opportunity for wrongdoing that could go unnoticed. Separation of duties also extends to the managers themselves. No administrator should be responsible for tactical execution on the systems they are responsible for monitoring and assuring. Periodic job rotation is also a good strategy for detecting wrongdoers' activities. Operational management is additionally responsible for setting the levels of security access to different systems, applications and services. In every case, the rule of least privilege should apply, whenever possible. Operations management should depend heavily on information from business divisions as to the functional priority of systems, the value of their data, and who has a need to know. Too often, the quality of this information is poor -- or not forthcoming at all -- forcing the administrator to make a best guess as to the security level that should be applied.

Security professionals and administrators are accountable for the proper control of system and resource use. Robust logging creates a solid baseline history of system use and network performance against which unexpected changes can be compared. Logging is also necessary to ensure traceability to the source of system problems or deliberate hacks. Many companies do robust logging, but fail to review logs. Log parser tools are considered essential for limiting the amount of information presented to an administrator during review, making the reviewing task time efficient. Regular log review can reveal unauthorized access to information, repetitive mistakes requiring further user training, whether security controls are working and that access levels are appropriate.

Operational activities
Operations personnel do most of the hands-on work of securing the enterprise and ensure data availability. For instance, they must ensure the proper securing of backup media and the proper disposal or recycled systems and devices. As a set of full backup tapes essentially represents the complete intellectual property of the company, losing control over this media can be very serious. Residual data left on discarded systems and media also poses some degree of risk, and operations personnel should understand if degaussing, zeroization, or physical destruction is necessary.

Operations personnel should conduct an operational assurance assessment to determine if the architecture of the product, and its embedded features and functions will solve the business problem without compromising the infrastructure and security protections. They may also conduct a life cycle assurance assessment -- inspecting the specifications and documentation to determine that the product was built well, and conforms to enterprise quality and security standards. In the rush to solve a business problem, companies sometimes breeze past the product evaluation stage or ignore operational recommendations and concerns, only to discover the solution does not integrate well with existing technology or provides inadequate security. This may not seem very important, until we remember that security is only as strong as its weakest link. A solution vulnerable to security attacks weakens every other system it is interfaced with. Purchasing outside solutions, or employing internal ones without due diligence to security is a common and serious problem, and operations personnel must be diligent and precise in their evaluations to impress upon management the potential serious consequences of a poor investment decision.

The best way to think about a network is as one big distributed system. A change in one part of the system can have unexpected results in another. You would want to have a way to back out of a change to a known good state, should unexpected problems occur. Therefore, a managed process must be in place to control changes to environments, and every change should be meticulously recorded, so that changes can be rolled back easily if problems occur.

While a functional change might not seem to have any residual effects, security levels can be inadvertently compromised. Operations personnel are responsible for ensuring the proper testing of changes to ensure that not only does the functional change work, but that security levels within the affected system, as well as those of interfacing systems have not been degraded as a result. Operations personnel must also plan and test for system recovery, as it is during failure modes that security controls built into systems could be rendered ineffective. Operations personnel should additionally engage in application monitoring. Automated tools can help discover anomalies in the use of systems and network resources that can indicate wrongdoing, or a problem that could result in security vulnerability. There are many network appliances and utilities available that help simplify this task.

A prevalent vector for malware entry tends to be e-mail. E-mail is the way the corporation communicates both inside and outside the corporate perimeter Security professionals must understand how e-mail systems and common protocols such as SMTP, POP and IMAP work.

In short, every device connected to the network, whether inward or outward facing, whether used in business, or simply used in system administration, poses some level of security threat to organizations. Each must be evaluated and controlled.

Hacking and countermeasures
The volume of network attacks is growing every day, in part because of the proliferation of free tools that can be used by anyone who has even a little knowledge. Most good operations personnel have shored up their perimeters with firewalls and DMZs, and can recognize most types of common attacks when they are happening. "Hardening" systems can reduce non-essential functions and ports that could be used as attack channels. Some administrators will apply TCP wrappers or network sniffers to monitor traffic in and out of the perimeter, while others will apply sophisticated vulnerability scanning tools that map networks and test devices and systems for known vulnerabilities. All of these are good approaches for detecting possible attacks. Sadly, some security failures cannot be recognized in real time by any of these measures.

There are several ways that information can become available to others for whom it was not intended, which can bring about unfavorable results. Sometimes this is done intentionally, but it can also be done unintentionally. Information can be disclosed unintentionally when one falls prey to attacks that specialize in social engineering, covert channels, malicious code and electrical airwave sniffing.

Keystroke monitoring is a process whereby computer system administrators view or record both the keystrokes entered by a computer user and the computer's response during a user-to- computer session. Examples of keystroke monitoring would include viewing characters when typed by users, reading users' electronic mail and viewing other recorded information typed by users. Some forms of routine system maintenance record user keystrokes; this could constitute keystroke monitoring if the keystrokes are preserved along with the user identification such that an administrator can determine the keystrokes entered by specific users.

These are just a few things that operations security personnel must understand, implement, and keep track of to ensure that the network, and components within it, is properly secured. Although information security encompasses a lot more than technology, technology is still a huge component that must be properly controlled.

[Return to Lesson/Domain 10 home page.]
[Register for Lesson/Domain 10 webcast on operations security.]
[Return to the Security School for CISSP® Training table of contents.]

CISSP® is a registered certification mark of the International Information Systems Security Certification Consortium, Inc., also known as ISC(2).

Read more on IT risk management