7/23/2019 CISSP - 2 Operations Security
http://slidepdf.com/reader/full/cissp-2-operations-security 1/74
Operations Security
Agenda
• What is Operations Security?
• Key Operational Procedures and Controls
• Penetration Testing and Vulnerability Assessments
• Intrusion Detection
• Common Attacks and Methodology
What is Operations Security?
Operations Security vs. Security Operations. Per ISC2, “Operations Security is primarily concerned with the protection and control of information processing assets in centralized and distributed environments. Security Operations are primarily concerned with the daily tasks required to keep security services operating reliably and efficiently. Operations security is a quality of other services. Security operations is a service in its own right.”
• Activities that occur after the network is designed and implemented
• Routine in nature
• Relies on proper monitoring and reporting to ensure that as threats evolve, so does the network defense
• Part of due care and due diligence
General Information Security Principles
• Simplicity
• Fail-Safe
• Complete
• Open Design
• Separation of Privilege
• Psychological Acceptability
• Layered Defense
• Incident Recording
Control Mechanisms
• Protect information and resources from unauthorized disclosure, modification, and destruction
• Main types of mechanisms: Physical, Administrative, Technical
General Control Layers
• Administrative Controls
  - Development of policies, standards, and procedures
  - Screening personnel, security awareness training, monitoring system and network activity, and change control
• Technical Controls
  - Logical mechanisms that provide password and resource management, identification and authentication, and software configurations
• Physical Controls
  - Protecting individual systems, the network, employees, and the facility from physical damage
Access Control Functions
• Preventative: controls used to prevent undesirable events from taking place
• Detective: controls used to identify undesirable events that have occurred
• Corrective: controls used to correct the effects of undesirable events
• Deterrent: controls used to discourage security violations
• Recovery: controls used to restore resources and capabilities
• Compensation: controls used to provide alternative solutions
Key Operational Procedures and Controls
• Fault Management
• Configuration Management
• System Hardening
• Change Control
• Trusted Recovery
• Media Management
• Identity and Access Management
• Monitoring
• Security Auditing and Reviews
Fault Management
• Spares
• Redundant Servers
• UPS
• Clustering
• RAID
• Shadowing, Remote Journaling, Electronic Vaulting
• Backups
• Redundancy of Staff
Spares
• Redundant hardware
• Available in the event that the primary device becomes unusable
• Often associated with hard drives
• Hot, warm and cold swappable devices
• SLAs
• MTBF and MTTR
Example device specifications shown on the slide:
  - Mean time between failure = 650 days; Mean time to repair = 12 hours
  - Mean time between failure = 785 days; Mean time to repair = 16 hours
  - Mean time between failure = 652 days; Mean time to repair = 24 hours
RAID
• RAID-0: Disk striping provides no redundancy or fault tolerance but provides performance improvements for read/write functions
• RAID-1: Disk mirroring provides redundancy but is often considered to be the least efficient usage of space
• RAID-5: Disk striping with parity: fault tolerance and speed
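As an added worked example (not from the slide deck), the standard availability formula A = MTBF / (MTBF + MTTR) applied to the three device specifications on the Spares slide, then composed for the RAID levels above: RAID-0 is up only while every disk is up, a two-disk RAID-1 mirror is down only when both disks are down, and RAID-5 survives at most one failed disk. Independent disk failures and steady-state operation are assumptions of the example; the device names are constructed labels.

```python
# Added example (not from the slide deck): availability from MTBF/MTTR
# and how it composes across the RAID levels described above.
# Assumes disk failures are independent and steady-state conditions hold.
HOURS_PER_YEAR = 24 * 365

# The three device specifications listed on the Spares slide (MTBF in days, MTTR in hours);
# the device names are constructed labels
SPARES_SLIDE_DEVICES = {
    "device-A": (650, 12),
    "device-B": (785, 16),
    "device-C": (652, 24),
}


def availability(mtbf_hours: float, mttr_hours: float) -> float:
    """Steady-state availability of one repairable unit: MTBF / (MTBF + MTTR)."""
    return mtbf_hours / (mtbf_hours + mttr_hours)


def annual_downtime_hours(a: float) -> float:
    """Expected unavailable hours per year for availability a."""
    return (1.0 - a) * HOURS_PER_YEAR


def raid0_availability(a: float, disks: int) -> float:
    """RAID-0 striping: the array is up only while every disk is up (no fault tolerance),
    so availability falls as disks are added."""
    return a ** disks


def raid1_availability(a: float) -> float:
    """RAID-1 mirror of two disks: down only when both disks are down at the same time."""
    return 1.0 - (1.0 - a) ** 2


def raid5_availability(a: float, disks: int) -> float:
    """RAID-5 with one parity stripe: survives at most one failed disk.
    P(all up) + P(exactly one down) for `disks` independent disks (disks >= 3)."""
    if disks < 3:
        raise ValueError("RAID-5 needs at least three disks")
    return a ** disks + disks * (1.0 - a) * a ** (disks - 1)


def device_report(devices=SPARES_SLIDE_DEVICES) -> dict:
    """Availability and expected annual downtime per device, MTBF converted to hours."""
    report = {}
    for name, (mtbf_days, mttr_hours) in devices.items():
        a = availability(mtbf_days * 24, mttr_hours)
        report[name] = {"availability": a, "downtime_hours_per_year": annual_downtime_hours(a)}
    return report


if __name__ == "__main__":
    for name, r in device_report().items():
        print(f"{name}: A={r['availability']:.6f}, ~{r['downtime_hours_per_year']:.2f} h/yr down")
    a = availability(650 * 24, 12)
    print(f"RAID-0 (2 disks): {raid0_availability(a, 2):.8f}")
    print(f"RAID-1 (2 disks): {raid1_availability(a):.8f}")
    print(f"RAID-5 (3 disks): {raid5_availability(a, 3):.8f}")
```

The ordering the numbers produce is the one the slide states in words: striping lowers availability below a single disk, mirroring raises it the most, and parity sits in between because a three-disk RAID-5 fails whenever any two disks are down.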
Redundant Servers
• Primary server mirrors data to secondary server
• If primary fails it rolls over to secondary
• Server fault tolerance
Clustering
• Group of servers that are managed as a single system
• Higher availability, greater scalability, easier to manage instead of individual systems
• May provide redundancy, load balancing, or both: Active/Active, Active/Passive
• Cluster looks like a single server to the user
• Server farm
Uninterruptible Power Supply
Issues to Consider
• Size of load UPS can support
• How long it can support this load (battery duration)
• Speed the UPS takes on the load when the primary power source fails
• Physical space required
Desirable Features
• Long battery life
• Remote diagnostic software
• Surge protection and line conditioning
• EMI/RFI filters to prevent data errors caused by electrical noise
• High MTBF values
• Allow for automatic shutdown of system
Backups
• Backing up software and having backup hardware is a large part of network availability
• It is important to be able to restore data:
  - If a hard drive fails
  - A disaster takes place
  - Some type of software corruption
Backups
• Full backup: Archive Bit is reset
• Incremental backup: Backs up all files that have been modified since last backup; Archive Bit is reset
• Differential backup: Backs up all files that have been modified since last full backup; Archive Bit is not reset
• Copy backup: Same as full backup, but Archive Bit is not reset; use before upgrades or system maintenance
Backups
Three weekly schedules and the backups needed to recover after a server crash on Thursday:

  Sunday  Monday  Tuesday  Wednesday  Thursday       Backups needed to recover
  Full    Inc     Inc      Inc        Server Crash   Full(s) + Inc(m,t,w)
  Full    Diff    Diff     Diff       Server Crash   Full(s) + Diff(w)
  Full    Full    Full     Full       Server Crash   Full(w)
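The archive-bit rules on the previous slide and the three recovery rows in the table above, as an added simulation that is not part of the slide deck. It tracks a version number and an archive bit per file, runs a Sunday full backup followed by three daily backups of one kind, and derives which backups a Thursday restore needs. The file names, the edits made on each day and the three-letter day labels are constructed.

```python
# Added example (not from the slide deck): a small simulation of the archive bit
# under full, incremental, differential and copy backups, reproducing the three
# recovery rows in the table above. File names, versions and days are constructed.
from dataclasses import dataclass


@dataclass
class Backup:
    kind: str    # "full", "incremental", "differential" or "copy"
    day: str
    files: dict  # file name -> version number captured in this backup


class FileSystem:
    """Tracks a version counter and an archive bit per file."""

    def __init__(self, files):
        self.version = {f: 0 for f in files}
        self.archive_bit = {f: True for f in files}   # new files start "not yet backed up"
        self.history = []

    def modify(self, *files):
        for f in files:
            self.version[f] += 1
            self.archive_bit[f] = True                 # any write sets the bit

    def backup(self, kind, day):
        if kind in ("full", "copy"):
            selected = list(self.version)              # everything
        elif kind in ("incremental", "differential"):
            selected = [f for f, bit in self.archive_bit.items() if bit]
        else:
            raise ValueError(f"unknown backup type: {kind}")
        captured = {f: self.version[f] for f in selected}
        if kind in ("full", "incremental"):            # only these reset the bit
            for f in selected:
                self.archive_bit[f] = False
        b = Backup(kind, day, captured)
        self.history.append(b)
        return b


def restore_chain(history):
    """Backups needed, oldest first: the latest full, every incremental after it,
    and only the latest differential after it. Copy backups are one-off snapshots
    outside the rotation and are not used."""
    chain, diff_taken = [], False
    for b in reversed(history):
        if b.kind == "full":
            chain.append(b)
            break
        if b.kind == "incremental":
            chain.append(b)
        elif b.kind == "differential" and not diff_taken:
            chain.append(b)
            diff_taken = True
    chain.reverse()
    return chain


def restore(chain):
    """Apply the chain in order; later backups overwrite earlier versions."""
    state = {}
    for b in chain:
        state.update(b.files)
    return state


def week_scenario(daily_kind):
    """Full on Sunday, `daily_kind` Mon-Wed, crash on Thursday.
    Returns (true state before the crash, labels of the backups needed)."""
    fs = FileSystem(["a", "b", "c"])
    fs.backup("full", "Sun")
    fs.modify("a")
    fs.backup(daily_kind, "Mon")
    fs.modify("b")
    fs.backup(daily_kind, "Tue")
    fs.modify("a")
    fs.backup(daily_kind, "Wed")
    chain = restore_chain(fs.history)       # Thursday: server crash
    assert restore(chain) == fs.version     # the chain really rebuilds the last state
    return dict(fs.version), [f"{b.kind}({b.day})" for b in chain]


if __name__ == "__main__":
    for kind in ("incremental", "differential", "full"):
        print(kind, "->", week_scenario(kind)[1])
```

The trade-off the table illustrates falls out of the bit handling: incrementals reset the bit, so each one is small but all of them are needed; differentials leave the bit set, so each one grows through the week but only the last is needed at restore time.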
Backup Issues
• Critical data needs to be identified for backups
• Media Rotation Scheme: Grandfather, Father, Son; Tower of Hanoi
• Backup schedule needs to be developed
• If restoring a backup after a compromise, ensure that the backup material does not contain the same vulnerabilities that were exploited
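The two media rotation schemes named above, as an added example that is not from the slide deck: each is written as a function that says which tape a given day's backup goes to. The tape labels, the five-day backup week and the rule that the last Friday of the month is the monthly tape are conventions constructed for the example, not a standard the deck defines.

```python
# Added example (not from the slide deck): two media-rotation schemes named on this slide,
# expressed as functions that say which tape a given day's backup goes to.
# The labels, the five-day week and the "last Friday = monthly tape" rule are constructed
# conventions for the example, not a standard the deck defines.
from datetime import date, timedelta

TAPE_LABELS = "ABCDEFGH"   # supports up to eight Tower of Hanoi tapes in this example


def hanoi_tape(day: int, tapes: int) -> int:
    """Tower of Hanoi rotation. Day numbers start at 1. Tape 0 is used every other day,
    tape 1 every 4th day, tape 2 every 8th day, ... and the last tape takes the remaining
    days, so tape k holds a copy that is at most 2**(k+1) days old."""
    if day < 1 or not 1 <= tapes <= len(TAPE_LABELS):
        raise ValueError("day >= 1 and 1 <= tapes <= 8 required")
    lowest_set_bit = (day & -day).bit_length() - 1   # how many times 2 divides the day number
    return min(lowest_set_bit, tapes - 1)


def hanoi_schedule(days: int, tapes: int) -> list:
    """Tape label for each day 1..days."""
    return [TAPE_LABELS[hanoi_tape(d, tapes)] for d in range(1, days + 1)]


def gfs_tape(day: date) -> str:
    """Grandfather-Father-Son rotation for a five-day week:
    Mon-Thu -> a 'son' tape reused every week, Friday -> a 'father' tape reused
    every month, last Friday of the month -> a 'grandfather' tape kept long term."""
    weekday = day.weekday()            # Monday == 0
    if weekday < 4:
        return f"Son-{day.strftime('%a')}"
    if weekday == 4:
        if (day + timedelta(days=7)).month != day.month:
            return f"Grandfather-{day.strftime('%b')}"
        return f"Father-{(day.day - 1) // 7 + 1}"
    return "none"                      # no backup on the weekend in this schedule


def gfs_label(year: int, month: int, day: int) -> str:
    """Convenience wrapper around gfs_tape for a calendar date."""
    return gfs_tape(date(year, month, day))


def tapes_in_use(start: date, days: int) -> set:
    """Distinct tape labels a GFS schedule touches over `days` days from `start`."""
    return {gfs_tape(start + timedelta(days=i)) for i in range(days)} - {"none"}


if __name__ == "__main__":
    print("Hanoi, 4 tapes, 16 days:", "".join(hanoi_schedule(16, 4)))
    for i in range(5):
        d = date(2024, 1, 22) + timedelta(days=i)
        print(d, gfs_tape(d))
```

Tower of Hanoi gives a long retention window from few tapes at the cost of a non-obvious pattern (hence it is usually automated), while Grandfather-Father-Son is easy for an operator to follow by hand and lines up with the weekly/monthly/yearly retention most policies are written in.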
Redundancy of Staff
• Eliminate Single Point of Failure
• Cross Training
• Job Rotation
• Mandatory Vacations
• Training and Education
Configuration Management
• Defined by ISC2 as “a process of identifying and documenting hardware components, software and the associated settings.”
• The goal is to move beyond the original design to a hardened, operationally sound configuration
• Identifying, controlling, accounting for and auditing changes made to the baseline TCB
• These changes come about as we perform system hardening tasks to secure a system
• Will control changes and test documentation through the operational life cycle of a system
• Implemented hand in hand with change control
• ESSENTIAL to Disaster Recovery
Configuration Management Documentation
• Make
• Model
• MAC address
• Serial number
• Operating System/Firmware version
• Location
• BIOS or other passwords
• Permanent IP if applicable
• Organizational department label
System Hardening / Baselining
• Removing unnecessary services
• Installing the latest service packs and patches
• Renaming default accounts
• Changing default settings
• Enabling security configurations like auditing, firewalls, updates, etc.
• Don't forget physical security!
Change Management
• Directive, administrative control that should be incorporated into organizational policy
• The formal review of all proposed changes: no “on-the-fly” changes
• Only approved changes will be implemented
• The ultimate goal is system stability
• Periodic reassessment of the environment to evaluate the need for upgrades/modifications
The Change Management Process
1. Request Submittal
2. Risk/Impact Assessment
3. Approval or Rejection of Change
4. Testing
5. Scheduling/User Notification/Training
6. Implementation
7. Validation
8. Documentation
Patch Management
• An essential part of Configuration and Change Management
• May come as a result of vendor notification or pen testing
• cve.mitre.org (Common Vulnerability and Exposures database): provides standard conventions for known vulnerabilities
• nvd.nist.gov: Enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security related software flaws, incorrect configurations, product names, and impact metrics
• www.cert.gov: Online resource concerning common vulnerabilities and attacks
Trusted Recovery
• System reboot, emergency system restart, system cold start
• No compromise of protection mechanisms or possibility of bypassing them
• Preparing system for failure and recovering the system
• Failure of system cannot be used to breach security
Media Management
• Production Libraries: Holds software used in production environment
• Programmer Libraries: Holds work in progress
• Source Code Libraries: Holds source code and should be escrowed
• Media Library: Hardware centrally controlled
Controlling Access to Media - Librarian
• Librarian to control access
• Log who takes what materials out and when
• Materials should be properly labeled
• Media must be properly sanitized when necessary
  - Zeroization (Previous DoD standards required seven wipes. Currently, only one is required.)
  - Degaussing (Only good for magnetic media). Coercivity: amount of energy required to reduce the magnetic field to zero
  - Physical destruction (The best means of removing remnants.)
Identity and Access Management
• Identity Management: Controls the life cycle for all accounts in a system
• Access Management: Controls the assignment of rights/privileges to those accounts
• Per ISC2, Identity and Access Management solutions “focus on harmonizing the provisioning of users and managing their access across multiple systems with different native access control systems”.
Security Auditing and Reviews
• Security Review: Conducted by system maintenance or security personnel. Goal is to determine vulnerabilities within a system. Also known as a vulnerability assessment.
• Security Audit: Conducted by 3rd party. Determines the degree to which required controls are implemented.
Security Assessments
Security Reviews, Vulnerability Assessments and Penetration Testing
• Vulnerability Assessment: Physical / Administrative / Logical; identify weaknesses
• Penetration Testing: Ethical hacking to validate discovered weaknesses
• Red Teams (Attack) / Blue Teams (Defend)
• NIST SP 800-42 Guideline on Security Testing
Degree of Knowledge
• Zero Knowledge (Black Box Testing): Team has no knowledge of the target and must start with only information that is publicly available. This simulates an external attack.
• Partial Knowledge: The team has limited knowledge of the organization.
• Full Knowledge: This simulates an internal attack. The team has full knowledge of network operations.
Overt or Covert Testing?
• Blind
• Double Blind
• Targeted
Attack Methodology
Test Attacks 1 of 2
1. Reconnaissance: WhoIs Database, Company Website, Job Search Engines, Social Networking
2. Footprinting: Mapping the network (Nmap), ICMP ping sweeps, DNS zone transfers
3. Fingerprinting: Identifying host information; Port scanning
4. Vulnerability assessment: Identifying weaknesses in system configurations; Discovering unpatched software
+esting Guidelines
Why Test? ,is analysis
Certi2cation
Accreditation
Security architectures
Policy de"elopment
De"elop a cohesi"e. &ell0planned. andoperational security testing program
More reasons to perform testing
• Responsible approach to overall security
• Boost company's position in marketplace
Why do these tests work?
• Lack of awareness
• Policies not enforced
• Procedures not followed
• Disjointed operations between departments
• Systems not patched
Penetration Testing Goals
• Check for unauthorized hosts connected to the organization's network
• Identify vulnerable services
• Identify deviations from the allowed services defined in the organization's security policy
• Assist in the configuration of the intrusion detection system (IDS)
• Collect forensics evidence
Penetration Testing Issues
• Three basic requirements:
  - Defined goal, which should be clearly documented
  - Limited timeline outlined
  - Approved by senior management; only management should approve this type of activity
• Issue: it could disrupt productivity and systems
• Overall purpose is to determine the subject's ability to withstand an attack and determine the effectiveness of current security measures
• Tester should determine effectiveness of safeguards and identify areas of improvement. ****TESTER SHOULD NOT BE THE ONE SUGGESTING REMEDIATION. THIS VIOLATES SEPARATION OF DUTIES****
Roles and Responsibilities
• Approval for the tests may need to come from as high as the CIO
• Customary for the testing organization to alert other security officers, management, and users
• Avoid confusion and unnecessary expense
• In some cases, it may be wise to alert local law enforcement officials
Rules of Engagement
• Specific IP addresses/ranges to be tested
• Any restricted hosts
• A list of acceptable testing techniques
• Times when testing is to be conducted
• Points of contact for the penetration testing team, the targeted systems, and the networks
• Measures to prevent law enforcement being called with false alarms
• Handling of information collected by the penetration testing team
Types of Penetration Tests
• Physical Security: Access into building or department; Wiring closets, locked file cabinets, offices, server room, sensitive areas; Remove materials from building
• Administrative Security: Help desk giving out sensitive information, data on disposed disks
• Logical Security: Attacks on systems, networks, communication
Approaches to Testing
• Do not rely on a single method of attack; get creative
• Path of least resistance: start with users; social engineering is often the easiest way to gain access
• Break the rules: even if a company follows its own policy, standards and procedures, it does not mean that there are not vulnerabilities
• Attempt things not expected
Approaches to Testing
• Do not rely exclusively on high-tech tools: dumpster diving
• Stealth methods may be required
• Do not damage systems or data
• Do not overlook small weaknesses in the search for the big ones
• Have a toolkit of techniques
Network Scanning
• List of all active hosts
• Network services: ICMP
• UDP & TCP port scanner: Nmap
• Finger Printing
• Banner Grabbing
Vulnerability Scanning
• Identifying:
  - Active hosts on network
  - Active and vulnerable services (ports) on hosts
  - Applications
  - Operating systems
  - Vulnerabilities associated with discovered OS & applications
  - Misconfigured settings
• Testing compliance with host application usage/security policies
• Establishing a foundation for penetration testing
Password Cracking
• Goal is to identify weak passwords
• Passwords are generally stored and transmitted as a hash (a one-way transformation) rather than in the clear
• Password cracking requires captured password hashes
  - Hashes can be intercepted
  - Can be retrieved from the targeted system
Password Cracking Techniques
• Dictionary attack
• Brute force
• Hybrid attack
• LanMan password hashes
• Theoretically all passwords are “crackable”
• Rainbow tables
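Why the dictionary and rainbow-table techniques on this slide work against an unsalted fast hash, and what storage format resists them, as an added example that is not from the slide deck. The precomputed table stands in for a rainbow table (the real structure is chained and compressed, but the lookup semantics are the same); the wordlist, user names and stored hashes are constructed.

```python
# Added example (not from the slide deck): why the techniques on this slide work against
# unsalted fast hashes and what storage format resists them. The wordlist is constructed.
import hashlib
import hmac
import os

WORDLIST = ["summer", "letmein", "welcome1", "qwerty"]   # constructed, deliberately tiny


def fast_unsalted_hash(password: str) -> str:
    """How a weak system stores passwords: one fast hash, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def precomputed_table(words) -> dict:
    """Stand-in for a rainbow table: hash -> word, computed once and reused against
    every stored hash of the same unsalted form."""
    return {fast_unsalted_hash(w): w for w in words}


def table_lookup(table: dict, stored_hash: str):
    """Dictionary attack reduced to a lookup; returns the word or None."""
    return table.get(stored_hash)


def store_password(password: str, iterations: int = 200_000) -> tuple:
    """Salted, slow storage: a random per-user salt defeats precomputation (the same
    password yields a different record each time), and the iteration count makes
    each brute-force guess cost as much as a real login attempt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password: str, record: tuple) -> bool:
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def audit_unsalted(stored_hashes: dict, words=WORDLIST) -> dict:
    """Password audit of an unsalted store: which accounts use a wordlist password.
    This is the defender's use of the same lookup: find weak passwords before an attacker does."""
    table = precomputed_table(words)
    return {user: table[h] for user, h in stored_hashes.items() if h in table}


if __name__ == "__main__":
    store = {"alice": fast_unsalted_hash("qwerty"), "bob": fast_unsalted_hash("Tr0ub4dor&3")}
    print("weak accounts:", audit_unsalted(store))
    rec = store_password("qwerty")
    print("salted record found in table:", table_lookup(precomputed_table(WORDLIST), rec[2].hex()))
```

The audit function is the legitimate operational counterpart of the slide: run against your own password store under a defined goal and management approval, it reports which accounts violate the password policy, and the salted record shows why a modern store makes the precomputed-table shortcut useless.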
Rogue Infrastructures
• Unauthorized DHCP servers can be used to redirect hosts to rogue DNS servers
• Rogue DNS servers can direct traffic to spoofed hosts
• DNS zone transfer information contains MUCH information about a network and its configuration
• Countermeasures: secure physical access to the network; require authorization for DHCP servers; use DHCP reservations and MAC addressing to control assignment of IPs; allow DNS zone transfers only to specific hosts
War Dialing
• Goal is to discover unauthorized modems, which provide a means to bypass most or all of the security measures in place
• Dial large blocks of phone numbers in search of available modems
• Should be conducted at least annually
• Should be performed after-hours
• Include all numbers that belong to an organization, except those that could be impacted negatively
• If removal is not possible, block inbound calls to the modem
Reporting
• Planning: Rules of engagement; Test plans; Written permission
• Discovery and Attack: Documentation of logs; Periodic reports
• End of test overall report: Describe the identified vulnerabilities and risk rating
• Remember: the Pen Tester does NOT provide mitigation advice. They simply provide a report on weaknesses found.
Corrective Actions - 1 of 2
• Investigate and disconnect unauthorized hosts
• Disable or remove unnecessary and vulnerable services
• Modify vulnerable hosts to restrict access to vulnerable services to a limited number of required hosts (i.e., host-level firewall or TCP wrappers)
• Modify enterprise firewalls to restrict outside access to known vulnerable services
• Ingress Filtering: No inbound traffic allowed with internal addresses (spoofing)
• Egress Filtering: No outbound traffic allowed with external addressing (DDoS)
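The two perimeter filters in the last two bullets, as an added example that is not from the slide deck: ingress filtering drops inbound packets that claim an internal source, egress filtering drops outbound packets whose source is not one of the organization's own addresses. The internal prefixes and the sample packets are constructed stand-ins for a real address plan and firewall log.

```python
# Added example (not from the slide deck): the two border filters described above
# applied to constructed packet records. The internal prefixes are an assumption
# standing in for an organization's own address space.
import ipaddress

# Constructed: the address blocks this organization uses internally
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETWORKS)


def border_filter(direction: str, src: str, dst: str):
    """Decide one packet at the perimeter. Returns (verdict, reason)."""
    if direction == "inbound":
        # Ingress filtering: nothing arriving from outside may claim an internal source
        if is_internal(src):
            return "deny", "ingress: internal source address on inbound packet (spoofing)"
        return "permit", "ingress: external source accepted"
    if direction == "outbound":
        # Egress filtering: nothing leaving may carry a source address we do not own
        # (keeps a compromised internal host from joining a DDoS with forged sources)
        if not is_internal(src):
            return "deny", "egress: non-internal source address on outbound packet (DDoS)"
        return "permit", "egress: internal source accepted"
    raise ValueError(f"unknown direction: {direction}")


# Constructed sample of perimeter packets: (direction, source, destination)
SAMPLE_PACKETS = [
    ("inbound", "203.0.113.7", "10.0.0.5"),       # normal inbound traffic
    ("inbound", "10.1.2.3", "10.0.0.5"),          # spoofed: claims to be internal
    ("outbound", "10.0.0.5", "198.51.100.1"),     # normal outbound traffic
    ("outbound", "203.0.113.9", "198.51.100.1"),  # forged source leaving the network
]


def apply_filters(packets=SAMPLE_PACKETS) -> list:
    """Verdict for each packet, in order."""
    return [border_filter(*p)[0] for p in packets]


def denied_packets(packets=SAMPLE_PACKETS) -> list:
    """The packets the two rules would drop."""
    return [p for p in packets if border_filter(*p)[0] == "deny"]


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        verdict, reason = border_filter(*p)
        print(f"{p[0]:8} {p[1]:>14} -> {p[2]:<14} {verdict:6} {reason}")
```

Both rules are address-plausibility checks rather than content inspection, which is why they belong on the border router or firewall and why the internal prefix list must be kept in step with the configuration management records described earlier in the deck.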
Corrective Actions - 2 of 2
• Upgrade or patch vulnerable systems
• Deploy mitigating countermeasures
• Improve configuration management program and procedures
• Assign a staff member to: monitor vulnerability alerts/mailing lists; examine applicability to environment; initiate appropriate system changes
• Modify the organization's security policies and architecture
• All of the above require going through proper change management procedures
Log Reviews
• Firewall logs
• IDS logs
• Server logs
• Other logs that are collecting audit data
• Snort is a free IDS sensor
• Log reviews should be conducted very frequently on major servers and firewalls
Deploy File Integrity Checkers
• Computes and stores a checksum
• Should be recomputed regularly
• Usually included with any commercial host-based intrusion detection system
• Requires a system that is known to be secure to create the initial reference database
• False positive alarms
• LANguard is a freeware file integrity checker
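A minimal file integrity checker of the kind this slide describes, as an added example that is not from the slide deck and not the code of any product it names. It hashes every file under a root, stores the reference database as JSON, and on a later scan reports modified, added and removed files; the directory tree and its contents in `demo()` are constructed under a temporary directory.

```python
# Added example (not from the slide deck): a minimal file integrity checker.
# The baseline is a map of relative path -> SHA-256; comparing a fresh scan against it
# reports modified, added and removed files. The directory tree in demo() is constructed.
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan(root) -> dict:
    """Relative path -> digest for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(baseline: dict, path) -> None:
    # Keep this file off the monitored host or on read-only media: an intruder who can
    # rewrite the baseline can hide changes. Take it while the host is known to be clean.
    Path(path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path) -> dict:
    return json.loads(Path(path).read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Differences between the reference database and a fresh scan."""
    return {
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def demo() -> dict:
    """Build a constructed tree, take a baseline, change the tree, report the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "host"
        (root / "etc").mkdir(parents=True)
        (root / "bin").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "motd").write_text("welcome\n")
        (root / "bin" / "tool").write_bytes(b"\x7fELF-constructed-binary")
        baseline_path = Path(tmp) / "baseline.json"
        save_baseline(scan(root), baseline_path)          # taken while the host is known-good

        # Later: one file edited, one deleted, one added
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n203.0.113.5 update.example\n")
        (root / "etc" / "motd").unlink()
        (root / "bin" / "extra").write_text("new file\n")
        # A legitimate patch that rewrote bin/tool would be reported as "modified" as well:
        # that is the false-positive case the slide mentions, so re-baseline after approved changes.
        return compare(load_baseline(baseline_path), scan(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Scheduling `scan` plus `compare` regularly is the "recomputed regularly" bullet; the false-positive bullet is handled by tying re-baselining to the change management process, so that every approved patch or configuration change is followed by a fresh reference database.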
Watching Network Traffic
• Traffic Analysis / Side Channel Analysis: watching traffic and its patterns to try and determine if something special is taking place. For example:
  - A lot of traffic between two military units may indicate that an attack is being planned
  - Traffic between human resources and headquarters may indicate layoffs are around the corner
• Traffic Padding: generating spurious data in traffic to make traffic analysis more difficult
  - Sending out decoy attacks
  - The amount and nature of traffic may be masked
  - Attempt to keep traffic constant so no information can be gained
Protocol Analyzers (Sniffers) and Privacy
• Promiscuous mode
• Bridging / Switching can affect the packet capture
Deploy Virus Detectors
• Malicious code detection
• Two primary types: network infrastructure; end-user machines
• Update the list of virus signatures
• More sophisticated programs also look for virus-like activity in an attempt to identify new or mutated viruses
Intrusion Detection Systems
• Software is used to monitor a network segment or an individual computer
• Used to detect attacks and other malicious activity
• Dynamic in nature
• The two main types: Network-based; Host-based systems (TCP Wrappers)
Types of IDS
• Network-based IDS: Monitors traffic on a network segment; computer or network appliance with NIC in promiscuous mode; sensors communicate with a central management console
• Host-based IDS: Small agent programs that reside on individual computers; detects suspicious activity on one system, not a network segment
• IDS Components: Sensors; Analysis engine; Management console
IDS Components
• Sensors
• Analysis engine
• Management console
Sensor Placement
• In front of firewalls to discover attacks being launched
• Behind firewalls to find out about intruders who have gotten through
• On the internal network to detect internal attacks
Analysis Engine Methods
• Pattern Matching: Rule-Based Intrusion Detection; Signature-Based Intrusion Detection; Knowledge-Based Intrusion Detection
• Profile Comparison: Statistical-Based Intrusion Detection; Anomaly-Based Intrusion Detection; Behavior-Based Intrusion Detection
Types of IDS
• Signature-based (MOST COMMON): IDS has a database of signatures, which are patterns of previously identified attacks
  - Cannot identify new attacks
  - Database needs continual updates
• Behavior-based: Compares audit files, logs, and network behavior, and develops and maintains profiles of normal behavior
  - Better defense against new attacks
  - Creates many false positives
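The two analysis-engine families on this slide run side by side over the same traffic, as an added example that is not from the slide deck. The signature detector matches request text against a tiny database of known patterns; the behavior detector compares each source's distinct-port count against a statistical profile of normal traffic. The signature list, the training baseline and the sample connection records are all constructed, and the sample is chosen so that each detector shows the strength and weakness the slide lists for it.

```python
# Added example (not from the slide deck): the two analysis-engine families on this slide
# run over constructed connection records. The signature list, the "normal" baseline and
# the sample traffic are all made up for the example.
import re
import statistics
from collections import defaultdict

# Signature database: name -> pattern of a previously identified attack (constructed, tiny)
SIGNATURES = {
    "directory-traversal": re.compile(r"\.\./"),
    "shadow-file-access": re.compile(r"/etc/shadow"),
}

# Profile of normal behaviour: distinct destination ports a single source touches per
# hour, observed during a quiet training period (constructed values)
BASELINE_DISTINCT_PORTS = [2, 3,

 2, 4, 3, 2, 3, 2]

# Constructed traffic: (source, destination port, request line or "")
SAMPLE_EVENTS = (
    [("10.0.0.5", 80, "GET /index.html"), ("10.0.0.5", 443, "GET /login"), ("10.0.0.5", 53, "")]
    + [("203.0.113.9", p, "") for p in (21, 22, 25, 80, 110, 143, 443, 445, 3389, 8080, 8443, 9000)]
    + [("10.0.0.7", 80, "GET /../../etc/shadow")]
    + [("10.0.0.9", p, "") for p in (22, 139, 445, 3306, 5432)]   # backup host: busy but legitimate
)


def signature_alerts(events) -> list:
    """Pattern matching: alert only on traffic that matches a known signature.
    The port sweep from 203.0.113.9 carries no matching text, so this engine never sees it."""
    alerts = set()
    for src, _port, request in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(request):
                alerts.add((src, name))
    return sorted(alerts)


def anomaly_threshold(baseline=BASELINE_DISTINCT_PORTS, k: float = 3.0) -> float:
    """Profile comparison: mean + k standard deviations of the trained normal values."""
    return statistics.mean(baseline) + k * statistics.pstdev(baseline)


def anomaly_alerts(events, baseline=BASELINE_DISTINCT_PORTS, k: float = 3.0) -> list:
    """Alert on any source whose distinct-port count is far outside the normal profile.
    Catches the sweep without a signature, but also flags the busy backup host (false positive)."""
    ports = defaultdict(set)
    for src, port, _request in events:
        ports[src].add(port)
    limit = anomaly_threshold(baseline, k)
    return sorted((src, len(p)) for src, p in ports.items() if len(p) > limit)


if __name__ == "__main__":
    print("signature alerts:", signature_alerts(SAMPLE_EVENTS))
    print(f"anomaly threshold: {anomaly_threshold():.2f} distinct ports")
    print("anomaly alerts:   ", anomaly_alerts(SAMPLE_EVENTS))
```

The output shows the slide's trade-off directly: the signature engine is precise but blind to anything not in its database, while the profile engine catches the unknown sweep at the price of an alert on a legitimate host, which is why production deployments tune `k` per host class and combine both engines.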
IDS Response Options
• Passive: Page or e-mail administrator; Log event
• Active: Send reset packets to the attacker's connections; Change a firewall or router ACL to block an IP address or range; Reconfigure router or firewall to block protocol being used for attack
IDS Issues
• May not be able to process all packets on large networks; missed packets may contain actual attacks; IDS vendors are moving more and more to hardware-based systems
• Cannot analyze encrypted data
• Switch-based networks make it harder to pick up all packets
• A lot of false alarms
• Not an answer to all prayers: firewalls, anti-virus software, policies, and other security controls are still important
Eluding IDS - Evasion Attack
(diagram slide; no text extracted)
Eluding IDS - Insertion Attack
(diagram slide; no text extracted)
Honeypot
• Deployment: Pseudo Flaw: loophole purposely added to operating system or application to trap intruders
• Sacrificial lamb system on the network
• Administrators hope that intruders will attack this system instead of their production systems
• It is enticing because many ports are open and services are running
• Be careful of Enticement vs. Entrapment
Padded Cell and Vulnerability Tools
• Concept used in software programming where a “safe” environment is created for applications and processes to run in; similar to a virtual machine
• Concept used in IDS where an identified intruder is moved to a “safe” environment without their knowing
• Simulated environment to keep the intruder happy and busy; hopefully they leave production systems alone
• aka: Self Mutating Honeypot, Tarpit
Email Vulnerabilities
• Protocol Weaknesses
• Relays
• Social Engineering
• Phishing
• Spoofing
• Spam
• White listing
• Black listing
Fax Vulnerabilities
• Fax Machine Security Issues: can be used to transfer sensitive data; paper sitting in bin for all to see
• Solution: Fax Servers
  - Fax server can route faxes to e-mail boxes instead of printing
  - Can disable print feature
  - Fax encryptor encrypts bulk data at data link layer
  - Provides extensive logging and auditing
  - Can use public key cryptography for secure transfer of material
Agenda Review
• What is Operations Security?
• Key Operational Procedures and Controls
• Penetration Testing and Vulnerability Assessments
• Intrusion Detection
• Common Attacks and Methodology