Operational Security
April Otto
LAN Design and Installation
Overview
• What is Operational Security
• What is Computer Security
• Hardening Physical Security with Access Controls
• Minimizing Social Engineering
• Securing the Physical Environment
• Protecting Against Environmental Dangers
• Backups
• Personnel/Business Continuity
• Disaster Recovery
• References
What is Operational Security?
“It is a process for identifying, controlling, and protecting generally unclassified information, which if it becomes known to a competitor or adversary, could be used to our disadvantage”.
– Provided by the Interagency OPSEC Support Staff
Operational Security cont…
For government operations and the general public alike, operational security follows five co-dependent phases:
1. Identifying Critical Information
2. Analysis of the Threat
3. Analyzing Vulnerabilities
4. Analyzing Risk Involved
5. Employing Countermeasures
Identifying Critical Information
Examining what it is that needs to be kept from an adversary
• Critical information is anything an adversary needs to achieve their goals
– What am I trying to protect and how much is it worth to me?
– What do I need to protect against?
– How much time, effort, and money am I willing to expend to obtain adequate protection?
Analysis of the Threat
Examining how the threat might come
– What kind of adversary?
• Insider/Outsider, Foreign Intelligence/Gov. Agencies
– Will the adversary send corporate or state-sponsored spies? Will they read open-source literature? Or use espionage/eavesdropping, etc.?
– Will it be by natural causes such as fires, dust, earthquakes, humidity, water, bugs, smoke, explosions, etc.?
Analyzing Vulnerabilities
Which adversary is interested in which data, and how would he go about obtaining it?
– Interception of transmitted signals, dumpster diving
Does the company directly or indirectly do anything to give away data?
– Example: websites with company information, goals, organizational charts, job announcements, personal information found in trash, etc.
Can an adversary find a security vulnerability?
• We must look at our systems the way an adversary would.
– Example: Anthrax mailings, suspended ceilings, insufficient lighting, dead-end hallways
Analyzing Risk Involved
What am I trying to protect, and is it worth it to me?
– In order to protect something, the cost of securing an asset is weighed against the cost of losing that asset.
– Most companies are not willing to pay more than necessary to protect their assets.
• If they can afford to lose a certain asset, then they will pay less or put less emphasis on protecting it.
Employing Protective Measures
Protective measures are put in place to thwart an adversary from completing his task.
– Some of the solutions commonly put in place are:
• Disrupting the adversary's collection of information
• Preventing the adversary from accurately interpreting data
• Making things as simple as possible to understand on the inside and as complex as possible for outsiders
• Eliminating indicators and vulnerabilities altogether
What is computer security?
The three main pillars of security are:
– Confidentiality
– Integrity
– Availability
These pillars are protected by:
– Products
– People
– Procedures
• Operational Security addresses the procedures that need to be in place in order to provide protection.
Hardening Physical Security with Access Controls
Primary goal of physical security:
– Prevent unauthorized users from reaching equipment to use, steal, or vandalize it
– Most security personnel tend to focus on preventing attackers from reaching a computer electronically.
• Physical security is oftentimes forgotten about, and it is equally if not more important than its counterpart.
Hardening Physical Security cont…
Identity management
– Biometrics
• Scanning of hand geometry, fingerprints, retinas, voice, etc.
– Authentication
• An approach to finding out if someone is who they claim to be
• Providing usernames and passwords
– Physical barriers
• Rack-mounted servers, preset locks, deadbolt locks, cipher locks, layered protection measures
Minimizing Social Engineering
This is also a form of identity management. It allows personnel to require certain clearances before giving out information.
In order to minimize occurrences, a strong security policy along with plenty of training is needed.
• These policies should outline what information can be given out and under what circumstances
– Examples: shoulder surfing, dumpster diving, smooth-talking, deceiving, manipulating, and persuasion techniques
Minimizing Social Engineering cont…
Some businesses hire actors who attempt to enter a building by pretending to be repair personnel or authorized visitors who forgot their pass.
Securing the Physical Environment
Again, a strong written policy is needed:
• Identify the physical assets you are protecting
• Identify the physical areas where they are located
• Identify the security perimeter, including any holes
• Identify the attacks you are protecting against and their likelihood
• Identify the security defenses and ways of improving them
• Identify the value of the information you are protecting
The most important part of the written policy is keeping it private and secure.
Securing the Physical Environment cont…
• Relocate the access point
• Substitute 802.11a for 802.11b
• Have appropriate alarms, other protective measures, and fire extinguishers in place
• Locks
• Encrypt data to make it virtually useless to anyone who takes it
• Destroy ‘old’ materials before discarding
Protecting against Environmental Dangers
Fire – proper fire extinguishers, automatically cut power if water sprinkler system triggers
Smoke – no smoking in computer rooms, use smoke detectors
Dust – clean/replace air filters, cover computers, keep computer rooms as dust-free as possible
Earthquakes – physically attach computer to surface, avoid placing computers on high surfaces, avoid placing heavy objects near computers
Protecting against Environmental Dangers cont…
Explosions – keep backups in blast-proof vaults off-site, keep computers away from windows
Food/Drink – observe ventilation holes or spaces where food or drink could be poured into/onto computer
Vandalism – examine whether network cables have been severed, if network connectors are intact, if computer screens are cracked, monitor all utilities such as phone service, water, natural gas, electricity, etc
Backups
Having and maintaining backups is extremely important because disasters, accidents and attacks cannot be predicted.
Backups are the only protection against data loss
– They are also beneficial for comparing what the intruder changed and what he could not get to.
The Role of Backups
• Archival information
• User error
• System software error
• Hardware & software failure
• Electronic break-ins and vandalism
• Theft
• Natural disasters
Basic Types of Backups
Level Zero Backup – copy of the original system before it is used
Full Backup – copies all files
Differential Backup – copies all files changed since the last full backup
Incremental Backup – copies all files changed since the last full backup
Which Backup Do I Use?
It depends on the importance and time sensitivity of your data
– How quickly do you need to resume operations after a complete loss of the main system? After a partial loss?
– What data do you need restored first? Second? Last?
– What will cause the biggest loss if it is not available?
– How much are you willing or able to spend?
Backups tend to prove their worth
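The backup types and the "which backup do I use?" questions above trade storage and copy time against restore time. The following added example (not part of the slides) simulates a week of file changes and shows, for a full, a differential and an incremental schedule, how many file copies each one writes and how many backup sets a restore must apply. It uses the conventional definitions, which is an assumption about the slides: a differential backup copies what changed since the last full backup, while an incremental backup copies what changed since the most recent backup of any level. The change history, file names and day numbers are constructed.

```python
"""Constructed example: full vs. differential vs. incremental backups.

Assumed conventional definitions (not stated this way on the slides):
  full         - every file
  differential - files changed since the last FULL backup
  incremental  - files changed since the most recent backup of ANY level
"""
from dataclasses import dataclass, field

# Constructed change history: day -> {filename: version}.
# Day 0 is the baseline; later days list only the files modified that day.
CHANGES = {
    0: {"db.sql": 1, "app.conf": 1, "report.doc": 1, "logo.png": 1},
    1: {"db.sql": 2},
    2: {"db.sql": 3, "report.doc": 2},
    3: {"app.conf": 2},
    4: {"db.sql": 4},
}


@dataclass
class BackupSet:
    day: int
    level: str                       # "full", "differential" or "incremental"
    files: dict = field(default_factory=dict)


def state_on(day):
    """File system contents (name -> version) as of the end of `day`."""
    state = {}
    for d in range(day + 1):
        state.update(CHANGES.get(d, {}))
    return state


def changed_since(day, since_day):
    """Files whose version on `day` differs from their version on `since_day`."""
    before, now = state_on(since_day), state_on(day)
    return {f: v for f, v in now.items() if before.get(f) != v}


def plan_backups(strategy, last_day):
    """Backup sets written by a strategy; day 0 is always a full backup."""
    sets = [BackupSet(0, "full", state_on(0))]
    for day in range(1, last_day + 1):
        if strategy == "full":
            sets.append(BackupSet(day, "full", state_on(day)))
        elif strategy == "differential":
            sets.append(BackupSet(day, "differential", changed_since(day, 0)))
        elif strategy == "incremental":
            sets.append(BackupSet(day, "incremental", changed_since(day, sets[-1].day)))
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
    return sets


def restore_chain(sets, target_day):
    """Backup sets that must be applied, in order, to rebuild `target_day`."""
    sets = [s for s in sets if s.day <= target_day]
    last_full = max(i for i, s in enumerate(sets) if s.level == "full")
    chain = [sets[last_full]]
    for s in sets[last_full + 1:]:
        if s.level == "differential":
            chain = [sets[last_full], s]   # only the newest differential is needed
        elif s.level == "incremental":
            chain.append(s)                # every incremental since the full is needed
    return chain


def restore(sets, target_day):
    """Apply the restore chain and return the reconstructed file state."""
    state = {}
    for s in restore_chain(sets, target_day):
        state.update(s.files)
    return state


def files_copied(sets):
    """Total file copies written by the whole schedule (a proxy for media/time)."""
    return sum(len(s.files) for s in sets)


if __name__ == "__main__":
    for strategy in ("full", "differential", "incremental"):
        sets = plan_backups(strategy, 4)
        chain = restore_chain(sets, 4)
        print(f"{strategy:12s} copies={files_copied(sets):2d} "
              f"sets needed to restore day 4={len(chain)} "
              f"restore ok={restore(sets, 4) == state_on(4)}")
```

The output makes the trade-off concrete: the incremental schedule writes the fewest copies but needs the whole chain of sets to restore, so losing or corrupting any one of them breaks every later restore; the differential schedule writes more but always restores from two sets; daily full backups write the most and restore from one. Which is acceptable is exactly the "how quickly do you need to resume operations" question on the slide.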
Personnel Security
Personnel are the backbone of an organization. They hold a lot of power, access controls, and authorization codes for numerous important data sets.
Personnel/employees are the #1 threat to security for this reason.
Personnel Security cont…
To keep them in check, a company must:
– Administer background checks before hiring
– Go deeper by doing intensive investigations on those background checks
– Periodically ‘recheck’ them after being hired
– Give them initial training as well as ongoing training and awareness
– Conduct performance reviews and monitoring
– Provide auditing of access
– Employ least privilege and separation of duties practices.
– Have a defined set of actions for how to handle departure.
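Least privilege, separation of duties and a defined departure procedure are the three items in the list above that can be enforced mechanically rather than by policy alone. The following added example (not code from the slides or their references) shows a deny-by-default permission check, a separation-of-duties rule that refuses to give one person both halves of a sensitive workflow, and an offboarding step that revokes everything at once. The role names, permission strings and users are constructed assumptions.

```python
"""Constructed example: least privilege, separation of duties, offboarding.

Roles, permissions and user names are assumptions made for illustration.
"""

# Role -> permissions it grants (constructed).
ROLES = {
    "clerk":    {"payment.request", "ticket.read"},
    "approver": {"payment.approve", "ticket.read"},
    "auditor":  {"payment.read", "ticket.read", "audit.read"},
}

# Permission pairs that must never be held by the same person:
# the person who requests a payment must not be able to approve it.
SEPARATION_OF_DUTIES = [
    frozenset({"payment.request", "payment.approve"}),
]


class SeparationOfDutiesError(Exception):
    """Raised when a role assignment would give one user a conflicting pair."""


def permissions_for(roles):
    """Union of the permissions granted by a set of roles.
    An unknown role grants nothing, so a typo cannot widen access."""
    perms = set()
    for role in roles:
        perms |= ROLES.get(role, set())
    return perms


def conflicting_pairs(roles):
    """Separation-of-duties pairs fully covered by this role set."""
    perms = permissions_for(roles)
    return [pair for pair in SEPARATION_OF_DUTIES if pair <= perms]


def would_violate(user_roles, user, new_role):
    """True if adding `new_role` to the user would break separation of duties."""
    candidate = set(user_roles.get(user, set())) | {new_role}
    return bool(conflicting_pairs(candidate))


def assign_role(user_roles, user, new_role):
    """Grant a role only if duties stay separated; the check runs before
    any change is recorded, so a refused assignment leaves the user as-is."""
    if would_violate(user_roles, user, new_role):
        raise SeparationOfDutiesError(
            f"{user}: {new_role} would grant both halves of "
            f"{sorted(conflicting_pairs(set(user_roles.get(user, set())) | {new_role})[0])}")
    user_roles[user] = set(user_roles.get(user, set())) | {new_role}
    return user_roles[user]


def is_allowed(user_roles, user, permission, audit_log=None):
    """Least privilege: an unknown user, or a user whose roles do not
    include the permission, is denied. Every decision is logged."""
    allowed = permission in permissions_for(user_roles.get(user, set()))
    if audit_log is not None:
        audit_log.append((user, permission, "ALLOW" if allowed else "DENY"))
    return allowed


def offboard(user_roles, user):
    """Departure procedure: revoke every role in one step and report what was held."""
    held = user_roles.pop(user, set())
    return sorted(held)


if __name__ == "__main__":
    users, log = {}, []
    assign_role(users, "alice", "clerk")
    print("alice may request:", is_allowed(users, "alice", "payment.request", log))
    print("alice may approve:", is_allowed(users, "alice", "payment.approve", log))
    try:
        assign_role(users, "alice", "approver")
    except SeparationOfDutiesError as e:
        print("refused:", e)
    print("offboarded alice, held:", offboard(users, "alice"))
    print("alice after departure:", is_allowed(users, "alice", "ticket.read", log))
    print(log)
```

Two design points are worth noticing. The permission check is deny-by-default, so a user who is simply absent from the table has no access, which is the state an offboarding step should leave behind. And the separation-of-duties check runs on the candidate role set before anything is written, so a refused grant cannot leave a half-applied assignment that an audit would then have to unwind.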
Business Continuity
Business continuity is the process of assessing risks and developing a management strategy for how the organization will continue to run in the event that risks materialize.
Personnel are very important in this process as they are the backbone of an organization. They all play important but often very different roles, and a plan is needed should something compromise those roles.
– Significant absenteeism of staff – will this impact your ability to operate?
– Death or incapacitation of staff – can every member of your organization be replaced?
Understanding Business Continuity
This concept is not only concerned with recovering after a disaster, but also with anything that could affect the continuity of service over the long run.
– For example:
• Power outages
• Shortages of staffing in specialized areas
• A disaster takes out your system: how do you face angry users? Would it ruin your reputation?
Planning for Disaster Recovery
• Have backups in place
• Have a defined disaster recovery plan & policy
• Use fault tolerance
– the ability to endure failures in a system
– having a redundant system; protection-in-depth; minimum consequence of component failures
*Always have a system or backup that can regain functionality if the system before it goes down.
References
Some information provided by:
Books:
– Security+ Guide to Network Security Fundamentals, Mark Ciampa, 2nd edition
– Guide to Networking Essentials, Greg Tomsho, Tittel, Johnson, 5th edition
Websites:
– www.searchsecurity.com
– OPSEC website: http://www.ioss.gov/
Academics:
– COSC 352
– COSC 316
– CRIM 321