OPERATIONS SECURITY IS 380 Class 3

Upload: arnav

Post on 22-Mar-2016


DESCRIPTION

IS 380 Class 3: Operations Security. What is operations security about? Due care/due diligence, configuration management, fault tolerance, accountability, keeping current (patching, updates, security scans). Personnel issues: separation of duties, job rotation, least privilege, mandatory vacations. Lecture slides.

TRANSCRIPT

Operations Security
IS 380, Class 3

What is operations security about?
- Due care / due diligence
- Configuration management
- Fault tolerance
- Accountability
- Keep current: patch, update, run security scans

Personnel issues
- Separation of duties
- Job rotation
- Least privilege
- Mandatory vacations

Security vs. network personnel
- The security admin should be in a different department from the network/operations staff: the people who run the systems should not be the only ones who audit them (conflict of interest)
- Security roles: security devices/software, assessments, new accounts, audit logs

Accountability (p. 1055)
- Achieved through auditing
- Look for failures first, but also look at successes (a success that follows a run of failures is the interesting event)
- Logs that are not reviewed might as well not be captured
- Clipping levels are your baseline: the number of errors (e.g. failed logins) tolerated before the activity is flagged for review

Operations (department) (p. 1056)
- Operations security reduces damage and limits the opportunity for misuse
- Keep the network running smoothly
- Prevent recurring problems: root cause analysis
- Unscheduled Initial Program Loads (IPL), i.e. unplanned reboots
- Central monitoring systems
- Event management solutions

Asset Management (p. 1058)
- Inventory hardware and software
- Asset tags
- Versions of software
- Firmware revisions
- Automated solutions: Altiris, Tivoli Asset Management

Configuration management
- Should be addressed in a policy
- Provides a record for rollback if anything goes wrong
- Provides a check against safeguards being removed
- Only works if everyone follows the procedure
- Software: Tripwire (file-integrity baseline)

Recovery
- System reboot: controlled
- Emergency system restart: after an uncontrolled failure
- System cold start

Secure system operation
- Boot sequence locked down
- System logging can't be bypassed
- Disable forced shutdown
- Disable rerouting of output for all but admins
- Input / output control: limit accepted values
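The accountability slide above says to review logs, look at failures first, then at successes, and to treat the clipping level as the baseline. As an added example (not from the slides or the course), the script below does exactly that over a handful of constructed sshd-style log lines: it counts failed logins per (user, source) pair, raises an alert once the count crosses the clipping level, and raises a second alert if a successful login then follows that run of failures. The log format and the sample lines are constructed for the example.

```python
"""Added example: audit-log review against a clipping level.
Sample log lines are constructed in a syslog/sshd style, not captured anywhere."""
import re
from collections import defaultdict

# Constructed sample lines (not real logs).
SAMPLE_LOG = """\
Mar 22 08:00:01 host1 sshd[100]: Failed password for alice from 10.0.0.5 port 50000 ssh2
Mar 22 08:00:03 host1 sshd[101]: Failed password for alice from 10.0.0.5 port 50001 ssh2
Mar 22 08:00:05 host1 sshd[102]: Failed password for alice from 10.0.0.5 port 50002 ssh2
Mar 22 08:00:07 host1 sshd[103]: Failed password for alice from 10.0.0.5 port 50003 ssh2
Mar 22 08:00:09 host1 sshd[104]: Accepted password for alice from 10.0.0.5 port 50004 ssh2
Mar 22 08:01:00 host1 sshd[105]: Failed password for bob from 10.0.0.9 port 50010 ssh2
Mar 22 08:02:00 host1 sshd[106]: Accepted publickey for carol from 10.0.0.7 port 50020 ssh2
"""

# "Failed password for invalid user X" is also a real sshd shape; the optional
# group keeps the user name rather than the literal word "invalid".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def review(log_text, clipping_level=3):
    """Return (alerts, summary).

    summary maps (user, src) -> {"failed": n, "accepted": n}.
    An alert fires once when failures for a (user, src) pair exceed the
    clipping level, and again when a success follows a run of failures
    that already crossed that level (the "also look for success" point)."""
    counts = defaultdict(lambda: {"failed": 0, "accepted": 0})
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an authentication event we review here
        key = (m["user"], m["src"])
        c = counts[key]
        if m["outcome"] == "Failed":
            c["failed"] += 1
            if c["failed"] == clipping_level + 1:  # fire once, on crossing
                alerts.append(("clipping_level_exceeded", key, c["failed"]))
        else:
            c["accepted"] += 1
            if c["failed"] > clipping_level:
                alerts.append(("success_after_failures", key, c["failed"]))
    return alerts, dict(counts)


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG)[0]:
        print(alert)
```

The clipping level of 3 here is arbitrary; the value belongs in policy and should be tuned per system so that the review queue stays short enough that someone actually reads it.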

System hardening
- Lock network closets/cabinets
- UPS and AC?
- Disconnect unused network jacks at the switch
- Encrypt laptops, thumb drives, etc.
- Uninstall unnecessary software; disable it if you can't uninstall it

Remote administration
- Useful in an emergency
- SSH, not Telnet (Telnet sends credentials and the whole session in cleartext)
- Concerns: security of the communication channel, and of the home computers used to connect

Change control (p. 1067)
- Request for the change to take place
- Approval of the change
- Documentation for the change
- Tested and presented
- Implementation
- Report the change to management

Document change control (p. 1069)
- When changes took place
- Troubleshooting
- Document fixes for repeatability

Media
- Sanitize: erase
- Purging: when media leaves a secure location
- Zeroization: overwriting with different patterns
- Degaussing: use a big electromagnet (magnetic media only; it does nothing to flash/SSDs)
- Destruction: shred, crush, burn
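The configuration-management slide earlier names Tripwire and says the record should let you roll back and catch safeguards being removed; the change-control slides just above say every change should be approved and documented with when it happened. The one mechanism that backs both is a file-integrity baseline. As an added example (not from the slides, and not Tripwire's own code), the script below snapshots a directory into a SHA-256 baseline and reports files added, removed or modified since, which is how a change made outside the change-control process shows up. The directory, file names and contents are created in a temp dir for the example.

```python
"""Added example: a Tripwire-style file-integrity baseline.
The watched directory and its contents are constructed in a temp dir."""
import hashlib
import json
import os
import shutil
import tempfile


def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each file under root (relative path) to its hash and permission bits."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            snap[rel] = {
                "sha256": hash_file(full),
                "mode": oct(os.stat(full).st_mode & 0o777),
            }
    return snap


def save_baseline(snap, path):
    # The baseline must live where the monitored host cannot rewrite it
    # (read-only media or another system), or an intruder updates it too.
    with open(path, "w") as f:
        json.dump(snap, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Return sorted lists of added, removed and modified relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline, then three changes made outside change control."""
    root = tempfile.mkdtemp()
    watched = os.path.join(root, "etc")
    os.makedirs(watched)
    with open(os.path.join(watched, "sshd_config"), "w") as f:
        f.write("PermitRootLogin no\n")
    with open(os.path.join(watched, "hosts.allow"), "w") as f:
        f.write("sshd: 10.0.0.0/8\n")
    baseline_path = os.path.join(root, "baseline.json")  # outside the watched tree
    save_baseline(snapshot(watched), baseline_path)

    # Unapproved changes: a safeguard weakened, a safeguard removed, a file added.
    with open(os.path.join(watched, "sshd_config"), "w") as f:
        f.write("PermitRootLogin yes\n")
    os.remove(os.path.join(watched, "hosts.allow"))
    with open(os.path.join(watched, "motd"), "w") as f:
        f.write("maintenance tonight\n")

    report = compare(load_baseline(baseline_path), snapshot(watched))
    shutil.rmtree(root)
    return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the comparison on a schedule and reconcile each reported path against an approved change request; anything without one is either an undocumented change or an intrusion, and both are findings.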

- Deleting data does not make it unrecoverable: data remanence
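Deleting a file only removes the directory entry; the blocks keep their contents until something else writes over them, which is the data remanence the slide warns about. As an added example (not from the slides), the script below implements the zeroization item from the media slide: it overwrites a file in place with several patterns, syncs each pass to disk, then truncates and unlinks it, and checks that the original bytes are gone after the first pass. The file and its "sensitive" contents are constructed in a temp file. Two caveats are written into the code: overwriting is a technique for magnetic media, since SSD and flash controllers can remap blocks so the old data survives (use the drive's secure-erase or cryptographic erase instead), and copy-on-write or journaling file systems may write the pattern to new blocks rather than the old ones.

```python
"""Added example: overwrite-then-delete (zeroization) of a file.
Caveat: only meaningful for magnetic media on a file system that writes in
place. SSDs/flash remap blocks (use ATA/NVMe secure erase or crypto-erase), and
copy-on-write or journaling file systems may leave the old blocks untouched."""
import os
import secrets
import tempfile

# Zeros, ones, then random bytes; None means "random" for that pass.
PATTERNS = (b"\x00", b"\xff", None)


def overwrite_file(path, passes=PATTERNS):
    """Overwrite every byte of path with each pattern, fsync after each pass.
    Returns the number of passes completed."""
    size = os.path.getsize(path)
    done = 0
    with open(path, "r+b") as f:
        for pat in passes:
            f.seek(0)
            remaining = size
            while remaining:
                chunk = min(remaining, 1 << 16)
                f.write(secrets.token_bytes(chunk) if pat is None else pat * chunk)
                remaining -= chunk
            f.flush()
            os.fsync(f.fileno())  # make sure the pass reaches the device
            done += 1
    return done


def sanitize(path):
    """Overwrite, truncate to zero length, then unlink. Returns passes done."""
    n = overwrite_file(path)
    with open(path, "r+b") as f:
        f.truncate(0)
    os.remove(path)
    return n


def demo():
    """Constructed check: (original bytes gone after the zero pass,
    passes run by sanitize, file still exists afterwards)."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"ACCOUNT=4111-1111-1111-1111\n" * 100)  # constructed content
    size = os.path.getsize(path)
    overwrite_file(path, passes=(b"\x00",))
    with open(path, "rb") as f:
        zeroed = f.read() == b"\x00" * size
    passes = sanitize(path)
    return zeroed, passes, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```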

Data leakage
- Negligence is the leading cause
- Latest gadgets (often with malware included)
- Company reputation
- State/federal laws

Dealing with failures (p. 1079)
- Trusted recovery, e.g. make sure the firewall fails closed
- Avoid single points of failure
- Use clustering*, RAID, backups
- Test the backup system
- Have SLAs

* Do NOT use Microsoft Clustering

RAID
- RAID 0: striping; speed, no fault tolerance
- RAID 1: mirroring (half the total space is usable)
- RAID 5: striping with one parity stripe; usable capacity x*(N-1) for N drives of size x; survives one drive failure
- RAID 6: two parity stripes; usable capacity x*(N-2); survives two drive failures
- Huge drive sizes take a long time to rebuild, and a second failure during the rebuild is the risk RAID 6 is there to cover
- RAID 10: RAID 1 + RAID 0; speed and redundancy
- Databases
- Hot swapping

Other drive technologies
- MAID (Massive Array of Idle Disks): massive, but infrequently used; drives stay spun down until needed
- SAN: multiple computers connecting to a back-end storage network

Server technologies
- Clustering: one server can fail
- Network load balancing: load distributed
- Grid computing: computers join and leave (SETI@home, Folding@home)

Mainframes
- Expensive
- Highly reliable
- Massive I/O capabilities
- High quantities of general processing

Email
- SMTP: forwarding e-mail
- POP: accessing stored e-mail (retrieval only; no one uses POP to send e-mail, that is SMTP's job)
- IMAP: a superset of POP; mail is accessed as folders on the server; high server utilization
- E-mail relaying: security issues (an open relay lets anyone send mail through your server)

Hacking (p. 1102)
- Hacking/cracking
- Penetration testing
- Script kiddie

Know your enemy
- Penetration testing lets you simulate an attack
- Vulnerability scanning tools
- Get permission from senior management in writing
- The more thorough you are, the more likely you are to cause an impact to production

Some types of attacks
- OS fingerprinting: nmap
- Network sniffing: Wireshark
- Session hijacking
- Password cracking: John the Ripper
- Backdoors: Back Orifice, NetBus

Slamming and cramming (p. 1110)
- Slamming: changing a customer's service provider without consent
- Cramming: adding unauthorized charges to a bill

Vulnerability scan (p. 1113)
- Identify hosts
- Identify active/vulnerable ports
- Identify applications; grab banners
- Identify OS (patch level too)
- Identify vulnerabilities of the OS and apps
- Find misconfiguration(s)
- Test for compliance with security policy
- Determine route/severity for the penetration test
- "Get out of jail free" card: the written authorization from management

Enumeration
- Information gathering phase
- Figure out the infrastructure
- "Google, properly leveraged, has more intrusion potential than any hacking tool" (Adrian Lamo)

Enumeration tools
- WHOIS: www.dnsstuff.com
- Port scanners (Nmap, etc.)
- Web searches: what public information is available?
- War dialing

Google hacking: keywords
- site:
- inurl:
- numrange:
- link: all sites linked to a given site
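Two steps of the vulnerability-scan slide above, "identify applications, grab banners" and "identify OS (patch level too)", come down to reading what a service announces about itself. As an added example (not from the slides), the script below has a small banner grabber for authorized targets and a parser that pulls service, product, version and any OS/distribution hint out of SSH, HTTP, SMTP and FTP greetings; banners that leak an OS hint are then listed as the verbose ones worth a finding under "find misconfigurations". The sample banners are constructed for the example, not captured from real hosts, and the IP addresses are placeholders.

```python
"""Added example: banner grabbing and parsing for a vulnerability scan.
Sample banners and addresses are constructed; grab_banner() is for hosts you
have written permission to test."""
import re
import socket

# Constructed sample banners keyed by (host, port); not real hosts.
SAMPLE_BANNERS = {
    ("10.0.0.5", 22): "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1\r\n",
    ("10.0.0.5", 80): "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"
                      "Content-Type: text/html\r\n\r\n",
    ("10.0.0.6", 25): "220 mail.example.com ESMTP Postfix (Debian/GNU)\r\n",
    ("10.0.0.7", 21): "220 (vsFTPd 3.0.3)\r\n",
    ("10.0.0.8", 443): "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n",
}

OS_HINTS = ("Ubuntu", "Debian", "CentOS", "Red Hat", "FreeBSD", "Win32", "Windows")


def grab_banner(host, port, timeout=3.0):
    """Connect, nudge HTTP-like ports with a HEAD request, return the first bytes."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        if port in (80, 8000, 8080):
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        try:
            return s.recv(1024).decode("utf-8", "replace")
        except socket.timeout:
            return ""


def parse_banner(banner):
    """Return {"service", "product", "version", "os_hint"} for one raw banner."""
    info = {"service": None, "product": None, "version": None, "os_hint": None}
    first = banner.split("\n", 1)[0].strip()
    m = None
    if first.startswith("SSH-"):
        info["service"] = "ssh"
        # "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1": software field after the 2nd '-'
        software = first.split("-", 2)[2] if first.count("-") >= 2 else ""
        m = re.match(r"([A-Za-z]+)[_-]?(\S*)", software)
    elif first.startswith("HTTP/"):
        info["service"] = "http"
        m = re.search(r"^Server:[ \t]*([^/\r\n]+)(?:/(\S+))?", banner, re.M | re.I)
    elif first.startswith("220"):
        if re.search(r"\bE?SMTP\b", first):
            info["service"] = "smtp"
            m = re.search(r"\bE?SMTP\s+(\w+)(?:\s+(\d[\w.]*))?", first)
        else:
            info["service"] = "ftp"
            m = re.search(r"\(?([A-Za-z][A-Za-z]+)\)?\s+v?(\d[\w.]*)", first)
    if m:
        info["product"] = m.group(1).strip()
        info["version"] = m.group(2) or None
    # Any distribution/OS name in the banner is patch-level information handed out for free.
    info["os_hint"] = next((h for h in OS_HINTS if h.lower() in banner.lower()), None)
    return info


def verbose_banners(banners):
    """Sorted [(key, info)] for services whose banner leaks an OS/distribution hint."""
    out = [(k, parse_banner(b)) for k, b in sorted(banners.items())]
    return [(k, i) for k, i in out if i["os_hint"] is not None]


if __name__ == "__main__":
    for key, info in verbose_banners(SAMPLE_BANNERS):
        print(key, info)
```

Suppressing the version and OS fields (for example, ServerTokens Prod in Apache, or DebianBanner no in OpenSSH on Debian-derived systems) does not fix a vulnerable version, but it does stop the scan's "identify OS (patch level too)" step from being answered by the target itself.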

- Cheat sheet: http://www.sans.org/mentor/GoogleCheatSheet.pdf

Google hacking: Groups
- Search via e-mail address
- Keyword insubject:
- Keyword author:

Google hacking: notes
- Documents may be cached long after they are removed from the web
- Non-linked web pages are available
- System profiling is also possible, i.e. server at

More enumeration tools
- www.netcraft.com
- http://ws.arin.net/whois
- http://web-sniffer.net

Penetration test
- Discovery: footprinting/reconnaissance
- Enumeration: port scans, etc.
- Vulnerability mapping
- Exploitation
- Report to management

Tester's starting knowledge (p. 1115)
- Zero knowledge
- Partial knowledge
- Full knowledge

Penetration test (cont.)
- External
- Internal

- Blind test: the tester has only public knowledge; staff are aware of the test
- Double-blind test: security staff are unaware as well
- Targeted test: a specific area of interest (consultants, the weak link, etc.)
(p. 1116)

What to look for in operations
- Unusual or unexplained occurrences
- Deviations from standards
- Unusual network traffic
- Unexpected rebooting/IPL

Postmortem (p. 1120)
- Use the results for remediation
- Make sure the remediation actually fixes the problem
- Risk analysis: is the fix cost-effective?
- Test again

In-class work
- Use the tools on Stevenson
- Who is the contact for Stevenson's web site?
- What IP addresses do they own?
- What kind of systems are they running?
- What is Stevenson's DNS server called?
- What kind of technical information about Stevenson can be found in Google Groups?