Week 13 – Advanced Topics on Security
TRANSCRIPT
Week 13 – Advanced Topics on Security
26/11/2015 1 COPYRIGHT © RICCI IEONG FOR UST TRAINING 2015
IT Service Delivery
ITIL Process
http://www.mitsm.de/itil-wiki/process-descriptions-english/main-page
Security Operations
Operations Security
Operations Security is used to identify the controls over hardware, media, and the operators with access privileges to any of these resources.
Audit and monitoring are the mechanisms, tools and facilities that permit the identification of security events for reporting to appropriate parties. (ISC2 Study Guide)
IT Department Organization
IT Department Organization (organization chart, flattened to an outline)
◦ Chief Information Officer
  ◦ IT Development Manager
    ◦ System Analyst
      ◦ Analyst/Programmer
        ◦ Programmer
  ◦ Technical Manager
    ◦ Systems Programmer
  ◦ IT Operations Manager
    ◦ Shift Supervisor
      ◦ Operator
    ◦ Production Support
Organization of Computer Operations
1. IT Operations Management
2. Input/output control
3. Data entry
4. Computer operations
5. Production control and scheduling
6. Library management and change management
1. IT Operations Management
IT Operations Management has the overall responsibility for developing computer operations standards and procedures for efficient and effective operations.
IT Management is also responsible for ensuring that there are sufficient IT resources to meet current and future business needs.
1. IT Operations Management
Means to manage and control IT operations
◦ Recruit sufficient computer operators
◦ Organize communication between shifts
◦ Provide operations documentation to support computer operations
◦ Set up processing checklists and priorities
1. IT Operations Management
◦ Obtain and review:
  ◦ Hardware and software problem reports
  ◦ Statistics of scheduled and unscheduled system downtime
  ◦ Re-run jobs and the reasons for them
  ◦ CPU utilization
  ◦ Computer storage utilization
  ◦ SLA achievement
2. Input/Output Control
Data Input Control
◦ Receive source documents for batch data entry
◦ Authenticate the source documents
◦ Use batch and control totals to ensure all source documents are processed
◦ Input the data in a timely manner
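The batch and control totals mentioned above are worth seeing in working form. The following is an added example, not code from the lecture slides: the record layout, the three totals (record count, financial total, and a hash total over a non-financial field) and all sample batches are constructed for illustration.

```python
"""Batch input control with control totals.

Added illustrative example; it is not code from the lecture slides. The record
layout, the three control totals and the sample batches are constructed for
the example.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Record:
    account: int        # account number; its digits are what the hash total checks
    amount_cents: int   # financial field carried into the financial total


@dataclass(frozen=True)
class ControlTotals:
    """Totals the data-control clerk computes from the source documents before keying."""
    record_count: int   # number of source documents in the batch
    amount_total: int   # sum of the amount field (cents)
    hash_total: int     # sum of a non-financial field; meaningless as a number, but checkable


def compute_totals(records: List[Record]) -> ControlTotals:
    return ControlTotals(
        record_count=len(records),
        amount_total=sum(r.amount_cents for r in records),
        hash_total=sum(r.account for r in records),
    )


def check_batch(expected: ControlTotals, keyed: List[Record]) -> List[str]:
    """Compare the keyed batch with the clerk's totals.

    Returns the list of mismatches; an empty list means the batch balances and
    can be released for processing.
    """
    actual = compute_totals(keyed)
    problems = []
    if actual.record_count != expected.record_count:
        problems.append(f"record count {actual.record_count} != {expected.record_count}")
    if actual.amount_total != expected.amount_total:
        problems.append(f"amount total {actual.amount_total} != {expected.amount_total}")
    if actual.hash_total != expected.hash_total:
        problems.append(f"hash total {actual.hash_total} != {expected.hash_total}")
    return problems


# Constructed source batch (three payment vouchers) and the totals computed from it.
SOURCE = [Record(10234, 12500), Record(20987, 4999), Record(31567, 70001)]
HEADER = compute_totals(SOURCE)   # count 3, amount 87500, hash 62788

# Constructed keying errors:
KEYED_DROPPED = SOURCE[:2]                                                 # one voucher not keyed
KEYED_TRANSPOSED = [SOURCE[0], Record(20897, 4999), SOURCE[2]]             # account digits 98 -> 89
KEYED_AMOUNT = [SOURCE[0], SOURCE[1], Record(31567, 70010)]                # 70001 keyed as 70010
KEYED_OFFSETTING = [SOURCE[0], Record(20987, 5000), Record(31567, 70000)]  # two errors that cancel


if __name__ == "__main__":
    batches = [("source", SOURCE), ("dropped", KEYED_DROPPED),
               ("transposed", KEYED_TRANSPOSED), ("amount", KEYED_AMOUNT),
               ("offsetting", KEYED_OFFSETTING)]
    for label, batch in batches:
        print(f"{label:10s} -> {check_batch(HEADER, batch) or 'balanced'}")
```

The dropped voucher trips all three totals, a transposed account number trips only the hash total, and a mis-keyed amount trips only the financial total. The offsetting batch balances even though two fields are wrong: control totals catch lost, duplicated and mis-keyed documents but not compensating errors, which is why they are used together with key verification rather than instead of it.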
2. Input/Output Control
Data Output Control
◦ Output is produced in the proper format and distributed to the appropriate users in a secure manner
◦ Control of production report distribution
  ◦ Predefined report recipients
  ◦ Check completeness before distribution
  ◦ Recipients check all reports received
2. Input/Output Control
◦ Restrict access to spooled reports to prevent
  ◦ Compromise of confidentiality
  ◦ Unauthorized report deletion
◦ Computer generation of negotiable instruments
  ◦ Sequence control
  ◦ Detection of missing negotiable instruments
◦ Inventory of sensitive and critical stationery
  ◦ Keep in a secure location
  ◦ Properly recorded
  ◦ Stocktaking on a regular basis
3. Data Entry
Enter data using a data entry device to create a data file for subsequent processing
Key verification (the same data re-keyed by a second operator and compared with the first keying) is a common control technique for verifying the accuracy of input data
Sufficient audit trail for checking when required
4. Computer Operations
Carry out ad-hoc and scheduled computer jobs
Guided by operation procedures to ensure computer operations are carried out in an efficient and effective manner
Examples of operation procedures
◦ System startup and shutdown procedures
◦ Error handling procedures
◦ Data backup and restore procedures
4. Computer Operations
Operation tasks
◦ Restart and shut down computers
◦ Running and monitoring computer jobs
◦ Report printing
◦ Backup/restore of system and data files
◦ Housekeeping
◦ Control access to the data processing centre and computing facilities
◦ Participate in disaster recovery testing
◦ Maintain registers and operational statistics for measuring SLA achievement
◦ Report equipment failures and operating errors
◦ Ensure an adequate supply of computer consumables
5. Production Control and Scheduling
Schedule the computer job processing sequence, for both ad-hoc and routine jobs
Define the conditions for starting/re-starting a job
Define job dependencies
Ensure all jobs are completely processed
Manual processing of scheduled jobs, or using job scheduling software
5. Production Control and Scheduling
Manual
◦ Rely on the operator to run a job
◦ Use a job processing checklist for controlling job processing
◦ Manual job monitoring and logging
◦ Job processing records reviewed by a supervisor to ensure computer jobs are accurately and completely processed
◦ Effective for simple batch jobs
Automatic (Job Scheduling Software)
◦ Automatic processing of batch jobs
◦ Set up once
◦ Control job dependencies
◦ Error detection and logging
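The four scheduling requirements above (processing sequence, restart conditions, dependencies, and confirming that every job completed) are what a job scheduler actually implements. The following is an added example, not code from the slides or from any scheduling product: the job names, the dependency graph and the simulated job outcomes are constructed.

```python
"""Dependency-ordered batch job scheduling with restart and completeness checks.

Added illustrative example; it is not code from the slides or from any
scheduling product. Job names, the dependency graph and the simulated job
outcomes are constructed.
"""
from collections import deque
from typing import Dict, List


def topological_order(jobs: Dict[str, List[str]]) -> List[str]:
    """Order jobs so every dependency runs before its dependents (Kahn's algorithm).

    jobs maps a job name to the names it depends on. A dependency on an
    unknown job or a dependency cycle is a scheduling error, so raise.
    """
    for name, deps in jobs.items():
        for dep in deps:
            if dep not in jobs:
                raise ValueError(f"{name} depends on unknown job {dep}")
    indegree = {name: len(deps) for name, deps in jobs.items()}
    dependents: Dict[str, List[str]] = {name: [] for name in jobs}
    for name, deps in jobs.items():
        for dep in deps:
            dependents[dep].append(name)
    ready = deque(sorted(n for n, k in indegree.items() if k == 0))
    order: List[str] = []
    while ready:
        name = ready.popleft()
        order.append(name)
        for child in sorted(dependents[name]):
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
    if len(order) != len(jobs):
        raise ValueError("cycle in job dependencies")
    return order


def run_schedule(jobs, run_job, max_attempts=2, log=None):
    """Run every job in dependency order.

    run_job(name, attempt) returns True on success. A failed job is re-started
    until max_attempts is reached (the restart condition); a job whose
    dependency did not complete is skipped rather than run on bad input.
    Returns a status per job: 'ok', 'failed' or 'skipped'.
    """
    status = {}
    for name in topological_order(jobs):
        unmet = [d for d in jobs[name] if status[d] != "ok"]
        if unmet:
            status[name] = "skipped"
            if log is not None:
                log.append(f"{name}: skipped, dependency not ok: {unmet}")
            continue
        status[name] = "failed"
        for attempt in range(1, max_attempts + 1):
            ok = run_job(name, attempt)
            if log is not None:
                log.append(f"{name}: attempt {attempt} {'ok' if ok else 'failed'}")
            if ok:
                status[name] = "ok"
                break
    return status


def incomplete_jobs(status):
    """Completeness check: jobs that are not 'ok' must be reported, never silently dropped."""
    return sorted(n for n, s in status.items() if s != "ok")


def make_simulated_runner(failures_before_success):
    """Simulated execution: name -> number of attempts that fail first (None = always fails)."""
    def run_job(name, attempt):
        n = failures_before_success.get(name, 0)
        return n is not None and attempt > n
    return run_job


# Constructed nightly batch: validate needs the extract, post needs validation,
# the report needs posting, and archive only needs the extract.
JOBS = {
    "extract": [],
    "validate": ["extract"],
    "post": ["validate"],
    "report": ["post"],
    "archive": ["extract"],
}

if __name__ == "__main__":
    log = []
    status = run_schedule(JOBS, make_simulated_runner({"validate": None}), log=log)
    print("\n".join(log))
    print("incomplete:", incomplete_jobs(status))
```

With a transient failure in `post` the retry makes the whole batch complete; when `validate` never succeeds, `post` and `report` are skipped and `incomplete_jobs` lists all three, which is the report a supervisor reviews the next morning instead of discovering later that a job was never run.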
6. Library Management and Change Management
Manage computer tape/cartridge movement
◦ Recording of receiving, lending and removing of computer tapes/cartridges
◦ Regular stocktaking to detect missing computer tapes/cartridges
◦ Proper audit trail of computer tape/cartridge movement
6. Library Management and Change Management
Manage the production software inventory
◦ Software version control
◦ Job control language and processing parameter control
◦ Computer source and object control (e.g. keeping source and object code synchronized)
◦ Logging of addition, deletion and updating of the software inventory
Operations Administration
Operations Administration
1. Background checking
2. Segregation of duties
3. Job rotation
4. Least privilege
5. Need to know
1. Background Check
Verification checks before employing operations staff, covering
◦ HKID (Hong Kong Identity Card)
◦ Availability of satisfactory character references
◦ Checking of the applicant's curriculum vitae
◦ Confirmation of claimed academic and professional qualifications
2. Segregation of Duties
Ensure critical stages of a process are not under the control of a single individual
Errors and irregularities performed by one user can be detected by another user
Potential damage can be minimized
2. Segregation of Duties
Appropriate segregation of duties between
◦ Users
◦ IT developers
◦ Data centre staff
Achieved by
◦ Policies
◦ Procedures
◦ Organization structure
so that no one individual can perform unauthorized activities
2. Segregation of Duties
In computer operations, the following duties can be defined
◦ Production Control
◦ Data Entry
◦ Librarian
◦ Operator
◦ System Programmer
2. Segregation of Duties
In software programming, the following function groups can be defined
◦ System Analyst
◦ Programmer
◦ Database Administrator
◦ Security Officer
◦ Quality Assurance
2. Segregation of Duties
Incompatible-duty matrix (columns: System Analyst, IT Developer, Data Entry, Computer Operator, Librarian)
System Analyst: X X
IT Developer: X X X
Data Entry: X X
Computer Operator: X X X
Librarian: X X
X means incompatible duties
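A matrix like the one above is only useful if it is enforced, both preventively (before a role is granted) and detectively (over the role assignments that already exist). The following is an added example, not code from the slides: the incompatible pairs and the user assignments are assumptions chosen for illustration and do not reproduce the slide's own matrix.

```python
"""Segregation-of-duties (SoD) check over role assignments.

Added illustrative example; it is not code from the slides. The incompatible
pairs and the user assignments below are assumptions for illustration and do
not reproduce the slide's own matrix.
"""
from itertools import combinations
from typing import Dict, List, Set, Tuple

ROLES = ["System Analyst", "IT Developer", "Data Entry", "Computer Operator", "Librarian"]

# Assumed incompatible duty pairs (unordered, hence frozenset).
INCOMPATIBLE = {
    frozenset({"IT Developer", "Computer Operator"}),   # developer must not run production
    frozenset({"IT Developer", "Librarian"}),           # developer must not control the production library
    frozenset({"IT Developer", "Data Entry"}),
    frozenset({"System Analyst", "Computer Operator"}),
    frozenset({"System Analyst", "Data Entry"}),
    frozenset({"Computer Operator", "Librarian"}),      # operator must not manage tapes/software
}


def is_compatible(role_a: str, role_b: str) -> bool:
    return frozenset({role_a, role_b}) not in INCOMPATIBLE


def matrix_row(role: str) -> List[str]:
    """One row of the SoD matrix in ROLES order: 'X' where the pair is incompatible."""
    return ["X" if other != role and not is_compatible(role, other) else "" for other in ROLES]


def sod_violations(assignments: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Detective check: every (user, role, role) combination that breaches the matrix."""
    found = []
    for user, roles in assignments.items():
        for a, b in combinations(sorted(roles), 2):
            if not is_compatible(a, b):
                found.append((user, a, b))
    return sorted(found)


def can_grant(assignments: Dict[str, Set[str]], user: str, new_role: str) -> Tuple[bool, List[str]]:
    """Preventive check run before a role is added: refuse if it conflicts with a held role."""
    conflicts = sorted(r for r in assignments.get(user, set()) if not is_compatible(r, new_role))
    return (not conflicts, conflicts)


# Constructed role assignments; bob and dave are the deliberate violations.
ASSIGNMENTS = {
    "alice": {"System Analyst"},
    "bob": {"IT Developer", "Computer Operator"},
    "carol": {"Data Entry", "Librarian"},
    "dave": {"IT Developer", "Computer Operator", "Librarian"},
}

if __name__ == "__main__":
    for role in ROLES:
        print(f"{role:18s} " + " ".join(c or "-" for c in matrix_row(role)))
    for user, a, b in sod_violations(ASSIGNMENTS):
        print(f"violation: {user} holds both {a!r} and {b!r}")
    print(can_grant(ASSIGNMENTS, "alice", "Computer Operator"))
```

`can_grant` is the check an identity-management workflow runs when a role request arrives; `sod_violations` is the periodic review that catches assignments made outside that workflow. Both read the same pair set, so the policy lives in one place.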
3. Job Rotation
A detective control
Require operations staff to rotate their job duties on a regular basis, so that another staff member can detect anomalies
Have a human resources policy requiring operations staff to take annual leave of at least 2 consecutive weeks; while they are away someone else performs their duties and can detect irregularities the absent person may have been concealing
4. Least Privilege
Preventive control
Only the minimum access privilege needed to perform a task is granted
The purpose of least privilege is to ensure that a task can only be performed by an authorized user, and that the privilege granted for it allows nothing beyond that task
For example
◦ "Super User" privilege is not granted to operations staff; where a task needs an elevated action, only that specific action is delegated
5. Need To Know
Preventive control
Only those users who need to perform a task are provided with the information and knowledge for processing the task
This can be achieved by restricting user access to operations manuals, system documents, etc.
Reduces the risk of unauthorised system access
Operations Controls
Change controls
Problem management
Capacity management
Document controls
Media handling
Operations acceptance test
Audit trails
Virus controls
Physical (Environmental) Security
Physical Security
The physical facility is the building or vehicle housing the system and network components
The physical characteristics of these structures and vehicles determine the level of physical threats such as fire and unauthorised access
The facility's geographic location determines the characteristics of natural threats such as earthquakes and flooding
Physical Security
◦ Natural Environmental Threats: floods, fire, earthquake, …
◦ Supply System Threats: power outages, communication interruptions, …
◦ Manmade Threats: explosions, disgruntled employees, fraud, …
◦ Politically Motivated Threats: strikes, riots, civil disobedience, …
Physical Security
Elements of physical security measures
Deterrence
◦ Convince people not to attack
Detection
◦ Alarms, guards, and other means of detecting attacks
Delay
◦ Elements that slow down an attacker, e.g. locks and safes
Response
◦ Guards or a call to the police
The elements work together: the delay after detection must be longer than the time the response takes to arrive, otherwise the attacker reaches the asset before anyone intervenes
Physical Security – Controls
Administrative controls
◦ facility selection, facility construction and management, personnel control, evacuation procedures, system shutdown procedures, fire suppression procedures, handling procedures for other exceptions such as hardware failure, bomb threats, etc.
Physical controls
◦ facility construction material, keys and locks, access cards and readers, fences, lighting, etc.
Technical controls
◦ physical access control and monitoring systems, intrusion detection and alarm systems, fire detection and suppression systems, uninterruptible power supply, heating/ventilation/air conditioning (HVAC), disk mirroring, data backup, etc.
Security Considerations of Physical Security
◦ What are the security considerations in protecting the equipment when it goes into the cloud?
◦ Access Control
  ◦ Who has access to the servers and storage devices?
◦ Against Hazards
  ◦ Fire and smoke sensors
  ◦ Fire extinguishers
  ◦ Water sensors and raised floors
  ◦ UPS
◦ Against Attacks
  ◦ Fast recovery at a backup site
◦ Retiring Devices
  ◦ Define a retirement process for failed or used storage devices (the data must be sanitized, or the media destroyed, before the device leaves the provider's control)
Security Considerations of Physical Security – Access Control
Access Control and Auditing
◦ Lock and key
◦ Access card and reader
◦ Fence
◦ Lighting
◦ Doorway and mantrap
Access Monitoring and Intrusion Detection
◦ Patrol force / security guards
◦ Technical access monitoring controls
◦ Alarm system
Physical Access Security
Access control facilities
◦ Fence, gate and turnstile
◦ Mantrap
◦ Lighting
◦ CCTV
◦ Guards
Fence, Gate and Turnstile
Fence and gate
◦ Mark the boundary of a facility to deter unauthorized access
◦ Must be tall enough to stop a determined intruder
A turnstile is a revolving gate that restricts the number of people entering or leaving a facility at a time, for pedestrian traffic control; it also stops a second person passing through on one credential (tailgating)
Mantrap
A mantrap consists of a set of double doors where only one of the doors can be opened at a time, for access control
For additional security, persons entering and leaving a facility can be monitored and controlled by a guard
Lighting
One of the most basic (and cheapest) components of a security system
Carefully designed and coordinated interior and exterior lighting systems can exert a significant deterrent effect
Closed Circuit Television (CCTV)
For deterring and detecting abnormal events
Locate CCTV at strategic points such as:
◦ Entries to the data centre
◦ Unmanned machine rooms
Live events should be recorded and retained for future analysis and/or prosecution
Guards
Good for controlling physical access and perimeter security, e.g. registering visitors, escorting visitors
Will be more effective if supplemented by locked doors and CCTV
Good for situations (e.g. during an emergency) which require making immediate judgments and decisions
Guards must be trained so that they can perform their work effectively
Access Control System
There are three types of user authentication factors for controlling user access:
◦ Something an individual knows (e.g. password)
◦ Something an individual possesses (e.g. smart card)
◦ Something an individual is (e.g. fingerprint)
These methods can be used alone or in combination (multi-factor authentication)
Programmable Lock
A programmable lock requires the user to enter a pattern of digits (the lock combination) on a numeric keypad to determine whether access is allowed
Programmable locks can be mechanically or electronically based
Suitable only for areas with low access security requirements, as the combination can be obtained by observing an authorised user entering it (shoulder surfing), and a combination shared by everyone gives no record of who entered
Memory Card
Memory cards store, but do not process, information
A memory card is significantly more secure than a password, especially if the card must be presented both for entering and for leaving the controlled areas (so a card cannot be passed back to admit a second person)
More administrative overhead for managing the memory cards, e.g. handling of lost cards
Biometrics Systems
Biometric systems identify people by a unique human characteristic such as the size and shape of a hand, fingerprint, voice, iris, etc.
Benefits of biometrics for access control
◦ More secure, as sharing/stealing of access cards is eliminated
◦ Administrative time for handling lost cards is reduced
◦ Convenience
Security Access Control: Hand Geometry Reader
Network Operation Centre: Closed-circuit TV Surveillance System (CCTV)
Security Operation Center
Computer Room Air Conditioning (CRAC)
Configured with a fail-safe back-up system and with temperature and humidity control
Uninterruptible Power Supply (UPS)
FM200 Fire Suppression System and Pre-Action Sprinkler System
Cages, Racks and Cabinets
Cloud Computing
Grid Computing
Grid computing is the federation of computer resources from multiple locations to reach a common goal.
The grid can be thought of as a distributed system with non-interactive workloads that involve a large number of files.
UST had two supercomputers during 1994–1996
Top500 Supercomputer sites
What is Cloud Computing?
Large Scale Cloud Computing
3 Service Models of Cloud Computing
SaaS (Software-as-a-Service)
◦ The consumer uses the provider's applications running on a cloud infrastructure
◦ E.g. Google Apps, Salesforce
PaaS (Platform-as-a-Service)
◦ The consumer deploys consumer-created or acquired applications onto the cloud infrastructure
◦ E.g. Windows Azure, Google App Engine
IaaS (Infrastructure-as-a-Service)
◦ The consumer provisions processing, storage, networks, and other fundamental computing resources
◦ E.g. Amazon EC2, GoGrid
5 Essential Characteristics of Cloud Computing
Broad network access
◦ Ubiquitous – can be accessed from anywhere over the network
Rapid elasticity
◦ Highly scalable, even appearing "unlimited" to the users
Measured service
◦ Pay per use (the "taxi" metaphor)
On-demand self-service
◦ Users can request the service automatically, without human interaction with the service provider
Resource pooling
◦ Shared resource pool; the user has no control over the exact location of the provided resources
Terminology of cloud computing (deployment models)
Public Cloud
◦ The cloud infrastructure is owned by an organization selling cloud services
Private Cloud
◦ The cloud infrastructure is operated solely for a single organization
Community Cloud
◦ The cloud infrastructure is shared by several organizations having similar requirements
Hybrid Cloud
◦ The cloud infrastructure is a composition of two or more clouds (private, community, or public)
Amazon
Windows Azure
Cloud related threats
Isolation risk
De-perimeterization
Roles & responsibilities issues
De-perimeterization
Forrester Research proposed the Zero Trust architecture
◦ No default trust for any entity, including users, devices, applications and packets
◦ Keep the concept of protecting compartmentalized segments of the network
VLANs (Virtual Local Area Networks) can be used to segment the network, but a VLAN decides only by where a host sits; it cannot enforce control based on observed threats or on sensitive (privileged) information detected in the traffic, so a compromised host inside the segment is trusted like any other
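The difference between location-based trust and "no default trust" is easiest to see as two access-decision functions run over the same requests. The following is an added example, not code from the slides or from Forrester's material: the VLAN range, the policy table, the device-posture flag and the sample requests are all constructed.

```python
"""Per-request access decision: network-location trust versus zero trust.

Added illustrative example; it is not code from the slides or from Forrester.
The VLAN range, the policy table, the device-posture flag and the sample
requests are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Assumed "trusted" server VLAN. In the perimeter model anything inside it is trusted.
SERVER_VLAN = ip_network("10.10.20.0/24")


@dataclass(frozen=True)
class Request:
    src_ip: str
    user: Optional[str]      # authenticated identity; None if the caller never authenticated
    device_compliant: bool   # device posture reported by management/EDR (assumed flag)
    resource: str
    action: str


def vlan_decision(req: Request) -> bool:
    """Segmentation-only model: trust is implied by where the packet comes from."""
    return ip_address(req.src_ip) in SERVER_VLAN


# Zero-trust policy: explicit (resource, action) -> identities, independent of source VLAN.
POLICY = {
    "payroll-db": {"read": {"hr-app"}, "write": {"hr-app"}},
    "build-server": {"read": {"dev-ci", "alice"}, "write": {"dev-ci"}},
}


def zero_trust_decision(req: Request) -> Tuple[bool, str]:
    """No default trust: each request must be authenticated, come from a compliant
    device, and be explicitly authorized for that resource and action."""
    if req.user is None:
        return False, "unauthenticated"
    if not req.device_compliant:
        return False, "device not compliant"
    allowed = POLICY.get(req.resource, {}).get(req.action, set())
    if req.user not in allowed:
        return False, f"{req.user} not authorized for {req.action} on {req.resource}"
    return True, "allowed"


# Constructed requests.
INSIDER_LATERAL = Request("10.10.20.45", None, False, "payroll-db", "write")   # compromised host in the VLAN
LEGIT_INSIDE = Request("10.10.20.10", "hr-app", True, "payroll-db", "write")
LEGIT_OUTSIDE = Request("10.10.30.7", "hr-app", True, "payroll-db", "read")     # same service, other segment
BAD_POSTURE = Request("10.10.20.10", "alice", False, "build-server", "read")
OVERREACH = Request("10.10.20.10", "alice", True, "build-server", "write")

if __name__ == "__main__":
    samples = [("insider lateral move", INSIDER_LATERAL), ("legit, inside VLAN", LEGIT_INSIDE),
               ("legit, outside VLAN", LEGIT_OUTSIDE), ("bad posture", BAD_POSTURE),
               ("overreach", OVERREACH)]
    for label, req in samples:
        print(f"{label:22s} vlan={vlan_decision(req)!s:5s} zero-trust={zero_trust_decision(req)}")
```

The VLAN model lets the compromised host write to the payroll database simply because it sits in the server segment, and blocks the legitimate HR service once it moves to another segment, which is exactly the de-perimeterization problem. The zero-trust function reaches the opposite result on both, because every decision is made from identity, device state and an explicit policy rather than from the source address.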
Cloud Security
Final words
What else you have to learn
ITIL Process
◦ Operations Security
◦ Change Management
◦ Problem Management
◦ Capacity Management
◦ …
Secure Application Programming Practices
IT Security Policies and Security Management
Physical Security
What can you learn from the exam? …
Prepare for the Future
Hot topics in the IT security field
◦ Identity Management
◦ Online Fraud Detection
◦ Mobile and Cloud Security Architecture Design
◦ Cloud Security implementation
◦ Software Defined Network
◦ Application Security
◦ IoT Security
Prepare for Certificates
ISC2
◦ CISSP
◦ SSCP
◦ CSSLP
◦ CCSP
◦ CCFP
CSA
◦ CCSK
ISACA
◦ CISA
◦ CSX
EC-Council
◦ CEH
SANS
◦ GCFA
◦ GCFE
◦ GREM
◦ GWAPT
◦ …
Security related work in HK industry
• Security Administrator
• Security Assessor / Security Auditor
• Security Applications Developer
• Security Architect
(across the lifecycle: Design, Implementation, Operations, Review)