Table of Contents
- Getting Started
- Overview
- Operational Procedures and Responsibilities (ISO 12.1)
- Protection from Malware (ISO 12.2)
- Backups (ISO 12.3)
- Logging and Monitoring (ISO 12.4)
- Control of Operational Software (ISO 12.5)
- Technical Vulnerability Management (ISO 12.6)
- Information Systems Audit Considerations (ISO 12.7)
- Resources
- Standards
Getting Started
Operations security involves planning and sustaining the day-to-day “rubber meets the road” processes that are critical to maintaining the security of an institution’s information environment. The extent and complexity of security operations will vary between institutions based on their risk tolerance and resource levels. However, each of the control areas in this chapter must be addressed in some manner to help mitigate common, ubiquitous risks. The most important aspect of operations security is that the operations themselves need to be repeatable, reliable, and consistently performed. If you are just starting an information security program, or looking to evaluate and improve operations security, then the following approach can be very helpful:
Overview
To be effective in reducing information security risk and ensuring correct computing, the security program needs to include operational procedures, controls, and well-defined responsibilities. These are complemented, and often required, by formal policies, procedures, and controls that protect the exchange of data and information over any type of communication medium or technology. The control areas covered in this chapter are:
- Operational Procedures and Responsibilities (important operational processes include: Change Management; Capacity Management; Separation of Development, Test, and Operations Environments)
- Protection from Malware
- Backups
- Logging and Monitoring
- Control of Operational Software
- Technical Vulnerability Management
- Information System Audit Considerations
Operational Procedures and Responsibilities (ISO 12.1)
Objective: To ensure the effective operation and security of information processing facilities.
Documented Operating Procedures
Key Question: Do we have procedures that are readily available, periodically updated, and consistently executed?
- University of Texas Network Operations Manual (PDF)
- University of Houston Information Security Resources and Operations Manual
- EDUCAUSE: Shared Data Centers: Something Old and Something New
- EDUCAUSE: The EITS Analysis Committee: A Grassroots Effort at Standardized Documentation and Diagramming Templates
- EDUCAUSE: Business Continuity Management Discussion
Change Management Procedures
Key Question: Do we have a formal method for classifying, evaluating, and approving changes?
- Clemson CCIT Change Management Page
- Indiana University UITS Change Management
- Stanford Change Management System
- Oregon State Change Management Policy
- EDUCAUSE Presentation: Inform, Engage, and Educate: How to Communicate Major Service and System Updates and Changes to the Campus
- The Visible Ops Handbook
Capacity Management Procedures
Key Question: Do we monitor resource utilization and establish projections of capacity requirements to ensure that we maintain service performance levels?
- Apache JMeter (load testing tool for web services and a variety of other protocols)
- IBM partnership with North Carolina Central University (NCCU) and NC State University to create the "greenest" cloud computing Data Center (Capacity Management emphasis)
Protection from Malware (ISO 12.2)
Objective: To protect the confidentiality, integrity, and availability (CIA) of information technology resources and data.
- Managing Malware
- Tools and Methods for Managing SNORT Sensors in Distributed Environments
- DNS Sinkholing to Reduce Network Compromises
- Symantec Corporation and Temple University - Securing a Free and Open University Environment
- FireEye, Inc. and University of California, Berkeley - Combating Stealth Malware and Botnets in Higher Education
- Using OSSEC Open-Source, Host-Based Intrusion Detection
- Web Application Firewalls at SCSU: Why and How
- University of Albany's IP Blocker: Elevating IDS to IPS
- Malware Detection and Mitigation with Passive DNS and Blackhole DNS (seminar)
- A Gentle Introduction to Bro
- VirusTotal (Free Scanning Tool That Uses Multiple AV Engines)
Backups (ISO 12.3)
Objective: To ensure the integrity and availability of information processed and stored within information processing facilities.
- University of Iowa Backup and Recovery Policy
- East Carolina University SYSTEM Server Disaster Recovery Plan
- Disaster Recovery Planning: How to Build It, How to Test It
- Preparing for Big Data: Strategic Storage Planning at Lehigh University
- Next-Generation Backup: Simpler and Cheaper, with Disaster Recovery Capability
Logging and Monitoring (ISO 12.4)
Objective: To detect unauthorized activities that may have a detrimental effect upon information processing facilities.
- EDUCAUSE: Improving Security Event Correlation and Analysis Using Intelligent Agents
- EDUCAUSE: REN-ISAC and CSI2---The Security Event System
- E-Discovery Toolkit
- Critical Log Review Checklist for Security Incidents
Control of Operational Software (ISO 12.5)
Objective: To ensure the integrity of operating systems.
Technical Vulnerability Management (ISO 12.6)
Objective: To prevent exploitation of technical vulnerabilities.
- Campus Case Study: Enhancing Application Security with a Web Application Firewall - UC, Irvine
Technical Vulnerability Scanning
Depending on the size and structure of the institution, the approach to vulnerability scanning might differ. Small institutions that have a good understanding of IT resources throughout the enterprise might centralize vulnerability scanning. Larger institutions are more likely to have some degree of decentralization, so vulnerability scanning might be the responsibility of individual units. Some institutions might have a blend of both centralized and decentralized vulnerability assessment. Regardless, before starting a vulnerability scanning program, it is important to have authority to conduct the scans and to understand the targets that will be scanned.
Vulnerability scanning tools and methods are often somewhat tailored to varied types of information resources and vulnerability classes. The table below shows several important vulnerability classes and some relevant tools.
Common Types of Technical Vulnerabilities | Relevant Assessment Tools |
---|---|
Application Vulnerabilities | Web Application Scanners (static and dynamic), Web Application Firewalls |
Network Layer Vulnerabilities | Network Vulnerability Scanners, Port Scanners, Traffic Profilers |
Host/System Layer Vulnerabilities | Authenticated Vulnerability Scans, Asset and Patch Management Tools, Host Assessment and Scoring Tools |
Common Challenges
"Scanning Can Cause Disruptions." IT operations teams are, quite reasonably, very sensitive about how vulnerability scans are conducted and keen to understand any potential for operational disruption. Legacy systems and older equipment can have problems even with simple network port scans. To address this, it is often useful to build confidence in the scanning process by partnering with these teams to conduct risk evaluations before initiating or expanding a scanning program. It is also important to agree on the “scan windows” in which these vulnerability assessments will occur, so that they do not conflict with regular maintenance schedules.
"Drowning In Vulnerability Data and False Positives." Technical vulnerability management practices can produce very large data sets. It is important to realize that a tool reporting a vulnerability does not mean it is actually present; findings frequently need follow-up evaluation to be validated. Reviewing every reported vulnerability is usually infeasible for many teams. For this reason, it is very important to develop a vulnerability prioritization plan before initiating a large number of scans. These priority plans should be risk driven, so that teams spend their time dealing with the most important vulnerabilities in terms of both likelihood of exploitation and impact.
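As an added example (not from this page or any of the linked institutions), the following Python sketch shows one way to put the risk-driven prioritization described above into practice: constructed scanner findings are scored by likelihood of exploitation (scanner severity plus exploit availability) and by impact (asset criticality), confirmed false positives are dropped, and the remainder is ranked so analysts work the top of the list first. The column layout, weights, and sample hosts are assumptions.

```python
from dataclasses import dataclass

# Constructed sample scanner output (not real data), one finding per line,
# tab-separated: host, vuln id, scanner severity (0-10), public exploit
# available (yes/no), asset criticality (low/medium/high), validation state
# (yes = confirmed, no = not yet checked, fp = confirmed false positive).
SAMPLE_FINDINGS = """\
web01\tVULN-A\t9.8\tyes\thigh\tyes
db02\tVULN-B\t7.5\tno\thigh\tno
lab17\tVULN-C\t9.0\tyes\tlow\tfp
print03\tVULN-D\t5.3\tno\tlow\tno
web01\tVULN-E\t6.1\tyes\tmedium\tyes
"""

# Assumed impact weights per asset criticality tier.
IMPACT = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Finding:
    host: str
    vuln_id: str
    severity: float
    exploit_available: bool
    criticality: str
    validated: str

    def likelihood(self):
        # Scanner severity scaled to 0-1, boosted 1.5x when a public exploit exists.
        base = self.severity / 10.0
        return min(1.0, base * (1.5 if self.exploit_available else 1.0))

    def risk(self):
        # Risk = likelihood of exploitation x impact of the affected asset.
        return round(self.likelihood() * IMPACT[self.criticality], 2)


def parse_findings(text):
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, vid, sev, exploit, crit, val = line.split("\t")
        findings.append(Finding(host, vid, float(sev), exploit == "yes", crit, val))
    return findings


def prioritize(findings):
    # Drop confirmed false positives, then rank by risk; at equal risk,
    # validated findings come before those still awaiting follow-up.
    live = [f for f in findings if f.validated != "fp"]
    return sorted(live, key=lambda f: (-f.risk(), f.validated != "yes", f.host))
```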
Information Systems Audit Considerations (ISO 12.7)
Objective: Minimize the impact of audit activities on operational systems.
Any audit activity that assesses an operational system should be managed to minimize its impact on the system during required hours of operation. Any testing of operational systems that could adversely affect the system should be conducted during off hours.
Resources
Standards
- ISO/IEC 27002:2013 Information Security Management
- NIST SP 800-100: Information Security Handbook: A Guide for Managers
- COBIT APO12.01
- PCI DSS Req 2
- NIST CSF ID.BE-4
- HIPAA 45 CFR 164.308(a)(5)(ii)(B)