Domain 7: Security Operations: Security Operations Concepts
Sensitive Information Procedures
Access control and its use in preventing unauthorized access to sensitive data is important for organizational security. It follows that the secure handling of sensitive information is critical. Although we tend to think in terms of the company's information, it is also critical that the company protect the private information of its customers and employees as well. A leak of users' and customers' personal information causes at a minimum embarrassment for the company and possibly fines and lawsuits. Regardless of whether the aim is to protect company data or personal data, the key is to apply the access control principles to both sets of data.
Managing Accounts, Groups, and Roles
Devices, computers, and applications implement user and group accounts and roles to allow or deny access. User accounts are created for each user needing access. Group accounts are used to configure permissions on resources. User accounts are added to the appropriate group accounts to inherit the permissions granted to that group. User accounts can also be assigned to roles. Roles are most often used by applications.
Job Rotation
From a security perspective, job rotation refers to training multiple users to perform the duties of a position to help prevent fraud by any individual employee. The idea is that the more people are familiar with the legitimate functions of the position, the more likely it is that unusual activity by any one person will be noticed. This is often used in conjunction with mandatory vacations, in which all users are required to take time off, allowing another to fill their position while they are gone, which enhances the opportunity to discover unusual activity. Beyond the security aspects of job rotation, additional benefits include:
■ Trained backup in case of emergencies
■ Protection against fraud
■ Cross training of employees
Rotation of duties, separation of duties, and mandatory vacations are all administrative controls.
Need to Know/Least Privilege
In regard to allowing access to resources and assigning rights to perform operations, always apply the concept of least privilege (also called need to know). In the context of resource access, that means that the default level of access should be no access. Give users access only to the resources required to do their job, and that access should require manual implementation after the requirement is verified by a supervisor. Discretionary access control (DAC) and role-based access control (RBAC) are examples of systems based on a user's need to know. Ensuring least privilege requires that each user's job be identified and that each user be granted the lowest clearance required for their tasks. Another example is the implementation of views in a database. Need-to-know requires that the operator have the minimum knowledge of the system necessary to perform his task.
Information Life Cycle
In security operations, security professionals must understand the life cycle of information, which includes creation, distribution, usage, maintenance, and disposal of information. After information is gathered, it must be classified to ensure that only authorized personnel can access the information.
Monitor Special Privileges
Inevitably some users, especially supervisors or those in the IT support department, will require special rights and privileges that other users do not possess. For example, users who work the Help Desk might need to be able to reset passwords or make changes to user accounts. These types of rights carry with them a responsibility to exercise them responsibly and ethically. Although in a perfect world we would like to assume that we can expect this from all users, in the real world we know this is not always true. Therefore, one of the things to monitor is the use of these privileges. Although we should be concerned with the amount of monitoring performed and the amount of data produced by this monitoring, recording the exercise of special privileges should not be sacrificed, even if it means regularly saving the data as a log file and clearing the event gathering system.
Separation of duties is what type of control?
It is considered a preventive administrative control.
The implementation of views in a database is an example of?
Need-to-know
Record Retention
Proper access control is not possible without auditing. This allows us to track activities and discover problems before they are fully realized. Because this can sometimes lead to a mountain of data to analyze, only monitor the most sensitive of activities, and retain and review all records. Moreover, in many cases companies are required by law or regulation to maintain records of certain data. Most auditing systems allow for the configuration of data retention options. In some cases the default operation is to start writing over the older records in the log when the maximum log size is full. Regular clearing and saving of the log can prevent this from happening and avoid the loss of important events. In cases of extremely sensitive data, having a server shut off access when a security log is full and cannot record any more events is even advisable.
Dual control is another name for what concept?
Separation of Duties
Service-Level Agreements
Service-level agreements (SLAs) are agreements about the ability of the support system to respond to problems within a certain timeframe while providing an agreed level of service. They can be internal between departments or external to a service provider. By agreeing on how quickly various problems are addressed, some predictability is introduced to the response to problems, which ultimately supports the maintenance of access to resources. The SLA should contain a description of the services to be provided and the expected service levels and metrics that the customer can expect. It also includes the duties and responsibilities of each party to the SLA. It lists the service specifics, exclusions, service levels, escalation procedures, and cost. It should include a clause regarding payment to the customer resulting from a breach of the SLA. While SLAs can be transferable, they are not transferable by law. Metrics that should be measured include service availability, service levels, defect rates, technical quality, and security. SLAs should be periodically reviewed to ensure that the business needs, technical environment, or workloads have not changed. In addition, metrics, measurement tools, and processes should be reviewed to see if they have improved.
Separation of Duties
The concept of separation of duties prescribes that sensitive operations be divided among multiple users so that no one user has the rights and access to carry out the operation alone. Separation of duties is valuable in deterring fraud by ensuring that no single individual can compromise a system. It is considered a preventive administrative control. An example would be one person initiating a request for a payment and another authorizing that same payment. This is also sometimes referred to as dual control.
Service account
These accounts are used to run system services and applications. Therefore, security professionals can limit the service account's access to the system. Always research the default user accounts that are used. Make sure that you change the passwords for these accounts on a regular basis. Use of these accounts should always be audited.
Power user accounts
These accounts have more privileges and permissions than normal user accounts. These accounts should be reviewed on a regular basis to ensure that only users who need the higher-level permissions have these accounts. Most modern operating systems limit the abilities of the power users or even remove this account type entirely.
Regular administrator accounts
These administrator accounts are created and assigned only to a single individual. Any user who has an administrative account should also have a regular account to use for normal day-to-day operations. Administrative accounts should only be used when performing administrative-level duties, and use of these accounts should always be audited.
Regular user accounts
These are the accounts users use while performing their normal everyday job duties. These accounts must strictly follow the principle of least privilege.
Root or built-in administrator account
These are the most powerful accounts on the system. It is best to disable such an account after you have created another account with the same privileges because most of these account names are well known and can be used by attackers. If you decide to keep these accounts, most vendors suggest that you change the account name and give it a complex password. Root or administrator accounts should be used only when performing administrative duties, and use of these accounts should always be audited.
Rotation of duties, separation of duties, and mandatory vacations are all what type of controls?
Administrative controls.
Need-to-know requires that the operator have the what?
Minimum knowledge of the system necessary to perform his task.
In the context of resource access, that means that the default level of access should be?
No access.
Discretionary access control (DAC) and role-based access control (RBAC) are examples of
Systems based on a user's need to know.
When examining access control procedures and policies, which questions need to be answered?
■ Is data available to the user that is not required for his job?
■ Do too many users have access to sensitive data?