
Dr. Bhavani Thuraisingham The University of Texas at Dallas (UTD) June 2011


Presentation Transcript


  1. Operations Security • Dr. Bhavani Thuraisingham • The University of Texas at Dallas (UTD) • June 2011

  2. Domain Objectives • Protection and Control of Data Processing Resources • Media Management • Backups and Recovery • Change Control • Privileged Entity Control

  3. Control Categories • Preventive • Detective • Corrective • Deterrent • Recovery • Directive • Compensating

  4. Application-related Controls • Transaction • Input • Processing • Output • Test • Supervision / balancing • Job-flow • Logging • Licensing

  5. Operations Security Focus Areas • Auditors • Support staff • Vendors • Security • Programmers • Operators • Engineers • Administrators

  6. Domain Agenda • Resource Protection • Continuity of Operations • Change Control Management • Privileged Entity Control

  7. Facility Support Systems • The support systems in centralized and decentralized operation centers must be protected • Hardware • Software • Storage media • Cabling • Physical security

  8. Facility Support Systems (cont.) • Fire protection • HVAC • Electrical power goals

  9. Facility Support Systems (cont.) • Water • Communications • Alarm systems

  10. Media Management • Storage • Encryption • Retrieval • Disposal

  11. Object Reuse • Securely reassigned • Disclosure • Contamination • Recoverability

  12. Clearing of Magnetic Media • Overwriting • Degaussing • Physical destruction

  13. Media Management Practices • Sensitive Media Controls • Destroying • Marking • Labeling • Handling • Storing • Declassifying

  14. Misuse Prevention

  15. Records Management • Consideration for records management program development • Guidelines for developing a records management program • Records retention

  16. Domain Agenda • Resource Protection • Continuity of Operations • Change Control Management • Privileged Entity Control

  17. Adequate Software & Data Backup • Operations controls ensure adequate backups of: • Data • Operating systems • Applications • Transactions • Configurations • Reports • Backups must be tested • Alternate site recovery plan

  18. Fault Tolerance • Hardware failure is planned for • System recognizes a failure • Automatic corrective action • Standby systems • Cold – configured, not on, lost connections • Warm – On, some lost data or transactions (TRX) • Hot – ready – failover

  19. RAID – Redundant Array of Independent Disks • Hardware-based • Software-based • Hot spare

  20. RAID Level 0 • Two or more disks • No redundancy • Performance only

  21. RAID Level 1 • Exact copy (or mirror) • Two or more disks • Fault tolerant • 200% cost

  22. RAID Level 2 • Striping of data with error correcting codes (ECC) • Requires more disks than RAID 3/4/5 • Not used, not commercially viable

  23. RAID Level 3 • Byte level stripes • 1 drive for parity • All other drives are for data

  24. RAID Level 4 • Block level stripes • 1 drive for parity • All other drives are for data

  25. RAID Level 5 • Block level stripes • Data and parity interleaved amongst all drives • The most popular RAID implementation

  26. RAID Level 6 • Block level stripes • All drives used for data AND parity • 2 parity types • Higher cost • More fault tolerant than RAID implementations 2 - 5

  27. RAID Level 0+1 • Mirroring and striping • Higher cost • Higher speed

  28. RAID Level 10 • Mirroring and striping • Higher cost • Higher speed

  29. Redundant Array of Independent Tapes (RAIT) • Using tapes, not disks • Real-time mirroring

  30. Hot Spares • Waiting for disaster • Global • Dedicated

  31. Backup Types • File image • System image • Data mirroring • Electronic vaulting • Remote journaling • Database shadowing • Redundant servers • Standby services

  32. System Recovery – Trusted Recovery • Correct implementation • Failures don’t compromise a system’s secure operation

  33. Types of Trusted Recovery • System reboot • Emergency system restart • System cold start

  34. Fail Secure • Cause little or no harm to personnel • System remains secure

  35. Operational Incident Handling • First line of defense • Logging, tracking and analysis of incidents • Escalation and notification

  36. Incident Response Team • Benefits: Protection of assets; Profitability; Regulations; Avoiding downstream damage; Limit exposure • Priorities: Life safety; Labeled data; Communication; Reduce disruption

  37. Contingency Plans • Business continuity plans and procedures • Power failure • System failure • Denial of service • Intrusions • Tampering • Communication • Production delay • I/O errors

  38. Domain Agenda • Resource Protection • Continuity of Operations • Change Control Management • Privileged Entity Control

  39. Change Control Management • Business and technology balance • Defines • Process of changes • Ownership of changes • Changes are reviewed for impact on security

  40. Change Control Committee Responsibilities • Management: Business impact; Regulations; Risk management; Approval; Accreditation • Technical: Request process; Functional impact; Access control; Testing; Rollback; Certification

  41. Change Control Procedures • Request • Impact assessment • Approval • Build/test • Implement • Monitor

  42. Configuration Management Elements • Hardware inventory • Hardware configuration chart • Software • Firmware • Documentation requirements • Testing

  43. Patch Management • Knowledge of patches • Testing • Deployment • Zero-day challenges

  44. Protection of Operational Files • Library Maintenance • Backups • Source code • Object code • Configuration files • Librarian

  45. Domain Agenda • Resource Protection • Continuity of Operations • Change Control Management • Privileged Entity Control

  46. Operator Privileges • Data input and output • Data maintenance • Labeling • Inventory

  47. Administrator Privileges • Systems administrators • Network administrators • Audit highly-privileged accounts

  48. Security Administrator Privileges • Security administration includes: • Policy • Development • Implementation • Maintenance and compliance • Vulnerability assessments • Incident response

  49. Control Over Privileged Entities • Review of access rights • Supervision • Monitoring/audit

  50. Domain Summary • Resource Protection • Continuity of Operations • Change Control Management • Privileged Entity Control
