5. Security Operations

Data Handling

Goes through a life cycle as users create, use, share, modify data

Model: create, store, use, share, archive, destroy

Classification

Process of recognizing organizational impacts if there is a compromise

1. Dictates rules/restrictions about how info is used, stored, shared

2. Keeps the value, importance of data, info from leaking

3. Before attacking labels: Assessments

4. Came from laws, regulations, contracts, business expectations

5. Leads to better design, implementation of processes

Labeling

Implementing controls to protect classified info

1. Highly restricted: Could put future existence at risk

   • Could lead to loss of life, injury, property damage, litigation

2. Moderately restricted: Loss of advantage, revenue, disruption

3. Low sensitivity: Internal use, minor disruptions, delays, impacts

4. Unrestricted public data: Published, dissemination, disclosure

Retention

Data should only be kept for as long as it's beneficial

1. Data retention policy: No data kept beyond required life

2. Data destruction performed when assets reach retention limits

   • Asset inventory, retention period, destruction requirements

   • Periodic review of records to reduce volume of stored info

   • Records retention policy: Length of required retention

Policies should guarantee:

1. Personnel understand retention requirements

2. Appropriate documentation retention requirements exist

3. Everything retains info in accordance with schedule

Destruction: Can be done by one of several means:

1. Clearing device, overwriting, zeroizing

2. Purging: Reduce chance residual physical effects will be recovered

3. Physical destruction: Mechanical shredding, etched in acid, burned

Logging & Monitoring Security Events

Captures signals generated by events

Events: Actions that take place in the environment that cause change user IDs, activities, dates/times, device/location identity

Logging/Monitoring

Event Logging Best Practices:

Ingress monitoring (inner): Surveillance of inbound traffic, access

• Firewalls, gateways, remote authentication servers

• IDS/IPS, SIEM

• Anti-malware

Egress monitoring (outer): Regulates data leaving the environment

• Email, portable media,

• FTP, websites, API's: Application Programming Interfaces

---

Encryption

Hiding data in ways only intended recipients understand it

Protects info by keeping it secret, unintelligible and transform plaintext

1. Confidentiality: Messages can't be understood by anyone but intended

2. Integrity: Hash functions & digital signatures: Verify no alteration

Symmetric

Uses same key in both encryption/decryption processes

• Two parties communicating need to share knowledge of key

• Someone who compromises comms could intercept the key

• Key distribution is difficult: MITM

• Out-of-Band key distribution: Sending through a diff channel

  • Bulk data: Backups, HDDs, portable media

  • Messages traversing communications channels

  • Streaming large-scale, time-sensitive data

Asymmetric

Uses one key to encrypt, different key to decrypt

• User would need to generate key pair

• Usually PKI: Public Key Infrastructure

• One half of key pair kept secret

• Other half can be given freely

Problems: Extremely slow compared to symmetric

Hashing

Takes data and returns fixed-length result called hash value.

Hash function: Alg used to perform the transformation

To be useful, a hash function must demonstrate 5 things: 

1. Easy to compute hash value

2. Nonreversible: Infeasible to reverse process

3. Content integrity: Infeasible to modify

4. Unique: Infeasible to find diff messages that hash the same value

5. Deterministic: Same input will always generate same hash with alg

Configuration Management

Only authorized changes happen

Identification

Baseline ID of a system, interfaces, documentation

Baseline: Min level of protection used as a reference point

Change Control

Process for requesting changes to a baseline through its components

Audit

Verification: Validation process, may involve testing

Audit process:

1. Validates in-use baselines

2. Matches sum of baseline + approved changes in sequence Inventory

3. Makes catalog of all info assets org is aware of

Common Security Policies

Data Handling/Password

Appropriate use of data:

• Defines if data for company use, is restricted by role, or made public

• Proper classification helps comply with laws and regulations

Password Policy: Expectations of systems, users, passwords

AUP

Acceptable Use Policy: Acceptable use of network, protects from legal

• Should detail approved use of assets, every employee signs

• Data access, disclosure, retention, internet & device use

BYOD/Privacy

BYOD: Bring Your Own Device

Privacy Policy: Personnel understand handling sensitive info

• Which info considered PII/ePHI, punitive measures for failure

Change Management

Focuses on making decisions with approval

Three major activities:

1. Deciding change

2. Making change

3. Confirming change accomplished

Change Management

RFC

Request For Change: Moves through various development & test stages

Approval

Assignment to proper change authorization process

Rollback

Verifying rollback procedures