This simple study booklet is based directly on the ISC² CBKdocument.

This guide does not replace in any way the outstanding value of the CISSP Seminar and the fact that you must have been involved into the security field for at least a few years if you intend to take the CISSP exam. This booklet simply intend to make your life easier and to provide you with a centralized resource for this particular domain of expertise.

This guide was created by Clement Dupuis on 5th April 1999

WARNING:

As with any security related topic, this is a living document that will and must evolve as other people read it and technology evolves. Please feel free to send me comments or input to be added to this document. Any comments, typo correction, etc… are most welcome and can be send directly to: cdupuis@uniconseil.com

DISTRIBUTION AGREEMENT:

This document may be freely read, stored, reproduced, disseminated, translated or quoted by any means and on any medium provided the following conditions are met:

• Every reader or user of this document acknowledges that he his aware that no guarantee is given regarding its contents, on any account, and specifically concerning veracity, accuracy and fitness for any purpose. Do not blame me if some of the exam questions are not covered or the correct answer is different from the content of this document. Remember: look for the most correct answer, this document is based on the seminar content, standards, books, and where and when possible the source of information will be mentioned.

• No modification is made other than cosmetic, change of representation format, translation, correction of obvious syntactic errors.

• Comments and other additions may be inserted, provided they clearly appear as such. Comments and additions must be dated and their author(s) identifiable. Please forward your comments for insertion into the original document.

• Redistributing this document to a third party requires simultaneous redistribution of this licence, without modification, and in particular without any further condition or restriction, expressed or implied, related or not to this redistribution. In particular, in case of inclusion in a database or collection, the owner or the manager of the database or the collection renounces any right related to this inclusion and concerning the possible uses of the document after extraction from the database or the collection, whether alone or in relation with other documents.

Operations security is used to identify the controls over hardware, media, and the operators with access privileges to any of these resources.

The professional should fully understand :

• What resources must be protected and privileges that must be restricted to attain Operations Security.

• The control mechanisms that are available and their relative capabilities.

• The potential for abuse or access to IT/IS systems.

• The appropriate controls, and the practices of good practice regarding Operations Security.

• Administrative Management
• Separation of Duties and Responsabilities
• Job Rotation

• Concepts
• Anti-Virus Management
• Backup of Critical Information
• Changes in Workstation/Location
• Need –to-know/Least Privilege
• Privileged Operations Functions
• Record Retention
• Sensitive Information and Media
• Marking
• Handling
• Storage
• Destruction

• Resource Protection
• Communications Hardware/Software
• Due Care/Due Diligence
• Legal Requirements
• Media Management
• Privacy and Protection
• Processing Equipment

• Types of attacks

• Violations, Breaches, and Reporting

• Define Access Control Mechanisms

Hardware and Software elements and procedures to enable authorized access and prevent unauthorized access.

Security safeguards designed to detect and prevent unauthorized access, and to permit authorized access in an IT product.

• Define Configuration Management

Controlling modifications to system Hardware, Firmware, Software, and Documentation.

Protect against improper modification.

The management of security features and assurances through control of changes made to a system’s hardware, software, firmware, documentation, test, test fixtures, and test documentation throughout the development and operational life of a system.

• Define Contingency Management

Establishing actions to be taken before, during, and after threatening incident.

Includes documented and tested procedures.

Ensure availability of critical systems

Maintain continuity of operations

• Define Contingency Plan

Documented actions for emergency response, backup operations, and post-disaster recovery.

A plan for emergency response, backup operations, and post-disaster recovery maintained by an activity as a part of its security program that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation. Synonymous with "disaster plan" and "emergency plan."

• Define Continuity of Operations

Maintenance of essential DP services after major outage.

• Define Operations Security

Controls over Hardware, Media, and Operators with access

Protects against asset threats

Baseline or selective mechanism

• Define and Describe Possible Recovery Procedures

Recovery procedures are actions to restore Data Processing capability after outage/disruption.

Possible recovery procedures are :

Reboot System, Get running in single-user mode

Recover all files systems active at time of failure

Restore missing/damaged files and database from most recent backup

Check Security Critical Files

Types of System Recovery

Operating systems' responses to failures can be classified into three general categories: (1) system reboot, (2) emergency system restart, and (3) system cold start [14].

System reboot is performed after shutting down the system in a controlled manner in response to a TCB failure. For example, when the TCB detects the exhaustion of

space in some of its critical tables, or finds inconsistent object data structures, it closes all objects, aborts all active user processes, and restarts with no user process in execution. Before restart, however, the recovery mechanisms make a best effort to correct the source of inconsistency. Occasionally, the mere termination of all processes frees up some important resources, allowing restart with enough resources available. Note that system rebooting is useful when the recovery mechanisms can determine that TCB and user data structures affecting system security and integrity are, in fact, in a consistent state.

Emergency system restart is done after a system fails in an uncontrolled manner in response to a TCB or media failure. In such cases, TCB and user objects on nonvolatile storage belonging to processes active at the time of TCB or media failure may be left in an inconsistent state. The system enters maintenance mode, recovery is performed automatically, and the system restarts with no user processes in progress after bringing up the system in a consistent state.

System cold start takes place when unexpected TCB or media failures take place and the recovery procedures cannot bring the system to a consistent state. TCB and user objects may remain in an inconsistent state following attempts to recover automatically. Intervention of administrative personnel is now required to bring the system to a consistent state from maintenance mode.

• Define Security Perimeter as it Pertains to IT/IS

Boundary where security controls protects assets.

Boundary where security controls are in effect to protects assets.

• Define and Describe System High Security Mode

System and all peripherals protected IAW requirements for highest security level of material in system. Personnel with access have security clearance but not need-to-know.

http://www.radium.ncsc.mil/tpep/library/rainbow/CSC-STD-004-85.html describe it as :

The mode of operation in which system hardware/software is only trusted to provide need-to-know protection between users. In this mode, the entire system, to include all components electrically and/or physically connected, must operate with security measures commensurate with the highest classification and sensitivity of the information being processed and/or stored. All system users in this environment must possess clearances and authorizations for all information contained in the system, and all system output must be clearly marked with the highest classification and all system caveats, until the information has been reviewed manually by an authorized individual to ensure appropriate classifications and caveats have been affixed.

The National Security Institude (http://nsi.org/Library/Compsec/sec0.html#TOC) defines it as :

Iinformation that is protected at the highest classification level of the data in the system, the system-high level. Thus, the information is not readily accessible by persons not cleared to the system-high level, even though the information being sought may be of a lower classification level and thereby releasable to the requester.

• Identify the three (3) Critical Aspects of Operations Controls

The three critical Aspects of Operations Controls are

1. Resource Protection, 2. Privileged-entity control, 3. Hardware Control

• Define the Operational Security Issues of Threat, Vulnerability, and Assets

NOTE : I am not sure what they want from this question???

Threat : an action or event that might prejudice security (ITSEC)

Threat : Sequence of circumstances and events that allows a (human or other) agent to cause and information-related misfortune by exploiting a vulnerability in a system operation, or facility (NCSC TG-004 – Teal Green Book)

Vulnerability :

A weakness in system security procedures, system design, implementation, internal controls, that could be exploited to violate system security policy. (NCSC TG-004)

Threat :

A threat is an accidental or deliberate action, event, or condition with the potential to compromise the quality, utility, or functionality of network services and operations. A threat is the result of the exploitation of a vulnerability. For example, if a system is vulnerable because a default password is used, then it is a potential threat that an unauthorized user could exploit the vulnerability of the default password and impersonate another user. Some of threats are :

Denial of Service

Impersonating a User

Disclosure of Information

Message Stream or Data Modification

Traffic analysis

• Identify Resources that Must be Protected to Achieved Operations Security

• Password Files
• Application program libraries
• Source code
• Vendor Software
• Operating System
• Libraries
• Utilities
• Directories
• Address tables
• Proprietary Packages
• Communication Software and Hardware
• Main Storage
• Disk and tape storage media
• Processing equipment
• Standalone Computers
• Printers
• People
• Sensitive/critical data
• Files
• Programs
• System Utilities
• System logs/audit trails
• Violation report
• Backup files (all)
• Sensitive Forms/printouts

• Identify and Define Appropriate System Administrator Privileges

• Server Startup and Shutdown
• File system(s)
• Database(s)
• Application(s)
• Reset
• Time/Date
• Operating System Log(s)

• Identify and Define Appropriate Operator Privileges

• Initial Program Load
• Program Starts OS controlled from console
• Operator could load wrong program
• Bypass Label Processing
• Rename/Relabel resources
• Reset
• Time/Date
• Passwords
• Reassign Ports/Lines

• Define the Elements of Performing a Violation Analysis

• Type of violation
• Repetitive mistakes
• Individuals exceeding their authority
• Too many people with unrestricted access
• Where it is occuring
• Patterns indicating serious intrusion attempts
• Hacker/disgruntled employees
• Clipping Level
• Establish baseline violation count to ignore normal user errors

• Define Potential Abuses to Operations Security

• Fraud
• Rejected transaction example :
• Erroneous transaction entered and rejected
• Perpetrator handles rejects
• Replaces with apparently valid transaction but ‘’Pay to’’ account is changed
• Interference with Operations
• Denial of service
• Production delays
• Conversion to personal use
• Computing time
• Vendor Software
• Unauthorized access/disclosure
• Off-hours
• Audit trail/System log corruption

• Define Potential Input/Output Controls that can be used to Attain Operations Security

• Input
• Data Counted
• Online transactions recorded and timestamped
• Data Entered
• Data Edited
• Output
• Control totals compared with input counts
• Ensure output reaches proper people
• Restrict access to printed output storage areas
• Print heading and trailing banners with recipientès names and locations
• Require signed receipt before releasing sensitive output
• Print ‘’No output’’ with banners when report is empty

• Define Potential Hardware Controls that can be used to Attain Operations Security

Hardware/area locks and alarms

• Operator terminals
• Servers/Routers rooms
• Modem/Circuits rooms
• Magnetic media rooms/Cabinets
• Sensitive
• Critical

• Identify Potential Hardware and Software Exposures

Data Center

• Device Address Modification
• Rerouting Output
• Obtaining supervisory terminal functions
• Bypassing system Logs
• System shutdown/downtime
• Shutdown handled from console/operations area
• IPL from tape
• Initial program load without security
• I/O system generation
• Terminals/printers/disks and tape drives
• Network
• Server bootup sequence from tape, CD, or Floppy Disk
• Bypass OS security
• ‘’HighJack’’ server’s network address
• Capture traffic to and from server
• Modify user/application data
• Steal password file/table from the server
• Gain access to OS or application user accounts

• Identify the Characteristics of Change Control Management

Authorizes changes to production systems

• New applications
• Modify existing applications
• Remove old applications

Uses input from problem management to initiate changes.

Security function can block a change

• Adversely affects security of applications/data

Should be extended to include network hardware and servers

• Define Potential Media Controls employed to attain Operations Security

• Media Library
• Mag tape/disk, diskette, optical disk, etc.
• Volume label required
• Human and machine readable form
• Date created
• Date to be destroyed (or retention period)
• Who created
• Volume/File name
• Volume/File version
• Classification
• Audit trail
• Who checked out and when
• Separation of responsabilities
• Controlled by media librarian
• No programmers/operators
• Backup procedures
• Original copy
• Copy on-site (away from computers)
• Copy off-site

• Define and Describe Threats and Countermeasures to Media Library

• Errors and omissions : can be alleviated by a sound training and awareness program.
• Fraud and theft (from inside or outside) : proper access control can be used to reduce such risks
• Employee sabotage
• Loss of physical and infrastructure support
• Malicious Hackers/Crackers
• Industrial espionage
• Malicious Code
• Foreign Government espionage

• Distinguish Between Characteristics of Separation of Duties and Rotation of Duties

The Operator and administrator functions must be separated because Combination of functions creates greater security risks. The rotation of duties is used to interrupt opportunity to create collusion to subvert operation for fraudulent purposes.

Brown Book :

The primary purpose behind the separation of the Operator and Administrator functions is to limit the potential damage that untrusted, or errant, code can inflict on the information the TCB uses to enforce the security policy. Any code executed with Operator or Administrator privileges has the ability to change the TCB data structures, thus affecting the enforcement of policy. Through the application of the principal of least privilege and the separation of Operator and Administrator functions so that they are prevented from executing untrusted code, the TCB data structures can be protected. The principle of least privilege requires that each subject be granted the most restrictive set of privileges needed for the specific task. In the case of the operator and administrator functions, the privileges need to be established at a low level of granularity so that the proceses that

implement those functions do not have unnecessary privileges.

• Identify TCSEC Levels Appropriate to Trusted Facility Management

System must support separate operator and administrator roles (b2)

System must clearly identify functions of security administrator to perform security-related functions (B3 and A1)

• Define Procedures to be Performed during a Trusted Recovery Process

Before allowing user access

• Reboot system
• Get running in single user mode
• Recover all filesystems active at time of failure
• Restore missing/damaged files and databases from most recent backup
• Check security critical files

• Define Environmental Contamination Control.

• Identify Type, Typical Sources, and Potential for Damages of Common Contaminants