Security Operations Domain
CISSP certification preparation (IRM), June 2005

Security Operations Domain [Overview]
This domain covers everything needed to keep a network, a computer, an application or an environment running in a safe and protected manner. It takes place after the network has been developed and implemented. It includes the routine maintenance of an environment and the activities that must be carried out day to day or week to week. Implementing security safeguards / countermeasures does not by itself guarantee a secure environment; continuous maintenance is needed to sustain an appropriate level of security in our technology environment. The operational security tasks must be kept up.
Operations Security
A continuous effort to ensure that policies, procedures, standards and guidelines are in place and are being followed.
Due Care & Due Diligence > "Prudent Person": responsible, careful, cautious and practical. Effort and discipline. Shortcomings in carrying it out can also bring legal liability.

Operations Security
Executive legal responsibility (Due Diligence):
Ensure that resources are protected.
Security measures are implemented (in place).
Security mechanisms are tested and guaranteed to provide the necessary level of protection.
Administrative Management
Separation of Duties: ensure that a person acting alone cannot compromise the company's security in any way. High-risk activities can be divided into separate parts and distributed among different people, so the company does not need to place high levels of trust in single individuals. For fraud to take place there would have to be complicity among the several people involved in the process; more than one person would be involved in the fraudulent activity. It is a preventive measure that forces collusion in order to act against policy. It also prevents the errors that can occur when a single person carries out a task from start to finish.

Administrative Management
Job Rotation: also considered a preventive activity. More than one person can perform the tasks of a job position. This gives the company more than one person who understands the tasks and responsibilities of a specific position, which provides backup and redundancy in case a person is absent or leaves the company. It also helps detect fraudulent activity.
"Least privilege" and "Need-to-Know": administrative controls that can also be implemented in an operating environment. No more privilege than is necessary to perform a function. No access to more information than is necessary to perform a function.
Mandatory vacations.
Accountability
accountable 1 (of a person, organization, or institution) required or expected to justify actions or decisions; responsible. 2 explicable; understandable.

Accountability
Access attempts and the activity carried out while a resource is in use need to be properly monitored, audited and logged. Each user ID, that is, each distinct employee, needs to appear in the audit logs so that individual accountability can be enforced. Each user must understand their responsibility when using a company resource and that their actions are audited. Capturing and monitoring audit logs helps determine whether a violation has occurred or whether a system or software reconfiguration is needed to improve controls or to modify rights or permissions. Auditing needs to be carried out routinely. Auditing can be manual or automated. Sometimes a manual analysis of the logs is needed to find suspicious activity. Several vendors offer products whose function is to analyze the logs and report important findings.

Accountability
Are users accessing information and performing tasks that are not necessary for their job description?
Are repetitive mistakes being made?
Do too many users have rights and privileges to sensitive or restricted data or resources?
Operational assurance / Product Evaluation
Operational assurance: focused on the product's architecture and its built-in features. Product functionality that allows or enables the user to maintain the necessary levels of protection while it is in use:
Separation of privileges
Auditing and monitoring
Trusted recovery in case of product failure
Life cycle assurance: focused on how the product was developed and how it is maintained. Life cycle assurance standards:
Design specifications
Configuration of clipping levels
Unit and integration testing
Configuration management

Clipping Levels (Product Evaluation)
Establish the permitted threshold for certain types of errors. The threshold of tolerated errors makes it possible to identify suspicious activity. Tools such as an IDS help detect such activity and alert or warn those involved. This allows attacks or problems with the technology infrastructure to be detected.
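The clipping-level idea on this slide, and the three audit-review questions on the Accountability slide (out-of-role access, repeated mistakes, excess rights), can both be applied mechanically to an audit log. The following is an added example written for this page, not code from the slides; the log lines, user names, roles, resource names and clipping values are all constructed sample data.

```python
"""Violation processing with clipping levels over a constructed audit log."""
import re
from collections import Counter, defaultdict

# Constructed audit log: timestamp, user, action, resource, outcome.
AUDIT_LOG = """\
2005-06-01T08:00:01 alice LOGIN - OK
2005-06-01T08:02:10 bob LOGIN - FAIL
2005-06-01T08:02:25 bob LOGIN - FAIL
2005-06-01T08:02:40 bob LOGIN - FAIL
2005-06-01T08:02:55 bob LOGIN - FAIL
2005-06-01T08:03:10 bob LOGIN - OK
2005-06-01T09:15:00 alice READ payroll.db OK
2005-06-01T09:20:00 carol READ payroll.db DENIED
2005-06-01T09:21:00 carol READ payroll.db DENIED
2005-06-01T10:00:00 dave READ hr/records OK
2005-06-01T10:05:00 dave WRITE hr/records OK
2005-06-01T10:06:00 carol LOGIN - FAIL
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (OK|FAIL|DENIED)$")

# Clipping level = number of errors of each type that are forgiven before a
# violation record is produced (assumed values, tune per environment).
CLIPPING_LEVELS = {"LOGIN_FAIL": 3, "ACCESS_DENIED": 2}

# Constructed role assignments and the resources each role needs (need-to-know).
USER_ROLES = {"alice": "payroll", "bob": "operator", "carol": "operator", "dave": "operator"}
ROLE_RESOURCES = {"payroll": {"payroll.db"}, "operator": {"backup/"}}


def parse_log(text):
    """Parse well-formed lines into dicts; malformed lines are skipped, not guessed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, action, resource, outcome = m.groups()
            events.append({"ts": ts, "user": user, "action": action,
                           "resource": resource, "outcome": outcome})
    return events


def error_type(event):
    """Map an event to the error category its clipping level is defined for."""
    if event["action"] == "LOGIN" and event["outcome"] == "FAIL":
        return "LOGIN_FAIL"
    if event["outcome"] == "DENIED":
        return "ACCESS_DENIED"
    return None


def violations(events, levels=CLIPPING_LEVELS):
    """Return {user: {error_type: count}} only where the count exceeds the clipping level."""
    counts = defaultdict(Counter)
    for e in events:
        et = error_type(e)
        if et:
            counts[e["user"]][et] += 1
    out = {}
    for user, c in counts.items():
        over = {et: n for et, n in c.items() if n > levels.get(et, 0)}
        if over:
            out[user] = over
    return out


def out_of_role_access(events, roles=USER_ROLES, role_resources=ROLE_RESOURCES):
    """Successful READ/WRITE accesses to resources the user's role does not need."""
    hits = []
    for e in events:
        if e["action"] in ("READ", "WRITE") and e["outcome"] == "OK":
            allowed = role_resources.get(roles.get(e["user"]), set())
            if not any(e["resource"].startswith(a) for a in allowed):
                hits.append((e["user"], e["action"], e["resource"]))
    return hits


if __name__ == "__main__":
    evs = parse_log(AUDIT_LOG)
    print("Violation records (over clipping level):", violations(evs))
    print("Access outside role (need-to-know review):", out_of_role_access(evs))
```

In the sample data only bob exceeds a clipping level (four failed logins against a level of three); carol's two denials are at the level and are forgiven, while dave's successful access to hr/records is outside his role and is flagged for review.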
Change Management
1. Change request
2. Change approval
3. Documentation of the change
4. Testing and presentation of results
5. Implementation
6. Report of the change to management

Change Management Documentation
New computers installed
New applications installed
Configuration differences implemented
Patches and updates installed
Integration of new technologies
Updates to policies, procedures and standards
New regulations and requirements
Identification and implementation of fixes for network or system problems
Network configuration changes
New devices integrated into the network
Media Controls
Media and devices in an operating environment require a variety of controls to ensure that the integrity, confidentiality and availability of the information stored on them are not compromised.
Logical, administrative and technical access controls.
Physical access control.
Physical security control.
Storage media library (backups).
Media in use must be correctly labeled with:
The creation date.
The person who created the backup.
The retention period.
The classification of the information.
The volume name or version.

Media Controls
Media must be properly erased when necessary. Cleaning media of its contents is called SANITIZING (sanitized). There are several sanitization methods:
Overwriting (zeroization)
Degaussing
Destruction
Deleting files does not make the information disappear completely; it only removes certain pointers, and the information remains alive on the media.
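Overwriting (zeroization), the first sanitization method listed above, as an added example that is not part of the slides: the "secret" file and its contents are constructed, and the caveat in the comments (journaling, copy-on-write and SSD wear-levelling can leave physical copies the overwrite never reaches) is why this counts as clearing the logical file, not as a replacement for degaussing or destroying the media.

```python
"""Zeroize a file's contents before unlinking it, then verify the overwrite."""
import os
import tempfile


def zeroize_file(path, passes=1, chunk=64 * 1024):
    """Overwrite every byte of the file with zeros in place, flushing to disk each pass.

    Returns the number of bytes overwritten per pass. The file is NOT removed here,
    so the caller can verify the overwrite before unlinking.
    Caveat: on journaling, copy-on-write or SSD storage, older physical copies of
    the blocks may survive; this clears the logical file only.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(b"\x00" * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push the zeros past the OS page cache
    return size


def demo():
    """Write a constructed confidential file, zeroize it, verify, then unlink.

    Returns (bytes_overwritten, all_bytes_zero_after_overwrite, file_still_exists).
    """
    secret = b"payroll-backup-2005-06 CONFIDENTIAL\n" * 100  # constructed content
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(secret)

    written = zeroize_file(path, passes=2)
    with open(path, "rb") as f:
        data = f.read()
    all_zero = len(data) == len(secret) and data == b"\x00" * len(secret)

    os.remove(path)  # a plain delete only drops the pointers; the zeros are what matter
    return written, all_zero, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```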
System Controls
Ensure the controls that determine that certain instructions are executed in the correct security context. Systems have mechanisms that restrict the execution of certain types of instructions so that they can only take place when the operating system is in an administrative or supervisor state. This allows and helps systems to run in a predictable and stable manner. Many input/output instructions are defined as privileged and can only be executed by the operating system kernel's processes.

Trusted Recovery
System reboot.
Emergency system restart.
System cold start.

Input & Output Controls
Applications must be programmed to accept only certain types of data or values as input; controls must be established that check the values received by the application.

Penetration Testing
A series of procedures designed to test whether a system's security controls can be evaded. Its objective is to measure an organization's resistance to an attack and to discover the security gaps still present in the environment. Organizations need to determine the effectiveness of their security controls. Penetration tests emulate the same methods real attackers may use. The tests should be aligned with the most recent hacking techniques. The type of test depends on the specific objective.

Other Operations Security topics
Facsimile Security (FAX Systems Security)
Hack and Attack Methods

Exam questions
1. Which of the following is the BEST way to handle obsolete magnetic tapes before disposing of them?
- Degaussing the tapes
- Initializing the tape labels
- Erasing the tapes
- Overwriting the tapes

2. Which of the following is not a component of an Operations Security "triples"?
- Risk
- Asset
- Vulnerability
- Threat

3. Which of the following questions is less likely to help in assessing controls over production?
- Are confidentiality or security agreements required for employees assigned to work with sensitive information?
- Is media sanitized for reuse?
- Are audit trails used for receipt of sensitive inputs/outputs?
- Are there processes for ensuring that only authorized users pick up, receive, or deliver input and output information and media?

4. According to the Orange Book, which security level is the first to require trusted recovery?

5. Operation security requires the implementation of physical security to control which of the following?
- evacuation procedures
- contingency conditions
- incoming hardware
- unauthorized personnel access

6. According to the Orange Book, which security level is the first to require a system to support separate operator and system administrator roles?
- B1
- B2
- B3
- A1

7. Which of the following are functions that are compatible in a properly segregated environment?
- Application programming and data entry
- Security administration and quality assurance
- Security administration and application programming
- Security administration and data entry

8. Intrusion Detection (ID) and Response is not a:
- reactive control.
- detective control.
- preventive control.
- monitoring control.

9. It is a violation of the "separation of duties" principle when which of the following individuals access the security systems software?
- security analyst
- systems auditor
- systems programmer
- security administrator

10. Which of the following is not a technique used for monitoring?
- Violation processing (using clipping levels)
- Intrusion detection
- Penetration testing
- Countermeasures testing
11. Notifying the appropriate parties to take action in order to determine the extent of the severity of an incident and to remediate the incident's effects includes:
- Intrusion Detection (ID) and Response
- Intrusion Protection (IP) and Response
- Intrusion Evaluation (IE) and Response
- Intrusion Recognition (IR) and Response

12. Which of the following statements pertaining to ethical hacking is incorrect?
- Ethical hackers should never use tools that have the potential of exploiting vulnerabilities in the organization's IT system.
- An organization should use ethical hackers who do not sell auditing, consulting, hardware, software, firewall, hosting, and/or networking services.
- Testing should be done remotely.
- Ethical hacking should not involve writing to or modifying the target systems.

13. Which of the following is NOT an element of software control?
- anti-virus management
- secure software development
- software testing
- safe software storage

14. Which of the following is not concerned with configuration management?
- Documentation
- They all are concerned with configuration management.
- Hardware
- Software

15. Which of the following is a detective control?
- Back-up procedures
- Segregation of duties
- Audit trails
- Physical access control

16. Which of the following is NOT a countermeasure to traffic analysis?
- Covert channel analysis
- Padding messages
- Eavesdropping
- Sending noise

17. Which of the following is the lowest TCSEC class wherein the systems must support separate operator and system administrator roles?
- A2
- A1
- B1
- B2

18. Which of the following rules is less likely to support the concept of least privilege?
- Permissions on tools that are likely to be used by hackers should be as restrictive as possible.
- Only data to and from critical systems and applications should be allowed through the firewall.
- Administrators should use regular accounts when performing routine operations like reading mail.
- The number of administrative accounts should be kept to a minimum.

19. Which of the following Operation Security controls is intended to prevent unauthorized intruders from internally or externally accessing the system, and to lower the amount and impact of unintentional errors that are entering the system?
- Detective Controls
- Directive Controls
- Corrective Controls
- Preventative Controls

20. Which of the following focuses on the basic features and architecture of a system?
- level A1
- covert channel assurance
- life cycle assurance
- operational assurance
21. Which of the following functions is less likely to be performed by a typical security administrator?
- Reviewing audit data
- Setting or changing file sensitivity labels
- Setting user clearances and initial passwords
- Adding and removing system users

22. This type of control is used to ensure that transactions are properly entered into the system once. Elements of this type of control may include counting data and time stamping it with the date it was entered or edited.
- Output Controls
- Processing Controls
- Input Controls
- Input/Output Controls

23. Which of the following refers to the data left on the media after the media has been erased?
- semi-hidden
- remanence
- recovery
- sticky bits

24. Fault tolerance countermeasures are designed to combat threats to which of the following?
- design reliability.
- backup and retention capability.
- an uninterruptible power supply.
- data integrity.

25. What should a company do first when disposing of personal computers that once were used to store confidential data?
- Low level format the hard disk
- Delete all data contained on the hard disk
- Demagnetize the hard disk
- Overwrite all data on the hard disk with zeroes

26. According to the Orange Book, which security level is the first to require configuration management?
- B1
- A1
- B3
- B2

27. Which of the following is true related to network sniffing?
- Sniffers take over network connections.
- Sniffers alter the source address of a computer to disguise and exploit weak authentication methods.
- Sniffers send IP fragments to a system that overlap with each other.
- Sniffers allow an attacker to monitor data passing across a network.

28. The high availability of multiple all-inclusive, easy-to-use hacking tools that do not require much technical knowledge has brought a growth in the number of which type of attackers?
- Black hats
- Phreakers
- Script kiddies
- White hats

29. Which of the following logical access exposures involves changing data before, or as it is entered into the computer?
- Data diddling
- Viruses
- Trojan horses
- Salami techniques

30. Which of the following is not an Orange Book-defined life cycle assurance requirement?
- Security testing
- Design specification and testing
- Trusted distribution
- System integrity
31. What is the main objective of proper separation of duties?
- To ensure that audit trails are not tampered with.
- To ensure that no single individual can compromise a system.
- To ensure access controls are in place.
- To prevent employees from disclosing sensitive information.

32. Which of the following is NOT a media viability control used to protect the viability of data storage media?
- marking
- handling
- storage
- clearing

33. Which of the following exposures associated with the spooling of sensitive reports for offline printing could be considered the MOST serious?
- Other unauthorized copies of reports could be printed
- Sensitive data may be read by operators
- Output would be lost in case of system failure
- Data can be altered without authorization

34. What is the most secure way to dispose of information on a CD-ROM?
- Physical destruction
- Sanitizing
- Physical damage
- Degaussing

35. What best describes a scenario when an employee has been shaving off pennies from multiple accounts and depositing the funds into his own bank account?
- Data diddling
- Trojan horses
- Salami techniques
- Data fiddling

36. The concept of the Trusted Computing Base (from the Orange Book) includes which of the following?
- trusted computer operators and system managers
- trusted software only
- trusted hardware only
- trusted hardware and software

37. When backing up an application system's data, which of the following is a key question to be answered first?
- What records to backup
- How to store backups
- Where to keep backups
- When to make backups

38. Which of the following is the most commonly used technique to gather security-related information like passwords?
- Dumpster diving
- Shoulder surfing
- Social engineering
- Network sniffers

39. Who is responsible for setting user clearances to computer-based information?
- Security administrators
- Data custodians
- Data owners
- Operators

40. The primary reason for enabling software audit trails is which of the following?
- Improve system efficiency.
- Provide useful information to track down processing errors.
- Improve response time for users.
- Establish responsibility and accountability.
41. Which of the following ensures that a TCB is designed, developed, and maintained with formally controlled standards that enforce protection at each stage in the system's life cycle?
- operational assurance
- covert timing assurance
- life cycle assurance
- covert storage assurance

42. Which of the following questions is less likely to help in assessing controls over audit trails?
- Does the audit trail provide a trace of user actions?
- Are incidents monitored and tracked until resolved?
- Is access to online logs strictly controlled?
- Is there separation of duties between security personnel who administer the access control function and those who administer the audit trail?

43. Which TCSEC (Orange Book) level requires the system to clearly identify functions of the security administrator to perform security-related functions?
- B3
- B2
- B1
- C2

44. Physically securing backup tapes from unauthorized access is obviously a security concern and is considered a function of the:
- Telecommunications and Network Security Domain.
- Operations Security Domain Analysis.
- Business Continuity Planning and Disaster Recovery Planning.
- Operations Security Domain.

45. The continual effort of making sure that the correct policies, procedures and standards are in place and being followed is described as what?
- Due care
- Due diligence
- Due practice
- Due concern

46. Which of the following should be performed by an operator?
- Adding and removal of users
- Installing system software
- Changing profiles
- Approving changes

47. Which of the following questions is less likely to help in assessing identification and authentication controls?
- Are inactive user identifications disabled after a specified period of time?
- Is there a process for reporting incidents?
- Is a current list maintained and approved of authorized users and their access?
- Are passwords changed at least every ninety days or earlier if needed?

48. Which of the following is a communication path that is not protected by the system's normal security mechanisms?
- A maintenance hook
- A covert channel
- A protection domain
- A trusted path

49. Which of the following should not be performed by an operator?
- Handling hardware
- Mounting disk or tape
- Data entry
- Backup and recovery

50. Which of the following are functions that are compatible in a properly segregated environment?
- Security administration and systems programming
- Systems analyst and application programming
- Database administration and systems security
- Data entry and job scheduling
51. Which of the following is not a critical security aspect of Operations Controls?
- Environmental controls
- Operators using resources
- Data media used
- Controls over hardware

52. The number of violations that will be accepted or forgiven before a violation record is produced is called which of the following?
- forgiveness level
- acceptance level
- water level
- clipping level

53. Ensuring that printed reports reach proper users and that receipts are signed before releasing sensitive documents are examples of:
- Information flow controls
- Asset controls
- Output controls
- Deterrent controls

54. Which of the following is the most reliable, secure means of removing data from magnetic storage media such as a magnetic tape, or a cassette?
- Degaussing
- Buffer overflow
- Certification
- Parity Bit Manipulation

55. This baseline sets certain thresholds for specific errors or mistakes allowed and the amount of these occurrences that can take place before it is considered suspicious.
- Checkpoint level
- Threshold level
- Clipping level
- Ceiling level

56. What setup should an administrator use for regularly testing the strength of user passwords?
- A password-cracking program is unethical; therefore it should not be used.
- A networked workstation so that the live password database can easily be accessed by the cracking program.
- A standalone workstation on which the password database is copied and processed by the cracking program.
- A networked workstation so the password database can easily be copied locally and processed by the cracking program.

57. In what way can violation clipping levels assist in violation tracking and analysis?
- Clipping levels enable a security administrator to customize the audit trail to record only those violations which are deemed to be security relevant.
- Clipping levels enable a security administrator to view all reductions in security levels which have been made to usercodes which have incurred violations.
- Clipping levels set a baseline for normal user errors, and violations exceeding that threshold will be recorded for analysis of why the violations occurred.
- Clipping levels enable the security administrator to customize the audit trail to record only actions for users with access to usercodes with a privileged status.

58. Which one of the following functions provides the least effective organizational reporting structure for the Information Systems Security function?
- Corporate security
- IS operations
- IS quality assurance
- IS resource management

59. Which of the following are functions that are compatible in a properly segregated environment?
- Systems programming and job control analysis.
- Application programming and computer operation.
- System development and systems maintenance.
- Access authorization and database administration.

60. Which of the following security controls might force an operator into collusion with personnel assigned organizationally within a different function in order to gain access to unauthorized data?
- Enforcing regular password changes
- Management monitoring of audit logs
- Limiting the local access of operations personnel
- Job rotation of operations personnel
61. An electrical device (AC or DC) which can generate coercive magnetic force for the purpose of reducing magnetic flux density to zero on storage media or other magnetic media is called:
- magnetic remanence.
- a degausser.
- magnetic saturation.
- a magnetic field.

62. Operations Security seeks to primarily protect against which of the following?
- object reuse
- compromising emanations
- facility disaster
- asset threats

63. Which of the following yellow-book defined types of system recovery happens after a system fails in an uncontrolled manner in response to a TCB or media failure and the system cannot be brought to a consistent state?
- Emergency system restart
- System reboot
- Recovery restart
- System cold start

64. Which of the following files should the security administrator be restricted to READ only access?
- Security parameters
- User profiles
- System log
- User passwords

65. When two operators review and approve the work of each other, this is known as?
- Twin Control
- Two-man Control
- Dual Control
- Two-fold Control

66. What is the essential difference between a self-audit and an independent audit?
- Tools used
- Results
- Competence
- Objectivity

67. Which of the following is not an example of an operational control?
- backup and recovery
- contingency planning
- operations procedures
- audit trails

68. This type of vulnerability enables the intruder to re-route data traffic from a network device to a personal machine. This diversion enables the intruder to capture data traffic to and from the devices for analysis or modification, or to steal the password file from the server and gain access to user accounts:
- Network Address Hijacking
- Network Address Translation
- Network Address Sniffing
- Network Address Supernetting
69. Which trusted facility management concept implies that two operators must review and approve the work of each other?
- Segregation control
- Dual control
- Double control
- Two-man control

70. A periodic review of user account management should not determine:
- Conformity with the concept of least privilege.
- Strength of user-chosen passwords.
- Whether active accounts are still being used.
- Whether management authorizations are up-to-date.

71. Which of the following is used to interrupt opportunity to create collusion to subvert operation for fraudulent purposes?
- Rotation of duties
- Principle of least privilege
- Separation of duties
- Principle of need-to-know

72. What security procedure forces an operator into collusion with an operator of a different category to have access to unauthorized data?
- Enforcing regular password changes.
- Job rotation of people through different assignments.
- Limiting the specific accesses of operations personnel.
- Management monitoring of audit logs.

73. What is the main issue with media reuse?
- Data remanence
- Degaussing
- Media destruction
- Purging

74. Hardware availability reports allow the identification of the following problems except for:
- User dissatisfaction
- Excessive operating systems maintenance
- Inadequate training for operators
- Inadequate hardware facilities

75. When it comes to magnetic media sanitization, what difference can be made between clearing and purging information?
- Clearing renders information unrecoverable against a laboratory attack and purging renders information unrecoverable to a keyboard attack.
- They both involve rewriting the media.
- Clearing renders information unrecoverable by a keyboard attack and purging renders information unrecoverable against laboratory attack.
- Clearing completely erases the media whereas purging only removes file headers, allowing the recovery of files.