244 ◾ Official (ISC)
2
® Guide to the ISSMP® CBK®
© 2011 by Taylor & Francis Group, LLC
ngerprinting may oer a clue to the source system. Passive OS ngerprinting is
also known as TCP/IP stack ngerprinting because certain parameters within the
TCIP/IP stack, specically layer 4, are congurable and the standard default values
may vary from OS to OS. Collecting and reviewing these values provides insight
into the source OS of the bot. Note: is same concept applies to an adversary seek-
ing to understand your OS types. Firewalls may be congured to take advantage of
OS ngerprinting to detect a botnet attack.
Rate-based IPSs monitor network behavior, establish a baseline of normal
behavior, and detect variations from normal. ese variations may oer insight into
an active attack including denial of service or distributed denial of service attacks
from botnets.
Outbound Traffic and Exfiltration
Exltration is a military term for exiting and is the opposite of inltration. Data
exltration is the unauthorized transmission of data out of the organization. Some
malware will search for les that contain key words in the title or content and then
send that le to a predened location. erefore, monitoring outbound trac is a
concern for security operations. Compliance reasons for monitoring outbound traf-
c include potential damage to enterprise reputation, loss of proprietary informa-
tion, and potential legal liabilities. For example, if a botnet penetrates the enterprise
networks and sends out spam with illegal material (e.g., child pornography), the
enterprise may be held liable for negligence in preventing the outbound message.
Use security software to monitor outbound trac using content ltering. Upon
detection, the software can generate an alert to the security department or Help
Desk, and may even initiate an auto lockdown of the source system. Monitoring
data in transit that is in plain-text format is dicult enough because of the volume
of data to check. Monitoring encrypted transmissions or peer-to-peer applications
is particularly dicult.
Web Application Firewalls
An application rewall is a software-based rewall that limits access of software appli-
cations to operating system services; this may include hardware access. Hardware
rewalls restrict data ow across the network, but do not control the activity on a
system like the execution of an operating system command.
Web application rewalls (WAFs) are safeguards for Web sites to protect them
against attacks. WAFs are deep packet-inspection rewalls and are designed to pre-
vent attacks that network rewalls and IDSs do not address. ough available for
about 10 years, WAFs are not widely deployed and only recently found a growth
market with introduction of the Payment Card Industry Data Security Standard.
WAFs look for attack signatures for specic attacks as well as abnormal behavior
that does not t into normal trac patterns.
Overseeing Compliance of Security Operations ◾ 245
© 2011 by Taylor & Francis Group, LLC
WAF operations involve looking for data attacks that use special characters or
wild cards to change data. Also, WAFs look for logic content attacks, which go
after command strings or logic statements, and for targeted attacks, which focus on
accounts, les, or hosts.
Many businesses provide an on-line presence for customer convenience, includ-
ing banking and other nancial transactions, order placement that includes entry of
credit card information, and the entry of PII to facilitate transaction completion and
order fulllment. e addition of WAFs is part of a comprehensive security program
that is necessary to comply with legislation governing the protection of PII.
Operating Systems
Operating system installations out of the box include many technical vulnerabili-
ties. ese include standard user accounts, default passwords, default software
application activation, default use of background processes, and default congu-
ration settings. Without modication, these oer easy exploitation points for an
attacker with knowledge of that OS. erefore, research the OS choices for your
organization for commonly known vulnerabilities and how to eliminate those vul-
nerabilities, and otherwise congure the operating system to be more secure. Make
these changes part of a standard software image or include them in procedures for
OS installation.
Eliminating vulnerabilities inherent in default installations is the rst step. An
additional step is to harden the OS by eliminating all unnecessary functions, i.e.,
all functions not explicitly required for the OS to produce the required business
result. Limiting OS boot-up functions, processes, background jobs, and utilities
vastly reduces the vulnerabilities of the OS and of the software applications run-
ning on the OS. Moreover, limiting OS functionality makes it easier to monitor
and detect anomalies on the OS, e.g., detecting an unauthorized utility as a clue to
a potential intruder.
While no legislation is likely to dictate how to protect operating systems, and no
legislation should, the legislation will imply this need. Internal policies will reect
the intent of legislative direction, and OS installation and conguration standards
will provide direction on how to implement and enforce policy. Situational aware-
ness services and mechanisms that include vulnerability scanning and log analysis
will provide monitoring of congurations to ensure that the production systems
conform to enterprise standards. is is the path from external compliance require-
ments to internal compliance requirements to compliance enforcement to compli-
ance monitoring.
System Hardening
System hardening is the elimination of known vulnerabilities, exploits, and gener-
ally turning o or uninstalling unnecessary functions. Each operating system, each
246 ◾ Official (ISC)
2
® Guide to the ISSMP® CBK®
© 2011 by Taylor & Francis Group, LLC
version of the same operating system, and each patch release of the same operating
system may have a dierent procedure for hardening the system.
Disabling unused services will require OS parameter changes at the kernel or
registry level, or modications to services that initiate or run at startup. Some oper-
ating systems (e.g., Microsoft) will provide all administrator software as part of the
standard installation process. is is good in that it provides the administrator with
everything he or she may need, but it is bad in that it provides every inherent vul-
nerability that malware may exploit. Other operating systems (e.g., UNIX) provide
only the bare essentials in the standard installation and require the administrator
to install any other applications needed.
Disable unnecessary ports and protocols that may respond to connection requests
or port probes, or invoke connections that are not part of the system’s core function,
e.g., disable port 80 if the system will not initiate HTTP connections. Change stan-
dard account names like “Administrator” to resemble the common user ID structure.
Change all standard passwords for any installation out of the box. Disable all unnec-
essary accounts. In general, when in doubt, disable or uninstall and wait for a reason
to enable or reinstall. Users will let you know if they need a particular functionality.
Environment
In a given environment, people perform processes using technology to produce results.
Security operations environments subject to compliance or in support of compli-
ance management include the following:
◾ Physical security
− Campus
− Building
− Lobby
− Loading dock
− Floor
− Room
− Oce
− Workstation
− Windows
− Special purpose areas
• Data center
• Wiring closet
• External service demarcation points
◾ Phone
◾ Data
◾ Water
◾ Electric
Overseeing Compliance of Security Operations ◾ 247
© 2011 by Taylor & Francis Group, LLC
◾ Secure facilities according to government standard
◾ Secure facilities according to legislative mandate
◾ Secure facilities according to internal standards
Despite the focus on cyber security, physical security remains a critical factor in
an enterprise security management program. Physical security starts with the perim-
eter of the campus and of the building, including driveways, landscaping, lighting,
entrance gates, doors, loading docks, and windows. Loading docks are especially
important because there may be high trac of nonenterprise personnel. Invited
guests come through the front door, but most intruders will not. However, personal
experience in physical security testing shows that if you look like you belong or that
you are there for some particular reason, you are rarely challenged even if entering
through the front door; a suit, tie, briefcase, and obscured badge holder of conform-
ing design go a long way as challenge deterrents.
Physical Security
e scope of information and information technology security includes all infor-
mation in any form. is means information on computers, tapes, and disk drives,
as well as on paper, in le cabinets, or in briefcases. Physical security is every bit as
important as cyber security; why bother breaking through the rewall when all you
have to do is walk through the loading dock to the data center with a thumb drive
or steal backup tapes?
Legislative compliance for the protection of PHI and PII applies to physical
security. Additionally, the safeguard against crime and corporate espionage is good
business practice if these threats apply to your organization. Consider that if you
have something worth stealing, then someone is likely willing to go to some lengths
to steal it. e point of security is to make the cost of stealing it prohibitively high
in both the expertise required to steal it and the equipment costs to perpetrate the
theft. For example, if the Board of Directors or the CFO of the organization hold
sensitive meetings about strategy and nance, then consider holding those meet-
ings in an inside, windowless room to prohibit eavesdropping through the glass.
HIPAA Physical Safeguard Requirements
HIPAA Physical Safeguards include the following:
◾ Evaluation
− Facility Access Controls
− Contingency Operations
− Facility Security Plan
− Access Control and Validation Procedures
− Maintenance Records
248 ◾ Official (ISC)
2
® Guide to the ISSMP® CBK®
© 2011 by Taylor & Francis Group, LLC
◾ Workstation
◾ Workstation Security
◾ Device and Media Controls
− Disposal
− Media Reuse
− Accountability
◾ Data Backup and Storage
Similar to cyber access controls, facility access controls require the issuance
of an identity credential (e.g., a picture identity card). Policy may state the need
to present the identity credential upon access to an automated card reader or to a
security card or both. e access privileges associated with the identity credential
may restrict access to certain parts of the facility, e.g., the average employee does
not need access to the data center or to wiring closets; therefore, only privileged
individuals or privileged roles have access to these areas.
Physical safeguards address the need for contingency operations within cold,
warm, or hot backup sites. A facility security plan establishes emergency proce-
dures, e.g., pre-established meeting places in the event of building evacuation, a call
plan to notify of emergency or establish whereabouts, and emergency responsibili-
ties such as safely powering down critical equipment.
HIPAA is especially sensitive to workstation placement and display screen vis-
ibility. Processing PHI on a PC visible through a heavily traveled public area (e.g.,
shopping mall) violates the PHI protection requirements of HIPAA. Physical secu-
rity also addresses device and media controls that include media disposal, media
reuse, accountability, and data backup and storage.
Media disposal includes the discarding of old backup tapes, hard drives, thumb
drives, laptops, and any other device that may store enterprise data. Consider
engaging a disposal service to apply the appropriate technology and procedures for
preparing the media for disposal. Degaussing may be ne in some cases; in other
cases nothing less than physical destruction is acceptable. Media reuse within the
organization is a good cost-saving method; however, be sure the media is appropri-
ately erased, reformatted, or degaussed according to the previous use. Passing on
old storage media to HR is ne, but not if it still has the CEO’s strategic plans still
stored on it.
Provide accountability for media possession and location. For example, the issu-
ance of laptops requires tracking who has them, who is accountable for their safety
and whereabouts, and actually tracking the location (e.g., on enterprise property or
o enterprise property) is prudent to track a valuable physical asset. More impor-
tantly, track the business use of the asset to understand the business implications of
asset damage or loss. Losing a laptop is bad enough; losing a laptop with client PII
is far worse. Controlling and tracking data backups will help discern if the loss of
primary data is the loss of the only copy (i.e., knowing there is a backup) and how
old the backup is compared to the date of data loss.
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.