Chapter 8. Communications and Operations Security

Chapter Objectives

After reading this chapter and completing the exercises, you will be able to do the following:

• Author useful standard operating procedures
• Implement change control processes
• Understand the importance of patch management
• Protect information systems against malware
• Consider data backup and replication strategies
• Recognize the security requirements of email and email systems
• Appreciate the value of log data and analysis
• Evaluate service provider relationships
• Write policies and procedures to support operational and communications security

Section 12 of ISO 27002:2013, “Operations Security,” and Section 13 of ISO 27002:2013, “Communications Security,” focus on information technology (IT) and security functions, including standard operating procedures, change management, malware protection, data replication, secure messaging, and activity monitoring. These functions are primarily carried out by IT and information security data custodians such as network administrators and security engineers. Many companies outsource some aspect of their operations. Section 15 of ISO 27002:2013, “Supplier Relationships,” focuses on service delivery and third-party security requirements.

The Security Education, Training, and Awareness model (SETA) introduced in Chapter 6, “Human Resources Security,” is particularly appropriate for this domain. Data owners need to be educated on operational risk so they can make informed decisions. Data custodians should participate in training that focuses on operational security threats so that they understand the reason for implementing safeguards. Users should be surrounded by a security awareness program that fosters everyday best practices. Taken together, SETA will enhance policy acceptance and stewardship. Throughout the chapter, we cover policies, processes, and procedures recommended to create and maintain a secure operational environment.


FYI: ISO/IEC 27002:2013 and NIST Guidance

Section 12 of ISO 27002:2013, “Operations Security,” focuses on data center operations, integrity of operations, vulnerability management, protection against data loss, and evidence-based logging. Section 13 of ISO 27002:2013, “Communications Security,” focuses on protection of information in transit. Section 15 of ISO 27002:2013, “Supplier Relationships,” focuses on service delivery and third-party security requirements.

Corresponding NIST guidance is provided in the following documents:

• SP 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems
• SP 800-53: Recommended Security Controls for Federal Information Systems and Organizations
• SP 800-100: Information Security Handbook: A Guide for Managers
• SP 800-40: Creating a Patch and Vulnerability Management Program
• SP 800-83: Guide to Malware Incident Prevention and Handling for Desktops and Laptops
• SP 800-45: Guidelines on Electronic Mail Security
• SP 800-92: Guide to Computer Security Log Management
• SP 800-42: Guideline on Network Security Testing


Standard Operating Procedures (SOPs)

Standard operating procedures (SOPs) are detailed explanations of how to perform a task. The objective of an SOP is to provide standardized direction, improve communication, reduce training time, and improve work consistency. An alternate name for SOPs is standard operating protocols. An effective SOP communicates who will perform the task, what materials are necessary, where the task will take place, when the task will be performed, and how the person will execute the task.

Why Document SOPs?

The very process of creating SOPs requires us to evaluate what is being done, why it is being done that way, and perhaps how we could do it better. SOPs should be written by individuals knowledgeable about the activity and the organization’s internal structure. Once written, the details in an SOP standardize the target process and provide sufficient information that someone with limited experience with or knowledge of the procedure, but with a basic understanding, can successfully perform the procedure unsupervised. Well-written SOPs reduce organizational dependence on individual and institutional knowledge.

It is not uncommon for an employee to become so important that losing that individual would be a huge blow to the company. Imagine that this person is the only one performing a critical task, no one has been cross-trained, and no documentation as to how he performs this task exists. The employee suddenly becoming unavailable could seriously injure the organization. Having proper documentation of operating procedures is not a luxury: It is a business requirement.

Authorizing SOP Documentation

Once a procedure has been documented, it should be reviewed, verified, and authorized before being published. The reviewer analyzes the document for clarity and readability. The verifier tests the procedure to make sure it is correct and not missing any steps. The process owner is responsible for authorization, publication, and distribution. Post-publication changes to the procedures must be authorized by the process owner.

Protecting SOP Documentation

Access and version controls should be put in place to protect the integrity of the document from both unintentional error and malicious insiders. Imagine a case where a disgruntled employee gets hold of a business-critical procedure document and changes key information. If the tampering is not discovered, it could lead to a disastrous situation for the company. The same holds true for revisions. If multiple revisions of the same procedure exist, there is a good chance someone is going to be using the wrong version.

Developing SOPs

SOPs should be understandable to everyone who uses them. SOPs should be written in a concise, step-by-step, plain language format. If not well written, SOPs are of limited value. It is best to use short, direct sentences so that the reader can quickly understand and memorize the steps in the procedure. Information should be conveyed clearly and explicitly to remove any doubt as to what is required. The steps must be in logical order. Any exceptions must be noted and explained. Warnings must stand out.

The four common SOP formats are simple step, hierarchical, flowchart, and graphic. As shown in Table 8.1, two factors determine what type of SOP to use: how many decisions the user will need to make and how many steps are in the procedure. Routine procedures that are short and require few decisions can be written using the simple step format. Long procedures consisting of more than ten steps, with few decisions, should be written in a hierarchical format or in a graphic format. Procedures that require many decisions should be written in the form of a flowchart. It is important to choose the correct format. The best-written SOPs will fail if they cannot be followed.

TABLE 8.1 SOP Methods (table image not reproduced)

As illustrated in Table 8.2, the simple step format uses sequential steps. Generally, these rote procedures do not require any decision-making and do not have any sub-steps. The simple step format should be limited to ten steps.

TABLE 8.2 Simple Step Format (table image not reproduced)

As illustrated in the New User Account Creation Procedure example, shown in Table 8.3, the hierarchical format is used for tasks that require more detail or exactness. The hierarchical format allows the use of easy-to-read steps for experienced users while including sub-steps that are more detailed as well. Experienced users may only refer to the sub-steps when they need to, whereas beginners will use the detailed sub-steps to help them learn the procedure.

TABLE 8.3 Hierarchical Format (table image not reproduced)

Pictures truly are worth a thousand words. The graphic format, shown in Figure 8.1, can use photographs, icons, illustrations, or screenshots to illustrate the procedure. This format is often used for configuration tasks, especially if various literacy levels or language barriers are involved.

FIGURE 8.1 Example of the graphic format. (figure not reproduced)

A flowchart, shown in Figure 8.2, is a diagrammatic representation of steps in a decision-making process. A flowchart provides an easy-to-follow mechanism for walking a worker through a series of logical decisions and the steps that should be taken as a result. When developing flowcharts, you should use the generally accepted flowchart symbols. ISO 5807:1985 defines symbols to be used in flowcharts and gives guidance for their use.

FIGURE 8.2 Flowchart format. (figure not reproduced)


FYI: A Recommended Writing Resource

A recommended resource for learning how to write procedures is Procedure Writing: Principles and Practices, Second Edition, by Douglas Wieringa, Christopher Moore, and Valerie Barnes (Battelle Press, 1998, ISBN 1-57477-052-7).


Operational Change Control

Operational change is inevitable. Change control is an internal procedure by which authorized changes are made to software, hardware, network access privileges, or business processes. The information security objective of change control is to ensure the stability of the network while maintaining the required levels of confidentiality, integrity, and availability (CIA). A change management process establishes an orderly and effective mechanism for submission, evaluation, approval, prioritization, scheduling, communication, implementation, monitoring, and organizational acceptance of change.

Why Manage Change?

The process of making changes to systems in production environments presents risks to ongoing operations and data that are effectively mitigated by consistent and careful management. Consider this scenario: Windows 8 is installed on a mission-critical workstation. The system administrator installs a service pack. A service pack often will make changes to system files. Now imagine that for a reason beyond the installer’s control, the process fails halfway through. What is the result? An operating system that is neither the original version, nor the updated version. In other words, there could be a mix of new and old system files, which would result in an unstable platform. The negative impact on the process that depends on the workstation would be significant. Take this example to the next level and imagine the impact if this machine were a network server used by all employees all day long. Consider the impact on the productivity of the entire company if this machine were to become unstable because of a failed update. What if the failed change impacted a customer-facing device? The entire business could come grinding to a halt. What if the failed change also introduced a new vulnerability? The result could be loss of confidentiality, integrity, and/or availability (CIA).

Change needs to be controlled. Organizations that take the time to assess and plan for change spend considerably less time in crisis mode. The change control process starts with an RFC (Request for Change). The RFC is submitted to a decision-making body (generally senior management). The change is then evaluated and, if approved, implemented. Each step must be documented. Not all changes should be subject to this process. In fact, doing so would negate the desired effect and in the end significantly impact operations. There should be an organization policy that clearly delineates the type(s) of change that the change control process applies to. Additionally, there needs to be a mechanism to implement “emergency” changes.

Submitting an RFC

The first phase of the change control process is an RFC submission. The request should include the following items:

• Requestor name and contact information
• Description of the proposed change
• Justification of why the proposed changes should be implemented
• Impact of not implementing the proposed change
• Alternatives to implementing the proposed change
• Cost
• Resource requirements
• Timeframe

Taking into consideration the preceding information as well as organizational resources, budget, and priorities, the decision makers can choose to continue to evaluate, approve, reject, or defer until a later date.

Developing a Change Control Plan

Once a change is approved, the next step is for the requestor to develop a change control plan. The complexity of the change as well as the risk to the organization will influence the level of detail required. Standard components of a change control plan include a security review to ensure that new vulnerabilities are not being introduced, implementation instructions, rollback and/or recovery options, and post-implementation monitoring.

Communicating Change

The need to communicate to all relevant parties that a change will be taking place cannot be overemphasized. The Prosci Research 2011 Management Best Practices study found that communicating the reason for change was identified as the number-one most important message to share with employees and the second most important message for managers and executives (with the number-one message being about their role and expectations). The messages to communicate to impacted employees fell into two categories: messages about the change and how the change impacts them.

Messages about the change include the following:

• The current situation and the rationale for the change
• A vision of the organization after the change takes place
• The basics of what is changing, how it will change, and when it will change
• The expectation that change will happen and is not a choice
• Status updates on the implementation of the change, including success stories

Messages about how the change will affect the employee include the following:

• The impact of the change on the day-to-day activities of the employee
• Implications of the change on job security
• Specific behaviors and activities expected from the employee, including support of the change
• Procedures for getting help and assistance during the change

Projects that fail to communicate are doomed to fail.

Implementing and Monitoring Change

Once the change is approved, planned, and communicated, it is time to implement. Change can be unpredictable. If possible, the change should first be applied to a test environment and monitored for impact. Even minor changes can cause havoc. For example, a simple change in a shared database’s filename could cause all applications that use it to fail. For most environments, the primary implementation objective is to minimize stakeholder impact. This includes having a plan to roll back or recover from a failed implementation.

Throughout the implementation process, all actions should be documented. This includes actions taken before, during, and after the changes have been applied. Changes should not be “set and forget.” Even a change that appears to have been flawlessly implemented should be monitored for unexpected impact.

Some emergency situations require organizations to bypass certain change controls in order to recover from an outage, incident, or unplanned event. Especially in these cases, it is important to document the change thoroughly, communicate the change as soon as possible, and have it approved post-implementation.

Why Is Patching Handled Differently?

A patch is software or code designed to fix a problem. Applying security patches is the primary method of fixing security vulnerabilities in software. The vulnerabilities are often identified by researchers or ethical hackers who then notify the software company so that they can develop and distribute a patch. A function of change management, patching is distinct in how often and how quickly patches need to be applied. The moment a patch is released, attackers make a concerted effort to reverse engineer the patch swiftly (measured in days or even hours), identify the vulnerability, and develop and release exploit code. The time immediately after the release of a patch is ironically a particularly vulnerable moment for most organizations due to the time lag in obtaining, testing, and deploying a patch.


FYI: Patch Tuesday and Exploit Wednesday

Microsoft releases new security updates and their accompanying bulletins on the second Tuesday of every month at approximately 10 a.m. Pacific Time, hence the name Patch Tuesday. The following day is referred to as Exploit Wednesday, signifying the start of exploits appearing in the wild.


Understanding Patch Management

Timely patching of security issues is generally recognized as critical to maintaining the operational CIA of information systems. Patch management is the process of scheduling, testing, approving, and applying security patches. Vendors who maintain information systems within a company network should be required to adhere to the organizational patch management process.

The patching process can be unpredictable and disruptive. Users should be notified of potential downtime due to patch installation. Whenever possible, patches should be tested prior to enterprise deployment. However, there may be situations where it is prudent to waive testing based on the severity and applicability of the identified vulnerability. If a critical patch cannot be applied in a timely manner, senior management should be notified of the risk to the organization.

NIST Special Publication 800-40 Revision 3, Guide to Enterprise Patch Management Technologies, published July 2013, is designed to assist organizations in understanding the basics of enterprise patch management technologies. It explains the importance of patch management and examines the challenges inherent in performing patch management. The publication also provides an overview of enterprise patch management technologies and discusses metrics for measuring the technologies’ effectiveness and for comparing the relative importance of patches.

Malware Protection

Malware, short for “malicious software,” is software (or script or code) designed to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems and mobile devices. Malware is operating system agnostic. Malware can infect systems by being bundled with other programs or by self-replicating; however, the vast majority of malware requires user interaction such as clicking an email attachment or downloading a file from the Internet. It is critical that security awareness programs articulate individual responsibility in fighting malware.

Malware has become the tool of choice for cybercriminals, hackers, and hacktivists. It has become easy for attackers to create their own malware by acquiring malware toolkits, such as Zeus, SpyEye, and Poison Ivy, and customizing the malware produced by those toolkits to meet their individual needs. Many of these toolkits are available for purchase, whereas others are open source, and most have user-friendly interfaces that make it simple for unskilled attackers to create customized, high-capability malware. Unlike most malware several years ago, which tended to be easy to notice, much of today’s malware is specifically designed to quietly, slowly spread to other hosts, gathering information over extended periods of time and eventually leading to exfiltration of sensitive data and other negative impacts. The term advanced persistent threats (APTs) is generally used to refer to this approach.

NIST Special Publication 800-83, Revision 1, Guide to Malware Incident Prevention and Handling for Desktops and Laptops, published in July 2012, provides recommendations for improving an organization’s malware incident prevention measures. It also gives extensive recommendations for enhancing an organization’s existing incident response capability so that it is better prepared to handle malware incidents, particularly widespread ones.

Are There Different Types of Malware?

Malware categorization is based on infection and propagation characteristics. The categories of malware include viruses, worms, Trojans, bots, ransomware, rootkits, and spyware/adware. Hybrid malware is code that combines characteristics of multiple categories—for example, combining a virus’ ability to alter program code with a worm’s ability to reside in live memory and to propagate without any action on the part of the user.

A virus is malicious code that attaches to and becomes part of another program. Generally, viruses are destructive. Almost all viruses attach themselves to executable files. They then execute in tandem with the host file. Viruses spread when the software or document they are attached to is transferred from one computer to another using the network, a disk, file sharing, or infected email attachments. One of the most famous examples of a virus outbreak was the Melissa virus (also known as Mailissa, Simpsons, Kwyjibo, and Kwejeebo), which was first identified on March 26, 1999. Melissa was distributed as an email attachment that, when opened, disabled a number of safeguards and, if the user had the Microsoft Outlook email program, caused the virus to be re-sent to the first 50 people in each of the user’s address books. Melissa caused Microsoft to shut down incoming email. Intel, Dell, and a number of federal agencies reported being affected.

A worm is a piece of malicious code that can spread from one computer to another without requiring a host file to infect. Worms are specifically designed to exploit known vulnerabilities, and they spread by taking advantage of network and Internet connections. As of 2013, the 2003 worm W32/SQL Slammer (aka Slammer and Sapphire) still holds the record for the fastest spreading worm. It infected the process space of Microsoft SQL Server 2000 and Microsoft SQL Desktop Engine (MSDE) by exploiting an unpatched buffer overflow. Once running, the worm tried to send itself to as many other Internet-accessible SQL hosts as possible. Microsoft had released a patch six months prior to the Slammer outbreak.

A Trojan is malicious code that masquerades as a legitimate benign application. For example, when a user downloads a game, he may get more than he expected. The game may serve as a conduit for a malicious utility such as a keylogger or screen scraper. A keylogger is designed to capture and log keystrokes, mouse movements, Internet activity, and processes in memory such as print jobs. A screen scraper makes copies of what you see on your screen. A typical activity attributed to Trojans is to open connections to a command and control server (known as a C&C). Once the connection is made, the machine is said to be “owned.” The attacker takes control of the infected machine. In fact, cybercriminals will tell you that once they have successfully installed a Trojan on a target machine, they actually have more control over that machine than the very person seated in front of and interacting with it. Once “owned,” access to the infected device may be sold to other criminals. Trojans do not reproduce by infecting other files, nor do they self-replicate. Trojans must spread through user interaction, such as opening an email attachment or downloading and running a file from the Internet. Examples of Trojans include Zeus and SpyEye. Both Trojans are designed to capture financial website login credentials and other personal information.

Bots (also known as robots) are snippets of code designed to automate tasks and respond to instructions. Bots can self-replicate (like worms) or replicate via user action (like Trojans). A malicious bot is installed in a system without the user’s permission or knowledge. The bot connects back to a central server or command center. An entire network of compromised devices is known as a botnet. One of the most common uses of a botnet is to launch distributed denial of service (DDoS) attacks.

Ransomware is a type of malware that takes a computer or its data hostage in an effort to extort money from victims. There are two types of ransomware: Lockscreen ransomware displays a full-screen image or web page that prevents you from accessing anything in your computer. Encryption ransomware encrypts your files with a password, preventing you from opening them. The most common ransomware scheme is a notification that authorities have detected illegal activity on your computer and you must pay a “fine” to avoid prosecution and regain access to your system.

A rootkit is a set of software tools that hides its presence in the lower layers of the operating system’s application layer, the operating system kernel, or in the device basic input/output system (BIOS) with privileged access permissions. Root is a Unix/Linux term that denotes administrator-level or privileged access permissions. The word kit denotes a program that allows someone to obtain root/admin-level access to the computer by executing the programs in the kit—all of which is done without end-user consent or knowledge. The intent is generally remote C&C. Rootkits cannot self-propagate or replicate; they must be installed on a device. Because of where they operate, they are very difficult to detect and even more difficult to remove.

Spyware is a general term used to describe software that without a user’s consent and/or knowledge tracks Internet activity such as searches and web surfing, collects data on personal habits, and displays advertisements. Spyware sometimes affects the device configuration by changing the default browser, changing the browser home page, or installing “add-on” components. It is not unusual for an application or online service license agreement to contain a clause that allows for the installation of spyware.


FYI: Do-Not-Track Legislation

As of the writing of this text, Congress has failed to pass S. 418: Do-Not-Track Online Act of 2013. The proposed legislation requires the Federal Trade Commission to establish and enforce (1) regulations that establish standards for the implementation of a mechanism by which an individual can indicate whether he or she prefers to have personal information collected by providers of online services, including by providers of mobile applications and services, and (2) rules that prohibit such providers from collecting personal information on individuals who have expressed a preference not to have such information collected.

The advertising and direct marketing industries have lobbied hard to block passage of this bill. In response, Microsoft, Apple, and Google are working on browser-based controls that would allow a user to disable cookies and spyware. However, advertisers are lobbying Congress to legislate that consumers be required to choose whether they want cookies blocked or not. Under those proposals, tracking would be on by default and consumers would have to choose to turn it off.

For more information, visit www.govtrack.us/congress/bills/113/s418.


How Is Malware Controlled?

The IT department is generally tasked with the responsibility of employing a strong anti-malware defense-in-depth strategy. In this case, defense in depth means implementing prevention, detection, and response controls, coupled with a security awareness campaign.

Using Prevention Controls

The goal of prevention control is to stop an attack before it even has a chance to start. This can be done in a number of ways:

• Impact the distribution channel by training users not to click links embedded in email, open unexpected email attachments, irresponsibly surf the Web, download games or music, participate in peer-to-peer (P2P) networks, or allow remote access to their desktop.
• Configure the firewall to restrict access.
• Do not allow users to install software on company-provided devices.
• Do not allow users to make changes to configuration settings.
• Do not allow users to have administrative rights to their workstations. Malware runs in the security context of the logged-in user.
• Do not allow users to disable (even temporarily) anti-malware software and controls.
• Disable remote desktop connections.
• Apply operating system and application security patches expediently.
• Enable browser-based controls, including pop-up blocking, download screening, and automatic updates.
• Implement an enterprise-wide antivirus/anti-malware application. It is important that the anti-malware solutions be configured to update as frequently as possible because many new pieces of malicious code are released daily.

Using Detection Controls

Detection controls should identify the presence of malware, alert the user (or network administrator), and in the best-case scenario stop the malware from carrying out its mission. Detection should occur at multiple levels—at the entry point of the network, on all hosts and devices, and at the file level. Detection controls include the following:

• Real-time firewall detection of suspicious file downloads.
• Real-time firewall detection of suspicious network connections.
• Host and network-based intrusion detection systems or intrusion prevention systems (IDS/IPS).
• Review and analysis of firewalls, IDS, operating systems, and application logs for indicators of compromise.
• User awareness to recognize and report suspicious activity.
• Help desk (or equivalent) training to respond to malware incidents.
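As an added example (not from the book), the following Python runs two of the log checks this list calls for over constructed firewall log lines: the worm-style fan-out described for Slammer (one host reaching many destinations on a single port within seconds) and the timer-driven check-ins to a command and control server described for Trojans and bots. The log format, addresses, ports and thresholds are all constructed and would need tuning for a real environment.

```python
"""Added example (not from the book): log review for indicators of compromise.
Two behaviours described in this chapter are flagged from constructed firewall
log lines: worm-style fan-out (one host reaching many destinations on one port
in seconds, as Slammer did against SQL hosts) and bot/Trojan-style beaconing
(timer-driven connections to one command-and-control address). Log format,
hosts, addresses, ports and thresholds are all constructed for the example."""
from collections import defaultdict
from datetime import datetime, timedelta
import statistics


def build_sample_log() -> str:
    """Constructed log in a simple 'timestamp action proto src dst:port' form."""
    base = datetime(2013, 6, 10, 9, 0, 0)
    lines = []
    # Ordinary user traffic: a few web connections at irregular times.
    for sec, dst in [(5, "198.51.100.7"), (61, "198.51.100.8"), (190, "198.51.100.7")]:
        ts = base + timedelta(seconds=sec)
        lines.append(f"{ts.isoformat()} ALLOW TCP 10.1.2.15 {dst}:443")
    # Fan-out: 25 distinct destinations on one port within two seconds.
    for i in range(25):
        ts = base + timedelta(seconds=i * 0.08)
        lines.append(f"{ts.isoformat()} ALLOW UDP 10.1.2.30 198.51.100.{100 + i}:1434")
    # Beaconing: eight check-ins about 300 s apart with a little jitter.
    for i in range(8):
        ts = base + timedelta(seconds=300 * i + (i % 3))
        lines.append(f"{ts.isoformat()} ALLOW TCP 10.1.2.77 203.0.113.5:443")
    return "\n".join(lines)


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields."""
    ts, action, proto, src, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "action": action, "proto": proto,
            "src": src, "dst": dst, "port": int(port)}


def detect_fanout(events, window_seconds=10, min_destinations=20) -> dict:
    """Map (src, port) -> most distinct destinations seen inside any
    window_seconds window, for sources that reach min_destinations or more."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["src"], e["port"])].append((e["ts"], e["dst"]))
    alerts = {}
    for key, hits in by_key.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until the span fits the limit.
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = len({dst for _, dst in hits[start:end + 1]})
            if distinct >= min_destinations:
                alerts[key] = max(alerts.get(key, 0), distinct)
    return alerts


def detect_beacons(events, min_connections=6, max_jitter_ratio=0.1) -> dict:
    """Map (src, dst, port) -> mean interval in seconds for pairs whose
    connection gaps are nearly constant: a timer, not a person at a keyboard."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"], e["port"])].append(e["ts"])
    alerts = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter_ratio:
            alerts[pair] = round(mean)
    return alerts


def analyze(log_text: str) -> dict:
    """Run both detectors over raw log text and return their findings."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    return {"fanout": detect_fanout(events), "beacons": detect_beacons(events)}


if __name__ == "__main__":
    for kind, findings in analyze(build_sample_log()).items():
        for key, value in findings.items():
            print(f"{kind}: {key} -> {value}")
```

Ordinary browsing from 10.1.2.15 trips neither check, which is the point of comparing against a window and a jitter ratio rather than raw connection counts.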

What Is Antivirus Software?

Antivirus (AV) software is used to detect, contain, and in some cases eliminate malicious software. Most AV software employs two techniques—signature-based recognition and behavior-based (heuristic) recognition. A common misconception is that AV software is 100% effective against malware intrusions. Unfortunately, that is not the case. Although AV applications are an essential control, they are increasingly limited in their effectiveness. This is due to three factors—the sheer volume of new malware, the phenomenon of “single-instance” malware, and the sophistication of blended threats.

The core of AV software is known as the “engine.” It is the basic program. The program relies on virus definition files (known as DAT files) to identify malware. The definition files must be continually updated by the software publisher and then distributed to every user. This was a reasonable task when the number and types of malware were limited. New versions of malware are increasing exponentially, thus making research, publication, and timely distribution a next-to-impossible task. In their 2013 “State of Malware” report, McAfee Labs researchers announced that they are cataloging upwards of 100,000 new malware samples each day—that is 69 new pieces of malware a minute or about one new threat every second. Complicating this problem is the phenomenon of single-instance malware—that is, variants only used one time. The challenge here is that DAT files are developed using historical knowledge, and it is impossible to develop a corresponding DAT file for a single instance that has never been seen before. The third challenge is the sophistication of malware—specifically, blended threats. A blended threat occurs when multiple variants of malware (worms, viruses, bots, and so on) are used in concert to exploit system vulnerabilities. Blended threats are specifically designed to circumvent AV and behavioral-based defenses.
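The following Python, added here and not from the book, contrasts the two techniques in miniature: a DAT-style hash and byte-pattern match against a constructed known sample and a never-before-seen per-victim build of it, and a behavior-based score over a constructed trace of run-time actions. Signatures, samples, traces and rule weights are all constructed; no real malware or vendor format is involved.

```python
"""Added example (not from the book): why definition-file (DAT) matching misses
single-instance malware while a behaviour-based check can still fire. The
sample bytes, signatures, action traces and rule weights are constructed for
illustration; no real malware or vendor format is involved."""
import hashlib
from typing import Iterable, Optional

# Constructed "known sample" and the two kinds of entry a DAT file may hold
# for it: a whole-file hash and a byte pattern cut from the sample.
KNOWN_SAMPLE = b"CONSTRUCTED-SAMPLE v1 :: beacon=203.0.113.5 :: autorun=yes"
DAT_HASHES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}
DAT_PATTERNS = [b"beacon=203.0.113.5"]

# Constructed per-victim build: different strings and a unique tag, never
# submitted to any vendor, so no DAT entry can exist for it ("single-instance").
VARIANT_SAMPLE = b"CONSTRUCTED-SAMPLE v1 :: beacon=203.0.113.6 :: autorun=yes :: id=0042"


def signature_scan(sample: bytes) -> Optional[str]:
    """Return which DAT entry matched ('hash' or 'pattern'), or None.
    Both depend entirely on bytes the vendor has already seen."""
    if hashlib.sha256(sample).hexdigest() in DAT_HASHES:
        return "hash"
    for pattern in DAT_PATTERNS:
        if pattern in sample:
            return "pattern"
    return None


# Constructed behaviour rules: actions a host agent could observe at run time,
# with weights. These do not depend on what the file's bytes look like.
BEHAVIOUR_RULES = {
    "write:autorun": 3,         # persistence via Run key / startup folder
    "write:system_dir": 2,      # drops a copy into a system directory
    "net:outbound_unknown": 2,  # connects to an address not on the allow list
    "disable:antimalware": 4,   # attempts to switch off the AV agent
    "spawn:shell": 1,           # common in installers too, so weighted low
}
BEHAVIOUR_THRESHOLD = 5


def behaviour_score(actions: Iterable[str]) -> int:
    """Sum the weights of distinct observed actions (repeats count once)."""
    return sum(BEHAVIOUR_RULES.get(action, 0) for action in set(actions))


def behaviour_verdict(actions: Iterable[str]) -> bool:
    """True when the observed behaviour crosses the constructed threshold."""
    return behaviour_score(actions) >= BEHAVIOUR_THRESHOLD


# Constructed traces. Both builds of the sample do the same things when run;
# the benign installer touches only its own directory and its vendor.
MALICIOUS_TRACE = ["write:system_dir", "write:autorun",
                   "net:outbound_unknown", "net:outbound_unknown"]
BENIGN_TRACE = ["write:program_dir", "net:outbound_allowlisted", "spawn:shell"]


def assess(sample: bytes, actions: Iterable[str]) -> dict:
    """Report both techniques side by side, as an engine with two detectors would."""
    actions = list(actions)
    signature = signature_scan(sample)
    return {"signature": signature,
            "behaviour_score": behaviour_score(actions),
            "blocked": signature is not None or behaviour_verdict(actions)}


if __name__ == "__main__":
    print("known sample :", assess(KNOWN_SAMPLE, MALICIOUS_TRACE))
    print("variant      :", assess(VARIANT_SAMPLE, MALICIOUS_TRACE))
    print("benign       :", assess(b"CONSTRUCTED-INSTALLER", BENIGN_TRACE))
```

The variant is invisible to both DAT entries but scores the same as the known sample on behaviour, which is the trade-off the paragraph describes: the heuristic catches what history cannot, at the cost of needing a threshold that a benign installer stays under.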


FYI: W32.Stuxnet: A Complex Blended Threat

Stuxnet, which was developed by the governments of the United States and Israel, is a good example of a complex blended threat. W32.Stuxnet was designed to target and disrupt industrial control systems. Stuxnet malware was initially introduced via a USB device connected to a target computer. Once executed, the malware searched for one of four different Windows vulnerabilities, which enabled it to install a rootkit. From there, worm techniques spread the malicious code to as many computers within the network as possible. The malware updated itself through a P2P mechanism. Stuxnet also had a separate module that used worm techniques to look for supervisory control and data acquisition (SCADA) controller devices manufactured by Siemens. When Stuxnet located one of these devices, it installed yet another piece of malicious code that was designed to control or at least disrupt the device’s operation. Encrypted VPN tunneling was then used to connect to two websites, which relayed commands from, and reported back to, the perpetrators of the attack.


Data Replication

The impact of malware, computer hardware failure, accidental deletion of data by users, and other eventualities is reduced with an effective data backup or replication process that includes periodic testing to ensure the integrity of the data as well as the efficiency of the procedures to restore that data in the production environment. Having multiple copies of data is essential for both data integrity and availability. Data replication is the process of copying data to a second location that is available for immediate or near-real-time use. Data backup is the process of copying and storing data that can be restored to its original location. A company that exists without a tested backup-and-restore or data replication solution is like a flying acrobat working without a net.

Is There a Recommended Backup or Replication Strategy?

Making the decision to back up or to replicate, and how often, should be based on the impact of not being able to access the data either temporarily or permanently. Strategic, operational, financial, transactional, and regulatory requirements must be considered. You should consider several factors when designing a replication or data backup strategy. Reliability is paramount; speed and efficiency are also very important, as are simplicity, ease of use, and, of course, cost. These factors will all define the criteria for the type and frequency of the process.

Backed-up or replicated data should be stored at an off-site location, in an environment where it is secure from theft, the elements, and natural disasters such as floods and fires. The backup strategy and associated procedures must be documented.


FYI: Cloud Storage

“The cloud” is a metaphor for the Internet. Cloud storage refers to using Internet-based resources to store your data. A number of the cloud-based computing vendors such as Google and Amazon offer scalable, affordable storage options that can be used in place of (or in addition to) local backup.


Understanding the Importance of Testing

The whole point of replicating or backing up data is that it can be accessed or restored if the data is lost or tampered with. In other words, the value of the backup or replication is the assurance that running a restore operation will yield success and that the data will once again be available for production and business-critical application systems.

Just as proper attention must be paid to designing and testing the replication or backup solution, the accessibility or restore strategy must also be carefully designed and tested before being approved. Accessibility or restore procedures must be documented. The only way to know whether a replication or backup operation was successful and can be relied upon is to test it. It is recommended that test access or restores of random files be conducted at least monthly.
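A monthly “restore a few random files” test only proves something if the restored files can be compared against what was backed up. The following Python example (added here for illustration; it is not from the book or from any backup product) records a SHA-256 manifest at backup time and checks a restored tree against it, reporting files that are missing or whose contents silently changed. The directory layout, file contents, and the altered/missing files are constructed for the example.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Taken at backup time: SHA-256 of every file under root, keyed by relative path."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Run after a test restore: every file must exist and hash exactly as recorded."""
    result = {"ok": [], "missing": [], "mismatch": []}
    for rel, digest in manifest.items():
        p = restored / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_file(p) != digest:
            result["mismatch"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo_in_tempdir() -> dict:
    """Constructed scenario: three files backed up; on restore one is intact,
    one was silently altered (e.g. a stale copy overwrote it) and one is lost."""
    with tempfile.TemporaryDirectory() as d:
        tmp = Path(d)
        src = tmp / "source"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.csv").write_bytes(b"id,name\n1,alice\n")
        (src / "config.ini").write_bytes(b"[app]\nmode=prod\n")
        (src / "notes.txt").write_bytes(b"quarterly notes\n")

        # Store the manifest with the backup set (and, in practice, a copy elsewhere).
        (tmp / "manifest.json").write_text(json.dumps(build_manifest(src), indent=2))

        restored = tmp / "restored"
        (restored / "db").mkdir(parents=True)
        (restored / "db" / "customers.csv").write_bytes(b"id,name\n1,alice\n")  # intact
        (restored / "config.ini").write_bytes(b"[app]\nmode=dev\n")              # altered
        # notes.txt is never restored -> reported as missing

        saved = json.loads((tmp / "manifest.json").read_text())
        return verify_restore(saved, restored)


if __name__ == "__main__":
    print(json.dumps(demo_in_tempdir(), indent=2))
```

A restore test that passes is one where `missing` and `mismatch` are both empty; anything else is a finding to be tracked like any other incident, because the backup would not have saved you.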

Secure Messaging

In 1971, Ray Tomlinson, a Department of Defense (DoD) researcher, sent the first ARPANET email message to himself. The ARPANET, the precursor to the Internet, was a United States (U.S.) Advanced Research Project Agency (ARPA) project intended to develop a set of communications protocols to transparently connect computing resources in various geographical locations. Messaging applications were available on ARPANET systems; however, they could only be used for sending messages to users with local system accounts. Tomlinson modified the existing messaging system so that users could send messages to users on other ARPANET-connected systems. After Tomlinson’s modification was available to other researchers, email quickly became the most heavily used application on the ARPANET. Security was given little consideration because the ARPANET was viewed as a trusted community.

Current email architecture is strikingly similar to the original design. Consequently, email servers, email clients, and users are vulnerable to exploit and are frequent targets of attack. Organizations need to implement controls that safeguard the CIA of email hosts and email clients. NIST Special Publication 800-45, Version 2, Guidelines on Electronic Mail Security, published in February 2007, recommends security practices for designing, implementing, and operating email systems on public and private networks.

What Makes Email a Security Risk?

When you send an email, the route it takes in transit is complex, with processing and sorting occurring at several intermediary locations before arriving at the final destination. In its native form, email is transmitted using clear text protocols. It is almost impossible to know if anyone has read or manipulated your email in transit. Forwarding, copying, storing, and retrieving email is easy (and commonplace); preserving confidentiality of the contents and metadata is difficult. Additionally, email can be used to distribute malware and to exfiltrate company data.

Understanding Clear Text Transmission

Simple Mail Transfer Protocol (SMTP) is the de facto message transport standard for sending email messages. Jon Postel of the University of Southern California published SMTP in August 1982. At the most basic level, SMTP is a minimal language that defines a communications protocol for delivering email messages. Once a message is delivered, users need to access the mail server to retrieve it. The two most widely supported mailbox access protocols are Post Office Protocol (POP, now in its third version, POP3), developed in 1984, and Internet Message Access Protocol (IMAP), developed in 1988. The designers never envisioned that someday email would be ubiquitous, and as with the original ARPANET communications, reliable message delivery, rather than security, was the focus. In their native form, SMTP, POP, and IMAP are all clear-text protocols: unless transport encryption (TLS, negotiated with STARTTLS or used on a dedicated TLS port) is layered on top, the delivery instructions (including access passwords) and the email contents travel in human-readable form. Information sent in clear text may be captured and read by third parties, resulting in a breach of confidentiality, or captured and manipulated by third parties, resulting in a breach of integrity.
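What “clear text” means in practice is easiest to see from a captured session. The Python example below (added here for illustration; it is not from the book or from any mail product) walks a constructed packet-capture transcript of an SMTP submission without TLS and recovers the account password from the `AUTH PLAIN` and `AUTH LOGIN` exchanges, which are only base64-encoded, then pulls the message headers and body out of the `DATA` phase. The host names, accounts, and passwords are invented for the example.

```python
import base64
import re


def b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed transcripts of clear-text submission sessions (no TLS), as a sniffer
# on the path would see them. "C:" lines are from the client, "S:" from the server.
PLAIN_BLOB = b64("\0alice\0s3cr3t-p@ss")   # RFC 4616 AUTH PLAIN: authzid NUL authcid NUL passwd
CAPTURE_PLAIN = f"""\
S: 220 mail.example.test ESMTP
C: EHLO laptop.example.test
S: 250-mail.example.test
S: 250 AUTH PLAIN LOGIN
C: AUTH PLAIN {PLAIN_BLOB}
S: 235 2.7.0 Authentication successful
C: MAIL FROM:<alice@example.test>
S: 250 OK
C: RCPT TO:<bob@example.test>
S: 250 OK
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: Subject: Q3 forecast
C:
C: Revenue numbers attached, do not forward.
C: .
S: 250 OK queued
"""

USER_BLOB, PW_BLOB = b64("bob"), b64("hunter2")
CAPTURE_LOGIN = f"""\
S: 220 mail.example.test ESMTP
C: EHLO phone.example.test
S: 250 AUTH PLAIN LOGIN
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: {USER_BLOB}
S: 334 UGFzc3dvcmQ6
C: {PW_BLOB}
S: 235 2.7.0 Authentication successful
C: QUIT
"""


def client_lines(capture: str) -> list:
    return [ln[2:].strip() for ln in capture.splitlines() if ln.startswith("C:")]


def extract_credentials(capture: str) -> list:
    """Recover (mechanism, username, password) from AUTH PLAIN / AUTH LOGIN exchanges.
    Base64 is an encoding, not encryption: anyone on the path gets the password."""
    lines = client_lines(capture)
    found, i = [], 0
    while i < len(lines):
        m = re.match(r"AUTH PLAIN (\S+)$", lines[i], re.I)
        if m:
            parts = base64.b64decode(m.group(1)).split(b"\0")
            found.append(("PLAIN", parts[1].decode(), parts[2].decode()))
        elif re.match(r"AUTH LOGIN$", lines[i], re.I) and i + 2 < len(lines):
            # Server prompts "Username:" / "Password:" in base64; the client answers in base64.
            user = base64.b64decode(lines[i + 1]).decode()
            password = base64.b64decode(lines[i + 2]).decode()
            found.append(("LOGIN", user, password))
            i += 2
        i += 1
    return found


def extract_message(capture: str) -> dict:
    """Pull headers and body out of the DATA phase: the content is just as exposed."""
    headers, body, in_data, in_headers = {}, [], False, False
    for line in client_lines(capture):
        if not in_data:
            if line.upper() == "DATA":
                in_data, in_headers = True, True
            continue
        if line == ".":
            break
        if in_headers:
            if line == "":
                in_headers = False
            else:
                name, _, value = line.partition(":")
                headers[name.strip()] = value.strip()
        else:
            body.append(line)
    return {"headers": headers, "body": "\n".join(body)}


if __name__ == "__main__":
    print(extract_credentials(CAPTURE_PLAIN), extract_credentials(CAPTURE_LOGIN))
    print(extract_message(CAPTURE_PLAIN))
```

The remedy is not a stronger AUTH mechanism but encrypting the whole session: require STARTTLS (or implicit TLS) before the server advertises `AUTH` at all, and configure clients to refuse to send credentials otherwise.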

Encryption protocols can be used to protect both authentication and contents. Encryption protects the privacy of the message by converting it from (readable) plaintext into (scrambled) ciphertext. We will be examining encryption protocols in depth in Chapter 10, “Information Systems Acquisition, Development, and Maintenance.” Encrypted email is often referred to as “secure email.” As we discussed in Chapter 5, “Asset Management,” email-handling standards should specify the email encryption requirements for each data classification. Most email encryption utilities can be configured to auto-encrypt based on preset criteria, including content, recipient, and email domain.

Understanding Metadata

Documents sent as email attachments might contain more information than the sender intended to share. The files created by many office programs contain hidden information about the creator of the document, and may even include some content that has been reformatted, deleted, or hidden. This information is known as metadata.

Keep this in mind in the following situations:

Image If you recycle documents by making changes and sending them to new recipients (that is, using a boilerplate contract or a sales proposal).

Image If you use a document created by another person. In programs such as Microsoft Office, the document might list the original person as the author.

Image If you use a feature for tracking changes. Be sure to accept or reject changes, not just hide the revisions.
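The hidden information is not hard to find once you know that a .docx file is a ZIP archive of XML parts. The Python example below (added here for illustration; it is not from the book or from Microsoft) builds a small constructed .docx with a stale author, a tracked deletion of a previous customer’s name, a pending insertion, and a paragraph merely formatted as hidden, then reports everything a recipient could recover. Only the standard library is used; the property names and XML namespaces are the real Office Open XML ones, while the document contents are invented.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}


def _text(el, tag: str) -> str:
    """Concatenate the text of all <w:tag> descendants of el."""
    return "".join(t.text or "" for t in el.iter(f"{{{NS['w']}}}{tag}"))


def inspect_docx(data: bytes) -> dict:
    """Report identifying properties and leftover revision content in a .docx file."""
    report = {"core": {}, "app": {}, "tracked_insertions": [],
              "tracked_deletions": [], "hidden_text": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:          # author, last editor, dates, revision count
            root = ET.fromstring(z.read("docProps/core.xml"))
            for tag in ("dc:creator", "cp:lastModifiedBy", "dcterms:created",
                        "dcterms:modified", "cp:revision"):
                el = root.find(tag, NS)
                if el is not None and el.text:
                    report["core"][tag] = el.text
        if "docProps/app.xml" in names:           # company, template, total editing time
            root = ET.fromstring(z.read("docProps/app.xml"))
            for tag in ("ep:Company", "ep:Template", "ep:TotalTime"):
                el = root.find(tag, NS)
                if el is not None and el.text:
                    report["app"][tag] = el.text
        if "word/document.xml" in names:
            root = ET.fromstring(z.read("word/document.xml"))
            for ins in root.iter(f"{{{NS['w']}}}ins"):   # tracked insertion not yet accepted
                report["tracked_insertions"].append(_text(ins, "t"))
            for dele in root.iter(f"{{{NS['w']}}}del"):  # tracked deletion: text is still in the file
                report["tracked_deletions"].append(_text(dele, "delText"))
            for run in root.iter(f"{{{NS['w']}}}r"):     # runs formatted as hidden (w:vanish)
                if run.find("w:rPr/w:vanish", NS) is not None:
                    report["hidden_text"].append(_text(run, "t"))
    return report


def build_sample_docx() -> bytes:
    """Constructed minimal .docx: a recycled proposal whose previous customer name was
    'deleted' with Track Changes and whose internal pricing note was merely hidden."""
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" xmlns:dcterms="{NS["dcterms"]}">'
            '<dc:creator>J. Former-Employee</dc:creator>'
            '<cp:lastModifiedBy>sales-laptop-07</cp:lastModifiedBy>'
            '<cp:revision>14</cp:revision>'
            '<dcterms:created>2012-03-01T09:00:00Z</dcterms:created>'
            '</cp:coreProperties>')
    app = (f'<Properties xmlns="{NS["ep"]}">'
           '<Company>Acme Partner Ltd</Company><TotalTime>612</TotalTime></Properties>')
    doc = (f'<w:document xmlns:w="{NS["w"]}"><w:body>'
           '<w:p><w:r><w:t>Proposal for </w:t></w:r>'
           '<w:del w:id="1" w:author="J. Former-Employee"><w:r><w:delText>Acme Corp</w:delText></w:r></w:del>'
           '<w:ins w:id="2" w:author="sales"><w:r><w:t>Globex</w:t></w:r></w:ins></w:p>'
           '<w:p><w:r><w:rPr><w:vanish/></w:rPr><w:t>Internal: floor price is $40k</w:t></w:r></w:p>'
           '</w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", doc)
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_docx(build_sample_docx()))
```

A check like this belongs at the outbound mail gateway or in a pre-send add-in: a document with pending `w:ins`/`w:del` elements or hidden runs should be bounced back to the sender, and Office’s Document Inspector should be the normal last step before a file leaves the organization.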

Understanding Embedded Malware

Email is an effective method to attack and ultimately infiltrate an organization. Common mechanisms include embedding malware in an attachment and directing the recipient to click a hyperlink that connects (unbeknownst to the user) to a malware distribution site. Increasingly, attackers are using email to deliver zero-day attacks against targeted organizations. A zero-day exploit is one that takes advantage of a vulnerability for which no patch is yet available, typically before the vendor or the public is aware of it.

Malware can easily be embedded in common attachments such as PDF, Word, and Excel files or even a picture. Not allowing any attachments would simplify email security; however, it would dramatically reduce the usefulness of email. Determining which types of attachments to allow and which to filter out must be an organizational decision. Filtering is a mail gateway or mail server function and is commonly based on the file extension. Extension-based filtering alone is of limited effectiveness because attackers can simply rename a file, so the filter should also inspect the file’s actual content type (its leading “magic” bytes) and treat a mismatch as a block. In keeping with a defense-in-depth approach, allowed attachments should be scanned for malware at the mail gateway, email server, and email client.
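The difference between filtering on the name and filtering on the content is shown by the Python example below (added here for illustration; it is not from the book or from any mail gateway). It classifies each attachment by its leading bytes, blocks executable content whatever it is called, and blocks any allowed extension whose content does not match. The allow list and the sample attachment headers are constructed for the example; a production filter would read the whole MIME part and hand anything allowed on to AV scanning.

```python
# Signature bytes at offset 0 for common attachment types (constructed list for the example).
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "ole2"),   # legacy .doc/.xls/.ppt (OLE compound file)
    (b"PK\x03\x04", "zip"),                           # .docx/.xlsx/.pptx are ZIP containers; so are .jar/.apk
    (b"MZ", "pe"),                                    # Windows EXE/DLL/SCR, whatever the name says
    (b"\x7fELF", "elf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xFF\xD8\xFF", "jpeg"),
]

# Extensions the organization chose to allow, and the content type each must actually have.
ALLOWED = {"pdf": "pdf", "doc": "ole2", "xls": "ole2", "docx": "zip", "xlsx": "zip",
           "png": "png", "jpg": "jpeg", "jpeg": "jpeg"}


def sniff(data: bytes) -> str:
    """Classify by leading bytes rather than by the name the sender chose."""
    for signature, kind in MAGIC:
        if data.startswith(signature):
            return kind
    return "unknown"


def classify_attachment(filename: str, data: bytes) -> dict:
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data)
    if kind in ("pe", "elf"):
        verdict, reason = "block", f"executable content ({kind}) regardless of extension"
    elif ext not in ALLOWED:
        verdict, reason = "block", f".{ext or '(none)'} is not an allowed attachment type"
    elif kind != ALLOWED[ext]:
        verdict, reason = "block", f".{ext} extension but content sniffed as {kind}"
    else:
        verdict, reason = "allow", "content type matches extension; pass to AV scanning"
    return {"file": filename, "ext": ext, "content": kind, "verdict": verdict, "reason": reason}


# Constructed attachment headers (first bytes only).
SAMPLES = [
    ("report.pdf",  b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    ("invoice.pdf", b"MZ\x90\x00\x03\x00\x00\x00\x04\x00"),   # a Windows executable renamed to .pdf
    ("photo.jpg",   b"\xFF\xD8\xFF\xE0\x00\x10JFIF"),
    ("setup.exe",   b"MZ\x90\x00\x03\x00\x00\x00\x04\x00"),
    ("notes.docx",  b"PK\x03\x04\x14\x00\x06\x00"),
    ("archive.7z",  b"7z\xbc\xaf\x27\x1c"),
    ("q3.xlsx",     b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"),      # OLE content under a .xlsx name
]


def screen(samples=SAMPLES) -> list:
    return [classify_attachment(name, data) for name, data in samples]


if __name__ == "__main__":
    for r in screen():
        print(f'{r["verdict"]:5} {r["file"]:12} {r["reason"]}')
```

Note that content sniffing is itself only one layer: a genuine PDF or Office document can still carry an exploit, which is why allowed attachments go on to AV and, ideally, sandbox detonation.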

A hyperlink is a word, phrase, or image that is programmatically configured to connect to another document, bookmark, or location. Hyperlinks have two components—the text to display (such as www.goodplace.com) and the connection instructions. Genuine-looking hyperlinks are used to trick email recipients into connecting to malware distribution sites. Most email client applications have the option to disable active hyperlinks. The challenge here is that hyperlinks are often legitimately used to direct the recipient to additional information. In both cases, users need to be taught to not click on links or open any attachment associated with an unsolicited, unexpected, or even mildly suspicious email.

Controlling Access to Personal Email Applications

Access to personal email accounts should not be allowed from a corporate network. Email that is delivered via personal email applications such as Gmail bypasses all of the controls that the company has invested in, such as email filtering and scanning. A fair comparison would be that you install a lock, lights, and an alarm system on the front door of your home but choose to leave the back door wide open all the time based on the assumption that the back door is really just used occasionally for friends and family.

In addition to outside threats, consideration needs to be given to both the malicious and unintentional insider threat. If an employee decides to correspond with a customer via personal email or if an employee chooses to exfiltrate information and send it via personal email, there would be no record of the activity. From both an HR and a forensic perspective, this would hamper an investigation and subsequent response.


FYI: Fraudulent Hyperlinks

Creating a fraudulent hyperlink is easy. You can use HTML code or built-in commands. Figure 8.3 is from a Microsoft Office application. Notice the two boxes—Text to Display (Good_Place.com) and Address (pointing to Bad_Place.com). There is no requirement that the two match!


Image

FIGURE 8.3 Editing a hyperlink.

Understanding Hoaxes

Every year, a vast amount of money is lost, in the form of support costs and equipment workload, due to hoaxes sent by email. A hoax is a deliberately fabricated falsehood. An email hoax may be a fake virus warning or false information of a political or legal nature, and often borders on criminal mischief. Some hoaxes ask recipients to take action that turns out to be damaging—deleting supposedly malicious files from their local computer, sending uninvited mail, randomly boycotting organizations for falsified reasons, or defaming an individual or group by forwarding the message on.

Understanding the Risks Introduced by User Error

The three most common user errors that impact the confidentiality of email are sending email to the wrong person, choosing “Reply All” instead of “Reply,” and using “Forward” inappropriately.

It is easy to mistakenly send email to the wrong address. This is especially true with email clients that auto-complete addresses based on the first three or four characters entered. All users must be made aware of this, and must pay strict attention to the email address entered in the To field, along with the CC and BCC fields when used.

The consequence of choosing Reply All instead of Reply can be significant. The best-case scenario is embarrassment. In the worst cases, confidentiality is violated by distributing information to those who do not have a “need to know.” In regulated sectors such as healthcare and banking, violating the privacy of patients and/or clients is against the law.

Forwarding has similar implications. Assume that two people have been emailing back and forth using the “reply” function. Their entire conversation is contained in the quoted thread at the bottom of the latest message. Now suppose that one of them decides that something in the last email is of interest to a third person and forwards the email. In reality, what that person just did was forward the entire thread of emails that had been exchanged between the two original people. This may well have not been the person’s intent and may violate the privacy of the other original correspondent.

Are Email Servers at Risk?

Email servers are hosts that deliver, forward, and store email. Email servers are attractive targets because they are a conduit between the Internet and the internal network. Protecting an email server from compromise involves hardening the underlying operating system, the email server application, and the network to prevent malicious entities from directly attacking the mail server. Email servers should be single-purpose hosts, and all other services should be disabled or removed. Email server threats include relay abuse and DoS attacks.

Understanding Relay Abuse and Blacklisting

The role of an email server is to process and relay email. The default posture of some email servers is to process and relay any mail sent to the server, regardless of who is sending it or whom it is addressed to. This is known as an open mail relay. The ability to relay mail through a server can be (and often is) taken advantage of by those who benefit from the illegal use of the resource. Criminals scan the Internet for email servers configured to allow relay. Once they locate an open relay server, they use it for distributing spam and malware. The email appears to come from the company whose email server was misappropriated. Criminals use this technique to hide their identity. This is not only an embarrassment but can also result in legal and productivity ramifications.

In response to the deluge of spam and email malware distribution, blacklisting has become a standard practice. A blacklist is a list of email addresses, domain names, or IP addresses known to send unsolicited commercial email (spam) or email-embedded malware. The process of blacklisting is to use the blacklist as an email filter. The receiving email server checks incoming connections and messages against the blacklist, and when a match is found, the email is denied. IP-address blacklists are most often published as DNS-based blackhole lists (DNSBLs), which a receiving server queries for each connecting client.
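The two ideas above, a relay policy that is not open and a DNSBL check on the connecting client, come together at the moment the server decides whether to accept a `RCPT TO`. The Python example below (added here for illustration; it is not from the book or from Postfix, though the three rule names are Postfix’s real `smtpd_relay_restrictions` entries) evaluates that decision in the usual order and builds the reversed-octet DNSBL query name. The site configuration, the listed address, and the offline resolver are constructed for the example; with no resolver supplied, `is_listed` uses the system resolver and needs network access.

```python
import ipaddress
import socket

# Constructed site configuration for the example.
LOCAL_DOMAINS = {"example.test"}                      # domains this server accepts inbound mail for
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("10.20.0.0/16")]   # internal clients allowed to relay outbound


def dnsbl_query_name(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """DNSBL lookups reverse the IPv4 octets and append the list's zone (RFC 5782)."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip: str, zone: str = "zen.spamhaus.org", resolver=None) -> bool:
    """A listed address resolves to an A record inside 127.0.0.0/8; NXDOMAIN means not listed.
    `resolver` is an injectable hook (hypothetical) so the logic can be exercised offline."""
    resolve = resolver or socket.gethostbyname
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except OSError:
        return False
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")


def relay_decision(client_ip: str, authenticated: bool, rcpt: str, resolver=None) -> tuple:
    """Decide RCPT TO the way Postfix's smtpd_relay_restrictions does, in this order:
    permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination.
    An open relay is what you get when the last rule is missing: everything is accepted."""
    rcpt_domain = rcpt.rsplit("@", 1)[-1].lower()
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in MYNETWORKS):
        return ("accept", "permit_mynetworks")
    if authenticated:
        return ("accept", "permit_sasl_authenticated")
    if rcpt_domain in LOCAL_DOMAINS:
        # Inbound mail for a domain we host: accept, but check the sender's host against the blacklist.
        if is_listed(client_ip, resolver=resolver):
            return ("reject", "client listed on DNSBL")
        return ("accept", "local destination")
    return ("reject", "reject_unauth_destination")


# Constructed DNSBL answers so the example runs without network access.
FAKE_DNSBL = {"203.0.113.7": "127.0.0.2"}


def fake_resolver(name: str) -> str:
    for ip, answer in FAKE_DNSBL.items():
        if name == dnsbl_query_name(ip):
            return answer
    raise OSError("NXDOMAIN")


if __name__ == "__main__":
    for args in [("10.20.3.4", False, "x@other.test"), ("198.51.100.9", False, "x@other.test"),
                 ("198.51.100.9", False, "bob@example.test"), ("203.0.113.7", False, "bob@example.test")]:
        print(args, "->", relay_decision(*args, resolver=fake_resolver))
```

Testing your own server for open relay is the same check run from outside: connect from an address that is neither in `MYNETWORKS` nor authenticated, issue `RCPT TO` for a domain you do not host, and expect a 5xx rejection.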

Understanding Denial of Service Attacks

SMTP is especially vulnerable to DoS and DDoS attacks because, by design, a mail server accepts and queues incoming email from anyone. To mitigate the effects of email DoS attacks, the mail server can be configured to limit the amount of operating system resources it can consume. Some examples include configuring the mail server application so that it cannot consume all available space on its hard drives or partitions, limiting the size of attachments that are allowed, limiting the number of concurrent connections and messages accepted from a single client, and ensuring log files are stored in a location that is sized appropriately.

Activity Monitoring and Log Analysis

NIST defines a log as a record of the events occurring within an organization’s systems and networks. Logs are composed of log entries; each entry contains information related to a specific event that has occurred within a system or network. Security logs are generated by many sources, including security software, such as AV software, firewalls, and IDS/IPS systems; operating systems on servers, workstations, and networking equipment; and applications. Logs are a key resource when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Third-party security specialists should be engaged for log analysis if in-house knowledge is not sufficient.

What Is Log Management?

Log management activities involve configuring the log sources, including log generation, storage, and security, performing analysis of log data, initiating appropriate responses to identified events, and managing the long-term storage of log data. Log management infrastructures are typically based on one of the two major categories of log management software: syslog-based centralized logging software and security information and event management software (SIEM). Syslog provides an open framework based on message type and severity. Security information and event management (SIEM) software includes commercial applications and often uses proprietary processes. NIST Special Publication SP 800-92, Guide to Computer Security Log Management, published September 2006, provides practical, real-world guidance on developing, implementing, and maintaining effective log management practices throughout an enterprise. The guidance in SP 800-92 covers several topics, including establishing a log management infrastructure.

Prioritizing and Selecting Which Data to Log

Ideally, data would be collected from every significant device and application on the network. The challenge is that network devices and applications can generate hundreds of events per minute. A network with even a small number of devices can generate millions of events per day. The sheer volume can overwhelm a log management program. Prioritization and inclusion decisions should be based on system or device criticality, data protection requirements, vulnerability to exploit, and regulatory requirements. For example, websites and servers that serve as the public face of the company are vulnerable specifically because they are Internet accessible. E-commerce application and database servers may drive the company’s revenue and are targeted because they contain valuable information such as credit card information. Internal devices are required for day-to-day productivity; access makes them vulnerable to insider attacks. In addition to identifying suspicious activity, attacks, and compromises, log data can be used to better understand normal activity, provide operational oversight, and provide a historical record of activity. The decision-making process should include information system owners as well as information security, compliance, legal, HR, and IT personnel.

Analyzing Logs

Done correctly and consistently, log analysis is a reliable and accurate way to discover potential threats, identify malicious activity, and provide operational oversight. Log analysis techniques include correlation, sequencing, signature, and trend analysis:

Image Correlation ties individual log entries together based on related information.

Image Sequencing examines activity based on patterns.

Image Signature compares log data to “known bad” activity.

Image Trend analysis identifies activity over time that in isolation might appear normal.

A common mistake made when analyzing logs is to focus on “denied” activity. Although it is important to know what was denied, it is much more important to focus on allowed activity that may put the organization at risk.
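The four techniques are clearer when run over real-looking data. The Python example below (added here for illustration; it is not from the book or from any SIEM product) parses a constructed OpenSSH authentication log and applies three rules: a correlation-and-sequencing rule (several failures from one source followed by a success), a signature-style rule (a successful logon outside permitted hours, one of the authentication server events listed later in this section), and a baseline rule (a successful logon from a source never seen for that user). Note that every alert keys off an allowed event; the failures on their own would only tell you someone was knocking. Host names, addresses, accounts, and the baseline are invented.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed OpenSSH authentication log (syslog format) for one bastion host.
AUTH_LOG = """\
Jan 14 02:11:03 bastion sshd[2231]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Jan 14 02:11:05 bastion sshd[2231]: Failed password for invalid user admin from 203.0.113.9 port 51023 ssh2
Jan 14 02:11:08 bastion sshd[2234]: Failed password for alice from 203.0.113.9 port 51024 ssh2
Jan 14 02:11:11 bastion sshd[2234]: Failed password for alice from 203.0.113.9 port 51025 ssh2
Jan 14 02:11:15 bastion sshd[2239]: Failed password for alice from 203.0.113.9 port 51026 ssh2
Jan 14 02:11:19 bastion sshd[2241]: Accepted password for alice from 203.0.113.9 port 51030 ssh2
Jan 14 09:02:44 bastion sshd[2310]: Accepted publickey for bob from 10.20.5.17 port 40112 ssh2
Jan 14 09:15:02 bastion sshd[2322]: Failed password for bob from 10.20.5.17 port 40120 ssh2
Jan 14 09:15:09 bastion sshd[2322]: Accepted password for bob from 10.20.5.17 port 40121 ssh2
Jan 14 13:40:31 bastion sshd[2402]: Accepted publickey for alice from 10.20.5.22 port 40400 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+")

# Constructed baseline: sources each user has logged on from over the previous 30 days.
BASELINE_SOURCES = {"alice": {"10.20.5.22"}, "bob": {"10.20.5.17"}}


def parse_auth_log(log: str, year: int = 2014) -> list:
    """Syslog lines carry no year; it is supplied from context."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append({"ts": ts, **{k: m[k] for k in ("host", "result", "method", "user", "src")}})
    return events


def brute_force_then_success(events, threshold=3, window=timedelta(minutes=10)) -> list:
    """Correlation + sequencing: N failures from one source, then a success inside the window."""
    alerts, by_src = [], defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        for i, e in enumerate(evs):
            if e["result"] != "Accepted":
                continue
            prior = [p for p in evs[:i] if p["result"] == "Failed" and e["ts"] - p["ts"] <= window]
            if len(prior) >= threshold:
                alerts.append({"rule": "brute_force_then_success", "src": src, "user": e["user"],
                               "failures": len(prior), "users_tried": sorted({p["user"] for p in prior}),
                               "at": e["ts"].isoformat()})
    return alerts


def off_hours_logon(events, start_hour=22, end_hour=6) -> list:
    """Signature-style: a successful logon outside the permitted window."""
    return [{"rule": "off_hours_logon", "user": e["user"], "src": e["src"], "at": e["ts"].isoformat()}
            for e in events
            if e["result"] == "Accepted" and (e["ts"].hour >= start_hour or e["ts"].hour < end_hour)]


def new_source_for_user(events, baseline=BASELINE_SOURCES) -> list:
    """Baseline/trend: a successful logon from a source not previously seen for that user."""
    return [{"rule": "new_source_for_user", "user": e["user"], "src": e["src"], "at": e["ts"].isoformat()}
            for e in events
            if e["result"] == "Accepted" and e["src"] not in baseline.get(e["user"], set())]


def analyze_auth_log(log: str = AUTH_LOG) -> list:
    events = parse_auth_log(log)
    return brute_force_then_success(events) + off_hours_logon(events) + new_source_for_user(events)


if __name__ == "__main__":
    for a in analyze_auth_log():
        print(a)
```

Bob’s single typo at 09:15 followed by a successful logon from his usual address produces nothing, which is the point of thresholds and baselines: the rules are tuned to surface the 02:11 session, not to page an analyst for every failed password.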


FYI: Log Review Regulatory Requirements and Contractual Obligations

Monitoring event and audit logs is an integral part of complying with a variety of federal regulations, including the Gramm-Leach-Bliley Act. In addition, as of July 2013, at least 48 states and U.S. territories have instituted security breach notification laws that require businesses to monitor and protect specific sets of consumer data:

Image Gramm-Leach-Bliley Act (GLBA) requires financial institutions to protect their customers’ information against security threats. Log management can be helpful in identifying possible security violations and resolving them effectively.

Image Health Insurance Portability and Accountability Act of 1996 (HIPAA) includes security standards for certain health information, including the need to perform regular reviews of audit logs and access reports. Section 4.22 specifies that documentation of actions and activities needs to be retained for at least six years.

Image Federal Information Security Management Act of 2002 (FISMA) requirements found in NIST SP 800-53, Recommended Security Controls for Federal Information Systems, describes several controls related to log management, including the generation, review, protection, and retention of audit records, as well as the actions to be taken because of audit failure.

Image Payment Card Industry Data Security Standard (PCI DSS) applies to organizations that store, process, or transmit cardholder data for payment cards. The fifth core PCI DSS principle, Regularly Monitor and Test Networks, includes the requirement to track and monitor all access to network resources and cardholder data.


Firewall logs can be used to detect security threats such as network intrusion, virus attacks, DoS attacks, anomalous behavior, employee web activities, web traffic analysis, and malicious insider activity. Reviewing log data provides oversight of firewall administrative activity and change management, including an audit trail of firewall configuration changes. Bandwidth monitoring can provide information about sudden changes that may be indicative of an attack.

Web server logs are another rich source of data to identify and thwart malicious activity. HTTP status codes indicating redirection, client error, or server error can indicate malicious activity as well as malfunctioning applications or bad HTML code. Checking the logs for Null Referrers can identify hackers who are scanning the website with automated tools that do not follow proper protocols. Log data can also be used to identify web attacks, including SQL injection, cross-site scripting (XSS), and directory traversal. As with the firewall, reviewing web server log data provides oversight of web server/website administrative activity and change management, including an audit trail of configuration changes.
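The web server checks described above are signature analysis applied to request logs. The Python example below (added here for illustration; it is not from the book or from any web server or SIEM) parses constructed Apache combined-format lines, URL-decodes the request so that encoded attack strings are visible, matches SQL injection, cross-site scripting, and directory traversal patterns, flags null-referrer requests from known scanner user agents, and calls out a server error that follows attacker input. The addresses, paths, and user-agent strings are invented; the signature patterns are deliberately narrow and would be expanded in practice.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed Apache "combined" access log lines.
WEB_LOG = """\
203.0.113.5 - - [14/Jan/2014:10:12:01 +0000] "GET /products.php?id=1 HTTP/1.1" 200 5120 "https://www.example.test/" "Mozilla/5.0"
203.0.113.5 - - [14/Jan/2014:10:12:07 +0000] "GET /products.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 312 "-" "sqlmap/1.0"
198.51.100.4 - - [14/Jan/2014:10:13:44 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.4 - - [14/Jan/2014:10:14:02 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 404 210 "-" "Mozilla/5.0"
10.20.5.9 - - [14/Jan/2014:10:20:15 +0000] "GET /admin/config HTTP/1.1" 403 150 "https://www.example.test/admin" "Mozilla/5.0"
203.0.113.80 - - [14/Jan/2014:10:21:00 +0000] "GET /wp-login.php HTTP/1.1" 404 180 "-" "Nikto/2.1.5"
"""

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$')

SIGNATURES = {
    "sqli": re.compile(r"('|%27)\s*(or|and)\s|union\s+select|;\s*--|\bsleep\(", re.I),
    "xss": re.compile(r"<script|javascript:|on\w+\s*=", re.I),
    "traversal": re.compile(r"\.\./|/etc/passwd|\\\.\.\\", re.I),
}
SCANNER_UA = re.compile(r"sqlmap|nikto|nmap|masscan|dirbuster", re.I)


def parse_line(line: str):
    m = COMBINED.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["decoded"] = unquote_plus(entry["path"])   # match against what the application saw
    return entry


def findings_for(entry: dict) -> list:
    hits = [name for name, rx in SIGNATURES.items() if rx.search(entry["decoded"])]
    if entry["referrer"] == "-" and SCANNER_UA.search(entry["ua"]):
        hits.append("scanner_ua_null_referrer")
    if entry["status"] >= 500 and hits:
        hits.append("server_error_after_attack_input")  # the application choked on attacker input
    return hits


def analyze_web_log(log: str = WEB_LOG):
    """Per-line findings plus a count of findings per source address."""
    per_line, per_source = [], Counter()
    for line in log.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        hits = findings_for(entry)
        per_line.append({"ip": entry["ip"], "path": entry["decoded"],
                         "status": entry["status"], "hits": hits})
        per_source[entry["ip"]] += len(hits)
    return per_line, per_source


if __name__ == "__main__":
    lines, per_source = analyze_web_log()
    for item in lines:
        print(item["status"], item["ip"], item["path"], item["hits"])
    print(per_source.most_common())
```

The per-source tally is what turns individual signature hits into something an analyst can act on: one address sending a probe, a scanner user agent, and then triggering a 500 is a higher priority than the same three findings spread across three addresses.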

Authentication server logs document user, group, and administrative account activity. Activity that should be mined and analyzed includes account lockouts, invalid account logons, invalid passwords, password changes, and user management changes such as new and changed accounts. It also includes computer management events (such as when audit logs are cleared or computer account names are changed), group management events (such as the creation or deletion of groups and the addition of users to high-security groups), and user activity outside of logon time restrictions. Operational activity, such as the installation of new software, the success or failure of patch management, server reboots, and policy changes, should be on the radar as well.

Service Provider Oversight

Many companies outsource some aspect of their operations. These relationships, however beneficial, have the potential to introduce vulnerabilities. From a regulatory perspective, you can outsource the work but you cannot outsource the legal responsibility. Organizational CIA requirements must extend to all service providers and business partners that store, process, transmit, or access company data and information systems. Third-party controls must be required to meet or, in some cases, exceed internal requirements. When working with service providers, organizations need to exercise due diligence in selecting providers, contractually obligate providers to implement appropriate security controls, and monitor service providers for ongoing compliance with contractual obligations.


FYI: Outsourcing Technology Services Guidance

The Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook (IT Handbook) Outsourcing Technology Services Booklet was published in 2004 with the objective of providing guidance and examination procedures to assist examiners and bankers in evaluating a financial institution’s risk management processes to establish, manage, and monitor IT outsourcing relationships. However, the guidance is useful for organizations of all types and sizes. A number of the recommendations in this section are from the FFIEC guidance. To download the booklet from the FFIEC site, visit http://ithandbook.ffiec.gov/it-booklets/outsourcing-technology-services.aspx.


What Is Due Diligence?

Vendor due diligence describes the process or methodology used to assess the adequacy of a service provider. The depth and formality of the due diligence performed may vary based on the risk of the outsourced relationship. Due diligence investigation may include the following:

Image Corporate history

Image Qualifications, backgrounds, and reputations of company principals

Image Financial status, including reviews of audited financial statements

Image Service delivery capability, status, and effectiveness

Image Technology and systems architecture

Image Internal controls environment, security history, and audit coverage

Image Legal and regulatory compliance, including any complaints, litigation, or regulatory actions

Image Reliance on and success in dealing with third-party service providers

Image Insurance coverage

Image Incident response capability

Image Disaster recovery and business continuity capability

Documentation requested from a service provider generally includes financial statements, security-related policies, proof of insurance, subcontractor disclosure, disaster recovery and continuity of operations plans, incident notification and response procedures, security testing results, and independent audit reports such as an SSAE 16 report.

Understanding Independent Audit Reports

The objective of an independent audit is to objectively evaluate the effectiveness of operational, security, and compliance controls. Statement on Standards for Attestation Engagements No. 16 (SSAE 16) audit reports have become the most widely accepted due diligence documentation. Developed by the American Institute of CPAs (AICPA), there are three report options: SOC 1, SOC 2, and SOC 3. SOC stands for Service Organization Controls. SOC 1 reports focus solely on controls at a service organization that are likely to be relevant to an audit of a user entity’s financial statements. SOC 2 and SOC 3 reports specifically address one or more of the following five trust services principles:

Image Security—The system is protected against unauthorized access (both physical and logical).

Image Availability—The system is available for operation and use as committed or agreed.

Image Processing integrity—System processing is complete, accurate, timely, and authorized.

Image Confidentiality—Information designated as confidential is protected as committed or agreed.

Image Privacy—Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice, and with criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA and Canadian Institute of Chartered Accountants.

SSAE audits must be attested to by a certified public accounting (CPA) firm. Service organizations that have had a SOC 1, SOC 2, or SOC 3 engagement within the past year may register with the AICPA to display the applicable logo.

What Should Be Included in Service Provider Contracts?

Service provider contracts should include a number of information security–related clauses, including performance standards, security and privacy compliance requirements, incident notification, business continuity, disaster recovery commitments, and auditing options. The objective is to ensure that the service provider exercises due care, which is the expectation that reasonable efforts will be made to avoid harm and minimize risk.

Performance standards define minimum service level requirements and remedies for failure to meet standards in the contract—for example, system uptime, deadlines for completing batch processing, and number of processing errors. MTTR (or mean time to repair) may be a clause condition in a service level agreement (SLA), along with a standard reference to Tier 1, Tier 2, and Tier 3 performance factors. Security and privacy compliance requirements address the service provider stewardship of information and information systems as well as organizational processes, strategies, and plans. At a minimum, the service provider control environment should be consistent with organizational policies and standards. The agreement should prohibit the service provider and its agents from using or disclosing the information, except as necessary for or consistent with providing the contracted services, and to protect against unauthorized use. If the service provider stores, processes, receives, or accesses non-public personal information (NPPI), the contract should state that the service provider would comply with all applicable security and privacy regulations.

Incident notification requirements should be clearly spelled out. In keeping with state breach notification laws, unless otherwise instructed by law enforcement, the service provider must disclose both verified security breaches and suspected incidents. The latter is often a point of contention. The contract should specify the timeframe for reporting as well as the type of information that must be included in the incident report.

Lastly, the contract should specify the types of audit reports the organization is entitled to receive (for example, financial, internal control, and security reviews). The contract should specify the audit frequency, any charges for obtaining the audits, as well as the rights to obtain the results of the audits in a timely manner. The contract may also specify rights to obtain documentation of the resolution of any deficiencies and to inspect the processing facilities and operating practices of the service provider. For Internet-related services, the contract should require periodic control reviews performed by an independent party with sufficient expertise. These reviews may include penetration testing, intrusion detection, reviews of firewall configuration, and other independent control reviews.

Managing Ongoing Monitoring

The due diligence is done, the contract is signed, and the service is being provided—but it’s not yet time to relax. Remember that you can outsource the work but not the responsibility. Ongoing monitoring should include the effectiveness of the service providers’ security controls, financial strength, ability to respond to changes in the regulatory environment, and the impact of external events. Business process owners should establish and maintain a professional relationship with key service provider personnel.


FYI: Small Business Note

The majority of small businesses do not have dedicated IT or information security staff. They rely on outside organizations or contractors to perform a wide range of tasks, including procurement, network management and administration, web design, and off-site hosting. Rarely are the “IT guys” properly vetted. A common small business owner remark is, “I wouldn’t even know what to ask. I don’t know anything about technology.” Rather than being intimidated, small business owners and managers need to recognize that they have a responsibility to evaluate the credentials of everyone who has access to their information systems. Peer and industry groups such as the Chamber of Commerce, Rotary, ISC2, and ISACA chapters can all be a source for references and recommendations. As with any service provider, responsibilities and expectations should be codified in a contract.


Summary

This security domain is all about day-to-day operational activities. We started the chapter by looking at SOPs. We discussed that well-written SOPs provide direction, improve communication, reduce training time, and improve work consistency. Routine procedures that are short and require few decisions can be written using the simple step format. Long procedures consisting of more than ten steps, with few decisions, should be written in hierarchical steps format or in a graphic format. Procedures that require many decisions should be written in the form of a flowchart.

Organizations are dynamic, and change is inevitable. The objective of change control is to ensure that only authorized changes are made to software, hardware, network access privileges, or business processes. A change management process establishes an orderly and effective mechanism for submission, evaluation, approval, prioritization, scheduling, communication, implementation, monitoring, and organizational acceptance of change.

Two mandatory components of a change management process are an RFC (Request for Change) document and a change control plan. Scheduled changes can be exempt from the process as long as they have a preapproved procedure. A good example of this is patch management. A patch is software or code designed to fix a problem. Applying security patches is the primary method of fixing security vulnerabilities in software. Patch management is the process of scheduling, testing, approving, and applying security patches.

Criminals design malware, short for malicious software (or script or code), to exploit device, operating system, application, and user vulnerabilities with the intent of disrupting computer operations, gathering sensitive information, or gaining unauthorized access. A zero-day exploit is one that takes advantage of a security vulnerability on the same day that the vulnerability becomes publicly or generally known. Malware categorization is based on infection and propagation characteristics. A virus is malicious code that attaches to and becomes part of another program. A worm is a piece of malicious code that can spread from one computer to another without requiring a host file to infect. A Trojan is malicious code that masquerades as a legitimate, benign application. Bots (also known as robots) are snippets of code designed to automate tasks and respond to instructions. An entire network of compromised devices is known as a botnet. Ransomware is a type of malware that takes a computer or its data hostage in an effort to extort money from victims. A rootkit is a set of software tools that hides its presence in the lower layers of the system (the operating system application layer, the operating system kernel, or the device BIOS) using privileged access permissions. Spyware is a general term used to describe software that, without a user’s consent and/or knowledge, tracks Internet activity such as searches and web surfing, collects data on personal habits, and displays advertisements. Hybrid malware is code that combines characteristics of multiple categories. A blended threat is when multiple variants of malware (worms, viruses, bots, and so on) are used in concert to exploit system vulnerabilities. An anti-malware defense-in-depth arsenal includes both prevention and detection controls. The most familiar of these is AV software, which is designed to detect, contain, and in some cases eliminate malicious software.

Malware, user error, and system failure are among the many threats that can render data unusable. Having multiple copies of data is essential for both data integrity and availability. Data replication is the process of copying data to a second location that is available for immediate or near-real-time use. Data backup is the process of copying and storing data that can be restored to its original location. In both cases, it is essential to have SOPs for both replication/backup and restoration/recovery. Restoration and recovery processes should be tested to ensure that they work as anticipated.

Email is a primary malware distribution channel. Criminals embed malware in attachments or include a hyperlink to a malware distribution site. Email systems need to be configured to scan for malware and to filter attachments. Users need to be trained not to click email links and not to open unexpected attachments. Organizations should also restrict access to personal web mail applications because they bypass internal email controls. Criminals take advantage of the inherent weaknesses in the email communication system. The vulnerabilities can be traced back to the ARPANET, the precursor to the Internet, which was a US Advanced Research Project Agency (ARPA) project intended to develop a set of communications protocols to transparently connect computing resources in various geographical locations. Because the ARPANET was a trusted network, security controls were not considered. Today’s email system uses essentially the same protocols and processes. Simple Mail Transfer Protocol (SMTP), designed in 1982, is the de facto message transport standard for sending email messages. The common mailbox access protocols Post Office Protocol (now POP3) and Internet Message Access Protocol (IMAP) were developed in 1984 and 1988, respectively. Messages sent using SMTP are transmitted in plaintext and are human readable. Multiple transport and storage encryption options can be used to protect the data from prying eyes. Encryption protects the privacy of the message by converting it from (readable) plaintext into (scrambled) cipher text. The default posture for many email servers is to process and relay any mail sent to the server; this feature is known as open mail relay. Criminals exploit open mail relay to distribute malware, spam, and illegal material such as pornography. A blacklist is a list of email addresses, domain names, or IP addresses known to be compromised or intentionally used as a distribution platform. The process of blacklisting is to use the blacklist as an email filter. Because email servers are Internet facing and are open to receiving packets, they are easy targets for distributed denial of service (DDoS) attacks. The objective of a DDoS attack is to render the service inoperable.

Almost every device and application on a network can record activity. This record of events is known as a log. Logs can be processed either using the standard syslog protocol or using SIEM applications. Syslog provides an open framework based on message type (facility) and severity. Security information and event management (SIEM) products are commercial applications and often use proprietary processes. Analysis techniques include correlation, sequencing, signature comparison, and trend analysis. Correlation ties individual log entries together based on related information. Sequencing examines activity based on patterns. Signature comparison compares log data to “known bad” activity. Trend analysis identifies activity over time that in isolation might appear normal. The process of configuring the log sources (including log generation, storage, and security), performing analysis of log data, initiating appropriate responses to identified events, and managing the long-term storage of log data is known as log management.
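The analysis techniques listed above, applied to a handful of constructed syslog lines (an added example, not code from the book): the syslog PRI field is decoded into facility and severity, a signature list is compared against each message, failed and successful logins are correlated by source address (the failure-then-success sequence), and daily login counts are trended against earlier days. The log lines, the signature names, the year assumed for the timestamps, and the thresholds are all assumptions made for this illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Classic syslog line: <PRI>timestamp host program[pid]: message
SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) "
                       r"(?P<host>\S+) (?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample lines (assumption: all from the same year, 2013).
SAMPLE_LOGS = [
    "<38>Jun 14 08:01:10 srv1 sshd[2101]: Failed password for root from 10.0.0.5 port 5101 ssh2",
    "<38>Jun 14 08:01:12 srv1 sshd[2101]: Failed password for root from 10.0.0.5 port 5102 ssh2",
    "<38>Jun 14 08:01:15 srv1 sshd[2101]: Failed password for admin from 10.0.0.5 port 5103 ssh2",
    "<38>Jun 14 08:01:20 srv1 sshd[2101]: Accepted password for admin from 10.0.0.5 port 5104 ssh2",
    "<38>Jun 14 09:30:00 srv1 sshd[2240]: Failed password for bob from 10.0.0.9 port 6001 ssh2",
    "<30>Jun 14 10:00:00 srv1 postfix/smtpd[3000]: connect from mail.example.net[192.0.2.10]",
    "<35>Jun 14 10:00:01 srv1 postfix/smtpd[3000]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: Relay access denied",
    "<38>Jun 15 08:00:00 srv1 sshd[2301]: Accepted password for alice from 10.0.0.20 port 7001 ssh2",
    "<38>Jun 16 08:00:00 srv1 sshd[2401]: Accepted password for alice from 10.0.0.20 port 7002 ssh2",
    "<38>Jun 17 08:00:00 srv1 sshd[2501]: Accepted password for alice from 10.0.0.20 port 7003 ssh2",
    "<38>Jun 17 08:05:00 srv1 sshd[2502]: Accepted password for alice from 10.0.0.20 port 7004 ssh2",
    "<38>Jun 17 08:10:00 srv1 sshd[2503]: Accepted password for alice from 10.0.0.20 port 7005 ssh2",
    "<38>Jun 17 08:15:00 srv1 sshd[2504]: Accepted password for alice from 10.0.0.20 port 7006 ssh2",
]

# Assumed "known bad" signatures for the signature-comparison step.
KNOWN_BAD = {
    "ssh_root_login_attempt": re.compile(r"Failed password for root"),
    "open_relay_probe": re.compile(r"Relay access denied"),
}
FAILED_RE = re.compile(r"Failed password for (\S+) from (\d+\.\d+\.\d+\.\d+)")
ACCEPTED_RE = re.compile(r"Accepted password for (\S+) from (\d+\.\d+\.\d+\.\d+)")


def parse_line(line, year=2013):
    """Decode one syslog line; PRI = facility * 8 + severity."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {"facility": pri // 8, "severity": SEVERITY[pri % 8],
            "time": datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S"),
            "host": m.group("host"), "program": m.group("prog"), "message": m.group("msg")}


def severity_summary(entries):
    """Count entries per syslog severity (useful for a quick triage view)."""
    return Counter(e["severity"] for e in entries)


def signature_matches(entries):
    """Signature comparison: return (signature, time, message) for every known-bad hit."""
    return [(name, e["time"], e["message"]) for e in entries
            for name, pat in KNOWN_BAD.items() if pat.search(e["message"])]


def correlate_brute_force(entries, threshold=3, window=timedelta(minutes=5)):
    """Correlation/sequencing: a success preceded by >= threshold failures from the same IP."""
    failures, successes = defaultdict(list), []
    for e in entries:
        if (m := FAILED_RE.search(e["message"])):
            failures[m.group(2)].append(e["time"])
        elif (m := ACCEPTED_RE.search(e["message"])):
            successes.append((m.group(2), m.group(1), e["time"]))
    findings = []
    for ip, user, t in successes:
        recent = [f for f in failures.get(ip, []) if t - window <= f <= t]
        if len(recent) >= threshold:
            findings.append({"source": ip, "user": user, "failures_before_success": len(recent)})
    return findings


def trend_successful_logins(entries, factor=2.0):
    """Trend analysis: flag a day whose login count exceeds factor x the mean of earlier days."""
    per_day = Counter(e["time"].date() for e in entries if ACCEPTED_RE.search(e["message"]))
    days = sorted(per_day)
    return [(d.isoformat(), per_day[d]) for i, d in enumerate(days)
            if i and per_day[d] > factor * sum(per_day[x] for x in days[:i]) / i]


if __name__ == "__main__":
    entries = [e for e in map(parse_line, SAMPLE_LOGS) if e]
    print(severity_summary(entries))
    print(signature_matches(entries))
    print(correlate_brute_force(entries))
    print(trend_successful_logins(entries))
```

Each Jun 17 login looks normal on its own; only the trend step, comparing the day against the three days before it, flags it.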

Operational security extends to service providers. Service providers are vendors, contractors, business partners, and affiliates who store, process, transmit, or access company information or company information systems. Service provider internal controls should meet or exceed those of the contracting organization. The conventional wisdom (and in some cases, the regulatory requirement) is that you can outsource the work but not the liability. Due diligence describes the process or methodology used to assess the adequacy of a service provider. SSAE16 audit reports have become the most widely accepted due diligence documentation. SSAE16 reports are independent audits certified by CPA firms. The three audit options are SOC 1, SOC 2, and SOC 3. SOC 1 audits focus on controls that are likely to be relevant to a service provider’s financial statements and condition. SOC 2 and SOC 3 are designed to examine security, CIA, and privacy attributes. Once a vendor is selected, their obligations should be codified in a contract. Service provider contracts should include a number of information security–related clauses, including performance standards, security and privacy compliance requirements, incident notification, business continuity and disaster recovery commitments, and auditing and ongoing monitoring options.

Operations and Communications Security policies include Standard Operating Procedures Documentation Policy, Operational Change Control Policy, Security Patch Management Policy, Malicious Software Policy, Email and Email Systems Security Policy, Security Log Management Policy, and Service Provider Management Policy.

Test Your Skills

Multiple Choice Questions

1. Which of the following is true about documenting SOPs?

A. It promotes business continuity.

B. The documentation should be approved before publication and distribution.

C. Both A and B.

D. Neither A nor B.

2. Which two factors influence the type of SOP used?

A. Cost and complexity

B. Number of decisions and number of steps

C. Language and age of the workforce

D. Number of warnings and number of exceptions

3. Which of the following formats should be used when an SOP includes multiple decision-making steps?

A. Simple

B. Hierarchical

C. Graphic

D. Flowchart

4. The change control process starts with which of the following?

A. Budget

B. RFC submission

C. Vendor solicitation

D. Supervisor authorization

5. What is the most important message to share with the workforce about “change”?

A. The reason for the change

B. The cost of the change

C. Who approved the change

D. Management’s opinion of the change

6. Which of the following statements best describes the action that should occur prior to implementing a change that has the potential to impact business processing?

A. The impact should be communicated.

B. The change should be thoroughly tested.

C. A rollback or recovery plan should be developed.

D. All of the above.

7. Which of the following is not a part of a malware defense-in-depth strategy?

A. Security awareness

B. Prevention controls

C. Reverse engineering

D. Detection controls

8. Which of the following statements best describes a security patch?

A. A security patch is designed to fix a security vulnerability.

B. A security patch is designed to add security features.

C. A security patch is designed to add security warnings.

D. A security patch is designed to fix code functionality.

9. Which of the following is a component of an AV application?

A. Definition files

B. Handler

C. Patch

D. Virus

10. Which of the following statements best describes the testing of security patches?

A. Security patches should never be tested because waiting to deploy is dangerous.

B. Security patches should be tested prior to deployment, if possible.

C. Security patches should be tested one month after deployment.

D. Security patches should never be tested because they are tested by the vendor.

11. Which of the following operating systems are vulnerable to malware?

A. Apple OS only.

B. Android OS only.

C. Microsoft Windows OS only.

D. Malware is operating system agnostic.

12. Which of the following terms best describes malware that is specifically designed to hide in the background and gather info over an extended period of time?

A. Trojan

B. APT

C. Ransomware

D. Zero-day exploit

13. A _________________ can spread from one computer to another without requiring a host file to infect.

A. virus

B. Trojan

C. worm

D. rootkit

14. _________________ wait for remote instructions and are often used in DDoS attacks.

A. APTs

B. Bots

C. DATs

D. None of the above

15. Which of the following statements best describes a blended threat?

A. A blended threat is designed to be difficult to detect.

B. A blended threat is designed to be difficult to contain.

C. A blended threat is designed to be difficult to eradicate.

D. All of the above.

16. Which of the following statements best describes data replication?

A. Replicated data needs to be restored from tape.

B. Only administrators have access to replicated data.

C. Replicated data is generally available in near or real time.

D. Replication is expensive.

17. Organizations that are considering storing legally protected data in “the cloud” should ________________________.

A. contractually obligate the service provider to protect the data

B. assume that the appropriate security controls are in place

C. give their customers an option as to where data is stored

D. only use cloud storage for data replication

18. Which of the following actions best describes the task that should be completed once backup media such as tape is no longer in rotation?

A. It should be erased and reused.

B. It should be recycled.

C. It should physically be destroyed.

D. It should be labeled as old and put in a supply closet.

19. Which of the following terms best describes the Department of Defense project to develop a set of communications protocols to transparently connect computing resources in various geographical locations?

A. DoDNet

B. ARPANET

C. EDUNET

D. USANET

20. Which of the following terms best describes the message transport protocol used for sending email messages?

A. SMTP

B. SMNP

C. POP3

D. MIME

21. In its native form, email is transmitted in _________.

A. cipher text

B. clear text

C. hypertext

D. meta text

22. Which of the following statements best describes how users should be trained to manage their email?

A. Users should click embedded email hyperlinks.

B. Users should open unexpected email attachments.

C. Users should access personal email from the office.

D. Users should delete unsolicited or unrecognized emails.

23. Open email relay service can be used to do which of the following?

A. Secure messages

B. Ensure message delivery

C. Misappropriate resources

D. Create blacklists

24. Which of the following statements best describes a system log?

A. A system log is a record of allowed and denied events.

B. A system log is a record of problem events only.

C. A system log is a record of user productivity.

D. A system log is a record of system codes.

25. Which of the following statements best describes trend analysis?

A. Trend analysis is used to tie individual log entries together based on related information.

B. Trend analysis is used to examine activity based on patterns.

C. Trend analysis is used to compare log data to known bad activity.

D. Trend analysis is used to identify activity over time.

26. Which of the following statements best describes authentication server logs?

A. Authentication server logs capture user, group, and administrative activity.

B. Authentication server logs capture bad HTML code.

C. Authentication server logs capture SQL injection attempts.

D. Authentication server logs capture web traffic.

27. Which of the following terms best describes the process of assessing a service provider’s reputation, financial statements, internal controls, and insurance coverage?

A. Downstream investigation

B. Standard of care

C. Due diligence

D. Outsource audit

28. SSAE16 audits must be attested to by a _____________.

A. Certified Information System Auditor (CISA)

B. Certified Public Accountant (CPA)

C. Certified Information Systems Manager (CISM)

D. Certified Information System Security Professional (CISSP)

29. Service providers should be required to provide notification of which of the following types of incidents?

A. Confirmed incidents

B. Confirmed incidents by known criminals

C. Confirmed incidents that have been reported to law enforcement

D. Confirmed and suspected incidents

30. Which of the following reasons best describes why independent security testing is recommended?

A. Independent security testing is recommended because of the objectivity of the tester.

B. Independent security testing is recommended because of the expertise of the tester.

C. Independent security testing is recommended because of the experience of the tester.

D. All of the above.

Exercises

Exercise 8.1: Documenting Operating Procedures

1. SOPs are not restricted to use in IT and information security. Cite three non-IT or security examples where SOP documentation is important.

2. Choose a procedure that you are familiar enough with that you can write SOP documentation.

3. Decide which format you are going to use to create the SOP document.

Exercise 8.2: Researching Email Security

1. Does the personal email application you are currently using have an option for “secure messaging”? If so, describe the option. If not, how does this limit what you can send via email?

2. Does the email application you are using have an option for “secure authentication” (this may be referred to as secure login or multifactor authentication)? If so, describe the option. If not, does this concern you?

3. Does the email application scan for malware or block attachments? If so, describe the option. If not, what can you do to minimize the risk of malware infection?

Exercise 8.3: Researching Metadata

1. Most applications include metadata in the document properties. What metadata does the word processing software you currently use track?

2. Is there a way to remove the metadata from the document?

3. Why would you want to remove metadata before distributing a document?

Exercise 8.4: Understanding Patch Management

1. Do you install operating system or application security patches on your personal devices such as laptops, tablets, and smartphones? If yes, how often? If not, why not?

2. What method do you use (for example, Windows Update)? Is the update automatic? What is the update schedule? If you do not install security patches, research and describe your options.

3. Why is it sometimes necessary to reboot your device after applying security patches?

Exercise 8.5: Understanding Malware Corporate Account Takeovers

1. Hundreds of small businesses across the country have been victims of corporate account takeovers. To learn more, read the following NYT small business article and visit the Krebs on Security blog. If the links are no longer active, Google the topic.

www.nytimes.com/2013/06/14/business/smallbusiness/protecting-business-accounts-from-hackers.html

https://krebsonsecurity.com/category/smallbizvictims

2. Should financial institutions be required to warn small business customers of the dangers associated with cash management services such as ACH and wire transfers? Explain your reasoning.

3. What would be the most effective method of teaching bank customers about corporate account takeover attacks?

Projects

Project 8.1: Performing Due Diligence with Data Replication and Backup Service Providers

1. Do you store your schoolwork on your laptop? If not, where is the data stored? Write a memo explaining the consequences of losing your laptop, or if the alternate location or device becomes unavailable. Include the reasons why having a second copy will contribute to your success as a student. After you have finished step 2 of this project, complete the memo with your recommendations.

2. Research “cloud-based” backup or replication options. Choose a service provider and answer the following questions:

What service/service provider did you choose?

How do you know they are reputable?

What controls do they have in place to protect your data?

Do they reveal where the data will be stored?

Do they have an SSAE16 or equivalent audit report available for review?

Do they have any certifications, such as McAfee Secure?

How much will it cost?

How often are you going to update the secondary copy?

What do you need to do to test the restore/recovery process?

How often will you test the restore/recovery process?

Project 8.2: Developing an Email and Malware Training Program

You are working as an information security intern for Best Regional Bank, which has asked you to develop a PowerPoint training module that explains the risks (including malware) associated with email. The target audience is all employees.

1. Create an outline of the training to present to the training manager.

2. The training manager likes your outline. She just learned that the company would be monitoring email to make sure that data classified as “protected” is not being sent insecurely and that access to personal web-based email is going to be restricted. You need to add these topics to your outline.

3. Working from your outline, develop a PowerPoint training module. Be sure to include email “best practices.” Be prepared to present the training to your peers.

Project 8.3: Developing Change Control and SOPs

The Dean of Academics at ABC University has asked your class to design a change control process specifically for mid-semester faculty requests to modify the day, the time, or the location where their class meets. You need to do the following:

1. Create an RFC form.

2. Develop an authorization workflow that specifies who (for example, the department chair) needs to approve the change and in what order.

3. Develop an SOP flowchart for faculty members to use that includes submitting the RFC, authorization workflow, and communication (for example, students, housekeeping, campus security, registrar).

