
Operational Security

  1. Operational Security
  April Otto, LAN Design and Installation

  2. Overview
  • What is Operational Security
  • What is Computer Security
  • Hardening Physical Security with Access Controls
  • Minimizing Social Engineering
  • Securing the Physical Environment
  • Protecting Against Environmental Dangers
  • Backups
  • Personnel/Business Continuity
  • Disaster Recovery
  • References

  3. What is Operational Security?
  • “It is a process for identifying, controlling, and protecting generally unclassified information, which if it becomes known to a competitor or adversary, could be used to our disadvantage.”
  • Definition provided by the Interagency OPSEC Support Staff (IOSS)

  4. Operational Security cont…
  • For government operations and the general public alike, operational security follows five interdependent phases:
  1. Identifying Critical Information
  2. Analysis of the Threat
  3. Analyzing Vulnerabilities
  4. Analyzing Risk Involved
  5. Employing Countermeasures

  5. Identifying Critical Information
  • Examine what must be kept from an adversary
  • Critical information is anything an adversary needs in order to achieve their goals
  • What am I trying to protect, and how much is it worth to me?
  • What do I need to protect it against?
  • How much time, effort, and money am I willing to spend to obtain adequate protection?

  6. Analysis of the Threat
  • Examine how the threat might arrive
  • What kind of adversary?
  • Insider or outsider; foreign intelligence or government agencies
  • Will the adversary send corporate or state-sponsored spies? Read open-source literature? Use espionage or eavesdropping?
  • Will the threat come from natural causes such as fire, dust, earthquakes, humidity, water, bugs, smoke, explosions, etc.? (These are hazards rather than adversaries, but they endanger the same assets and belong in the same analysis.)

  7. Analyzing Vulnerabilities
  • Which adversary is interested in which data, and how would they go about obtaining it?
  • Interception of transmitted signals; dumpster diving
  • Does the company directly or indirectly do anything to give data away?
  • Example: websites with company information, goals, and organizational charts; job announcements; personal information found in the trash
  • Can an adversary find a security vulnerability?
  • We must look at our systems the way an adversary would
  • Example: anthrax mailings, suspended ceilings, insufficient lighting, dead-end hallways

  8. Analyzing Risk Involved
  • What am I trying to protect, and is it worth it to me?
  • To decide how far to go, the cost of securing an asset is weighed against the cost of losing that asset
  • Most companies are not willing to pay more than necessary to protect their assets
  • If they can afford to lose a given asset, they will spend less or put less emphasis on protecting it

  9. Employing Protective Measures
  • Protective measures (countermeasures) are put in place to stop an adversary from completing their task
  • Some solutions commonly put in place:
  • Disrupting the adversary's collection of information
  • Preventing the adversary from accurately interpreting the data they do collect
  • Making the picture as simple to understand on the inside and as confusing as possible to outsiders
  • Eliminating indicators and vulnerabilities altogether

  10. What is computer security?
  • The three main pillars of security are:
  • Confidentiality
  • Integrity
  • Availability
  • These pillars are protected by:
  • Products
  • People
  • Procedures
  • Operational security addresses the procedures that need to be in place in order to provide protection

  11. Hardening Physical Security with Access Controls
  • Primary goal of physical security: prevent unauthorized users from reaching equipment to use, steal, or vandalize it
  • Most security personnel tend to focus on preventing attackers from reaching a computer electronically
  • Physical security is often forgotten, yet it is equally if not more important than its electronic counterpart: an attacker who can touch a machine can usually bypass the logical controls on it

  12. Hardening Physical Security cont…
  • Identity management
  • Biometrics: scanning of hand geometry, fingerprints, retinas, voice, etc.
  • Authentication: establishing whether someone is who they claim to be
  • Providing usernames and passwords
  • Physical barriers
  • Rack-mounted servers, preset locks, deadbolt locks, cipher locks, layered protection measures

  13. Minimizing Social Engineering
  • Controlling social engineering is also a form of identity management: personnel are required to verify a requester's identity and clearance before giving out information
  • To minimize occurrences, a strong security policy along with plenty of training is needed
  • Policies should outline what information can be given out, to whom, and under what circumstances
  • Examples of social engineering: shoulder surfing, dumpster diving, and smooth-talking, deception, manipulation, and persuasion techniques

  14. Minimizing Social Engineering cont…
  • Some businesses hire actors (in effect, physical penetration testers) who attempt to enter a building by pretending to be repair personnel or authorized visitors who forgot their pass, to test whether staff challenge them

  15. Securing the Physical Environment
  • Again, a strong written policy is needed
  • Identify the physical assets you are protecting
  • Identify the physical areas where they are located
  • Identify the security perimeter, including any holes in it
  • Identify the attacks you are protecting against and their likelihood
  • Identify the current security defenses and ways of improving them
  • Identify the value of the information you are protecting
  • The written policy itself must be kept private and secure: it maps out your assets and defenses for anyone who reads it

  16. Securing the Physical Environment cont…
  • Relocate the wireless access point (away from exterior walls, so less signal leaks outside the perimeter)
  • Substitute 802.11a for 802.11b (802.11a's 5 GHz signal has a shorter range than 802.11b's 2.4 GHz signal, so it reaches less far beyond the building)
  • Have appropriate alarms, other protective measures, and fire extinguishers in place
  • Locks
  • Encrypt stored data, so that stolen equipment or media is virtually useless to the thief
  • Destroy ‘old’ materials before discarding them

  17. Protecting against Environmental Dangers
  • Fire: proper fire extinguishers; automatically cut power if the water sprinkler system triggers
  • Smoke: no smoking in computer rooms; use smoke detectors
  • Dust: clean or replace air filters, cover computers, keep computer rooms as dust-free as possible
  • Earthquakes: physically attach computers to a surface, avoid placing computers on high surfaces, avoid placing heavy objects near computers

  18. Protecting against Environmental Dangers cont…
  • Explosions: keep backups in blast-proof vaults off-site; keep computers away from windows
  • Food/Drink: watch for ventilation holes or spaces where food or drink could be spilled into or onto a computer
  • Vandalism: check whether network cables have been severed, whether network connectors are intact, and whether computer screens are cracked; monitor all utilities such as phone service, water, natural gas, and electricity

  19. Backups
  • Having and maintaining backups is extremely important because disasters, accidents, and attacks cannot be predicted
  • Backups are the last line of protection against data loss: once data is destroyed, nothing else brings it back
  • They also make it possible to compare a compromised system against a known-good copy, to see what an intruder changed and what they could not reach

  20. The Role of Backups
  • Archival information
  • User error
  • System software error
  • Hardware and software failure
  • Electronic break-ins and vandalism
  • Theft
  • Natural disasters

  21. Basic Types of Backups
  • Level Zero Backup: a copy of the original system before it is put into use, serving as the baseline
  • Full Backup: copies all files
  • Differential Backup: copies all files changed since the last full backup (each differential grows until the next full)
  • Incremental Backup: copies only the files changed since the last backup of any type, full or incremental (each one is small, but a restore must replay the whole chain in order)
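As an added example (not part of the original slides), the following Python simulation shows what each backup type actually copies and what a restore has to replay. The file names, the daily edit schedule, and the assumption that backups run at the end of each day after all of that day's changes are constructed for illustration; the selection rule (copy a file when its modification time is later than the reference backup's) is how dump-style tools decide what to include.

```python
"""Full vs. differential vs. incremental backups: what each one copies and
what a restore has to replay.

Added example, not from the original slides. The file names, the daily edit
schedule and the "backups run at the end of each day" assumption are all
constructed for illustration.
"""
from dataclasses import dataclass

# Which earlier backup each type measures "changed since" against.
REFERENCE = {
    "full": set(),                            # copies everything, no reference
    "differential": {"full"},                 # changes since the last FULL
    "incremental": {"full", "incremental"},   # changes since the last full OR incremental
}


@dataclass
class Backup:
    day: int
    kind: str
    files: dict  # file name -> content captured by this backup


def _reference_index(history, kinds, before):
    """Index of the most recent backup whose kind is in `kinds`, before position `before`."""
    for i in range(before - 1, -1, -1):
        if history[i].kind in kinds:
            return i
    raise RuntimeError("no full backup to measure against; take a full first")


def take_backup(kind, day, system, history):
    """Append a backup of `kind`, taken at the end of `day`, to `history`.

    `system` maps file name -> (content, mtime_day). A file is copied when its
    mtime is later than the reference backup's day: the same mtime comparison
    dump-style tools use to select files.
    """
    if kind not in REFERENCE:
        raise ValueError(f"unknown backup type {kind!r}")
    if kind == "full":
        since = -1
    else:
        since = history[_reference_index(history, REFERENCE[kind], len(history))].day
    files = {name: content for name, (content, mtime) in system.items() if mtime > since}
    backup = Backup(day, kind, files)
    history.append(backup)
    return backup


def restore_chain(history, target_day):
    """Backups that must be replayed, oldest first, to rebuild the state as of target_day."""
    i = max(idx for idx, b in enumerate(history) if b.day <= target_day)
    chain = [history[i]]
    while chain[-1].kind != "full":       # walk back through the dependencies
        i = _reference_index(history, REFERENCE[chain[-1].kind], i)
        chain.append(history[i])
    return list(reversed(chain))


def restore(history, target_day):
    """Replay the chain; later backups overwrite earlier copies of the same file."""
    state = {}
    for b in restore_chain(history, target_day):
        state.update(b.files)
    return state


def simulate(strategy):
    """One week: full backup on day 0, then a `strategy` backup at the end of days 1..6."""
    system = {"a.txt": ("a0", 0), "b.txt": ("b0", 0), "c.txt": ("c0", 0)}   # constructed
    history = []
    take_backup("full", 0, system, history)
    # Constructed edit schedule: which files are modified on each day.
    edits = {1: ["a.txt"], 2: ["b.txt"], 3: ["a.txt"], 4: [], 5: ["c.txt"], 6: ["a.txt", "b.txt"]}
    for day in range(1, 7):
        for name in edits[day]:
            system[name] = (f"{name[0]}{day}", day)
        take_backup(strategy, day, system, history)
    return system, history


def compare():
    """Files copied after the full, and chain length to restore day 6, per strategy."""
    out = {}
    for strategy in ("differential", "incremental"):
        _, history = simulate(strategy)
        out[strategy] = {
            "files_copied_after_full": sum(len(b.files) for b in history[1:]),
            "restore_chain_day6": len(restore_chain(history, 6)),
        }
    return out


if __name__ == "__main__":
    for strategy, stats in compare().items():
        print(strategy, stats)
    print("state on day 3:", restore(simulate("incremental")[1], 3))
```

Over the constructed week, the differential strategy copies 13 files after the full and restores day 6 from two backups; the incremental strategy copies only 6 files but needs all seven backups replayed in order, so losing or corrupting any one incremental breaks the chain. That trade-off, copy volume against restore time and fragility, is what the questions on the next slide are really asking about.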

  22. Which Backup Do I Use?
  • It depends on the importance and time sensitivity of your data
  • How quickly do you need to resume operations after a complete loss of the main system? After a partial loss?
  • What data do you need restored first? Second? Last?
  • What will cause the biggest loss if it is not available?
  • How much are you willing or able to spend?
  • A backup is only as good as its last successful test restore; verify that it can actually be restored, not just that it ran
  • Backups tend to prove their worth

  23. Personnel Security
  • Personnel are the backbone of an organization. They hold a great deal of power: access controls and authorization codes to large amounts of important data
  • For this reason, personnel/employees are the #1 threat to security

  24. Personnel Security cont…
  • To keep them in check, a company must:
  • Administer background checks before hiring
  • Go deeper with intensive investigations where a background check warrants it
  • Periodically recheck employees after they are hired
  • Give them initial training as well as ongoing training and awareness
  • Conduct performance reviews and monitoring
  • Audit access: log who accessed what, and review the logs
  • Employ least privilege and separation of duties: grant only the access a job requires, and split sensitive tasks so that no one person can complete them alone
  • Have a defined set of actions for handling departures (revoking access, collecting badges and equipment)
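As an added example (not from the original slides), the following Python script checks the two controls in the last bullets, least privilege and separation of duties, against a constructed role model and a few constructed access-log lines. The role names, permission strings, toxic-combination table, user assignments, and the key=value log format are all assumptions made for illustration, not any real product's format.

```python
"""Least privilege and separation of duties checked against an access log.

Added example, not from the original slides. The roles, permission strings,
toxic-combination table, user assignments and log lines are all constructed
for illustration.
"""
import re
from collections import defaultdict

# Role -> permissions it grants (constructed).
ROLE_GRANTS = {
    "payables_clerk": {"invoice:create", "invoice:read", "vendor:read"},
    "payables_manager": {"invoice:read", "invoice:approve"},
    "treasurer": {"payment:release"},
    "sysadmin": {"server:login", "backup:run", "backup:restore", "audit:read"},
}

# User -> roles held (constructed).
USER_ROLES = {
    "alice": {"payables_clerk"},
    "bob": {"payables_manager", "treasurer"},
    "carol": {"payables_clerk", "payables_manager"},
    "dave": {"sysadmin"},
}

# Separation of duties: permission pairs one person must never hold together.
TOXIC_PAIRS = [
    ("invoice:create", "invoice:approve"),    # raise an invoice and approve it yourself
    ("invoice:approve", "payment:release"),   # approve a payment and also send the money
]

# Constructed access-log lines in an assumed key=value format (last line deliberately malformed).
SAMPLE_LOG = """\
2024-03-01T09:12:03Z user=alice action=invoice:create result=ok
2024-03-01T09:15:41Z user=alice action=vendor:read result=ok
2024-03-01T10:02:17Z user=alice action=invoice:approve result=denied
2024-03-02T08:30:00Z user=bob action=invoice:approve result=ok
2024-03-02T08:31:12Z user=bob action=payment:release result=ok
2024-03-03T07:45:09Z user=carol action=invoice:create result=ok
2024-03-03T07:46:30Z user=carol action=invoice:approve result=ok
2024-03-04T23:10:55Z user=dave action=server:login result=ok
2024-03-04T23:11:20Z user=dave action=backup:run result=ok
this line is malformed and must be skipped rather than abort the review
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\w+) action=(?P<action>[\w:]+) result=(?P<result>ok|denied)$"
)


def effective_permissions(user):
    """Union of everything the user's roles grant."""
    perms = set()
    for role in USER_ROLES.get(user, ()):
        perms |= ROLE_GRANTS[role]
    return perms


def sod_violations():
    """Users whose combined roles hold both halves of a toxic pair."""
    found = {}
    for user in USER_ROLES:
        perms = effective_permissions(user)
        hits = [pair for pair in TOXIC_PAIRS if set(pair) <= perms]
        if hits:
            found[user] = hits
    return found


def parse_log(text):
    """Split the log into actions that succeeded and actions that were denied, per user."""
    used, denied = defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # malformed line: skip it rather than abort the whole review
        bucket = used if m["result"] == "ok" else denied
        bucket[m["user"]].add(m["action"])
    return used, denied


def least_privilege_report(text):
    """Per user: grants never exercised (revocation candidates) and activity outside the grant."""
    used, denied = parse_log(text)
    report = {}
    for user in USER_ROLES:
        granted = effective_permissions(user)
        report[user] = {
            "unused": granted - used[user],                    # trim these to reach least privilege
            "beyond_grant_attempts": denied[user] - granted,   # probing for access they lack
            "beyond_grant_succeeded": used[user] - granted,    # enforcement gap: must be empty
        }
    return report


if __name__ == "__main__":
    print("separation-of-duties violations:", sod_violations())
    for user, findings in least_privilege_report(SAMPLE_LOG).items():
        print(user, findings)
```

Note what the log alone does and does not reveal: every action carol took was authorized by her grants, so an authorization log shows nothing wrong, and only the toxic-pair check exposes that she can raise and approve the same invoice. dave's two never-exercised grants are the revocation candidates a least-privilege review produces, and alice's denied attempt to approve is worth a look even though enforcement held.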

  25. Business Continuity
  • Business continuity is the process of assessing risks and developing a management strategy for how the organization will continue to run if those risks materialize
  • Personnel are very important in this process, as they are the backbone of an organization. They all play important but often very different roles, and a plan is needed should something compromise those roles
  • Significant absenteeism of staff: will this impact your ability to operate?
  • Death or incapacitation of staff: can every member of your organization be replaced?

  26. Understanding Business Continuity
  • This concept is concerned not only with recovering after a disaster, but with anything that could affect the continuity of service over the long run
  • For example:
  • Power outages
  • Shortages of staff in specialized areas
  • A disaster takes out your system: how do you face angry users? Would it ruin your reputation?

  27. Planning for Disaster Recovery
  • Have backups in place
  • Have a defined disaster recovery plan and policy
  • Use fault tolerance: the ability of a system to endure failures
  • Have a redundant system; protection in depth; minimize the consequences of component failures
  • Always have a system or backup that can regain functionality if the system before it goes down

  28. References
  • Some information provided by:
  • Books:
  • Security+ Guide to Network Security Fundamentals, Mark Ciampa, 2nd edition
  • Guide to Networking Essentials, Greg Tomsho, Tittel, Johnson, 5th edition
  • Websites:
  • www.searchsecurity.com
  • OPSEC website: http://www.ioss.gov/
  • Academics:
  • COSC 352
  • COSC 316
  • CRIM 321
