Chapter 9: Security Operations and Admin

Cards (58)

  • Security administration
    refers to the group of individuals responsible for planning, designing, implementing, and monitoring an organization’s security plan
  • security operations center (SOC)
    the physical location where security administrators work
  • security information and event management (SIEM) systems
    tool set used by SOC teams; provides a rich, integrated set of tools to help collect, assess, and visualize a networked environment’s state
  • security orchestration, automation, and response (SOAR) system
    gives the SOC team an integrated set of tools with which to determine the security level of a networked environment, identify any anomalies, and respond to any issues in a structured manner
  • A primary task of an organization’s security administration team is to control access to systems or resources. There are four aspects of access control:
    Identification—Assertions made by users about who they are
    Authentication—The proving of that assertion
    Authorization—The permissions a legitimate user or process has on the system
    Accountability—Tracking or logging what authenticated and unauthenticated users do while accessing the system
  • To make the best decisions to secure assets, several types of documentation are necessary to provide the input the security administration team needs. The most common documentation requirements include the following:
    sensitive assets list, the organization's security prowess, the authority of the persons responsible for security, and the policies, procedures, and guidelines adopted by the organization
  • Sensitive assets list
    A list that can include computers, devices, network components, databases, documents, and any other assets that could be vulnerable to attack.
  • An organization must comply with rules on two levels:
    Regulatory compliance—The organization must comply with laws, government regulations, and contractual requirements.
    Organizational compliance—The organization must comply with its own policies, audits, culture, and standards.
  • Outsourcing considerations:
    privacy, risk, data security, ownership, adherence to policy
  • Most common agreements that define how an outsourcing relationship works:
    Service level agreement (SLA), Blanket purchase agreement (BPA), Memorandum of understanding (MOU), Interconnection security agreement (ISA)
  • Service level agreement (SLA)
    legally binding formal contract between an organization and a third-party external organization that details the specific services the third party will provide
  • Blanket purchase agreement (BPA)
    a streamlined method of meeting recurring needs for supplies or services; creates preapproved accounts with qualified suppliers to fulfill recurring orders for products or services
  • Memorandum of understanding (MOU)
    expresses areas of common interest that result in shared actions; generally less enforceable than a formal agreement but still more formal than an oral agreement
  • Interconnection security agreement (ISA)
    often an extension of an MOU; documents the technical requirements of interconnected assets and is often used to specify the technical needs and security responsibilities of connected organizations
  • Three primary means are used to ensure compliance:
    Event logs, Compliance liaison, Remediation
  • Event logs
    records of actions that an organization’s operating system or application software creates, showing which user or system accessed data or a resource and when
  • Compliance liaison
    makes sure that all personnel are aware of—and comply with—the organization’s policies
  • Remediation
    fixing something that is broken or defective; with computer systems, it refers to fixing security vulnerabilities
  • The Organisation for Economic Co-operation and Development (OECD) eight privacy principles state the following:
    • An organization should collect only what it needs.
    • An organization should not share its information.
    • An organization should keep its information up to date.
    • An organization should use its information only for the purposes for which it was collected.
    • An organization should properly destroy its information when it is no longer needed.
  • Personnel Security Principles:
    limiting access, separation of duties, job rotation, mandatory vacations
  • least privilege
    limiting access to users based on the levels of permissions they need to perform their duties
  • need-to-know requirement
    states that people should have access only to information they need to perform their jobs, regardless of their clearance level.
  • An awareness program is different from a formal training program. Most users do not understand what security is and why it’s necessary.
  • Security training should cover the most common types of social engineering attacks, including:
    intimidation, namedropping, appeals for help, phishing
  • The elements of a security policy environment:
    policies, standards, procedures, baselines, guidelines
  • policies
    document management’s security goals and objectives and explain the company’s security needs and its commitment to meeting those needs. A security policy should read like a short summary of key facts (e.g., “Security is essential to the future of our organization”)
  • functional policy
    sets out the direction for the management of an organization pertaining to security in such specific functional areas as email use, remote access, and Internet interaction (including social media)
  • privacy policy
    one example of a functional policy; specifies to consumers how an organization collects, uses, and disposes of their personal information
  • standards
    mandated requirements for hardware and software solutions used to address security risk throughout an organization
  • procedures
    step-by-step systematic actions taken to accomplish a security requirement, process, or objective; cover things such as changing passwords, responding to incidents, and creating backups
  • baselines
    basic configuration documents that list the components or configuration settings for specific types of computers or devices
  • guidelines
    actions that the organization recommends (e.g., which products and systems are acceptable for use), to help provide structure to a security program
  • data owner
    person who owns the data or someone the owner assigns; classifies the data
  • system owner
    refers to the person or group that manages the infrastructure
  • Organizations consider three criteria in classifying information:
    Value—the value to the organization, the value to competitors, the cost of replacement or loss, and the value to the organization’s reputation.
    Sensitivity—measure of the effect that a breach of integrity or the disclosure of information would have on the organization (liability or fines, reputation, credibility, or loss of market share).
    Criticality—measure of the importance of the information to the mission of the organization. What would happen to the organization if the information were lost?
  • Examples of classifications:
    • U.S. government -- hierarchical series of classifications that include Unclassified, Restricted, Confidential, Secret, and Top Secret; well known and standardized
    • private sector (i.e., companies) -- uses various categories, such as public (low), private (medium), and confidential (high); less well known and not standardized
  • Configuration control
    the management of the baseline settings for a system or device so that it meets security requirements
  • Change management can be either reactive or proactive.
  • An organization can conduct change management in several ways: on a continuous basis, on a regularly scheduled basis, on a release basis, or when deemed necessary on a program-by-program basis.
  • change control committee
    its responsibility is to oversee all proposed changes to systems and networks