Understand and Apply Foundational Security Operations Concepts
This part of the CISSP course covers some of the fundamental concepts in security operations. Here we look at foundational security operations concepts, including service-level agreements (SLAs), to help you understand the different aspects of security operations. These fundamentals include the principles of need-to-know and least privilege, separation of duties and responsibilities, monitoring of special privileges, job rotation, information lifecycle management and service-level agreements.
Need-to-Know and Least Privilege
Need-to-know and least privilege are two standard principles followed in any secure IT environment. These two principles are related to each other, and in fact many people use the terms interchangeably.
- Need to know: only people with a valid business justification should have access to specific information or functions.
- Least privilege: The same people must also have an appropriate security clearance level in order for access to be granted. At the same time, an individual with the appropriate security clearance level but without a need-to-know should not be granted access. In other words, this principle dictates that individuals have no more access than is strictly required to perform their duties. This principle is sometimes also called the principle of minimum necessary access.
One of the difficult challenges in managing need-to-know is having a control that determines the need-to-know. Furthermore, information owners need to be able to distinguish "I need to know" from "I want to know", "I want to feel important" or "I am just curious".
The important point about least privilege is that giving an individual more privileges and access than required invites trouble, and may become a temptation that results, sooner or later, in an abuse of privilege. For example, giving a user full permissions on a network share directory, when Read/Write permission on one specific folder is enough for him/her, opens the door not only to abuse of those privileges but also to costly mistakes (accidentally deleting a file, or the entire directory).
A very good recommendation is that organizations should approach permissions with a "deny all" mentality, then add needed permissions as required.
Separation of Duties and Responsibilities
Separation of duties refers to the process of separating certain tasks and operations so that no single person has complete control over a critical function of the system or holds all of its responsibilities.
A separation of duties policy creates a checks-and-balances system where two or more users verify each other's actions and must work together to accomplish necessary work tasks.
For example, it is recommended that in an organization one person is the director of authentication and another person is the director of authorization. In this arrangement each has administrative access only to their own area, so nobody has complete authority and control over a critical system or process. This practice promotes security in the following ways:
- Reduces opportunities for fraud or abuse: In order for fraud or abuse to occur, two or more individuals must collude or be complicit in the performance of their duties.
- Reduces mistakes: Because two or more individuals perform the process, mistakes are less likely to occur or mistakes are more quickly detected and corrected.
- Reduces dependence on individuals: Critical processes are accomplished by groups of individuals or teams. Multiple individuals should be trained on different parts of the process to help ensure that the absence of an individual doesn’t unnecessarily delay or impede successful completion of a step in the process.
Privileged Account Management
Special privileges are rights granted only to authorized people. Privileged account management governs, for example, which IT staff may change other users' passwords or create user accounts.
Actions taken using special privileges should be closely monitored. For example, each user password reset should be recorded in a security log along with relevant information about the task: the date and time, the source computer, the account that had its password changed, the user account that performed the change, and the status of the change (success or failure).
For high-security environments it is even recommended that you consider a monitoring solution that offers screen captures or screen recording in addition to the text log.
The UNIX root account, the Linux root account and the Windows Server administrator accounts (such as Enterprise Administrator, Domain Administrator and local Administrator) have elevated rights that allow those accounts to install software, view the entire file system and, in fact, do everything.
There are some important tips:
- Supervisor or Administrator mode should be used only for system administration purposes.
- System and network administrators should not be allowed to use these privileged accounts or roles as their normal user accounts.
- System and network administrators should not be allowed to share a single “administrator” or “root” account.
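The following is an added example (not code from the original page) that audits a password-reset log in the field layout described above against the tips just listed: it flags resets performed by a shared built-in account, the same shared account acting from several computers within a short window, and resets by accounts that are not named privileged accounts. The log lines, account names and time window are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample security-log lines (not from the original page) in the
# field layout the text describes: timestamp | source computer |
# account whose password was changed | account that made the change | status
SAMPLE_LOG = """\
2024-03-04T09:12:01 | WS-HR-07 | jsmith | adm.bmiller | success
2024-03-04T09:15:44 | WS-IT-02 | kchen | administrator | success
2024-03-04T09:16:10 | WS-IT-09 | rlopez | administrator | success
2024-03-04T10:02:33 | WS-IT-02 | kchen | adm.bmiller | failure
2024-03-04T10:40:00 | WS-HR-07 | tnguyen | jsmith | success
"""

# Assumed policy data: named privileged accounts allowed to reset passwords,
# and shared built-in accounts the tips above say must not be used for this.
PRIVILEGED_ACTORS = {"adm.bmiller", "adm.kchen"}
SHARED_ACCOUNTS = {"administrator", "root"}


def parse_log(text):
    """Split each pipe-delimited line into a record dict."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, target, actor, status = [f.strip() for f in line.split("|")]
        records.append({"time": datetime.fromisoformat(ts), "source": source,
                        "target": target, "actor": actor, "status": status})
    return records


def audit_resets(records, window=timedelta(minutes=15)):
    """Return (record_index, reason) findings for resets that break the tips."""
    findings = []
    uses = {}  # shared account -> [(time, source computer), ...]
    for i, r in enumerate(records):
        if r["actor"] in SHARED_ACCOUNTS:
            findings.append((i, f"shared account {r['actor']} performed a reset"))
            # The same shared account acting from different hosts inside the
            # window suggests several administrators are sharing it.
            for t, src in uses.get(r["actor"], []):
                if src != r["source"] and r["time"] - t <= window:
                    findings.append((i, f"{r['actor']} used from {src} and "
                                        f"{r['source']} within {window}"))
                    break
            uses.setdefault(r["actor"], []).append((r["time"], r["source"]))
        elif r["actor"] not in PRIVILEGED_ACTORS:
            findings.append((i, f"unprivileged {r['actor']} reset {r['target']}"))
    return findings
```

Running `audit_resets(parse_log(SAMPLE_LOG))` on the sample yields four findings: two for the shared account, one for it being used from two hosts within the window, and one for the unprivileged reset.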
Job Rotation
Job rotation is also known as rotation of duties or rotation of responsibilities. It helps an organization mitigate the risk associated with any individual having too many privileges. Rotation of duties simply requires that one person does not perform critical functions or responsibilities for an extended period of time.
Job rotation involves regularly (or randomly) transferring key personnel into different positions or departments within an organization, with or without notice.
The primary purpose of job rotation is to reduce the length of time one person spends in a certain job.
Job rotation can be used to cross-train members of teams to minimize the impact of absence and also prevent the organization from becoming completely dependent on one person for a particular task.
Job rotation accomplishes several important organizational objectives:
- Reduce opportunities for fraud or abuse
- Eliminate the organization’s dependence on the individual
- Promote professional growth
Information Lifecycle
The information lifecycle refers to the activities related to the introduction, use, and disposal of information in an organization.
Security controls protect information throughout its life cycle. The phases in the information lifecycle typically are:
- Plan: Development of formal plans on how to create and use information.
- Creation: Information is created, collected, received, or captured in some way.
- Store: Information is stored in an information system.
- Use: Information is used, maintained, and perhaps disseminated.
- Protection: Information is protected according to its criticality and sensitivity.
- Disposal: Information at the end of its service life is discarded. Sensitive information will be erased using techniques to prevent its recovery. Information must be destroyed in a way that is not recoverable at all.
Marking (or Labeling) Data
Marking data is used to ensure that personnel can easily recognize the data’s significance. As an example, a backup of Top Secret data should be marked Top Secret. Personnel should mark the data as soon as possible after creating it.
It is even recommended that, if a system processes confidential data, the system has a screen saver and a wallpaper (desktop background) that clearly indicate that the system is processing confidential data.
Handling Data
The important point is to provide the same level of protection for data while it is being moved as it has when it is stored. For example, encrypting data in transit (over a network) is a proper solution for protecting it.
Storing Data
Storage locations require protection against loss. Data is primarily stored on disk drives, and personnel periodically back up the valuable data.
In fact, we need two backups of the data. One backup should be kept nearby on a storage medium, and the second copy should be stored on another storage medium (such as an external hard drive). The second storage medium itself should preferably be kept in another geographical location (for example another building, another city or another state). However, the second backup must be updated on a scheduled, periodic basis (not at long intervals).
All backups should be protected against theft by physical security methods. Environmental controls protect the data (and all backups) against loss due to exploitation, corruption and natural disasters.
Destroying Data
When data is no longer needed, it should be destroyed in such a way that it is not readable. When deleting sensitive data, many organizations require personnel to destroy the disk to ensure the data is not accessible.
Simply deleting files doesn't remove them but instead marks them for deletion, so this isn't a valid way to destroy data. Technicians and administrators therefore usually overwrite the files or disks with patterns of 1s and 0s or use other methods to shred the files. Data wiping is the term used for destroying data so that it can never be recovered or accessed again.
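As an added illustration (not from the original page) of the overwrite technique described above, the following script overwrites a file with a zeros pass, a ones pass and a random-data pass, syncing each pass to disk before unlinking the file. The sample file contents and the three-pass pattern set are constructed for the example.

```python
import os
import secrets
import tempfile

# Overwrite passes: all zeros, all ones, then random bytes. A plain
# os.remove() only unlinks the name and leaves the blocks recoverable.
PATTERNS = (b"\x00", b"\xff", None)  # None means random data


def wipe_file(path, chunk_size=64 * 1024):
    """Overwrite every byte of `path` once per pattern, sync each pass to
    the device, then unlink it. Returns the number of bytes overwritten."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        for pattern in PATTERNS:
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                data = secrets.token_bytes(n) if pattern is None else pattern * n
                remaining -= f.write(data)  # unbuffered write may be partial
            os.fsync(f.fileno())  # force the pass out of the page cache
    # Caveat: on SSDs and on copy-on-write or journaling file systems the new
    # data may land on other physical blocks, so the old copy can survive;
    # such media need the "other methods" the text mentions (crypto-erase or
    # physical destruction) rather than overwriting alone.
    os.remove(path)
    return size


def demo():
    """Create a constructed sensitive file, wipe it and report the result."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"SSN 000-00-0000; salary 123456\n" * 100)
    wiped = wipe_file(path)
    return wiped, os.path.exists(path)


if __name__ == "__main__":
    print(demo())  # (3100, False)
```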
Service Level Agreements (SLA)
An SLA is an agreement between an organization and a vendor. The SLA specifies performance expectations and often includes penalties if the vendor doesn't meet these expectations. As an example, many organizations use cloud-based services to rent servers. As a result, the organization can use an SLA to specify availability, such as the maximum number of interruptions. Users of business- or mission-critical information systems need to know whether their systems or services will function when they need them, and an SLA is useful here.
So it is very important that an organization has a clear idea of its requirements when working with third parties and makes sure the SLA includes these requirements. An SLA is a quasi-legal document (it is a real legal document when it is included in or referenced by a contract) that pledges that the system or service will perform to a set of minimum standards. These standards include the following:
- Hours of availability
- Average and peak number of concurrent users
- Transaction throughput
- Transaction accuracy
- Data storage capacity
- Response times
- Service desk response and resolution times
- Mean Time between Failures (MTBF)
- Mean Time to Restore Service (MTRS)
- Security incident response times
- Escalation process during times of failure
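The following added example (not from the original page) shows how three of the standards listed above, availability, MTBF and MTRS, can be measured from a vendor's outage records and compared with the SLA's minimums so that a breach can be raised. The outage records, reporting period and SLA thresholds are constructed values.

```python
from datetime import datetime, timedelta

# Constructed outage records for one month: (start, end) of each interruption.
OUTAGES = [
    (datetime(2024, 3, 3, 2, 10), datetime(2024, 3, 3, 2, 55)),
    (datetime(2024, 3, 14, 11, 0), datetime(2024, 3, 14, 13, 30)),
    (datetime(2024, 3, 27, 23, 40), datetime(2024, 3, 28, 0, 20)),
]
PERIOD = (datetime(2024, 3, 1), datetime(2024, 4, 1))

# Assumed SLA minimums for the standards being checked.
SLA = {
    "availability_pct": 99.9,           # percentage of the period in service
    "mtrs_max": timedelta(hours=1),     # Mean Time to Restore Service
    "mtbf_min": timedelta(days=7),      # Mean Time Between Failures
}


def sla_metrics(outages, period):
    """Compute availability, MTRS and MTBF from outage intervals."""
    total = period[1] - period[0]
    downtime = sum((end - start for start, end in outages), timedelta())
    uptime = total - downtime
    n = len(outages)
    return {
        "availability_pct": round(uptime / total * 100, 3),
        "mtrs": downtime / n if n else timedelta(),   # average repair time
        "mtbf": uptime / n if n else total,           # average time in service
    }


def sla_breaches(metrics, sla):
    """Return the names of the SLA standards the measured metrics fail."""
    breaches = []
    if metrics["availability_pct"] < sla["availability_pct"]:
        breaches.append("availability")
    if metrics["mtrs"] > sla["mtrs_max"]:
        breaches.append("mtrs")
    if metrics["mtbf"] < sla["mtbf_min"]:
        breaches.append("mtbf")
    return breaches


if __name__ == "__main__":
    m = sla_metrics(OUTAGES, PERIOD)
    print(m, sla_breaches(m, SLA))  # breaches: ['availability', 'mtrs']
```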