Introduction
In order to run a business smoothly and continuously without interruption, it is very important to manage the company's day-to-day security functions. To do that, the correct procedures and processes relevant to security operations need to be in place.
Security operations management is the ground process by which the security incidents of an organization are managed and those events are reported and communicated effectively. It also covers placing proper controls to avoid security attacks and continually monitoring the organization's security functions. Forensic analysis is another important part of these operations; it focuses on properly collecting evidence of security-related incidents and analyzing it in a standard way.
Business continuity planning and disaster recovery is another important consideration for smooth operations in an organization. It covers how to react to unexpected disasters such as floods, earthquakes etc. The goal of disaster recovery is to bring the system back to an operational level after a disaster.
Physical security is another important factor in security operations; under it we discuss the security of buildings, computer equipment, documents, site location, accessibility, lighting etc.
Authentication and authorization control who can access computer resources and the level of access to those resources.
Background
The article discusses issues in the following areas.
1. Security Operations
2. Disaster Recovery and Business Continuity
3. Incident Response and Forensic Analysis
4. Physical Security
5. Security Organization
6. Authentication and Authorization
The article discusses two security issues in each section and also describes possible solutions to those issues.
Details
Security Operations
Administrative abuse of privileges – System administrators make sure systems run smoothly and provide assurance of the integrity and availability of computer systems. In order to do this, system administrators normally have more privileges than ordinary users. Sometimes administrators might abuse their rights through unauthorized use of system services and data. To avoid administrator abuse of computer systems we have to put some controls over administrative privileges.
To avoid administrative abuse of power we can limit authority and separate duties. Within our IT infrastructure we can segment system operations by authority and assign a separate administrator for each job. We can also segment duties between service administration and data administration.
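The separation between service administration and data administration described above can be enforced as an authorization rule rather than left to policy alone. The following is an added example, not code from the article: a small role model in which the role names, their permissions, the conflicting-role pairs and the sample user assignments are all constructed for illustration. A user who holds two conflicting roles is reported, and authorization for such a user fails closed until the assignment is corrected.

```python
"""Separation-of-duties check for administrative roles.

Added example (not from the article): a small authorization model in which
system operations are split into service administration and data
administration, each with its own administrator. Role names, permissions and
the sample assignments are constructed for illustration.
"""

# Permissions granted by each administrative role (constructed example).
ROLE_PERMISSIONS = {
    "service_admin": {"restart_service", "apply_patch", "edit_config"},
    "data_admin": {"read_customer_data", "export_customer_data", "restore_backup"},
    "auditor": {"read_audit_log"},
}

# Pairs of roles that one person must never hold at the same time.
CONFLICTING_ROLES = {
    frozenset({"service_admin", "data_admin"}),
    frozenset({"service_admin", "auditor"}),
    frozenset({"data_admin", "auditor"}),
}


def sod_violations(assignments):
    """Return {user: set of conflicting role pairs} for users holding conflicting roles.

    `assignments` maps user -> set of roles.
    """
    violations = {}
    for user, roles in assignments.items():
        held = set(roles)
        bad = {pair for pair in CONFLICTING_ROLES if pair <= held}
        if bad:
            violations[user] = bad
    return violations


def is_authorized(assignments, user, permission):
    """Authorization decision.

    A user may perform `permission` only if one of their roles grants it AND
    their role set contains no conflicting pair; users with conflicting roles
    are refused (fail closed) until the assignment is corrected.
    """
    roles = set(assignments.get(user, set()))
    if any(pair <= roles for pair in CONFLICTING_ROLES):
        return False
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in roles)


# Constructed sample assignments: carol holds both admin roles (a violation).
SAMPLE_ASSIGNMENTS = {
    "alice": {"service_admin"},
    "bob": {"data_admin"},
    "carol": {"service_admin", "data_admin"},
    "dave": {"auditor"},
}

if __name__ == "__main__":
    for user, pairs in sod_violations(SAMPLE_ASSIGNMENTS).items():
        print(f"SoD violation: {user} holds {sorted(sorted(p) for p in pairs)}")
    print("alice apply_patch:", is_authorized(SAMPLE_ASSIGNMENTS, "alice", "apply_patch"))
    print("alice export_customer_data:",
          is_authorized(SAMPLE_ASSIGNMENTS, "alice", "export_customer_data"))
    print("carol apply_patch:", is_authorized(SAMPLE_ASSIGNMENTS, "carol", "apply_patch"))
```

Running `sod_violations` periodically against the real role assignments (for example as part of an access review) is the detection side; `is_authorized` is the preventive side, applied at the point where an administrative action is requested.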
System changes such as updates, patches, new releases and configuration changes might cause unexpected issues and make a system unavailable. In order to avoid these situations, practicing a proper change management process is very important. Before implementing a change, it is very important to do an impact analysis of the required change. Recording the change and testing it before applying it to the production environment is also very important.
ITIL provides a service-oriented framework, a set of best practices for properly managing changes, especially for service-oriented organizations.
Disaster Recovery and Business Continuity
Issues with third-party vendors – Most organizations outsource some of their business operations or management operations to third-party vendors. Examples of outsourced operations are virtual servers, Internet service providers, payment systems, backup servers etc.
If we plan our disaster recovery and business continuity without involving our third-party vendors and service providers, those plans will not succeed, because those vendors are part of our business operations and their contribution to disaster recovery and business continuity planning is very important. So when preparing business continuity and disaster recovery plans, we should discuss them with our third-party vendors and make sure of their availability and on-time contribution.
Issues with backing up transaction processing systems that have high transaction volumes – Traditional online and offline backup methods can cause performance issues in high-volume transaction processing systems. To overcome these issues there are some newer backup technologies; the list below shows some of them.
- Windows shadow copy
- Hierarchical Storage Management
- Dedicated backup networks
- Disk-to-disk backup, which provides a higher transfer rate than traditional tape backups
Incident Response and Forensic Analysis
Some organizations face the same security breach incidents again and again. Although the organization has an incident response team that quickly responds to and resolves incidents, the organization experiences the same type of attacks regularly. The reason might be that the organization does not have proper incident management plans and procedures to manage incidents.
Normally an incident management plan includes the following steps
1. Incident Detection
2. Response and Containment
3. Recovery and Resumption
4. Review and Improvement
To avoid the same type of attacks in future, step number 4 is very important. In this step the incident response team reviews the incident and ensures appropriate steps are taken to close the security hole. This makes sure the same incident will not happen in future.
An examiner may spend many hours collecting evidence in a security-related incident that then cannot be used in court due to improper procedure. Basically, an examiner who contributes to a forensic investigation should have good knowledge of the legal requirements and must follow the correct procedures to collect evidence. Most importantly, evidence should be collected without being altered or damaged. After extracting details from the crime scene, the data should be analyzed without modifying it.
Computer forensic data can be classified as
- Host-based data
- Network-based data
Before examining the affected computer systems, the examiner should examine the environment around the computer system. The examiner might find things like papers, removable disks and CDs near the affected computer systems. That kind of evidence should be collected and kept for further analysis.
If the affected computer system is already switched on, the examiner should take a decision on turning off the computer. But before that the examiner might decide to take a memory dump and examine the live system for facts such as
- Open files
- Running processes
- Processor and memory consumption
- Network connections
Finally, before analysis the examiner should take a forensic backup and analyze that copy for evidence.
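The two requirements above, that evidence is collected without being altered and that the forensic backup is what gets analyzed, are usually demonstrated with cryptographic hashes recorded in a chain-of-custody log. The following is an added example, not code from the article: it hashes a constructed stand-in for a seized disk image, makes the working copy, proves the copy matches, re-verifies after a read-only analysis step, and shows that an accidental write to the copy is detected on re-verification. File names and the evidence bytes are constructed; only the Python standard library is used.

```python
"""Forensic copy integrity: hash the evidence, verify the copy, re-verify after analysis.

Added example (not from the article): shows one way an examiner can prove that a
forensic backup is a faithful copy and that analysis did not modify it, with a
simple chain-of-custody log. The evidence bytes and file names are constructed;
only the Python standard library is used.
"""
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so a large image need not fit in memory


def _now():
    return datetime.now(timezone.utc).isoformat()


def sha256_file(path):
    """SHA-256 of a file, read in chunks with read-only access."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(original, copy, log):
    """Copy `original` to `copy`, log both hashes, and return True only if they match."""
    src = sha256_file(original)
    shutil.copyfile(original, copy)
    dst = sha256_file(copy)
    log.append({"time": _now(), "action": "acquire",
                "original_sha256": src, "copy_sha256": dst})
    return src == dst


def verify(copy, expected, log, action):
    """Re-hash the working copy, log the result, and compare with the acquisition hash."""
    actual = sha256_file(copy)
    ok = actual == expected
    log.append({"time": _now(), "action": action, "sha256": actual, "matches": ok})
    return ok


def run_demo():
    """Constructed scenario: acquire, analyze read-only, re-verify, then detect a write.

    Returns (acquire_ok, hits, ok_after_analysis, ok_after_write, log).
    """
    with tempfile.TemporaryDirectory() as tmpdir:
        original = Path(tmpdir) / "disk.img"       # stands in for the seized medium
        copy = Path(tmpdir) / "disk.img.copy"      # the working (forensic) copy
        original.write_bytes(b"constructed disk image " * 1000)
        log = []
        acquire_ok = acquire(original, copy, log)
        expected = log[-1]["copy_sha256"]
        # Analysis: a read-only keyword search over the copy.
        hits = copy.read_bytes().count(b"disk image")
        ok_after_analysis = verify(copy, expected, log, "post-analysis")
        # An accidental write to the working copy must show up on re-verification.
        with open(copy, "r+b") as f:
            f.write(b"X")
        ok_after_write = verify(copy, expected, log, "post-write")
        return acquire_ok, hits, ok_after_analysis, ok_after_write, log


if __name__ == "__main__":
    acquire_ok, hits, after_analysis, after_write, log = run_demo()
    print(f"acquire ok={acquire_ok}, hits={hits}, "
          f"after analysis={after_analysis}, after write={after_write}")
    for entry in log:
        print(entry)
```

In practice the original medium is attached through a write blocker and the log entries also record who performed each action; the hash comparison is what lets a reviewer confirm, long after the fact, that the analyzed copy is the same bytes that were seized.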
Physical Security
Insider security threats – Most organizations put the necessary controls over physical security threats in place but are not concerned about insider security threats. But this is a very important factor to consider in physical security controls. Most organizations use temporary contracted employees for their work. Also, system administrators have more power than regular users. Organizations often come across situations such as the theft of removable media by their employees. Contracted employees can also leave malware and backdoors behind when they leave the organization. To overcome these issues the following controls are very important
- Lock server rooms
- Protect removable media devices
- Segregate duties
- Use proper access control methods
- Build up better physical security standards and practices for the organization
- Put incident response controls in place
- Put auditing controls in place
Senior executives leave tablets and laptops on their desks and go out – This kind of issue can be seen in some organizations. When senior executives leave their tablets and laptops on their desks and go out, other employees can access those devices and steal confidential information. In order to avoid this situation the organization should practice proper standards and practices for using devices and data. Also, automatic logout when a system is idle and physically locking executives' cubicles would be useful.
Security Organization
Roles and responsibilities not properly defined – Some organizations have dedicated information security staff but their roles and responsibilities are not correctly defined. So security staff do not know the scope of their work and this causes issues in security operations and management. To avoid these issues it is important to define security staff roles and responsibilities clearly. The next section of the paper shows some guidelines for defining proper roles and responsibilities.
Position | Responsibility
--- | ---
Chief Security Risk Officer | Ultimate accountability for the security of the organization.
Security Director | Responsible for overall security management.
Security Manager | Head of day-to-day security operations.
Security Architect | Security solution design and testing.
Security Engineer | Responsible for implementing solutions.
Security Administrator | Responsible for day-to-day security administration tasks.
Security Analyst | Monitors alerts and reports generated by security systems.
Security Investigator | Responsible for investigating incidents.
Incident Response Team | Responsible for handling and responding to incidents.
In addition to the above positions, some organizations have a security board of directors, a security steering committee and security councils to manage security operations.
Some organizations do not build an in-house IT security team for various reasons. Some of these reasons are as follows
- No necessary skills and expertise to build an in-house IT team
- Handling a vast amount of data
- The budget for IT security infrastructure is very high
- Some specific skill sets are hard to find
In order to face these situations organizations can utilize managed security service providers. Managed security service providers provide several information security services; some of the major services are listed below.
- Monitoring security incidents
- Incident detection
- Activity and incident logging services
- Response to incidents
- Backup services
- Scanning for and reporting vulnerabilities
- Support and training
Using these services, organizations will have some advantages and disadvantages.
Advantages
- Cost savings
- Fast implementation
- High expertise and experience
- High adaptability
Disadvantages
- Issues with service level agreements
- Inability to align with the organization's business objectives
- Delays in processing events and incidents
Authentication and Authorization
Usernames and passwords stored and compared locally cause issues – This kind of username and password storage is still in use, but there are some issues associated with it. Mainly these passwords are plain text and not encrypted, so others can open the password file and see the passwords. These passwords can also be intercepted by rogue software. So we can say these systems are not well protected.
To solve this, there are some technologies to encrypt passwords and secure password files.
There are two hashing algorithms commonly used for hashing passwords
- MD5
- SHA-1
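To make the difference concrete, the following added example (not code from the article) puts the plaintext password file the article warns about beside two hashed forms. The first hashed form is an unsalted SHA-1 digest, one of the two algorithms listed above, which shows the remaining weakness of that approach: two users with the same password get the same digest, so the file still leaks which accounts share a password and a single precomputed table covers all of them. The second form, PBKDF2-HMAC-SHA256 with a random per-user salt and an iteration count, is the generally recommended way to store passwords today and goes beyond what the article lists; the iteration count and all usernames and passwords are constructed sample values.

```python
"""Stored-password protection: plaintext comparison versus salted, iterated hashing.

Added example (not from the article). Contrasts the plaintext password file the
article describes with two hashed stores: unsalted SHA-1 (listed by the article)
and PBKDF2-HMAC-SHA256 with a per-user random salt. Usernames, passwords and the
iteration count are constructed sample values.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumption: tune so a verification takes ~100 ms

# --- Weak form 1: plaintext store, exactly what the article warns about -------
PLAINTEXT_STORE = {"alice": "hunter2", "bob": "hunter2"}


def verify_plaintext(store, user, password):
    """Anyone who can read the file can read every password."""
    return store.get(user) == password


# --- Weak form 2: unsalted SHA-1 ---------------------------------------------
def sha1_hex(password):
    return hashlib.sha1(password.encode()).hexdigest()


def unsalted_store(users):
    """Identical passwords give identical digests; one precomputed table fits all."""
    return {u: sha1_hex(p) for u, p in users.items()}


# --- Hardened form: per-user random salt + PBKDF2-HMAC-SHA256 -----------------
def make_record(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' for storage.

    `salt` may be supplied only for deterministic tests; normally it is random.
    """
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_record(record, password):
    """Recompute from the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def hashed_store(users):
    """Same two users: different records even though the passwords are equal."""
    return {u: make_record(p) for u, p in users.items()}


if __name__ == "__main__":
    print("plaintext file:", PLAINTEXT_STORE)
    print("unsalted SHA-1:", unsalted_store(PLAINTEXT_STORE))
    store = hashed_store(PLAINTEXT_STORE)
    print("salted PBKDF2 :", store)
    print("alice/hunter2 ->", verify_record(store["alice"], "hunter2"))
    print("alice/wrong   ->", verify_record(store["alice"], "wrong"))
```

The stored record carries its own parameters, so the iteration count can be raised for new records later without invalidating old ones, and `hmac.compare_digest` avoids leaking how many leading bytes of the digest matched through timing.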
There are also some advanced authentication and authorization techniques used in more secure systems
- Kerberos
- One-time passwords
- Certificate-based authentication
Untrusted software – After downloading some programs from the internet, we see warning messages when we try to install them on our computers. For example, in Windows operating systems the "unknown publisher" message is commonly seen.
Although this software is legitimate, the operating system cannot verify the origin and publisher of the software, so it pops up these messages.
To solve this issue we can use a code signing certificate to digitally sign the software. After signing, the software carries a digital signature, which the operating system uses to verify the publisher of the software.
We can purchase code signing certificates from certificate authorities such as
- Symantec
- Verisign
- GoDaddy
- DigiCert
Conclusion
The first section of the article shows a typical network diagram with the most commonly used network components and the interconnections between them. The diagram also shows multiple branches and connection points to the internet. In addition, the diagram shows network security related devices and components such as firewalls, IDS/IPS etc.
The next section discusses issues relevant to security operations. The document focuses on the following areas and discusses two issues in each area.
- Security Operations
- Disaster Recovery and Business Continuity
- Incident Response and Forensic Analysis
- Physical Security
- Security Organization
- Authentication and Authorization
In addition to the issues in the above areas, the document describes possible solutions and suggestions to overcome those issues.