Increasing Operations Security

After a network is installed, network operations personnel monitor and maintain it. From a security perspective, operations security attempts to secure hardware, software, and various media while investigating anomalous network behavior.

System Development Life Cycle

A computer network is a dynamic entity, continuously changing to meet the needs of its users. New network components are added and eventually retired.

The life of these components can be defined by the System Development Life Cycle (SDLC), which consists of five phases:

■ Initiation

■ Acquisition and development

■ Implementation

■ Operations and maintenance

■ Disposition


SDLC's initiation phase consists of two security procedures:

■ Security categorization: Security categorization, as the name suggests, categorizes the severity of a security breach on a particular network component. For example, a newly added network device might be categorized as having either a high, medium, or low security level.

■ Preliminary risk assessment: Although a more formalized risk assessment follows in the SDLC, the preliminary risk assessment offers a high-level overview of a system's security requirements.

Acquisition and Development

SDLC's acquisition and development phase consists of multiple security procedures:

■ Risk assessment: The risk assessment performed in the SDLC's initiation phase serves as the foundation for this more formalized risk assessment, which specifies protection \ Topic requirements.

/Key i Topic

/Key i Topic

■ Security functional requirement analysis: This analysis identifies what is required to properly secure a system such that it can function in its intended capacity. For example, a requirement might state that a corporate security policy has to be written.

■ Security assurance requirements analysis: Based on legal and functional security requirements, this analysis provides evidence that the network resource in question will be protected at the desired level.

■ Cost considerations and reporting: A report is created that details the costs of securing a system. Included costs might include expenses for hardware, applications, personnel, and training.

■ Security planning: A report is created that details what security controls are to be used.

■ Security control development: A report is created detailing how the previously determined security controls are to be designed, developed, and implemented.

■ Developmental security test and evaluation: Testing is performed to validate the operation of the implemented security controls.


SDLC's implementation phase consists of the following security procedures:

■ Inspection and acceptance: The installation of a system and its functional requirements are verified.

■ System integration: The system is integrated with all required components at its operational site, and its operation is verified.

■ Security certification: The operation of the previously specified security controls is verified.

■ Security accreditation: After the operation of required security controls is verified, a system is given appropriate administrative privileges to process, store, and/or transmit specific data.

Operations and Maintenance

SDLC's operations and maintenance phase consists of the following security procedures:

■ Configuration management and control: Before a configuration change is made to ¡ Key ^ ^

\ Topic one part of a network, the potential impact on other parts of the network is considered.

For example, change management software might be used to notify a variety of

/Key \ Topic information security employees before a change is made to one of the integrated systems. Those employees could then evaluate the potential impact that such a change would have on the portion of the information system they are responsible for.

■ Continuous monitoring: Even after a security solution is in place, it should be routinely monitored and tested to validate its operation.


SDLC's disposition phase consists of the following security procedures:

■ Information preservation: Some information needs to be preserved because of legal

^ / Key restrictions. Also, archived information should periodically be transferred to more i Topic modern storage technologies, to ensure that, over time, the medium used to store the archived information is not an obsolete technology.

■ Media sanitation: When storage media that contain sensitive information are disposed of, they should be "sanitized" so that no one can retrieve the information. For example, simply deleting a file from a hard drive does not necessarily prevent someone from retrieving it. A better practice might be to overwrite the old data to prevent its retrieval.

■ Hardware and software disposal: When hardware and software components are retired, a formalized disposal procedure should be used. Such a procedure could help prevent someone with malicious intent from retrieving information from those components.

Operations Security Overview

Operations security recommendations attempt to ensure that no one employee will become a pervasive security threat, that data can be recovered from backups, and that information system changes do not compromise a system's security. Table 2-2 provides an overview of these recommendations.

Table 2-2 Operations Security Recommendations



Separation of duties

Information security personnel should be assigned responsibilities such that no single employee can compromise a system's security. This could be accomplished through a dual operator system (in which specific tasks require two people) or a two-man control system (in which two employees have to approve one another's work).

continues continues

,•— Table 2-2 Operations Security Recommendations (Continued) Key _' _



Rotation of duties

The potential for a single employee to cause an ongoing security breach is lessened by having multiple employees periodically rotate duties. This rotation results in a "peer review" process in which employees check one another's work. However, smaller organizations with limited staff might have difficulty implementing this recommendation.

Trusted recovery

Trusted recovery implies making preparations for a system failure (for example, backing up sensitive data and securing those backups) and having a plan to recover data in the event of a failure. The recovery procedures should ensure that data is secured during the backup process (for example, running an operating system in a single-user mode or safe mode while restoring the data). Also, data should be restored such that its original permissions are in effect.

Configuration and change control

When making changes to an information system, multiple personnel should review the changes beforehand to anticipate any issues that could result. For example, a change in one system might open a security hole on another system. The primary goals of configuration and change management are minimizing system disruptions, being able to quickly back out of a change, and using network resources more efficiently and effectively.

Evaluating Network Security

To verify that a network's security solutions are acting as expected, you should test them occasionally. This network security evaluation typically occurs during the implementation phase and the operations and maintenance phase of SDLC.

During the implementation phase you should evaluate network security on individual system components, in addition to the overall system. By performing a network security evaluation during the implementation stage, you are better able to discover any flaws in your security design, implementation strategy, or operational strategy. You can also get a sense of whether your security solution will meet the guidelines of your security policy.

After a system enters its operation and maintenance phase, you should continue to perform periodic security evaluations to verify the performance of your security solution. In addition to regularly scheduled evaluations, Cisco recommends that evaluations be performed after you add a component (for example, a web server) to the information system.

The results of your security evaluations can be used for a variety of purposes:

■ Creating a baseline for the information system's level of protection

■ Identifying strategies to counter identified security weaknesses

■ Complementing other SDLC phases, such as performing risk assessments

■ Conducting a cost/benefit analysis when evaluating additional security measures

A variety of network evaluation techniques are available. Some of them can be automated, and others are manual procedures. Consider the following approaches to evaluating network security:

■ Scanning a network for active IP addresses and open ports on those IP addresses

■ Scanning identified hosts for known vulnerabilities

■ Using password-cracking utilities

■ Reviewing system and security logs

■ Performing virus scans

■ Performing penetration testing (perhaps by hiring an outside consultant to see if he or she can compromise specific systems)

■ Scanning for wireless SSIDs to identify unsecured wireless networks

Several tools and utilities are available for performing a security evaluation. Some are available as freeware, and other packages require the purchase of a license. The following is a sample of these tools and utilities:

■ Metasploit

■ SuperScan by Foundstone, a division of McAfee


To gain a sense of the features available in such evaluation tools, consider the Nmap utility.

Nmap is a publicly available scanner that can be downloaded from http:// Nmap offers features such as the following:

■ It has scanning and sweeping features that identify services running on systems in a specified range of IP addresses.

■ It uses a stealth approach to scanning and sweeping, making the scanning and sweeping less detectible by hosts and IPS technology.

■ It uses operating system (OS) fingerprinting technology to identify an operating system running on a target system (including a percentage of confidence that the OS was correctly detected).

Figure 2-1 shows a GUI version of Nmap called Zenmap, which can be downloaded from the link just provided.

Figure 2-1 Nmap

Figure 2-1 Nmap

Disaster Recovery Considerations

With the potential for natural disasters (such as hurricanes, floods, and earthquakes) and man-made disasters (such as terrorist attacks) looming over today's networks, network administrators need to have contingency plans in place. Although these plans are sometimes called business continuity plans or disaster recovery plans, disaster recovery planning tends to address actions taken during and immediately after a disaster.

Specifically, disaster recovery (which is just a subset of business continuity planning) is concerned with allowing personnel to again access the data, hardware, and software they need to do their jobs. Also keep in mind that although a disaster recovery plan often conjures up thoughts of redundant hardware and backup facilities, a comprehensive disaster recovery plan also considers the potential loss of key personnel.

The two primary goals of business continuity planning are

■ Moving critical business operations to another facility while the original facility is under repair

■ Using alternative forms of internal and external communication

The overall goal of these plans is to allow an organization to perform critical business operations after a disaster. Three phases of recovery include

■ Emergency response phase

■ Recovery phase

■ Return to normal operations phase

Because these plans cannot possibly address all conceivable scenarios, disaster recovery and business continuity plans typically target the events that are most likely to occur. To illustrate the severity of a critical data loss, consider that some companies reportedly spend approximately 25 percent of their IT budget on business continuity and disaster recovery plans. Cisco also offers the following statistics about companies that lose most of their computerized records:

■ 43 percent never reopen.

■ 51 percent close within two years.

■ 6 percent survive long-term.

Types of Disruptions

Business continuity and disaster recovery plans should address varying levels of disruptions by specifying different responses based on the severity of the disruption. To assist you in quantifying a disruption, consider the categories presented in Table 2-3.

Table 2-3 Disruption Categories




Normal business operations are briefly interrupted.


Normal business operations are interrupted for one or more days. However, not all critical resources at a site are destroyed.


All resources at a site are destroyed, and normal business operations must be moved to an alternative site.

Types of Backup Sites

Redundancy is key to recovering from a disaster. For example, if a server is destroyed, you need a replacement server to assume its role. However, on a larger scale, you should also consider redundant sites, from where critical business operations can be resumed. Consider the three types of redundant sites described in Table 2-4.

Table 2-4 Backup Sites



Hot site

A hot site is a completely redundant site, with very similar equipment to the original site. Data is routinely copied from the primary site to the hot site. As a result, a hot site can be up and functioning within a few minutes (or even seconds) after a catastrophe at the primary site.

Warm site

A warm site, like a hot site, is a facility that has very similar equipment to the original site. However, a warm site is unlikely to have current data because of a lack of frequent replication with the original site. Therefore, disaster recovery personnel typically need to physically go to the warm site and manually bring all systems online. As a result, critical business operations might not be restored for days.

Cold site

Although a cold site does offer an alternative site where business operations can be conducted, unlike a hot or warm site, a cold site typically does not contain redundant computing equipment (such as servers and routers). As a result, the data network would need to be rebuilt from scratch, which might require weeks. Therefore, although a cold site is less expensive initially, as compared to hot or warm sites, a cold site could create more long-term consequences. In fact, the financial consequences could be far greater than the initial cost savings.

0 0

Post a comment