CISSP CBK 7 – Operations Security

Controls and Protections

To protect hardware, software and media resources from:
– Threats in an operating environment
– Internal or external intruders
– Operators who are inappropriately accessing resources

Categories of Controls:
– Preventative Controls: Are designed to lower the number and impact of unintentional errors entering the system and to prevent unauthorized intruders, internal or external, from accessing the system.
– Detective Controls: Are used to detect an error once it has occurred.
– Corrective Controls / Recovery Controls: Are implemented to mitigate the impact of a loss event through data recovery procedures.
– Deterrent Controls / Directive Controls: Are used to encourage compliance with external controls.
– Application Controls: Are the controls that are designed into a software application to minimize and detect the software’s operational irregularities.
– Transaction Controls: Are used to provide control over the various stages of a transaction. Types of controls are: Input, processing, output, change and test controls.

Orange Book Controls

Operational assurance:
– System architecture
– System integrity
– Covert channel analysis
– Trusted facility management
– Trusted recovery

Life cycle assurance:
– Security testing
– Design specification and verification
– Configuration management
– Trusted distribution

Covert channel analysis:
– B2: The system must protect against covert storage channels. It must perform covert channel analysis for all covert storage channels.
– B3 and A1: The system must protect against both covert storage and covert timing channels. It must perform a covert channel analysis for both types.

Trusted Facility Management

B2: Systems must support separate operator and system administrator roles.
B3 and A1: The functions performed in the role of security administrator must be clearly identified, and administrative personnel may perform those security-related functions only after taking a distinct, auditable action to assume the security administrator role.

Separation of duties and job rotation

 – Least privilege: Means that a system's users should have the lowest level of rights and privileges necessary to perform their work, and should hold them only for the shortest time necessary.

 – Two-man control: Two operators review and approve each other's work, to provide accountability and to minimize fraud in highly sensitive or high-risk transactions.

 – Dual control: Both operators are needed to complete a sensitive task; neither can finish it alone.

 – Job rotation: The process of limiting the amount of time an operator is assigned to perform a security-related task before being moved to a different task with a different security classification, so that no one person can conceal abuse of a single function indefinitely.
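
Dual control is often implemented cryptographically: a key is split so that no single custodian holds it, and the sensitive operation cannot proceed until enough custodians present their shares. The following Python block is an added example, not part of the original notes, implementing Shamir secret sharing over a prime field; the custodian names, the 2-of-3 policy and the 128-bit key are constructed for illustration.

```python
import secrets

# Prime modulus for the finite field; every share value lives in [0, P).
# 2**255 - 19 is prime, so any 128-bit key (or smaller) fits as a secret.
P = 2**255 - 19


def split_secret(secret: int, threshold: int, shares: int) -> list[tuple[int, int]]:
    """Split `secret` into `shares` points on a random polynomial of degree
    threshold-1 whose constant term is the secret. Any `threshold` distinct
    shares reconstruct it; fewer reveal nothing about it."""
    if not 0 <= secret < P:
        raise ValueError("secret must be a non-negative integer below P")
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    # coeffs[0] is the secret; the remaining coefficients are uniformly random.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]

    def evaluate(x: int) -> int:
        acc = 0
        for c in reversed(coeffs):  # Horner's rule, all arithmetic mod P
            acc = (acc * x + c) % P
        return acc

    # x = 0 would leak the secret directly, so share indices start at 1.
    return [(x, evaluate(x)) for x in range(1, shares + 1)]


def recover_secret(presented: list[tuple[int, int]], threshold: int) -> int:
    """Dual-control release: refuse unless at least `threshold` distinct
    custodians present their shares, then interpolate the polynomial at x=0."""
    xs = [x for x, _ in presented]
    if len(set(xs)) != len(xs):
        raise ValueError("the same share was presented twice")
    if len(presented) < threshold:
        raise PermissionError(f"{threshold} custodians required, {len(presented)} present")
    total = 0
    for i, (xi, yi) in enumerate(presented):
        num, den = 1, 1
        for j, (xj, _) in enumerate(presented):
            if i == j:
                continue
            num = num * (-xj) % P
            den = den * (xi - xj) % P
        # Lagrange basis polynomial L_i(0) = num / den; division via Fermat inverse.
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def demo() -> bool:
    """Split a constructed 128-bit key among three custodians (2-of-3)."""
    key = int.from_bytes(secrets.token_bytes(16), "big")
    alice, bob, carol = split_secret(key, threshold=2, shares=3)
    assert recover_secret([alice, bob], 2) == key
    assert recover_secret([bob, carol], 2) == key
    try:
        recover_secret([alice], 2)  # one custodian alone is refused
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("dual control enforced:", demo())
```

Two-man control is a different arrangement: there each operator holds enough to act, but each one's work is reviewed by the other, so the control is detective as well as preventive. The share split above makes a single operator's action impossible rather than merely reviewed.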

Trusted Recovery: Ensures that security is not breached when a system crash or other system failure occurs. Is only required for B3 and A1 level systems.

 – Failure preparation: Backing up all critical files on a regular basis.

 –  System recovery

In the Common Criteria, trusted recovery (family FPT_RCV) defines three hierarchical recovery types –
– Manual recovery (FPT_RCV.1)
– Automated recovery (FPT_RCV.2)
– Automated recovery without undue loss (FPT_RCV.3)
A fourth component, function recovery (FPT_RCV.4), is not part of the hierarchy; it requires that particular security functions either complete successfully or return to a consistent and secure state.

Configuration / Change Management Control

Procedures to implement and support change control process:
– Submitting a request to introduce a change
– Cataloging the intended change
– Scheduling the change
– Implementing the change
– Reporting the change to the appropriate parties

Clipping Levels: Thresholds for certain types of errors or mistakes that are tolerated, and the number of such mistakes that may occur before the activity is considered suspicious. Violations below the clipping level are treated as ordinary errors; once the clipping level has been exceeded, further violations are recorded for review.
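
As an added example (not from the original notes), the Python below applies a clipping level to a constructed authentication log: failures per user are tolerated up to the threshold, and only the violations beyond it, within a sliding window, are recorded for review. The log format, users, addresses and the 10-minute window are assumptions made for the illustration; the notes above define the threshold only, not a window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not taken from any real system).
SAMPLE_LOG = """\
2024-03-01T08:00:01 auth FAIL user=alice src=10.0.0.5
2024-03-01T08:00:04 auth FAIL user=alice src=10.0.0.5
2024-03-01T08:00:09 auth OK   user=alice src=10.0.0.5
2024-03-01T08:01:00 auth FAIL user=bob   src=10.0.0.9
2024-03-01T08:01:02 auth FAIL user=bob   src=10.0.0.9
2024-03-01T08:01:03 auth FAIL user=bob   src=10.0.0.9
2024-03-01T08:01:05 auth FAIL user=bob   src=10.0.0.9
2024-03-01T08:01:07 auth FAIL user=bob   src=10.0.0.9
2024-03-01T08:30:00 auth FAIL user=carol src=10.0.0.7
2024-03-01T09:45:00 auth FAIL user=carol src=10.0.0.7
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_log(text):
    """Return (events, rejected). Unparseable lines are kept separately so
    they can be reviewed rather than silently dropped."""
    events, rejected = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            rejected.append(line)
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events, rejected


def apply_clipping_level(text, clip=3, window=timedelta(minutes=10)):
    """Return the violations recorded for review: every failed login that
    pushes a user's failure count past `clip` within the sliding `window`.
    Failures at or below the clipping level are tolerated as ordinary mistakes."""
    events, _ = parse_log(text)
    recent = defaultdict(list)  # user -> timestamps of failures inside the window
    flagged = []
    for ts, result, user, src in sorted(events):
        if result != "FAIL":
            continue
        # Drop failures that have aged out of the window, then count this one.
        recent[user] = [t for t in recent[user] if ts - t <= window]
        recent[user].append(ts)
        if len(recent[user]) > clip:
            flagged.append({"time": ts.isoformat(), "user": user, "src": src,
                            "failures_in_window": len(recent[user])})
    return flagged


if __name__ == "__main__":
    for violation in apply_clipping_level(SAMPLE_LOG):
        print(violation)
```

With the defaults, alice's two mistyped passwords and carol's two failures 75 minutes apart stay under the level, while bob's fourth and fifth failures inside seven seconds are the entries that reach the reviewer. Successful logins do not reset the counter; whether they should is a policy choice, not a property of the clipping level itself.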

Administrative Controls: Controls that are installed and maintained by administrative management to help reduce the threat or impact of violations on computer security.

 – Personnel Security
– Employment Screening or Background Checks
– Mandatory Taking of Vacation in One-Week Increments
– Job Action Warnings or Termination

 – Separation of Duties and Responsibilities

 – Least Privilege
– Need to Know
– Change/Configuration Management Controls
– Record Retention and Documentation

Record Retention:

Data Remanence – Refers to the data that remains on the media after it has been erased. Deleting files or reformatting alone does not remove it; overwriting, degaussing or physical destruction is needed before media is reused or disposed of.

Operations Controls: Day-to-day procedures used to protect computer operations.

Resource Protection: Is the concept of protecting an organization’s computing resources and assets from loss or compromise. Covers hardware, software and data resources.

Hardware Controls:
– Hardware Maintenance
– Maintenance Accounts
– Diagnostics Port Control
– Hardware Physical Control

Software Controls:
– Anti-virus Management
– Software Testing
– Software Utilities
– Safe Software Storage
– Backup Controls

Privileged Entity Controls / Privileged operations functions:
– Special access to system commands
– Access to special parameters
– Access to the system control program

Media Resource Protection: Controls implemented to counter the security threat of intentional or unintentional exposure of sensitive data.

 – Media Security Controls: Should be designed to prevent the loss of sensitive information and include:
– Logging
– Access control
– Proper disposal

 – Media Viability Controls: Should be used to protect the viability of the data storage media. They are required in the event of a system recovery process and include:
– Marking
– Handling
– Storage

Physical Access Controls:

 – Hardware
– Software

Special arrangements for supervision must be made when external support providers are entering a data center.

Piggybacking: Is when an unauthorized person goes through a door behind an authorized person. A mantrap (two interlocked doors that admit one person at a time) is designed to prevent it.

Monitoring and Auditing

Monitoring: Contains the mechanisms, tools and techniques which permit the identification of security events that could impact the operations of a computer facility.

Monitoring techniques –
– Intrusion detection
– Penetration testing
– Scanning and probing
– Demon Dialling
– Sniffing
– Dumpster Diving
– Social Engineering
– Violation processing using clipping levels

Auditing: Is the foundation of operational security controls monitoring.

Audit Trails: Enables a security practitioner to trace a transaction’s history.

Problem Management Concepts:
– Reduce failures to a manageable level
– Prevent the occurrence or re-occurrence of a problem
– Mitigate the negative impact of problems on computing services and resources.

Threats and Vulnerabilities


Accidental loss: Is a loss that is incurred unintentionally, through either the lack of operator training or proficiency or the malfunctioning of an application processing procedure.

 – Operator input error and omissions

 – Transaction processing errors

Inappropriate Activities: Is computer behaviour that, while not rising to the level of criminal activity, may be grounds for job action or dismissal.

 – Inappropriate Content

 – Waste of Corporate Resources

 – Sexual or Racial Harassment

 – Abuse of Privileges or Rights

Illegal Computer Operations and Intentional Attacks: Computer activities that are intentional and illegal, carried out for personal financial gain or for destruction.

 – Eavesdropping

 – Fraud

 – Theft

 – Sabotage

 – External Attack


 – Traffic / Trend Analysis

 – Maintenance Accounts

 – Data Scavenging Attacks

 – IPL (Initial Program Load) Vulnerabilities

 – Network Address Hijacking

E-mail and Internet Security Issues


 – SMTP – Is the protocol used by message transfer agents to relay outgoing mail between servers.

 – POP – Is an Internet mail retrieval protocol: clients download incoming messages from the POP server, and once downloaded the messages are usually deleted from that server. Outgoing mail is still sent with SMTP.

 – IMAP – Is an Internet protocol that enables users to access mail on a mail server. Messages can be downloaded or left on the server in a remote message folder, referred to as a mailbox.

Hack and Attack Methods:

 – Port Scanning and Network Mapping: Network mapping tools send out seemingly benign packets to many different systems on a network to discover which hosts are alive. Port scanning identifies the open ports on a computer.

 – Superzapping: Is the use of a utility program (named for the IBM mainframe "superzap" utility) that can bypass the access controls within the operating system.

 – Browsing: Is a general term for the ways an intruder obtains information they are not authorized to access. It can be accomplished by looking through another person's files kept on a server or workstation, rummaging through garbage looking for information that was carelessly thrown away, or reviewing information that has been saved on diskettes.

 – Sniffers: Tools that monitor traffic as it passes by. The tool is either a piece of hardware or software that runs on a computer with its network interface card (NIC) in promiscuous mode, so that it captures frames not addressed to it.

 – Session Hijacking: An attacker inserts herself into the middle of an established session without being detected and takes over the authenticated connection.

 – Password Cracking: Capture and reveal passwords –

   – Dictionary attack: Is when a large list of words is fed into a cracking tool. The tool runs the same one-way hash on each word in the list and compares the result to the captured password hash. If they match, the tool has discovered the password; if not, it moves to the next word in the list.

   – Brute force attack: A tool tries many different combinations of characters, computes the hash value of each variation and compares it to the hash value of the captured password.
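
An added example, not from the original notes, showing both attacks in Python against an unsalted SHA-256 verifier, followed by the salted, iterated verifier that limits them. The word list, the captured hashes and the salt are constructed; the iteration count is kept low so the example runs quickly.

```python
import hashlib
import itertools
import string


def sha256_hex(text: str) -> str:
    """Unsalted one-way hash: the weak verifier both attacks target."""
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed word list; a real one has millions of entries.
WORDLIST = ["password", "letmein", "qwerty", "summer2024", "dragon"]


def dictionary_attack(target_hash, wordlist, hash_fn=sha256_hex):
    """Hash each word with the same function the system used and compare."""
    for word in wordlist:
        if hash_fn(word) == target_hash:
            return word
    return None


def brute_force(target_hash, alphabet=string.ascii_lowercase + string.digits,
                max_len=3, hash_fn=sha256_hex):
    """Enumerate every string over `alphabet` up to `max_len`. Cost grows as
    the sum of len(alphabet)**n, which is why length and character classes
    matter more than any single 'special' character."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            candidate = "".join(combo)
            if hash_fn(candidate) == target_hash:
                return candidate
    return None


def search_space(alphabet_size: int, max_len: int) -> int:
    """Number of candidates a brute-force run must hash in the worst case."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


# Defence: a per-user salt plus a deliberately slow key-derivation function.
# The salt defeats precomputed tables and shared work across users; each guess
# now costs `iterations` hash operations. 1000 keeps this example fast;
# production iteration counts are far higher.
def salted_verifier(password: str, salt: bytes, iterations: int = 1000) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def dictionary_attack_salted(target_hex, salt, wordlist, iterations=1000):
    """The same attack against a salted verifier. It still works when the
    salt is known (it is stored beside the hash), but every guess is
    `iterations` times more expensive and cannot be reused for other users."""
    return dictionary_attack(target_hex, wordlist,
                             lambda w: salted_verifier(w, salt, iterations))


if __name__ == "__main__":
    captured = sha256_hex("letmein")  # constructed 'captured' hash
    print("dictionary:", dictionary_attack(captured, WORDLIST))
    print("brute force:", brute_force(sha256_hex("k9q")))
    print("3-char lowercase+digit space:", search_space(36, 3))
```

The comparison the page describes is the whole attack: whoever holds the hash can test guesses offline at hardware speed, so the defender's levers are the salt, the cost per guess, and the size of the space the attacker must cover.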

 – Backdoors: Is a program that is installed by an attacker to enable her to come back into the computer at a later date without having to supply login credentials or go through any type of authorization process.