Module 5: Security Operations: Lesson 1: Systems Operations and Maintenance

Uploaded by

Antonio Brandão

Module 5: Security Operations

Lesson 1: Systems Operations And Maintenance


Many things can affect the operational security and performance of an information system, such as changes to the system baseline, new vulnerabilities, and new system components
An operational system must be cared for to continue functioning as designed
Administrative system maintenance includes tasks such as system patching, system baselining, and user/account maintenance
System patching is applying vendor updates that correct flaws
o Research, evaluate, authorize, install, and test patches
System baselines are a point of reference for information system changes
o Proper configuration management and change control will maintain the system baseline
o Security control baselines should be reviewed as a part of continuous monitoring
User and account maintenance is the periodic review and update of user and system accounts
Account privileges, password requirements, and digital certificates should be updated per organizational policy
Vendor and service agreements are formal agreements between 2 organizations for products or services
An SLA (Service Level Agreement) is a legal agreement detailing the services to be performed or provided
o Can be based on a SOW (Statement of Work)
An MoA/MoU (Memorandum of Agreement/Understanding) outlines a mutual partnership agreement to accomplish a single goal or task
An ISA (Interconnection Security Agreement) is a legal agreement to connect 2 or more information systems together
Always consult a lawyer or your organizational leadership for direction on complying with standing laws, regulations, or policies

© Copyright 2018 Cyberactive Security, LLC. All Rights Reserved. CISSP is a registered trademark of (ISC)2, Inc.

Lesson 2: Managing System Assets


Proper asset management is very important to security operations
Asset management is the tracking of assets owned by an organization
o Helps reduce security risks by tracking all system assets
o The focus of asset management is to track and inventory assets
o Track names, models, versions, baselines, IDs, etc.
Define the depth of tracking in a CM (Configuration Management) policy
o Require inventory updates as a part of CM or change control
o Capture virtual, spare, and multiple versions of assets
o Review the inventory periodically to detect unauthorized changes
o Perform security assessments to confirm changes
o Use inventory control software to automate the review process
Media management is tracking system-related media
o Media examples are external storage, CD-ROM, DVD, thumb drives, etc.
o Media can contain malicious software or sensitive data, either of which creates risk
o Control media to prevent unauthorized access to the system
o Track and protect media using protective containers or a media library
o Clearly label media to ensure proper handling
o Maintain a change log capturing the history of changes to the media
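The baseline and inventory reviews described in Lessons 1 and 2 ("detect unauthorized changes") can be automated. The script below is an added example, not from the course notes: it compares a constructed, approved baseline of configuration-item digests with a constructed current snapshot of a host and reports modified, missing and unapproved items. File paths and contents are hypothetical.

```python
import hashlib


def digest(content: bytes) -> str:
    """SHA-256 hex digest used as the fingerprint of one configuration item."""
    return hashlib.sha256(content).hexdigest()


# Constructed approved baseline (hypothetical paths and contents), as recorded
# by change control when the items were last accepted into the baseline.
BASELINE = {
    "/etc/ssh/sshd_config": digest(b"PermitRootLogin no\nPasswordAuthentication no\n"),
    "/etc/hosts.allow": digest(b"sshd: 10.0.0.0/8\n"),
    "/opt/app/VERSION": digest(b"2.4.1\n"),
}

# Constructed current snapshot of the same host: one item was changed outside
# change control, one was deleted, and one new file appeared without approval.
CURRENT = {
    "/etc/ssh/sshd_config": digest(b"PermitRootLogin yes\nPasswordAuthentication no\n"),
    "/opt/app/VERSION": digest(b"2.4.1\n"),
    "/opt/app/debug.cfg": digest(b"debug=true\n"),
}


def compare_to_baseline(baseline: dict, current: dict) -> dict:
    """Group every deviation from the approved baseline by the kind of drift:
    'modified'   = item present in both but its digest differs
    'missing'    = item in the baseline but absent from the host
    'unapproved' = item on the host that never went through change control"""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    missing = sorted(p for p in baseline if p not in current)
    unapproved = sorted(p for p in current if p not in baseline)
    return {"modified": modified, "missing": missing, "unapproved": unapproved}


def has_drift(report: dict) -> bool:
    """True when any category of the report is non-empty."""
    return any(report.values())


if __name__ == "__main__":
    report = compare_to_baseline(BASELINE, CURRENT)
    for kind, paths in report.items():
        for path in paths:
            print(f"{kind:10s} {path}")
```

Each reported item is a candidate for a change request to the CCB (Lesson 3) or for incident handling if no request exists.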


Lesson 3: Configuration and Change Management


Changes to information systems occur frequently and need a process for review, verification, and approval
CM (Configuration Management) is the process focused on establishing and maintaining the integrity of the system
Ensures stakeholders review, verify, approve, and document system changes
CM is executed against configuration items
CCB (Configuration Control Board) is a group of personnel/SMEs that execute CM
o A change request is the formal submission of a proposed change to the CCB
o Change approval is provided by the CCB
o Change documents contain the approved change
o Change testing ensures the change will not impact system operations
o Change implementation is the deployment of the change into operations
o Change verification is the formal testing to ensure the implementation is working as designed
o Change acceptance is the formal change to the system baseline via the CCB
SecCM (Security-Focused CM):
o Ensures changes do not negatively impact the security posture
o Planning defines the scope of what is included in SecCM and what is not
o Identifying and implementing configurations defines a secure baseline configuration for all controlled items
o Change control aligns with CM verification
o Monitoring is performing formal security assessments and continuous monitoring


Lesson 4: System Auditing and Monitoring


System auditing is used to troubleshoot and to discover security-related events
Audit logs are records of system-related events
System monitoring is the review and analysis of audit logs
An event is a specific system action that is recorded
A log is a system-generated record of a system-related event
Events are captured as required per organizational or regulatory policy
o Logons, access, user sessions, object access, and applications can all trigger events
o Actions, accounts, date/time, hostname/IP address, and result are typically recorded
Audit Log Collection:
o Decentralized auditing is collecting and storing logs locally on each individual system host
o Centralized log collection is transferring local logs to a centralized log server
Syslog provides a common high-level format and transfer method for system logs
Syslog messages are tagged with a facility code (for example, 4 and 10 are the security/authorization facilities) and a severity level (0-7); filtering by severity controls how many logs are kept
System monitoring is analyzing a variety of audit logs, messages, and other mechanisms
An audit trail is a sequence of events from different sources that shows all activities for a specific event
Audit log retention is the storing and protecting of audit logs for a specific amount of time
SIEMs (Security Information and Event Management systems) provide real-time analysis of security events
Tracking data ingress includes auditing USB devices, newly created or transferred data, or when an access list is violated
DLP (Data Loss Prevention) analyzes patterns in the data to identify potential data mishandling
Create or establish policies, processes, and procedures for audit log management
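Added example, not part of the original notes: a small parser that recovers the facility and severity from the syslog PRI field (PRI = facility * 8 + severity) and keeps only the security/authorization messages (facility 4 and 10) at or above a severity threshold, the kind of filtering a centralized log server applies before forwarding to a SIEM. The log lines are constructed.

```python
import re

# RFC 5424 facility numbers (subset); 4 (auth) and 10 (authpriv) carry
# security/authorization messages. Severity 0 is most severe, 7 least.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$")


def decode_pri(pri: int):
    """The PRI field encodes facility * 8 + severity, so divmod recovers both."""
    if not 0 <= pri <= 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


def parse_line(line: str) -> dict:
    """Split one syslog line into facility, severity and the remaining text."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError(f"no PRI field: {line!r}")
    facility, severity = decode_pri(int(m.group(1)))
    return {"facility": facility,
            "facility_name": FACILITIES.get(facility, f"facility{facility}"),
            "severity": severity, "severity_name": SEVERITIES[severity],
            "msg": m.group(2)}


def select_security_events(lines, max_severity: int = 5):
    """Keep auth/authpriv messages (facility 4 or 10) whose severity number is at
    or below max_severity; the default 5 keeps emerg..notice and drops info/debug."""
    return [rec for rec in map(parse_line, lines)
            if rec["facility"] in (4, 10) and rec["severity"] <= max_severity]


# Constructed sample lines, as a central log server might receive them.
SAMPLE = [
    "<86>Jan 10 12:00:01 web01 sshd[2211]: Accepted publickey for deploy from 10.0.0.5",  # authpriv.info
    "<84>Jan 10 12:00:09 web01 sshd[2215]: Failed password for root from 203.0.113.9",   # authpriv.warning
    "<13>Jan 10 12:00:10 web01 app[400]: request served",                                # user.notice
    "<34>Jan 10 12:01:00 db01 su[900]: FAILED SU (to root) admin on pts/0",               # auth.crit
    "<0>Jan 10 12:02:00 db01 kernel: panic - not syncing",                                # kern.emerg
]

if __name__ == "__main__":
    for rec in select_security_events(SAMPLE):
        print(f"{rec['facility_name']}.{rec['severity_name']:8s} {rec['msg']}")
```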


Lesson 5: Intrusion Detection and Prevention Mechanisms


Intrusion detection: detecting a violation of security policy, usually using an IDS (Intrusion Detection System)
o An IDS can use knowledge-based or behavior-based methods to detect potential violations or attacks
o NIDS (Network-based IDS) analyzes network communications for potential attacks
o HIDS (Host-based IDS) analyzes host communications for potential attacks
o When setting up an IDS, use a monitoring or promiscuous port and route all traffic to the IDS
o Ensure the IDS can send alerts to a monitoring station so alarms can be investigated
Knowledge-based IDS detects attacks using a signature or pattern database
o Also called signature-based or pattern-matching IDS
Stateful matching compares the current "state" of the system to a previous state (snapshot)
Behavior-based IDS learns and profiles the typical system behavior and can detect emerging attacks better than knowledge-based IDS
o Statistical anomaly-based IDS uses complex statistical algorithms
o Protocol anomaly-based IDS examines how the system uses communications protocols
Passive response IDS sends a notification and takes no further action
Active response IDS takes a prescribed action to modify the system configuration to stop an attack
Active response IDS is also known as an IPS (Intrusion Prevention System)
Known IDS/IPS Impacts:
o False positives are detected violations or attacks that are not truly occurring
o False negatives are failures to detect a potential security violation or attack
o IDS/IPS signatures should be updated at least weekly or in accordance with organizational policy
Changing default TCP/IP ports, IP fragmentation, and IP spoofing are ways attackers can evade IDS sensors

Honeypots are computers intentionally configured with vulnerabilities to attract attackers
Honeynets are 2 or more honeypots that are networked together
A padded cell is an isolated and simulated system/network that prevents an attacker from harming the real system
A darknet uses the unused IP addresses within a subnet to create a simulated network into which attackers are routed and monitored

Lesson 6: Remote Access Security


Remote access is network-based access to an organization's systems and/or data
o Supports administration, maintenance, and vendor/contractor access
o 5 main remote access methods:
1. Remote Console
2. Application Portal
3. Remote Desktop
4. Direct Application
5. Tunneling
o Remote console - command line or code-level access to a remote host or application
o Application portals - allow access to multiple applications through a centralized interface
o Remote desktops - provide the ability to remotely control a desktop computer
o Direct application - limits remote access to a specific application on a single server
o Tunneling - encapsulates network packets into another protocol format for communications
PPP (Point-to-Point Protocol) is used to create a direct layer 2 connection between 2 endpoints over a WAN
PAP (Password Authentication Protocol) sends a username/password from the client to the server in cleartext
CHAP (Challenge Handshake Authentication Protocol) provides mutual authentication between the client and server using a one-way hash authenticator

VPN creates a secure/trusted connection over an untrusted network
o Requires a VPN gateway (concentrator) to create the VPN tunnel
o Uses IPSEC to create an encrypted tunnel
 Authentication Header (AH) protects data integrity and ensures source authentication
 Encapsulating Security Payload (ESP) provides data confidentiality and integrity
 Transport mode encrypts the payload and requires source authentication
 Tunnel mode encrypts all contents within the tunnel
Split tunneling allows a remote user connected through a VPN to simultaneously connect directly to another network
Screen sharing is the remote viewing of a user's desktop
A screen scraper reads and captures text and images on a user's screen
Endpoint control is controlling the remote access connection and its "hop" points
Limit the number of remote users/administrators and require local access where possible
Include remote access in security architecture design
Use multi-factor/strong authentication methods for remote access
Thoroughly audit remote access connectivity to detect possible security violations

Lesson 7: Continuous Monitoring And Improvement


ISCM (Information System Continuous Monitoring)
o Analyzes the current security baseline for modern threats and vulnerabilities
o Ensures that the security posture and security controls are periodically reviewed for effectiveness
Define the ISCM strategy based on risk tolerance that maintains clear visibility into assets, awareness of vulnerabilities,
up-to-date threat information, and mission/business impacts


Establish an ISCM program that determines metrics, status monitoring frequencies, control assessment frequencies,
and an ISCM technical architecture
Implement the ISCM program to collect the security-related information required for metrics, assessments, and
reporting
Analyze data collected and report findings to determine the appropriate response
Respond to findings with technical, management, and operational mitigating activities or acceptance,
transference/sharing, or avoidance/rejection
Review and update ISCM strategy to increase visibility into assets and awareness of vulnerabilities and increase
organizational resilience
