DOMAIN 7 – Operations Security

Operations security is concerned with triples: threat, vulnerability, asset.


Categories of Controls:


  • Preventative Controls
  • Detective Controls
  • Corrective (Recovery) Controls


Additional categories include:


  • Deterrent Controls
  • Application Controls
  • Transaction Controls
      – Input Controls
      – Processing Controls
      – Output Controls
      – Change Controls
      – Test Controls


Orange Book Controls:


The Orange Book defined two types of assurance: operational assurance and life cycle assurance.


Operational assurance requirements specified in the Orange Book are:


  • System architecture
  • System integrity
  • Covert channel analysis
  • Trusted facility management
  • Trusted recovery


Life cycle assurance requirements specified in the Orange Book are:


  • Security testing
  • Design specification and testing
  • Configuration management
  • Trusted distribution



Covert Channel Analysis:


Involves covert storage channels and covert timing channels.


Covert Channel Requirements:


B2 – Must perform covert channel analysis and protect against covert storage channels.


B3/A1 – Must protect against covert storage and covert timing channels. Must perform covert channel analysis for both types.



Trusted Facility Management:


Trusted facility management is defined as the assignment of a specific individual to administer security related functions of a system. Trusted facility management is closely related to concepts of least privilege, need to know and separation of duties.


B2: Systems must support separate operator and administrator roles.

B3/A1: The system must clearly identify the security administrator's functions so that only that role performs the security-related functions.


Two-man control: Two operators each review and approve the work of the other.


Dual Control: Both operators are needed to complete a sensitive task.



Trusted Recovery:


Trusted recovery ensures that security is not breached when a system crash or other system failure (discontinuity) occurs.


Trusted recovery is required only at B3 and A1 levels.


System Recovery: The Common Criteria define a hierarchy of three recovery types:


  1. Manual recovery: Sysadmin intervention required.
  2. Automated recovery: Recovery after a single failure is automatic.
  3. Automated recovery without undue loss.



Configuration / Change control management:


The primary goal of configuration management is to ensure that changes to the system do not unintentionally diminish security.


Configuration management is a requirement for B2, B3 and A1 systems.


Five generally accepted procedures exist to implement and support the change control process:


  1. Applying to introduce a change.
  2. Cataloging the intended change.
  3. Scheduling the change.
  4. Implementing the change.
  5. Reporting the change to the appropriate parties.


B2 or B3: Configuration management procedures must be enforced during development and maintenance of a system.


A1: Configuration management procedures must be enforced during the entire system life cycle.



Administrative Controls:


These controls have more to do with human resources, personnel and policy than they do with hardware or software controls.


  • Personnel security: Background checks, mandatory vacations, etc.
  • Separation of duties.
  • Least privilege.
  • Need to know.
  • Change control / configuration management.
  • Record retention and documentation.



Operations Controls:


Operations controls embody the day-to-day procedures used to protect computer operations. The following are the most important aspects of operations controls:


Resource protection: Hardware / software / data.


Hardware controls: Maintenance accounts, maintenance personnel, diagnostic ports, hardware physical control.


Software controls: Anti-virus management, software testing, software utilities, safe software storage and backup controls.


Privileged Entity Controls: System commands, special parameters.


Media Resource Protection: Two areas: media security controls and media viability controls.


Physical access controls



Monitoring and Auditing:


Problem identification and problem resolution are the primary goals of monitoring.






Disaster recovery planning has the goal of minimizing the effects of a disaster.


Contingency planning deals with providing methods and procedures for dealing with longer-term outages and disasters.


The most critical piece overall is management support.


The Business Impact Analysis (BIA) is a crucial first step in disaster recovery and contingency planning. The goal is to see exactly how a business will be affected by different threats.


Time-loss curves show the total impact over specific time periods.


The main goals of disaster recovery planning are to:


  • Improve responsiveness by the employees in different situations.
  • Ease confusion by providing written procedures and participation in drills.
  • Help make logical decisions during a crisis.


Disaster Recovery Planning:


A disaster recovery plan is a comprehensive statement of consistent actions to be taken before, during, and after a disruptive event that causes a significant loss of information system resources.


Phases of Development:


The phases of development for a DRP/BCP program should be:


  • Initiation
  • Business impact analysis
  • Strategy development
  • Plan development
  • Implementation
  • Testing
  • Maintenance



The 4 primary elements of BCP are:


  • Scope plan initiation
  • Business impact analysis – includes vulnerability assessment
  • Business continuity plan development
  • Plan approval and implementation


Scope and Plan initiation:


Steps involved in the scope and plan initiation include creating an account of the work required, listing the resources to be used and defining the management practices to be employed.


A BCP committee should be formed and given the responsibility to create, implement and test the plan.


Business Impact Analysis:


The purpose of a BIA is to create a document to be used to help understand what impact a disruptive event would have on the business.


The business impact analysis has 3 primary goals:


Criticality Prioritization: Critical business units must be identified and prioritized.


Downtime Escalation: Estimate the maximum tolerable downtime (MTD)


Resource Requirements: Identify resource requirements for the critical processes.


A business impact analysis generally takes 4 steps:


  1. Gathering the needed assessment materials
  2. The vulnerability assessment
  3. Analyzing the information compiled
  4. Documenting the results and presenting recommendations to management.



Contingency Planning


There is a general 6-step approach to contingency planning:


  1. Identify critical business functions
  2. Identify the resources and systems that support these critical functions.
  3. Estimate potential disasters
  4. Select planning strategies – how to recover the critical resources and evaluate alternatives. A disaster recovery and contingency plan usually consists of emergency response, recovery and resumption activities.
  5. Implementing strategies.
  6. Testing and revisiting the plan.



Plan Approval and Implementation:


Plan approval and implementation consists of:


  1. Approval by senior management. (APPROVAL)
  2. Creating an awareness of the plan enterprise-wide. (AWARENESS)
  3. Maintenance of the plan, including updating when needed. (MAINTENANCE)




End User Environment:


The first issue pertaining to users is how they will be notified of the disaster, and who will tell them where to go and when. A tree structure/call list is necessary for this.



Backup Alternatives:


The hardware backup procedures should address on-site and off-site strategies. There are 3 main categories of disruption:


Non-Disaster: Disruption in service from device malfunction or user error.


Disaster: Entire facility unusable for a day or longer.


Catastrophe: Major disruption that destroys the facility altogether. Requires a short-term and a long-term solution.


Off-site backup facility options are:


Hot-Site: Fully configured and ready to be operating within a few hours. Expensive but the company has exclusive use.


Warm-Site: Partially configured with some equipment, but not the actual computers.


Cold-Site: Basic environment such as wiring, AC, plumbing is in place, but no equipment. This is the least expensive option but has much longer recovery time.



Different Backup Types:


Incremental: All files changed since the last backup. Removes archive attribute.


Differential: All files changed since the last full backup. Does not remove archive attribute.


Full: All files. Removes archive attribute.
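The archive-attribute rules above decide which backup sets a restore needs. The following simulation is an added example, not part of the original notes: it runs a Monday full backup followed by three days of changes under the incremental and differential strategies and compares restores; file names and the change sequence are constructed sample data.

```python
# Added example: archive-attribute semantics of full / incremental / differential
# backups. Each file is stored as (content, archive_flag); a write sets the flag.
# File names and the Tue-Thu change sequence are constructed sample data.

def full_backup(files):
    """Copy every file and clear the archive attribute on all of them."""
    snapshot = {name: content for name, (content, _) in files.items()}
    for name in files:
        files[name] = (files[name][0], False)
    return snapshot

def incremental_backup(files):
    """Copy files flagged since the last backup of any kind; clear the flag."""
    snapshot = {n: c for n, (c, changed) in files.items() if changed}
    for name in snapshot:
        files[name] = (files[name][0], False)
    return snapshot

def differential_backup(files):
    """Copy files flagged since the last full backup; leave the flag set."""
    return {n: c for n, (c, changed) in files.items() if changed}

def modify(files, name, content):
    """Write a file; any write sets the archive attribute."""
    files[name] = (content, True)

def restore(full, later_sets):
    """Replay the full backup, then the later sets in order; later copies win."""
    state = dict(full)
    for s in later_sets:
        state.update(s)
    return state

def run_week(strategy):
    """Monday full backup, then Tue-Thu changes backed up with `strategy`.
    Returns (backup sets, live state, restore from all sets,
             restore from the full backup plus only the latest set)."""
    files = {"a.txt": ("a0", True), "b.txt": ("b0", True), "c.txt": ("c0", True)}
    sets = [full_backup(files)]           # Monday
    modify(files, "a.txt", "a1")          # Tuesday
    sets.append(strategy(files))
    modify(files, "b.txt", "b1")          # Wednesday
    sets.append(strategy(files))
    modify(files, "a.txt", "a2")          # Thursday
    sets.append(strategy(files))
    live = {n: c for n, (c, _) in files.items()}
    restored_all = restore(sets[0], sets[1:])
    restored_last = restore(sets[0], [sets[-1]])
    return sets, live, restored_all, restored_last

if __name__ == "__main__":
    for name, strategy in (("incremental", incremental_backup),
                           ("differential", differential_backup)):
        sets, live, r_all, r_last = run_week(strategy)
        print(name, "sets:", sets[1:])
        print("  full + latest set only restores correctly:", r_last == live)
```

Incremental sets stay small but every set since the full backup is needed; differential sets grow each day but the full backup plus the latest set is always enough.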


Other backup strategies include:


Electronic Vaulting: Makes an immediate copy of a changed file or transaction and sends it to a remote location where the original backup is stored. Moving backup tapes off-site is also a form of electronic vaulting.


Remote Journaling: Transmitting only the journal or transaction logs to the off-site facility and not the actual files.


Database Shadowing: Database shadowing is similar to remote journaling, but the transactions are shadowed to multiple databases.


Disk Shadowing: Mirrored disks for redundancy.


Disk Duplexing: More than one disk controller is used. If one fails, another takes over.



A company is not considered out of an emergency until it is back at the original site operating under normal circumstances. The least critical systems should be moved back first.


Disaster Recovery Testing:


Reasons for testing include:


  • Inform management of the recovery capabilities of the enterprise.
  • Verify accuracy of the recovery procedures and identify deficiencies.
  • Prepare and train the personnel to execute emergency duties.
  • Verify processing capability of the remote backup site.


Disaster recovery tests should be performed at least once a year!


The recovery team is used to get critical business functions running at the alternate site.


The salvage team is used to return the primary site to normal processing conditions.



Tests and Drills:


There are a few different types of tests and drills that can take place, each with its own pros and cons:


Checklist Test: Copies of the DR plan and continuity plan are distributed to each functional area for review.


Structured Walk-Through Test: Group comes together to walk through scenarios in detail.


Simulation Test: DR team or groups of employees come together to simulate a specific scenario.


Parallel Test: Done to ensure that critical systems can perform adequately at the off-site facility. The systems are moved to the alternate site and processing takes place.


Full Interruption Test: Original site is actually shut down and processing takes place at the alternate site.



“Emergency response procedures are the prepared actions that are developed to help people in a crisis situation better cope with the disruption. They are the first line of defense when dealing with a crisis situation”







Physical security mechanisms include site design and layout, environmental components, emergency response readiness, training, access control, intrusion detection, power and fire protection.


“The value of items to be protected can be determined by a critical path analysis”. The critical path analysis lists all pieces of an environment and how they interact. The CPA should include power, data, water and sewer lines, A/C, generators and storm drains.


“The physical security domain addresses the threats, vulnerabilities and countermeasures that can be utilized to physically protect an enterprise’s resources and sensitive information”. These include personnel, facilities, data, equipment, support systems and media.


There are seven major causes of physical loss:


  1. Temperature: Sunlight, fire, freezing, heat.
  2. Gases: War gases, vapors, humidity, dry air, smoke, smog.
  3. Liquids: Water and chemicals
  4. Organisms: People, animals, viruses, bacteria
  5. Projectiles: Meteors, cars and trucks, bullets, tornados
  6. Movement: Collapse, shearing, shaking, earthquakes
  7. Energy Anomalies: Surges or power failures, static, radiation, magnets.



Some common physical controls are:




  • Facility selection or construction
  • Facility management
  • Personnel controls
  • Training
  • Emergency response and procedures




  • Access controls
  • Intrusion detection
  • Alarms
  • CCTV
  • HVAC
  • Power supply.
  • Fire detection




  • Fencing
  • Locks
  • Lighting
  • Facility construction


“Load”: How much weight can be held by a building’s walls, floors & ceiling.


Raised floors need to be electrically grounded.


A/C should have positive air pressure: Pushes smoke out.


Water should have positive flow: flows out of the building, not in.


MTBF: Mean time between failure.

MTTR: Mean time to repair.



Power Supply:


There are 3 main methods of protecting against power problems: UPS, power line conditioners and backup sources.




Ground: Pathway to earth to enable excess voltage to dissipate.


Noise: Electromagnetic or frequency interference that disrupts power flow and can cause fluctuations.


Transient Noise: Short duration of power line disruption.


Clean Power does not fluctuate.


EMI is created by the difference between three wires: hot, neutral and ground.


RFI is created by components of an electrical system such as electrical cables and fluorescent lighting.


Power Excess:


Spike: Momentary high voltage.

Surge: Prolonged high voltage.


Power Loss:


Fault: Momentary power out.

Blackout: Prolonged loss of power.


Power Degradation:


Sag: Momentary low voltage.

Brownout: Prolonged supply below normal voltage.


EMI is the difference between the charges in the hot, neutral and ground wires:


Common Noise: Noise from radiation generated by the difference in hot and ground.


Transverse-mode Noise: Noise from radiation generated by the difference between hot and neutral wires.


RFI is generated by components of electrical systems.



Environmental Issues:


  • Water, steam and gas must have proper shutoff valves.


High humidity causes corrosion.

Low humidity causes static.


The ideal level of humidity is between 45% and 60%. A hygrometer measures humidity.


Ideal temperature for computing devices is 70 to 74F.


Fire Prevention, Detection and Suppression:


Fire detectors can be activated by:


Smoke: Photoelectric device detects a change in electric current when there is a variation in the light intensity.


Heat: Rate-of-rise temperature sensors are more sensitive, but have more false positives. Fixed temperature sensors are less sensitive, but have fewer false positives.


Flame: Senses pulsation of flames or infrared energy associated with flames and combustion.


Combustion Particles:


Detectors should be on and above suspended ceilings – smoke usually gathers there first.


Detectors should be installed below raised floors because there are many types of wire that could start an electrical fire.


Detectors should be located in enclosures and air ducts.


Fire Suppression:


There are four main types of fire:


A: Common combustibles such as wood, paper, laminated. Best fought with water or soda acid.


B: Liquid fires such as petroleum products and coolants. Best fought with Gas (Halon), CO2, Soda Acid.


C: Electrical equipment and wires. Best fought with Gas (Halon) or CO2.


D: Combustible metals. Best fought with Dry Powder.


A fire needs heat, fuel and oxygen to burn. The different fire suppression methods do the following:


CO2 & Soda Acid: Remove fuel and oxygen from the fire.

Water: Lowers temperature.

Halon (or substitute): Interferes with the chemical reaction between elements.


Halon is no longer legal due to environmental issues. Some replacements are:


  • FM200
  • FE-13
  • Inergen
  • Argon
  • Argonite

Halon 1211 does not require the sophisticated pressurization system needed by Halon 1301 and tends to be used in self-pressurized portable extinguishers.


Water Sprinklers


“Sensors should be in place to shut down electrical power before water sprinklers activate”


Wet Pipe: Water in pipe. At a preset temperature (165), a link melts to release the water. Water can freeze in the pipes in colder climates.


Dry Pipe: Water is held back by a valve until a specific temperature is reached, then a time delay occurs before the water is released. This can give time for shutdown in a false alarm, but the response is not as fast as wet pipe. Best in colder climates because water cannot freeze in the pipes.


Preaction: Combination of wet and dry pipe. Water is not held in the pipes – it is released into the pipes when a specific temperature is reached. The water is not then released right away – a link in the pipes has to melt to release the water. This type is the one most recommended for a computer room.


Deluge: Same as dry pipe, except sprinkler heads are open. Large volume of water releases in a short period of time. Not recommended for electrical equipment.



HVACR: Heating, Ventilation, Air Conditioning, Refrigeration.



Administrative Controls


Emergency Response and procedures:


  • Evacuation procedures
  • System shutdown
  • Training and drills
  • Integrate with disaster recovery plans
  • Documented procedures for different types of emergencies
  • Periodic equipment tests


Perimeter Security:


The first line of defense is perimeter security. Preventing access to the facility deals with: access control, surveillance, monitoring, intrusion detection and corrective actions.


Preset locks: Usually used on doors. Latches and deadbolts.


Cipher Locks: Keypads, combination entry, swipe cards or both.


Options on Cipher locks can include:


  • Door delay – alarm will trigger if door is open for too long.
  • Key Override – specific combination programmed for emergencies
  • Master Keying – enables supervisory personnel to change access codes and other features
  • Hostage Alarm – special code that does not ring alarm locally, but at the monitoring site (police station or alarm company)


Device Locks: Locks for specific devices such as cable locks for laptops, disk drive locks, switch control, slot locks, port controls and cable traps.



Personnel Access Controls:


A common problem is “piggybacking”.


Wireless Proximity readers:

User activated: Card transmits values to the reader.


System Sensing: Three main types of system sensing cards:


  • Transponders – Card and reader both have a receiver, transmitter and battery.
  • Passive Devices – Card uses power from the reader.
  • Field-Powered Devices – Card and reader contain a transmitter. Card has its own power supply.



External Boundary Protection:


Fencing:

3 to 4 feet: Deters casual trespassers.

6 to 7 feet: Too high to climb easily.

8 ft + barbed wire: Deters more determined intruders.


Lighting: Critical access should be illuminated 8 feet high and 2 feet out.


Surveillance: There are three main categories of surveillance:


  1. Patrol force and guards – costly, unreliable but provide judgment.
  2. Dogs
  3. Visual recording devices – CCTV.


Issues with guards are availability, reliability, training and cost.



Surveillance techniques are used to watch for unusual behavior, whereas detecting devices are used to sense changes that take place in an environment. Monitoring live events is preventative, recording events is detective.


Author: Lawrence Pingree
