ICT3201 Operations Security and Incident Management
Lecture 11
Operations Security
ICT3201 1
AY23/24
Agenda
1. Overview of Operations Security
2. Administrative Security
3. Sensitive Information/Media Security
4. Asset Management
5. Continuity of Operations
6. Incident Response Management – covered in previous lectures
7. User Administration
8. Operations Security in ISO 27002:2013
Operations Security
Overview
Definition (1)
Operations Security (OPSEC):
1. A term defined in DoD Directive 5205.02E.
2. Identifying critical information and the indicators that can reveal it, and developing countermeasures to eliminate those indicators. (US Army Regulation 530-1, Operations Security)
3. In information security, OPSEC is about managing threats that can affect the confidentiality, integrity and availability of an organisation’s IT production environment. It is about people, data, media and hardware, and the associated threats to the production environment. (Eleventh Hour CISSP Study Guide, 2nd Edition, Syngress; e-book available in SIT Library)
Definition (2)
Operations Security (OPSEC):
1. Operations security pertains to everything that takes place to
keep networks, computer systems, applications, and environment
up and running in a secure and protected manner.
2. It details the process of understanding enterprise security
operations from a competitor's/enemy's/hacker's viewpoint and
then developing and applying countermeasures to mitigate
identified threats. AiSP Book of Knowledge, v1.0
3. ISO 27002:2013 also specifies a domain on Operations Security (see Chapter 12).
Definition (3)
Before 2015, the CISSP Operations Security domain covered:
1. Administrative Security
2. Sensitive Information/Media Security
3. Asset Management
4. Continuity of Operations
5. Incident Response Management
Effective 15 April 2015, the CISSP domain was renamed Security Operations (with some changes to its content).
Job Responsibility
Common job responsibilities for an Information Security Officer:
(Image: job role from CapitaLand in 2017)
Operations Security
Administrative Security
Objective
To provide means of controlling people’s operational access
to data through:
1. Labelling
2. Clearance
3. Separation/Segregation of Duties (SOD)
4. Rotation of Duties
5. Mandatory Leave/ Forced Vacation
6. Non-Disclosure Agreement (NDA)
7. Background Checks
Administrative Security (1)
1. Labelling
• Objects (that you wish to protect) have labels
• Subjects (that wish to access the object) have clearances
• Popular labels used by Governments (e.g. Singapore):
• Top Secret, Secret, Confidential, Restricted, (Unclassified)
2. Clearance
• To determine whether a user can be trusted with a specific level
of information or not
• Information may be compartmentalised in order to enforce need-to-know; a separate clearance is needed to access each compartment.
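The labelling and clearance rules above, as an added worked example (not from the lecture slides): an object is readable only when the subject's clearance level is at least the object's level and the subject holds every compartment on the object's label, which is how compartmentalisation enforces need-to-know. The level names are the ones listed on the slide; the compartment names, users and objects are constructed sample data.

```python
"""Added example: a label/clearance check with compartments (need-to-know).

Objects carry a label (level + compartments); subjects carry a clearance.
A subject may read an object only when its clearance level is at least the
object's level AND its compartments cover the object's compartments.
Level names follow the slide; compartments, users and objects are constructed.
"""
from dataclasses import dataclass, field

# Ordered from least to most sensitive, as listed on the slide.
LEVELS = ["Unclassified", "Restricted", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def __post_init__(self):
        if self.level not in RANK:
            raise ValueError(f"unknown level: {self.level}")


def dominates(clearance: Label, label: Label) -> bool:
    """True when the clearance is at least as high as the label on both axes."""
    return (RANK[clearance.level] >= RANK[label.level]
            and clearance.compartments >= label.compartments)


def can_read(clearance: Label, obj_label: Label) -> bool:
    return dominates(clearance, obj_label)


def explain_denial(clearance: Label, obj_label: Label) -> str:
    """Human-readable reason, useful when logging denied access for review."""
    reasons = []
    if RANK[clearance.level] < RANK[obj_label.level]:
        reasons.append(f"level {clearance.level} < {obj_label.level}")
    missing = obj_label.compartments - clearance.compartments
    if missing:
        reasons.append("missing compartments: " + ", ".join(sorted(missing)))
    return "; ".join(reasons) or "allowed"


# Constructed sample subjects (clearances) and objects (labels).
USERS = {
    "alice": Label("Top Secret", frozenset({"PROJ-A", "PROJ-B"})),
    "bob":   Label("Secret", frozenset({"PROJ-A"})),
    "carol": Label("Secret", frozenset()),
}
OBJECTS = {
    "budget.xlsx":   Label("Confidential"),
    "proj-a-plan":   Label("Secret", frozenset({"PROJ-A"})),
    "proj-b-design": Label("Top Secret", frozenset({"PROJ-B"})),
}


def access_matrix() -> dict:
    """Map (user, object) -> decision string for every pair."""
    return {(u, o): ("allow" if can_read(USERS[u], OBJECTS[o])
                     else "deny: " + explain_denial(USERS[u], OBJECTS[o]))
            for u in USERS for o in OBJECTS}


if __name__ == "__main__":
    for (u, o), decision in sorted(access_matrix().items()):
        print(f"{u:6} -> {o:14} {decision}")
```

Note that carol is cleared to Secret yet is still denied the Secret PROJ-A plan: the level check passes, the compartment check fails. That second axis is what makes clearance a need-to-know control rather than a pure hierarchy.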
Administrative Security (2)
3. Separation/Segregation of Duties (SOD)
• Purpose: To maintain checks and balances, especially among
employees with privileges (e.g. issue/sign cheques, etc.)
• NO single person should have total/complete control of a
sensitive/critical transaction (e.g. administration of nuclear
weapon systems, etc.)
4. Rotation of Duties
• Purpose: To prevent collusion (where 2 or more people work
together to subvert) by having different staff members perform
and review the work of their peers who performed the same
duty in the previous rotation.
• Can be a detective or deterrent control
• May detect fraud
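Separation of Duties (item 3 above) in code, as an added example that is not part of the lecture: a preventive check that refuses to grant a user a role conflicting with one they already hold, and a detective check that reviews a transaction log for a single person performing two steps that policy requires different people to perform. The role names, the step names and the log entries are constructed sample data.

```python
"""Added example: preventive and detective Separation of Duties checks.

 1. preventive: refuse to grant a role that conflicts with one the user holds
    (a "toxic combination" of roles);
 2. detective: review a transaction log and report transactions where one
    person performed more than one of the steps that must be split.
Roles, step names and log entries are constructed sample data.
"""
from collections import defaultdict

# Pairs of roles one person must never hold together (constructed policy).
CONFLICTING_ROLES = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"prepare_cheque", "sign_cheque"}),
    frozenset({"request_change", "approve_change"}),
}

# Steps of a payment that must be done by different people (constructed policy).
PAYMENT_STEPS = ("prepare", "approve", "release")


def grant_role(assignments: dict, user: str, role: str) -> bool:
    """Preventive control: add a role unless it conflicts with an existing one.

    `assignments` maps user -> set of roles. Returns True when granted,
    False when refused (the caller should record the refusal).
    """
    held = assignments.setdefault(user, set())
    for existing in held:
        if frozenset({existing, role}) in CONFLICTING_ROLES:
            return False
    held.add(role)
    return True


def sod_violations(log: list) -> dict:
    """Detective control over a log of (txn_id, user, step) entries.

    Returns {txn_id: [(user, [steps...]), ...]} for every transaction in
    which one user performed more than one of PAYMENT_STEPS.
    """
    by_txn = defaultdict(lambda: defaultdict(list))
    for txn, user, step in log:
        if step in PAYMENT_STEPS:
            by_txn[txn][user].append(step)
    violations = {}
    for txn, users in by_txn.items():
        offenders = [(u, steps) for u, steps in users.items() if len(steps) > 1]
        if offenders:
            violations[txn] = offenders
    return violations


# Constructed sample log: transaction 1002 is the one a reviewer should flag.
SAMPLE_LOG = [
    ("1001", "alice", "prepare"), ("1001", "bob", "approve"), ("1001", "carol", "release"),
    ("1002", "bob", "prepare"),   ("1002", "bob", "approve"), ("1002", "carol", "release"),
    ("1003", "alice", "prepare"), ("1003", "carol", "approve"),
]

if __name__ == "__main__":
    roles = {}
    print(grant_role(roles, "bob", "create_vendor"))    # True
    print(grant_role(roles, "bob", "approve_payment"))  # False: toxic combination
    print(sod_violations(SAMPLE_LOG))  # {'1002': [('bob', ['prepare', 'approve'])]}
```

The detective check is the one that pairs naturally with rotation of duties: the reviewer who runs it over the previous rotation's log should not be the person who performed those transactions.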
Administrative Security (3)
5. Mandatory Leave/ Forced Vacation
• The existing staff is asked to take a “forced” vacation, while another
staff takes over the role temporarily
• Similar to job rotation except it is usually on a shorter period, ranging
from 1 to 2 weeks
6. Non-Disclosure Agreement (NDA)
• Contractual agreement to maintain confidentiality of data
• Usually signed by job candidates, consultants, contractors, etc.
• Read BBC 2017 article on Apple Engineer fired over early iPhone X
Leak
7. Background Checks
• Usually performed as part of the pre-employment screening process
• Read The Straits Times 2014 article on Parliament: 150 foreigners jailed for false credentials since 2012
Operations Security
Sensitive Information/ Media Security
Objective
To ensure that storage media (including primary and
backup) containing sensitive information are handled
appropriately through:
1. Labelling/Marking
2. Handling
3. Storage
4. Retention
5. Media Sanitisation or Destruction of Data
Media Security (1)
Remember that media security applies to both primary and backup media; the latter is easily overlooked. It is best to have a policy that covers both.
1. Labelling/Marking
• Physically marking the media according to its information
classification (e.g. Top Secret, etc.)
2. Handling
• Staff should handle media only according to their clearance.
• E.g. staff not cleared for Top Secret should not handle (i.e. have physical access to) media marked Top Secret.
• Otherwise, the media must be encrypted.
Media Security (2)
3. Storage
• Media should be stored in a secure physical location. Preferable
to encrypt data. Failure to do so may have negative
consequences if the media are lost.
• Read The Guardian 2010 article on Zurich Insurance fined £2m
for losing customer details
4. Retention
• Media and information have a limited useful life span.
• E.g. exam papers are usually classified Confidential only until the end of the exam.
• Regulatory requirements may determine the retention period of media.
• However, it is not advisable to retain data beyond its retention period.
• Read the section on Danger of Saving Unnecessary Documents.
Media Security (3)
5. Media Sanitisation or Destruction of Data
• Data Remanence
• Data that persists after non-invasive attempts to delete it
• When a file is deleted, the file system removes only the metadata pointers or references to the file; the file contents remain on the media.
• Hence, “deleted data” is recoverable. Read the Wikipedia 2017 article on the Edison Chen Photo Scandal.
• Wiping/Overwriting
• Writes new data over each bit or block of file data
• Degaussing
• Use external magnetic field through degausser to destroy integrity of
magnetisation of storage media (e.g. HDD)
• Physical Destruction
• Most extreme mode, e.g. incineration, pulverisation
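Data remanence and wiping, as an added worked example (not from the lecture): a toy block device keeps its directory separate from its data blocks, the way a real file system keeps metadata separate from content. A plain delete drops only the directory entry, so a raw scan of the blocks still finds the content; a wipe overwrites the blocks before deleting, and the scan finds nothing. Everything here is in memory and constructed; no real disk is touched.

```python
"""Added example: why "delete" is not "erase" (data remanence vs overwriting).

ToyDisk models a device as fixed-size blocks plus a directory (name -> block
numbers). `delete` only drops the directory entry, so the bytes persist and
a raw scan still finds them. `wipe` overwrites the blocks first, which is the
slide's wiping/overwriting control. All data is constructed sample data.
"""
BLOCK_SIZE = 8


class ToyDisk:
    def __init__(self, n_blocks: int = 16):
        self.blocks = [bytes(BLOCK_SIZE) for _ in range(n_blocks)]
        self.free = list(range(n_blocks))
        self.directory = {}  # file name -> list of block numbers

    def write_file(self, name: str, data: bytes) -> None:
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)] or [b""]
        if len(chunks) > len(self.free):
            raise OSError("disk full")
        used = []
        for chunk in chunks:
            b = self.free.pop(0)
            self.blocks[b] = chunk.ljust(BLOCK_SIZE, b"\0")
            used.append(b)
        self.directory[name] = used

    def read_file(self, name: str) -> bytes:
        return b"".join(self.blocks[b] for b in self.directory[name]).rstrip(b"\0")

    def delete(self, name: str) -> None:
        """Ordinary delete: forget the pointers, leave the data in place."""
        self.free.extend(self.directory.pop(name))

    def wipe(self, name: str, passes: int = 1) -> None:
        """Overwrite every block of the file (0xff, then zeros), then delete it."""
        for b in self.directory[name]:
            for _ in range(passes):
                self.blocks[b] = b"\xff" * BLOCK_SIZE
            self.blocks[b] = bytes(BLOCK_SIZE)
        self.delete(name)

    def carve(self, marker: bytes) -> list:
        """Raw scan of the whole image, ignoring the directory, like a
        recovery tool does; returns byte offsets where `marker` occurs."""
        raw = b"".join(self.blocks)
        hits, pos = [], raw.find(marker)
        while pos != -1:
            hits.append(pos)
            pos = raw.find(marker, pos + 1)
        return hits


def remanence_demo() -> dict:
    """Delete one secret, wipe another, and report what a raw scan still finds."""
    disk = ToyDisk()
    disk.write_file("secret1.txt", b"TOPSECRET-A payroll")  # constructed content
    disk.write_file("secret2.txt", b"TOPSECRET-B payroll")
    disk.delete("secret1.txt")   # metadata gone, bytes remain
    disk.wipe("secret2.txt")     # bytes overwritten, then metadata gone
    return {
        "after_delete_found": disk.carve(b"TOPSECRET-A"),
        "after_wipe_found": disk.carve(b"TOPSECRET-B"),
        "directory": sorted(disk.directory),
    }


if __name__ == "__main__":
    print(remanence_demo())
```

The toy wipe works because every block a file ever occupied is still known; on real media (journaling file systems, SSD wear levelling, copies in backups) that is not guaranteed, which is why the slide lists degaussing and physical destruction for the most sensitive media.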
Media Security (4)
5. Media Sanitisation or Destruction of Data
• Shredding
• Physical destruction of hardcopy data (e.g. documents) and smaller
media (e.g. floppy disks, CDs, etc.)
• Dumpster Diving
• Physical attack where a person goes through trash to find sensitive information that was not securely destroyed
(Image extracted on 6 Nov 2017 from [Link])
Operations Security
Asset Management
Asset Management (1)
Consists of:
1. Configuration Management (Hardening)
1. Disabling unnecessary services, removing extraneous programs,
enabling security capabilities, e.g. firewalls, antivirus, IDS/IPS, logs,
etc.
2. Follow the recommended guidelines from the Center for Internet Security (CIS) ([Link])
2. Baselining
1. Capturing system security configuration at a certain point of time
2. Helpful in responding to potential security incident
3. Vulnerability Management
1. Discovering poor configurations and missing patches
2. Remediate or mitigate discovered vulnerabilities
Asset Management (2)
4. Change Management
1. To understand, communicate and document any changes, in order to understand, control and avoid the negative impact that changes might have (e.g. opening firewall ports).
2. Changes must be tracked and auditable.
3. Detailed change record must be kept – will allow tracing and
verification that change management policies and processes
are complied with.
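Baselining (item 2) and change management (item 4) together, as an added example that is not from the lecture: a baseline is captured as a hash per setting, a later capture is compared against it, and every difference is classified as either covered by an approved change record or unapproved. The unapproved differences are what a reviewer follows up, which is also how the baseline helps during an incident. The setting names, values and change ticket IDs are constructed sample data, not from any real system.

```python
"""Added example: capture a configuration baseline and report drift against
approved change records. Settings, values and ticket IDs are constructed.
"""
import hashlib
import json


def fingerprint(value) -> str:
    """Stable hash of a setting value (lists/dicts included) so baselines stay small."""
    return hashlib.sha256(json.dumps(value, sort_keys=True).encode()).hexdigest()[:16]


def take_baseline(config: dict) -> dict:
    """Snapshot: setting name -> fingerprint, suitable for storing with a date."""
    return {key: fingerprint(val) for key, val in config.items()}


def drift_report(baseline: dict, current: dict, approved_changes: list) -> dict:
    """Classify every differing setting as 'approved' (ticket id) or 'unapproved'.

    approved_changes is a list of change records {"id": ..., "settings": [keys]}.
    """
    covered = {key: rec["id"] for rec in approved_changes for key in rec["settings"]}
    now = take_baseline(current)
    changed = [k for k in set(baseline) | set(now) if baseline.get(k) != now.get(k)]
    report = {"approved": {}, "unapproved": []}
    for key in sorted(changed):
        if key in covered:
            report["approved"][key] = covered[key]
        else:
            report["unapproved"].append(key)
    return report


# Constructed hardened baseline, in the spirit of the CIS guidance the slide cites.
BASELINE_CONFIG = {
    "ssh.PasswordAuthentication": "no",
    "ssh.PermitRootLogin": "no",
    "firewall.inbound_allow": [22, 443],
    "services.telnet": "disabled",
    "audit.enabled": True,
}

# Constructed later capture: one approved change (port 8443) and two unexpected ones.
CURRENT_CONFIG = {
    "ssh.PasswordAuthentication": "no",
    "ssh.PermitRootLogin": "yes",
    "firewall.inbound_allow": [22, 443, 8443],
    "services.telnet": "enabled",
    "audit.enabled": True,
}

# Constructed change record: only the firewall change went through change management.
APPROVED_CHANGES = [
    {"id": "CHG-0042", "settings": ["firewall.inbound_allow"]},
]


def demo() -> dict:
    return drift_report(take_baseline(BASELINE_CONFIG), CURRENT_CONFIG, APPROVED_CHANGES)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Storing only fingerprints keeps the baseline small and avoids copying secrets into it, but it also means the report says which setting changed, not what it changed to; the reviewer goes to the system (or the change record) for that.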
Operations Security
Continuity of Operations
Continuity of Operations (1)
Concerned mainly with Availability of the CIA Triad
1. Service Level Agreements (SLA)
• Stipulates expectations regarding the behaviour of the department that is providing services and the quality of those services.
• SLAs usually dictate metrics that can be measured against, such as bandwidth, response times, etc.
2. Full, Differential, Incremental Backup#
3. RAID 0 (Mirror), RAID 1 (Striped), RAID 5 (Striped with
Parity) #
# Refer to Chapter 5 of NIST SP 800-34 rev 0 for more details
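Full, differential and incremental backups (item 2), as an added worked example that is not from the lecture or from NIST SP 800-34: given files with modification times, a full backup copies everything, a differential backup copies what changed since the last full backup, and an incremental backup copies what changed since the last backup of any kind. The example also derives the restore chain each strategy needs, which is the trade-off between the two. File names and the integer "times" are constructed sample data.

```python
"""Added example: file selection for full, differential and incremental backups,
and the restore chain each one implies. File names and times are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Backup:
    kind: str           # "full" | "differential" | "incremental"
    time: int
    files: dict = field(default_factory=dict)  # path -> mtime of the copy taken


def run_backup(kind: str, now: int, files: dict, history: list) -> Backup:
    """Select files per the rule for `kind`, append the backup to history."""
    if kind == "full":
        since = -1                                  # everything
    elif kind == "differential":
        fulls = [b for b in history if b.kind == "full"]
        if not fulls:
            raise ValueError("differential backup needs a prior full backup")
        since = fulls[-1].time                      # changed since last FULL
    elif kind == "incremental":
        if not history:
            raise ValueError("incremental backup needs a prior backup")
        since = history[-1].time                    # changed since last backup of ANY kind
    else:
        raise ValueError(f"unknown backup kind: {kind}")
    selected = {path: mtime for path, mtime in files.items() if mtime > since}
    backup = Backup(kind, now, selected)
    history.append(backup)
    return backup


def restore_chain(history: list) -> list:
    """Backups needed, oldest first, to rebuild the latest state."""
    last_full = max(i for i, b in enumerate(history) if b.kind == "full")
    chain = [history[last_full]]
    later = history[last_full + 1:]
    if not later:
        return chain
    if later[-1].kind == "differential":
        chain.append(later[-1])      # only the most recent differential matters
    else:
        chain.extend(later)          # every incremental since the full, in order
    return chain


def restore(history: list) -> dict:
    """Apply the chain in order; later copies overwrite earlier ones."""
    state = {}
    for backup in restore_chain(history):
        state.update(backup.files)
    return state


def scenario(kind: str) -> tuple:
    """Day 0 full backup, then three daily backups of `kind` with constructed edits.

    Returns (files copied per backup, restore-chain times, restore == live state).
    """
    files = {"a.txt": 0, "b.txt": 0, "c.txt": 0}
    history = []
    run_backup("full", 0, files, history)
    files["a.txt"] = 1
    run_backup(kind, 1, files, history)
    files["b.txt"] = 2
    run_backup(kind, 2, files, history)
    files["a.txt"] = 3
    run_backup(kind, 3, files, history)
    sizes = [len(b.files) for b in history]
    return sizes, [b.time for b in restore_chain(history)], restore(history) == files


if __name__ == "__main__":
    print("differential:", scenario("differential"))  # ([3, 1, 2, 2], [0, 3], True)
    print("incremental:", scenario("incremental"))    # ([3, 1, 1, 1], [0, 1, 2, 3], True)
```

The numbers show the trade-off directly: differential backups grow day by day but restore from two sets, while incremental backups stay small but every set since the last full backup must be present and intact to restore, which is why the 12.3.1 control insists backups be tested, not just taken.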
Continuity of Operations (2)
4. High Availability (also known as Failover Cluster)
• Uses multiple systems such that if a failure occurs at one system,
another system can seamlessly take over
• Very popular for IT disaster recovery plans (DRP) with a low recovery time objective (RTO)
• Two main configurations:
• Active-Active
• Commonly known as load balancing
• Each system actively processing data
• Most costly
• Active-Passive
• One system is actively processing data while the other is on hot standby
Operations Security
User Administration
User Administration (1)
1. Establishes the Acceptable Use Policy (AUP).
• AUP describes the permitted system uses, user activities and the
consequences of non-compliance.
• Users typically are required to agree to AUP before being
granted access rights to a system.
2. Access rights administration ensures that only authorised users have access to information resources, on a need-to-know basis (usually based on functional roles).
User Administration (2)
3. There are 5 broad processes in access rights
administration and management:
• (A) Enrollment/On-boarding
• Establishes user’s identity and access needs
• (B) Identification & Authentication
• Users are identified to a system and have to prove their identities using some form of authentication, e.g. passwords, 2FA, etc.
• Users should be uniquely identifiable, especially those with privileged/administrative access.
• (C) Authorisation
• After successful authentication, users are given access and privileges
(e.g. read, write, execute, etc.) to information resources (e.g. files, OS,
etc.)
User Administration (3)
• (D) Monitoring
• User activities are monitored. Monitoring can be divided into:
• (D1) Activity Monitoring refers to monitoring user’s activities in the system.
Unauthorised activities must be flagged and followed-up accordingly.
• (D2) Entitlement Review refers to reviewing user’s access rights and
privileges on a regular basis (e.g. monthly, annually, etc.). User’s access
needs may change due to personnel circumstances, e.g. department
transfers, promotions, resignation, etc.
• Lack of regular entitlement review may lead to dormant/obsolete
accounts which may be exploited by malicious attackers without the
knowledge of the organisation.
• (E) De-registration/Off-boarding
• Deletes user’s access rights due to termination or resignation.
• Common for organisations to “disable” user’s accounts for a period of
time before actual deletion.
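An entitlement review (D2) and the off-boarding follow-through (E), as an added example that is not from the lecture: it cross-checks a constructed IAM account export against a constructed HR staff list and flags dormant accounts, orphaned accounts whose owner has left, privileged accounts that are shared rather than uniquely identifiable (cf. B), and disabled accounts past the grace period and due for deletion. The account records, names, dates and the 90-day and 30-day thresholds are all constructed values.

```python
"""Added example: an entitlement review over constructed IAM and HR data."""
from collections import namedtuple
from datetime import date

DORMANT_DAYS = 90        # constructed policy: flag enabled accounts unused this long
DELETE_AFTER_DAYS = 30   # constructed policy: disabled accounts are deleted after this grace period

Account = namedtuple("Account", "user enabled privileged last_login owner disabled_on")

ACCOUNTS = [  # constructed IAM export
    Account("alice",   True,  True,  "2024-03-01", "Alice Tan", None),
    Account("bob",     True,  False, "2023-10-05", "Bob Lim",   None),
    Account("carol",   True,  False, "2024-02-20", "Carol Ng",  None),
    Account("dbadmin", True,  True,  "2024-03-02", "shared",    None),
    Account("dave",    False, False, "2023-12-01", "Dave Koh",  "2024-01-10"),
]
CURRENT_STAFF = {"Alice Tan", "Bob Lim", "Dave Koh"}  # constructed HR list: Carol has resigned


def _days_ago(iso: str, today: date) -> int:
    return (today - date.fromisoformat(iso)).days


def entitlement_review(accounts, staff, today: date) -> dict:
    """Return the four finding lists a reviewer would work through."""
    findings = {"dormant": [], "orphaned": [], "shared_privileged": [], "due_for_deletion": []}
    for a in accounts:
        if a.enabled:
            if _days_ago(a.last_login, today) > DORMANT_DAYS:
                findings["dormant"].append(a.user)            # unused: candidate to disable
            if a.owner != "shared" and a.owner not in staff:
                findings["orphaned"].append(a.user)           # off-boarding was missed
            if a.privileged and a.owner == "shared":
                findings["shared_privileged"].append(a.user)  # not uniquely identifiable
        elif a.disabled_on and _days_ago(a.disabled_on, today) > DELETE_AFTER_DAYS:
            findings["due_for_deletion"].append(a.user)       # grace period over
    return findings


def review_as_of(iso_today: str) -> dict:
    """Run the review against the constructed data as of a given date."""
    return entitlement_review(ACCOUNTS, CURRENT_STAFF, date.fromisoformat(iso_today))


if __name__ == "__main__":
    for category, users in review_as_of("2024-03-04").items():
        print(f"{category:18} {users}")
```

The orphaned check is the one that catches the failure mode the slide warns about: the account is still enabled and looks healthy in IAM, and only the comparison with an authoritative list of current staff reveals that nobody legitimate should be using it.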
User Administration (4)
4. Passwords remain the preferred technology for user authentication due to their low cost, simplicity of implementation and compatibility with legacy systems.
5. Password administration and management seeks to ensure that every account has a password that is known only to the authorised user and is not easily compromised. Generally, it includes:
• Defining a policy of acceptable passwords (e.g. minimum length,
character composition, password lifespan, etc.).
• Ensuring appropriate security controls for passwords (e.g.
encryption for password storage & transmission, avoiding
storing passwords in cleartext, etc.).
• Securing password generation, distribution and replacement.
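The three password administration bullets above, as an added example that is not from the lecture: a policy check (minimum length, character composition, a blocklist, no reuse of recent passwords), storage that never keeps the cleartext (a salted, iterated PBKDF2-HMAC-SHA256 hash from the Python standard library, compared in constant time), and generation of an initial password for distribution. The policy values (12 characters, 3 of 4 character classes, 600,000 iterations, 5-deep history) are constructed choices, not taken from the slides.

```python
"""Added example: password policy enforcement and cleartext-free storage.
Policy values are constructed; the hashing uses only the standard library.
"""
import hashlib
import hmac
import os
import secrets
import string

MIN_LENGTH = 12
ITERATIONS = 600_000
HISTORY_DEPTH = 5


def policy_violations(password: str, blocklist=frozenset()) -> list:
    """Return the reasons a password is unacceptable; an empty list means OK."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(c in string.punctuation for c in password)]
    if sum(classes) < 3:
        problems.append("needs at least 3 of: lower, upper, digit, punctuation")
    if password.lower() in blocklist:
        problems.append("on the blocked-password list")
    return problems


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted, iterated hash; only (salt, digest) is ever stored, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


class PasswordStore:
    """Per-user current hash plus a short history to prevent reuse."""

    def __init__(self, blocklist=frozenset()):
        self._current = {}   # user -> (salt, digest)
        self._history = {}   # user -> [(salt, digest), ...]
        self._blocklist = blocklist

    def set_password(self, user: str, password: str) -> list:
        """Apply policy and history checks; returns problems, empty on success."""
        problems = policy_violations(password, self._blocklist)
        for salt, digest in self._history.get(user, []):
            if verify_password(password, salt, digest):
                problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
                break
        if problems:
            return problems
        entry = hash_password(password)
        self._current[user] = entry
        self._history.setdefault(user, []).append(entry)
        self._history[user] = self._history[user][-HISTORY_DEPTH:]
        return []

    def check(self, user: str, password: str) -> bool:
        if user not in self._current:
            verify_password(password, b"\0" * 16, b"\0" * 32)  # same cost for unknown users
            return False
        return verify_password(password, *self._current[user])


def generate_initial_password(length: int = 16) -> str:
    """For first-time distribution; the user must change it on first login."""
    alphabet = string.ascii_letters + string.digits + "-_!@#"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_violations(candidate):
            return candidate
```

Two details carry most of the security value: the salt makes identical passwords hash differently, so a leaked store cannot be attacked with one precomputed table, and the unknown-user branch of `check` still performs a hash so that response time does not reveal which usernames exist.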
Operations Security
Operations Security (Chapter 12) in ISO 27002:2017
Operations Security in ISO 27002
• ISO 27002:2013 has a domain on Operations Security
• ISO provides 7 areas on Operations Security (read Chapter 12). No. Area: Control objective
12.1 Operational procedures & responsibilities: To ensure correct and secure operations of information processing facilities.
12.2 Protection from malware: To ensure that information and information processing facilities are protected against malware.
12.3 Backup: To protect against loss of data.
12.4 Logging and monitoring: To record events and generate evidence.
12.5 Control of operational software: To ensure the integrity of operational systems.
12.6 Technical vulnerability management: To prevent exploitation of technical vulnerabilities.
12.7 Information systems audit considerations: To minimize the impact of audit activities on operational systems.
• Under each area, there can be more than 1 reference set of controls.
12.1 Operational procedures & responsibilities
• 4 reference controls. No. Area: Control
12.1.1 Documented operating procedures: Operating procedures should be documented and made available to all users who need them.
12.1.2 Change management: Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled.
12.1.3 Capacity management: The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the required system performance.
12.1.4 Separation of development, testing and operational environments: Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment.
12.2 Protection from malware
• Only 1 reference control. No. Area: Control
12.2.1 Controls against malware: Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.
12.3 Backup
• Only 1 reference control. No. Area: Control
12.3.1 Information backup: Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy.
12.4 Logging and monitoring
• 4 reference controls. No. Area: Control
12.4.1 Event logging: Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.
12.4.2 Protection of log information: Logging facilities and log information shall be protected against tampering and unauthorized access.
12.4.3 Administrator and operator logs: System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.
12.4.4 Clock synchronisation: The clocks of all relevant information processing systems within an organization or security domain shall be synchronised to a single reference time source.
12.5 Control of operational software
• Only 1 reference control. No. Area: Control
12.5.1 Installation of software on operational systems: Procedures shall be implemented to control the installation of software on operational systems.
12.6 Technical vulnerability management
• 2 reference controls. No. Area: Control
12.6.1 Management of technical vulnerabilities: Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.
12.6.2 Restrictions on software installations: Rules governing the installation of software by users shall be established and implemented.
12.7 Information systems audit considerations
• Only 1 reference control. No. Area: Control
12.7.1 Information systems audit controls: Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimise disruptions to business processes.
Using Operations Security in ISO 27002 (1)
• The above-mentioned set of reference controls is meant as guidelines.
• Organisations can select them or use other more relevant controls
according to their needs and risk assessment results.
• As you can see from the above reference controls, ISO 27002:2013
provides a high-level recommendation on what control is required.
• It does NOT specify the details of the control, such as how, when,
where, etc. to apply the control.
Using Operations Security in ISO 27002 (2)
• For example, 12.4 has 4 reference controls on Logging and
Monitoring.
o In 12.4.1 on Event Logging, the control states “Event logs recording user
activities, exceptions, faults and information security events shall be
produced, kept and regularly reviewed”.
o In pg. 54 of ISO 27002:2013, it also provides some examples of what event
logs should include, such as user IDs, system activities, dates, times, etc.
o However ISO 27002:2013 is silent on other information such as how the
event logs should be produced, kept and regularly reviewed.
E.g., should the logs be produced hourly, daily? Should the logs be produced locally at the
endpoint or remotely? Should the logs be produced using CEF format or SNMP? How often
should the logs be reviewed? How regular is regular? Daily, monthly, etc.?
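One concrete answer to the "how" questions above, as an added example that is not from the lecture or from ISO 27002: each event is written as one JSON line carrying the kinds of fields the standard gives as examples (user ID, activity, date and time) plus an outcome and source host, with a UTC ISO 8601 timestamp so records from different systems line up (12.4.4). Each line also carries the SHA-256 of the previous line, so editing or removing an earlier record breaks the chain and `verify_chain` reports where (12.4.2), and a small scheduled review pulls out the failed privileged actions for follow-up (12.4.1). The field names, host names and sample events are constructed.

```python
"""Added example: hash-chained JSON event log with a verification and review step.
Field names, hosts and events are constructed sample data.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # `prev` value of the first record


def _digest(line: str) -> str:
    return hashlib.sha256(line.encode()).hexdigest()


def append_event(log: list, user: str, activity: str, outcome: str, host: str,
                 when: datetime = None) -> str:
    """Append one chained JSON line to `log` and return it."""
    when = when or datetime.now(timezone.utc)
    record = {
        "ts": when.astimezone(timezone.utc).isoformat(timespec="seconds"),  # single time base
        "user": user, "activity": activity, "outcome": outcome, "host": host,
        "prev": _digest(log[-1]) if log else GENESIS,                      # link to prior record
    }
    line = json.dumps(record, sort_keys=True, separators=(",", ":"))
    log.append(line)
    return line


def verify_chain(log: list) -> tuple:
    """Return (ok, index): index is the first line whose `prev` does not match
    the hash of the line before it, or -1 when the chain is intact."""
    prev_hash = GENESIS
    for i, line in enumerate(log):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            return False, i
        if rec.get("prev") != prev_hash:
            return False, i
        prev_hash = _digest(line)
    return True, -1


def review(log: list) -> list:
    """A simple scheduled review: failed privileged actions for follow-up."""
    flagged = []
    for line in log:
        rec = json.loads(line)
        if rec["outcome"] == "failure" and rec["activity"].startswith("admin:"):
            flagged.append(rec)
    return flagged


def demo() -> dict:
    t0 = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)  # constructed timestamps
    log = []
    append_event(log, "alice", "login", "success", "web01", t0)
    append_event(log, "bob", "admin:add_user", "failure", "web01", t0.replace(minute=5))
    append_event(log, "bob", "admin:add_user", "success", "web01", t0.replace(minute=6))
    intact = verify_chain(log)
    tampered = list(log)
    tampered[1] = tampered[1].replace('"failure"', '"success"')  # hide the failed attempt
    deleted = log[:1] + log[2:]                                   # drop a record entirely
    return {"intact": intact, "tampered": verify_chain(tampered),
            "deleted": verify_chain(deleted), "to_review": len(review(log))}


if __name__ == "__main__":
    print(demo())  # {'intact': (True, -1), 'tampered': (False, 2), 'deleted': (False, 1), 'to_review': 1}
```

Note where the break is reported: a modified record is detected at the record after it, because that is the link that no longer matches. The newest record is therefore only protected once a later record exists or the current chain head has been copied somewhere the endpoint cannot rewrite, which is why the lines would also be shipped to a separate log server in practice.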
Using Operations Security in ISO 27002 (3)
• Hence, while ISO 27002 provides very good reference controls, it
does not provide very specific (especially) technical descriptions on
how to achieve/implement the reference controls.
• The lack of details provides organisations with some flexibility on
how to achieve/implement the reference controls, depending on
their needs and risk assessment results.
• However, this also results in different implementations of controls
among various organisations and it is difficult to judge the
effectiveness of the controls.
o E.g., some companies simply cut corners and achieve the minimum that is
expected of them and yet they broadcast that they are of ISO quality.
• Additionally, information security practitioners who are new or lack sufficient knowledge often struggle to implement the controls due to the lack of technical guidance in ISO.
Summary
1. Overview of Operations Security
2. Administrative Security
3. Sensitive Information/Media Security
4. Asset Management
5. Continuity of Operations
6. Incident Response Management – covered in previous lectures
7. User Administration
8. Operations Security in ISO 27002:2013
Questions?