Module 9: Operational Security
Operational security (OPSEC) is a fundamental element of cybersecurity, focusing on safeguarding an organization’s critical information and assets from a variety of threats. In this post, we’ll explore the key principles, strategies, and best practices of operational security for a CompTIA Security+ professional.
Implementing Operational Security
- Evaluate Security Frameworks and Guidelines
- Incorporate Documentation in Operational Security
- Implement Security Strategies
- Manage Data Security Processes
- Implement Physical Controls
Security Frameworks
A conceptual structure for security operations in the organization.
- Defines how to categorize and identify elements of security operations.
- Focus tasks at a high level; low level tasks eventually flow from these.
- Helps avoid building security in a vacuum or without considering important concepts.
Framework categories:
- Regulatory
- Non-regulatory
- Industry-specific
- National
- International
Security Framework Examples
Framework | Description |
---|---|
NIST 800 Series | NIST publishes numerous documents on many security topics. The 800 Series focuses on computer security. |
COBIT 5 | Framework for IT management and governance. Five guiding principles for organizations to achieve IT management objectives. |
ITIL | Comprehensive IT management structure developed in the UK. Has five core publications. |
ISO/IEC 27001 | Joint operation to create a standard model for information systems management. Covers everything from organizational context to reviewing system performance. |
Security Configuration Guides
- Many organizations provide guides for operational security.
- Use these guides to strengthen operations and adhere to framework principles.
- General purpose guides provide high-level guidance on a particular security topic.
Some guides target specific vendors and platforms:
Web server/application server guides.
- Example: IIS vs. Apache HTTP Server.
Operating System Guides.
- Example: Windows vs. Linux vs. macOS.
Network infrastructure device guides.
- Example: Cisco devices vs. Juniper devices.
Compliance
Compliance is the practice of ensuring that legal, regulatory, and organizational requirements are met.
Authorities that mandate compliance:
- Government legislative entities that make laws.
- Government regulatory agencies that provide standards for various industries.
- Industry associations that have their own standards.
- Laws and regulations can have a profound effect on organizational security.
- Security personnel must review all applicable laws and regulations.
- Most organizations are subject to laws governing use of data and systems.
- Organizations' internal policies also require compliance.
Layered Security
An approach to operational security that incorporates many different avenues of defense.
- Implements multiple controls to mitigate different types of threats.
- Can become quite complex and expensive, though it can provide optimal protection.
- Can be more effective if it relies on vendor and control diversity.
- A flaw in a vendor's product may show up in other products by that vendor.
- Contracting with multiple vendors may reduce risk.
- Different types of controls can also aid layered security.
- Rather than just technical, also incorporate administrative controls.
- Diverse vendors and controls can become difficult to manage.
Defense in Depth
A tactic that leverages layered security but incorporates more comprehensive security strategies.
Used to plan:
- User training
- Policy adoption
- Physical protection
- And more…
- Covers all areas of security.
Acts as a fail-safe:
- If one element is breached, other security systems take over.
Security Policies
A formalized statement that defines how security will be implemented in an organization.
- Describes how the organization will protect CIA of data and resources.
- Consists of multiple individual policies.
- All security measures should conform to policy.
Security policies are similar to a government's foreign policy.
- Determined by needs of the organization/government.
- Based on real or perceived threats.
- Defines how to handle these threats.
Without policies, you react to threats rather than anticipate them.
Common Security Policy Types
Policy Type | Description |
---|---|
AUP | Rules of behavior for personnel. Should define what use of resources is acceptable and what is not. Must be reasonable and respect employee duties and rights. Example item: Allowing or limiting personal email use. |
Privacy policy | Defines standards for divulging personal info to other parties. Should specify what is to be kept private and what is not. Should stipulate consequences for privacy violations. |
Audit Policy | Details requirements for risk assessment of organizational resources. |
Password policy | Defines standards for password complexity and strength. Defines how to use passwords securely. |
Wireless standards policy | Defines what devices can connect to the wireless network. Defines how to use wireless devices. |
Social media policy | Defines how employees can use social media networks/apps. Social media can adversely affect the organization's reputation. Policy can be specific to a platform or deal with all forms of collaboration. |
Personnel Management
The practice of ensuring that all of the organization's personnel are complying with policy.
- Affects both internal and external personnel.
- Outlines tasks for personnel to carry out to protect business operations.
- Every user plays some part in security.
- Human element is most vulnerable, especially to social engineering.
- Personnel management reduces human-based risk.
Separation of Duties
The practice of dividing duties and responsibilities among individuals.
- No one person should have too much power or responsibility.
- Separation of duties prevents ethical conflicts or abuse of powers.
- Makes it harder for an individual to exploit an organization through a specific piece of software.
- Backup operator, restore operator, and auditor are usually separate roles.
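A separation-of-duties check over role assignments, as an added example that is not from the original post. The rule that backup operator, restore operator and auditor must be held by different people comes from the text above; the other conflicting pair, the function names and the staff assignments are constructed for illustration.

```python
from itertools import combinations

# Pairs of roles one person must not hold at the same time (assumed policy).
# The backup/restore/auditor separations follow the note above; the
# developer/deployer pair is an added, constructed example.
CONFLICTING_ROLES = {
    frozenset({"backup_operator", "auditor"}),
    frozenset({"restore_operator", "auditor"}),
    frozenset({"backup_operator", "restore_operator"}),
    frozenset({"developer", "deployer"}),
}

# Constructed sample: who currently holds which roles.
ASSIGNMENTS = {
    "alice": {"backup_operator", "restore_operator"},
    "bob": {"auditor"},
    "carol": {"developer"},
    "dave": {"deployer", "auditor", "developer"},
}


def find_sod_violations(assignments, conflicts=CONFLICTING_ROLES):
    """Return {person: [(role_a, role_b), ...]} for every person who holds
    two roles that policy says must be separated."""
    violations = {}
    for person, roles in assignments.items():
        hits = []
        # Every pair of roles this person holds, in a stable order.
        for a, b in combinations(sorted(roles), 2):
            if frozenset({a, b}) in conflicts:
                hits.append((a, b))
        if hits:
            violations[person] = sorted(hits)
    return violations


def uncovered_roles(assignments, required):
    """Roles that policy requires but nobody currently holds: a coverage gap
    that job rotation or mandatory vacation planning has to account for."""
    held = set().union(*assignments.values())
    return sorted(set(required) - held)


if __name__ == "__main__":
    for person, pairs in find_sod_violations(ASSIGNMENTS).items():
        for a, b in pairs:
            print(f"SoD violation: {person} holds both {a} and {b}")
    required = {"backup_operator", "auditor", "change_approver"}
    print("required roles nobody holds:", uncovered_roles(ASSIGNMENTS, required))
```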
Job Rotation
The practice of ensuring that no one person stays in a vital job role for too long.
- Rotating individuals ensures vital knowledge is spread among trusted employees.
- A role is not too firmly tied to any one individual.
- Prevents abuse of power.
- Reduces boredom.
- Enhances individual’s skills.
Mandatory Vacation
The practice of mandating that each employee takes some specific amount of vacation each year.
- Provides opportunity to review employee’s activities.
- Usually mandates at least one vacation in a full week increment per year.
- Audit and security personnel can discover discrepancies in this time.
- Chance of fraudulent activities decreases.
Additional Personnel Management Tasks
Task | Description |
---|---|
Background check | Ensures a prospective employee does not have a criminal record. Also ensures they don't have a poor history with a past employer. Character flaws can add to the organization's risk. Checks are mandatory for certain security clearance levels. |
Signing an NDA | Employee asserts they will not share confidential info with third parties. Legal action may result from breaking the NDA. Acts as a deterrent to violating trust. |
Onboarding | Onboarding requires account management tasks. New employees should also be aware of all policies they must follow. Give new employees the resources they need to follow these policies. |
Exit Interview | Occasionally part of the offboarding process. Organization receives feedback to use to improve future employment. Organization can salvage specialized knowledge that isn't written down. Can also reveal behavior of a disgruntled employee that puts the organization at risk. |
Training and Awareness
- Personnel are the weakest link.
- Ensure they are properly trained to mitigate this risk.
- Training can be:
- Instructor-led classroom experience.
- Computer-based training and e-learning.
- Taking an exam to certify knowledge.
- One-on-one knowledge transfer.
- And more…
Overall training should include awareness of threats and ways to protect end users.
- Education should be ongoing, not static.
- Example threat: All users should be aware of social engineering attacks.
- Example control: All users should be able to spot phishing emails.
Role-based training is also common:
- Users
- Privileged users
- Executive users
- Data owners
- System owners
- System administrators
Business Agreements
Agreement Type | Description |
---|---|
SLA | Defines what services are to be provided to client. Defines what support is provided. SLA outlines service expectations for liability purposes. |
BPA | Defines how partnership between business is conducted. Defines what is expected of each partner. Should include what resources and access each partner is willing to share. |
MOU | Not legally binding and does not involve exchange of money. All parties try to achieve the same goal in the agreed-upon manner. Not the most secure agreement. |
ISA | Ensures that all partners are meeting a standard for security. Usually legally binding. Can also bolster the security of MOUs. |
Guidelines for Incorporating Documentation in Operational Security
- Ensure that you have a security policy driven by business and security needs.
- Ensure that the policy describes goals and requirements for security operations.
- Consider creating supplementary policies of specific types.
- Incorporate personnel management tasks into policies.
- Consider separating duties among different personnel.
- Consider mandating job rotation.
- Consider mandating vacations for all employees.
- Consider implementing background checks, NDAs, and other management tasks.
- Implement a cybersecurity training program for all personnel.
- Ensure that personnel training is ongoing.
- Consider offering different training programs based on role.
- Consider how business agreements can facilitate interoperability.
Security Automation
- Automation can increase efficiency of security operations.
- Automation handles tasks that are otherwise tedious and time-consuming.
Example: Configuration validation
- A security professional would need to compare individual configurations to baseline.
- Automation saves time and may be more accurate.
Example: Continuous monitoring
- Constantly scanning environment for risks.
- More efficient than just human-based detection.
- Courses of action can also be automated.
Automation can be enhanced through scripting.
- Direct tools to perform certain tasks at certain time, given certain conditions.
- Templates can provide baselines for automated deployment.
- Master images can be created and deployed automatically.
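The configuration-validation example above, worked through in code; this is an added example, not from the original post. A baseline of required settings is compared against the settings found on a host and drift is reported with a severity so a follow-up action can be automated. The baseline, the severities and the sshd_config-style host file are all constructed samples.

```python
# Baseline: expected value and the severity assigned to drift (assumed policy).
BASELINE = {
    "PermitRootLogin": ("no", "high"),
    "PasswordAuthentication": ("no", "high"),
    "MaxAuthTries": ("4", "medium"),
    "LogLevel": ("VERBOSE", "low"),
    "X11Forwarding": ("no", "low"),
}

# Constructed host configuration, as a script would read it from the file.
HOST_CONFIG = """\
# sshd_config collected from web-01 (constructed sample)
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 6

X11Forwarding no
"""


def parse_config(text):
    """Parse 'Keyword value' lines, skipping blanks and comments. Keywords are
    case-insensitive in sshd_config, so they are normalised to lower case."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip()
    return settings


def check_drift(config_text, baseline=BASELINE):
    """Return (key, expected, found, severity) for every baseline setting that
    is missing from the host (found is None) or differs from the baseline."""
    actual = parse_config(config_text)
    findings = []
    for key, (expected, severity) in baseline.items():
        found = actual.get(key.lower())
        if found is None or found.lower() != expected.lower():
            findings.append((key, expected, found, severity))
    return findings


def worst_severity(findings):
    """Highest severity among the findings, or 'none' when the host matches."""
    order = {"low": 1, "medium": 2, "high": 3}
    return max((f[3] for f in findings), key=order.get, default="none")


if __name__ == "__main__":
    findings = check_drift(HOST_CONFIG)
    for key, expected, found, severity in findings:
        state = "missing" if found is None else f"found {found!r}"
        print(f"[{severity}] {key}: expected {expected!r}, {state}")
    # A scheduled job could open a ticket or trigger remediation on "high".
    print("worst severity:", worst_severity(findings))
```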
Scalability
The property by which a computing environment is able to fulfill its ever-increasing resource needs.
- As the business grows, so does the workload.
- Scalable environments adjust to changes without disruption.
Changes can come from:
- Increased bandwidth needs.
- Increased memory needs.
- Increased storage space requirements.
- Increased identities.
- And more…
- A scalable environment adds more resources and strengthens existing resources when needed.
Elasticity
The property by which a computing environment can instantly react to both increasing and decreasing demands in workload.
- Resource demands fluctuate in the short term.
- You must not only account for increases in demand, but decreases as well.
- This streamlines operations and saves money.
Common selling point for cloud services:
- Resources don't need to run at full power 24/7.
- When demand is low, resource powers down.
- Resource powers up again when demand increases.
- Elasticity supports cost-effectiveness.
Redundancy
The property by which a computing environment keeps one or more sets of additional resources in addition to the primary set of resources.
- System maintains a copy of the resource.
- Copy can be full or partial.
- Redundancy corrects issues due to compromise.
- Resource can be reconstructed (exact copy).
- Specific errors can be corrected (partial copy).
- Resource set continues to provide services without disruption or loss.
Fault Tolerance
The ability of a computing environment to withstand component failure and continue to provide an acceptable level of service.
Measures include compensating for:
- Power outages or spikes.
- Disks and data storage corruption or loss.
- Network component failure or inefficiency.
- And more…
- Fault tolerant systems often employ redundancy measures.
- If one component fails, the redundant copy maintains functionality.
Redundant Array of Independent Disks (RAID)
A set of vendor-independent specifications that support redundancy and fault tolerance for multiple-device storage systems.
- If one or more devices fail, the data can be recovered from remaining devices.
- RAID is most commonly deployed through hardware implementations.
Several RAID levels with different features.
- RAID 0, RAID 1, and RAID 5 are the most common.
- All levels except RAID 0 reduce the threat of data loss.
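A toy model of why RAID 0 offers no protection against device loss while RAID 5 can rebuild a failed device from the remaining ones, added here as an example and not taken from the original post. Each disk is a byte array, stripes are fixed-size chunks, parity is the XOR of the data chunks in a stripe and rotates across disks; the chunk size, the sample data and the index of the failed disk are constructed for illustration.

```python
CHUNK = 4  # bytes per chunk per disk (small so the sample stays readable)


def xor_bytes(chunks):
    """XOR equal-length byte sequences together (the RAID 5 parity operation)."""
    out = bytearray(len(chunks[0]))
    for c in chunks:
        for i, b in enumerate(c):
            out[i] ^= b
    return bytes(out)


def pad(data, size):
    return data + b"\x00" * (-len(data) % size)


def raid0_write(data, ndisks):
    """Stripe data round-robin across disks with no redundancy at all."""
    data = pad(data, CHUNK * ndisks)
    disks = [bytearray() for _ in range(ndisks)]
    for i in range(0, len(data), CHUNK):
        disks[(i // CHUNK) % ndisks] += data[i:i + CHUNK]
    return disks


def raid5_write(data, ndisks):
    """Each stripe holds ndisks-1 data chunks plus one XOR parity chunk; the
    disk carrying parity rotates from stripe to stripe as in RAID 5."""
    ddisks = ndisks - 1
    data = pad(data, CHUNK * ddisks)
    disks = [bytearray() for _ in range(ndisks)]
    for s, off in enumerate(range(0, len(data), CHUNK * ddisks)):
        chunks = [data[off + i * CHUNK:off + (i + 1) * CHUNK] for i in range(ddisks)]
        parity_disk = s % ndisks
        remaining = iter(chunks)
        for d in range(ndisks):
            disks[d] += xor_bytes(chunks) if d == parity_disk else next(remaining)
    return disks


def raid5_rebuild(disks, failed):
    """Reconstruct the failed disk as the XOR of all surviving disks: in every
    stripe the XOR of data chunks and parity is zero, so the missing chunk is
    the XOR of the others, whichever disk held parity for that stripe."""
    surviving = [bytes(d) for i, d in enumerate(disks) if i != failed]
    return bytearray(xor_bytes(surviving))


def raid5_read(disks, ndisks):
    """Read data back by skipping the parity chunk of each stripe."""
    out = bytearray()
    for s in range(len(disks[0]) // CHUNK):
        parity_disk = s % ndisks
        for d in range(ndisks):
            if d != parity_disk:
                out += disks[d][s * CHUNK:(s + 1) * CHUNK]
    return bytes(out)


def simulate_failure(data, ndisks=4, failed=1):
    """Write data to a RAID 0 and a RAID 5 array, lose one disk in each, and
    return (raid0_data_intact, raid5_data_intact) after recovery attempts."""
    r0 = raid0_write(data, ndisks)
    r0[failed] = None                      # no copy and no parity: chunks are gone
    raid0_ok = None not in r0              # always False after a disk loss

    r5 = raid5_write(data, ndisks)
    r5[failed] = None                      # the same disk fails
    r5[failed] = raid5_rebuild(r5, failed)  # rebuild onto a replacement disk
    raid5_ok = raid5_read(r5, ndisks).rstrip(b"\x00") == data
    return raid0_ok, raid5_ok


if __name__ == "__main__":
    sample = b"OPSEC notes: separation of duties, job rotation, RAID"
    print("RAID 0 intact, RAID 5 intact:", simulate_failure(sample))
```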
Non-persistence
The property by which a computing environment is discarded once it has finished its assigned task.
VDI example:
- Users customize their VMs.
- Persistent mode: changes are kept.
- Non-persistent mode: changes are lost after log out.
- Enhances security through tighter control.
- Persistent VMs will deviate from security baseline.
- Non-persistent VMs routinely fall back to a secure state.
Master images and snapshots can support non-persistence.
- Snapshots capture VM state at a point in time.
- You may not need to go all the way back to the master image each time.
High Availability
The property that expresses how closely systems approach the goal of providing 100% data availability with sufficient performance.
- Highly available systems are usually rated as a percentage of uptime.
Methods to achieve high availability include:
- Distributive allocation
- Clustering
- Load balancing
- Redundancy
- Uptime of 99.9% is less than nine hours of downtime per year.
- Uptime of 99.99% is less than one hour of downtime per year.
- Increase in uptime leads to increase in cost.
Deployment Environments
Environment | Description |
---|---|
Development | In-house software is designed and actively programmed. Environments will likely support one or more development methods. Development environments may not be necessary for other resource types. |
Testing | Testing ensures all asset types meet compliance requirements. Sandbox environments can be used for software testing. TCB environments can be used for integrity measurement testing. Verifies files haven't been tampered with by comparing hash values with legitimate values. |
Staging | Staging is setting up an environment to facilitate testing. Example: Secure baseline/master image to revert test VMs back to original state. Staging environments simulate production environments for realistic results. |
Production | Asset is pushed to production after testing concludes. Asset may be deployed to end users or just enter a running state. Environment is “live” and must provide security assurances like high availability. |
Guidelines for Implementing Security Strategies
- Supplement manual security processes with automated ones.
- Ensure that systems are scalable.
- Ensure that systems are elastic.
- Ensure that critical systems have redundancy.
- Ensure that critical systems are fault tolerant.
- Consider consolidating multiple storage devices in a RAID.
- Choose the appropriate RAID level for redundancy and fault tolerance.
- Consider implementing non-persistent virtual environments.
- Ensure that systems are highly available.
- Consider incorporating one or more deployment environments.
Data Security
The controls and measures taken to keep data safe, accessible and to prevent unauthorized access to it.
- Need for enhanced data security is on the rise.
- Greater volumes of data stored and accessed in many locations.
Data security must be applied at all levels of an organization:
- The physical environment.
- All traditional computing environments.
- All mobile environments.
- Data security is a priority for all organizations.
- Should be incorporated in policies.
Data Security Vulnerabilities
- The increased use of cloud computing to perform job functions.
- The lack of restricted physical access to data storage systems.
- The lack of user awareness.
- The lack of a unified data policy.
- The lack of proper data management practices.
- Obsolete or poorly implemented encryption solutions.
- The lack of proper identity and access management (IAM) practices.
- And more.
Data Storage Methods
DAS
- Traditional network servers.
- One or more storage devices directly attached to servers.
NAS
- Appliance that facilitates storage and serving of files over a network.
- Can contain multiple storage devices for faster access and easier configuration.
SAN
- Dedicated storage networks.
- Provide block-level data storage.
Cloud
- Service-based storage system.
- Data is stored in virtualized pools and hosted by a third party.
Data Encryption Methods
- Full disk encryption.
- Database encryption.
- File encryption.
- Removable media encryption.
- Mobile device encryption.
- Email encryption.
- Voice encryption.
Data Sensitivity
Not all data is equal. Data is treated differently based on its purpose. Common practice is to assign labels to data based on its sensitivity.
Labels define how data is handled:
Public
- Available to all or most.
- Example: Product catalog.
Private
- Available to organization only.
- Example: Company secrets.
Restricted
- Available to select personnel only.
- Example: Payroll database.
Confidential
- Available to organization and client.
- Example: Personally Identifiable Information (PII).
Data Management Roles
Role | Description |
---|---|
Owner | Usually a manager or executive. Ultimately responsible for the data. Responsible for labeling data. Responsible for ensuring data is protected by controls. Selects data custodians. |
Custodian | Directly manages data on an ongoing basis. Applies technical controls requested by owner. Performs backups and reviews security settings. |
Privacy officer | Organization is obliged to keep confidential data from being leaked. Ensures that access systems allow clients to only access their own data. Facilitates compliance with privacy laws and regulations. |
User | Not directly responsible for managing data. Still responsible for adhering to data security policies. |
Data Retention
The process of maintaining the existence of and control over certain data for compliance purposes.
- Organization is often required by law to retain certain data for a length of time.
Example:
- A health care provider's audit logs must be retained for several years.
- Provider may also be required to retain employee emails for less time.
- Organization must balance retention with privacy requirements.
- Keeping PII/PHI for too long will expose it to greater risk.
- Retention policies must closely integrate with disposal policies.
Data Disposal
Disposal Method | Description |
---|---|
Sanitization | Removes all data from a storage medium at the virtual level. Physical medium is not harmed and can be repurposed. Commonly uses software to write random or all zero bits. |
Degaussing | Strong magnetic force applied to disk drive to remove its magnetic charge. Only works on magnetic media like HDDs. A physical process that renders some media types inoperable. |
Shredding | Industrial machine slices storage device into many pieces. Can also refer to paper shredding. Pulping breaks shredded paper down and removes ink. |
Pulverizing | Industrial machine crushes storage device. Physical components and data are destroyed. |
Burning | Typically used to destroy paper records. Can also be used to slowly destroy a storage device and its contents. |
Guidelines for Managing Data Security
- Apply data security at all levels of the organization.
- Review the various ways that data can be vulnerable to compromise.
- Choose a data storage method that is most appropriate for your business needs.
- Choose a data encryption method that is most appropriate for your security needs.
- Label each set of data according to its sensitivity and purpose.
- Divide data management responsibilities into different roles.
- Determine your data retention requirements.
- Balance data retention requirements with privacy requirements.
- Dispose of data securely.
- Consider whether a disposal method also destroys the physical storage medium.
Physical Security Controls
Restrict, detect, and monitor access to physical areas or assets.
- Buildings
- Equipment
- Server rooms
- Finance areas
- Data centers
- Cost-benefit analysis can help determine where to place controls.
- Controls may be required for compliance reasons.
Control categories:
- Deterrent
- Preventive
- Detective
- Corrective
- Compensating
- Technical
- Administrative
Physical Security Control Types
Control Type | Description |
---|---|
Locks | Bolting door locks. Combination door locks. Electronic door locks. Biometric door locks. Hardware/cable locks. |
Key Management | Physical keys that open locks must be secured. Master key locks other keys in a secure container. Policies define who can use keys and how. Auditing trails are important. |
Logging and Visitor Access | Log entry at all public entrances. Visitors should sign in with info: name and company, date and time, reason for visiting, organizational contact. |
Video Surveillance | CCTV or IP cameras can deter or detect unwanted access. Can be placed inside or outside of building. Recordings should be saved and secured. |
Security Guards | Human guards can be placed around a location. They can monitor checkpoints and allow entry. Can also be a visual deterrent. Can apply knowledge and intuition to a situation. |
Signs | Simple but effective at deterring less determined intruders. Can include no trespassing signs and security vendor signs. |
Lighting | Lighting can deter intruders who try to conceal themselves in darkness. Spotlights can detect and identify intruders at perimeter. Always-on room lights can prevent an internal threat from hiding. |
Mantrap Doors | A system with a door at each end of a secure chamber. Individual enters outer door, which closes before inner door is opened. Identity can be verified before outer door and/or within chamber. |
Physical Barriers | Highly secure rooms should not be visible from the outside. Other barriers: gates, fencing, cages, barricades, bollards. |
Secure Containers | Keys and sensitive physical assets should be isolated in secure containers. Secure cabinets can store keys or small electronics. Secure enclosures can store bulkier hardware. Safes offer protection against container damage. |
Faraday Cages | A wire mesh container the size of a room to the size of a bag. Designed to block external electromagnetic fields. Used to prevent wireless signal interference. Useful for preserving the integrity of wireless electronic evidence. |
Screen Filters | Attached to screens to restrict their viewing angle. Authorized personnel can sit in front of screen and see it fine. Passersby or nearby people will have their view obstructed. |
Alarms | Activated during an unauthorized access attempt. Guards or police can respond quickly. Can also trigger locks or other controls to bar access. |
Motion Detection | Sensors can trip alarms if motion is detected. Can be placed at checkpoints within or outside a building. Uses technology like infrared, microwave, or ultrasonic detection. |
Protected Distribution | Protects cabling infrastructure from attack. Cables are hardened with metallic tubing and acoustic alarm systems. Routinely inspected by qualified personnel for signs of tampering. |
Environmental Exposures
- Consider environmental exposures in the overall security of a building.
Exposures include:
- Lightning
- Hurricanes
- Earthquakes
- Volcanic Eruptions
- High Winds
- Any Other Extreme Weather
Resulting Issues:
- Power Fluctuations and Failure
- Water Damage and Flooding
- Fire
- Structural Damage Leading to Unauthorized Access
Environmental Controls
Control Type | Description |
---|---|
HVAC Systems | Can regulate humidity and temperature. Can regulate air flow to keep dust or contaminants out. Should be monitored locally and remotely. |
Hot And Cold Aisle | Controls the flow of air with strategically placed vents and exhaust fans. Cold air moves from cold aisle to server rack/cabinet intake. Comes out other side as hot air in hot aisles. Keeps hardware and room at desired temperature and humidity. |
Alarm Control Panel | Should be protected against exposure. Should be in a protected location that is accessible by the fire department. Should be in a waterproof box that is powered by a dedicated circuit. |
Fire Prevention | Eliminate unnecessary storage items. Conduct annual inspections. Install fireproof walls, floors, and ceilings. Use fire-resistant office materials. |
Fire Detection | Should be connected to a central reporting station. Smoke detectors. Heat sensors. Flame detectors. |
Fire Suppression | Fire damage can be costly and even hazardous. Fires may be suppressed with hand-held extinguishers. When water is not practical, special gases should be used. Consider having both water-based and gas-based suppression systems. Consult with your local fire department for more information. |
Environmental Monitoring
- It's critical to regularly monitor environmental conditions and controls.
- Reduces the risk of damage to hardware and other property.
- Monitoring system may be able to interface with existing controls.
- Some controls provide their own monitoring systems.
HVAC system example:
- Output temperature and humidity reports to a console.
- Output temperature and humidity reports over a SCADA network.
Video monitoring can also reveal:
- Overheating.
- Water damage.
- Electricity issues.
- And more.
Safety
- The safety of your employees and property are important to overall security.
- Both are vital in keeping the business running efficiently.
Example safety controls:
- Fencing and CCTV to deter intruders from harming assets.
- Locks placed on doors to hazardous areas.
- Proper lighting to prevent accidents due to poor visibility.
- Escape plans for fire and noxious gas hazards.
- Mapping escape routes.
- Performing drills to test personnel preparedness.
- Safety controls are subject to wear and tear.
- Personnel and property should not be left vulnerable.
- Consistently test controls to see if they meet safety standards.
Guidelines for Implementing Physical Controls
- Conduct a cost-benefit analysis to determine physical control viability.
- Identify regulations that require physical controls.
- Implement a variety of physical control types that are relevant to your environments.
- Recognize how your environments are exposed to environmental conditions.
- Implement environmental controls like HVAC and fire management.
- Ensure that environmental exposures are being consistently monitored.
- Ensure that the safety of personnel and property is a priority.
- Consider how existing physical controls can be used as safety controls.
- Develop an escape plan in the event of fire or noxious gas hazard.
- Conduct periodic drills to test personnel preparedness.
- Ensure safety controls are consistently tested.
Operational security is the linchpin of a comprehensive cybersecurity strategy. As a CompTIA Security+ professional, by understanding the principles of OPSEC and implementing best practices, you can protect an organization's assets, data, and reputation from the ever-evolving threat landscape.