Okay, so we're gonna assume that we've installed, um, the the system in a secure fashion. We've taken a look at secure startup. We've put it into a secure environment. We've hard in the system. Now. We move into the ongoing faces of operation and maintenance. This is the day today.
So, you know, ideally, that software's gonna perform within the operations environment for quite some time, and it's gonna need to be monitored. Ah, perhaps patched, updated, upgraded as time goes on. So when we talk about software operations, we want to make sure that we have a reliable system. When that
does the work that it's supposed to do.
Ah, and that it does so in a reliable fashion. We want it to be resilient, so it would be able to bounce back from false or errors and would be able to shut down gracefully in a secure manner on. We also want to make sure that it would be recoverable in the event of failure, whether that's intentional or
that it could recover its its functionality.
So we want to make sure that we know is part of operations. One of our most important jobs is to continue ongoing monitoring and maintenance of the software
and that goes hand in hand with risk management. You know, we talked about when you're you've done with risks in a network environment, the answers you're never done working with risks. Well, you're never done looking at risk in relation to applications either. So we're constantly monitoring. We're looking for identified risks,
but we're also looking for risks that have not
and identified that still have the potential to cause harm
so we can install an application into an environment that application be perfectly secure. But as Theo, environment that it's been installed to it changes as risks changes, the threat landscape changes over time, then we may find that what was once a very secure system is no longer that secure.
All right, so when we move into talking about the security of operations, sometimes we refer to this is opsec operations security.
So what we want once we moved this program and operations is we want assurance that the software is gonna continue to work as we've expected, that it's gonna continue to function in a predictable manner
in a reliable fashion for the business. We want to make sure that it's State of Security doesn't get compromised, that it doesn't affect negatively in any way the production environment.
All right, so when we're talking about operations security, we want to monitor four basic elements. We monitor hardware in their software.
We also look a media media usage and we look at our people.
So we start with hardware and we think about all the elements that fall under the category of hardware. You know, hardware is a very, very large topic.
Ah, you know the individual servers, the monitors, the keyboards, the cases the CP use, but also network devices like routers and switches and firewalls and intrusion detection systems.
Any other communication devices like, for instance, their VoIP systems and our smartphones
faxes. If we're using those,
and then, um, you know, we could go on and on and on listing hardware.
When we talk about controlling the hardware, we have to look at points of vulnerability
and many of the points of vulnerability. We've already talked about
default settings, default passwords, Like I've said, I know several different organizations. I know one specific manufacturer of routers, the default
administrative accounts, admin. That fault password is also admin. So these default settings general configurations that come up that are easy to use, no security or weak security configured because again security slows things down.
It's easier for me to give you a device. It has absolutely no security because then we have no problems. We can communicate freely. So what we have to do is we have to be very, very vigilant against these default in these ah, standard configurations. We also have to think about protecting physical access to our hardware.
I actually went out. I took my two boys to the malt and have pictures made
for them. It's been about six months ago
and this was, Ah, pretty busy shopping mall in the Montgomery County, Maryland area.
And I went to the restroom in the photography place. And I kid you not on the back of the toilet was the WiFi router
It was in a public restroom. The router was sitting right there on the toilet. I mean, you want to talk about an easy denial of service attempt to our attack, you know, just pulling the plug there. But how easy would it be for me to set up some sort of mechanism to intercept the request to the router. How hard would it be to me?
But for me to impersonate
you know, just just how very, very poor security that is. It doesn't matter what your password on that router is. And all the other things if I haven't my physical possession, we have a huge vulnerability. And a silly is that seems I can't tell you how many businesses I walk into where the server doors unlocked.
Sometimes the server doors wide.
So it's very easy for us to thumb our noses at places that don't have good physical security. But then a lot of times will look around, and maybe we find that's a weakness for us as well.
Many organizations tend to be much more focused on technical security
and policies and procedures of security. Then they are actually physical security.
Without physical security, we have nothing.
Um, I went to a meeting
that was at a local business, and it was over the weekend, and we were sitting around in the conference center is a fairly small office building. We were sitting around their meeting room and it got warmer and warmer and warmer. And they're finally, we said, You know, what's the deal? It's so unbearably hot.
Well, their first response. Waas Well, the building shuts down their air conditioning over the weekends,
and I thought, OK, that's fine, But it's it's not that hot outside. And they said, and because of that, we have to open the door to our server room. So what we're feeling is all that hot air that's escaping from our servers in the server room.
And I thought, Wow, if that is, is what's escaping your server room, How hot is it in your server room? And how big a problem are we gonna have with the favorability? As you know, time goes by
you know, to me, sometimes common sense is remarkably uncommon,
so we have to be very precise about physical and environmental controls to our hardware. Resource is, we have to make sure that we're aware of some of the default settings, and we want to restrict those things that are geared more towards ease of use than they are towards security.
When it comes to software, many of the same ideas apply. Um, we might have software that's developed in house, we might have proprietary software that we've outsourced and created from 1/3 party.
Um, well, have operating system from known vendors. Ah, you know, when we have these mechanisms, often default port numbers are used, and that's not very difficult, you know, Ah, Web traffic is gonna use port A, D. D. And s traffic. So you support 53. So by using the standard default
information that I have that might be useful to me. Now, it doesn't mean that you can't redirect Web traffic to another location,
but everybody that's gonna want to access your Web server would need to know that port number that you're gonna redirect to. So it gets to be a little bit more complicated if you want to use the non standard ports and disseminating that information can be challenging us. Well,
um, get rid of unnecessary service is make sure that that is protected while it rest.
And in transit, make sure we use good secure protocols while we are transmitting information across the net.
All right, when we talk about operational security and media Ah, they're all types of media, you know, USB tapes hard drives. You know, the internal drives, the external drives, optical devices, DVD, R, C V C. CDs.
Um, you know all different types of media. The optical drives air getting less possible, a popular the magnetic drive, certainly getting less popular. We have solid state devices, so we have a lot of different types of media on which we can store data and store information. We have to be very
careful about how we cleanse that media if we're going to allow its re use.
There's a nest standard n'est 800-88 that gives the aspects and the concerns with sanitizing media.
So the idea is, if I'm going to re use this thumb drive, but it's got sensitive information, I want to remove that information. How would I do it?
Well, quite honestly, the only way to make sure that confidential information is gone
would be to destroy the media
whether you're incinerating it, whether you're shredding physically, shredding the device, whatever that might mean. But ultimately the only way to be assured that remnants of the data gone is to destroy the media
a lot of time, so we don't have that option. We need to re use the media again.
So then we would look to something like zero ization, which is overriding zeros again and again, getting together again to the device, overriding any and all that. But that was there.
Now keep in mind this still is not as good as physical destruction because with the right tools,
if the value of the information is great enough,
um, using an electron microscope data has still been able to be pulled off some of these devices that have been serialized. So the best bet would be physical destruction. If you can't physically destroy the media, overriding or zero ization would be good. Call with magnetic media.
deke. Oust the magnetic media, which basically means that we expose it to a large magnet which eliminates erases of cylinders, tracks and sectors that love level formatting produces. So and even though technically we could reuse that drive after we've dig ousted, we generally
don't because then we would have to perform a low level format of the drive, which takes
hours and hours and hours to do a lot of times. It's easier just to physically destroy the drive and get a new one. The price of hard drives are so cheap today that that's much more realistic of an option
I will mention down here at the bottom
when we talk about getting rid of sensitive information, deleting files will never be the correct answer on this examine. That should never be a solution. When you delete a file, you're not deleting the file. You're deleting the marker that points the location of the file, so the file is still there and it's full existence. So
we're not really accomplishing any security goals there,
the media so formatting your hard drive. That's not a good choice, either, because devices many times there's an unformed Matt capability on these devices. That's very easy to reverse the format process. So once again, I'll stress if you really want
Physical destruction of the media. If you want to reuse the media, look to decals.
Those would be your best bets,
all right, And then we look at the element of people on her network operations. Security has to take into consideration for people, and people can really be the greatest asset on our network. It in our work environment. They can also be the greatest weakness.
And they can hover between those two extremes forth their entire existence.
So when we talk about people being our greatest strength
people and bringing that human element into the work factor is very beneficial, you know that person's gonna be the last line of defense against our resource is And it has to be someone with human judgment to say, Wait a minute, something doesn't seem right here.
Can you show me your badge again? I think I mistakenly I think I saw that it required an escort. I may have made a mistake and I see that again. War. You know, I don't think that person should have access to that room. How did they get in there?
So people can provide that human element of judgment that will bring in, you know, additional surveillance and observation. That's good.
But we also have to look at the fact that many times when we talk about internal lost to an organization,
the 85% of all loss for fraud with an organization is initiated by someone in the house, and I think that absolutely is a true statistic. it might even be a little bit higher.
So another thing is, users don't have to maliciously intend on creating damage or harm. But through social engineering, our users can be tricked to give out sensitive information or to allow someone else. And again, this would be for them unwittingly. But allow someone else to access. Sensitive resource is on the network,
so we have to be very, very aware of our people. The best solution for people is to train them in to train them well,
and our training shouldn't just be a list of do this. Don't do that. But we need to give them a broader vision of what security means and what we're trying to accomplish and also help them to understand some of the threats that are out there today and understand the fact that Attackers have
very high value assets that they're after,
and they will stop it any. They won't stop it at normal links. They will continue in continuing continue. You know, millions and millions of dollars are lost each year through the use of of criminal attacks like identity theft and credit card fraud. You know,
it tends to be a more of a white collar crime, so there's less at risk. And a friend of mine who's in law enforcement was talking about the idea that many of, um, the gang members that he used to frequently see involved in selling drugs and other illicit activities out on the street.
He said that many of the members of gangs have moved in
behind computers because they find an area where they could make a lot more profit. That's a lot lower risk. They're not risking their neck by being out on the street, selling drugs and the potential for ramifications there. So I think it's very interesting that we see how much money there is to be made
in the world of social engineering.
There really is no upper way er to that. You know, the sky's the limit, so to speak,
all right, so with operations, security, those day by day controls that we want to put in place and we've looked at securing our people, we've looked at securing our hardware, our software as well as our media