160 ◾ Security Strategy: From Requirements to Reality
◾ Stay with high-end vendors that produce high-quality signatures, automate updates, and have a quick turnaround on new threats.
◾ Use overlapping controls when possible.
◾ Do exhaustive testing on IPS agents and appliances, especially failover features for network IPS.
◾ Test the detection accuracy occasionally to ensure the solution actually detects malicious activity.
The final lesson learned is training. Ensure you have a knowledgeable and skilled staff managing your observation solutions and a company of observant people.
Excellence in Observation Control Objectives
Reconnaissance
This section covers the controls the reconnaissance tactic requires for successful operations. Table 9.3 maps reconnaissance attributes to specific baselines. The type (hard or soft) is used to denote how evidence is collected for each control. Soft indicates a procedure-based control, while hard denotes a technology-based (i.e., automated) control.
In-house reconnaissance capabilities are not cost effective for most organizations, especially in light of the low-cost availability of reconnaissance information from security vendors, service organizations, and government agencies. The success of in-house reconnaissance efforts is based on three factors: planning, operations, and effectiveness. Planning includes training personnel in reconnaissance techniques, as well as giving them time to study the black-hat culture. Spending time with other people who do black-hat reconnaissance is recommended. These contacts also assist in the vetting of information obtained during reconnaissance operations. Reconnaissance efforts should have specific operational objectives oriented primarily toward connecting with good sources of reliable information. Operations should be active and continuous, with regular interactions with black-hat resources taking place. Operations must also be flexible; be willing to break off contacts and change techniques or avenues of approach when the situation dictates (e.g., being discovered as a white-hat spy). It is also important to evaluate the effectiveness of your reconnaissance efforts from time to time. Successful reconnaissance provides accurate information about potential threats far enough in advance to allow countermeasure preparations to be made, and it develops a good understanding of the potential risk as well as the time line available for preparations.
Surveillance
Surveillance in the context of this chapter is human-based visual observation by viewing a scene either directly or remotely using video. There are two types of surveillance: active and passive. Passive surveillance is the review of recorded video; all other surveillance is active. The effectiveness of surveillance is based on interpretation and resolution. In surveillance these factors are expressed as field of view, resolution, and training.
These factors are the same whether people are looking directly at the scene or monitoring it with video. The control objectives are intended to improve the viewing area or the resolution of the scene so that changes to the scene can be properly interpreted and malicious activity detected.
Table 9.4 maps surveillance attributes to specific baselines. The type (hard or soft) is used to denote how evidence is collected for each control. Soft indicates a procedure-based control, while hard denotes a technology-based (i.e., automated) control.