158 Security Strategy: From Requirements to Reality
dog as a potential danger but don't think twice about opening an e-mail with "I Love You" for a subject line. Consequently, attackers are able to take advantage of our naiveté, fear, confusion, or helpfulness to attack and damage our systems. "I Love You"—who wouldn't open a message with that subject line?
Interpretation and resolution are the two main challenges in observation tactics. Whether the monitoring is being done by a human, a physical device, or software, the detection of unauthorized or malicious activity is based entirely on the proper interpretation of changes in the scene or situation. The higher the resolution of the scene, the more information is available for interpretation. The accuracy of all observation is the result of this learned (or programmed) behavior; the effectiveness is based on resolution. Poor resolution or inaccurate interpretation means some malicious activity may go undetected (false negative) or some acceptable activities may be interpreted as malicious (false positive). Interpretation and resolution are the main control objectives for observation-based controls.
Excellence in observation extends beyond interpretation and resolution to include coverage. Excellent coverage means there are no "blind spots" (gaps) in our capabilities. This represents another challenge: We want to be able to observe and detect every instance of unauthorized or malicious activity. Though not completely feasible, this goal should be a driving factor in our efforts. The challenge of coverage is how to identify our observation gaps and understand the risks they represent so that we can prioritize our efforts to close them. A good place to start is with your past breaches; then you need to take a look at the current breaches the industry is experiencing. Understanding the root causes of these breaches not only shows you the failure of your preventative controls but also points to the gaps in your detective controls (observation). Once you understand the gaps, you can begin looking at which observation tactics will best address them.
Success Factors and Lessons Learned
Now let’s look at some of the observation success factors and lessons learned.
Reconnaissance
Successful reconnaissance provides reliable information about pending attacks far enough in advance that preparations and countermeasures can be deployed. Reconnaissance information gathered from black-hats has questionable reliability. Vetting information with other reconnaissance efforts can improve reliability and can help with countermeasure preparations.
Surveillance
For surveillance to be considered successful, it should, at a minimum, record all security-related events such as building or secured area entry and exit. It should also provide monitoring of public areas such as lobbies, conference rooms, and parking areas, as well as the exterior walls and the roof. Blind spots must be minimized. Lighting must be sufficient for nighttime recording and consistent throughout the field of view so that the complete scene is recorded clearly during night surveillance. The same principles apply to the use of physical detectors. Make sure they provide overlapping detection capabilities and complete coverage of all exterior entry points, including windows, doors, load docks, HVAC vents, skylights, and so on.
Did You See That! (Observation) 159
CCTV Surveillance Lessons Learned
The following points are commonly employed as best practices for the deployment and use of CCTV:
- Plan holistically; design as if you are going to observe everything and cut the design back as required.
- With regard to overlapping fields of view, try to have at least two devices cover the same field of view to eliminate blind spots and to cover device failures or sabotage.
- Use tamper-resistant devices and locate them out of reach; protect all cabling to prevent tampering.
- Return devices to their default field of view after a period of inactivity.
- Use recorders that sense motion to reduce disk usage and speed up reviews.
- Use IP-based devices that support power over Ethernet (POE); avoid wireless devices, which can be jammed.
- Integrate physical sensors so that monitoring is switched automatically to high-priority scenes when activity is present.
- Use color cameras and color monitors to improve resolution.
- Watch your disk usage carefully on recording servers.
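The overlapping-coverage rule above (at least two devices on every field of view, so a single failure or act of sabotage does not create a blind spot) can be checked before installation with a simple geometric model. The following is an added example, not code from the book: each camera is described by its position, the heading its lens faces, its angular field of view, and its useful range; each entry point is a named location. The site layout, camera parameters, and entry-point names are constructed for illustration, and the report lists every entry point seen by fewer than two cameras.

```python
"""Added example: check a CCTV plan for entry points that fewer than two
cameras can see (blind spots and single points of failure).
All site data below is constructed; it does not describe a real facility."""
import math


def camera_sees(camera, point):
    """True if `point` lies inside the camera's field-of-view sector.

    camera: dict with x, y (position, metres), heading_deg (direction the
            lens faces), fov_deg (angular width) and range_m (useful range).
    point:  dict with x, y.
    """
    dx = point["x"] - camera["x"]
    dy = point["y"] - camera["y"]
    dist = math.hypot(dx, dy)
    if dist == 0:
        return True                      # point is at the camera itself
    if dist > camera["range_m"]:
        return False                     # beyond the useful range
    bearing = math.degrees(math.atan2(dy, dx))
    # Smallest signed angle between the bearing and the lens heading, in (-180, 180].
    diff = (bearing - camera["heading_deg"] + 180) % 360 - 180
    return abs(diff) <= camera["fov_deg"] / 2


def coverage_report(cameras, entry_points, min_cameras=2):
    """Return (coverage, gaps): coverage maps each entry point name to the
    ids of the cameras that see it; gaps holds the entries below min_cameras."""
    coverage = {}
    for p in entry_points:
        coverage[p["name"]] = [c["id"] for c in cameras if camera_sees(c, p)]
    gaps = {name: ids for name, ids in coverage.items() if len(ids) < min_cameras}
    return coverage, gaps


# Constructed plan: a 40 m x 20 m building with three corner-mounted cameras.
CAMERAS = [
    {"id": "C1", "x": 0,  "y": 0,  "heading_deg": 45,  "fov_deg": 120, "range_m": 30},
    {"id": "C2", "x": 40, "y": 0,  "heading_deg": 135, "fov_deg": 120, "range_m": 30},
    {"id": "C3", "x": 40, "y": 20, "heading_deg": 225, "fov_deg": 120, "range_m": 30},
]

# Constructed entry points of the kind the text lists (doors, dock, skylight, vent, window).
ENTRY_POINTS = [
    {"name": "front door",   "x": 20, "y": 0},
    {"name": "loading dock", "x": 40, "y": 10},
    {"name": "skylight",     "x": 12, "y": 20},
    {"name": "rear window",  "x": 0,  "y": 20},
    {"name": "HVAC vent",    "x": 20, "y": 24},
]


def plan_gaps():
    """Convenience wrapper: gaps in the constructed plan."""
    return coverage_report(CAMERAS, ENTRY_POINTS)[1]


if __name__ == "__main__":
    coverage, gaps = coverage_report(CAMERAS, ENTRY_POINTS)
    for name, ids in coverage.items():
        print(f"{name:13s} seen by {ids}")
    for name, ids in gaps.items():
        print(f"GAP: {name} has only {len(ids)} camera(s): {ids}")
```

Running the script shows the front door, loading dock, and skylight each covered by at least two cameras, while the rear window and the HVAC vent depend on a single device; those two locations are where an added camera or a re-aimed one buys the most, and the same function can be re-run after a proposed change to confirm the gap is closed.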
Physical Detectors Lessons Learned
The following lessons learned and best practices are fairly consistent throughout the industry:
- Use devices that have adjustable thresholds.
- Use devices that combine detections to increase accuracy.
- Use devices that are attached to the network.
- Have dedicated power sources for critical detectors.
- Use programmable controllers that can be expanded to support a wide variety of devices.
- Try to use devices and controllers that can report to a common console.
- Use high-resolution devices (low false positives and false negatives).
IT System Security
High resolution is the best measure of success when you are using logical detection applications
and appliances. High resolution means low false-positive and false-negative rates. Systems that
use multiple types of detections have higher resolution. Heuristic analysis appears to have the best
overall results. Resolution improves the closer the detector is located to the asset it is protecting.
No detection device is going to have perfect resolution; there must be good procedures for dealing
with false-positive alarms.
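Both the physical-detector lessons (adjustable thresholds, combining detections) and the definition of resolution just given (low false-positive and low false-negative rates) can be made concrete by measuring a detector against events whose true nature is known. The following is an added example, not code from the book: it takes a small constructed set of labelled events, each carrying a score from two hypothetical detectors (a signature-style detector A and an anomaly-style detector B), computes the false-positive and false-negative rates for a given decision rule, sweeps candidate thresholds to find the one with the best resolution, and compares single detectors with a combined rule. The scores, labels, and detector names are all constructed.

```python
"""Added example: measuring detector resolution (false-positive and
false-negative rates) and the effect of threshold tuning and combined
detections. All events and scores are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class Event:
    score_a: float    # confidence from hypothetical detector A (signature-style)
    score_b: float    # score from hypothetical detector B (anomaly-style)
    malicious: bool   # ground truth established by investigation


# Constructed labelled events; scores are in the range 0..1.
EVENTS = [
    Event(0.90, 0.80, True),
    Event(0.70, 0.90, True),
    Event(0.60, 0.30, True),
    Event(0.95, 0.40, True),
    Event(0.20, 0.10, False),
    Event(0.65, 0.20, False),
    Event(0.30, 0.70, False),
    Event(0.10, 0.05, False),
    Event(0.55, 0.50, False),
    Event(0.40, 0.35, False),
]


def resolution(events, decide):
    """Return (false_positive_rate, false_negative_rate) for a decision rule.

    decide(event) -> True means the rule raises an alert for that event."""
    fp = fn = benign = malicious = 0
    for e in events:
        alert = decide(e)
        if e.malicious:
            malicious += 1
            if not alert:
                fn += 1           # missed attack
        else:
            benign += 1
            if alert:
                fp += 1           # false alarm
    return fp / benign, fn / malicious


# Decision rules: single detectors with an adjustable threshold, and combinations.
def threshold_a(t):
    return lambda e: e.score_a >= t


def threshold_b(t):
    return lambda e: e.score_b >= t


def both(t_a, t_b):
    """Alert only when both detectors agree (trades some sensitivity for fewer false alarms)."""
    return lambda e: e.score_a >= t_a and e.score_b >= t_b


def either(t_a, t_b):
    """Alert when either detector fires (more sensitive, more false alarms)."""
    return lambda e: e.score_a >= t_a or e.score_b >= t_b


def best_threshold(events, score_of, candidates, fn_weight=1.0):
    """Pick the candidate threshold minimising fp_rate + fn_weight * fn_rate.

    fn_weight > 1 expresses that a missed attack costs more than a false alarm."""
    def cost(t):
        fpr, fnr = resolution(events, lambda e: score_of(e) >= t)
        return fpr + fn_weight * fnr
    return min(candidates, key=cost)


if __name__ == "__main__":
    for label, rule in [("A >= 0.5", threshold_a(0.5)), ("A >= 0.7", threshold_a(0.7)),
                        ("B >= 0.5", threshold_b(0.5)), ("A >= 0.5 and B >= 0.3", both(0.5, 0.3)),
                        ("A >= 0.7 or B >= 0.6", either(0.7, 0.6))]:
        fpr, fnr = resolution(EVENTS, rule)
        print(f"{label:24s} FP rate {fpr:.2f}  FN rate {fnr:.2f}")
    t = best_threshold(EVENTS, lambda e: e.score_a, [0.3, 0.4, 0.5, 0.6, 0.7, 0.8])
    print(f"best single-detector threshold for A: {t}")
```

On this data detector A alone has to choose between false alarms (threshold 0.5) and a missed attack (threshold 0.7), while requiring both detectors to agree keeps every attack and cuts the false-alarm rate in half; that is the "combine detections to increase accuracy" lesson in numbers. Repeating the measurement on fresh labelled events is also a direct way to carry out the "test the detection accuracy occasionally" advice, since the rates drift as traffic and attacks change.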
IT System Security Lessons Learned
- Use software that allows signatures and patterns to be tuned.
- Use solutions with stateful detection for higher resolution.
- Try to find solutions that report to a common management platform.
- Stay with high-end vendors that produce high-quality signatures, automate updates, and have a quick turnaround on new threats.
- Use overlapping controls when possible.
- Do exhaustive testing on IPS agents and appliances, especially failover features for network IPS.
- Test the detection accuracy occasionally to ensure the solution actually detected malicious activity.
The final lesson learned is training. Ensure you have a knowledgeable and skilled staff managing your observation solutions and a company of observant people.
Excellence in Observation Control Objectives
Reconnaissance
This section covers the controls the reconnaissance tactic requires for successful operations. Table 9.3 maps reconnaissance attributes to specific baselines. The type (hard or soft) is used to denote how evidence is collected for each control. Soft indicates a procedure-based control, while hard denotes a technology-based (i.e., automated) control.
In-house reconnaissance capabilities are not cost-effective for most organizations, especially in light of the low-cost availability of reconnaissance information from security vendors, service organizations, and government agencies. The success of in-house reconnaissance efforts is based on three factors: planning, operations, and effectiveness. Planning includes training personnel in reconnaissance techniques, as well as giving them time to study the black-hat culture. Spending time with other people who do black-hat reconnaissance is recommended. These contacts also assist in the vetting of information obtained during reconnaissance operations. Reconnaissance efforts should have specific operational objectives oriented primarily toward connecting with good sources of reliable information. Operations should be active (continuous). Efforts must be ongoing, and regular interactions with black-hat resources should be taking place. Operations must be flexible; be willing to break off contacts and change techniques or avenues of approach when the situation dictates (e.g., being discovered as a white-hat spy). It is also important to evaluate the effectiveness of your reconnaissance efforts from time to time. Successful reconnaissance provides accurate information about potential threats far enough in advance to allow countermeasure preparations to be made and to develop a good understanding of potential risk as well as the time line available for preparations.
Surveillance
Surveillance in the context of this chapter is human-based visual observation by viewing a scene either directly or remotely using video. There are two types of surveillance: active and passive. Passive surveillance is the review of recorded video; all other surveillance is active. The effectiveness of surveillance is based on interpretation and resolution. In surveillance these factors are expressed as field of view, resolution, and training.
Table 9.4 maps surveillance attributes to specific baselines. The type (hard or soft) is used to denote how evidence is collected for each control. Soft indicates a procedure-based control, while hard denotes a technology-based (i.e., automated) control.
These factors are the same for people either looking directly at the scene or monitoring it with video. The control objectives are intended to improve the viewing area or the resolution of the scene so that changes to the scene can be properly interpreted and malicious activity detected.
Event Detectors
Event detectors are used to monitor changes to the physical state of a scene. The effectiveness of event detectors is based primarily on resolution. Event detectors typically do not differentiate between good or bad behavior; they simply report state changes. It is up to the device they are reporting to (i.e., the controller) to interpret those state changes. As a general rule, controllers do a good job of detecting events because events are based on changes in physical state.
Table 9.3 Reconnaissance Control Objectives

Attribute/Control | Type | Risk and Requirements

Planned
  Prepared | Soft | Personnel performing reconnaissance activities should be trained in reconnaissance techniques and should become knowledgeable in black-hat culture before engaging in reconnaissance. Work with experienced reconnaissance agents is highly recommended.
  Focused | Soft | Reconnaissance activities should have well-defined objectives designed to obtain the best and most current information.

Operative
  Active | Soft | Reconnaissance activities should be conducted continuously to gain all possible information about people (black-hats), planned attacks, and potential targets.
  Connected | Soft | Reconnaissance activities should make every effort to gain and maintain contact with the black-hat community to provide continuous information on activities and changes in threat situations.
  Flexible | Soft | Reconnaissance activities should be flexible, that is, able to break off contact, change techniques, etc., to prevent discovery and/or retaliation.

Effective
  Timely | Soft | Information obtained by reconnaissance activities should be reported as quickly as possible to maximize countermeasure preparations.
  Developed | Soft | Personnel performing reconnaissance activities should analyze threat situations to provide threat-level ratings, potential attack time frames, etc., to help guide countermeasure efforts.
  Accurate | Soft | Reconnaissance activities should endeavor to provide the most accurate information possible to ensure the best possible response.
  Accurate | Soft | Information obtained by reconnaissance activities should be vetted to ensure accuracy.
Table 9.4 Surveillance Control Objectives

Attribute/Control | Type | Risk and Requirements

  Coverage | Soft | Surveillance should provide, at a minimum, visual observation for all facility security-related activities, including building ingress and egress, entry or exit from secured areas, and public access area (parking lots, reception areas, conference rooms, etc.) usage, to facilitate the detection of unauthorized or malicious activities.

Field of View
  Properly scoped | Soft | Surveillance should, to the most reasonable extent possible, provide the broadest field of view possible.
  Properly scoped | Soft | Surveillance must be configured so that the entire scope of activity is in the field of view (it should not be necessary to change the viewing perspective to see everything that is taking place).
  Clear/unobstructed | Soft | The field of view should have no structural or landscaping feature that would allow someone or something to approach undetected, including frosted glass, works of art, plants, and posts.

Resolution
  Defined | Soft | Surveillance should have a resolution definition commensurate with the value of or risk to the monitored object to facilitate the detection of unacceptable activity. Definition depends on optical lens quality, receptor pixel count, and monitor size and pixel count.
  Focused | Soft | Surveillance scenes must be in focus (have the best possible clarity) to facilitate the detection of unacceptable activity.
  Properly lit | Soft | Surveillance scenes must be properly lit to ensure unacceptable activity within the field of view can be detected.
  Contrasted | Soft | Surveillance scenes should be properly contrasted to facilitate the detection of unacceptable activity within the scene and to prevent someone or something from approaching undetected.
  Colored | Soft | Surveillance should use color monitors and viewing devices to facilitate monitoring and detecting unacceptable activity.

Training
  Survey | Soft | Personnel performing surveillance activities should be trained in surveillance techniques, including the use of surveillance equipment and features to improve surveillance effectiveness.