The second domain in the SSCP CBK is Security Operations and Administration. This domain accounts for 17% of the SSCP exam.
The Security Operations and Administration domain defines eight (8) tasks that a certified SSCP should be able to perform:
- Understand and Comply with Codes of Ethics
- Understand Security Concepts
- Document and Operate Security Controls
- Participate in Asset Management
- Implement and Assess Compliance with Controls
- Participate in Change Management
- Participate in Security Awareness and Training
- Participate in Physical Security Operations
This is part 2 in a 7-part series on the (ISC)2 SSCP Common Body of Knowledge (CBK).
Remember: An SSCP who can recall this information will likely pass the exam, but the SSCP who can explain how these concepts are applied in real-world situations is more likely to get hired.
Understand and Comply with Code of Ethics
(ISC)² maintains a Code of Ethics that outlines the expectations for every professional they certify. Considering how hard you’re working to get your SSCP, it would be a shame to throw all that work away for an ethics violation. More importantly, adhering to this code indicates to both peers and employers that you’re trustworthy. Take a few minutes to read through the code.
However, your employer may also have an organizational code of ethics, one that’s unique to that organization. It’s your responsibility to understand this code as well, and to seek guidance on any potential conflicts between this code and the (ISC)2 code.
Professional ethics are an important part of the information security community. Learn them. Live by them.
Understand Security Concepts
The most common representation of information security is the CIA (or AIC) triad:
- Confidentiality – Keeping the secrets “secret.”
- Integrity – Protecting against unauthorized changes (intentional or accidental).
- Availability – Ensuring systems and applications are online when they’re expected to be online.
The acronym letters or ordered based on an organization’s priorities. A government agency, for example, is likely to prioritize confidentiality above all else, while a retailer may be more concerned with whether or not the e-commerce site is online 24×7 during peak shopping times.
Accountability is an important concept when it comes to determining who did what. If multiple users share an admin account, how can you determine which one of them abused that privilege to access sensitive data? At a time like that, it is very important to be able to link actions to individuals.
Privacy is often confused with security. Although many privacy and security controls are similar (e.g., encryption, strong passwords), the end goal is slightly different. The goal of privacy is to ensure that an individual is free to act without being monitored, while the goal of security is to ensure that systems, applications, and people are protected from threats. Monitoring user account activity is an example of a security control that conflicts with the concept of privacy.
Non-repudiation is a way of enforcing trust between two parties. We often use this term when sending electronic messages or transmissions back and forth. Alice sends a message to Bob. Alice wants proof that Bob received the her message, and both of them want proof that the message wasn’t changed along the way. The cryptographic controls we put in place around that transmission help us attain non-repudiation.
The principle of least privilege may be the cornerstone of identity and access management security controls. When you follow this principle, you make sure that users only have the minimum level of access/permission they need in order to do their jobs. The users in accounting don’t need the ability to install software on their computers, so you don’t give them local admin rights. The CIO doesn’t need 24×7 access to the data center, so you don’t assign that privilege to her proximity card. By following the principle of least privilege, you reduce the likelihood that an insider (or an attacker who compromises an insider’s account) can do extensive damage.
Separation of duties goes hand-in-hand with the principle of least privilege. The key difference is that separation of duties is designed to reduce the likelihood of fraud. Developers who write code shouldn’t be able to promote that code to production. An employee who creates purchase orders shouldn’t be to approve those same purchase orders. When you put too much power in the hands of any one person, the risk of that person abusing that authority increases.
The Common Sense Security Framework (CSSF) was developed with the intent of simplifying security for organizations, leaders, and security professionals. Although not officially part of the SSCP exam, you might find that the CSSF helps solidify your understanding of basic security concepts.
Document and Operate Security Controls
Different security controls have different intentions. When an organization layers these differing controls on top of one another, it becomes much harder to an attacker to circumvent them.
Use deterrent controls to discourage an attacker from taking action. A logon warning banner on a workstation or server is an example of an electronic deterrent. Lights and cameras on each of a building’s entrances are examples of physical deterrents.
Use preventative controls to keep a bad thing from happening. Locked doors that keep people from entering without a badge or key are the equivalent of systems and applications that only let users “enter” if they have valid credentials. Both are examples of preventative controls.
Use detective controls to alert the defenders when something bad has happened. Logging and monitoring systems are perfect examples of detective controls. When an attacker attempts to login with a bad password, a logging and monitoring system can record that action and notify a security administrator about that activity.
Use corrective controls to counteract something bad after it happens. Backups are a fantastic corrective control. Just ask anyone who has been infected with ransomware. By restoring a copy of the data as it was before the ransomware attack, users are able to go about their business quickly.
Use compensating controls when the original (ideal) control isn’t an option. If end users need local admin rights because a piece of business critical software requires those rights, then you can add logging and monitoring controls to make sure you’re notified when a user attempts to use those rights for some other purpose.
Participate in Asset Management
Organization’s rely on physical and electronic assets to conduct business using technology. Having a complete and accurate inventory of these assets is a fundamental security control.
The asset lifecycle is similar to the user lifecycle. In both cases, you need to provision resources to new users and deprovision resources from users no longer associated with the company. With software (electronic) assets, it is important to ensure that they are both current and securely configured. Older software can be riddled with security vulnerabilities. With hardware (physical) assets, it is important to know where they are at all times. If a user were to lose his or her proximity card, an attacker might use that card to gain physical access to an office location.
An effective asset management system tracks both hardware and software assets alike.
By understanding (classifying) the data contained within your assets, you can determine which controls are appropriate for that asset. If an attacker compromises a database containing public data, who cares? The data was already public. If an attacker compromises a database containing private healthcare information, however, the impact (including cost) is much greater. It makes sense to apply additional security controls (e.g., encryption) to the healthcare database, but we might not want to manage the cost and complexity when it comes to the public database.
Implement and Assess Compliance with Controls
Once you’ve implemented the right controls, you’ll need to assess your compliance on a regular basis.
One common control is access management is that user accounts are disabled when an employee leaves the organization. Unfortunately, many organizations still struggle with identifying and disabling these accounts. How might you check compliance with that control? You could run a monthly report in the HR system for recent separations, and then compare that report to your current list of users in Active Directory. If you could write a script or deploy a technology that would automatically disable those accounts, that would be even better.
When assessing compliance, it helps to categorize controls as follows:
- You implement and enforce technical controls using computers.
- You implement and enforce operational controls using people.
- You implement and enforce managerial controls using documentation, such as policies, baselines, standards and procedures.
Participate in Change Management
When your IT department deploys a new system or application, everything should be battle-tested and ready to go. But what happens when something changes?
That something could be a new business requirement, a newly discovered security vulnerability, or even a new release of some critical software component. We refer to the process of testing and fixing vulnerabilities as patch management. Patches should be applied at both the operating system level and the software/application level.
That said, patch management is just one component of a larger vulnerability management program. Applying patches is a corrective control, where scanning the network for vulnerabilities is a detective control.
If you’d like to learn more about patch management, you can read the Special Publication 800-40 (rev 3) (Guide to Enterprise Patch Management Technologies) from the National Institute of Standards and Technology. At 26 pages, it’s a quick read, and it will give you a much better understanding of the patch management as a whole.
Organizations that have a documented configuration (or change) management plan are less likely to run into problems when making these changes.
Configuration management plans often include the following:
- Rules for adding a new system/application to the network.
- Rules for testing any changes prior to deploying those changes to production.
- A list of individuals who must review and approve changes beforehand.
- Rules for who can make changes in production.
- Remember separation of duties? Perfect example.
- Rules for validating that changes were successful.
Configuration management plans and procedures should include a security impact assessment. Will this change require any related changes to security controls (e.g., new firewall rules)? Do we need to modify existing security controls (or implement new ones) in order to reduce new risks introduced with this change? Asking these (and similar) questions about how change might impact your security posture will help you avoid potential security incidents down the line.
As organizations deploy more systems and more applications, the need for those systems and applications to be able to talk to one another becomes a high priority. Imagine deploying a new Human Resources system that doesn’t generate logs your logging and monitoring system can understand. How will you be able to generate alerts when an attacker attempts to compromise that system. And what if that HR system can’t talk to your identity and access management (IAM) system? How will you provision user accounts for new hires?
Secure system architectures take the interoperability of systems into account. In other words, they try to ensure that different systems are able to communicate with another another and exchange meaningful information.
Participate in Security Awareness and Training
It doesn’t matter how many technical controls you implement, though, if you don’t take time to teach your users about security as well.
Social engineering, or the process of tricking a user into divulging sensitive information or installing unauthorized malware, is an incredibly effective way for attackers to bypass your technical security controls. While those technical controls are crucial, you must also spend time training your users on security risks. Effective training topics include:
- Appropriate use of company resources (including email usage and web browsing)
- Password and account security
- Mobile device security
- Social media security
- How to detect and respond to social engineering attacks
SANS publishes a free security awareness training newsletter each month, geared toward end users. If you’d like to learn more about security awareness training, you can subscribe to that newsletter here.
Participate in Physical Security Operations
It’s easy for information security professionals to focus exclusively on technical controls while overlooking physical controls. This is due in part to the fact that physical security controls almost always fall to a different team or department.
However, if an attacker ever gains physical access to your offices, that attacker can do significant damage. Physical access allows an attacker to steal unattended equipment, and to introduce unauthorized technology (e.g., wireless access points, weaponized thumb drives) to your internal network.
Make sure to include physical security assessments as part of your recurring assessment activity. Things to look for include:
- Locked exterior doors
- Locked interior doors (i.e., network closets, data centers)
- Passwords on sticky notes and white boards
- Unattended equipment in public spaces
- Cameras monitoring access to exterior doors and internal data centers
What Else Should I Know About Security Operations and Administration?
This is a high level introduction to the concepts you need to know as an SSCP, based on the (ISC)2 SSCP Certification Exam Outline. It’s not intended to be a deep-dive into everything you need to know in order to pass the exam.
You’ll increase your chances of passing the exam the first time if you read these two (2) books next:
- Start with the SSCP All-in-One Exam Guide (2nd Edition).
- Then read the (ISC)2 SSCP Official Study Guide.
If you prefer videos to books, use our list of recommended online training providers to take advantage of FREE offers to help you prepare for the exam.
Keep at it!
SSCP Domain 1 – Access Controls | SSCP Domain 3 – Risk Identification, Monitoring, and Analysis
