What is an access object?

Privileged Operations Functions

Privileged operations functions are activities that require special access or privileges to perform within a secured IT environment. In most cases, these functions are restricted to administrators and system operators. Maintaining privileged control over these functions is an essential part of sustaining the system's security, because many of them could easily be exploited to violate the confidentiality, integrity, or availability of the system's assets. The following list includes some examples of privileged operations functions:

- Using operating system control commands
- Configuring interfaces
- Accessing audit logs
- Managing user accounts
- Configuring security mechanism controls
- Running script/task automation tools
- Backing up and restoring the system
- Controlling communications
- Using database recovery tools and log files
- Controlling system reboots

Managing privileged access is an important part of keeping security under control. In addition to restricting privileged operations functions, you should also employ separation of duties. Separation of duties ensures that no single person has total control over a system's or environment's security mechanisms, so that no single person can compromise the system as a whole. It is closely related to split knowledge, in which the information or privilege required to perform a sensitive operation is divided among multiple people. In deployment, separation of duties is enforced by dividing the top- and mid-level administrative capabilities and functions among multiple trusted users.

Further control and restriction of privileged capabilities can be implemented by using two-man controls and rotation of duties. Two-man control (also called two-person control) is the configuration of privileged activities so that they require two administrators to work in conjunction in order to complete the task. The necessity of two operators also gives you the benefits of peer review and a reduced likelihood of collusion and fraud.
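The two controls described above, restricting privileged operations functions to specific roles, static separation of duties, and two-person control, are usually enforced in an authorization layer rather than by policy documents alone. The following is an added example, not code from the study guide: the role names, the conflict pairs, the privileged operations and the four administrators are all constructed for illustration. It rejects a role assignment that would give one person a conflicting pair, restricts each privileged function to the roles allowed to perform it, and refuses a two-person operation unless a second, distinct administrator holding an approving role co-signs it.

```python
"""Separation of duties and two-person control enforced in an authorization layer.

Added example, not from the study guide. The role names, the conflict
pairs, the privileged operations and the users are all constructed.
"""

# Static separation of duties: pairs of roles that one person may never hold
# at the same time. Constructed policy: whoever can change security controls
# must not also own the audit trail or the user accounts, and whoever performs
# a restore must not be the one who approves it.
SOD_CONFLICTS = {
    frozenset({"security_admin", "audit_admin"}),
    frozenset({"security_admin", "account_admin"}),
    frozenset({"backup_operator", "restore_approver"}),
}

# Privileged operations functions and the roles allowed to perform them.
PRIVILEGED_OPS = {
    "manage_user_accounts": {"account_admin"},
    "read_audit_logs": {"audit_admin"},
    "configure_security_controls": {"security_admin"},
    "restore_system": {"backup_operator"},
    "reboot_system": {"security_admin", "backup_operator"},
}

# Two-person control: these operations need a distinct second administrator
# holding one of the listed roles to co-sign before they run.
TWO_PERSON_OPS = {
    "restore_system": {"restore_approver"},
    "configure_security_controls": {"security_admin"},
}


class PolicyViolation(Exception):
    """Raised when an assignment or request breaks the policy."""


class RoleRegistry:
    """Role assignments, with static separation of duties checked at assignment
    time rather than at request time, so a conflicting pair is never granted."""

    def __init__(self):
        self._roles = {}

    def assign(self, user, role):
        held = self._roles.setdefault(user, set())
        for other in held:
            if frozenset({other, role}) in SOD_CONFLICTS:
                raise PolicyViolation(f"{user}: role {role} conflicts with {other}")
        held.add(role)

    def roles(self, user):
        return self._roles.get(user, set())


def authorize(registry, op, actor, cosigner=None):
    """Return True if the request satisfies the policy; raise PolicyViolation
    naming the first failed check otherwise."""
    allowed = PRIVILEGED_OPS.get(op)
    if allowed is None:
        raise PolicyViolation(f"{op!r} is not a defined privileged operation")
    if not registry.roles(actor) & allowed:
        raise PolicyViolation(f"{actor} holds no role permitted to {op}")
    cosign_roles = TWO_PERSON_OPS.get(op)
    if cosign_roles:
        if cosigner is None:
            raise PolicyViolation(f"{op} is under two-person control: co-signer required")
        if cosigner == actor:
            raise PolicyViolation("co-signer must be a second, distinct administrator")
        if not registry.roles(cosigner) & cosign_roles:
            raise PolicyViolation(f"{cosigner} holds no role permitted to co-sign {op}")
    return True


def outcome(fn, *args):
    """Run a check and return 'allowed' or the violation text (for the demo)."""
    try:
        fn(*args)
        return "allowed"
    except PolicyViolation as exc:
        return f"denied: {exc}"


def demo():
    """Constructed scenario: four administrators sharing the privileged functions."""
    reg = RoleRegistry()
    reg.assign("alice", "security_admin")
    reg.assign("bob", "security_admin")
    reg.assign("carol", "audit_admin")
    reg.assign("dave", "backup_operator")
    reg.assign("carol", "restore_approver")   # audit + approver: no conflict
    return {
        # static SoD: the audit admin may not also become a security admin
        "carol_gets_security_admin": outcome(reg.assign, "carol", "security_admin"),
        # a privileged function restricted to its role
        "carol_reads_audit_logs": outcome(authorize, reg, "read_audit_logs", "carol"),
        "dave_reads_audit_logs": outcome(authorize, reg, "read_audit_logs", "dave"),
        # two-person control on restores
        "dave_restores_alone": outcome(authorize, reg, "restore_system", "dave"),
        "dave_restores_self_signed": outcome(authorize, reg, "restore_system", "dave", "dave"),
        "dave_restores_with_carol": outcome(authorize, reg, "restore_system", "dave", "carol"),
        # two security admins must work in conjunction to change controls
        "alice_changes_controls_with_bob": outcome(authorize, reg, "configure_security_controls", "alice", "bob"),
        "alice_changes_controls_with_carol": outcome(authorize, reg, "configure_security_controls", "alice", "carol"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Checking the conflict at assignment time rather than at request time is deliberate: a request-time check would let a conflicting pair sit in the registry and rely on every caller remembering to test it, whereas rejecting the assignment keeps the registry itself consistent with the policy.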
Rotation of duties is the security control that involves switching several privileged security or operational roles among several users on a regular basis. For example, if an organization has divided its administrative activities into six distinct roles or job descriptions, then six or seven people need to be cross-trained for those distinct roles. Each person would work in a specific role for two to three months, and then everyone in this group would be switched or rotated to a new role. When the organization has more than the necessary minimum number of trained administrators, every rotation leaves out one person, who can take some vacation time and serve as a fill-in when necessary. The rotation of duties security control provides for peer review, reduces collusion and fraud, and provides for cross-training. Cross-training makes your environment less dependent on any single individual.

Trusted Recovery

For a secured system, trusted recovery is recovering securely from operation failures or system crashes. The purpose of trusted recovery is to provide assurance that after a failure or crash, the rebooted system is no less secure than it was before the failure or crash. You must address two elements of the process to implement a trusted recovery solution. The first element is failure preparation. In most cases, this is simply the deployment of a reliable backup solution that keeps a current backup of all data. A reliable backup solution also implies that there is a means by which data on the backup media can be restored in a protected and efficient manner. The second element is the process of system recovery. The system should be forced to reboot into a single-user, non-privileged state. This means that the system should reboot so that a normal user account can be used to log in and that the system does not grant unauthorized access to users.
System recovery also includes the restoration of all affected files and services that were active or in use on the system at the time of the failure or crash. Any missing or damaged files are restored, any changes to classification labels are corrected, and the settings on all security-critical files are verified.

Trusted recovery is a security mechanism discussed in the Common Criteria, which defines it as a hierarchy of levels (the FPT_RCV family). The three levels covered here are:

Manual Recovery: An administrator is required to manually perform the actions necessary to implement a secured or trusted recovery after a failure or system crash.

Automated Recovery: The system itself is able to perform trusted recovery activities to restore a system, but only against a single failure.

Automated Recovery without Undue Loss: The system itself is able to perform trusted recovery activities to restore a system. This level of trusted recovery allows for additional steps to provide verification and protection of classified objects. These additional protection mechanisms may include restoring corrupted files, rebuilding data from transaction logs, and verifying the integrity of key system and security components.

What happens when a system suffers an uncontrolled TCB or media failure? Such failures may compromise the stability and security of the environment, and the only possible response is to terminate the current environment and re-create it by rebooting. Related to trusted recovery, an emergency system restart is the feature of a security system that forces an immediate reboot once the system goes down.

Configuration and Change Management Control

Once a system has been properly secured, it is important to keep that security intact. Change in a secure environment can introduce loopholes, overlaps, missing objects, and oversights that can lead to new vulnerabilities. The only way to maintain security in the face of change is to systematically manage change.
Typically, this involves extensive logging, auditing, and monitoring of activities related to security controls and mechanisms. The resulting data is then used to iden- tify agents of change, whether objects, subjects, programs, communication pathways, or even the network itself. The means to provide this function is to deploy configuration management control or change management control. These mechanisms ensure that any alterations or
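The trusted recovery steps described above (keep a protected backup, and after a crash verify the settings on security-critical files, restore what is missing or damaged, and rebuild data from the transaction log) come down to comparing the recovered system against a recorded baseline, which is also the data a configuration management control uses to detect alterations. The following is an added example, not code from the study guide. Everything in it is constructed: the "system" is a temporary directory, the security-critical files are a policy file and an audit configuration, and the data store is rebuilt from a toy append-only transaction log whose last write was torn by the crash.

```python
"""Trusted recovery against a recorded baseline: verify, restore, rebuild.

Added example, not from the study guide. The file names, contents, modes
and the transaction-log format are constructed for illustration.
"""
import hashlib
import os
import shutil
import stat
import tempfile

# Constructed list of security-critical files whose content and permission
# bits must be identical before and after recovery.
SECURITY_CRITICAL = ["etc/security.policy", "etc/audit.conf"]
DATA_FILE = "var/store.db"
TXLOG = "var/store.txlog"


def fingerprint(path):
    """Content hash plus permission bits: a change to either is a security change."""
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return digest, stat.S_IMODE(os.stat(path).st_mode)


def take_baseline(root):
    """Record the known-good state of every security-critical file."""
    return {rel: fingerprint(os.path.join(root, rel)) for rel in SECURITY_CRITICAL}


def make_backup(root, backup_dir):
    """Failure preparation: a protected copy of the security-critical files."""
    for rel in SECURITY_CRITICAL:
        dst = os.path.join(backup_dir, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(os.path.join(root, rel), dst)


def rebuild_from_txlog(root):
    """Rebuild the data file from the log of 'key=value' writes. A final line
    without a terminating newline is an uncommitted (torn) write and is dropped."""
    with open(os.path.join(root, TXLOG), "rb") as f:
        lines = f.read().split(b"\n")
    state = {}
    for line in lines[:-1]:          # last element is '' or the torn tail
        if line:
            key, _, value = line.decode().partition("=")
            state[key] = value
    with open(os.path.join(root, DATA_FILE), "w") as f:
        for key in sorted(state):
            f.write(f"{key}={state[key]}\n")
    return state


def trusted_recover(root, baseline, backup_dir):
    """System recovery: verify each security-critical file against the baseline,
    restore any that differ or are missing from the backup (refusing to proceed
    if the backup itself does not match), then rebuild data from the log."""
    report = {"verified": [], "restored": [], "rebuilt_keys": 0}
    for rel, expected in baseline.items():
        path = os.path.join(root, rel)
        current = fingerprint(path) if os.path.exists(path) else None
        if current == expected:
            report["verified"].append(rel)
            continue
        os.makedirs(os.path.dirname(path), exist_ok=True)
        shutil.copy2(os.path.join(backup_dir, rel), path)
        os.chmod(path, expected[1])
        if fingerprint(path) != expected:
            raise RuntimeError(f"backup of {rel} does not match baseline; recovery is not trusted")
        report["restored"].append(rel)
    report["rebuilt_keys"] = len(rebuild_from_txlog(root))
    return report


def simulate():
    """Constructed scenario: secure the system, crash and corrupt it, recover."""
    with tempfile.TemporaryDirectory() as tmp:
        root, backup = os.path.join(tmp, "sys"), os.path.join(tmp, "backup")
        for rel, content, mode in [("etc/security.policy", b"deny_by_default=yes\n", 0o600),
                                   ("etc/audit.conf", b"log_privileged_ops=yes\n", 0o640)]:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(content)
            os.chmod(path, mode)
        os.makedirs(os.path.join(root, "var"))
        with open(os.path.join(root, TXLOG), "wb") as f:
            f.write(b"alice=user\nbob=admin\nalice=admin\ncarol=us")  # torn final write
        baseline = take_baseline(root)
        make_backup(root, backup)
        # The crash: policy weakened, audit config left world-writable.
        with open(os.path.join(root, "etc/security.policy"), "wb") as f:
            f.write(b"deny_by_default=no\n")
        os.chmod(os.path.join(root, "etc/audit.conf"), 0o666)
        report = trusted_recover(root, baseline, backup)
        report["post_baseline_ok"] = take_baseline(root) == baseline
        return report


if __name__ == "__main__":
    print(simulate())
```

The fingerprint deliberately covers permission bits as well as content, since a file whose contents are intact but which came back world-writable is exactly the kind of "setting on a security-critical file" the recovery must catch; and the recovery refuses to trust a backup that does not itself match the baseline, so a tampered backup cannot be laundered into the recovered system.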