Domain 7: Security Operations

7.1 Understand and support investigations

Forensics

• Digital Forensics – focuses on the recovery and investigation of material found in digital devices, often related to computer crime. Closely related to incident response as it is based on gathering and protecting evidence. Biggest difference is that it’s not what you know, it’s what you can prove in court. Evidence is much more valuable.

• International Organization of Computer Evidence’s 6 Principles for Computer Forensics:

2. All of the general forensic and procedural principles must be applied

3. Actions taken should not change evidence

4. Person investigating should be trained for the purpose

5. All activity must be fully documented, preserved and available for review

6. An individual is responsible for all actions taken with respect to digital evidence

7. Any agency, which is responsible for seizing/accessing/storing/transferring digitial evidence is responsible for compliance with these principles.

• Binary images are required for forensics work. You never work on the original media. A binary image is exactly identical to the original, including deleted files.

• Certified forensic tools include Norton Ghost, FTK Imager and EnCase

• Four types of disk-based forensic data:

• Allocated space – normal files

• Unallocated space – deleted files

• Slack space – leftover space at the end of clusters. Contains fragments of old files

• Bad blocks – ignored by OS. May contain hidden data

7.2 Understand requirements for investigation types

• Criminal vs. Civil Law – Criminal law has higher standards for evidence.

• Administrative Law

• Also called Regulatory Law. Consists of regulations like HIPAA

• Legal aspects of investigations

• Evidence –Real Evidence (physical objects), Direct Evidence (Witness testimony), Circumstancial Evidence (Indirect evidence of guilt, can support other evidence but is inadequate for a conviction alone.)

• Best evidence is going to be the original documents/hard drives etc

• Secondary would include copies of original evidence, log files, etc

• Evidence integrity contingent on hashes

• Hearsay is inadmissible in court. In order for evidence to be admissible, it must be relevant to a fact at issue, the fact must be material to the case, and the evidence mast have been legally collected.

• Evidence can be surrendered, obtained through a subpoena which compels the owner to surrender it, or forcefully obtained before a subject has an opportunity to alter it through a warrant

• Chain of custody – documents entirely where evidence is at all times. If there is any lapse, the evidence will be deemed inadmissible

• Reasonable Searches - 4th amendment protects against unreasonable search and seizure. Searches require warrants

• Exceptions when an object is in plain site, at public checkpoints, or exigent circumstances (immediate threat to human life or evidence being destroyed).

7.3 Conduct logging and monitoring activities

Incident Response and Management

• Involves the monitoring and detection of security events. Need clear processes and responses

• Steps to incident response:

2. Preparation – involves training and creating policies/procedures

3. Detection/Identification – analyzing events to determine if a security incident has taken place through the examination of log files.

4. Response/Containment – preventing further damage by isolating traffic, taking the system offline, etc. You would often make binary images of systems involved.

5. Mitigation/Eradication – System is cleaned.

6. Reporting – notifying proper personnel. Two kinds

7. Technical – appropriate technical individuals

8. Non-technical – stakeholders, business owners, regulators and auditors

9. Recovery – putting the system back into production. Monitoring to see if the attack resumes

10. Remediation – Root cause analysis is performed to determine and patch the vulnerability that allowed the incident. New processes to prevent recurrence are created.

11. Lessons Learned - after action meeting to determine what went wrong, what went well and what could be improved on. Final report delivered to management.

7.4 Securely provisioning resources

7.5 Understand and apply foundational security operations concepts

7.6 Apply resource protection techniques

7.7 Conduct incident management

7.8 Operate and maintain detective and preventative measures

Security Appliances

• IDS – monitors activity and sends alert when suspicious actiity occurs. Often connected to SPAN port on switches.

• Two types:

• HIDS – agent-based. Sits on a host. Scrutinizes logs, system files, etc.. Attackers may be able to detect and disable them

• NIDS – monitors traffic traversing the network. Not visible to attackers but encryption interferes with their ability to analyze traffic.

• Two ways to detect:

• Signature-based – compares events to static signatures

• Heuristic/anomaly-based – reports traffic that varies from the normal baseline, detects protocol errors.

• Data Loss Prevention – prevents sensitive data from leaving the network

• Honeypots – purposefully vulnerable (pseudo flaws) to attract attackers. Ties back to idea of enticement.

• Padded Cells are where an attacker may be redirected upon detection.

7.9 Implement and support patch and vulnerability management

Patch Management

• Critical part of change control involves security updates

• Steps:

2. Evaluate for applicability

3. Test

4. Approve

5. Deploy

6. Verify completion

Vulnerability Management

• Finds poorly configured machines

• Zero Day Vulnerabilities have no patches available

7.10 Understand and participate in change management processes

Change Control/Management

• Minimizes negative impact of changes. Allows managers to scrutinize changes, creates an audit trail of all completed changes, and aids in the patching of known vulnerabilities.

• Provides a process by which all system changes are tracked, audited, controlled, identified and approved. Users are informed of impending changes.

• Requires rigorous testing prior to being deployed. This avoids unintentional reductions in security.

• Requires documentation and allows for training users

• Implements the ability to reverse changes

• Steps:

2. Identify change

3. Propose change

4. Assess risk associated w ith change

5. Test change

6. Schedule change

7. Notify impacted parties of change

8. Implement

9. Report results

Configuration management

• Consistent security configurations through hardening, imaging, and baselining

7.11 Implement recovery strategies

RAID

• RAID 0 – Striping. Data is read from multiple disks.

• RAID 1 – Mirroring

• RAID 5 – Striping with parity. At least 3 disks. All data is spread across all disks. Parity allows data to still be read with drive failures by “guessing” the missing data.

RAID 10 – RAID 1 + RAID 0

7.12 Implement Disaster Recovery processes

Developing a BCP/DRP

• Seven Milestones:

1. Develop Policy

2. Conduct Business Impact Analysis - identify critical business functions/resources. Calculate metrics such as:

• Recovery Time Objectives (RTO) – max time required to recover systems

• Recovery Point Objective (RPO) – amount of data loss measured in time that an organization can withstand.

• Maximum Tolerable Downtime (MTD) – total time a system can be inoperable before severe impact occur

3. Identify Preventive Controls – improving security, identify possible improvements in business processes.

4. Develop Recovery Strategies

1. Redundant sites – ready to go, include updated data

2. Hot site – equipment ready, but may take time to load data. Recovery time is 6 hours or less

3. Warm site – has some equipment, no data. Will take days to bring up

4. Cold site – lacks hardware and data. Could take weeks to bring up

• Reciprocal/Mutual Assistance Agreement– using another organization’s datacenter. Difficult to enforce in court. Also, partner is generally close in terms of proximity and may be affected by the same disaster

• Mobile site – datacenter on wheels that can be driven into the disaster area

• Subscription service – outsourced BCP/DRP, such as IBM’s Sunguard

• Backups

1. Full Backup – all data. Clears archive bit after backups

2. Incremental – only files that changed since last backup. Clears the archive bit.

1. With incremental backups, you must first restore the most recent full backup and then apply all incremental backups that occurred since that full backup.

2. Differential – only files changed since last full backup. Does not clear the archive bit

Electronic Vaulting transmits data over the internet. Can be backed up at short intervals. Should be encrypted.

• Remote journaling – saves database checkpoints (transaction logs) periodically

• Remote Mirroring - database transactions are mirrored at the backup site in real time

• Database Shadowing – maintains two identical databases on different servers for fast recovery

1. 5. Develop IP Contingency Plan

6. Plan/Test/Train using a type of DR test:

• Read-through – plan is distributed to departments and functional areas for review. Managers read over and indicate if anything is missing or should be modified.

• Walk-through – often referred to as a “table top” exercise. DR team assembles and role plays a scenario.

1. Simulation Test – specific scenario is proposed and employees must simulate that event and start taking action to recover

2. Full Interruption Test – original site is shut down and processing is moved to the alternate site. Requires massive amounts of planning and can be very risky

3. Parallel Test – involves moving components to an alternate site. Regular production systems are not interrupted

7. Plan Maintenance

• Top-down rule applies here. C level management must approve and support the plan, and allocate the resources

• Plans should be tested/updated/reviewed annually

• Continuity Planning Project Team includes:

• Senior management, but does NOT include the CEO.

• HR

• Public Relations

• IT

• Physical security

• Line managers

• Legal/regulatory

• Anyone else responsible for essential functions

7.13 Test Disaster Recovery Plans

7.14 Participate in Business Continuity planning and exercises

Business Continuity Planning

• Business Continuity Plan is a long-term strategic business-oriented plan for continued operation after a disrupted event

• Disaster Recovery Plan is more tactical insofar that it provides short-term plans for specific disruptions

• BCP comes first, DRP fills in the gaps. DRP kicks in when BCP fails

• Steps in Disaster Recovery Process:

• Respond – quickly assess damage and determine if event is a disaster. Determine if facility is safe for continued use

• Activate team – Call Trees assist in communication. Timely updates must make their way back to central team.

• Communicate - Phones may be down so organizations should be prepared with multiple ways of communicating

• Assess – Protect safety of personnel

• Reconstitution – recover critical business processes, whether at primary or secondary site. Salvage team will begin recovery process at primary site

BCP/DRP Frameworks

• NIST SP 800-34 – contingency plan for federal information sytems.

• ISO 27031

• BS-25999

• Business Continuity Institute – “the good practice guidelines”

7.15 Implement and manage physical security

• Physical Security Attacks:

• Abuse – tampering with or bypassing security controls, such as picking locks and propping doors open

• Masquerading – using someone else’s badge or other credentials for authentication

• Piggybacking – same as tailgating

7.16 Address personal safety and security concerns

#CISSP